diff options
| author | Fabrice Desclaux <fabrice.desclaux@cea.fr> | 2016-02-22 11:09:10 +0100 |
|---|---|---|
| committer | Fabrice Desclaux <fabrice.desclaux@cea.fr> | 2016-06-23 10:59:43 +0200 |
| commit | b736b0634c942bfb2fdfd21da789ba9be5716e8b (patch) | |
| tree | 7087bb18edc9c71e4df8942c5c904af98ed4b1b9 | |
| parent | 23be356d7dbf4fd4e52e8cbef0b06690462244de (diff) | |
| download | miasm-b736b0634c942bfb2fdfd21da789ba9be5716e8b.tar.gz miasm-b736b0634c942bfb2fdfd21da789ba9be5716e8b.zip | |
Jitter: mini seh
| -rw-r--r-- | miasm2/os_dep/win_api_x86_32_seh.py | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/miasm2/os_dep/win_api_x86_32_seh.py b/miasm2/os_dep/win_api_x86_32_seh.py index 47166095..da8df7d7 100644 --- a/miasm2/os_dep/win_api_x86_32_seh.py +++ b/miasm2/os_dep/win_api_x86_32_seh.py @@ -48,6 +48,7 @@ log.setLevel(logging.INFO) FS_0_AD = 0x7ff70000 PEB_AD = 0x7ffdf000 LDR_AD = 0x340000 +DEFAULT_SEH = 0x7ffff000 MAX_MODULES = 0x40 @@ -69,7 +70,6 @@ InLoadOrderModuleList_offset = 0x1ee0 + \ InLoadOrderModuleList_address = LDR_AD + \ InLoadOrderModuleList_offset -default_seh = PEB_AD + 0x20000 process_environment_address = 0x10000 process_parameters_address = 0x200000 @@ -106,7 +106,7 @@ def build_teb(jitter, teb_address): TEB.get_offset("ProcessEnvironmentBlock")), "TEB.ProcessEnvironmentBlock") Teb = TEB(jitter.vm, teb_address) - Teb.NtTib.ExceptionList = default_seh + Teb.NtTib.ExceptionList = DEFAULT_SEH Teb.NtTib.Self = teb_address Teb.ProcessEnvironmentBlock = peb_address @@ -449,9 +449,6 @@ def init_seh(jitter): add_process_env(jitter) add_process_parameters(jitter) - jitter.vm.add_memory_page(default_seh, PAGE_READ | PAGE_WRITE, pck32( - 0xffffffff) + pck32(0x41414141) + pck32(0x42424242), - "Default seh handler") def regs2ctxt(jitter, context_address): @@ -632,10 +629,12 @@ def dump_seh(jitter): if loop > MAX_SEH: log.warn("Too many seh, quit") return + if not jitter.vm.is_mapped(cur_seh_ptr, 8): + break prev_seh, eh = struct.unpack('II', jitter.vm.get_mem(cur_seh_ptr, 8)) log.info('\t' * indent + 'seh_ptr: %x { prev_seh: %x eh %x }', cur_seh_ptr, prev_seh, eh) - if prev_seh in [0xFFFFFFFF, 0]: + if prev_seh == 0: break cur_seh_ptr = prev_seh indent += 1 |