Standalone SEH macro and usage example

Started by Antariy, June 22, 2012, 09:48:44 AM


Antariy

This is a set of two macros which allow you to use SEH in assembly programs.
The code is fully standalone and produces a small overhead in the executable.
The usage ideology is different from C(++), though, because assembly gives controlling possibilities which aren't available in an HLL. For instance, the code doesn't call user-defined code from the SEH handler; instead it processes the exception and passes the exception information to the user code via the appropriate structures, if specified.

Example of usage of the macros:


someproc proc ...
LOCAL cont:CONTEXT
LOCAL excr:EXCEPTION_RECORD
LOCAL bIsExc:DWORD


AxEH_try el1,excr,cont,bIsExc

... the code which requires to be covered ...

AxEH_exc el1:
cmp bIsExc,0
jz @noException

... after-exception handling ...

@noException:

...



The AxEH_try macro sets the SEH frame up. The first parameter must be specified by the user: it is the code label, which should be unique in the current code scope. The other parameters are optional. The second parameter is a reference to an EXCEPTION_RECORD structure, which will receive the exception information if an exception occurs. The third parameter is a reference to a CONTEXT structure, which will receive the detailed CPU state information if an exception occurs. If there is no exception, the contents of the structures are not touched. The fourth parameter is a reference to a DWORD-sized flag which, if specified, will receive the execution state: if its contents are 0 after the SEH block, there was no exception; if its contents are 1, there was an exception.
The optional parameters don't have to be specified and can be set to 0, but if the code wants to check whether there was an exception, it should use at least the fourth (flag) parameter.

The AxEH_exc macro leaves the SEH frame, and its only parameter is the code label used in the AxEH_try macro.


The attached archive contains the macros themselves (the AxEH.inc file) and a usage example (AxEH.asm) with the executable.

An example EXE output/test input:


#1 [in al,60h] EAX: FFFFFFFF

#2 [div 0] Exception Code: C0000094, exception address: 0040110B

#3.1 Registers BEFORE calling a proc which will change the regs and fail:
        EAX: 00000044, ECX: 77C418BF, EDX: 77C61B78, EBX: 7FFFF000
        ESP: 0012FCA0, EBP: 0012FFC0, ESI: 00380035, EDI: 00330032

#3.2 Registers AFTER calling a proc which have changed the regs and failed:
        EAX: 00000044, ECX: 77C418BF, EDX: 77C61B78, EBX: 7FFFF000
        ESP: 0012FCA0, EBP: 0012FFC0, ESI: 00380035, EDI: 00330032

#3.3 Registers which were IN the called proc at the time it failed:
        EAX: 00000012, ECX: 00000034, EDX: 00000056, EBX: 00000078
        ESP: 0012F844, EBP: 00000090, ESI: 000000AB, EDI: CDEF0056

#3.4 The exception code: C0000005, address: 0040107C

#4.1 Enter the bare hex address to peek the byte from, -1 to finish: 1
#4.1 Failed to peek the byte value at the specified address!
#4.1 Enter the bare hex address to peek the byte from, -1 to finish: 400000
#4.1 The byte value is: 4D
#4.1 Enter the bare hex address to peek the byte from, -1 to finish: -1
Find and press [Any] key to exit ...
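As an added illustration of the design described in this post (record the exception, set the flag, resume after the frame, never call user code from the handler), here is a self-contained MASM32 program that is not Antariy's AxEH.inc and was not written by him; the attachment is not reproduced on this page. The macro names SEH_TRY / SEH_EXC, the handler name SehFilter and the seven-dword frame layout are my own choices, and the frame differs from AxEH (whose AxEH_exc pops fs:[0] and then drops five dwords). It assumes the standard MASM32 SDK includes and a 32-bit build (x64 has no fs:[0] handler chain):

```asm
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

; Frame that SEH_TRY builds on the stack (my own layout, lowest address first; fs:[0] points at +0):
;   +0 Next (previous fs:[0])  +4 Handler (offset SehFilter)  +8 saved EBP  +12 resume label
;   +16 / +20 / +24 pointer to the caller's EXCEPTION_RECORD / CONTEXT / DWORD flag, or 0
_SEH_PUSHPTR MACRO arg             ;; push the address of a memory operand, or 0 (clobbers EAX)
    IFIDNI <arg>, <0>
        push 0
    ELSE
        lea  eax, arg
        push eax
    ENDIF
ENDM
SEH_TRY MACRO lbl:REQ, pExcr:=<0>, pCont:=<0>, pFlag:=<0>
    IFDIFI <pFlag>, <0>
        mov  dword ptr pFlag, 0    ;; "no exception yet"; only the handler ever writes 1
    ENDIF
    _SEH_PUSHPTR pFlag
    _SEH_PUSHPTR pCont
    _SEH_PUSHPTR pExcr
    push offset lbl
    push ebp
    push offset SehFilter
    ASSUME fs:NOTHING
    push dword ptr fs:[0]
    mov  dword ptr fs:[0], esp     ;; install: our frame is now the head of the SEH chain
ENDM
SEH_EXC MACRO lbl:REQ              ;; the label is passed with its colon, like "AxEH_exc el1:"
    lbl
    pop  dword ptr fs:[0]          ;; uninstall: fs:[0] = Next
    add  esp, 6*4                  ;; drop Handler, saved EBP, resume address and the 3 pointers
ENDM

.data
fmt db "Exception %08Xh at %08Xh, EAX at the fault was %08Xh", 0
.code
; cdecl handler the OS dispatcher calls: it records the exception and resumes, it never calls user code.
SehFilter proc C uses ebx esi edi pExcept:DWORD, pFrame:DWORD, pContext:DWORD, pDispatch:DWORD
    mov  esi, pExcept
    test [esi].EXCEPTION_RECORD.ExceptionFlags, 6   ; EXCEPTION_UNWINDING or EXCEPTION_EXIT_UNWIND
    jnz  @search                   ; unwind pass run by an outer handler: nothing to do
    mov  ebx, pFrame               ; ebx -> our frame
    mov  edi, [ebx+16]             ; copy the EXCEPTION_RECORD if the caller asked for it
    test edi, edi
    jz   @noRec
    mov  ecx, (sizeof EXCEPTION_RECORD) / 4
    rep  movsd
@noRec:
    mov  edi, [ebx+20]             ; copy the CPU state at the fault if asked for
    test edi, edi
    jz   @noCtx
    mov  esi, pContext
    mov  ecx, (sizeof CONTEXT) / 4
    rep  movsd
@noCtx:
    mov  eax, [ebx+24]             ; raise the flag
    test eax, eax
    jz   @noFlag
    mov  dword ptr [eax], 1
@noFlag:
    invoke RtlUnwind, ebx, 0, 0, 0 ; unwind frames registered after ours by callees (clobbers ebx/esi/edi)
    mov  ebx, pFrame
    mov  edx, pContext             ; continue at the label with the protected proc's EBP and ESP at our frame
    mov  eax, [ebx+12]
    mov  [edx].CONTEXT.regEip, eax
    mov  eax, [ebx+8]
    mov  [edx].CONTEXT.regEbp, eax
    mov  [edx].CONTEXT.regEsp, ebx
    xor  eax, eax                  ; ExceptionContinueExecution
    ret
@search:
    mov  eax, 1                    ; ExceptionContinueSearch
    ret
SehFilter endp

main proc
LOCAL excr:EXCEPTION_RECORD
LOCAL cont:CONTEXT
LOCAL bIsExc:DWORD
LOCAL buf[128]:BYTE
    SEH_TRY el1, excr, cont, bIsExc
    mov  eax, 12345678h
    mov  eax, dword ptr ds:[0]     ; deliberate access violation: read of address 0
    SEH_EXC el1:
    cmp  bIsExc, 0
    jz   @noException
    invoke wsprintf, addr buf, addr fmt, excr.ExceptionCode, excr.ExceptionAddress, cont.regEax
    invoke MessageBox, 0, addr buf, 0, MB_OK
@noException:
    invoke ExitProcess, bIsExc
    ret
main endp
end main
```

Build with `ml /c /coff seh_demo.asm` and `link /subsystem:windows seh_demo.obj`; the box should report code C0000005 at the address of the faulting `mov` and EAX = 12345678, and the exit code is the flag. Three points a practitioner should keep in mind with any frame-based handler of this kind: only ESP and EBP are put back at the resume label (the other registers still hold the values from the fault, so reload anything you rely on after SEH_EXC); the handler address lives on the stack, so a buffer overrun in the protected proc can overwrite it, which is the classic SEH-overwrite attack, and an image linked with /SAFESEH will refuse to dispatch to a handler not listed in its table unless it is registered with the `.SAFESEH SehFilter` directive (ML 8.0 or later); and the handler itself must not fault before RtlUnwind has run, because a nested exception inside it is reported as an unhandled exception of the handler rather than of the protected code.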

hutch--



jj2007

Good job, Alex :t
Looks very useful for those who don't own a legal copy of MasmBasic :biggrin:

Now that you will have to explain:
AxEH_exc MACRO exceptLabel:REQ
exceptLabel
   db 67h,64h,8Fh,6,0,0   ; short form of pop fs:[0]
   add esp,4*5   
ENDM

By the way, my Avira s**tware complains it's malware - almost a sign of quality, hehe :greensml:

Antariy

Quote from: jj2007 on June 22, 2012, 05:31:56 PM
Now that you will have to explain:
AxEH_exc MACRO exceptLabel:REQ
exceptLabel
   db 67h,64h,8Fh,6,0,0   ; short form of pop fs:[0]
   add esp,4*5   
ENDM

That is a short form of pop fs:[0] :biggrin:
Take notice of the address-size override prefix in the instruction encoding; thus the displacement takes 2 bytes instead of 4. The long form is 648f0500000000, one byte longer :biggrin:

Quote from: jj2007 on June 22, 2012, 05:31:56 PM
By the way, my Avira s**tware complains it's malware - almost a sign of quality, hehe :greensml:

That's probably due to obviously suspect actions like intended division by zero and I/O instruction usage, all in SEH frames, which are analysed by Avira's heuristics. These rude AVs have no idea about things with the title "EXAMPLE PROGRAM WITH 3 KB .EXE" :lol: Could be overcome pretty easily, though.

hutch--

Put a manifest and version control block into it and the AV scanner will probably shut up.

Antariy

Quote from: hutch-- on June 27, 2012, 09:41:05 AM
Put a manifest and version control block into it and the AV scanner will probably shut up.

Nice advice, especially for the public release type programs, thanks, Hutch! :t

Magnum

Great job Alex.

The program ran fine and M.S. Forefront Endpoint Protection did not have a problem with it even without a manifest and version control block.

Andy

