新堆栈帧建立后,指令“push 0FFFFFFFFh”有什么意义?

时间:2018-03-05 09:08:58

标签: reverse-engineering disassembly

指令"push 0FFFFFFFFh“出现在被调用者中新的堆栈帧之后,例如,

push        ebp  
mov         ebp,esp  
push        0FFFFFFFFh  <===HERE          //[ebp-4] is set to 0FFFFFFFFh
push        0255F58h                      // SEH EXCEPTION_REGISTRATION.handler
mov         eax,dword ptr fs:[00000000h]  
push        eax                           // SEH EXCEPTION_REGISTRATION.prev
sub         esp,0D8h  
push        ebx  
push        esi  
push        edi  
lea         edi,[ebp-0E4h]                      
mov         ecx,36h                       // 36h * 0CCCCCCCCh
mov         eax,0CCCCCCCCh  
rep stos    dword ptr es:[edi] 

mov         eax,dword ptr [__security_cookie (025A004h)]  
xor         eax,ebp  
push        eax  

lea         eax,[ebp-0Ch]  
mov         dword ptr fs:[00000000h],eax  // Install new EXECEPTION_REGISTRATION
lea         ecx,[intobj]  
call        A<int>::A<int> (0251389h)  
mov         dword ptr [ebp-4],0           //[ebp-4] is set to 0 
call        A<int>::PrintNum (025139Dh)  
mov         dword ptr [ebp-0E0h],0  
mov         dword ptr [ebp-4],0FFFFFFFFh  //[ebp-4] is set to 0FFFFFFFFh again, then [ebp-4] keeps the value in this callee. 
lea         ecx,[intobj]  
call        A<int>::~A<int> (025138Eh)  
mov         eax,dword ptr [ebp-0E0h]
...

这条指令有什么意义“推0FFFFFFFFh”?

[C ++源代码]   C++ Source Code

[更新] 2018年4月4日

使用Windbg,我可以确保指令“push 0FFFFFFFFh”(参见反汇编代码中的“Here”)与SEH无关,虽然我仍然不知道这条指令的意思是什么“推0FFFFFFFFh”?

0:000> dd fs:[0] l4
0053:00000000  0046fec0 00470000 0046d000 00000000

0:000> dt _Exception_registration_record 0046fec0
test!_EXCEPTION_REGISTRATION_RECORD
   +0x000 Next             : 0x0046ff28   _EXCEPTION_REGISTRATION_RECORD <== eax
   +0x004 Handler          : 0x00255F58   _EXCEPTION_DISPOSITION test!__scrt_stub_for_acrt_uninitialize+0  <== 0255F58h

0:000> dt _Exception_registration_record 0x0046ff28
test!_EXCEPTION_REGISTRATION_RECORD
   +0x000 Next             : 0x0046ff84 _EXCEPTION_REGISTRATION_RECORD
   +0x004 Handler          : 0x00283100     _EXCEPTION_DISPOSITION  test!_except_handler4+0

0:000> dt _Exception_registration_record 0x0046ff84
test!_EXCEPTION_REGISTRATION_RECORD
   +0x000 Next             : 0xffffffff _EXCEPTION_REGISTRATION_RECORD
   +0x004 Handler          : 0x77875845     _EXCEPTION_DISPOSITION  ntdll!_except_handler4+0

1 个答案:

答案 0 :(得分:3)

由于SEH是一个链表,实际上有两个地址。

第一个是下一个处理程序的地址(在链接的情况下)或0xFFFFFFFF(-1)这是最后一个。下一个是实际的SE Handler。

关于SEH的一篇陈旧但很好的读物是"A Crash Course on the Depths of Win32™ Structured Exception Handling"

相关问题
最新问题