PE学习(十)第十章: 加载配置信息表
第十章:加載配置信息
加載配置信息表最初是用來存放附加信息的,后來被用來存放SEH的各種處理句柄,因而也被稱為“異常處理表”。
異常與中斷類似:中斷由外部設備(如鍵盤)發出,異常由軟件產生;異常發生時會跳轉到異常處理函數,這個函數存放在中斷描述符表(IDT)的數據結構中。
異常:硬異常(系統異常)和軟異常(程序自己拋出的異常)
;------------------------
; SEH test (structured exception handling)
; Author: 戚利
; 2011.1.19
;
; Win32 MASM, flat model, stdcall.  An SEH registration frame is pushed by
; hand and linked at fs:[0], a write through a null pointer raises an
; access violation, and the handler resumes the thread at _safePlace by
; rewriting the saved Eip in the CONTEXT.
;------------------------
.386
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib

; data segment
.data
szText db 'HelloWorldPE',0          ; shown by the main program after the fault is handled (popup 222)
szErr db 'SEH Error',0              ; shown from inside the handler (popup 111)

; code segment
.code

;-------------------------------------------------------------------
; _handler: exception callback linked into the chain at fs:[0].
; In (4 stack args): _lpException        = pointer to the exception record
;                    _lpSEH              = the registration frame built in start
;                    _lpContext          = pointer to the faulting thread's CONTEXT
;                    _lpDispatcherContext = dispatcher context
; Out: eax = disposition.  Test one (active) returns
;      ExceptionContinueExecution; test two (commented out) would return
;      ExceptionContinueSearch.
; Side effect: CONTEXT.regEip is overwritten with _safePlace, so when the
;      thread is resumed it continues there instead of retrying the store.
; Clobbers: eax and flags; pushad/popad restore the other general registers.
; NOTE(review): the exception record's flags are not examined, so this body
;      also runs if the dispatcher re-enters the handler for unwinding --
;      confirm that is intended for this experiment.
;-------------------------------------------------------------------
_handler proc _lpException,_lpSEH,\
    _lpContext,_lpDispatcherContext
nop
pushad
mov esi,_lpException                ; esi = exception record (loaded, not otherwise used here)
mov edi,_lpContext                  ; edi = CONTEXT of the faulting thread
assume edi:ptr CONTEXT
invoke MessageBox,NULL,addr szErr,NULL,MB_OK ;111 -- popup 111: inside the handler
mov [edi].regEip,offset _safePlace  ; resume point after the fault
assume edi:nothing
popad
; test one
; the exception is taken over by this function
mov eax,ExceptionContinueExecution
; test two
; the exception is NOT taken over by this function (search continues down the chain)
;mov eax,ExceptionContinueSearch
ret
_handler endp

;-------------------------------------------------------------------
; start: entry point.  Builds the registration frame {prev, handler} on
; the stack, links it at fs:[0], then deliberately writes through a null
; pointer.  _safePlace is reached only because the handler rewrote Eip.
;-------------------------------------------------------------------
start:
assume fs:nothing
push offset _handler                ; frame.handler
push fs:[0]                         ; frame.prev = current head of the SEH chain
mov fs:[0],esp                      ; fs:[0] -> our frame
xor eax,eax
mov dword ptr [eax],eax             ; store to address 0 -> access violation -> _handler
_safePlace:                         ; only Eip was changed by the handler, so esp still points at the frame
pop fs:[0]                          ; unlink: restore the previous chain head
pop eax                             ; discard frame.handler
invoke MessageBox,NULL,addr szText,NULL,MB_OK ;222 -- popup 222: main program resumed
invoke ExitProcess,NULL
end start
//111,222兩處彈框
;------------------------
; SEH test (structured exception handling) -- ExceptionContinueSearch variant
; Author: 戚利
; 2011.1.19
;
; Same program as the previous listing, except that the handler declines
; the exception (test two is active).  See the note after the listing for
; the observed popup counts.
;------------------------
.386
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib

; data segment
.data
szText db 'HelloWorldPE',0          ; shown by the main program (popup 222)
szErr db 'SEH Error',0              ; shown from inside the handler (popup 111)

; code segment
.code

;-------------------------------------------------------------------
; _handler: exception callback linked into the chain at fs:[0].
; In (4 stack args): _lpException        = pointer to the exception record
;                    _lpSEH              = the registration frame built in start
;                    _lpContext          = pointer to the faulting thread's CONTEXT
;                    _lpDispatcherContext = dispatcher context
; Out: eax = ExceptionContinueSearch (test two active): the handler
;      declines the exception.
; Side effect: CONTEXT.regEip is still overwritten with _safePlace before
;      declining.
; Clobbers: eax and flags; pushad/popad restore the other general registers.
; NOTE(review): the exception record's flags are not examined, so the body
;      also runs if the dispatcher re-enters the handler for unwinding --
;      presumably why popup 111 is seen twice in this variant; confirm.
;-------------------------------------------------------------------
_handler proc _lpException,_lpSEH,\
    _lpContext,_lpDispatcherContext
nop
pushad
mov esi,_lpException                ; esi = exception record (loaded, not otherwise used here)
mov edi,_lpContext                  ; edi = CONTEXT of the faulting thread
assume edi:ptr CONTEXT
invoke MessageBox,NULL,addr szErr,NULL,MB_OK ;111 -- popup 111: inside the handler
mov [edi].regEip,offset _safePlace  ; resume point, even though we decline below
assume edi:nothing
popad
; test one
; the exception is taken over by this function
;mov eax,ExceptionContinueExecution
; test two
; the exception is NOT taken over by this function (search continues down the chain)
mov eax,ExceptionContinueSearch
ret
_handler endp

;-------------------------------------------------------------------
; start: entry point.  Builds the registration frame {prev, handler} on
; the stack, links it at fs:[0], then deliberately writes through a null
; pointer.
;-------------------------------------------------------------------
start:
assume fs:nothing
push offset _handler                ; frame.handler
push fs:[0]                         ; frame.prev = current head of the SEH chain
mov fs:[0],esp                      ; fs:[0] -> our frame
xor eax,eax
mov dword ptr [eax],eax             ; store to address 0 -> access violation -> _handler
_safePlace:
pop fs:[0]                          ; unlink: restore the previous chain head
pop eax                             ; discard frame.handler
invoke MessageBox,NULL,addr szText,NULL,MB_OK ;222 -- popup 222: main program
invoke ExitProcess,NULL
end start
//111彈兩次,222彈一次
;------------------------
; SEH test with a SafeSEH handler table
; One safe SEH handler is listed, and the exception handler is exercised;
; two popups appear when run: one from the exception handler and one from
; the main program after the exception has been handled.
; Author: 戚利
; 2011.2.15
;------------------------
.386
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib

; data segment
.data
szText1 db 'safeHandler!',0         ; shown by _handler1 (listed in the table)
szText2 db 'nosafeHandler!',0       ; shown by _handler2 (not listed)
szText db 'HelloWorldPE',0          ; shown by the main program (popup 222)

; code segment
.code

;-------------------------------------------------------------------
; Load-configuration block, emitted as raw data: the STRUCT/ENDS lines are
; commented out so the fields are laid out inline here in .code.  The
; fields below total 72 bytes = 48h, which is the value stored in the
; first dword.  SEHandlerTable/SEHandlerCount describe the SafeSEH table,
; the list of handler RVAs the OS will accept from the fs:[0] chain.
; NOTE(review): the page does not show how the image's load-config data
; directory is made to point at this block -- confirm in the build steps.
;-------------------------------------------------------------------
;IMAGE_LOAD_CONFIG_STRUCT STRUCT
Characteristics dd 00000048h        ; size of this block in bytes (72)
TimeDateStamp dd 0
MajorVersion dw 0
MinorVersion dw 0
GlobalFlagsClear dd 0
GlobalFlagsSet dd 0
CriticalSectionDefaultTimeout dd 0
DeCommitFreeBlockThreshold dd 0
DeCommitTotalFreeThreshold dd 0
LockPrefixTable dd 0
MaximumAllocationSize dd 0
VirtualMemoryThreshold dd 0
ProcessHeapFlags dd 0
ProcessAffinityMask dd 0
CSDVersion dw 0
Reserved1 dw 0
EditList dd 0
SecurityCookie dd 00000000h         ; no stack cookie in this image; left zero
SEHandlerTable dd offset safeHandler ;(VA address) of the RVA list below
SEHandlerCount dd 00000001h         ; one handler listed
;IMAGE_LOAD_CONFIG_STRUCT ENDS

; build the RVA of the listed handler
; NOTE(review): subtracting 00400000h hard-codes the image base; if the
; image were loaded at another address the RVA would no longer name
; _handler1 and the handler would be refused.
safeHandler dd offset _handler1-00400000h
dd 0                                ; trailing zero dword, not counted in SEHandlerCount

;-------------------------------------------
; Registered exception callback (listed in the SafeSEH table)
; In: _lpException = exception record, _lpSEH = registration frame,
;     _lpContext = CONTEXT*, _lpDispatcherContext = dispatcher context
; Out: eax = ExceptionContinueExecution; CONTEXT.regEip set to _safePlace
; Clobbers: eax, flags (pushad/popad restore the rest)
;-------------------------------------------
_handler1 proc _lpException,_lpSEH,\
    _lpContext,_lpDispatcherContext
nop
pushad
mov esi,_lpException
mov edi,_lpContext                  ; edi = CONTEXT of the faulting thread
assume edi:ptr CONTEXT
invoke MessageBox,NULL,addr szText1,NULL,MB_OK ;111 -- popup 111: inside the listed handler
mov [edi].regEip,offset _safePlace  ; resume the thread at _safePlace
assume edi:nothing
popad
mov eax,ExceptionContinueExecution
ret
_handler1 endp

;-------------------------------------------
; Unregistered exception callback (not in the SafeSEH table).
; Same contract as _handler1.  In this variant it is defined but never
; linked at fs:[0], so it does not run.
;-------------------------------------------
_handler2 proc _lpException,_lpSEH,\
    _lpContext,_lpDispatcherContext
nop
pushad
mov esi,_lpException
mov edi,_lpContext
assume edi:ptr CONTEXT
invoke MessageBox,NULL,addr szText2,NULL,MB_OK
mov [edi].regEip,offset _safePlace
assume edi:nothing
popad
mov eax,ExceptionContinueExecution
ret
_handler2 endp

;-------------------------------------------------------------------
; start: entry point.  Links _handler1 (the listed handler) at fs:[0]
; and raises an access violation.
;-------------------------------------------------------------------
start:
assume fs:nothing
push offset _handler1               ; frame.handler = the listed handler
push fs:[0]                         ; frame.prev
mov fs:[0],esp                      ; fs:[0] -> our frame
xor eax,eax ; raise an access violation
mov dword ptr [eax],eax             ; store to address 0
_safePlace:                         ; reached via the handler's Eip rewrite
pop fs:[0]                          ; unlink our frame
pop eax
invoke MessageBox,NULL,addr szText,NULL,MB_OK ;222 -- popup 222: main program resumed
invoke ExitProcess,NULL
end start
; Observed: popups 111 and 222 each appear once.
;------------------------
; SEH test with a SafeSEH handler table
; Differs from exception4.asm: the handler linked at fs:[0] is _handler2,
; and both functions are listed in the safe-handler table.
; Author: 戚利
; 2011.1.19
;------------------------
.386
.model flat,stdcall
option casemap:none

include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib

; data segment
.data
szText1 db 'safeHandler!',0         ; shown by _handler1
szText2 db 'Second safeHandler!',0  ; shown by _handler2 (popup 111 in this variant)
szText db 'HelloWorldPE',0          ; shown by the main program (popup 222)

; code segment
.code

;-------------------------------------------------------------------
; Load-configuration block emitted as raw data (STRUCT/ENDS commented out
; so the fields are laid out inline).  The fields total 72 bytes = 48h,
; the value in the first dword.  SEHandlerTable/SEHandlerCount give the
; SafeSEH table: two handler RVAs this time.
; NOTE(review): the page does not show how the image's load-config data
; directory is made to point at this block -- confirm in the build steps.
;-------------------------------------------------------------------
;IMAGE_LOAD_CONFIG_STRUCT STRUCT
Characteristics dd 00000048h        ; size of this block in bytes (72)
TimeDateStamp dd 0
MajorVersion dw 0
MinorVersion dw 0
GlobalFlagsClear dd 0
GlobalFlagsSet dd 0
CriticalSectionDefaultTimeout dd 0
DeCommitFreeBlockThreshold dd 0
DeCommitTotalFreeThreshold dd 0
LockPrefixTable dd 0
MaximumAllocationSize dd 0
VirtualMemoryThreshold dd 0
ProcessHeapFlags dd 0
ProcessAffinityMask dd 0
CSDVersion dw 0
Reserved1 dw 0
EditList dd 0
SecurityCookie dd 00000000h         ; no stack cookie in this image; left zero
SEHandlerTable dd offset safeHandler ;(VA address) of the RVA list below
SEHandlerCount dd 00000002h         ; two handlers listed
;IMAGE_LOAD_CONFIG_STRUCT ENDS

; build the RVAs of the listed handlers
; NOTE(review): subtracting 00400000h hard-codes the image base; a rebased
; image would make both RVAs wrong.  Entries are in definition order
; (_handler1 before _handler2), i.e. ascending.
safeHandler dd offset _handler1-00400000h
dd offset _handler2-00400000h
dd 0                                ; trailing zero dword, not counted in SEHandlerCount

;-------------------------------------------
; Registered exception callback 1 (listed; not linked at fs:[0] here)
; In: _lpException = exception record, _lpSEH = registration frame,
;     _lpContext = CONTEXT*, _lpDispatcherContext = dispatcher context
; Out: eax = ExceptionContinueExecution; CONTEXT.regEip set to _safePlace
; Clobbers: eax, flags (pushad/popad restore the rest)
;-------------------------------------------
_handler1 proc _lpException,_lpSEH,\
    _lpContext,_lpDispatcherContext
nop
pushad
mov esi,_lpException
mov edi,_lpContext
assume edi:ptr CONTEXT
invoke MessageBox,NULL,addr szText1,NULL,MB_OK
mov [edi].regEip,offset _safePlace
assume edi:nothing
popad
mov eax,ExceptionContinueExecution
ret
_handler1 endp

;-------------------------------------------
; Registered exception callback 2 (listed AND linked at fs:[0])
; Same contract as _handler1; this is the one that runs on the fault.
;-------------------------------------------
_handler2 proc _lpException,_lpSEH,\
    _lpContext,_lpDispatcherContext
nop
pushad
mov esi,_lpException
mov edi,_lpContext                  ; edi = CONTEXT of the faulting thread
assume edi:ptr CONTEXT
invoke MessageBox,NULL,addr szText2,NULL,MB_OK ;111 -- popup 111: inside the listed handler
mov [edi].regEip,offset _safePlace  ; resume the thread at _safePlace
assume edi:nothing
popad
mov eax,ExceptionContinueExecution
ret
_handler2 endp

;-------------------------------------------------------------------
; start: entry point.  Links _handler2 at fs:[0] and raises an access
; violation; since _handler2 is in the table it is accepted.
;-------------------------------------------------------------------
start:
assume fs:nothing
push offset _handler2               ; frame.handler = second listed handler
push fs:[0]                         ; frame.prev
mov fs:[0],esp                      ; fs:[0] -> our frame

xor eax,eax ; raise an access violation
mov dword ptr [eax],eax             ; store to address 0

_safePlace:                         ; reached via the handler's Eip rewrite

pop fs:[0]                          ; unlink our frame
pop eax

invoke MessageBox,NULL,addr szText,NULL,MB_OK ;222 -- popup 222: main program resumed
invoke ExitProcess,NULL
end start
; Observed: popups 111 and 222 each appear once.

; =====================================================================
; Next listing (a separate source file)
; =====================================================================
;------------------------
; SEH test with a SafeSEH handler table
; Compared with exception4.asm, this program links the UNLISTED handler
; _handler2 into the SEH chain.
; Author: 戚利
; 2011.1.19
;------------------------
.386
.model flat,stdcall
option casemap:none

include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib

; data segment
.data
szText1 db 'safeHandler!',0         ; shown by _handler1 (listed)
szText2 db 'nosafeHandler!',0       ; shown by _handler2 (not listed)
szText db 'HelloWorldPE',0          ; shown by the main program

; code segment
.code

;-------------------------------------------------------------------
; Load-configuration block emitted as raw data; 72 bytes = 48h in the
; first dword.  Only _handler1 is listed in the SafeSEH table.
; NOTE(review): the page does not show how the image's load-config data
; directory is made to point at this block -- confirm in the build steps.
;-------------------------------------------------------------------
;IMAGE_LOAD_CONFIG_STRUCT STRUCT
Characteristics dd 00000048h        ; size of this block in bytes (72)
TimeDateStamp dd 0
MajorVersion dw 0
MinorVersion dw 0
GlobalFlagsClear dd 0
GlobalFlagsSet dd 0
CriticalSectionDefaultTimeout dd 0
DeCommitFreeBlockThreshold dd 0
DeCommitTotalFreeThreshold dd 0
LockPrefixTable dd 0
MaximumAllocationSize dd 0
VirtualMemoryThreshold dd 0
ProcessHeapFlags dd 0
ProcessAffinityMask dd 0
CSDVersion dw 0
Reserved1 dw 0
EditList dd 0
SecurityCookie dd 00000000h         ; no stack cookie in this image; left zero
SEHandlerTable dd offset safeHandler ;(VA address) of the RVA list below
SEHandlerCount dd 00000001h         ; one handler listed (_handler1 only)
;IMAGE_LOAD_CONFIG_STRUCT ENDS

; build the RVA of the listed handler
; NOTE(review): subtracting 00400000h hard-codes the image base.
safeHandler dd offset _handler1-00400000h
dd 0                                ; trailing zero dword, not counted in SEHandlerCount

;-------------------------------------------
; Registered exception callback (listed; not linked at fs:[0] here)
; In: _lpException = exception record, _lpSEH = registration frame,
;     _lpContext = CONTEXT*, _lpDispatcherContext = dispatcher context
; Out: eax = ExceptionContinueExecution; CONTEXT.regEip set to _safePlace
; Clobbers: eax, flags (pushad/popad restore the rest)
;-------------------------------------------
_handler1 proc _lpException,_lpSEH,\
    _lpContext,_lpDispatcherContext
nop
pushad
mov esi,_lpException
mov edi,_lpContext
assume edi:ptr CONTEXT
invoke MessageBox,NULL,addr szText1,NULL,MB_OK
mov [edi].regEip,offset _safePlace
assume edi:nothing
popad
mov eax,ExceptionContinueExecution
ret
_handler1 endp

;-------------------------------------------
; Unregistered exception callback (NOT in the SafeSEH table, but linked
; at fs:[0] by start).  Same contract as _handler1.  Per the observation
; after the listing, its MessageBox never appears: the OS refuses to
; dispatch to a handler address that is not in the table.
;-------------------------------------------
_handler2 proc _lpException,_lpSEH,\
    _lpContext,_lpDispatcherContext
nop
pushad
mov esi,_lpException
mov edi,_lpContext
assume edi:ptr CONTEXT
invoke MessageBox,NULL,addr szText2,NULL,MB_OK
mov [edi].regEip,offset _safePlace
assume edi:nothing
popad
mov eax,ExceptionContinueExecution
ret
_handler2 endp

;-------------------------------------------------------------------
; start: entry point.  Links the unlisted _handler2 at fs:[0] and raises
; an access violation.  Neither _safePlace nor the final MessageBox is
; reached (see the observation below).
;-------------------------------------------------------------------
start:
assume fs:nothing
push offset _handler2               ; frame.handler = the UNLISTED handler
push fs:[0]                         ; frame.prev
mov fs:[0],esp                      ; fs:[0] -> our frame

xor eax,eax ; raise an access violation
mov dword ptr [eax],eax             ; store to address 0

_safePlace:

pop fs:[0]
pop eax

invoke MessageBox,NULL,addr szText,NULL,MB_OK
invoke ExitProcess,NULL
end start
; Observed: no popup at all -- the handler linked into the SEH chain is not
; defined in the PE image's load-configuration table, so it is never invoked.
;------------------------
; SEH test (structured exception handling) -- ExceptionContinueSearch variant
; Author: 戚利
; 2011.1.19
;
; The handler shows a popup, rewrites the saved Eip, then declines the
; exception (test two is active).
;------------------------
.386
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib

; data segment
.data
szText db 'HelloWorldPE',0          ; shown by the main program (popup 222)
szErr db 'SEH Error',0              ; shown from inside the handler (popup 111)

; code segment
.code

;-------------------------------------------------------------------
; _handler: exception callback linked into the chain at fs:[0].
; In (4 stack args): _lpException        = pointer to the exception record
;                    _lpSEH              = the registration frame built in start
;                    _lpContext          = pointer to the faulting thread's CONTEXT
;                    _lpDispatcherContext = dispatcher context
; Out: eax = ExceptionContinueSearch (test two active): the handler declines.
; Side effect: CONTEXT.regEip is overwritten with _safePlace before declining.
; Clobbers: eax and flags; pushad/popad restore the other general registers.
; NOTE(review): the exception record's flags are not examined, so the body
;      also runs if the dispatcher re-enters the handler for unwinding --
;      presumably why popup 111 is seen twice; confirm.
;-------------------------------------------------------------------
_handler proc _lpException,_lpSEH,\
    _lpContext,_lpDispatcherContext
nop
pushad
mov esi,_lpException                ; esi = exception record (loaded, not otherwise used here)
mov edi,_lpContext                  ; edi = CONTEXT of the faulting thread
assume edi:ptr CONTEXT
invoke MessageBox,NULL,addr szErr,NULL,MB_OK ;111 -- popup 111: inside the handler
mov [edi].regEip,offset _safePlace  ; resume point, even though we decline below
assume edi:nothing
popad
; test one
; the exception is taken over by this function
;mov eax,ExceptionContinueExecution
; test two
; the exception is NOT taken over by this function (search continues down the chain)
mov eax,ExceptionContinueSearch
ret
_handler endp

;-------------------------------------------------------------------
; start: entry point.  Builds the registration frame {prev, handler} on
; the stack, links it at fs:[0], then deliberately writes through a null
; pointer.
;-------------------------------------------------------------------
start:
assume fs:nothing
push offset _handler                ; frame.handler
push fs:[0]                         ; frame.prev = current head of the SEH chain
mov fs:[0],esp                      ; fs:[0] -> our frame
xor eax,eax
mov dword ptr [eax],eax             ; store to address 0 -> access violation -> _handler
_safePlace:
pop fs:[0]                          ; unlink: restore the previous chain head
pop eax                             ; discard frame.handler
invoke MessageBox,NULL,addr szText,NULL,MB_OK ;222 -- popup 222: main program
invoke ExitProcess,NULL
end start
; Observed: popup 111 appears twice, popup 222 once.
;------------------------
; SEH test with a SafeSEH handler table
; One safe SEH handler is listed, and the exception handler is exercised;
; two popups appear when run: one from the exception handler and one from
; the main program after the exception has been handled.
; Author: 戚利
; 2011.2.15
;------------------------
.386
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib

; data segment
.data
szText1 db 'safeHandler!',0         ; shown by _handler1 (listed in the table)
szText2 db 'nosafeHandler!',0       ; shown by _handler2 (not listed)
szText db 'HelloWorldPE',0          ; shown by the main program (popup 222)

; code segment
.code

;-------------------------------------------------------------------
; Load-configuration block, emitted as raw data: the STRUCT/ENDS lines are
; commented out so the fields are laid out inline here in .code.  The
; fields below total 72 bytes = 48h, which is the value stored in the
; first dword.  SEHandlerTable/SEHandlerCount describe the SafeSEH table,
; the list of handler RVAs the OS will accept from the fs:[0] chain.
; NOTE(review): the page does not show how the image's load-config data
; directory is made to point at this block -- confirm in the build steps.
;-------------------------------------------------------------------
;IMAGE_LOAD_CONFIG_STRUCT STRUCT
Characteristics dd 00000048h        ; size of this block in bytes (72)
TimeDateStamp dd 0
MajorVersion dw 0
MinorVersion dw 0
GlobalFlagsClear dd 0
GlobalFlagsSet dd 0
CriticalSectionDefaultTimeout dd 0
DeCommitFreeBlockThreshold dd 0
DeCommitTotalFreeThreshold dd 0
LockPrefixTable dd 0
MaximumAllocationSize dd 0
VirtualMemoryThreshold dd 0
ProcessHeapFlags dd 0
ProcessAffinityMask dd 0
CSDVersion dw 0
Reserved1 dw 0
EditList dd 0
SecurityCookie dd 00000000h         ; no stack cookie in this image; left zero
SEHandlerTable dd offset safeHandler ;(VA address) of the RVA list below
SEHandlerCount dd 00000001h         ; one handler listed
;IMAGE_LOAD_CONFIG_STRUCT ENDS

; build the RVA of the listed handler
; NOTE(review): subtracting 00400000h hard-codes the image base; if the
; image were loaded at another address the RVA would no longer name
; _handler1 and the handler would be refused.
safeHandler dd offset _handler1-00400000h
dd 0                                ; trailing zero dword, not counted in SEHandlerCount

;-------------------------------------------
; Registered exception callback (listed in the SafeSEH table)
; In: _lpException = exception record, _lpSEH = registration frame,
;     _lpContext = CONTEXT*, _lpDispatcherContext = dispatcher context
; Out: eax = ExceptionContinueExecution; CONTEXT.regEip set to _safePlace
; Clobbers: eax, flags (pushad/popad restore the rest)
;-------------------------------------------
_handler1 proc _lpException,_lpSEH,\
    _lpContext,_lpDispatcherContext
nop
pushad
mov esi,_lpException
mov edi,_lpContext                  ; edi = CONTEXT of the faulting thread
assume edi:ptr CONTEXT
invoke MessageBox,NULL,addr szText1,NULL,MB_OK ;111 -- popup 111: inside the listed handler
mov [edi].regEip,offset _safePlace  ; resume the thread at _safePlace
assume edi:nothing
popad
mov eax,ExceptionContinueExecution
ret
_handler1 endp

;-------------------------------------------
; Unregistered exception callback (not in the SafeSEH table).
; Same contract as _handler1.  In this variant it is defined but never
; linked at fs:[0], so it does not run.
;-------------------------------------------
_handler2 proc _lpException,_lpSEH,\
    _lpContext,_lpDispatcherContext
nop
pushad
mov esi,_lpException
mov edi,_lpContext
assume edi:ptr CONTEXT
invoke MessageBox,NULL,addr szText2,NULL,MB_OK
mov [edi].regEip,offset _safePlace
assume edi:nothing
popad
mov eax,ExceptionContinueExecution
ret
_handler2 endp

;-------------------------------------------------------------------
; start: entry point.  Links _handler1 (the listed handler) at fs:[0]
; and raises an access violation.
;-------------------------------------------------------------------
start:
assume fs:nothing
push offset _handler1               ; frame.handler = the listed handler
push fs:[0]                         ; frame.prev
mov fs:[0],esp                      ; fs:[0] -> our frame
xor eax,eax ; raise an access violation
mov dword ptr [eax],eax             ; store to address 0
_safePlace:                         ; reached via the handler's Eip rewrite
pop fs:[0]                          ; unlink our frame
pop eax
invoke MessageBox,NULL,addr szText,NULL,MB_OK ;222 -- popup 222: main program resumed
invoke ExitProcess,NULL
end start
; Observed: popups 111 and 222 each appear once.
;------------------------
; SEH test with a SafeSEH handler table
; Differs from exception4.asm: the handler linked at fs:[0] is _handler2,
; and both functions are listed in the safe-handler table.
; Author: 戚利
; 2011.1.19
;------------------------
.386
.model flat,stdcall
option casemap:none

include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib

; data segment
.data
szText1 db 'safeHandler!',0         ; shown by _handler1
szText2 db 'Second safeHandler!',0  ; shown by _handler2 (popup 111 in this variant)
szText db 'HelloWorldPE',0          ; shown by the main program (popup 222)

; code segment
.code

;-------------------------------------------------------------------
; Load-configuration block emitted as raw data (STRUCT/ENDS commented out
; so the fields are laid out inline).  The fields total 72 bytes = 48h,
; the value in the first dword.  SEHandlerTable/SEHandlerCount give the
; SafeSEH table: two handler RVAs this time.
; NOTE(review): the page does not show how the image's load-config data
; directory is made to point at this block -- confirm in the build steps.
;-------------------------------------------------------------------
;IMAGE_LOAD_CONFIG_STRUCT STRUCT
Characteristics dd 00000048h        ; size of this block in bytes (72)
TimeDateStamp dd 0
MajorVersion dw 0
MinorVersion dw 0
GlobalFlagsClear dd 0
GlobalFlagsSet dd 0
CriticalSectionDefaultTimeout dd 0
DeCommitFreeBlockThreshold dd 0
DeCommitTotalFreeThreshold dd 0
LockPrefixTable dd 0
MaximumAllocationSize dd 0
VirtualMemoryThreshold dd 0
ProcessHeapFlags dd 0
ProcessAffinityMask dd 0
CSDVersion dw 0
Reserved1 dw 0
EditList dd 0
SecurityCookie dd 00000000h         ; no stack cookie in this image; left zero
SEHandlerTable dd offset safeHandler ;(VA address) of the RVA list below
SEHandlerCount dd 00000002h         ; two handlers listed
;IMAGE_LOAD_CONFIG_STRUCT ENDS

; build the RVAs of the listed handlers
; NOTE(review): subtracting 00400000h hard-codes the image base; a rebased
; image would make both RVAs wrong.  Entries are in definition order
; (_handler1 before _handler2), i.e. ascending.
safeHandler dd offset _handler1-00400000h
dd offset _handler2-00400000h
dd 0                                ; trailing zero dword, not counted in SEHandlerCount

;-------------------------------------------
; Registered exception callback 1 (listed; not linked at fs:[0] here)
; In: _lpException = exception record, _lpSEH = registration frame,
;     _lpContext = CONTEXT*, _lpDispatcherContext = dispatcher context
; Out: eax = ExceptionContinueExecution; CONTEXT.regEip set to _safePlace
; Clobbers: eax, flags (pushad/popad restore the rest)
;-------------------------------------------
_handler1 proc _lpException,_lpSEH,\
    _lpContext,_lpDispatcherContext
nop
pushad
mov esi,_lpException
mov edi,_lpContext
assume edi:ptr CONTEXT
invoke MessageBox,NULL,addr szText1,NULL,MB_OK
mov [edi].regEip,offset _safePlace
assume edi:nothing
popad
mov eax,ExceptionContinueExecution
ret
_handler1 endp

;-------------------------------------------
; Registered exception callback 2 (listed AND linked at fs:[0])
; Same contract as _handler1; this is the one that runs on the fault.
;-------------------------------------------
_handler2 proc _lpException,_lpSEH,\
    _lpContext,_lpDispatcherContext
nop
pushad
mov esi,_lpException
mov edi,_lpContext                  ; edi = CONTEXT of the faulting thread
assume edi:ptr CONTEXT
invoke MessageBox,NULL,addr szText2,NULL,MB_OK ;111 -- popup 111: inside the listed handler
mov [edi].regEip,offset _safePlace  ; resume the thread at _safePlace
assume edi:nothing
popad
mov eax,ExceptionContinueExecution
ret
_handler2 endp

;-------------------------------------------------------------------
; start: entry point.  Links _handler2 at fs:[0] and raises an access
; violation; since _handler2 is in the table it is accepted.
;-------------------------------------------------------------------
start:
assume fs:nothing
push offset _handler2               ; frame.handler = second listed handler
push fs:[0]                         ; frame.prev
mov fs:[0],esp                      ; fs:[0] -> our frame

xor eax,eax ; raise an access violation
mov dword ptr [eax],eax             ; store to address 0

_safePlace:                         ; reached via the handler's Eip rewrite

pop fs:[0]                          ; unlink our frame
pop eax

invoke MessageBox,NULL,addr szText,NULL,MB_OK ;222 -- popup 222: main program resumed
invoke ExitProcess,NULL
end start
; Observed: popups 111 and 222 each appear once.

; =====================================================================
; Next listing (a separate source file)
; =====================================================================
;------------------------
; SEH test with a SafeSEH handler table
; Compared with exception4.asm, this program links the UNLISTED handler
; _handler2 into the SEH chain.
; Author: 戚利
; 2011.1.19
;------------------------
.386
.model flat,stdcall
option casemap:none

include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib

; data segment
.data
szText1 db 'safeHandler!',0         ; shown by _handler1 (listed)
szText2 db 'nosafeHandler!',0       ; shown by _handler2 (not listed)
szText db 'HelloWorldPE',0          ; shown by the main program

; code segment
.code

;-------------------------------------------------------------------
; Load-configuration block emitted as raw data; 72 bytes = 48h in the
; first dword.  Only _handler1 is listed in the SafeSEH table.
; NOTE(review): the page does not show how the image's load-config data
; directory is made to point at this block -- confirm in the build steps.
;-------------------------------------------------------------------
;IMAGE_LOAD_CONFIG_STRUCT STRUCT
Characteristics dd 00000048h        ; size of this block in bytes (72)
TimeDateStamp dd 0
MajorVersion dw 0
MinorVersion dw 0
GlobalFlagsClear dd 0
GlobalFlagsSet dd 0
CriticalSectionDefaultTimeout dd 0
DeCommitFreeBlockThreshold dd 0
DeCommitTotalFreeThreshold dd 0
LockPrefixTable dd 0
MaximumAllocationSize dd 0
VirtualMemoryThreshold dd 0
ProcessHeapFlags dd 0
ProcessAffinityMask dd 0
CSDVersion dw 0
Reserved1 dw 0
EditList dd 0
SecurityCookie dd 00000000h         ; no stack cookie in this image; left zero
SEHandlerTable dd offset safeHandler ;(VA address) of the RVA list below
SEHandlerCount dd 00000001h         ; one handler listed (_handler1 only)
;IMAGE_LOAD_CONFIG_STRUCT ENDS

; build the RVA of the listed handler
; NOTE(review): subtracting 00400000h hard-codes the image base.
safeHandler dd offset _handler1-00400000h
dd 0                                ; trailing zero dword, not counted in SEHandlerCount

;-------------------------------------------
; Registered exception callback (listed; not linked at fs:[0] here)
; In: _lpException = exception record, _lpSEH = registration frame,
;     _lpContext = CONTEXT*, _lpDispatcherContext = dispatcher context
; Out: eax = ExceptionContinueExecution; CONTEXT.regEip set to _safePlace
; Clobbers: eax, flags (pushad/popad restore the rest)
;-------------------------------------------
_handler1 proc _lpException,_lpSEH,\
    _lpContext,_lpDispatcherContext
nop
pushad
mov esi,_lpException
mov edi,_lpContext
assume edi:ptr CONTEXT
invoke MessageBox,NULL,addr szText1,NULL,MB_OK
mov [edi].regEip,offset _safePlace
assume edi:nothing
popad
mov eax,ExceptionContinueExecution
ret
_handler1 endp

;-------------------------------------------
; Unregistered exception callback (NOT in the SafeSEH table, but linked
; at fs:[0] by start).  Same contract as _handler1.  Per the observation
; after the listing, its MessageBox never appears: the OS refuses to
; dispatch to a handler address that is not in the table.
;-------------------------------------------
_handler2 proc _lpException,_lpSEH,\
    _lpContext,_lpDispatcherContext
nop
pushad
mov esi,_lpException
mov edi,_lpContext
assume edi:ptr CONTEXT
invoke MessageBox,NULL,addr szText2,NULL,MB_OK
mov [edi].regEip,offset _safePlace
assume edi:nothing
popad
mov eax,ExceptionContinueExecution
ret
_handler2 endp

;-------------------------------------------------------------------
; start: entry point.  Links the unlisted _handler2 at fs:[0] and raises
; an access violation.  Neither _safePlace nor the final MessageBox is
; reached (see the observation below).
;-------------------------------------------------------------------
start:
assume fs:nothing
push offset _handler2               ; frame.handler = the UNLISTED handler
push fs:[0]                         ; frame.prev
mov fs:[0],esp                      ; fs:[0] -> our frame

xor eax,eax ; raise an access violation
mov dword ptr [eax],eax             ; store to address 0

_safePlace:

pop fs:[0]
pop eax

invoke MessageBox,NULL,addr szText,NULL,MB_OK
invoke ExitProcess,NULL
end start
; Observed: no popup at all -- the handler linked into the SEH chain is not
; defined in the PE image's load-configuration table, so it is never invoked.
;------------------------
; SEH test (structured exception handling) -- ExceptionContinueSearch variant
; Author: 戚利
; 2011.1.19
;
; The handler shows a popup, rewrites the saved Eip, then declines the
; exception (test two is active).
;------------------------
.386
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib

; data segment
.data
szText db 'HelloWorldPE',0          ; shown by the main program (popup 222)
szErr db 'SEH Error',0              ; shown from inside the handler (popup 111)

; code segment
.code

;-------------------------------------------------------------------
; _handler: exception callback linked into the chain at fs:[0].
; In (4 stack args): _lpException        = pointer to the exception record
;                    _lpSEH              = the registration frame built in start
;                    _lpContext          = pointer to the faulting thread's CONTEXT
;                    _lpDispatcherContext = dispatcher context
; Out: eax = ExceptionContinueSearch (test two active): the handler declines.
; Side effect: CONTEXT.regEip is overwritten with _safePlace before declining.
; Clobbers: eax and flags; pushad/popad restore the other general registers.
; NOTE(review): the exception record's flags are not examined, so the body
;      also runs if the dispatcher re-enters the handler for unwinding --
;      presumably why popup 111 is seen twice; confirm.
;-------------------------------------------------------------------
_handler proc _lpException,_lpSEH,\
    _lpContext,_lpDispatcherContext
nop
pushad
mov esi,_lpException                ; esi = exception record (loaded, not otherwise used here)
mov edi,_lpContext                  ; edi = CONTEXT of the faulting thread
assume edi:ptr CONTEXT
invoke MessageBox,NULL,addr szErr,NULL,MB_OK ;111 -- popup 111: inside the handler
mov [edi].regEip,offset _safePlace  ; resume point, even though we decline below
assume edi:nothing
popad
; test one
; the exception is taken over by this function
;mov eax,ExceptionContinueExecution
; test two
; the exception is NOT taken over by this function (search continues down the chain)
mov eax,ExceptionContinueSearch
ret
_handler endp

;-------------------------------------------------------------------
; start: entry point.  Builds the registration frame {prev, handler} on
; the stack, links it at fs:[0], then deliberately writes through a null
; pointer.
;-------------------------------------------------------------------
start:
assume fs:nothing
push offset _handler                ; frame.handler
push fs:[0]                         ; frame.prev = current head of the SEH chain
mov fs:[0],esp                      ; fs:[0] -> our frame
xor eax,eax
mov dword ptr [eax],eax             ; store to address 0 -> access violation -> _handler
_safePlace:
pop fs:[0]                          ; unlink: restore the previous chain head
pop eax                             ; discard frame.handler
invoke MessageBox,NULL,addr szText,NULL,MB_OK ;222 -- popup 222: main program
invoke ExitProcess,NULL
end start
; Observed: popup 111 appears twice, popup 222 once.