Rebuild Exception Information of a x86 64Bit Pe-File Disassembly
Stefan Sellmer
stefansel at hotmail.de
Thu Jun 14 00:03:52 PDT 2007
Hi List, In the past i wrote a disassembler which is able to produce recompileable code of programs which are written in C(x68 -32bit pe-files) and are compiled with msvc 7.After the asm-listing was created by the disassembler, it is was easy to obfuscate it on text level and assemble it again with yasm and then link it again with cl(msvc 7).This was done in order to protect a driver + additional programs from reverse engineering.Now i try the same with x86 64-bit pe-files, but there is one problem, is it possible to rebuild the the Exception Information???For Example : int main(){ char* p=0; printf("hello world\n"); __try{ *p='c'; } __except(EXCEPTION_EXECUTE_HANDLER){ printf("exception\n"); } return 1;}Looks in Ida-Pro like this:.text:0000000000401000 ; int __cdecl main(int argc,const char **argv,const char *envp).text:0000000000401000 main proc near ; CODE XREF: start+16C�p.text:0000000000401000 ; DATA XREF: .pdata:ExceptionDir�o.text:0000000000401000.text:0000000000401000 var_18 = qword ptr -18h.text:0000000000401000.text:0000000000401000 sub rsp, 38h.text:0000000000401004 mov [rsp+38h+var_18], 0.text:000000000040100D lea rcx, aHelloWorld ; "hello world\n".text:0000000000401014 call printf.text:0000000000401019 nop.text:000000000040101A.text:000000000040101A BeginTryBlock: ; DATA XREF: .rdata:00000000004020A8�o.text:000000000040101A mov rax, [rsp+38h+var_18].text:000000000040101F mov byte ptr [rax], 63h.text:0000000000401022 jmp short loc_401031.text:0000000000401024 ; ---------------------------------------------------------------------------.text:0000000000401024.text:0000000000401024 JumpTarget_execptBlock: ; DATA XREF: .rdata:00000000004020A8�o.text:0000000000401024 lea rcx, aException ; "exception\n".text:000000000040102B call printf.text:0000000000401030 nop.text:0000000000401031.text:0000000000401031 loc_401031: ; CODE XREF: main+22�j.text:0000000000401031 mov eax, 1.text:0000000000401036 add rsp, 38h.text:000000000040103A retn.text:000000000040103A main endpThe UnWind-Information:.rdata:0000000000402098 MyExecption UNWIND_INFO <9, 4, 1, 0>.rdata:0000000000402098 ; DATA XREF: .pdata:ExceptionDir�o.rdata:000000000040209C UNWIND_CODE <4, 62h> ; UWOP_ALLOC_SMALL.rdata:000000000040209E align 4.rdata:00000000004020A0 dd rva __C_specific_handler.rdata:00000000004020A4 dd 1.rdata:00000000004020A8 C_SCOPE_TABLE <rva BeginTryBlock, rva JumpTarget_execptBlock, \.rdata:00000000004020A8 rva ExecptHandler, rva JumpTarget_execptBlock>The Content of the Exception Directory:.pdata:0000000000404000 ExceptionDir RUNTIME_FUNCTION <rva main, rva EndOfMain, rva MyExecption>.pdata:000000000040400C RUNTIME_FUNCTION <rva ExecptHandler, rva __C_specific_handler, \.pdata:000000000040400C rva stru_4020B8>You see IDA displays every reference correct...now my question is:Is there a way to rewrite this assembler listing, that yasm will rebuild the Unwind information+ Exception Directory equal to the original one????It can look different but the functionality should be the same.p.s. i read already this http://www.tortall.net/projects/yasm/manual/html/objfmt-win64-exception.htmlpart of the documetation.any hint is is appreciated.Best regards, Stefan
_________________________________________________________________
Gefunden! Tolle Bilder von Kati Witt gibt es hier!
http://search.msn.de/images/results.aspx?q=katarina%20witt&form=MIDGPS
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://cvs.tortall.net/pipermail/yasm-devel/attachments/20070614/c8fab5d4/attachment.html
More information about the yasm-devel
mailing list