[求助]UnhandledExceptionFilter合适被调用的?-软件逆向-看雪-安全社区|安全招聘|kanxue.com

最新回复 (1)
Hacksign 雪币： 2313 活跃值： (4393) 能力值： ( LV9，RANK：140 ) 在线值：发帖 34 回帖 113 粉丝 38 关注私信	Hacksign 2 2 楼好吧,我特么2了...... 调用位置的确是在except_handler3里面: 0:000> kv ChildEBP RetAddr Args to Child 0022fa78 7c843892 0022faa0 7c839b21 0022faa8 kernel32!UnhandledExceptionFilter (FPO: [Non-Fpo]) 0022fa80 7c839b21 0022faa8 00000000 0022faa8 kernel32!BaseProcessStart+0x39 (FPO: [Non-Fpo]) 0022faa8 7c9232a8 0022fb94 0022ffe0 0022fba8 kernel32!_except_handler3+0x61 (FPO: [Uses EBP] [3,0,7]) 0022facc 7c92327a 0022fb94 0022ffe0 0022fba8 ntdll!ExecuteHandler2+0x26 0022fb7c 7c92e46a 00000000 0022fba8 0022fb94 ntdll!ExecuteHandler+0x24 0022fb7c 7c812aeb 00000000 0022fba8 0022fb94 ntdll!KiUserExceptionDispatcher+0xe (FPO: [2,0,0]) (CONTEXT @ 0022fba8) 0022fec8 004015ec 11223344 00000000 00000000 kernel32!RaiseException+0x53 (FPO: [Non-Fpo]) WARNING: Stack unwind information not available. Following frames may be wrong. 0022fee8 004013e2 003e24c0 0000000a 00000001 image00400000+0x15ec 0022ffc0 7c817067 017af6ee 017af71c 7ffd5000 image00400000+0x13e2 0022fff0 00000000 004014e0 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo]) __except_handler3+B mov ebx, [ebp+TargetFrame] __except_handler3+E mov eax, [ebp+arg_0] __except_handler3+11 test dword ptr [eax+4], 6 __except_handler3+18 jnz loc_7C92E9C9 __except_handler3+1E mov [ebp+var_8], eax __except_handler3+21 mov eax, [ebp+arg_8] __except_handler3+24 mov [ebp+var_4], eax __except_handler3+27 lea eax, [ebp+var_8] __except_handler3+2A mov [ebx-4], eax __except_handler3+2D mov esi, [ebx+0Ch] __except_handler3+30 mov edi, [ebx+8] __except_handler3+33 push ebx __except_handler3+34 call __ValidateEH3RN __except_handler3+39 add esp, 4 __except_handler3+3C or eax, eax __except_handler3+3E jz short loc_7C92E9BB __except_handler3+40 __except_handler3+40 loc_7C92E940: ; CODE XREF: __except_handler3+B2j __except_handler3+40 cmp esi, 0FFFFFFFFh __except_handler3+43 jz short loc_7C92E9C2 __except_handler3+45 lea ecx, [esi+esi2] __except_handler3+48 mov eax, [edi+ecx4+4] __except_handler3+4C or eax, eax __except_handler3+4E jz short loc_7C92E9A9 __except_handler3+50 push esi __except_handler3+51 push ebp __except_handler3+52 lea ebp, [ebx+10h] __except_handler3+55 xor ebx, ebx __except_handler3+57 xor ecx, ecx __except_handler3+59 xor edx, edx __except_handler3+5B xor esi, esi __except_handler3+5D xor edi, edi __except_handler3+5F call eax __except_handler3+61 pop ebp __except_handler3+62 pop esi __except_handler3+63 mov ebx, [ebp+TargetFrame] 2015-9-26 18:14 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (1)

Hacksign

雪币： 2313

活跃值： (4393)

能力值：

( LV9，RANK：140 )

在线值：

发帖

回帖

113

粉丝

关注

私信

Hacksign 2: 2 楼

好吧,我特么2了......
调用位置的确是在except_handler3里面:

0:000> kv
ChildEBP RetAddr  Args to Child              
0022fa78 7c843892 0022faa0 7c839b21 0022faa8 kernel32!UnhandledExceptionFilter (FPO: [Non-Fpo])
0022fa80 7c839b21 0022faa8 00000000 0022faa8 kernel32!BaseProcessStart+0x39 (FPO: [Non-Fpo])
0022faa8 7c9232a8 0022fb94 0022ffe0 0022fba8 kernel32!_except_handler3+0x61 (FPO: [Uses EBP] [3,0,7])
0022facc 7c92327a 0022fb94 0022ffe0 0022fba8 ntdll!ExecuteHandler2+0x26
0022fb7c 7c92e46a 00000000 0022fba8 0022fb94 ntdll!ExecuteHandler+0x24
0022fb7c 7c812aeb 00000000 0022fba8 0022fb94 ntdll!KiUserExceptionDispatcher+0xe (FPO: [2,0,0]) (CONTEXT @ 0022fba8)
0022fec8 004015ec 11223344 00000000 00000000 kernel32!RaiseException+0x53 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
0022fee8 004013e2 003e24c0 0000000a 00000001 image00400000+0x15ec
0022ffc0 7c817067 017af6ee 017af71c 7ffd5000 image00400000+0x13e2
0022fff0 00000000 004014e0 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])

__except_handler3+B                    mov     ebx, [ebp+TargetFrame]
__except_handler3+E                    mov     eax, [ebp+arg_0]
__except_handler3+11                   test    dword ptr [eax+4], 6
__except_handler3+18                   jnz     loc_7C92E9C9
__except_handler3+1E                   mov     [ebp+var_8], eax
__except_handler3+21                   mov     eax, [ebp+arg_8]
__except_handler3+24                   mov     [ebp+var_4], eax
__except_handler3+27                   lea     eax, [ebp+var_8]
__except_handler3+2A                   mov     [ebx-4], eax
__except_handler3+2D                   mov     esi, [ebx+0Ch]
__except_handler3+30                   mov     edi, [ebx+8]
__except_handler3+33                   push    ebx
__except_handler3+34                   call    __ValidateEH3RN
__except_handler3+39                   add     esp, 4
__except_handler3+3C                   or      eax, eax
__except_handler3+3E                   jz      short loc_7C92E9BB
__except_handler3+40
__except_handler3+40   loc_7C92E940:                           ; CODE XREF: __except_handler3+B2j
__except_handler3+40                   cmp     esi, 0FFFFFFFFh
__except_handler3+43                   jz      short loc_7C92E9C2
__except_handler3+45                   lea     ecx, [esi+esi*2]
__except_handler3+48                   mov     eax, [edi+ecx*4+4]
__except_handler3+4C                   or      eax, eax
__except_handler3+4E                   jz      short loc_7C92E9A9
__except_handler3+50                   push    esi
__except_handler3+51                   push    ebp
__except_handler3+52                   lea     ebp, [ebx+10h]
__except_handler3+55                   xor     ebx, ebx
__except_handler3+57                   xor     ecx, ecx
__except_handler3+59                   xor     edx, edx
__except_handler3+5B                   xor     esi, esi
__except_handler3+5D                   xor     edi, edi
__except_handler3+5F                   call    eax
__except_handler3+61                   pop     ebp
__except_handler3+62                   pop     esi
__except_handler3+63                   mov     ebx, [ebp+TargetFrame]

2015-9-26 18:14