Re: push pop ebp

From: Alex McDonald (alex_mcd_at_btopenworld.com)
Date: 07/12/04


Date: Sun, 11 Jul 2004 22:45:08 +0000 (UTC)


"f0dder" <f0dder_spicedham@flork.dk> wrote in message
news:40f13fa1$0$165$edfadb0f@dtext01.news.tele.dk...

===snipped

> >
> I'm not sure why, but SEH frames must indeed be on the stack, and they
> must come in sequential order - it's very hard to fool around with them.
>
> Also, if you plan to set up your own stack space somewhere out of the
> region initially defined by the windows loader, you will have to mess
> with two fields in the TEB (the [fs:xx] stuff), to indicate the valid
> upper and lower bounds for the stack (I assume these fields were added
> to avoid/detect stack over and underflows). [FS:4] is the upper limit,
> [FS:8] is the lower limit. I think these might be interpreted as signed
> numbers, at least the code I have here sets the upper limit to 7FFFFFFF.
>
>

The TEB/TIB is sort-of documented in WINTERNL.H. The stack can't be above
the 2GB limit, so it's unsigned.

http://blogs.msdn.com/greggm/archive/2004/03/16/90720.aspx for a discussion
of why processes just sometimes disappear.

http://blogs.msdn.com/cbrumme/archive/2003/10/01/51524.aspx "We’ve already
seen that SEH records are necessarily built on the stack. And in fact the
OS actually checks to be sure they are within the stack bounds. Those SEH
records contain callback pointers which the OS will invoke if an exception
occurs. So another way to exploit a buffer overrun is to rewrite the
callback pointer in an SEH record on the stack. There’s a new linker switch
(/SAFESEH) that can provide its own speed bump against this sort of attack.
Modules built this way declare that all their handlers are embedded in a
table in the image; they do not point to arbitrary code sequences sprinkled
in the stack or in heap blocks. During exception processing, the exception
callbacks can be validated against this table."

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vcmasm/html/vclrfSAFESEH.asp
and
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vccore/html/vclrfSAFESEHImageHasSafeExceptionHandlers.asp
for SAFESEH options in ML.EXE (latest MASM version 7.10.3077) and VC++;
looks like it sets something in the PE (?) to identify where the non-stack
SEH structures are allocated. It doesn't appear to be very well documented;
Googling got very few hits.

-- 
Regards
Alex McDonald
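As an added illustration (my own model, not code from this thread, from f0dder or from Windows): a small Python simulation of the two checks the quoted passage describes, the record-must-lie-inside-the-stack-bounds test (FS:[4]/FS:[8]) and the SafeSEH handler-table lookup, run over a constructed 32-bit stack image. The stack bounds, image base and table contents are made-up sample values.

```python
import struct

EXCEPTION_CHAIN_END = 0xFFFFFFFF
RECORD_SIZE = 8  # EXCEPTION_REGISTRATION_RECORD: DWORD Next, DWORD Handler

# Constructed sample process (values made up for this example): a 64 KB
# stack bounded by FS:[8] (limit) and FS:[4] (base), and one image linked
# with /SAFESEH whose load-config table lists two handler RVAs.
STACK_LIMIT = 0x00120000   # lower bound, FS:[8]
STACK_BASE = 0x00130000    # upper bound, FS:[4]
IMAGES = [(0x00400000, 0x10000, {0x1234, 0x2000})]  # (base, size, table)

def build_stack(records):
    """Lay out {address: (Next, Handler)} records into a stack image."""
    stack = bytearray(STACK_BASE - STACK_LIMIT)
    for addr, (nxt, handler) in records.items():
        struct.pack_into("<II", stack, addr - STACK_LIMIT, nxt, handler)
    return bytes(stack)

def handler_is_valid(handler, images=IMAGES):
    """Handler must lie inside a loaded image; if that image registered a
    SafeSEH table, the handler's RVA must be listed in it. A pointer into
    the stack, the heap or unmapped memory is never accepted."""
    for base, size, table in images:
        if base <= handler < base + size:
            return table is None or (handler - base) in table
    return False

def walk_seh_chain(stack, head, limit=STACK_LIMIT, base=STACK_BASE):
    """Walk the chain from head (the value at FS:[0]) to the end marker,
    applying the dispatcher's bounds, alignment and handler checks.
    Returns (ok, reason, handlers in the order they would be called)."""
    handlers, seen, rec = [], set(), head
    while rec != EXCEPTION_CHAIN_END:
        if rec < limit or rec + RECORD_SIZE > base or rec & 3 or rec in seen:
            return False, "record outside stack bounds or chain loops", handlers
        seen.add(rec)
        nxt, handler = struct.unpack_from("<II", stack, rec - limit)
        if not handler_is_valid(handler):
            return False, "handler rejected", handlers
        handlers.append(handler)
        rec = nxt
    return True, "ok", handlers

# Well-formed chain: two frames, both handlers in the SafeSEH table.
GOOD = build_stack({0x0012FF70: (0x0012FFE0, 0x00401234),
                    0x0012FFE0: (EXCEPTION_CHAIN_END, 0x00402000)})
# Corrupted first frame: its handler field now points into the stack.
BAD = build_stack({0x0012FF70: (0x0012FFE0, 0x0012FF80),
                   0x0012FFE0: (EXCEPTION_CHAIN_END, 0x00402000)})
```

A module that was not linked with /SAFESEH is modelled with `table=None`, which this simulation accepts without constraint, as the quoted text implies.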