miasm.os_dep.win_api_x86_32_seh Namespace Reference

Classes

class  LoadedModules
 

Functions

def build_teb (jitter, teb_address)
 
def build_peb (jitter, peb_address)
 
def build_ldr_data (jitter, modules_info)
 
def create_modules_chain (jitter, name2module)
 
def set_link_list_entry (jitter, loaded_modules, modules_info, offset)
 
def fix_InLoadOrderModuleList (jitter, modules_info)
 
def fix_InMemoryOrderModuleList (jitter, modules_info)
 
def fix_InInitializationOrderModuleList (jitter, modules_info)
 
def add_process_env (jitter)
 
def add_process_parameters (jitter)
 
def init_seh (jitter)
 
def regs2ctxt (jitter, context_address)
 
def ctxt2regs (jitter, ctxt_ptr)
 
def fake_seh_handler (jitter, except_code, previous_seh=None)
 
def dump_seh (jitter)
 
def set_win_fs_0 (jitter, fs=4)
 
def return_from_seh (jitter)
 

Variables

int EXCEPTION_BREAKPOINT = 0x80000003
 
int EXCEPTION_SINGLE_STEP = 0x80000004
 
int EXCEPTION_ACCESS_VIOLATION = 0xc0000005
 
int EXCEPTION_INT_DIVIDE_BY_ZERO = 0xc0000094
 
int EXCEPTION_PRIV_INSTRUCTION = 0xc0000096
 
int EXCEPTION_ILLEGAL_INSTRUCTION = 0xc000001d
 
 log = logging.getLogger("seh_helper")
 
 console_handler = logging.StreamHandler()
 
int tib_address = 0x7ff70000
 
int PEB_AD = 0x7ffdf000
 
int LDR_AD = 0x340000
 
int DEFAULT_SEH = 0x7ffff000
 
int MAX_MODULES = 0x40
 
int peb_address = PEB_AD
 
int peb_ldr_data_offset = 0x1ea0
 
int peb_ldr_data_address = LDR_AD + peb_ldr_data_offset
 
int modules_list_offset = 0x1f00
 
int InInitializationOrderModuleList_offset = 0x1ee0
 
int InInitializationOrderModuleList_address = LDR_AD + \
 
int InLoadOrderModuleList_offset = 0x1ee0 + \
 
int InLoadOrderModuleList_address = LDR_AD + \
 
int process_environment_address = 0x10000
 
int process_parameters_address = 0x200000
 
int return_from_exception = 0x6eadbeef
 
list name2module = []
 
 main_pe = None
 
string main_pe_name = "c:\\xxx\\toto.exe"
 
int MAX_SEH = 5
 
int seh_count = 0
 

Function Documentation

◆ add_process_env()

def miasm.os_dep.win_api_x86_32_seh.add_process_env (   jitter)
Build a process environment structure
@jitter: jitter instance

◆ add_process_parameters()

def miasm.os_dep.win_api_x86_32_seh.add_process_parameters (   jitter)
Build a process parameters structure
@jitter: jitter instance

◆ build_ldr_data()

def miasm.os_dep.win_api_x86_32_seh.build_ldr_data (   jitter,
  modules_info 
)
Build the loader information using the following structure:

+0x000 Length                          : Uint4B
+0x004 Initialized                     : UChar
+0x008 SsHandle                        : Ptr32 Void
+0x00c InLoadOrderModuleList           : _LIST_ENTRY
+0x014 InMemoryOrderModuleList         : _LIST_ENTRY
+0x01C InInitializationOrderModuleList         : _LIST_ENTRY
# dummy dll base
+0x024 DllBase : Ptr32 Void

@jitter: jitter instance
@modules_info: LoadedModules instance

◆ build_peb()

def miasm.os_dep.win_api_x86_32_seh.build_peb (   jitter,
  peb_address 
)
Build the PEB information using the following structure:

@jitter: jitter instance
@peb_address: the PEB address

◆ build_teb()

def miasm.os_dep.win_api_x86_32_seh.build_teb (   jitter,
  teb_address 
)
Build the TEB information using the following structure:

@jitter: jitter instance
@teb_address: the TEB address

◆ create_modules_chain()

def miasm.os_dep.win_api_x86_32_seh.create_modules_chain (   jitter,
  name2module 
)
Create the module entries. The modules are not linked together in this function.

@jitter: jitter instance
@name2module: dict containing association between name and its pe instance

◆ ctxt2regs()

def miasm.os_dep.win_api_x86_32_seh.ctxt2regs (   jitter,
  ctxt_ptr 
)
Restore the x86_32 registers from an exception context
@jitter: jitload instance
@ctxt_ptr: address of the serialized context

◆ dump_seh()

def miasm.os_dep.win_api_x86_32_seh.dump_seh (   jitter)
Walk and dump the SEH entries
@jitter: jitter instance

◆ fake_seh_handler()

def miasm.os_dep.win_api_x86_32_seh.fake_seh_handler (   jitter,
  except_code,
  previous_seh = None 
)
Create an exception context
@jitter: jitter instance
@except_code: x86 exception code
@previous_seh: (optional) last SEH address when multiple SEH are used

◆ fix_InInitializationOrderModuleList()

def miasm.os_dep.win_api_x86_32_seh.fix_InInitializationOrderModuleList (   jitter,
  modules_info 
)
Fix the InInitializationOrderModuleList doubly linked list. The first module is
ntdll, then kernel32.

@jitter: the jitter instance
@modules_info: the LoadedModules instance

◆ fix_InLoadOrderModuleList()

def miasm.os_dep.win_api_x86_32_seh.fix_InLoadOrderModuleList (   jitter,
  modules_info 
)
Fix the InLoadOrderModuleList doubly linked list. The first module is the main PE,
then ntdll, then kernel32.

@jitter: the jitter instance
@modules_info: the LoadedModules instance

◆ fix_InMemoryOrderModuleList()

def miasm.os_dep.win_api_x86_32_seh.fix_InMemoryOrderModuleList (   jitter,
  modules_info 
)
Fix the InMemoryOrderLinks doubly linked list. The first module is the main PE,
then ntdll, then kernel32.

@jitter: the jitter instance
@modules_info: the LoadedModules instance

◆ init_seh()

def miasm.os_dep.win_api_x86_32_seh.init_seh (   jitter)
Build the module entries and create the double links between them
@jitter: jitter instance

◆ regs2ctxt()

def miasm.os_dep.win_api_x86_32_seh.regs2ctxt (   jitter,
  context_address 
)
Build the x86_32 CPU context used for exception handling
@jitter: jitload instance

◆ return_from_seh()

def miasm.os_dep.win_api_x86_32_seh.return_from_seh (   jitter)
Handle the return from an exception handler
@jitter: jitter instance

◆ set_link_list_entry()

def miasm.os_dep.win_api_x86_32_seh.set_link_list_entry (   jitter,
  loaded_modules,
  modules_info,
  offset 
)

◆ set_win_fs_0()

def miasm.os_dep.win_api_x86_32_seh.set_win_fs_0 (   jitter,
  fs = 4 
)
Set the FS segment selector and create its corresponding segment
@jitter: jitter instance
@fs: segment selector value

Variable Documentation

◆ console_handler

miasm.os_dep.win_api_x86_32_seh.console_handler = logging.StreamHandler()

◆ DEFAULT_SEH

int miasm.os_dep.win_api_x86_32_seh.DEFAULT_SEH = 0x7ffff000

◆ EXCEPTION_ACCESS_VIOLATION

int miasm.os_dep.win_api_x86_32_seh.EXCEPTION_ACCESS_VIOLATION = 0xc0000005

◆ EXCEPTION_BREAKPOINT

int miasm.os_dep.win_api_x86_32_seh.EXCEPTION_BREAKPOINT = 0x80000003

◆ EXCEPTION_ILLEGAL_INSTRUCTION

int miasm.os_dep.win_api_x86_32_seh.EXCEPTION_ILLEGAL_INSTRUCTION = 0xc000001d

◆ EXCEPTION_INT_DIVIDE_BY_ZERO

int miasm.os_dep.win_api_x86_32_seh.EXCEPTION_INT_DIVIDE_BY_ZERO = 0xc0000094

◆ EXCEPTION_PRIV_INSTRUCTION

int miasm.os_dep.win_api_x86_32_seh.EXCEPTION_PRIV_INSTRUCTION = 0xc0000096

◆ EXCEPTION_SINGLE_STEP

int miasm.os_dep.win_api_x86_32_seh.EXCEPTION_SINGLE_STEP = 0x80000004

◆ InInitializationOrderModuleList_address

int miasm.os_dep.win_api_x86_32_seh.InInitializationOrderModuleList_address = LDR_AD + \

◆ InInitializationOrderModuleList_offset

int miasm.os_dep.win_api_x86_32_seh.InInitializationOrderModuleList_offset = 0x1ee0

◆ InLoadOrderModuleList_address

int miasm.os_dep.win_api_x86_32_seh.InLoadOrderModuleList_address = LDR_AD + \

◆ InLoadOrderModuleList_offset

int miasm.os_dep.win_api_x86_32_seh.InLoadOrderModuleList_offset = 0x1ee0 + \

◆ LDR_AD

int miasm.os_dep.win_api_x86_32_seh.LDR_AD = 0x340000

◆ log

miasm.os_dep.win_api_x86_32_seh.log = logging.getLogger("seh_helper")

◆ main_pe

miasm.os_dep.win_api_x86_32_seh.main_pe = None

◆ main_pe_name

string miasm.os_dep.win_api_x86_32_seh.main_pe_name = "c:\\xxx\\toto.exe"

◆ MAX_MODULES

int miasm.os_dep.win_api_x86_32_seh.MAX_MODULES = 0x40

◆ MAX_SEH

int miasm.os_dep.win_api_x86_32_seh.MAX_SEH = 5

◆ modules_list_offset

int miasm.os_dep.win_api_x86_32_seh.modules_list_offset = 0x1f00

◆ name2module

list miasm.os_dep.win_api_x86_32_seh.name2module = []

◆ PEB_AD

int miasm.os_dep.win_api_x86_32_seh.PEB_AD = 0x7ffdf000

◆ peb_address

int miasm.os_dep.win_api_x86_32_seh.peb_address = PEB_AD

◆ peb_ldr_data_address

int miasm.os_dep.win_api_x86_32_seh.peb_ldr_data_address = LDR_AD + peb_ldr_data_offset

◆ peb_ldr_data_offset

int miasm.os_dep.win_api_x86_32_seh.peb_ldr_data_offset = 0x1ea0

◆ process_environment_address

int miasm.os_dep.win_api_x86_32_seh.process_environment_address = 0x10000

◆ process_parameters_address

int miasm.os_dep.win_api_x86_32_seh.process_parameters_address = 0x200000

◆ return_from_exception

int miasm.os_dep.win_api_x86_32_seh.return_from_exception = 0x6eadbeef

◆ seh_count

int miasm.os_dep.win_api_x86_32_seh.seh_count = 0

◆ tib_address

int miasm.os_dep.win_api_x86_32_seh.tib_address = 0x7ff70000