📄 asmfuncs.asm
;; result in a variable since we'll need this again.
.IF ExceptionNumber == EXCPT32_DOUBLE_FAULT
mov ExtraPush, 1
.ELSEIF ExceptionNumber == EXCPT32_INVALID_TSS
mov ExtraPush, 1
.ELSEIF ExceptionNumber == EXCPT32_SEG_NOT_PRESENT
mov ExtraPush, 1
.ELSEIF ExceptionNumber == EXCPT32_STACK_FAULT
mov ExtraPush, 1
.ELSEIF ExceptionNumber == EXCPT32_GP_FAULT
mov ExtraPush, 1
.ELSEIF ExceptionNumber == EXCPT32_PAGE_FAULT
mov ExtraPush, 1
.ELSEIF ExceptionNumber == EXCPT32_ALIGNMENT_CHECK
mov ExtraPush, 1
.ELSE
mov ExtraPush, 0
.ENDIF
;; If there's some extra data, save it also, and modify the saved AppEsp to effectively
;; pop this value off the application's stack.
.IF ExtraPush == 1
mov eax, AppEsp
mov ebx, [eax]
mov ExceptData, ebx
add eax, 4
mov AppEsp, eax
.ELSE
mov ExceptData, 0
.ENDIF
;; The "pushad" above pushed the debug stack esp. Since what we're actually doing
;; is building the context record on the debug stack, we need to save the pushed
;; debug ESP, and replace it with the application's last stack entry...
mov eax, [esp + 12]
mov DebugEsp, eax
mov eax, AppEsp
add eax, 12
; application stack has eflags, cs, & eip, so
; last actual application stack entry is
; 12 bytes into the application stack.
mov [esp + 12], eax
;; continue building context record
;; UINT32 Gs, Fs, Es, Ds, Cs, Ss; insure high 16 bits of each is zero
mov eax, ss
push eax
; CS from application is one entry back in application stack
mov eax, AppEsp
movzx eax, word ptr [eax + 4]
push eax
mov eax, ds
push eax
mov eax, es
push eax
mov eax, fs
push eax
mov eax, gs
push eax
;; UINT32 Eip;
; Eip from application is on top of application stack
mov eax, AppEsp
push dword ptr [eax]
;; UINT64 Gdtr, Idtr;
push 0
push 0
sidt fword ptr [esp]
push 0
push 0
sgdt fword ptr [esp]
;; UINT32 Ldtr, Tr;
xor eax, eax
str ax
push eax
sldt ax
push eax
;; UINT32 EFlags;
;; Eflags from application is two entries back in application stack
mov eax, AppEsp
push dword ptr [eax + 8]
;; UINT32 Cr0, Cr1, Cr2, Cr3, Cr4;
;; insure FXSAVE/FXRSTOR is enabled in CR4...
;; ... while we're at it, make sure DE is also enabled...
mov eax, cr4
or eax, 208h
mov cr4, eax
push eax
mov eax, cr3
push eax
mov eax, cr2
push eax
push 0
mov eax, cr0
push eax
;; UINT32 Dr0, Dr1, Dr2, Dr3, Dr6, Dr7;
mov eax, dr7
push eax
;; clear Dr7 while executing debugger itself
xor eax, eax
mov dr7, eax
mov eax, dr6
push eax
;; insure all status bits in dr6 are clear...
xor eax, eax
mov dr6, eax
mov eax, dr3
push eax
mov eax, dr2
push eax
mov eax, dr1
push eax
mov eax, dr0
push eax
;; FX_SAVE_STATE FxSaveState;
sub esp, 512
mov edi, esp
; IMPORTANT!! The debug stack has been carefully constructed to
; insure that esp and edi are 16 byte aligned when we get here.
; They MUST be. If they are not, a GP fault will occur.
FXSTOR_EDI
;; UINT32 ExceptionData;
mov eax, ExceptData
push eax
; call to C code which will in turn call registered handler
; pass in the vector number
mov eax, esp
push eax
mov eax, ExceptionNumber
push eax
call InterruptDistrubutionHub
add esp, 8
; restore context...
;; UINT32 ExceptionData;
add esp, 4
;; FX_SAVE_STATE FxSaveState;
mov esi, esp
FXRSTOR_ESI
add esp, 512
;; UINT32 Dr0, Dr1, Dr2, Dr3, Dr6, Dr7;
pop eax
mov dr0, eax
pop eax
mov dr1, eax
pop eax
mov dr2, eax
pop eax
mov dr3, eax
;; skip restore of dr6. We cleared dr6 during the context save.
add esp, 4
pop eax
mov dr7, eax
;; UINT32 Cr0, Cr1, Cr2, Cr3, Cr4;
pop eax
mov cr0, eax
add esp, 4
pop eax
mov cr2, eax
pop eax
mov cr3, eax
pop eax
mov cr4, eax
;; UINT32 EFlags;
mov eax, AppEsp
pop dword ptr [eax + 8]
;; UINT16 Ldtr, Tr;
;; UINT64 Gdtr, Idtr;
;; Best not let anyone mess with these particular registers...
add esp, 24
;; UINT32 Eip;
pop dword ptr [eax]
;; UINT32 SegGs, SegFs, SegEs, SegDs, SegCs, SegSs;
;; bugbug - modified segment registers could hang the debugger... Should we
;; attempt to insulate ourselves against this possibility?
pop gs
pop fs
pop es
pop ds
pop [eax + 4]
pop ss
;; bugbug - before restoring the last bit of stuff, we need to check and
;; possibly move application stack top.
;; The next stuff to restore is the general purpose registers that were pushed
;; using the pushad instruction.
;;
;; The value of ESP as stored in the context record is the application ESP
;; including the 3 entries on the application stack caused by the exception
;; itself. It may have been modified by the debug agent, so we need to
;; determine if we need to relocate the application stack.
mov ebx, [esp + 12] ; move the potentially modified AppEsp into ebx
mov eax, AppEsp
add eax, 12
cmp ebx, eax
je NoAppStackMove
mov eax, AppEsp
mov ecx, [eax] ; EIP
mov [ebx], ecx
mov ecx, [eax + 4] ; CS
mov [ebx + 4], ecx
mov ecx, [eax + 8] ; EFLAGS
mov [ebx + 8], ecx
mov eax, ebx ; modify the saved AppEsp to the new AppEsp
mov AppEsp, eax
NoAppStackMove:
mov eax, DebugEsp ; restore the DebugEsp on the debug stack
; so our popad will not cause a stack switch
mov [esp + 12], eax
cmp ExceptionNumber, 068h
jne NoChain
Chain:
;; Restore eflags so when we chain, the flags will be exactly as if we were never here.
;; We gin up the stack to do an iretd so we can get ALL the flags.
mov eax, AppEsp
mov ebx, [eax + 8]
and ebx, NOT 300h ; special handling for IF and TF
push ebx
push cs
push PhonyIretd
iretd
PhonyIretd:
;; UINT32 Edi, Esi, Ebp, Esp, Ebx, Edx, Ecx, Eax;
popad
;; Switch back to application stack
mov esp, AppEsp
;; Jump to original handler
jmp OrigVector
NoChain:
;; UINT32 Edi, Esi, Ebp, Esp, Ebx, Edx, Ecx, Eax;
popad
;; Switch back to application stack
mov esp, AppEsp
;; We're outa here...
iretd
END