seh doubts

Started by JC1, August 12, 2006, 11:41:12 PM

JC1

I've read the exception handling tutorial written by Jeremy Gordon. http://win32assembly.online.fr/Exceptionhandling.html

There are some things not clear for me. He says that when the exception handler is called ESP+4 points to EXCEPTION_RECORD, ESP+8 points to the ERR structure and so on. Later in the article, instead of using ESP to access those structures, Jeremy uses EBP+8 to access the EXCEPTION_RECORD.
This seems to be correct, even though I think this is not verbally mentioned.
So, can I always assume that when the exception handler is called:

[esp+4]==[ebp+8]
[esp+8]==[ebp+0Ch]
[esp+0Ch]==[ebp+10h]
?

One more question. Do I need to fix the EBP and ESP values each time I want to continue execution from a safe place?



wjr

Do not always assume - you may use EBP instead only after these first two instructions...


ExceptionHandler:
        push    ebp
        mov     ebp,esp ;[ebp+8]=pEXCEPTION_RECORD
                        ;[ebp+0Ch]=pERR
                        ;[ebp+10h]=pCONTEXT

        push    ebx     ;save registers
        push    edi
        push    esi
        ;
        ;


...and then, in this example, saving registers will change ESP throwing off your assumed equivalence. You still could carefully just use ESP, but as in the above example you would then need to adjust the offsets according to stack usage.

Execution continuing from the safe place does require the proper value for ESP and EBP... however, depending upon the complexity of the code protected by the handler, these may not actually need fixing for the simple cases where the context record would already have the proper values.

WJR

ToutEnMasm

Hello,
use a standard frame proc and don't work with EBP and ESP; the proc does it much better than you.
All you have to know is:
First, is it a final handler or a handler, and how is the handler initialised?
A final handler is the first one installed.
Use SetUnhandledExceptionFilter to install it (supported by Win 98 and XP).

The callback for the final handler is like this:

FINAL_HANDLER PROC  uses esi edi ebx ExceptionInfo:DWORD     ;pointer to EXCEPTION_POINTERS structure
; report yourself to UnhandledExceptionFilter in the SDK
      local pExceptionRecord:DWORD
      local PCONTEXT:DWORD
   mov ebx,ExceptionInfo
   mov edx,DWORD ptr [ebx]      ;pExceptionRecord
   mov pExceptionRecord,edx
   mov excminidumppExceptionRecord,edx   
   mov ecx,DWORD ptr [ebx+4]      ;PCONTEXT
   mov excminidumpContext,ecx
   mov PCONTEXT,ecx
   mov ebx,pExceptionRecord
   mov eax,(EXCEPTION_RECORD ptr [ebx]).ExceptionFlags
   ;----- Is it possible to look at the error ? ----------
   .if eax ==EXCEPTION_NONCONTINUABLE
      invoke ExitProcess,NULL
   .endif

Depending on how you install the following handler (XP method or 98 method with FS:) you can have other Types of callback.
ToutEnMasm



JC1

Quote from: wjr on August 13, 2006, 04:05:15 AM
Do not always assume - you may use EBP instead only after these first two instructions...

Sure, in that case EBP is given the value of ESP. But in except1.asm, a demonstration program which comes with the article, we have this code:

HANDLER:
PUSH EBX,EDI,ESI        ;save registers as required by Windows
MOV EBX,[EBP+8]         ;get exception record in ebx                   <<-----
MOV EAX,[EBX+4]         ;get flag sent by the system
TEST AL,1h              ;see if it's a non-continuable exception


So, here EBP doesn't receive ESP value. Try to check these values as soon as the handler is executed:

[esp+4]==[ebp+8]
[esp+8]==[ebp+0Ch]
[esp+0Ch]==[ebp+10h]

In the little program I've attached they are equal after the handler is called. I don't know if I'm misunderstanding something.

[attachment deleted by admin]

wjr

Quote from: JC1
But in except1.asm, a demonstration program which comes with the article, we have this code...

A more recent version than what I had... I now see why you would ask.

Given the stack frames set up in both the article and the larger demonstration program except2.asm, in this case I suspect that Jeremy may have missed the above two instructions. However, it still worked most likely since the system's handler received the same info on the stack and set up its own stack frame from which it then passed on a copy of the info to the program's handler (so EBP initially different from ESP, yet with the relevant values pointed to being the same).

Although it does work, system code could change, so I would still stick with my initial response.

WJR
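The handler wjr recommends in this thread, as a complete added example (not code from the thread, nor from Jeremy Gordon's except1.asm): it builds its own frame before reading [ebp+8] and [ebp+10h], lets non-continuable exceptions pass to the next handler, and answers the second question by writing a saved ESP/EBP and a safe EIP into the CONTEXT before returning ExceptionContinueExecution. It assumes the MASM32 include paths and the CONTEXT field names regEip/regEsp/regEbp from MASM32's windows.inc; the disposition values 0 and 1 are written as literals, and SafeEsp/SafeEbp/SafePlace are names chosen here.

```asm
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc     ; assumed MASM32 layout
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
.data
SafeEsp dd 0        ; ESP/EBP snapshot taken before the protected code
SafeEbp dd 0
.code
; Frame-based handler. At entry the arguments sit at [esp+4..0Ch] and EBP
; holds whatever the dispatcher left in it, so set up a frame FIRST.
Handler proc
    push ebp
    mov  ebp, esp       ; [ebp+8]=pEXCEPTION_RECORD [ebp+0Ch]=pERR [ebp+10h]=pCONTEXT
    push ebx            ; save registers as Windows requires
    push esi
    push edi
    mov  ebx, [ebp+8]
    mov  esi, [ebp+10h]
    mov  eax, 1         ; ExceptionContinueSearch: pass it on by default
    test (EXCEPTION_RECORD ptr [ebx]).ExceptionFlags, EXCEPTION_NONCONTINUABLE
    jnz  done           ; cannot resume, let the next handler see it
    mov  eax, offset SafePlace          ; resume at the safe place...
    mov  (CONTEXT ptr [esi]).regEip, eax
    mov  eax, SafeEsp                   ; ...with the stack registers we saved
    mov  (CONTEXT ptr [esi]).regEsp, eax
    mov  eax, SafeEbp
    mov  (CONTEXT ptr [esi]).regEbp, eax
    mov  eax, 0         ; ExceptionContinueExecution
done:
    pop  edi
    pop  esi
    pop  ebx
    pop  ebp
    ret
Handler endp
start:
    assume fs:nothing
    push offset Handler     ; install frame-based handler: ERR record on the stack
    push fs:[0]
    mov  fs:[0], esp
    mov  SafeEsp, esp       ; snapshot the registers the handler will restore
    mov  SafeEbp, ebp
    xor  eax, eax
    mov  [eax], eax         ; access violation, caught by Handler
SafePlace:
    pop  fs:[0]             ; uninstall the handler
    add  esp, 4
    invoke ExitProcess, 0
end start
```

Because the handler restores ESP to the value saved after the ERR record was pushed, the uninstall at SafePlace finds the record where it expects it; in the simple case wjr mentions, where the fault happens with the same ESP/EBP as the snapshot, the two regEsp/regEbp writes change nothing.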