Hullo,

I have recently discovered the world of the assembler language and after having learned the different processor instructions I realized that I did not know how to code even the simplest application.
So I started writing simple applications in higher level languages (especially C) and studying the generated assembler code. Using a very user friendly debugger such as OllyDbg I sometimes see instructions I can't understand, such as the following. Can anyone explain them to me?

What is the meaning of the following lines:

0040110F LEA EAX,DWORD PTR DS:[40332A] ; Structured exception handler
004010B3 PUSH DWORD PTR FS:[0]

Why does OllyDbg print "Structured exception handler" for the line at 0040110F and what is FS:[0]?
Also, I have seen in an application the use of the PUSHFD and POPFD instructions. What do they accomplish? What is the typical situation in which to use them? I have read that they push/pop the flags register on/from the stack but this tells me nothing about where and what to use them for.

Thank you.
S.
Posted on 2003-12-05 14:18:27 by seppuku
1. Mov the address into eax from the address pointed to by the code selector CS at 0x40332A.
2. Push the dword value (32-bit) from the code selector FS at memory 0.
3. Save the 32-bit flags and load them back. Use pushfd if the next instruction changes the flags.
Posted on 2003-12-05 16:31:56 by realvampire
realvampire,

I probably haven't been clear enough about my being new to assembler programming .... so, I'll make more specific questions:

1) why does OllyDbg label the line LEA EAX,DWORD PTR DS:[40332A] as "Structured exception handler"?
2) what is FS and specifically position 0?
3) when and why would you use PUSHFD and POPFD (I already know their meaning; I simply don't see when they could be employed)?

Thanks.
S.
Posted on 2003-12-05 17:23:32 by seppuku
1) the address loaded into eax is the address of an exception handler routine
2) at fs:[0] the OS keeps a list of exception handlers for the current process, I assume eax will be added to that list in the lines following the ones you've pasted
3) Basically you use them when you want to 'squeeze in' some extra code (in this case an exception handler), and then want to restore the CPU state, so the original code can continue without problems.
The exception handler code may write to the flags register, so the original flags for the code that caused the exception would be lost. By using pushfd/popfd you can save and restore the flags, and after the exception was handled, you can return to the code that caused the exception and resume where it left off.
Posted on 2003-12-05 17:42:50 by Bruce-li
Hello Bruce,

thanks for your answers.
Please let me verify my understanding of what you said:

1) OllyDbg has probably labeled the line LEA EAX,DWORD PTR DS:[40332A] with "Structured exception handler" based on the code that follows, because it could not be deduced from this instruction alone.

2) how do you add a routine to the list of exception handlers having its address in a register?

3) ok, this was very clear.

Since everything here has to do with exception handlers I will have to take a look at that article titled "exception handling for assembler programmers".

S.
Posted on 2003-12-05 18:00:39 by seppuku
1) correct
2) It's been quite a while since I've used SEH, so I may not be 100% correct...
But if I'm not mistaken, at fs:[0] there is a linked list that is formed by nodes of 2 dwords each (so actually a struct).
The first dword is the pointer to the current exception handler, the second dword is a pointer to the next node, with another exception handler.
(The OS will walk down this list and call all handlers. It stops as soon as one of the exception handlers has accepted the current exception code, performed its work, and returned a value that indicates that the exception was handled.)

So a common scenario is to create the node on the stack. I assume that the PUSH DWORD PTR FS:[0] pushes the current exception handler list to the stack, then it pushes eax, et voila, you have the node on the stack. So then it will load the value of esp into fs:[0], and the new exception handler node is added at the front of the list.
Am I right?
Posted on 2003-12-05 18:11:13 by Bruce-li
An SEH is usually begun with the following code:

push handler            ; node.handler = address of the handler routine
push dword [fs:ecx]     ; node.prev = current head of the chain (assumes ecx = 0, so [fs:ecx] is fs:[0])
mov [fs:ecx], esp       ; fs:[0] = address of the new node on the stack

And ends with

pop dword [fs:esi]      ; fs:[0] = node.prev, unlinking the node (assumes esi = 0)
add esp, 4              ; discard node.handler
Posted on 2003-12-05 21:34:35 by roticv
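The following is an added example, not code from the thread or from any of the posters: a complete MASM32-style program that installs an fs:[0] frame with the same three instructions roticv shows, recovers from a deliberate access violation, and then demonstrates the PUSHFD/POPFD usage Bruce-li describes (a "squeezed-in" routine that must leave the caller's flags intact). The include paths assume the MASM32 SDK layout; the names Handler, Trace, SafePlace and the message strings are constructed for this example.

```asm
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc      ; assumes MASM32 SDK paths
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
szCaption db "SEH demo", 0                                  ; constructed strings
szHandled db "Handler ran, execution resumed at SafePlace", 0
szTrace   db "Inside Trace, called between CMP and JNE", 0
szFlags   db "Flags survived the call to Trace", 0

.code

; Exception handler with the signature Windows expects for an fs:[0] frame:
;   EXCEPTION_DISPOSITION __cdecl Handler(EXCEPTION_RECORD*, void* frame,
;                                         CONTEXT*, void* dispatcher)
; It redirects the thread to SafePlace by editing Eip in the saved CONTEXT and
; returns ExceptionContinueExecution (0) so the OS resumes execution there.
Handler proc C pExcept:DWORD, pFrame:DWORD, pContext:DWORD, pDispatch:DWORD
    mov  eax, pContext
    assume eax:ptr CONTEXT
    mov  [eax].regEip, offset SafePlace     ; windows.inc names the field regEip
    assume eax:nothing
    xor  eax, eax                           ; ExceptionContinueExecution
    ret
Handler endp

; "Squeezed-in" code that must leave the caller's state untouched: the API call
; below changes EFLAGS and the scratch registers, so PUSHFD/POPFD save and
; restore the flags and PUSHAD/POPAD do the same for the general registers.
Trace proc
    pushfd
    pushad
    invoke MessageBox, NULL, addr szTrace, addr szCaption, MB_OK
    popad
    popfd
    ret
Trace endp

start:
    assume fs:nothing
    ; Install the frame: the same three steps as the listing in the question.
    push offset Handler     ; node.handler (the address OllyDbg labels "Structured exception handler")
    push fs:[0]             ; node.prev = current head of the handler chain
    mov  fs:[0], esp        ; head = our node, which lives on the stack

    xor  eax, eax
    mov  eax, [eax]         ; deliberate read of address 0: access violation -> Handler runs

SafePlace:
    ; Unlink the frame before these stack slots are reused.
    pop  fs:[0]             ; head = node.prev
    add  esp, 4             ; discard node.handler
    invoke MessageBox, NULL, addr szHandled, addr szCaption, MB_OK

    ; PUSHFD/POPFD demonstration: the conditional jump after Trace still sees
    ; the result of this CMP, because Trace restored EFLAGS before returning.
    mov  eax, 5
    cmp  eax, 5
    call Trace
    jne  Mismatch           ; taken only if Trace had corrupted the zero flag
    invoke MessageBox, NULL, addr szFlags, addr szCaption, MB_OK
    invoke ExitProcess, 0
Mismatch:
    invoke ExitProcess, 1
end start
```

Two points worth checking when you try this on your own machine: the node is only valid while those two stack slots are untouched, so unlink it (pop fs:[0] / add esp, 4) before the function that pushed it returns; and on an image linked with /SAFESEH the OS will only call handlers listed in the image's SafeSEH table, so a handler registered this way is silently skipped unless the build registers it.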