среда, 9 ноября 2016 г.

rfg longjumps

In IMAGE_LOAD_CONFIG_DIRECTORY64 there are two fields for setjmp/longjmp support - GuardLongJumpTargetTable & GuardLongJumpTargetCount. Lets see some module where this fields are not zero - for example hal.dll
load_config:
.rdata:00000001C003D510  dq offset __guard_longjmp_table ; load_config 0ffset b0
.rdata:00000001C003D518  dq 1


Check __guard_longjmp_table:
GFIDS:00000001C0073DC4 __guard_longjmp_table dd 8282h

Image base is 1C0000000. Look at address 1C0000000 + 8282 = 1c0008282:
.text:00000001C000827D   call    _setjmp
.text:00000001C0008282   mov     rbx, [rsp+38h+var_18]


It seems that this longjump return addresses checked in ntdll!RtlGuardCheckLongJumpTarget function:
.text:0000000180007E0E   mov   r8d, 0Ah     ; IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
.text:0000000180007E14   mov   dl, 1
.text:0000000180007E16   call  RtlImageDirectoryEntryToData
.text:0000000180007E1B   mov   rdx, rax
.text:0000000180007E1E   test  rax, rax
.text:0000000180007E21   jz    short loc_180007E93
.text:0000000180007E23   mov   eax, [rax]  ; IMAGE_LOAD_CONFIG_DIRECTORY64.Size
.text:0000000180007E25   cmp   eax, 0C0h
.text:0000000180007E2A   jb    short loc_180007E93
.text:0000000180007E2C   cmp   dword ptr [rsp+48h+arg_18], eax
.text:0000000180007E30   jnz   short loc_180007E93
.text:0000000180007E32   test  dword ptr [rdx+90h], 10000h
.text:0000000180007E3C   jz    short loc_180007E93
.text:0000000180007E3E   mov   eax, esi
.text:0000000180007E40   sub   eax, dword ptr [rsp+48h+var_10]
.text:0000000180007E44   mov   [rsp+48h+var_18], eax
.text:0000000180007E48   mov   eax, [rdx+90h]
.text:0000000180007E4E   mov   r8, [rdx+0B8h] ; IMAGE_LOAD_CONFIG_DIRECTORY64.GuardLongJumpTargetCount
.text:0000000180007E55   shr   eax, 1Ch
.text:0000000180007E58   add   eax, 4
.text:0000000180007E5B   test  r8, r8
.text:0000000180007E5E   jz    loc_1800AD2B7
.text:0000000180007E64   and   [rsp+48h+var_20], 0
.text:0000000180007E6A   lea   rcx, [rsp+48h+var_18]      ; void *
.text:0000000180007E6F   mov   rdx, [rdx+0B0h]            ; IMAGE_LOAD_CONFIG_DIRECTORY64.GuardLongJumpTargetTable
.text:0000000180007E76   mov   r9d, eax                   ; size_t
.text:0000000180007E79   lea   rax, RtlpTargetCompare
.text:0000000180007E80   mov   [rsp+48h+var_28], rax
.text:0000000180007E85   call  bsearch_s
...

.text:0000000180089970 RtlpTargetCompare proc near 
.text:0000000180089970   mov   eax, [rdx] ; load rva from
__guard_longjmp_table
.text:0000000180089972   sub   eax, [r8]
.text:0000000180089975   retn
.text:0000000180089975 RtlpTargetCompare endp

Комментариев нет:

Отправить комментарий