Manual Mapping and EH support

[Cypher]

Hey all, as some of you may already know, one of the modules in my HadesMem project is a manual mapper. The overall aim is to write a stable and reliable manual mapper for both x86 and x64.

Currently I have the basics working under both architectures (imports, relocs, sections, etc), however I'm having a bit of trouble with getting exception handling working.

Because of new security mechanisms in Windows, for targets with DEP enabled you can no longer just inject your code and run it, as exception handlers are now validated. So I'm using a VEH under x86 to 'manually' dispatch exceptions. Currently the code is a disgusting hack, but it's only a PoC, and it works, so that's all fine.

The real problems are occurring under x64 targets. At the moment I have SEH working, but C++ EH is not. Under x64 I'm using the 'RtlAddFunctionTable' to add the handlers for my module to the list, and that is working great for SEH, however whenever I throw a C+++ exception it goes unhandled. I ensured that the number of handlers being added by the API was correct by checking it against the number dumped by PEDUMP, and now I'm at a loss as to what could be causing it to bomb out.

Anyway, sorry for the long intro. Tl;dr version is:
Under x64 targets, exception handling is not working in my manual mapper. SEH works fine in my tests, but C++ EH is not. My C++ exceptions are going unhandled.

If anyone could please take a look at my code and point out any flaws they see that could be causing this particular bug it would be hugely appreciated. I've tried to reverse the exception dispatcher but the symbol server is being retarded and I can't get symbols for my build of Windows for some reason. (I'm gonna set up a VM soon, but I'm not even sure if reversing the dispatcher is gonna help, as I have no idea where to begin.)

Code here:
http://code.google.com/p/hadesmem/so...er/DllMain.cpp <-- The module I'm mapping.
http://code.google.com/p/hadesmem/so.../ManualMap.cpp <-- Manual mapper code
http://code.google.com/p/hadesmem/so...ry/ManualMap.h <-- Manual mapper code
http://code.google.com/p/hadesmem/so...nDbgManMap.lua <-- Script to pass to sandbox (WinDbg is the target I'm mapping into)

Also, if you see any other problems with the manual mapper feel free to point them out. I'm aware of some of them, but have been too lazy to tag them, so I may already know, but then again, you may see something I've overlooked, so please, go nuts, and be brutal! The more bugs you can find the better!

P.S. If you want me to post binaries so you can test without having to compile everything yourself please let me know and I'll upload them.

P.P.S. Yes, the code is a cluster**** of failure at the moment. Sorry about that, but like I said, it's currently only a PoC and undergoing heavy testing and changes, so bear with me. Don't let that stop you from pointing out any problems you see though! Again, be brutal!

[Cypher]

Fixed the links, sorry about that.

Thanks Namreeb for pointing that out.

[MaiN]

This is like going into a kindergarten asking kids about quantum physics.

[Cypher]

Worth a try though.

[andy012345]

It really depends on what compiler you're using. C++ exceptions are part of the language, using objects, so different compilers can implement it in different ways.

Visual C++ implements it by transforming it into SEH and the throw becomes a call to RaiseException. You might want to look there for your answers.

[Cypher]

It really depends on what compiler you're using. C++ exceptions are part of the language, using objects, so different compilers can implement it in different ways.

Visual C++ implements it by transforming it into SEH and the throw becomes a call to RaiseException. You might want to look there for your answers.

This is obviously Windows-only code and all Windows compilers I can think of use SEH 'under the hood' to implement C++ EH (at least, I think they all do). Yes, they use different methods, but I'm still pretty sure they're all using SEH to handle the low level exception dispatching.

The problem is that despite all the handlers being correctly registered it's still not working correctly. Compounding that was the fact that previously I couldn't pull down symbols which was making reversing the exception dispatcher way too much work. Now I've gotten WinDbg pulling down symbols correctly but IDA is still being retarded. It happened since I applied the latest patches, I'm gonna need to set up a VM to reverse in I think.

To make matters even more confusing, C++EH works under x86 targets, even when DEP is enabled and handler validation occurs, because I'm using a VEH to implement my own 'manual' dispatcher (which is currently unfiltered, I know, but it's just a PoC).

Tl;dr:
I know where to look, I'm just hoping somebody else might have some clever ideas or notice an obvious bug which could be causing my issues, so I can avoid spending hours and hours tracing through the exception-dispatcher's implementation to work out what the hell is going on.

[Tanaris4]

This is like going into a kindergarten asking kids about quantum physics.

rofl so true, makes me semi happy I don't have to worry about this on a mac (Yes I know everyone hates them, not trying to change the topic)

[Cypher]

In-case anybody tried compiling and using the ManualMapper recently and noticed it was severely broken, I'm sorry. That was caused by a regression introduced into MemoryMgr::Call when I added code to allow return values to be retrieved that are the full size for the given architecture, rather than being truncated to 32-bits under x64.

This bug is now fixed and the manual mapper is back to working in the state described in the original post (i.e. currently everything but C++EH works under x64).