Windows RT differs in several respects, and the implementation of SEH is one of them. To sort out my understanding of ARM exception handling, I wrote an IDAPython script that interprets the SEH information in a Windows RT PE file and applies it to an IDB. Here is an example of how this script helps you (I use one of the PatchGuard routines that uses SEH to obfuscate its code flow):
Image1: Before Use (plain output of IDA)
Image2: After Use
Image3: Exception Filter
I do not explain the internals of ARM exception handling here, as the explanation on MSDN[1] is detailed enough to understand them, but in short, it is fairly similar to the one on x64. For instance, each function in a file is described by a RUNTIME_FUNCTION structure located in the .pdata section, and the structure points to an .xdata record that contains a SCOPE_TABLE structure and an array of its entries describing the ranges of __try blocks and the addresses of except filters and body blocks (or finally blocks). This is all essentially the same design as on x64.
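The layout described above can be walked in plain Python without IDA. This is an added example, not the author's IDAPython script; it follows the ARM .pdata/.xdata layout documented in [1], assumes the language handler is `__C_specific_handler` (so a SCOPE_TABLE follows the handler RVA, with a zero jump target marking a finally block as on x64), and runs on a constructed buffer whose values are made up.

```python
import struct

def parse_pdata_entry(pdata, index):
    """One 8-byte ARM .pdata record -> (function start RVA, flag, .xdata RVA or None)."""
    begin, unwind = struct.unpack_from("<II", pdata, index * 8)
    flag = unwind & 3
    # Flag 0: the word is the RVA of an .xdata record. Non-zero: unwind data
    # is packed into the word itself, so no .xdata (and no scope table) exists.
    return begin, flag, (unwind & ~3) if flag == 0 else None

def parse_xdata_scopes(image, xdata_rva):
    """Walk an ARM .xdata record -> (handler RVA or None, list of scope entries)."""
    off = xdata_rva
    (hdr,) = struct.unpack_from("<I", image, off)
    off += 4
    has_handler = (hdr >> 20) & 1        # X: exception data present
    single_epilogue = (hdr >> 21) & 1    # E: epilogue described in the header
    epilogues = (hdr >> 23) & 0x1F
    code_words = (hdr >> 28) & 0xF
    if epilogues == 0 and code_words == 0:   # counts live in an extension word
        (ext,) = struct.unpack_from("<I", image, off)
        off += 4
        epilogues, code_words = ext & 0xFFFF, (ext >> 16) & 0xFF
    if not single_epilogue:
        off += 4 * epilogues             # skip epilogue scope words
    off += 4 * code_words                # skip unwind codes
    if not has_handler:
        return None, []
    # Assumption: handler is __C_specific_handler, so a SCOPE_TABLE follows.
    handler, count = struct.unpack_from("<II", image, off)
    off += 8
    scopes = []
    for _ in range(count):
        begin, end, filt, target = struct.unpack_from("<IIII", image, off)
        off += 16
        kind = "finally" if target == 0 else "except"
        scopes.append({"try": (begin, end), "handler": filt, "target": target, "kind": kind})
    return handler, scopes

def build_sample():
    """Constructed image where RVA == buffer offset; all values are made up."""
    image = bytearray(0x100)
    hdr = 0x20 | (1 << 20) | (1 << 21) | (1 << 28)   # X=1, E=1, one code word
    struct.pack_into("<II", image, 0x40, hdr, 0xFF)  # header + unparsed unwind word
    struct.pack_into("<II", image, 0x48, 0x9000, 2)  # handler RVA, scope count
    struct.pack_into("<IIII", image, 0x50, 0x1010, 0x1020, 0x1100, 0x1030)
    struct.pack_into("<IIII", image, 0x60, 0x1040, 0x1050, 0x1200, 0)
    pdata = struct.pack("<IIII", 0x1000, 0x40, 0x2000, 0x00400011)
    return bytes(image), pdata
```

On a real file, `image` would be the PE mapped by RVA and `pdata` the bytes of the exception directory.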
As a note, I have listed some references below that may complement your understanding of ARM exception handling[2][3][4][5]. I hope you enjoy them and my script too.
- [1] ARM Exception Handling
- [2] Exceptional behavior: the Windows 8.1 X64 SEH Implementation
  References listed at the top of the article are all exceptionally good, apart from this article.
- [3] RtlLookupFunctionEntry function
  Returns a corresponding .pdata entry for a given address.
- [4] .fnent (Display Function Data)
  You can dump .pdata/.xdata information with it.
- [5] Improving IDA Analysis of x64 Exception Handling
  An x64 version of my script. Very handy.