more structures for DT command, for study exceptions

sha0coder · sha0coder · commit b373dad83138 · 2021-12-25T17:46:39.000+01:00
diff --git a/README.md b/README.md
@@ -216,3 +216,49 @@ LdrDataTableEntry {
 ```
 
 
+
+A malware is hiding something in an exception
+```
+3307726 0x4f9673: push  ebp
+3307727 0x4f9674: push  edx
+3307728 0x4f9675: push  eax
+3307729 0x4f9676: push  ecx
+3307730 0x4f9677: push  ecx
+3307731 0x4f9678: push  4F96F4h
+3307732 0x4f967d: push  dword ptr fs:[0]
+Reading SEH 0x0
+-------
+3307733 0x4f9684: mov   eax,[51068Ch]
+--- console ---
+=>
+```
+
+Let's inspect exception structures:
+```
+--- console ---
+=>r esp
+        esp: 0x22de98
+=>dt
+structure=>cppeh_record
+address=>0x22de98
+CppEhRecord {
+    old_esp: 0x0,
+    exc_ptr: 0x4f96f4,
+    next: 0xfffffffe,
+    exception_handler: 0xfffffffe,
+    scope_table: PScopeTableEntry {
+        enclosing_level: 0x278,
+        filter_func: 0x51068c,
+        handler_func: 0x288,
+    },
+    try_level: 0x288,
+}
+=>
+```
+
+And here we have the error routine 0x4f96f4 and the filter 0x51068c
+
+
+
+
+
diff --git a/src/emu32.rs b/src/emu32.rs
@@ -1553,6 +1553,10 @@ impl Emu32 {
                             let s = structures::ListEntry::load(addr, &self.maps);
                             s.print();
                         }
+                        "cppeh_record" => {
+                            let s = structures::CppEhRecord::load(addr, &self.maps);
+                            s.print();
+                        }
 
                         _  => println!("unrecognized structure."),
                     }
@@ -1684,20 +1688,20 @@ impl Emu32 {
                         0x30 => {
                             let peb = self.maps.get_mem("peb");
                             if self.cfg.verbose >= 1 {
-                                println!("{} Reding PEB 0x{:x}", self.pos, peb.get_base());
+                                println!("{} Reading PEB 0x{:x}", self.pos, peb.get_base());
                             }
                             peb.get_base()
                         }
                         0x18 => {
                             let teb = self.maps.get_mem("teb");
                             if self.cfg.verbose >= 1 {
-                                println!("{} Reding TEB 0x{:x}", self.pos, teb.get_base());
+                                println!("{} Reading TEB 0x{:x}", self.pos, teb.get_base());
                             }
                             teb.get_base()
                         }
                         0x00 =>  {
                             if self.cfg.verbose >= 1 {
-                                println!("Reding SEH 0x{:x}", self.seh);
+                                println!("Reading SEH 0x{:x}", self.seh);
                             }
                             self.seh
                         }
diff --git a/src/emu32/structures.rs b/src/emu32/structures.rs
@@ -1,6 +1,8 @@
 use crate::emu32::maps::Maps;
 
 
+////// PEB / TEB //////
+
 #[derive(Debug)]
 pub struct ListEntry {
     flink: u32,
@@ -148,3 +150,95 @@ impl PEB {
     }
 }
 
+
+
+
+////// EXCEPTIONS //////
+
+
+/*
+ypedef struct _SCOPETABLE_ENTRY {
+ DWORD EnclosingLevel;
+ PVOID FilterFunc;
+ PVOID HandlerFunc;
+} SCOPETABLE_ENTRY, *PSCOPETABLE_ENTRY;
+*/
+
+
+#[derive(Debug)]
+pub struct PScopeTableEntry {
+    enclosing_level: u32,
+    filter_func: u32,
+    handler_func: u32,
+}
+
+impl PScopeTableEntry {
+    pub fn load(addr:u32, maps:&Maps) -> PScopeTableEntry {
+        PScopeTableEntry {
+            enclosing_level: maps.read_dword(addr).unwrap(),
+            filter_func: maps.read_dword(addr + 4).unwrap(),
+            handler_func: maps.read_dword(addr + 8).unwrap(),
+        }
+    }
+
+    pub fn size() -> u32 {
+        return 12;
+    }
+
+    pub fn print(&self) {
+        println!("{:#x?}", self);
+    }
+}
+
+
+
+#[derive(Debug)]
+pub struct CppEhRecord {
+    old_esp: u32,
+    exc_ptr: u32,
+    next: u32, // ptr to _EH3_EXCEPTION_REGISTRATION
+    exception_handler: u32, 
+    scope_table: PScopeTableEntry,
+    try_level: u32,
+}
+
+impl CppEhRecord {
+    pub fn load(addr:u32, maps:&Maps) -> CppEhRecord {
+        CppEhRecord{
+            old_esp: maps.read_dword(addr).unwrap(),
+            exc_ptr: maps.read_dword(addr + 4).unwrap(),
+            next: maps.read_dword(addr + 8).unwrap(),
+            exception_handler: maps.read_dword(addr + 12).unwrap(),
+            scope_table: PScopeTableEntry::load(addr + 16, &maps),
+            try_level: maps.read_dword(addr + 16 + PScopeTableEntry::size()).unwrap(),
+        }
+    }
+
+    pub fn print(&self) {
+        println!("{:#x?}", self);
+    }
+}
+
+
+#[derive(Debug)]
+pub struct ExceptionPointers {
+    exception_record: u32,
+    context_record: u32,
+}
+
+impl ExceptionPointers {
+    pub fn load(addr:u32, maps:&Maps) -> ExceptionPointers {
+        ExceptionPointers {
+            exception_record: maps.read_dword(addr).unwrap(),
+            context_record: maps.read_dword(addr + 4).unwrap(),
+        }
+    }
+
+    pub fn size() -> u32 {
+        return 8;
+    }
+
+    pub fn print(&self) {
+        println!("{:#x?}", self);
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -1553,6 +1553,10 @@ impl Emu32 {`
`1553`	`1553`	`let s = structures::ListEntry::load(addr, &self.maps);`
`1554`	`1554`	`s.print();`
`1555`	`1555`	`}`
	`1556`	`+ "cppeh_record" => {`
	`1557`	`+ let s = structures::CppEhRecord::load(addr, &self.maps);`
	`1558`	`+ s.print();`
	`1559`	`+ }`
`1556`	`1560`
`1557`	`1561`	`_ => println!("unrecognized structure."),`
`1558`	`1562`	`}`
`@@ -1684,20 +1688,20 @@ impl Emu32 {`
`1684`	`1688`	`0x30 => {`
`1685`	`1689`	`let peb = self.maps.get_mem("peb");`
`1686`	`1690`	`if self.cfg.verbose >= 1 {`
`1687`		`- println!("{} Reding PEB 0x{:x}", self.pos, peb.get_base());`
	`1691`	`+ println!("{} Reading PEB 0x{:x}", self.pos, peb.get_base());`
`1688`	`1692`	`}`
`1689`	`1693`	`peb.get_base()`
`1690`	`1694`	`}`
`1691`	`1695`	`0x18 => {`
`1692`	`1696`	`let teb = self.maps.get_mem("teb");`
`1693`	`1697`	`if self.cfg.verbose >= 1 {`
`1694`		`- println!("{} Reding TEB 0x{:x}", self.pos, teb.get_base());`
	`1698`	`+ println!("{} Reading TEB 0x{:x}", self.pos, teb.get_base());`
`1695`	`1699`	`}`
`1696`	`1700`	`teb.get_base()`
`1697`	`1701`	`}`
`1698`	`1702`	`0x00 => {`
`1699`	`1703`	`if self.cfg.verbose >= 1 {`
`1700`		`- println!("Reding SEH 0x{:x}", self.seh);`
	`1704`	`+ println!("Reading SEH 0x{:x}", self.seh);`
`1701`	`1705`	`}`
`1702`	`1706`	`self.seh`
`1703`	`1707`	`}`