
calling getEHinfo in x64


CodeExplorer


CodeExplorer
Posted

Calling getEHinfo on x64: crashes
 

        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        public delegate void getEHinfo(IntPtr self, IntPtr ftn, uint EHnumber, out CORINFO_EH_CLAUSE clause);
        
        public static IntPtr getEHinfoaddress;
        
        public static bool ShouldResolve = false;
        public static int targetIndex;
        
        public static IntPtr Compiler;
        public static IntPtr iftn;
        public static int EhCounti;
        
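        /// <summary>
        /// Fetches every exception-handling clause of the method currently being JIT-compiled by
        /// calling the runtime's own ICorJitInfo::getEHinfo, and stores the serialized clauses in
        /// <c>MI.moduledata.TryCatch[idx]</c>.
        /// </summary>
        /// <param name="idx">Index into <c>MI.moduledata.TryCatch</c> that receives the result.</param>
        /// <param name="comp">The ICorJitInfo* the JIT hook received for this compilation.</param>
        /// <param name="EHCount">Clause count as reported by the JIT; a value of 0 or less means the method has no clauses and no native call is made.</param>
        /// <param name="ftn">The method handle of the method being compiled (passed through to getEHinfo).</param>
        public static unsafe void ResolveEH(int idx, IntPtr comp, int EHCount, IntPtr ftn)
        {
            // NOTE(review): GetFramework4Version is defined elsewhere; assumed to return a non-null
            // version string such as "4.7.2" — confirm, otherwise StartsWith throws.
            string installedFr = GetFramework4Version();
            bool isClr47OrLater = installedFr.StartsWith("4.7", StringComparison.Ordinal)
                || installedFr.StartsWith("4.8", StringComparison.Ordinal);
            bool isClr45OrLater = isClr47OrLater || installedFr.StartsWith("4.5", StringComparison.Ordinal);

            List<CORINFO_EH_CLAUSE> clauses = new List<CORINFO_EH_CLAUSE>();

            // Only touch the native side when there is something to fetch: a bogus or zero count
            // must not lead to GetDelegateForFunctionPointer(IntPtr.Zero) or to a getEHinfo call
            // for a method without an EH table.
            if (EHCount > 0 && comp != IntPtr.Zero && ftn != IntPtr.Zero)
            {
                // Local deliberately not named getEHinfoaddress so it does not shadow the static field.
                IntPtr ehInfoFn = GetEHInfo(comp, false);

                // x86 only: the native entry is ThisCall, the delegate is StdCall.
                // x64 has a single calling convention, so the raw address is used directly.
                if (IntPtr.Size == 4 && isClr45OrLater)
                {
                    ehInfoFn = ConvertCallingConvention(ehInfoFn, CallingConvention.ThisCall, CallingConvention.StdCall);
                }

                // On 4.7/4.8 the ICorJitInfo* itself is the `this` for getEHinfo; older layouts need the adjusted pointer.
                IntPtr selfEH = isClr47OrLater ? comp : GetEHInfo(comp, true);

                if (ehInfoFn != IntPtr.Zero && selfEH != IntPtr.Zero)
                {
                    getEHinfo fetchClause = (getEHinfo)Marshal.GetDelegateForFunctionPointer(ehInfoFn, typeof(getEHinfo));
                    for (uint i = 0; i < (uint)EHCount; i++)
                    {
                        CORINFO_EH_CLAUSE clause;
                        fetchClause(selfEH, ftn, i, out clause);
                        clauses.Add(clause);
                    }
                }
            }

            MI.moduledata.TryCatch[idx] = GetExceptionBytes(clauses, true);
            // Debug marker kept from the original; consider putting it behind a verbose flag.
            MessageBox.Show("OK");
        }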

        
        // https://github.com/dotnet/runtime/issues/4887
        
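        /// <summary>
        /// Walks the vtable of the ICorJitInfo object handed to the JIT hook to find
        /// clr!CEEJitInfo::getEHinfo, or — when <paramref name="ReturnEHThis"/> is set — the
        /// pointer the caller must pass as the native <c>this</c> when invoking it. The layout
        /// is runtime-version specific, so the walk branches on the installed 4.x version and
        /// on <see cref="IntPtr.Size"/>.
        /// </summary>
        /// <param name="pICorJitInfo">The ICorJitInfo* received by the hook.</param>
        /// <param name="ReturnEHThis">true to return the this-pointer for getEHinfo instead of its address.</param>
        /// <returns>
        /// The function address or this-pointer; <see cref="IntPtr.Zero"/> for layouts this code
        /// does not know (pre-4.0 runtimes, 4.x builds other than 4.0/4.5/4.7/4.8, and the
        /// legacy layout on 64-bit).
        /// </returns>
        public unsafe static IntPtr GetEHInfo(IntPtr pICorJitInfo, bool ReturnEHThis)
        {
            // CLR47 (x86): getEHinfo is reached through the first vtable.
            // 8BBB 48190000 | mov     edi, [ebx+0x1948]            |
            // 8D5424 3C     | lea     edx, [esp+0x3C]              |
            // 52            | push    edx                          |
            // 51            | push    ecx                          |
            // FFB3 54190000 | push    [ebx+0x1954]                 |
            // 8B07          | mov     eax, [edi]                   |
            // 8B70 20       | mov     esi, [eax+0x20]              |
            // 8BCE          | mov     ecx, esi                     |
            // FF15 8C112D6F | call    [<__guard_check_icall_fptr>] |
            // 8BCF          | mov     ecx, edi                     |
            // FFD6          | call    esi                          |

            // CLR40 (x86): an adjustment is applied to the object pointer first.
            // 8B86 D81B0000 | mov     eax, [esi+0x1BD8]  | eax is pICorJitInfo
            // 8B48 04       | mov     ecx, [eax+0x4]     |
            // 8B49 04       | mov     ecx, [ecx+0x4]     |
            // 8D55 E4       | lea     edx, [ebp-0x1C]    |
            // 52            | push    edx                |
            // FF75 E0       | push    [ebp-0x20]         |
            // 8D4401 04     | lea     eax, [ecx+eax+0x4] |
            // FFB6 E41B0000 | push    [esi+0x1BE4]       |
            // 8B08          | mov     ecx, [eax]         |
            // 50            | push    eax                |
            // FF51 28       | call    [ecx+0x28]         | [ecx+0x28] is the getEHinfo vtordisp function pointer
            //
            // Same walk as traced in a debugger:
            // 060C230A    8B4C24 24       MOV ECX,DWORD PTR SS:[ESP+0x24]
            // 060C230E    8B5424 28       MOV EDX,DWORD PTR SS:[ESP+0x28]
            // 060C2312    8BC1            MOV EAX,ECX
            // 060C2314    8B48 04         MOV ECX,DWORD PTR DS:[EAX+0x4]
            // 060C2317    8B49 04         MOV ECX,DWORD PTR DS:[ECX+0x4]
            // 060C231A    8D4408 04       LEA EAX,DWORD PTR DS:[EAX+ECX+0x4]
            // 060C231E    8B08            MOV ECX,DWORD PTR DS:[EAX]
            // 060C2320    8B51 28         MOV EDX,DWORD PTR DS:[ECX+0x28]          ; clr.79212570
            // B9 30 A8 18 00 8B C1 8B 48 04 8B 49 04 8D 44 08 04 8B 08 8B 51 28
            // ECX= 791AFF10
            // DS:[791AFF38]=79212570 (clr.79212570)

            if (Environment.Version.Major < 4)
            {
                MessageBox.Show("Not supported yet!");
                return IntPtr.Zero;
            }

            // NOTE(review): GetFramework4Version is defined elsewhere; assumed to return a non-null
            // version string such as "4.7.2" — confirm, otherwise StartsWith throws.
            string installedFr = GetFramework4Version();
            bool modernLayout = installedFr.StartsWith("4.5", StringComparison.Ordinal)
                || installedFr.StartsWith("4.7", StringComparison.Ordinal)
                || installedFr.StartsWith("4.8", StringComparison.Ordinal);

            // On 4.5+ getEHinfo is vtable slot 8: offset 0x20 on x86, 0x40 on x64.
            const int GetEHInfoSlot = 8;

            if (modernLayout)
            {
                if (IntPtr.Size == 4)
                {
                    uint thisPtr = (uint)pICorJitInfo.ToInt32();
                    uint vtable = *(uint*)thisPtr;  // clr!CEEJitInfo::`vftable'
                    if (ReturnEHThis)
                    {
                        return (IntPtr)(int)vtable;
                    }
                    // (int) keeps addresses above 2 GB from overflowing the IntPtr(long) conversion.
                    uint fn = *(uint*)(vtable + (uint)(GetEHInfoSlot * IntPtr.Size));  // clr!CEEJitInfo::GetEHInfo
                    return (IntPtr)(int)fn;
                }

                ulong thisPtr64 = (ulong)pICorJitInfo.ToInt64();
                ulong vtable64 = *(ulong*)thisPtr64;  // clr!CEEJitInfo::`vftable'
                if (ReturnEHThis)
                {
                    return (IntPtr)(long)vtable64;
                }
                ulong fn64 = *(ulong*)(vtable64 + (ulong)(GetEHInfoSlot * IntPtr.Size));  // clr!CEEJitInfo::GetEHInfo
                return (IntPtr)(long)fn64;
            }

            // Legacy (CLR40) walk, see the listing above. It is 32-bit only: the old
            // `(uint)pICorJitInfo` cast cannot represent a 64-bit address (IntPtr -> int throws
            // OverflowException on x64), so report "unknown" instead of attempting the walk.
            if (IntPtr.Size != 4)
            {
                return IntPtr.Zero;
            }

            uint obj = (uint)pICorJitInfo.ToInt32();
            uint adjust = *(uint*)(obj + 0x4);  // Stack DS:[0018A834]=791AF450 (clr.791AF450)
            adjust = *(uint*)(adjust + 0x4);  // DS:[791AF454]=00000030
            uint adjustedThis = adjust + obj + 0x4;  // 030+pICorJitInfo+04
            if (ReturnEHThis)
            {
                return (IntPtr)(int)adjustedThis;
            }

            uint subVtable = *(uint*)adjustedThis;  // Stack DS:[0018A864]=791AFF10 (clr.791AFF10)
            if (installedFr.StartsWith("4.0", StringComparison.Ordinal))
            {
                return (IntPtr)(*(void**)(subVtable + 0x28));  // DS:[791AFF38]=79212570 (clr.79212570)
            }

            // Any other 4.x build (e.g. 4.6): no known offsets, caller must treat Zero as unsupported.
            return IntPtr.Zero;
        }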
        

https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_4_chang_en.pdf
https://github.com/LJP-TW/JITHook/blob/main/JITUnpacker/main.cpp

https://www.cnblogs.com/wwh1004/p/17620592.html
So I know what getEHinfo address is:
 getEHinfo = (getEHinfoFunc*)ICorJitInfo[8];
if you take into account that each element is a qword.
SelfEH also has a valid value,
but it still crashes:
from what I can tell it tries to read something from the MethodHandle (ftn), which results in a memory access violation.
Does anyone know how to solve this problem, or know of any x64 jitter?
 

CodeExplorer
Posted

clr!CEEJitInfo::getEHinfo:
00007ffd`ba03b150 4053            push    rbx
00007ffd`ba03b152 56              push    rsi
00007ffd`ba03b153 57              push    rdi
00007ffd`ba03b154 4156            push    r14
00007ffd`ba03b156 4157            push    r15
00007ffd`ba03b158 4881ec80000000  sub     rsp,80h
00007ffd`ba03b15f 48c7442448feffffff mov   qword ptr [rsp+48h],0FFFFFFFFFFFFFFFEh
00007ffd`ba03b168 488b0591be9400  mov     rax,qword ptr [clr!_security_cookie (00007ffd`ba987000)]
00007ffd`ba03b16f 4833c4          xor     rax,rsp
00007ffd`ba03b172 4889442478      mov     qword ptr [rsp+78h],rax
00007ffd`ba03b177 498bf1          mov     rsi,r9
00007ffd`ba03b17a 458bf0          mov     r14d,r8d
00007ffd`ba03b17d 488bfa          mov     rdi,rdx
00007ffd`ba03b180 4c8bf9          mov     r15,rcx
00007ffd`ba03b183 488b5928        mov     rbx,qword ptr [rcx+28h]
00007ffd`ba03b187 488b4310        mov     rax,qword ptr [rbx+10h]
00007ffd`ba03b18b 4889442430      mov     qword ptr [rsp+30h],rax
00007ffd`ba03b190 803da9be940000  cmp     byte ptr [clr!g_StackProbingEnabled (00007ffd`ba987040)],0
00007ffd`ba03b197 0f8543983300    jne     clr!CEEJitInfo::getEHinfo+0x339890 (00007ffd`ba3749e0)
00007ffd`ba03b19d 488b4310        mov     rax,qword ptr [rbx+10h]
00007ffd`ba03b1a1 4889442428      mov     qword ptr [rsp+28h],rax
00007ffd`ba03b1a6 833df3db940000  cmp     dword ptr [clr!g_fJitPerfOn (00007ffd`ba988da0)],0
00007ffd`ba03b1ad 0f8552983300    jne     clr!CEEJitInfo::getEHinfo+0x3398b5 (00007ffd`ba374a05)
00007ffd`ba03b1b3 8a4706          mov     al,byte ptr [rdi+6]
00007ffd`ba03b1b6 2407            and     al,7
00007ffd`ba03b1b8 3c07            cmp     al,7
00007ffd`ba03b1ba 0f843f491100    je      clr!CEEJitInfo::getEHinfo+0x131 (00007ffd`ba14faff)
00007ffd`ba03b1c0 498b4758        mov     rax,qword ptr [r15+58h]
00007ffd`ba03b1c4 488b5028        mov     rdx,qword ptr [rax+28h]
00007ffd`ba03b1c8 4b8d0c76        lea     rcx,[r14+r14*2]
00007ffd`ba03b1cc f60240          test    byte ptr [rdx],40h ds:00000000`00000000=??

The rdx register is 0, so it crashes.
Does anyone know what 40h stands for, or what the code above is trying to do?
 

CodeExplorer
Posted (edited)

I've made real progress:

            // Mirrors the prologue of clr!CEEJitInfo::getEHinfo from the x64 disassembly above:
            //   r15 = rcx (this)   -> ledi1
            //   rax = [r15+58h]    -> leax1
            //   rdx = [rax+28h]    -> valueZero, the pointer that getEHinfo then dereferences
            // NOTE(review): the 0x58/0x28 offsets are taken from that one clr.dll build — confirm per runtime version.
            ulong ledi1 = (ulong)selfEH.ToInt64();
            //
            ulong leax1 = *(ulong*)(ledi1+0x58);
            
            ulong valueZero = *(ulong*)(leax1+0x28);
            
            // Address of the slot read above; not used further in this snippet.
            ulong Pointer = leax1+0x28;
            
            MessageBox.Show(valueZero.ToString("X8"));
When valueZero is zero the method has no exception handlers.
So I found that EHCount, taken from info->EHcount in CORINFO_METHOD_INFO_Fr4_x64, has an invalid value:
mainly, the function was called for methods with no exception handlers.

 

Edited by CodeExplorer
