在使用IDA PRO分析X64 异常展开,进行_SCOPE_TABLE类型设置时,将操作数转换为偏移量
- 示例:UNWIND_INFO 分析
- 1、添加ScopeRecord类型
- 2、设置类型
- 3、将操作数转换为偏移量
- 4、设置完成
- 链接1
- 链接2
示例:UNWIND_INFO 分析
- _C_specific_handler_0 是一个导入函数,是进行异常处理分发的,可以不用分析。
- 下面跟着的为_SCOPE_TABLEl数据
typedef struct _SCOPE_TABLE {ULONG Count;struct{ULONG BeginAddress;ULONG EndAddress;ULONG HandlerAddress;ULONG JumpTarget;} ScopeRecord[1];} SCOPE_TABLE, *PSCOPE_TABLE;
1、添加ScopeRecord类型
2、设置类型
3、将操作数转换为偏移量
双击类型来到struct窗口,设置偏移,(快捷键CTRL+R)
调整偏移设置
4、设置完成
链接1
如何分析X64的SEH
链接2
igors-tip-of-the-week-113-image-relative-offsets-rva
Image-relative offsets are values that represent an offset from the image base of the current module (image) in memory. This means that they can be used to refer to other locations in the same module regardless of its real, final load address, and thus can be used to make the code position-independent (PIC), similarly to the self-relative offsets. The alternative name RVA means “Relative virtual address” and is often used in the context of the PE file format.
图像相对偏移量是表示与内存中当前模块(图像)的图像基础的偏移量的值。这意味着它们可用于引用同一模块中的其他位置,而不管其实际的最终加载地址如何,因此可用于使代码位置无关 (PIC),类似于自相对偏移。替代名称 RVA 的意思是“相对虚拟地址”,通常用于 PE 文件格式的上下文中。
However, PIC is not the only advantage of RVAs. For example, on x64-bit platforms RVA values usually use 32 bits instead of 64 like a full pointer. While this makes their range more limited (4GiB from imagebase), the savings from pointer-type values can be substantial when accumulated over the whole binary.
然而,PIC 并不是 RVA 的唯一优势。例如,在 x64 位平台上,RVA 值通常使用 32 位,而不是像完整指针那样使用 64 位。虽然这使得它们的范围更加有限(来自 imagebase 的 4GiB),但当在整个二进制文件中累积时,指针类型值的节省可能会很大。
For known RVA values, such as those in the PE headers or EH structures, IDA can usually convert them to an assembler-specific expression automatically:
对于已知的 RVA 值,例如 PE 标头或 EH 结构中的值,IDA 通常可以自动将它们转换为特定于汇编程序的表达式:
However, sometimes there may be a need to do it manually, for example, when dealing with another update of the file format not yet handled by IDA, or a custom format/structure which uses RVAs for addressing. In that case, you can use yet another variation of the User-defined offset. The option to turn on is Use image base as offset base. When it’s enabled, IDA will ignore the entered offset base and will always use the imagebase.
但是,有时可能需要手动执行此操作,例如,在处理 IDA 尚未处理的文件格式的另一个更新时,或使用 RVA 进行寻址的自定义格式/结构时。在这种情况下,您可以使用用户定义的偏移量的另一种变体。打开的选项是使用图像基底作为偏移基。启用后,IDA 将忽略输入的偏移基数,并始终使用图像基数。
However, even if you use this approach in a 64-bit program, you may fail to reach the desired effect: the value will be displayed in red to indicate an error and not show a nice expression with the final address, as expected.
但是,即使在 64 位程序中使用此方法,也可能无法达到预期的效果:该值将以红色显示以指示错误,并且不会像预期的那样显示带有最终地址的漂亮表达式。
This happens because the command defaults to OFF32 for 32-bit values, but the final address does not fit into 32 bits. The fix is simple: select OFF64 instead of OFF32.
发生这种情况的原因是,对于 32 位值,该命令默认为 OFF32,但最终地址不适合 32 位。解决方法很简单:选择 OFF64 而不是 OFF32。
NOTE: for ARM binaries, the imagerel keyword is used instead of rva.
注意:对于 ARM 二进制文件,使用 imagerel 关键字而不是 rva .
See also: 另请参阅:
Igor’s tip of the week #105: Offsets with custom base
伊戈尔的本周小贴士 #105:使用自定义底座进行偏移
Igor’s tip of the week #110: Self-relative offsets
伊戈尔的本周小贴士 #110:自相对偏移
