Whilst messing around with some x86 asm, I got to wondering about cases where a bug has caused EIP to be set to 00000000, or another memory location that does not exist. Is it possible to catch these cases with SEH or similar error handling mechanisms and recover execution? (assuming the stack, heap and registers weren’t trashed)
There’s no really good way to catch this before it happens, but one thing you can try is to inspect the stack (memory at `ESP` and/or `EBP`) and check for pointers to code.

If the instruction that caused this was a `call`, you’re in luck – the dword at `ESP` will be the return address, pointing right after the offender.

If it was a `jmp`, the chances are slimmer, but you can still look for possible traces of execution.

The worst case is when this is caused by a `ret` with trashed `ESP` – usually at this point the stack is completely bogus. You can still check the values of other registers, maybe one of them will contain a pointer which might give you some clues, and you can scan the whole stack area for the stack frame patterns, as described in this post.
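The `call` case the answer describes, worked through as an added example (my code, not part of the question or the answer above). It assumes Linux on x86-64 with glibc, where a `SIGSEGV` handler installed with `sigaction` is the analogue of SEH and receives the faulting register context; the 32-bit `EIP`/`ESP` of the question become `RIP`/`RSP`. The function names (`on_segv`, `looks_like_code`, `call_through_null`), the null function pointer `broken` that stands in for the bug, and the use of the linker-provided `__executable_start` and `etext` symbols to bound "code" are all my choices. The handler checks that the fault is an instruction fetch at `RIP` itself, reads the word at `RSP`, verifies it points into the text segment, and then resumes execution there by emulating the `ret` the missing callee never performed:

```c
#define _GNU_SOURCE              /* for REG_RIP / REG_RSP in <sys/ucontext.h> */
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

#ifndef REG_RIP                  /* glibc x86-64 gregs indices, in case the feature macro was not seen */
#define REG_RSP 15
#define REG_RIP 16
#endif

/* Linker-provided bounds of this executable's text segment (GNU ld / lld).
   Assumption of this example: only our own image counts as "code". */
extern char __executable_start[];
extern char etext[];

static volatile sig_atomic_t recovered;   /* set by the handler when it repaired RIP */
static volatile uintptr_t recovered_rip;  /* the return address it found at [RSP] */

/* The answer's check: does this value point at code? A real handler would also
   accept loaded modules (e.g. via dladdr), not just the main executable. */
int looks_like_code(uintptr_t p)
{
    return p >= (uintptr_t)__executable_start && p < (uintptr_t)etext;
}

static void on_segv(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = ctx;
    uintptr_t rip = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
    uintptr_t rsp = (uintptr_t)uc->uc_mcontext.gregs[REG_RSP];
    uintptr_t top;
    (void)sig;

    /* Only the "RIP points at nothing" case: the faulting address is RIP itself
       (instruction fetch fault), not a bad data access by otherwise good code. */
    if ((uintptr_t)si->si_addr != rip)
        goto give_up;

    /* The answer's "dword at ESP": if we got here via `call`, the CPU pushed the
       return address before the fetch at RIP failed, so [RSP] points right after
       the offending call. A `jmp` leaves no such marker and fails this check. */
    top = *(uintptr_t *)rsp;
    if (!looks_like_code(top))
        goto give_up;

    /* Recover by emulating the `ret` the missing callee never executed: pop the
       return address into RIP. The kernel installs this context on handler return. */
    uc->uc_mcontext.gregs[REG_RIP] = top;
    uc->uc_mcontext.gregs[REG_RSP] = rsp + sizeof(uintptr_t);
    recovered_rip = top;
    recovered = 1;
    return;

give_up:
    /* Not recoverable by this heuristic: re-arm the default action so the
       re-executed fault produces a normal crash / core dump for analysis. */
    signal(SIGSEGV, SIG_DFL);
}

typedef void (*fn_t)(void);
static volatile fn_t broken = 0;  /* constructed bug: a function pointer that was never set */

/* Installs the handler, calls through the null pointer and reports whether
   execution was recovered: returns 1 when the line after the call ran. */
int call_through_null(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);

    recovered = 0;
    broken();   /* `call` to address 0: pushes the return address, then faults fetching RIP 0 */
    /* Reached only because the handler popped that return address back into RIP. */
    return recovered;
}

uintptr_t last_recovered_rip(void)
{
    return recovered_rip;
}

int main(void)
{
    if (call_through_null())
        printf("recovered: [RSP] held %#lx, inside text [%p, %p)\n",
               (unsigned long)recovered_rip, (void *)__executable_start, (void *)etext);
    else
        puts("not recovered");
    return 0;
}
```

Build with `gcc -O2 -o nullcall nullcall.c` and run it; the handler resumes execution after the bad `call` and the program prints the recovered address. The `jmp` and trashed-`ESP` cases from the answer are exactly the ones that fail the `looks_like_code` check here: the handler then restores the default action and the process crashes normally, which is the right outcome when the heuristic cannot prove the stack is trustworthy.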