Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Categories

Get the value of EIP?

MT2002MT2002 Member Posts: 1,444
[blue]
Hello everyone,

As some of you may know Im developing a 32bit OS. Im currently
developing a way to trap kernel errors, and output debug information.

The problem: I cant, of course, access EIP.

I know there is a way of getting EIPs value, but what?

Thanks for any help!
[/blue]

Comments

  • IDKIDK Member Posts: 1,784
    : [blue]
    : Hello everyone,
    :
    : As some of you may know Im developing a 32bit OS. Im currently
    : developing a way to trap kernel errors, and output debug information.
    :
    : The problem: I cant, of course, access EIP.
    :
    : I know there is a way of getting EIPs value, but what?
    :
    : Thanks for any help!
    : [/blue]
    :

    Hmm, how does your error code get called?

    If it's called with int or call, then the address should be on the stack.


  • frank91frank91 Member Posts: 19
    : [blue]
    : Hello everyone,
    :
    : As some of you may know Im developing a 32bit OS. Im currently
    : developing a way to trap kernel errors, and output debug information.
    :
    : The problem: I cant, of course, access EIP.
    :
    : I know there is a way of getting EIPs value, but what?
    :
    : Thanks for any help!
    : [/blue]
    :
    There are two ways to do it, on is with an interrupt and the other is with a bogus function call. When an interrupt happens the stack looks like the following:
    [code]
    ESP: error code - sometimes on certain cpu exceptions like a page fault
    ESP + 4: eip
    ESP + 8: cs
    ESP + A: eflags
    [/code]
    so you could get EIP like this, in an interupt handler of course:
    [code]
    mov eax, [esp] ; or esp + 4 if the processor pushed an error code
    [/code]

    The other way is with a bogus function call, when a function is called its stack looks like this
    [code]
    ESP: eip
    ESP + 4: parameters to the function, if passed on stack
    [/code]
    so you could get eip like this
    [code]
    get_eip:
    mov eax, [esp]
    ret
    [/code]
  • MT2002MT2002 Member Posts: 1,444
    : : [blue]
    : : Hello everyone,
    : :
    : : As some of you may know Im developing a 32bit OS. Im currently
    : : developing a way to trap kernel errors, and output debug information.
    : :
    : : The problem: I cant, of course, access EIP.
    : :
    : : I know there is a way of getting EIPs value, but what?
    : :
    : : Thanks for any help!
    : : [/blue]
    : :
    :
    : Hmm, how does your error code get called?
    :
    : If it's called with int or call, then the address should be on the stack.
    :
    :
    [blue]
    Its envoked by my exception handler (The exceptions are hardware
    exceptions envoked through the interrupt descriptor table (IDT)).
    Its executed through the interrupr table:
    [/blue][code]
    ;------------------------------
    ; Divide by 0
    ;------------------------------

    SysDivide_Error:

    ; some code...

    push 01h
    [blue] call _KERNEL_TRAP[/blue]
    pop ax

    hlt

    ; some code...
    iret
    [/code][blue]
    My _KERNEL_TRAP is a C routine used to output the debugging information,
    and error information..[/blue]
    [code]
    void KERNEL_TRAP (unsigned int exception) {

    [blue]// Output registers, stack trace, and small mem dump
    // from some bytes from EIP--Or so I want to[/blue]

    // How should I get EIP? Or better: How should I
    // get the address of the faulting instruction?

    }
    [/code][blue]
    Do you have any suggestions?

    Thanks for the reply!
    [/blue]
  • MT2002MT2002 Member Posts: 1,444
    : : [blue]
    : : Hello everyone,
    : :
    : : As some of you may know Im developing a 32bit OS. Im currently
    : : developing a way to trap kernel errors, and output debug information.
    : :
    : : The problem: I cant, of course, access EIP.
    : :
    : : I know there is a way of getting EIPs value, but what?
    : :
    : : Thanks for any help!
    : : [/blue]
    : :
    : There are two ways to do it, on is with an interrupt and the other is with a bogus function call. When an interrupt happens the stack looks like the following:
    : [code]
    : ESP: error code - sometimes on certain cpu exceptions like a page fault
    : ESP + 4: eip
    : ESP + 8: cs
    : ESP + A: eflags
    : [/code]
    : so you could get EIP like this, in an interupt handler of course:
    : [code]
    : mov eax, [esp] ; or esp + 4 if the processor pushed an error code
    : [/code]
    :
    : The other way is with a bogus function call, when a function is called its stack looks like this
    : [code]
    : ESP: eip
    : ESP + 4: parameters to the function, if passed on stack
    : [/code]
    : so you could get eip like this
    : [code]
    : get_eip:
    : mov eax, [esp]
    : ret
    : [/code]
    :
    [blue]
    I tried the interrupt version, and it seems to work.

    Thanks alot!:-)[/blue]
  • m34tb34tm34tb34t Member Posts: 25
    I didn't read this thread well enough. My reply was already posted...
  • JW_postJW_post Member Posts: 4
    /* this is what I do. I put this inside my _try/_except SEH blocks.
    the below will put the target EIP into the class variable OurEaddr, which also happens in this case to be a possible offending exception address. I can further test for this addr in my filter function to varify that it is in fact MY exception so I can choose to handle it or pass it on if not. Compiles with MS VC 2005 */

    _asm
    {
    mov ebx, this //C++ Class scope vars so requires 'this' + offset
    mov eax, TEST_EIP //Grab the (possible) offending addr
    mov [ebx + OurEaddr], eax
    TEST_EIP: mov eax, [ebx + ppScratch] // except to filter if so.
    }
  • JW_postJW_post Member Posts: 4
    This post has been deleted.
Sign In or Register to comment.