How much is pushed onto a 32-bit stack under Windows x86-64 on an exception?
In this question, I give some background on a parallel language I have implemented. The compiler generates native x86-32 code.

A key implementation decision is to allocate stack space from the heap for every function (call). This allows for recursion until you run out of VM, and enables a cactus stack for lexical scopes even for nested parallel children, etc.

The compiler's code generator can compute how much stack space is needed by the function itself; that's messy but straightforward and it already does that well. There's no problem with stack demands from OS calls; my functions don't make any (if that's needed, the code switches to a standard "big stack", does the system calls, and then switches back). To be safe in the face of exceptions and asynchronous calls, it adds an egregious constant, presently about 500 bytes, to the stack space needed by a function, intended to cover a complete x86-32 context save, calibrated from Windows 32 experience.

This language and the async exception handling all work great on x86-32 systems. We have occasional problems running this 32-bit implementation on x86-64 systems. I suspect a stack overflow on an exception.

The question is, how much can Windows push onto a stack for a (divide by zero) hardware exception, or a StopThread call, when running my 32 bit implementation on a Windows 64 box? I'm nervous that Windows pushes a complete x86-64 context, which is way bigger than an x86-32 context. Does anybody know? Is there a document that answers this chapter-and-verse?

I'm about ready to run some dynamic experiments to see.

Dover answered 27/2, 2012 at 7:46 Comment(0)
The same stack context: if you are talking about an emulated x32 environment on an x64 box, then it is exactly the same size as on x32, which in my case is 0x3E0 bytes aligned to DWORD.

Everything emulated in a WOW64 process should be handled exactly the same as its x32 counterpart, at least when it comes to functionality. If you rely on TEB32 to inspect the stack, that is a different case, as you can see in this article:

http://www.dumpanalysis.org/blog/index.php/2009/07/07/raw-stack-dump-of-wow64-process/

Sadly, there isn't an official paper I could find regarding your question.

Also, here is an interesting paper you can read regarding WOW64 emulated processes:

http://blog.rewolf.pl/blog/?p=102#.UBTmHaBEUXw

Finally, if what you meant is to have a stack-made function to handle exceptions, it can be done without any worry. I can see here in trace logs, after the exception is triggered, how some function made on the stack is receiving the exception before my SEH; it seems to be some kind of Avast engine or maybe some spyware. I can't trace it to any known module, since after the function passes it is deallocated.

Hope that I've helped with something.

PS: If you can post some extra info maybe the stack log and your function to handle exceptions, we could help more.

Emancipated answered 29/7, 2012 at 7:50 Comment(0)
[Answer complete; see specific values for both Win32 Vista and Win64 WOW64 for Windows 7]

==========================================================================

Running on 32 bit Windows Vista, doing an IDIV with zero divisor, I get the following values:

EBP@div == 0x01C00800  // base of heap-allocated stack frame
ESP@div == 0x01C00FF8  // stack at "top" of allocated stack frame
ESP@entry to SEH  == 0x01C00C30 // ESP measured at first instruction of Structured Exception Handler
ContextOffset[ESP]== 0x01C00D2C // Pointer to context block at entry to SEH

So from the ESP=0x1C00FF8 at the point of the divide, to the bottom of the pushed context block, 0x1C00FF8-0x1C00D2C = 0x2CC = 716 bytes are pushed. From the bottom of the pushed context block to the entry at SEH, 0x1C00D2C-0x1C00C30 = 0xFC == 252 bytes are pushed. So, it appears that 716+252 = 968 bytes get pushed (which I find ridiculous).

It gets worse. What follows is a dump of the stack frame at entry to SEH; notice the values below 0x1C00C30 down to 0x1C00B78 (see at least the "obvious Win32 return address" 0x77c39534 at 0x1C00BD8) that are not cdcdcdcd; I believe that Windows has stepped on these values while passing control to my SEH. That's 0x1C00C30-0x1C00B78 = 0xB8 = 184 additional bytes. (So, ridiculous + unbelievable) = 1152 bytes are needed to get to the SEH, minimum. [Weirdly, a Win32 ThreadStop executed by another thread appears to push nothing on the stopped thread's stack]

0x01C00800  01b002f0 00000001 cd4b1b19 cdcdcdcd cdcdcdcd 0000000b cdcdcdcd cdcdcdcd  ð.°.......KÍÍÍÍÍÍÍÍÍ....ÍÍÍÍÍÍÍÍ
0x01C00820  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C00840  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C00860  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C00880  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C008A0  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C008C0  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C008E0  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C00900  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C00920  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C00940  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C00960  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C00980  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C009A0  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C009C0  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C009E0  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C00A00  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C00A20  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C00A40  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C00A60  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C00A80  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C00AA0  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C00AC0  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C00AE0  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C00B00  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C00B20  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd ffff0000 cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ..ÿÿÍÍÍÍ
0x01C00B40  00000035 00000034 00000001 cdcdcdcd cdcdcdcd f5f55f5f cdcdcdcd cdcdcdcd  5...4.......ÍÍÍÍÍÍÍÍ__õõÍÍÍÍÍÍÍÍ
0x01C00B60  cdcdcdcd cdcdcdcd ffff0000 cdcdcdcd cdcdcdcd 0190bfa8 52b396ac 52b396ac  ÍÍÍÍÍÍÍÍ..ÿÿÍÍÍÍÍÍÍͨ¿..¬–.R¬–.R
0x01C00B80  cdcdcdcd 0190bfa8 cdcdcdcd 00000011 00000000 01c00d18 cdcdcdcd cdcdcdcd  ÍÍÍͨ¿..ÍÍÍÍ..........À.ÍÍÍÍÍÍÍÍ
0x01C00BA0  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C00BC0  cdcdcdcd cdcdcdcd 00000000 cdcdcdcd 01c00c30 77c39534 cdcdcdcd 00000011  ÍÍÍÍÍÍÍÍ....ÍÍÍÍ0.À.4.ÃwÍÍÍÍ....
0x01C00BE0  00000000 01c00c30 77c39598 77c395b1 43e4d1f4 00000000 01c00d18 00456c00  ....0.À.˜.Ãw±.ÃwôÑäC......À..lE.
0x01C00C00  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd 00000000 00400000 01c00bf0 cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ......@.ð.À.ÍÍÍÍ
0x01C00C20  0184ff74 77c09aa2 35e18e8c 01c00c50 77c65dd9 01c00d18 0184ff74 01c00d2c  tÿ..¢šÀwŒŽá5P.À.Ù]Æw..À.tÿ..,.À.
0x01C00C40  01c00cec 0184ff74 77c65ded 0184ff74 01c00d00 77c65dab 01c00d18 0184ff74  ì.À.tÿ..í]Æwtÿ....À.«]Æw..À.tÿ..
0x01C00C60  01c00d2c 01c00cec 00456c00 00000000 01c00d18 0184ff74 77c39442 01c00d18  ,.À.ì.À..lE.......À.tÿ..B”Ãw..À.
0x01C00C80  0184ff74 01c00d2c 01c00cec 00456c00 7ffde08c 01c00d18 01b00300 cdcdcdcd  tÿ..,.À.ì.À..lE.Œàý...À...°.ÍÍÍÍ
0x01C00CA0  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C00CC0  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x01C00CE0  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd 00000072 01850000 0184c000 00cdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍr........À..ÍÍÍ.
0x01C00D00  01c00800 77c65c37 00c00d18 01c00d2c 01c00d18 01c00d2c c0000094 00000000  ..À.7\Æw..À.,.À...À.,.À.”..À....
0x01C00D20  00000000 023eb44c 00000000 0001003f 00000000 00000000 00000000 00000000  ....L´>.....?...................
0x01C00D40  00000000 00000000 ffff037b ffff2120 ffffffff 02383596 051f001b 02382ecc  ........{.ÿÿ !ÿÿÿÿÿÿ–58.....Ì.8.
0x01C00D60  ffff0023 00000000 c0000000 00004000 00000000 c000c000 00000000 80000000  #.ÿÿ.......À.@.......À.À.......€
0x01C00D80  0000c001 00000000 c0008000 00000000 c0000000 0000c001 00000000 c002e000  .À.......€.À.......À.À.......à.À
0x01C00DA0  00000000 80000000 00003fff 40000000 4010a51c 00000000 00000000 0000003b  .......€ÿ?.....@.¥.@........;...
0x01C00DC0  00000023 00000023 7ffde08c 01b00300 0190bfa8 00000000 00000000 00000063  #...#...Œàý...°.¨¿..........c...
0x01C00DE0  01c00800 023eb44c 0000001b 00010246 01c00ff8 00000023 2120037b 051f0000  ..À.L´>.....F...ø.À.#...{. !....
0x01C00E00  02383596 0000001b 02382ecc 00000023 00001f80 0000ffff 00000000 c0000000  –58.....Ì.8.#...€...ÿÿ.........À
0x01C00E20  00004000 00000000 00000000 c0000000 0000c000 00000000 00000000 80000000  .@.............À.À.............€
0x01C00E40  0000c001 00000000 00000000 80000000 0000c000 00000000 00000000 c0000000  .À.............€.À.............À
0x01C00E60  0000c001 00000000 00000000 e0000000 0000c002 00000000 00000000 80000000  .À.............à.À.............€
0x01C00E80  00003fff 00000000 00000000 a51c4000 00004010 00000000 00000000 00000000  ÿ?...........@.¥.@..............
0x01C00EA0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
0x01C00EC0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
0x01C00EE0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
0x01C00F00  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
0x01C00F20  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
0x01C00F40  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
0x01C00F60  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
0x01C00F80  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
0x01C00FA0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
0x01C00FC0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
0x01C00FE0  00000000 00000000 00000000 00000000 00000000 00000000 52b396ac 01c00b78  ........................¬–.Rx.À.


========================================================================================

Running on 64-bit Windows 7, running a 32-bit process under WOW64, doing an IDIV with zero divisor, I get the following values:

EBP@div == 0x02100800  // base of heap-allocated stack frame
ESP@div == 0x02100FF8  // stack at "top" of allocated stack frame
ESP@entry to SEH  == 0x02100BD4 // ESP measured at first instruction of Structured Exception Handler
ContextOffset[ESP]== 0x02100D10 // Pointer to context block at entry to SEH

So from the ESP=0x02100FF8 at the point of the divide, to the bottom of the pushed context block, 0x02100FF8-0x02100D10 = 0x2E8 = 744 bytes are pushed (Win32 pushed 716). From the bottom of the pushed context block to the entry at SEH, 0x02100D10-0x02100BD4 = 0x13C == 316 bytes are pushed (Windows32 pushed 252). So, it appears that 744+316 = 1060 bytes get pushed (which I find worse than the ridiculous amount pushed by Win32).

It gets worse. What follows is a dump of the stack frame at entry to SEH; notice the values below 0x02100BD4 down to 0x021009D8 (see at least the "obvious Win32 return address" 0x77c39534 at 0x021009D8) that are not cdcdcdcd; I believe that Windows has stepped on these values while passing control to my SEH. That's 0x02100BD4-0x021009D8 = 0x1FC = 508 additional bytes. (So, ridiculous + unbelievable) = 1568 bytes are needed to get to the SEH, minimum.

0x02100800  020402f0 00000001 fa0ad4b0 cdcdcdcd cdcdcdcd 0000000b cdcdcdcd cdcdcdcd  ð.......°Ô.úÍÍÍÍÍÍÍÍ....ÍÍÍÍÍÍÍÍ
0x02100820  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x02100840  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x02100860  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x02100880  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x021008A0  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x021008C0  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x021008E0  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x02100900  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x02100920  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x02100940  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x02100960  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x02100980  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x021009A0  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x021009C0  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd 74fce2d9 00000000  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÙâüt....
0x021009E0  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x02100A00  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd 002bbfc8 00000000 02040300 00000000  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÈ¿+.............
0x02100A20  fffd708c 00000000 77791266 00000000 cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  Œpýÿ....f.yw....ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x02100A40  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x02100A60  0010001f 00001f80 002b0023 0053002b 002b002b 00010246 00000000 00000000  ....€...#.+.+.S.+.+.F...........
0x02100A80  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
0x02100AA0  00000000 00000000 00000063 00000000 00000000 00000000 00000000 00000000  ........c.......................
0x02100AC0  002bbfc8 00000000 02100ff8 00000000 02100800 00000000 02040300 00000000  È¿+.....ø.......................
0x02100AE0  fffd708c 00000000 0000002b 00000000 76f612ea 00000000 00000000 00000000  Œpýÿ....+.......ê.öv............
0x02100B00  002fe7e0 00000000 fffd5000 00000000 002ffd20 00000000 002ff170 00000000  àç/......Pýÿ.... ý/.....pñ/.....
0x02100B20  74f32450 00000000 0281b1a4 00000000 2120037b 051f0000 027b359f 00000011  P$ót....¤±......{. !....Ÿ5{.....
0x02100B40  00000000 02100cc0 00001f80 0000ffff 00000000 80000000 00004001 00000000  ....À...€...ÿÿ.........€.@......
0x02100B60  00000000 c0000000 0000c000 00000000 00000000 00000000 00000000 00000000  .......À.À......................
0x02100B80  02100bd8 00000011 00000000 02100bd8 7797b2da 7797b2f3 72982375 00000000  Ø...........Ø...Ú.—wó.—wu#˜r....
0x02100BA0  02100cc0 00456c00 0000c002 00000000 00000000 80000000 00000000 00400000  À....lE..À.............€......@.
0x02100BC0  02100b98 dfb28000 0203ff74 779971d5 071ce70d 02100bf8 7797b459 02100cc0  ˜....€.ßtÿ..Õq™w.ç..ø...Y´—wÀ...
0x02100BE0  0203ff74 02100d10 02100c94 0203ff74 7797b46d 0203ff74 02100ca8 7797b42b  tÿ......”...tÿ..m´—wtÿ..¨...+´—w
0x02100C00  02100cc0 0203ff74 02100d10 02100c94 00456c00 00000000 02100cc0 0203ff74  À...tÿ......”....lE.....À...tÿ..
0x02100C20  7797b3ce 02100cc0 0203ff74 02100d10 02100c94 00456c00 fffd708c 02100cc0  Î.—wÀ...tÿ......”....lE.ŒpýÿÀ...
0x02100C40  02040300 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
0x02100C60  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
0x02100C80  00000000 00000000 00000000 00000000 00000000 00000000 00000072 02040000  ........................r.......
0x02100CA0  0203c000 00000000 02100800 77930133 00100cc0 02100d10 02100cc0 02100d10  .À..........3.“wÀ.......À.......
0x02100CC0  c0000094 00000000 00000000 0281b1a4 00000000 00000000 00000000 00000000  ”..À........¤±..................
0x02100CE0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
0x02100D00  00000000 00000000 00000000 00000000 0001003f 00000000 00000000 00000000  ................?...............
0x02100D20  00000000 00000000 00000000 0000037b 00002120 0000ffff 027b359f 051f0023  ............{... !..ÿÿ..Ÿ5{.#...
0x02100D40  027b2ecc 0000002b 00000000 80000000 00004001 00000000 c000c000 00000000  Ì.{.+..........€.@.......À.À....
0x02100D60  80000000 0000c001 00000000 c0008000 00000000 c0000000 0000c001 00000000  ...€.À.......€.À.......À.À......
0x02100D80  c002e000 00000000 80000000 00003fff 80000000 400fdfb2 00000000 0000002b  .à.À.......€ÿ?.....€.ß.@....+...
0x02100DA0  00000053 0000002b 0000002b fffd708c 02040300 002bbfc8 00000000 00000000  S...+...+...Œpýÿ....È¿+.........
0x02100DC0  00000063 02100800 0281b1a4 00000023 00010246 02100ff8 0000002b 2120037b  c.......¤±..#...F...ø...+...{. !
0x02100DE0  051f0000 027b359f 00000023 027b2ecc 0000002b 00001f80 0000ffff 00000000  ....Ÿ5{.#...Ì.{.+...€...ÿÿ......
0x02100E00  80000000 00004001 00000000 00000000 c0000000 0000c000 00000000 00000000  ...€.@.............À.À..........
0x02100E20  80000000 0000c001 00000000 00000000 80000000 0000c000 00000000 00000000  ...€.À.............€.À..........
0x02100E40  c0000000 0000c001 00000000 00000000 e0000000 0000c002 00000000 00000000  ...À.À.............à.À..........
0x02100E60  80000000 00003fff 00000000 00000000 dfb28000 0000400f 00000000 00000000  ...€ÿ?...........€.ß.@..........
0x02100E80  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
0x02100EA0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
0x02100EC0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
0x02100EE0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
0x02100F00  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
0x02100F20  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
0x02100F40  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
0x02100F60  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
0x02100F80  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
0x02100FA0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
0x02100FC0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 fffffd34  ............................4ýÿÿ
0x02100FE0  000002e4 fffffd34 000002cc 00000019 00000000 00000063 52b396ac 02100b78  ä...4ýÿÿÌ...........c...¬–.Rx...

Final summary for cost to enter SEH:

  • Windows32 pushes 968 bytes and trashes 184 bytes beyond that; you need 1152 bytes of additional stack beyond what you have at the point of the trap.
  • Windows64 (WOW64) pushes 1060 bytes and trashes 508 bytes beyond that; you need 1568 bytes in addition to what you have at the point of the trap.

It's damn hard to define a "small activation record" scheme in the face of Windows' profligate use of stack space.

I'd guess that exception handling under Windows must be exceedingly slow, to boot; it takes time to read and write all those bytes.

I'll likely try this again with a beta version of Windows 8. I expect to be disgusted.

Dover answered 29/7, 2012 at 23:42 Comment(2)
I get here on my x32 Windows 7 0x3E0 bytes pushed onto the stack after a div by 0. So I wouldn't rely on stable values; besides, spyware or AVs can handle your exception before you and push more bytes into the context. – Emancipated
I'm willing to outlaw spyware in my running world. AVs get into my address space and muck with my exception? So the AVs are leeches in my address space? Now, that's a nice architecture. – Dover
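The three numbers in the summary above (bytes pushed for the context block, bytes pushed between the context block and the handler entry, and bytes trashed below the handler's ESP) were worked out by hand from the dumps. As an added example, not part of the original post and not the author's compiler or tooling, here is a Python script that does the same bookkeeping from a dump in the format shown above: it parses the address/eight-dword lines, finds the lowest address below the trap-time ESP that no longer holds the 0xcdcdcdcd fill pattern, and splits the cost into the same three parts. The sample dump, the three register values and the 25% safety margin are constructed for illustration (loosely modelled on the Win32 dump above, not copied from it); paste your own dump in place of SAMPLE_DUMP and supply the ESP and CONTEXT pointer values recorded at the trap and at the handler's first instruction. The assumption, as in the analysis above, is that everything below ESP was fill at trap time, so any non-fill dword below the handler's ESP was written by the exception dispatch path; the `floor` argument lets you exclude a frame header your own code is known to have written.

```python
"""Stack cost of exception dispatch, recovered from a pattern-filled stack dump.

Added example; not part of the original post. Dump lines are expected in the
form used above: '0xADDRESS  dword0 dword1 ... dword7  [ascii column]'.
"""
import math

FILL = 0xCDCDCDCD  # sentinel the frames above were filled with before the trap


def parse_dump(text):
    """Return {address: dword} for every 32-bit word in a dump of the format above."""
    words = {}
    for line in text.splitlines():
        tok = line.split()
        # an address token plus exactly eight 8-hex-digit dwords; the ASCII
        # column that follows (if any) is ignored
        if len(tok) < 9 or not tok[0].lower().startswith("0x"):
            continue
        if any(len(t) != 8 for t in tok[1:9]):
            continue
        try:
            base = int(tok[0], 16)
            vals = [int(t, 16) for t in tok[1:9]]
        except ValueError:
            continue
        for i, v in enumerate(vals):
            words[base + 4 * i] = v
    return words


def high_water_mark(words, esp_at_trap, floor=None, fill=FILL):
    """Lowest address in [floor, esp_at_trap) whose dword is not the fill pattern.

    Everything below ESP at the moment of the trap was free stack, so a non-fill
    dword down there was written while the exception was being dispatched.
    Pass `floor` to skip a frame header your own code is known to have written.
    Returns None if nothing below esp_at_trap was touched.
    """
    lo = floor if floor is not None else min(words)
    touched = [a for a, v in words.items() if lo <= a < esp_at_trap and v != fill]
    return min(touched) if touched else None


def exception_stack_cost(words, esp_at_trap, esp_at_handler, context_ptr,
                         floor=None, fill=FILL):
    """Split the stack consumed between the trap and the handler's first instruction.

    esp_at_trap     ESP at the faulting instruction
    context_ptr     address of the CONTEXT block as seen by the handler
    esp_at_handler  ESP at the handler's first instruction
    """
    if not (esp_at_handler < context_ptr < esp_at_trap):
        raise ValueError("expected esp_at_handler < context_ptr < esp_at_trap")
    low = high_water_mark(words, esp_at_trap, floor, fill)
    pushed_context = esp_at_trap - context_ptr          # trap frame + CONTEXT block
    pushed_dispatch = context_ptr - esp_at_handler      # dispatcher frames down to the SEH
    trashed_below = max(0, esp_at_handler - low) if low is not None else 0
    return {
        "context_and_trap_frame": pushed_context,
        "dispatch_to_handler": pushed_dispatch,
        "trashed_below_handler_esp": trashed_below,
        "total_required": pushed_context + pushed_dispatch + trashed_below,
    }


def padded_reserve(total_required, margin=0.25, align=16):
    """Turn a measured cost into a per-frame reserve: add a margin, round up to `align`."""
    padded = int(math.ceil(total_required * (1 + margin)))
    return (padded + align - 1) // align * align


# Constructed sample (not a real capture): a 0xcdcdcdcd-filled frame after a
# divide-by-zero, in the same layout as the dumps above. Only the region below
# the trap-time ESP is shown.
SAMPLE_DUMP = """\
0x01000B00  cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd cdcdcdcd  ................
0x01000B20  cdcdcdcd cdcdcdcd 77c39534 cdcdcdcd 00000011 01000b50 cdcdcdcd cdcdcdcd
0x01000B40  0184ff74 77c09aa2 35e18e8c 01000c50 77c65dd9 01000d18 0184ff74 01000b80
0x01000B60  01000cec 0184ff74 77c65ded 0184ff74 01000d00 77c65dab 01000d18 0184ff74
0x01000B80  c0000094 00000000 00000000 023eb44c 00000000 0001003f 00000000 00000000
0x01000BA0  00000000 00000000 ffff037b ffff2120 ffffffff 02383596 051f001b 02382ecc
0x01000BC0  ffff0023 00000000 c0000000 00004000 00000000 c000c000 00000000 80000000
0x01000BE0  00000000 00000000 00000000 00000000 00000000 00000000 52b396ac 01000b78
"""
ESP_AT_TRAP = 0x01000C00     # constructed: ESP at the IDIV
CONTEXT_PTR = 0x01000B80     # constructed: CONTEXT pointer seen by the handler
ESP_AT_HANDLER = 0x01000B40  # constructed: ESP at the handler's first instruction

if __name__ == "__main__":
    words = parse_dump(SAMPLE_DUMP)
    cost = exception_stack_cost(words, ESP_AT_TRAP, ESP_AT_HANDLER, CONTEXT_PTR)
    for name, value in cost.items():
        print(f"{name:28s} {value:5d} bytes (0x{value:X})")
    print(f"suggested per-frame reserve: {padded_reserve(cost['total_required'])} bytes")
```

The lowest non-fill word is only a lower bound on what the dispatch path touched: a word that happened to be overwritten with the fill value, or a module that handles the exception before your SEH (the AV case mentioned in the comment above), will not show up, so the number to build into the compiler is the one measured on the deployment target plus a margin, not the Vista or Windows 7 figure from this page.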
© 2022 - 2024 — McMap. All rights reserved.