Uninformed: Informative Information for the Uninformed

Vol 4» 2006.Jun


Exception Directory

The Exception Directory of a PE32+ binary is used to convey the complete list of functions that could be found in a stack frame during an unwind operation. These functions are known as non-leaf functions, and they are qualified as such if they either allocate space on the stack or call other functions. The IMAGE_RUNTIME_FUNCTION_ENTRY data structure is used to describe the non-leaf functions, as shown below[1]:

typedef struct _IMAGE_RUNTIME_FUNCTION_ENTRY {
    ULONG BeginAddress;
    ULONG EndAddress;
    ULONG UnwindInfoAddress;
} _IMAGE_RUNTIME_FUNCTION_ENTRY, *_PIMAGE_RUNTIME_FUNCTION_ENTRY;

The BeginAddress and EndAddress attributes are RVAs that represent the range of the non-leaf function. The UnwindInfoAddress will be discussed in more detail in the following subsection on unwind information. The Exception Directory itself is merely an array of IMAGE_RUNTIME_FUNCTION_ENTRY structures. When an exception occurs, the exception dispatcher will enumerate the array of runtime function entries until it finds the non-leaf function associated with the address it's searching for (typically a return address).