Informative Information for the Uninformed
Exception Directory

The Exception Directory of a PE32+ binary is used to convey the complete list of functions that could be found in a stack frame during an unwind operation. These functions are known as non-leaf functions, and they are qualified as such if they either allocate space on the stack or call other functions. The IMAGE_RUNTIME_FUNCTION_ENTRY data structure is used to describe the non-leaf functions, as shown below[1]:

    typedef struct _IMAGE_RUNTIME_FUNCTION_ENTRY {
        ULONG BeginAddress;       /* RVA where the non-leaf function begins */
        ULONG EndAddress;         /* RVA where the non-leaf function ends */
        ULONG UnwindInfoAddress;  /* covered in the unwind information subsection */
    } _IMAGE_RUNTIME_FUNCTION_ENTRY, *_PIMAGE_RUNTIME_FUNCTION_ENTRY;

The BeginAddress and EndAddress attributes are RVAs that represent the range of the non-leaf function. The UnwindInfoAddress will be discussed in more detail in the following subsection on unwind information. The Exception directory itself is merely an array of IMAGE_RUNTIME_FUNCTION_ENTRY structures. When an exception occurs, the exception dispatcher will enumerate the array of runtime function entries until it finds the non-leaf function associated with the address it's searching for (typically a return address).
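
The enumeration described above, as an added example that is not code from the original article or from Windows: a bounds-checked scan of raw exception directory bytes for the entry covering a given RVA, as an analysis tool would do on an untrusted image. The names `runtime_function`, `rd32`, `lookup_runtime_function` and `sample_dir` are hypothetical, the sample bytes are constructed, and treating EndAddress as exclusive is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mirrors the three ULONG fields of IMAGE_RUNTIME_FUNCTION_ENTRY (12 bytes). */
typedef struct {
    uint32_t BeginAddress;
    uint32_t EndAddress;
    uint32_t UnwindInfoAddress;
} runtime_function;

/* Read a little-endian 32-bit value without relying on host alignment. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hypothetical helper. Returns 1 and fills *out when an entry covers rva,
 * 0 when none does (leaf function or stray address), -1 when the directory
 * is malformed. Assumption: EndAddress is one past the last byte. */
int lookup_runtime_function(const uint8_t *dir, size_t dir_size,
                            uint32_t rva, runtime_function *out) {
    if (dir == NULL || out == NULL || dir_size % 12 != 0)
        return -1;                  /* truncated or misaligned directory */
    for (size_t off = 0; off < dir_size; off += 12) {
        runtime_function e = { rd32(dir + off), rd32(dir + off + 4),
                               rd32(dir + off + 8) };
        if (e.BeginAddress >= e.EndAddress)
            return -1;              /* empty or inverted range */
        if (rva >= e.BeginAddress && rva < e.EndAddress) {
            *out = e;
            return 1;
        }
    }
    return 0;
}

/* Constructed sample: entries for 0x1000-0x1040 and 0x1050-0x10c0. */
static const uint8_t sample_dir[24] = {
    0x00,0x10,0,0, 0x40,0x10,0,0, 0x00,0x30,0,0,
    0x50,0x10,0,0, 0xc0,0x10,0,0, 0x0c,0x30,0,0,
};

int main(void) {
    runtime_function rf = {0, 0, 0};
    int r = lookup_runtime_function(sample_dir, sizeof sample_dir, 0x1063, &rf);
    printf("%d begin=0x%x unwind=0x%x\n", r, (unsigned)rf.BeginAddress,
           (unsigned)rf.UnwindInfoAddress);
    return 0;
}
```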