Fix unreliable RaiseException code (untested)

elicn · elicn · commit f6c1ab5f5681 · 2022-01-10T11:37:31.000+02:00
diff --git a/qiling/os/utils.py b/qiling/os/utils.py
@@ -184,24 +184,3 @@ def printf(self, format: str, args: MutableSequence, wstring: bool = False) -> i
 
     def update_ellipsis(self, params: MutableMapping, args: Sequence) -> None:
         params.update((f'{QlOsUtils.ELLIPSIS_PREF}{i}', a) for i, a in enumerate(args))
-
-    def exec_arbitrary(self, start: int, end: int):
-        old_sp = self.ql.reg.arch_sp
-
-        # we read where this hook is supposed to return
-        ret = self.ql.stack_read(0)
-
-        def restore(ql: Qiling):
-            self.ql.log.debug(f"Executed code from {start:#x} to {end:#x}")
-            # now we can restore the register to be where we were supposed to
-            ql.reg.arch_sp = old_sp + ql.pointersize
-            ql.reg.arch_pc = ret
-
-            # we want to execute the code once, not more
-            hret.remove()
-
-        # we have to set an address to restore the registers
-        hret = self.ql.hook_address(restore, end)
-        # we want to rewrite the return address to the function
-        self.ql.stack_write(0, start)
-
diff --git a/qiling/os/windows/dlls/kernel32/errhandlingapi.py b/qiling/os/windows/dlls/kernel32/errhandlingapi.py
@@ -75,9 +75,7 @@ def hook_SetErrorMode(ql: Qiling, address: int, params):
 def hook_RaiseException(ql: Qiling, address: int, params):
     func_addr = ql.os.handle_manager.search("TopLevelExceptionHandler").obj
 
-    # TODO: this implementation won't work most of the time
-    size = find_size_function(ql, func_addr)
-    ql.os.exec_arbitrary(func_addr, func_addr + size)
+    ql.os.fcall.call_native(func_addr, [], None)
 
     return 0
 
@@ -122,7 +120,6 @@ def exec_standard_into(ql: Qiling, intno: int, user_data):
         ql.reg.esi = user_data
 
     addr = params["Handler"]
-    #size = find_size_function(ql, addr)
 
     # the interrupts 0x2d, 0x3 must be hooked
     hook = ql.hook_intno(exec_standard_into, 0x3, user_data=addr)
diff --git a/qiling/os/windows/utils.py b/qiling/os/windows/utils.py
@@ -37,21 +37,6 @@ def path_leaf(path):
     head, tail = ntpath.split(path)
     return tail or ntpath.basename(head)
 
-# FIXME: determining a function size by locating 'ret' opcodes in its code is a very unreliable way, to say
-# the least. not only that 'ret' instructions may appear more than once in a single function, they not are
-# necessarily located at the last function basic block: think of a typical nested loop spaghetty.
-#
-# also, there is no telling whether a 0xC3 value found in function code is actually a 'ret' instruction, or
-# just part of a magic value (e.g. "mov eax, 0xffffffc3").
-#
-# finally, if this method happens to find the correct function size, by any chance, that would be a pure luck.
-def find_size_function(ql: Qiling, func_addr: int):
-    # We have to retrieve the return address position
-    code = ql.mem.read(func_addr, 0x100)
-    return_procedures = [b"\xc3", b"\xc2", b"\xcb", b"\xca"]
-    min_index = min([code.index(return_value) for return_value in return_procedures if return_value in code])
-    return min_index
-
 
 def io_Write(ql: Qiling, in_buffer: bytes):
     heap = ql.os.heap
