花猫,这段代码是不是异常处理代码

77F9FB90 8B 1C 24             mov         ebx,dword ptr [esp]
77F9FB93 51                   push        ecx
77F9FB94 53                   push        ebx
77F9FB95 E8 86 B3 FE FF       call        77F8AF20
77F9FB9A 0A C0                or          al,al
77F9FB9C 74 0C                je          77F9FBAA
77F9FB9E 5B                   pop         ebx
77F9FB9F 59                   pop         ecx
77F9FBA0 6A 00                push        0
77F9FBA2 51                   push        ecx
77F9FBA3 E8 EE 2B FF FF       call        77F92796
77F9FBA8 EB 0B                jmp         77F9FBB5
77F9FBAA 5B                   pop         ebx
77F9FBAB 59                   pop         ecx
77F9FBAC 6A 00                push        0
77F9FBAE 51                   push        ecx
77F9FBAF 53                   push        ebx
77F9FBB0 E8 3D 65 FE FF       call        77F860F2
77F9FBB5 83 C4 EC             add         esp,0ECh
77F9FBB8 89 04 24             mov         dword ptr [esp],eax
77F9FBBB C7 44 24 04 01 00 00 mov         dword ptr [esp+4],1
77F9FBC3 89 5C 24 08          mov         dword ptr [esp+8],ebx
77F9FBC7 C7 44 24 10 00 00 00 mov         dword ptr [esp+10h],0
77F9FBCF 54                   push        esp
77F9FBD0 E8 8B 07 01 00       call        77FB0360
77F9FBD5 C2 08 00             ret         8
77F9FBD8 50                   push        eax
77F9FBD9 55                   push        ebp
77F9FBDA 8B EC                mov         ebp,esp
77F9FBDC 83 EC 50             sub         esp,50h
77F9FBDF 89 44 24 0C          mov         dword ptr [esp+0Ch],eax
77F9FBE3 64 A1 18 00 00 00    mov         eax,fs:[00000018]
77F9FBE9 8B 80 A4 01 00 00    mov         eax,dword ptr [eax+1A4h]
77F9FBEF 89 04 24             mov         dword ptr [esp],eax
77F9FBF2 C7 44 24 04 00 00 00 mov         dword ptr [esp+4],0
77F9FBFA C7 44 24 08 00 00 00 mov         dword ptr [esp+8],0
77F9FC02 C7 44 24 10 00 00 00 mov         dword ptr [esp+10h],0
77F9FC0A 54                   push        esp
77F9FC0B E8 50 07 01 00       call        77FB0360
77F9FC10 8B 04 24             mov         eax,dword ptr [esp]
77F9FC13 8B E5                mov         esp,ebp
77F9FC15 5D                   pop         ebp
77F9FC16 C3                   ret
77F9FC17 33 C0                xor         eax,eax
77F9FC19 E9 FA 3D FF FF       jmp         77F93A18
77F9FC1E 57                   push        edi
77F9F

不是

你看看jeff richter的书，里面有讲通过esp+多少便宜得到FS的，好象是这样的，要不直接通过FS:[0]来做
看到里面的ESP+0ch很象，记不住了

[编辑 -  10/14/02 by  ooze]

你看看jeff richter的书，里面有讲通过esp+多少便宜得到FS的，好象是这样的，要不直接通过FS:[0]来做
看到里面的ESP+0ch很象，记不住了

[编辑 -  10/14/02 by  ooze]

SEH只和FS:[0]有关

typedef struct _CONTEXT {

    //
    // This section is specified/returned if the ContextFlags word contains
    // the flag CONTEXT_FLOATING_POINT.
    //

    ULONGLONG FltF0;
    ULONGLONG FltF1;
    ULONGLONG FltF2;
    ULONGLONG FltF3;
    ULONGLONG FltF4;
    ULONGLONG FltF5;
    ULONGLONG FltF6;
    ULONGLONG FltF7;
    ULONGLONG FltF8;
    ULONGLONG FltF9;
    ULONGLONG FltF10;
    ULONGLONG FltF11;
    ULONGLONG FltF12;
    ULONGLONG FltF13;
    ULONGLONG FltF14;
    ULONGLONG FltF15;
    ULONGLONG FltF16;
    ULONGLONG FltF17;
    ULONGLONG FltF18;
    ULONGLONG FltF19;
    ULONGLONG FltF20;
    ULONGLONG FltF21;
    ULONGLONG FltF22;
    ULONGLONG FltF23;
    ULONGLONG FltF24;
    ULONGLONG FltF25;
    ULONGLONG FltF26;
    ULONGLONG FltF27;
    ULONGLONG FltF28;
    ULONGLONG FltF29;
    ULONGLONG FltF30;
    ULONGLONG FltF31;

    //
    // This section is specified/returned if the ContextFlags word contains
    // the flag CONTEXT_INTEGER.
    //
    // N.B. The registers gp, sp, and ra are defined in this section, but are
    //  considered part of the control context rather than part of the integer
    //  context.
    //

    ULONGLONG IntV0;    //  $0: return value register, v0
    ULONGLONG IntT0;    //  $1: temporary registers, t0 - t7
    ULONGLONG IntT1;    //  $2:
    ULONGLONG IntT2;    //  $3:
    ULONGLONG IntT3;    //  $4:
    ULONGLONG IntT4;    //  $5:
    ULONGLONG IntT5;    //  $6:
    ULONGLONG IntT6;    //  $7:
    ULONGLONG IntT7;    //  $8:
    ULONGLONG IntS0;    //  $9: nonvolatile registers, s0 - s5
    ULONGLONG IntS1;    // $10:
    ULONGLONG IntS2;    // $11:
    ULONGLONG IntS3;    // $12:
    ULONGLONG IntS4;    // $13:
    ULONGLONG IntS5;    // $14:
    ULONGLONG IntFp;    // $15: frame pointer register, fp/s6
    ULONGLONG IntA0;    // $16: argument registers, a0 - a5
    ULONGLONG IntA1;    // $17:
    ULONGLONG IntA2;    // $18:
    ULONGLONG IntA3;    // $19:
    ULONGLONG IntA4;    // $20:
    ULONGLONG IntA5;    // $21:
    ULONGLONG IntT8;    // $22: temporary registers, t8 - t11
    ULONGLONG IntT9;    // $23:
    ULONGLONG IntT10;   // $24:
    ULONGLONG IntT11;   // $25:
    ULONGLONG IntRa;    // $26: return address register, ra
    ULONGLONG IntT12;   // $27: temporary register, t12
    ULONGLONG IntAt;    // $28: assembler temp register, at
    ULONGLONG IntGp;    // $29: global pointer register, gp
    ULONGLONG IntSp;    // $30: stack pointer register, sp
    ULONGLONG IntZero;  // $31: zero register, zero

    //
    // This section is specified/returned if the ContextFlags word contains
    // the flag CONTEXT_FLOATING_POINT.
    //

    ULONGLONG Fpcr;     // floating point control register
    ULONGLONG SoftFpcr; // software extension to FPCR

    //
    // This section is specified/returned if the ContextFlags word contains
    // the flag CONTEXT_CONTROL.
    //
    // N.B. The registers gp, sp, and ra are defined in the integer section,
    //   but are considered part of the control context rather than part of
    //   the integer context.
    //

    ULONGLONG Fir;      // (fault instruction) continuation address
    DWORD Psr;          // processor status

    //
    // The flags values within this flag control the contents of
    // a CONTEXT record.
    //
    // If the context record is used as an input parameter, then
    // for each portion of the context record controlled by a flag
    // whose value is set, it is assumed that that portion of the
    // context record contains valid context. If the context record
    // is being used to modify a thread\'s context, then only that
    // portion of the threads context will be modified.
    //
    // If the context record is used as an IN OUT parameter to capture
    // the context of a thread, then only those portions of the thread\'s
    // context corresponding to set flags will be returned.
    //
    // The context record is never used as an OUT only parameter.
    //

    DWORD ContextFlags;
    DWORD Fill[4];      // padding for 16-byte stack frame alignment

} CONTEXT, *PCONTEXT;

Figure 1 CONTEXT Structure
typedef struct _CONTEXT
{
DWORD ContextFlags;
DWORD Dr0;
DWORD Dr1;
DWORD Dr2;
DWORD Dr3;
DWORD Dr6;
DWORD Dr7;
FLOATING_SAVE_AREA FloatSave;
DWORD SegGs;
DWORD SegFs;
DWORD SegEs;
DWORD SegDs;
DWORD Edi;
DWORD Esi;
DWORD Ebx;
DWORD Edx;
DWORD Ecx;
DWORD Eax;
DWORD Ebp;
DWORD Eip;
DWORD SegCs;
DWORD EFlags;
DWORD Esp;
DWORD SegSs;
} CONTEXT;

Figure 1 CONTEXT Structure
typedef struct _CONTEXT
{
DWORD ContextFlags;
DWORD Dr0;
DWORD Dr1;
DWORD Dr2;
DWORD Dr3;
DWORD Dr6;
DWORD Dr7;
FLOATING_SAVE_AREA FloatSave;
DWORD SegGs;
DWORD SegFs;
DWORD SegEs;
DWORD SegDs;
DWORD Edi;
DWORD Esi;
DWORD Ebx;
DWORD Edx;
DWORD Ecx;
DWORD Eax;
DWORD Ebp;
DWORD Eip;
DWORD SegCs;
DWORD EFlags;
DWORD Esp;
DWORD SegSs;
} CONTEXT;
 

实在忘记了，核心编程讲线程的那部分有这个结构，还有怎么取得这个结构，通过这个结构就可以作到SEH了

mov eax,fs:[00000018]----得到线程TEB
mov eax,dword ptr [eax+1A4h]---?????---

SEH应该是[eax+0],不清楚[eax+1A4]是什么？
SEH和fs:[0]相关，或者TEB的0偏移

查下.h文件，看看teb怎么定义的，算算偏移1a4是啥

windows在创建线程时，操作系统均会为每个线程分配TEB（线程环境块），而且都将FS段选择器指向当前线程的TEB数据。偏移量为00H的ERR结构主要用于处理SEH，也就是说对FS：[00]的任何访问都意味着SEH。