JIT-ed Exception handler implementation

Question

Consider the following IL code:

    .method public static void Main()
    {
        ldstr "Starts Here"
        call void [mscorlib] System.Console::WriteLine(string)
        .try {      
            ldstr "Try Me!"
            call void [mscorlib] System.Console::WriteLine(string)
            leave.s Done
        }
        catch [mscorlib] System.Exception {
            ldstr "Catch Me!"
            call void [mscorlib] System.Console::WriteLine(string)
            leave.s Done
        }
    Done:
        ldstr "Ends Here"
        call void [mscorlib] System.Console::WriteLine(string)
        ret
    }

How does CLR define the try block in JIT-ed code? The native code looks the following way:

...
00900076 8b0538214703    mov     eax,dword ptr ds:[3472138h] ("Starts Here")
...

00900090 8b053c214703    mov     eax,dword ptr ds:[347213Ch] ("Try Me!")
...

009000a2 eb1b            jmp     009000bf ;// Done

009000a4 8945d4          mov     dword ptr [ebp-2Ch],eax
009000a7 8b0540214703    mov     eax,dword ptr ds:[3472140h] ("Catch Me!")
...

009000b8 e888293b73      call    clr!JIT_EndCatch (73cb2a45)
009000bd eb00            jmp     009000bf ;// Done

;// Done:
009000bf 8b0544214703    mov     eax,dword ptr ds:[3472144h] ("Ends Here")
...
009000d6 c3              ret

We can see clr!JIT_EndCatch but where is the beginning and the end of the try block?

Answer 1

The jitter generates a lot more than just the machine code that you can easily see with the debugger. You'll want to read this answer, it talks about the tables that the jitter generates to assist the garbage collector.

That works in a very similar way for exception handling, the jitter generates function tables used by the SafeSEH implementation to let the operating system discover the exception filter. Such a table has entries for the start and end address of the try-block and a function pointer for the filter. The exact way it works is heavily under-documented, exception handling has been exploited heavily by malware in the past and google hits for "safeseh" are not anything I want to repeat here. There's some cursory info about it in the MSDN article for the assembler's option. I'm not aware of a simple way to inspect these tables with the debugger.