Consider the following IL code:
.method public static void Main()
{
ldstr "Starts Here"
call void [mscorlib] System.Console::WriteLine(string)
.try {
ldstr "Try Me!"
call void [mscorlib] System.Console::WriteLine(string)
leave.s Done
}
catch [mscorlib] System.Exception {
ldstr "Catch Me!"
call void [mscorlib] System.Console::WriteLine(string)
leave.s Done
}
Done:
ldstr "Ends Here"
call void [mscorlib] System.Console::WriteLine(string)
ret
}
How does CLR define the try
block in JIT-ed code? The native code looks the following way:
...
00900076 8b0538214703 mov eax,dword ptr ds:[3472138h] ("Starts Here")
...
00900090 8b053c214703 mov eax,dword ptr ds:[347213Ch] ("Try Me!")
...
009000a2 eb1b jmp 009000bf ;// Done
009000a4 8945d4 mov dword ptr [ebp-2Ch],eax
009000a7 8b0540214703 mov eax,dword ptr ds:[3472140h] ("Catch Me!")
...
009000b8 e888293b73 call clr!JIT_EndCatch (73cb2a45)
009000bd eb00 jmp 009000bf ;// Done
;// Done:
009000bf 8b0544214703 mov eax,dword ptr ds:[3472144h] ("Ends Here")
...
009000d6 c3 ret
We can see clr!JIT_EndCatch
but where is the beginning and the end of the try
block?
The jitter generates a lot more than just the machine code that you can easily see with the debugger. You'll want to read this answer, it talks about the tables that the jitter generates to assist the garbage collector.
That works in a very similar way for exception handling, the jitter generates function tables used by the SafeSEH implementation to let the operating system discover the exception filter. Such a table has entries for the start and end address of the try-block and a function pointer for the filter. The exact way it works is heavily under-documented, exception handling has been exploited heavily by malware in the past and google hits for "safeseh" are not anything I want to repeat here. There's some cursory info about it in the MSDN article for the assembler's option. I'm not aware of a simple way to inspect these tables with the debugger.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With