#include
int main(int argc, const char* argv[])
{ jmp_buf buf = {0,}; int k = 0;
setjmp(buf);
k = 1;
longjmp(buf, 1);
}
测试代码如上所示, 看一下Disassemble的代码
__setjmp3:
69CDFC38 mov edx,dword ptr [esp+4]
69CDFC3C mov dword ptr [edx],ebp
69CDFC3E mov dword ptr [edx+4],ebx
69CDFC41 mov dword ptr [edx+8],edi
69CDFC44 mov dword ptr [edx+0Ch],esi
69CDFC47 mov dword ptr [edx+10h],esp
69CDFC4A mov eax,dword ptr [esp]
69CDFC4D mov dword ptr [edx+14h],eax
69CDFC50 mov dword ptr [edx+20h],56433230h
69CDFC57 mov dword ptr [edx+24h],0
69CDFC5E mov eax,dword ptr fs:[00000000h]
69CDFC64 mov dword ptr [edx+18h],eax
69CDFC67 cmp eax,0FFFFFFFFh
69CDFC6A jne _s3_get_count (69CDFC75h)
69CDFC6C mov dword ptr [edx+1Ch],0FFFFFFFFh
69CDFC73 jmp _s3_done (69CDFCB0h)
_s3_get_count:
69CDFC75 mov ecx,dword ptr [esp+8]
69CDFC79 or ecx,ecx
69CDFC7B je _s3_default_trylevel (69CDFC87h)
69CDFC7D mov eax,dword ptr [esp+0Ch]
69CDFC81 mov dword ptr [edx+24h],eax
69CDFC84 dec ecx
69CDFC85 jne _s3_save_trylevel (69CDFC8Fh)
_s3_default_trylevel:
69CDFC87 mov eax,dword ptr [eax+0Ch]
69CDFC8A mov dword ptr [edx+1Ch],eax
69CDFC8D jmp _s3_done (69CDFCB0h)
_s3_save_trylevel:
69CDFC8F mov eax,dword ptr [esp+10h]
69CDFC93 mov dword ptr [edx+1Ch],eax
69CDFC96 dec ecx
69CDFC97 je _s3_done (69CDFCB0h)
69CDFC99 push esi
69CDFC9A push edi
69CDFC9B lea esi,[esp+1Ch]
69CDFC9F lea edi,[edx+28h]
69CDFCA2 cmp ecx,6
69CDFCA5 jbe _s3_save_data (69CDFCACh)
69CDFCA7 mov ecx,6
_s3_save_data:
69CDFCAC rep movs dword ptr es:[edi],dword ptr [esi]
69CDFCAE pop edi
69CDFCAF pop esi
_s3_done:
69CDFCB0 sub eax,eax
69CDFCB2 ret
69CDFCB3 int 3
69CDFCB4 int 3
69CDFCB5 int 3
69CDFCB6 int 3
69CDFCB7 int 3
69CDFCB8 int 3
69CDFCB9 int 3
69CDFCBA int 3
69CDFCBB int 3
69CDFCBC int 3
69CDFCBD int 3
69CDFCBE int 3
69CDFCBF int 3
将刚刚压入栈中的buf[esp + 4]赋值给edx,然后分别将线程相关的Context的各个register,以及TEB中的某些字段fs:[00000000h]放到该结构体中。
fs:[00000000h]保存的是与SEH相关的信息,参考:
参考:
总之,一旦调用longjmp,那么包括esp在内的Context可能都会被改变