I've been digging around alot of win32k stuff lately and I notice quite often the use of this structure CPPEH_RECORD as given by ida and also refference by its alias "ms_exc". Whats the purpose of this structure ? I tried googling ofcourse but all I got was other people's disassembly and I'm guessing this structure from its abbreviation has something to do with microsoft exchange ? Just a guess. Not looking for a direct answer just some direction to help shed some light.

The CPPEH_RECORD, according to what I found, looks like an exception handling in C++. I'm not entirely sure about most of it but the structure definitely follows similarly to an SEH record. Sorry for the google translate but this is the best info I could find right now. ms_exc looks to be a different entity and might refer to the exception handler that is used. Hope this helps at least point you in the right direction.


http://translate.google.com/translate?hl=en&sl=de&u=http://board.codingcrew.de/assembler-f5/c-c-gt-ida-pro-gt-masm-t12631.html&ei=KJIoTsq5HJDBtgfL09G7Cg&sa=X&oi=translate&ct=result&resnum=7&ved=0CE4Q7gEwBg&prev=/search%3Fq%3DCPPEH_RECORD%2B%2Bida%26hl%3Den%26biw%3D1280%26bih%3D835%26prmd%3Divns

Isn't that just a different syntax of an Exception Handler Frame?



That struct is from a useful set of IDC scripts I sometimes use to make sense of that stuff disassembled:

http://www.openrce.org/downloads/details/196/Microsoft_VC++_Reversing_Helpers

Also, here's an MS ppt presentation which discusses the EH Frame.

Recent Evolutions in Compiler-Based Security Mechanisms
http://www.facultyresourcecenter.com/curriculum/pfv.aspx?ID=7361


Expand that and I thought it served the same purpose as CPPEH_RECORD.

Thanks a ton