Re: intercept a specific exception
- From: "Simon Chen" <simonchennj@xxxxxxxxx>
- Date: 30 Oct 2006 17:08:49 -0800
I found that windows xp actually support a vectored exception handling
scheme.
Does it make any difference?
Thanks!
anton bassov wrote:
Hi mate
I am thinking of writing something that can intercept a specific type
of exception in all applications.
From my understanding, windows kernel has an exception handling linkedlist data structure. If an exception happens, windows would walk
through the list to see which one can handle the exception.
When some exception occurs, its corresponding handler gets invoked
(exception handlers reside in the kernel mode, and their addresses are
stored in IDT).
Except page faults and other situations when the decision gets made
right by exception handler itself, exception eventually ends up being
handled by KiDispatchException(). It works the following way ( I make
an assumption that debugger is not present):
A. Kernel-mode exception
If SearchFrames is FALSE, the system gets shut down straight away. If
SearchFrames is TRUE, RtlDispatchException() gets invoked in order to
seach frames and invoke exception handler( if one is found, of course).
If exception is handled, the target thread is allowed to run. If no
appropriate handler is found or handlers that have been found do not
handle the exception, the system gets shut down.
B User-mode exception
If SearchFrames is FALSE, the process gets terminated.
If SearchFrames is TRUE, the user-mode stack gets adjusted in such way
that KiUserExceptionDispatcher() gets invoked upon the return to the
user mode, and the return to the user mode is made.
KiUserExceptionDispatcher() invokes user-mode RtlDispatchException() in
order to seach frames and invoke exception handler( if one is found, of
course). If exception is handled, the target thread is allowed to run.
If the exception still does not handled, the exception gets re-signaled
(i.e
SearchFrames is set to FALSE), and the thread re-enters the kernel mode
- we already know what KiDispatchException() does if SearchFrames is
FALSE, don't we????
Even if I can add something to this list, it seems to me that the
exception handling structure added by the application would be found
first.
This is true - structured exception handling is stack-based, and the
pointer to the first structure in a chain has to be right on top of the
stack at the time of the exception......
So the question is: can I do something to intercept a specific kind of
exception from any applications before the application's exception
handler does?
By now you must have aldeady understood that user-mode exception
handling is process-based - the frame searh is done in the user
mode.....
Therefore, you can either:
1. Hook IDT, so that you will be the very first one who gets informed
about all exceptions of the given class that happen anywhere in the
system
2. If you don't want to go to the kernel mode, you can hook ntdll.dll
in all processes in the system. You would have to use disassembly
-style hooking, because you would have to hook RtlDispatchException()
directly
Anton Bassov
Simon Chen wrote:
Hi guys,
I am thinking of writing something that can intercept a specific type
of exception in all applications.
From my understanding, windows kernel has an exception handling linkedlist data structure. If an exception happens, windows would walk
through the list to see which one can handle the exception.
Even if I can add something to this list, it seems to me that the
exception handling structure added by the application would be found
first.
So the question is: can I do something to intercept a specific kind of
exception from any applications before the application's exception
handler does?
Thanks a lot!
-Simon
.
- References:
- intercept a specific exception
- From: Simon Chen
- Re: intercept a specific exception
- From: anton bassov
- intercept a specific exception
- Prev by Date: Re: undestroyable process
- Next by Date: Re: undestroyable process
- Previous by thread: Re: intercept a specific exception
- Next by thread: RE: CreateProcess win64
- Index(es):
Relevant Pages
|
