intercept a specific exception
in [Win32 Kernel]
|
From: Simon Chen on 29 Oct 2006 21:21 Hi guys, I am thinking of writing something that can intercept a specific type of exception in all applications. >From my understanding, windows kernel has an exception handling linked list data structure. If an exception happens, windows would walk through the list to see which one can handle the exception. Even if I can add something to this list, it seems to me that the exception handling structure added by the application would be found first. So the question is: can I do something to intercept a specific kind of exception from any applications before the application's exception handler does? Thanks a lot! -Simon
From: anton bassov on 30 Oct 2006 08:19 Hi mate > I am thinking of writing something that can intercept a specific type > of exception in all applications. > >From my understanding, windows kernel has an exception handling linked > list data structure. If an exception happens, windows would walk > through the list to see which one can handle the exception. When some exception occurs, its corresponding handler gets invoked (exception handlers reside in the kernel mode, and their addresses are stored in IDT). Except page faults and other situations when the decision gets made right by exception handler itself, exception eventually ends up being handled by KiDispatchException(). It works the following way ( I make an assumption that debugger is not present): A. Kernel-mode exception If SearchFrames is FALSE, the system gets shut down straight away. If SearchFrames is TRUE, RtlDispatchException() gets invoked in order to seach frames and invoke exception handler( if one is found, of course). If exception is handled, the target thread is allowed to run. If no appropriate handler is found or handlers that have been found do not handle the exception, the system gets shut down. B User-mode exception If SearchFrames is FALSE, the process gets terminated. If SearchFrames is TRUE, the user-mode stack gets adjusted in such way that KiUserExceptionDispatcher() gets invoked upon the return to the user mode, and the return to the user mode is made. KiUserExceptionDispatcher() invokes user-mode RtlDispatchException() in order to seach frames and invoke exception handler( if one is found, of course). If exception is handled, the target thread is allowed to run. If the exception still does not handled, the exception gets re-signaled (i.e SearchFrames is set to FALSE), and the thread re-enters the kernel mode - we already know what KiDispatchException() does if SearchFrames is FALSE, don't we???? > Even if I can add something to this list, it seems to me that the > exception handling structure added by the application would be found > first. This is true - structured exception handling is stack-based, and the pointer to the first structure in a chain has to be right on top of the stack at the time of the exception...... > So the question is: can I do something to intercept a specific kind of > exception from any applications before the application's exception > handler does? By now you must have aldeady understood that user-mode exception handling is process-based - the frame searh is done in the user mode..... Therefore, you can either: 1. Hook IDT, so that you will be the very first one who gets informed about all exceptions of the given class that happen anywhere in the system 2. If you don't want to go to the kernel mode, you can hook ntdll.dll in all processes in the system. You would have to use disassembly -style hooking, because you would have to hook RtlDispatchException() directly Anton Bassov Simon Chen wrote: > Hi guys, > > I am thinking of writing something that can intercept a specific type > of exception in all applications. > > >From my understanding, windows kernel has an exception handling linked > list data structure. If an exception happens, windows would walk > through the list to see which one can handle the exception. > > Even if I can add something to this list, it seems to me that the > exception handling structure added by the application would be found > first. > > So the question is: can I do something to intercept a specific kind of > exception from any applications before the application's exception > handler does? > > Thanks a lot! > > -Simon
From: Simon Chen on 30 Oct 2006 11:44 Thanks a lot, Anton. Your reply is extremely helpful. anton bassov wrote: > Hi mate > > > I am thinking of writing something that can intercept a specific type > > of exception in all applications. > > > >From my understanding, windows kernel has an exception handling linked > > list data structure. If an exception happens, windows would walk > > through the list to see which one can handle the exception. > > When some exception occurs, its corresponding handler gets invoked > (exception handlers reside in the kernel mode, and their addresses are > stored in IDT). > Except page faults and other situations when the decision gets made > right by exception handler itself, exception eventually ends up being > handled by KiDispatchException(). It works the following way ( I make > an assumption that debugger is not present): > > A. Kernel-mode exception > > If SearchFrames is FALSE, the system gets shut down straight away. If > SearchFrames is TRUE, RtlDispatchException() gets invoked in order to > seach frames and invoke exception handler( if one is found, of course). > If exception is handled, the target thread is allowed to run. If no > appropriate handler is found or handlers that have been found do not > handle the exception, the system gets shut down. > > B User-mode exception > > If SearchFrames is FALSE, the process gets terminated. > > If SearchFrames is TRUE, the user-mode stack gets adjusted in such way > that KiUserExceptionDispatcher() gets invoked upon the return to the > user mode, and the return to the user mode is made. > KiUserExceptionDispatcher() invokes user-mode RtlDispatchException() in > order to seach frames and invoke exception handler( if one is found, of > course). If exception is handled, the target thread is allowed to run. > If the exception still does not handled, the exception gets re-signaled > (i.e > SearchFrames is set to FALSE), and the thread re-enters the kernel mode > - we already know what KiDispatchException() does if SearchFrames is > FALSE, don't we???? > > > Even if I can add something to this list, it seems to me that the > > exception handling structure added by the application would be found > > first. > > This is true - structured exception handling is stack-based, and the > pointer to the first structure in a chain has to be right on top of the > stack at the time of the exception...... > > > So the question is: can I do something to intercept a specific kind of > > exception from any applications before the application's exception > > handler does? > > By now you must have aldeady understood that user-mode exception > handling is process-based - the frame searh is done in the user > mode..... > > Therefore, you can either: > > 1. Hook IDT, so that you will be the very first one who gets informed > about all exceptions of the given class that happen anywhere in the > system > > 2. If you don't want to go to the kernel mode, you can hook ntdll.dll > in all processes in the system. You would have to use disassembly > -style hooking, because you would have to hook RtlDispatchException() > directly > > > Anton Bassov > > > > > Simon Chen wrote: > > Hi guys, > > > > I am thinking of writing something that can intercept a specific type > > of exception in all applications. > > > > >From my understanding, windows kernel has an exception handling linked > > list data structure. If an exception happens, windows would walk > > through the list to see which one can handle the exception. > > > > Even if I can add something to this list, it seems to me that the > > exception handling structure added by the application would be found > > first. > > > > So the question is: can I do something to intercept a specific kind of > > exception from any applications before the application's exception > > handler does? > > > > Thanks a lot! > > > > -Simon
From: Simon Chen on 30 Oct 2006 20:08 I found that windows xp actually support a vectored exception handling scheme. Does it make any difference? Thanks! anton bassov wrote: > Hi mate > > > I am thinking of writing something that can intercept a specific type > > of exception in all applications. > > > >From my understanding, windows kernel has an exception handling linked > > list data structure. If an exception happens, windows would walk > > through the list to see which one can handle the exception. > > When some exception occurs, its corresponding handler gets invoked > (exception handlers reside in the kernel mode, and their addresses are > stored in IDT). > Except page faults and other situations when the decision gets made > right by exception handler itself, exception eventually ends up being > handled by KiDispatchException(). It works the following way ( I make > an assumption that debugger is not present): > > A. Kernel-mode exception > > If SearchFrames is FALSE, the system gets shut down straight away. If > SearchFrames is TRUE, RtlDispatchException() gets invoked in order to > seach frames and invoke exception handler( if one is found, of course). > If exception is handled, the target thread is allowed to run. If no > appropriate handler is found or handlers that have been found do not > handle the exception, the system gets shut down. > > B User-mode exception > > If SearchFrames is FALSE, the process gets terminated. > > If SearchFrames is TRUE, the user-mode stack gets adjusted in such way > that KiUserExceptionDispatcher() gets invoked upon the return to the > user mode, and the return to the user mode is made. > KiUserExceptionDispatcher() invokes user-mode RtlDispatchException() in > order to seach frames and invoke exception handler( if one is found, of > course). If exception is handled, the target thread is allowed to run. > If the exception still does not handled, the exception gets re-signaled > (i.e > SearchFrames is set to FALSE), and the thread re-enters the kernel mode > - we already know what KiDispatchException() does if SearchFrames is > FALSE, don't we???? > > > Even if I can add something to this list, it seems to me that the > > exception handling structure added by the application would be found > > first. > > This is true - structured exception handling is stack-based, and the > pointer to the first structure in a chain has to be right on top of the > stack at the time of the exception...... > > > So the question is: can I do something to intercept a specific kind of > > exception from any applications before the application's exception > > handler does? > > By now you must have aldeady understood that user-mode exception > handling is process-based - the frame searh is done in the user > mode..... > > Therefore, you can either: > > 1. Hook IDT, so that you will be the very first one who gets informed > about all exceptions of the given class that happen anywhere in the > system > > 2. If you don't want to go to the kernel mode, you can hook ntdll.dll > in all processes in the system. You would have to use disassembly > -style hooking, because you would have to hook RtlDispatchException() > directly > > > Anton Bassov > > > > > Simon Chen wrote: > > Hi guys, > > > > I am thinking of writing something that can intercept a specific type > > of exception in all applications. > > > > >From my understanding, windows kernel has an exception handling linked > > list data structure. If an exception happens, windows would walk > > through the list to see which one can handle the exception. > > > > Even if I can add something to this list, it seems to me that the > > exception handling structure added by the application would be found > > first. > > > > So the question is: can I do something to intercept a specific kind of > > exception from any applications before the application's exception > > handler does? > > > > Thanks a lot! > > > > -Simon
|
Pages: 1 Prev: Freeze process Next: Getting subnet mask with GetAdaptersAddresses |