Windows exception Handling

Reference book: "Windows environment 32-bit assembly language Program design" 14 chapters, "C + + disassembly and reverse analysis Technology Disclosure" 13 chapter

The effect of exception handling: The system gives the program the last chance to fix an error or an exception when the program runs out of exception or error.

Exception handling is divided into 2 classes (by Scope):

1, filter filter callback function, the scope of the function is the process scope, a process has and only one filter filter callback function,

Advantages: Easy to use

Disadvantage: Because it is global, it is not conducive to encapsulation, and cannot set exception handlers for threads alone.

2. Structured exception Handling (SEH), which is scoped to a thread, and can set multiple exception handlers for each thread at the same time

=================================================================

Exception Handling Process:

(1). System to see if the process that caused the exception is being debugged, and if it is being debugged, send the Exception_debug_event event to the debugger

(2). If the process is not being debugged or the debugger does not handle the exception, then the system checks the thread in which the exception is located and looks in the thread environment for FS:[0] to determine whether the SEH exception handling callback function is installed and, if so, calls it.

(3). The callback function tries to handle this exception, if it can be handled correctly, fix the error and set the return value to Exceptioncontinueexecution, and the system will end the entire discovery process

(4). If the callback function returns Exceptioncontinuesearch and tells the system that he cannot handle the exception, the system will get the address of the previous callback function based on the Prev field in the Seh chain and repeat the Step (3) procedure. Until a callback function in the chain returns Exceptioncontinueexecution, the lookup ends

(5). If there is no callback function willing to handle the exception at the end of the Seh chain, the system will again detect if the process is being debugged, and if it is debugged, notify the debugger again

(6). If the debugger still does not handle the exception or the process is not debugged, then the system checks that there is no installation filter callback function, if any, then to call him, the filter callback function returned, the system default exception handler according to the return value will be the corresponding action

(7). If the filter callback function is not installed, the system directly calls the default exception handler to terminate the process

==================================================================

Data structures related to exception handling:

typedef struct _EXCEPTION_POINTERS {
Pexception_record ExceptionRecord; Some related data about this exception
PCONTEXT contextrecord;//An exception occurs when the thread execution environment
} exception_pointers, *pexception_pointers;

typedef struct _EXCEPTION_RECORD {
DWORD exceptioncode;//Exception event code
DWORD exceptionflags;//Exception Time flag
struct _exception_record* exceptionrecord;//next Exception_record structure address
PVOID exceptionaddress;
DWORD numberparameters;
DWORD Exceptioninformation[exception_maximum_parameters];
} Exception_record;

struct exception_registration
{
exception_registration* prev; Previous Exception_registration
Farproc handler; Exception handling function Address
};

======================================================================

Filter filter callback function use and note:

1. Call SetUnhandledExceptionFilter to set the callback function

LONG WINAPI UnhandledExceptionFilter (
_in_ struct _exception_pointers *exceptioninfo
);

This is the prototype of the callback function.

Return exception_execute_handler=1 return This value the process will usually be terminated

Return exception_continue_execution=-1 return This value the process will continue to run

Return exception_continue_search=0 return This value the process is usually terminated, but the System error dialog box pops up

Seh Use and note:

1. Replace the fs:[0] exception_registration pointer

The FS segment register always points to the current thread structure, TIB, while Fs:[0] points to the exception_registration pointer

SEH callback function return value

Exceptioncontinueexecution=0 continues execution, the system sets the thread environment to

The exceptioncontinuesearch=1 callback function refuses to handle this exception, and the system calls the last level of callback function pointed to in exception_registration.

A new exception occurred during the execution of the exceptionnestedexception=2 callback function, that is, nested exceptions

exceptioncollidedunwind=3 occurrence of nested expansion operations

=====================================================================================

Expansion of the exception (Exception_unwind)

Why an exception is thrown: when all the exception callback functions on the SEH chain cannot handle or do not handle an exception, the system sends Exception_unwind to each callback function in the SEH chain, causing an exception to unfold (Exception_ Unwind can also be emitted by one of the SEH callback functions and then issued Exception_unwind all the previous callback functions will be unloaded, fs:[0] will point to the callback function that emits exception_unwind)

The role of abnormal expansion:

1, received Exception_unwind SEH callback function will be unloaded, so when the callback function received Exception_unwind, will do some work for themselves, which is particularly important is to modify fs:[0] to their next SEH callback function

Exception expansion function: Rtlunwind () Specific operation can be seen in the Windows environment of 32-bit assembly language program design P521

　　

Windows exception Handling