Windows kernel reading notes: the Windows exception dispatch mechanism

Source: Internet
Author: User


The IDT is the gateway for handling exceptions and for the interaction between the operating system and the CPU.

The system fills in this table during the initialization phase.

Each IDT entry is called a gate descriptor because the IDT functions like a gate, jumping from one space to another.

The IDT contains three kinds of gate descriptors:

    • Task gate descriptor: used for task switching
    • Interrupt gate descriptor: used to describe interrupt handling routines
    • Trap gate descriptor: used to describe exception handling routines

How the CPU uses the IDT

The CPU first locates the IDT through IDTR, then uses the vector number to find the gate descriptor and determines its type. If it is a task gate descriptor, the CPU performs a hardware task switch to the thread defined by the descriptor.

If it is a trap gate or interrupt gate descriptor, the handling routine is called. The x64 architecture does not support hardware task switching, so it no longer has task gates.

Before invoking the handling routine, the CPU pushes EFLAGS, CS, and EIP onto the stack; if the exception carries an error code, the error code is pushed onto the stack as well.
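The lookup and gate-type decision described above, as an added example that is not part of the original notes: a decoder for 32-bit protected-mode IDT entries, run over a constructed three-entry table. The names `decode_gate`, `lookup_vector` and `sample_idt` are hypothetical, and the sample bytes are made up for illustration rather than dumped from a real system.

```c
/* Added example; names and sample bytes are illustrative, not from the notes. */
#include <stdint.h>
#include <stdio.h>
typedef enum { GATE_INVALID, GATE_TASK, GATE_INTERRUPT, GATE_TRAP } gate_kind;
typedef struct {
    gate_kind kind;
    int       present, dpl;  /* P bit, descriptor privilege level */
    uint16_t  selector;      /* code segment selector (TSS selector for a task gate) */
    uint32_t  offset;        /* handler entry point; unused for a task gate */
} gate_info;

/* Decode one 8-byte 32-bit protected-mode IDT entry as it lies in memory. */
gate_info decode_gate(const uint8_t e[8]) {
    gate_info g = { GATE_INVALID, (e[5] >> 7) & 1, (e[5] >> 5) & 3,
                    (uint16_t)(e[2] | (e[3] << 8)), 0 };
    switch (e[5] & 0x1F) {           /* S bit (0x10) must be 0 for a gate */
    case 0x05: g.kind = GATE_TASK;      return g;
    case 0x0E: g.kind = GATE_INTERRUPT; break;
    case 0x0F: g.kind = GATE_TRAP;      break;
    default:   return g;             /* other types, 16-bit gates included, not handled */
    }
    g.offset = e[0] | (e[1] << 8) | ((uint32_t)e[6] << 16) | ((uint32_t)e[7] << 24);
    return g;
}

/* Mimic the CPU lookup: IDTR gives base and limit, the vector indexes 8-byte entries. */
int lookup_vector(const uint8_t *idt, uint16_t limit, unsigned vector, gate_info *out) {
    if (vector * 8u + 7u > limit) return -1;   /* entry lies outside the table */
    *out = decode_gate(idt + vector * 8u);
    return (out->kind != GATE_INVALID && out->present) ? 0 : -1;
}

/* Constructed sample table (not from a real system): trap, interrupt, task gate. */
const uint8_t sample_idt[24] = {
    0x34, 0x12, 0x08, 0x00, 0x00, 0x8F, 0x54, 0x80,
    0xCD, 0xAB, 0x08, 0x00, 0x00, 0x8E, 0x54, 0x80,
    0x00, 0x00, 0x58, 0x00, 0x00, 0x85, 0x00, 0x00,
};

int main(void) {
    static const char *names[] = { "invalid", "task", "interrupt", "trap" };
    gate_info g;
    for (unsigned v = 0; v < 4; v++)   /* vector 3 lies past the limit and is skipped */
        if (lookup_vector(sample_idt, sizeof sample_idt - 1, v, &g) == 0)
            printf("vector %u: %s gate sel=0x%04X off=0x%08X dpl=%d\n", v,
                   names[g.kind], (unsigned)g.selector, (unsigned)g.offset, g.dpl);
    return 0;
}
```

The same decoder can be pointed at an IDT dump to check that each vector's selector and handler offset land where they are expected.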

Windows systems use the EXCEPTION_RECORD structure to describe exceptions.

    typedef struct _EXCEPTION_RECORD {
        DWORD ExceptionCode;                        // Exception code
        DWORD ExceptionFlags;                       // Exception flags
        struct _EXCEPTION_RECORD *ExceptionRecord;  // Another exception related to this one
        PVOID ExceptionAddress;                     // The address where the exception occurred
        DWORD NumberParameters;                     // The number of parameters in the parameter array
        ULONG_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];  // Parameter array
    } EXCEPTION_RECORD, *PEXCEPTION_RECORD;

The exception code can be regarded as an alias for the exception; some exceptions have an exception code and some do not.

The CommonDispatchException function builds an EXCEPTION_RECORD structure on the stack and writes the current exception data into it.

KiDispatchException is then called with this structure as a parameter to dispatch the exception.

A software exception is generated by calling the kernel function NtRaiseException, directly or indirectly. User mode can also call this function: Kernel32.dll exports a RaiseException function that lets user-mode code raise a custom exception.

RaiseException works by placing its parameters into an EXCEPTION_RECORD structure and calling RtlRaiseException, which captures the current thread context into a CONTEXT structure and then calls NtRaiseException.

NtRaiseException is implemented internally by KiRaiseException.

    // from WRK 1.2
    NTSTATUS
    KiRaiseException (
        IN PEXCEPTION_RECORD ExceptionRecord,  // Exception record
        IN PCONTEXT ContextRecord,             // Thread context structure
        IN PKEXCEPTION_FRAME ExceptionFrame,   // Not used; NULL
        IN PKTRAP_FRAME TrapFrame,             // Stack frame base address
        IN BOOLEAN FirstChance                 // Whether this is the first or second round of processing
        )

    {
        // Part of the content omitted

        // Copy the ContextRecord to the kernel stack of the current thread
        KeContextToKframes(TrapFrame,
                           ExceptionFrame,
                           ContextRecord,
                           ContextRecord->ContextFlags,
                           PreviousMode);

        // Clear the internal flag in the exception code of the exception record
        // so that software exceptions can be distinguished from CPU exceptions
        ExceptionRecord->ExceptionCode &= ~KI_EXCEPTION_INTERNAL;

        // Call the function that dispatches exceptions
        KiDispatchException(ExceptionRecord,
                            ExceptionFrame,
                            TrapFrame,
                            PreviousMode,
                            FirstChance);

        return STATUS_SUCCESS;
    }
