Back to the Start – Exception Handling (Part 4)

The C programming language does not offer any support to handle exceptions in the program and this is one of the major differences between C and C++. The Structured Exception Handling (SEH) is an extension to Microsoft C++ and C language support. Although, it is recommended to use the in-built exception handling mechanism if you are using C++  because it helps with the portability of the code across platforms. But, Microsoft compiler allows us to use SEH with C++ and C. The SEH provides a way to handle resources (memory buffers, synchronization primitives, etc) in case the program flow is interrupted due to software or hardware exceptions.

The SEH mechanism which was mentioned in the first post is :

  • Exception handler – __except block: called in response to an exception.
  • Termination handler – __finally block: always called.

When the developer defines the SEH block (aka exception frame), it gets installed on the stack and with the unwinding of the stack, it gets removed. The exception can be caught in the same function or the caller function. In terms of unwinding the stack, if the exception is unhandled in the callee, it goes higher up the stack in the previous or caller’s frame and appropriate action is taken. So the above two SEH mechanisms may be different in terms of functionality but as far as unwinding the stack is concerned, they are similar.

In this post, we dig into the flow of the exception in user-mode (supported by OS) and in the developer’s code (exception or termination handler written by the developer). It is expected that the reader has some knowledge of C and WinDbg or any other related debugging tool.

The Thread Environment

Let’s take a look at the stack once we return to the user-mode after the ‘First Chance’ exception (see previous post).

Continue reading “Back to the Start – Exception Handling (Part 4)”

The Hidden Iceberg – Exception Dispatching (Part 3)

In part 2 of this post series, we left with the question concerning how we reach to the ‘first chance exception’ manifested in the debugger. We further see how exceptions and interrupts have associated handlers in kernel mode, called trap-handlers. The CPU stores the address of interrupt dispatch table (IDT) in IDTR register and every entry in IDT corresponds to an exception or interrupt handler routine also called trap handler. We use Windows 7 x86 system for debugging and note that the trap handler symbol for ‘divide by zero’ exception is ‘KiTrap00’.  The processor transfers control to this routine when a ‘divide by zero’ exception occurs. We can set a breakpoint on this handler and get the stack as shown below.

0: kd> kn # ChildEBP RetAddr 
00 93d0dd98 01236a9e nt!_KiTrap00 >>>>trap handler called on exception 
01 93d0ddc8 00000000 Ex1!SafeDiv+0x3e

In this post, we explicate the flow of exception dispatching from user mode to kernel mode which remains unseen by the developers. It is expected that the reader has some knowledge of C and WinDbg or any other related debugging tool.

Reverse Engineering the trap-handler

The ‘KiDispatchException‘ is the key routine to handle the exception and a breakpoint can be set here: Continue reading “The Hidden Iceberg – Exception Dispatching (Part 3)”