The Hidden Iceberg – Exception Dispatching (Part 3)

In part 2 of this post series, we left with the question concerning how we reach to the ‘first chance exception’ manifested in the debugger. We further see how exceptions and interrupts have associated handlers in kernel mode, called trap-handlers. The CPU stores the address of interrupt dispatch table (IDT) in IDTR register and every entry in IDT corresponds to an exception or interrupt handler routine also called trap handler. We use Windows 7 x86 system for debugging and note that the trap handler symbol for ‘divide by zero’ exception is ‘KiTrap00’.  The processor transfers control to this routine when a ‘divide by zero’ exception occurs. We can set a breakpoint on this handler and get the stack as shown below.

0: kd> kn # ChildEBP RetAddr 
00 93d0dd98 01236a9e nt!_KiTrap00 >>>>trap handler called on exception 
01 93d0ddc8 00000000 Ex1!SafeDiv+0x3e

In this post, we explicate the flow of exception dispatching from user mode to kernel mode which remains unseen by the developers. It is expected that the reader has some knowledge of C and WinDbg or any other related debugging tool.

Reverse Engineering the trap-handler

The ‘KiDispatchException‘ is the key routine to handle the exception and a breakpoint can be set here: Continue reading “The Hidden Iceberg – Exception Dispatching (Part 3)”

The Trap of Operating System: Exception Handling (Part 2)

The exception hierarchy of the operating system allows the developers to handle both hardware and software exceptions in a unified way and also improves the modularity of the code being developed. In the previous post we observed how the disassembly of a guarded code (__try, __except) block is different. In this post and explore how the system takes control when the exception happens. It is expected that the reader has some knowledge of C and WinDbg or any other related debugging tool.

Catching Exception In Debugger

Using WinDbg, load the application symbols during loader break  and set a breakpoint on ‘main’ routine  Continue reading “The Trap of Operating System: Exception Handling (Part 2)”