In part 2 of this post series, we left with the question concerning how we reach to the ‘first chance exception’ manifested in the debugger. We further see how exceptions and interrupts have associated handlers in kernel mode, called trap-handlers. The CPU stores the address of interrupt dispatch table (IDT) in IDTR register and every entry in IDT corresponds to an exception or interrupt handler routine also called trap handler. We use Windows 7 x86 system for debugging and note that the trap handler symbol for ‘divide by zero’ exception is ‘KiTrap00’. The processor transfers control to this routine when a ‘divide by zero’ exception occurs. We can set a breakpoint on this handler and get the stack as shown below.
0: kd> kn # ChildEBP RetAddr 00 93d0dd98 01236a9e nt!_KiTrap00 >>>>trap handler called on exception 01 93d0ddc8 00000000 Ex1!SafeDiv+0x3e
In this post, we explicate the flow of exception dispatching from user mode to kernel mode which remains unseen by the developers. It is expected that the reader has some knowledge of C and WinDbg or any other related debugging tool.
Reverse Engineering the trap-handler
The ‘KiDispatchException‘ is the key routine to handle the exception and a breakpoint can be set here: Continue reading “The Hidden Iceberg – Exception Dispatching (Part 3)”