Exception Handing

What is the output of the following program?

CRITICAL_SECTION g_cs;

int filter(unsigned int code, struct _EXCEPTION_POINTERS *ep)

{

OutputDebugStringA("Inside Filter Function");

if (code == EXCEPTION_ACCESS_VIOLATION)

{

return EXCEPTION_EXECUTE_HANDLER;

}

else

{

return EXCEPTION_CONTINUE_SEARCH;

}

}

int _tmain(int argc, _TCHAR* argv[])

{

__try

{

__try

{

__try

{

EnterCriticalSection(&g_cs);

}

__finally

{

OutputDebugStringA("inner\n");

}

}

__finally

{

OutputDebugStringA("outer\n");

}

}

__except(EXCEPTION_EXECUTE_HANDLER/*filter(GetExceptionCode(), GetExceptionInformation())*/)

{

OutputDebugStringA("Got the exception\n");

}

return 0;

}

Answer:

Inside Filter function

Inner

Outer

Got the exception

Summary:

Whenever exception happens it searches for very first __except irrespective of any number of __finally block in between(like above) and then it executes very first finally block and soon...

Why exception has occurred in above code?

Ans: We have not called InitializeCriticalSection().

Where are variables stored?

Local Variables - Stack

Register variables - Register

Global & static variables - data segment.

dynamically created memory - Heap

C program instructions get stored - code segment

extern variables - data segment.

Argument of KiUserExceptionDispatcher() function

For hardware generated exceptions (such as access violations), one can look for ntdll!KiUserExceptionDispatcher on the stack, which takes a PCONTEXT and PEXCEPTION_RECORD as argument.

Stack Trace:

0021e9fc 77db5f79 fffffffe 0021f878 0021eb04 ntdll!_except_handler4+0x8e

0021ea20 77db5f4b 0021eae8 0021f878 0021eb04 ntdll!ExecuteHandler2+0x26

0021ead0 77db5dd7 0121eae8 0021eb04 0021eae8 ntdll!ExecuteHandler+0x24

0021ead0 77d8e13d 0121eae8 0021eb04 0021eae8 ntdll!KiUserExceptionDispatcher+0xf

0021ee20 77d8e04d 00000000 00000000 00000001 ntdll!RtlpWaitOnCriticalSection+0xc5

0:000> .exr 0x21eae8

ExceptionAddress: 77d8e13d (ntdll!RtlpWaitOnCriticalSection+0x000000c5)

ExceptionCode: c0000005 (Access violation)

ExceptionFlags: 00000000

NumberParameters: 2

Parameter[0]: 00000001

Parameter[1]: 00000014

Attempt to write to address 00000014

0:000> .cxr 0x21eb04

eax=00000000 ebx=fffffffc ecx=00000000 edx=00000004 esi=737b19a0 edi=737b19a4

eip=77d8e13d esp=0021edd0 ebp=0021ee20 iopl=0 nv up ei pl nz ac po cy

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213

ntdll!RtlpWaitOnCriticalSection+0xc5:

77d8e13d 83401401 add dword ptr [eax+14h],1 ds:0023:00000014=????????

0:000> dt -r1 0x21eb04 CONTEXT

ntdll!CONTEXT

+0x000 ContextFlags : 0x1003f

+0x004 Dr0 : 0

+0x008 Dr1 : 0

+0x00c Dr2 : 0

+0x010 Dr3 : 0

+0x014 Dr6 : 0

+0x018 Dr7 : 0

+0x01c FloatSave : _FLOATING_SAVE_AREA

   +0x000 ControlWord : 0xffff027f

   +0x004 StatusWord : 0xffff0000

   +0x008 TagWord : 0xffffffff

   +0x00c ErrorOffset : 0

   +0x010 ErrorSelector : 0

   +0x014 DataOffset : 0

   +0x018 DataSelector : 0xffff0000

   +0x01c RegisterArea : [80] ""

   +0x06c Cr0NpxState : 0

+0x08c SegGs : 0

+0x090 SegFs : 0x3b

+0x094 SegEs : 0x23

+0x098 SegDs : 0x23

+0x09c Edi : 0x737b19a4

+0x0a0 Esi : 0x737b19a0

+0x0a4 Ebx : 0xfffffffc

+0x0a8 Edx : 4

+0x0ac Ecx : 0

+0x0b0 Eax : 0

+0x0b4 Ebp : 0x21ee20

+0x0b8 Eip : 0x77d8e13d

+0x0bc SegCs : 0x1b

+0x0c0 EFlags : 0x10213

+0x0c4 Esp : 0x21edd0

+0x0c8 SegSs : 0x23

+0x0cc ExtendedRegisters : [512] "???"

0:000> dt -r1 0x21eae8 EXCEPTION_RECORD

ntdll!EXCEPTION_RECORD

+0x000 ExceptionCode : 0xc0000005

+0x004 ExceptionFlags : 0

+0x008 ExceptionRecord : (null)

+0x00c ExceptionAddress : 0x77d8e13d

+0x010 NumberParameters : 2

+0x014 ExceptionInformation : [15] 1

0:000> !error 0xc0000005

Error code: (NTSTATUS) 0xc0000005 (3221225477) - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

You can see the exception code is 0xc0000005 which is Access Violation
So whenever you find the KiUserExceptionDispatcher() function in call stack you can check for CONTEXT structure and EXCEPTION_RECORD structure, to find the exception code.

References:
Debugger tricks: Find all probable CONTEXT records in a crash dump

How to enable Windows Installer logging

How to enable Windows Installer logging Clickhere!!!

Windows Template Library

Windows Template Library 8.0 Click here!!!

ETW

Event Tracing for Windows

1. Core OS Events in Windows 7 Click here!!!
2. Core Instrumentation Events in Windows 7 Click here!!!

IRP

Working With An Incomplete Or Invalid IRP Click here!!!

Windows 7

1. Introducing The Taskbar APIs Click here!!!
2. Introducing Libraries Click here!!!

Solving 11 Likely Problems In Your Multithreaded Code

Solving 11 Likely Problems In Your Multithreaded Code Click here!!!

Test Your Security IQ

Test Your Security IQ Click here!!!

Debugging Information

1. Create Dump File Click Here!!!
2. Debugging Windows Services Click here!!!
3. Debugging Winlogon.exe Click here!!!
4. Debugging CSRSS Click here!!!
5. Analyze Crashes to find Security Vulnerabilities in your App Click here!!!

Good Links

You will never get the code perfect but you can add defenses.

1. Protecting Your Code with Visual C++ Defenses Click here!!!
2. FAQ about HeapSetInformation Click here!!!
3. HeapSetInformation in VC++ 2010 Click here!!!