KiDispatchException

This article walks through how the KiDispatchException function works: how an exception is dispatched according to the processor mode, covering the handling flows for both kernel mode and user mode.



VOID
KiDispatchException (
    IN PEXCEPTION_RECORD ExceptionRecord,
    IN PKEXCEPTION_FRAME ExceptionFrame,
    IN PKTRAP_FRAME TrapFrame,
    IN KPROCESSOR_MODE PreviousMode,
    IN BOOLEAN FirstChance
    )

/*++

// Exception dispatch routine
// Dispatches an exception to the appropriate mode
// Note:
// The debugging flow itself goes through KiDispatchException, not KiDispatchInterrupt.
// KiDispatchInterrupt mainly handles external interrupts (clock, keyboard/mouse, etc.); to analyze timers and similar mechanisms, trace into that function instead.

// If the processor was in kernel mode before the trap, the exception is handled directly; otherwise the exception information is packaged and thrown to user mode (which involves a cross-privilege-level memory copy).


Routine Description:

    This function is called to dispatch an exception to the proper mode and
    to cause the exception dispatcher to be called. If the previous mode is
    kernel, then the exception dispatcher is called directly to process the
    exception. Otherwise the exception record, exception frame, and trap
    frame contents are copied to the user mode stack. The contents of the
    exception frame and trap are then modified such that when control is
    returned, execution will commence in user mode in a routine which will
    call the exception dispatcher.

Arguments:

    // Pointer to the exception record
    ExceptionRecord - Supplies a pointer to an exception record.

    // Points to the exception frame; on NT386 this pointer is NULL
    ExceptionFrame - Supplies a pointer to an exception frame. For NT386,
        this should be NULL.

    // Points to the trap frame
    TrapFrame - Supplies a pointer to a trap frame.

    // The previous mode: the mode the system was in before the trap occurred
    PreviousMode - Supplies the previous processor mode.

    // Whether this is a first-chance exception
    FirstChance - Supplies a boolean value that specifies whether this is
        the first (TRUE) or second (FALSE) chance for the exception.

Return Value:

    None.

--*/

{
    CONTEXT ContextFrame;
    EXCEPTION_RECORD ExceptionRecord1, ExceptionRecord2;
    LONG Length;
    ULONG UserStack1;
    ULONG UserStack2;

    //
    // Move machine state from trap and exception frames to a context frame,
    // and increment the number of exceptions dispatched.
    //

    // Increment the exception dispatch count
    KeGetCurrentPrcb()->KeExceptionDispatchCount += 1;
    // Set the flags for what the context frame must record:
    // SS:SP, CS:IP, FLAGS, BP
    // AX, BX, CX, DX, SI, DI
    // DS, ES, FS, GS
    // DB 0-3,6,7

    ContextFrame.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS;

    // If we came from user mode, or the kernel debugger is enabled, ContextFrame needs additional state
    if ((PreviousMode == UserMode) || KdDebuggerEnabled) {
        // Flags added specifically to handle special cases (80387 npx support)
        //
        // For usermode exceptions always try to dispatch the floating
        // point state.  This allows exception handlers & debuggers to
        // examine/edit the npx context if required.  Plus it allows
        // exception handlers to use fp instructions without destroying
        // the npx state at the time of the exception.
        //
        // Note: If there's no 80387, ContextTo/FromKFrames will use the
        // emulator's current state.  If the emulator can not give the
        // current state, then the context_floating_point bit will be
        // turned off by ContextFromKFrames.
        //

        ContextFrame.ContextFlags |= CONTEXT_FLOATING_POINT;
        if (KeI386XMMIPresent) {
            ContextFrame.ContextFlags |= CONTEXT_EXTENDED_REGISTERS;
        }
    }

    // Pull the register data selected by the flags out of the trap frame into the context frame
    // Note: the exception frame is not used here
    KeContextFromKframes(TrapFrame, ExceptionFrame, &ContextFrame);

    //
    // if it is BREAK_POINT exception, we subtract 1 from EIP and report
    // the updated EIP to user.  This is because Cruiser requires EIP
    // points to the int 3 instruction (not the instruction following int 3).
    // In this case, BreakPoint exception is fatal. Otherwise we will step
    // on the int 3 over and over again, if user does not handle it
    //
    // if the BREAK_POINT occurred in V86 mode, the debugger running in the
    // VDM will expect CS:EIP to point after the exception (the way the
    // processor left it).  this is also true for protected mode dos
    // app debuggers.  We will need a way to detect this.
    //
    //

    // If the exception was caused by int 3, EIP must be decremented by one before being passed to user mode
    switch (ExceptionRecord->ExceptionCode) {
        case STATUS_BREAKPOINT:
            ContextFrame.Eip--;
            break;

        // Invalid or out-of-bounds memory access from the application layer
        case KI_EXCEPTION_ACCESS_VIOLATION:
            ExceptionRecord->ExceptionCode = STATUS_ACCESS_VIOLATION;
            if (PreviousMode == UserMode) {
                if (KiCheckForAtlThunk(ExceptionRecord,&ContextFrame) != FALSE) {
                    goto Handled1;
                }

                if ((SharedUserData->ProcessorFeatures[PF_NX_ENABLED] == TRUE) &&
                    (ExceptionRecord->ExceptionInformation [0] == EXCEPTION_EXECUTE_FAULT)) {

                    if (((KeFeatureBits & KF_GLOBAL_32BIT_EXECUTE) != 0) ||
                        (PsGetCurrentProcess()->Pcb.Flags.ExecuteEnable != 0) ||
                        (((KeFeatureBits & KF_GLOBAL_32BIT_NOEXECUTE) == 0) &&
                         (PsGetCurrentProcess()->Pcb.Flags.ExecuteDisable == 0))) {
                        ExceptionRecord->ExceptionInformation [0] = 0;
                    }
                }
            }
            break;
    }

    //
    // Select the method of handling the exception based on the previous mode.
    //

    ASSERT ((
             !((PreviousMode == KernelMode) &&
             (ContextFrame.EFlags & EFLAGS_V86_MASK))
           ));

    // When the previous mode was kernel mode
    if (PreviousMode == KernelMode) {

        //
        // First check whether a kernel debugger is present; if it is, give the kernel debugger the first chance to handle the exception.
        // If the kernel debugger handles the exception, execution continues.
        // If the kernel debugger cannot handle it, hand the exception to the exception handling framework.
        // If the framework handles it, execution continues.
        // If the framework cannot handle it either, give the kernel debugger a second chance; if that fails too, KeBugCheck and a blue screen.
        //

        // Note:
        // KiDebugRoutine is therefore one place to check whether the system is currently being debugged.

        //
        // Previous mode was kernel.
        //
        // If the kernel debugger is active, then give the kernel debugger the
        // first chance to handle the exception. If the kernel debugger handles
        // the exception, then continue execution. Else attempt to dispatch the
        // exception to a frame based handler. If a frame based handler handles
        // the exception, then continue execution.
        //
        // If a frame based handler does not handle the exception,
        // give the kernel debugger a second chance, if it's present.
        //
        // If the exception is still unhandled, call KeBugCheck().
        //

        if (FirstChance == TRUE) {

            if ((KiDebugRoutine != NULL) &&
               (((KiDebugRoutine) (TrapFrame,
                                   ExceptionFrame,
                                   ExceptionRecord,
                                   &ContextFrame,
                                   PreviousMode,
                                   FALSE)) != FALSE)) {

                goto Handled1;
            }

            // Kernel debugger didn't handle exception. So in practice the exception handling framework gets only one chance to handle it.

            if (RtlDispatchException(ExceptionRecord, &ContextFrame) == TRUE) {
                goto Handled1;
            }
        }

        //
        // This is the second chance to handle the exception.
        //

        if ((KiDebugRoutine != NULL) &&
            (((KiDebugRoutine) (TrapFrame,
                                ExceptionFrame,
                                ExceptionRecord,
                                &ContextFrame,
                                PreviousMode,
                                TRUE)) != FALSE)) {

            goto Handled1;
        }

        KeBugCheckEx(
            KERNEL_MODE_EXCEPTION_NOT_HANDLED,
            ExceptionRecord->ExceptionCode,
            (ULONG)ExceptionRecord->ExceptionAddress,
            (ULONG)TrapFrame,
            0);

    } else {

        // If the previous mode was user mode

        // If this is the first chance and the current process has a debug port, send a message to the debug port and wait for a reply.
        // If the debugger handles the exception, continue execution.
        //
        // If there is no debugger, copy the exception information to the user stack and hand it to the user-mode exception handling framework.
        // If the framework handles it, continue execution.
        // If the exception was raised by the process itself through NtRaiseException with first-chance handling declined,
        // it only gets a chance to be handled on the second call.

        // If this is the second chance and the current process has a debug port, it still goes to the debug port first;
        // otherwise it goes to the subsystem port, and if the subsystem port cannot handle it, the process is terminated.

        // Previous mode was user.
        //
        // If this is the first chance and the current process has a debugger
        // port, then send a message to the debugger port and wait for a reply.
        // If the debugger handles the exception, then continue execution. Else
        // transfer the exception information to the user stack, transition to
        // user mode, and attempt to dispatch the exception to a frame based
        // handler. If a frame based handler handles the exception, then continue
        // execution with the continue system service. Else execute the
        // NtRaiseException system service with FirstChance == FALSE, which
        // will call this routine a second time to process the exception.
        //
        // If this is the second chance and the current process has a debugger
        // port, then send a message to the debugger port and wait for a reply.
        // If the debugger handles the exception, then continue execution. Else
        // if the current process has a subsystem port, then send a message to
        // the subsystem port and wait for a reply. If the subsystem handles the
        // exception, then continue execution. Else terminate the process.
        //

        if (FirstChance == TRUE) {

            //
            // This is the first chance to handle the exception.
            //
            // Give the kernel debugger the first opportunity to handle it
            if ((KiDebugRoutine != NULL)  &&
                ((PsGetCurrentProcess()->DebugPort == NULL &&
                  !KdIgnoreUmExceptions) ||
                 (KdIsThisAKdTrap(ExceptionRecord, &ContextFrame, UserMode)))) {
                //
                // Now dispatch the fault to the kernel debugger.
                //

                if ((((KiDebugRoutine) (TrapFrame,
                                        ExceptionFrame,
                                        ExceptionRecord,
                                        &ContextFrame,
                                        PreviousMode,
                                        FALSE)) != FALSE)) {

                    goto Handled1;
                }
            }

            // Forward to the debug port and the exception port (subsystem port)
            if (DbgkForwardException(ExceptionRecord, TRUE, FALSE)) {
                goto Handled2;
            }

            //
            // Transfer exception information to the user stack, transition
            // to user mode, and attempt to dispatch the exception to a frame
            // based handler.

            ExceptionRecord1.ExceptionCode = 0; // satisfy no_opt compilation

            // Copy the exception information onto the user stack
        repeat:
            try {

                //
                // If the SS segment is not 32 bit flat, there is no point
                // to dispatch exception to frame based exception handler.
                //

                if (TrapFrame->HardwareSegSs != (KGDT_R3_DATA | RPL_MASK) ||
                    TrapFrame->EFlags & EFLAGS_V86_MASK ) {
                    ExceptionRecord2.ExceptionCode = STATUS_ACCESS_VIOLATION;
                    ExceptionRecord2.ExceptionFlags = 0;
                    ExceptionRecord2.NumberParameters = 0;
                    ExRaiseException(&ExceptionRecord2);
                }

                //
                // Compute length of context record and new aligned user stack
                // pointer.
                //

                UserStack1 = (ContextFrame.Esp & ~CONTEXT_ROUND) - CONTEXT_ALIGNED_SIZE;

                //
                // Probe user stack area for writability and then transfer the
                // context record to the user stack.
                //

                ProbeForWrite((PCHAR)UserStack1, CONTEXT_ALIGNED_SIZE, CONTEXT_ALIGN);
                RtlCopyMemory((PULONG)UserStack1, &ContextFrame, sizeof(CONTEXT));

                //
                // Compute length of exception record and new aligned stack
                // address.
                //

                Length = (sizeof(EXCEPTION_RECORD) - (EXCEPTION_MAXIMUM_PARAMETERS -
                         ExceptionRecord->NumberParameters) * sizeof(ULONG) +3) &
                         (~3);
                UserStack2 = UserStack1 - Length;

                //
                // Probe user stack area for writability and then transfer the
                // exception record to the user stack area.
                // N.B. The probing length is Length+8 because two arguments
                //      need to be pushed to the user stack later.
                //

                ProbeForWrite((PCHAR)(UserStack2 - 8), Length + 8, sizeof(ULONG));
                RtlCopyMemory((PULONG)UserStack2, ExceptionRecord, Length);

                //
                // Push address of exception record, context record to the
                // user stack.  They are the two parameters required by
                // _KiUserExceptionDispatch.
                //

                *(PULONG)(UserStack2 - sizeof(ULONG)) = UserStack1;
                *(PULONG)(UserStack2 - 2*sizeof(ULONG)) = UserStack2;

                //
                // Set new stack pointer to the trap frame.
                //

                KiSegSsToTrapFrame(TrapFrame, KGDT_R3_DATA);
                KiEspToTrapFrame(TrapFrame, (UserStack2 - sizeof(ULONG)*2));

                //
                // Force correct R3 selectors into TrapFrame.
                //

                TrapFrame->SegCs = SANITIZE_SEG(KGDT_R3_CODE, PreviousMode);
                TrapFrame->SegDs = SANITIZE_SEG(KGDT_R3_DATA, PreviousMode);
                TrapFrame->SegEs = SANITIZE_SEG(KGDT_R3_DATA, PreviousMode);
                TrapFrame->SegFs = SANITIZE_SEG(KGDT_R3_TEB, PreviousMode);
                TrapFrame->SegGs = 0;

                //
                // Set the address of the exception routine that will call the
                // exception dispatcher and then return to the trap handler.
                // The trap handler will restore the exception and trap frame
                // context and continue execution in the routine that will
                // call the exception dispatcher.
                //

                TrapFrame->Eip = (ULONG)KeUserExceptionDispatcher;
                return;

            } except (KiCopyInformation(&ExceptionRecord1,
                        (GetExceptionInformation())->ExceptionRecord)) {

                //
                // If the exception is a stack overflow, then attempt
                // to raise the stack overflow exception. Otherwise,
                // the user's stack is not accessible, or is misaligned,
                // and second chance processing is performed.
                //

                if (ExceptionRecord1.ExceptionCode == STATUS_STACK_OVERFLOW) {
                    ExceptionRecord1.ExceptionAddress = ExceptionRecord->ExceptionAddress;
                    RtlCopyMemory((PVOID)ExceptionRecord,
                                  &ExceptionRecord1, sizeof(EXCEPTION_RECORD));
                    goto repeat;
                }
            }
        }

        //
        // This is the second chance to handle the exception.
        //

        if (DbgkForwardException(ExceptionRecord, TRUE, TRUE)) {
            goto Handled2;
        } else if (DbgkForwardException(ExceptionRecord, FALSE, TRUE)) {
            goto Handled2;
        } else {
            ZwTerminateProcess(NtCurrentProcess(), ExceptionRecord->ExceptionCode);
            KeBugCheckEx(
                KERNEL_MODE_EXCEPTION_NOT_HANDLED,
                ExceptionRecord->ExceptionCode,
                (ULONG)ExceptionRecord->ExceptionAddress,
                (ULONG)TrapFrame,
                0);
        }
    }

    //
    // Move machine state from context frame to trap and exception frames and
    // then return to continue execution with the restored state.
    //

Handled1:
    // Restore the context into the trap frame
    KeContextToKframes(TrapFrame, ExceptionFrame, &ContextFrame,
                       ContextFrame.ContextFlags, PreviousMode);

    //
    // Exception was handled by the debugger or the associated subsystem
    // and state was modified, if necessary, using the get state and set
    // state capabilities. Therefore the context frame does not need to
    // be transferred to the trap and exception frames.
    //

Handled2:
    return;
}
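As an added illustration (not part of the original listing or of the NT source), the following portable C model reproduces the user-stack frame that the try block above builds before transferring to KeUserExceptionDispatcher: the aligned CONTEXT copy at UserStack1, the truncated EXCEPTION_RECORD copy at UserStack2, and the two pushed arguments. The struct sizes (sizeof(CONTEXT) == 0x2CC, CONTEXT_ALIGN == 4, 80-byte EXCEPTION_RECORD) are the 32-bit x86 values assumed for the model; the stack addresses, the fault record and the stack-limit check standing in for ProbeForWrite are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit x86 layout constants assumed by this model (not taken from the page):
 * sizeof(CONTEXT) == 0x2CC, CONTEXT_ALIGN == 4, sizeof(EXCEPTION_RECORD) == 80. */
#define X86_CONTEXT_SIZE             0x2CCu
#define X86_CONTEXT_ROUND            3u
#define X86_CONTEXT_ALIGNED_SIZE     ((X86_CONTEXT_SIZE + X86_CONTEXT_ROUND) & ~X86_CONTEXT_ROUND)
#define EXCEPTION_MAXIMUM_PARAMETERS 15u
#define X86_EXCEPTION_RECORD_SIZE    (5u * 4u + EXCEPTION_MAXIMUM_PARAMETERS * 4u)
#define MODEL_STATUS_SUCCESS         0x00000000u
#define MODEL_STATUS_STACK_OVERFLOW  0xC00000FDu

/* Where each piece of the frame lands on the user stack. */
typedef struct {
    uint32_t status;        /* MODEL_STATUS_SUCCESS or MODEL_STATUS_STACK_OVERFLOW */
    uint32_t context_addr;  /* UserStack1: aligned CONTEXT copy */
    uint32_t record_addr;   /* UserStack2: truncated EXCEPTION_RECORD copy */
    uint32_t record_length; /* Length: bytes of the EXCEPTION_RECORD actually copied */
    uint32_t new_esp;       /* value stored into the trap frame: UserStack2 - 8 */
} user_frame_layout;

/* Constructed 8 KiB user stack: virtual addresses [base, base+size) map onto buf. */
typedef struct { uint32_t base, size; uint8_t buf[8192]; } fake_user_stack;
fake_user_stack g_stack = { 0x0012E000u, 8192u, {0} };

static uint8_t *stack_ptr(fake_user_stack *s, uint32_t va) { return s->buf + (va - s->base); }

uint32_t get_u32(fake_user_stack *s, uint32_t va)
{
    uint32_t v;
    memcpy(&v, stack_ptr(s, va), sizeof v);
    return v;
}

/* Model of the try block in KiDispatchException: lay out the frame that
 * KiUserExceptionDispatcher(ExceptionRecord, ContextRecord) expects.
 * esp is ContextFrame.Esp at the fault; record is the 80-byte record image. */
user_frame_layout build_user_exception_frame(fake_user_stack *s, uint32_t esp,
                                             const uint8_t *context_image,
                                             const uint8_t *record, uint32_t nparams)
{
    user_frame_layout out = {0};
    /* UserStack1 = (Esp & ~CONTEXT_ROUND) - CONTEXT_ALIGNED_SIZE */
    out.context_addr = (esp & ~X86_CONTEXT_ROUND) - X86_CONTEXT_ALIGNED_SIZE;
    /* Length = (sizeof(EXCEPTION_RECORD) - (MAX - NumberParameters) * 4 + 3) & ~3:
     * only the parameters actually present are copied. */
    out.record_length = (X86_EXCEPTION_RECORD_SIZE
                         - (EXCEPTION_MAXIMUM_PARAMETERS - nparams) * 4u + 3u) & ~3u;
    out.record_addr = out.context_addr - out.record_length;
    out.new_esp = out.record_addr - 2u * 4u;   /* room for the two pushed arguments */

    /* Stands in for ProbeForWrite: does the whole frame fit in the stack? In the
     * kernel a guard-page hit surfaces as STATUS_STACK_OVERFLOW and the except
     * clause retries the dispatch with a stack-overflow record instead. */
    if (esp < s->base || esp > s->base + s->size || out.new_esp < s->base) {
        out.status = MODEL_STATUS_STACK_OVERFLOW;
        return out;
    }

    memcpy(stack_ptr(s, out.context_addr), context_image, X86_CONTEXT_SIZE);
    memcpy(stack_ptr(s, out.record_addr), record, out.record_length);
    /* The two arguments KiUserExceptionDispatch pops: [Esp] = &record,
     * [Esp+4] = &context, matching the two stores before KiEspToTrapFrame. */
    memcpy(stack_ptr(s, out.record_addr - 4u), &out.context_addr, 4u);
    memcpy(stack_ptr(s, out.record_addr - 8u), &out.record_addr, 4u);
    out.status = MODEL_STATUS_SUCCESS;
    return out;
}

/* Constructed access-violation record with the two parameters a page fault
 * carries: ExceptionInformation[0] = access type, [1] = faulting address. */
static void make_av_record(uint8_t *rec, uint32_t fault_va)
{
    uint32_t words[X86_EXCEPTION_RECORD_SIZE / 4u] = {0};
    words[0] = 0xC0000005u;  /* ExceptionCode = STATUS_ACCESS_VIOLATION */
    words[3] = 0x00401000u;  /* ExceptionAddress: constructed faulting EIP */
    words[4] = 2u;           /* NumberParameters */
    words[5] = 1u;           /* ExceptionInformation[0]: write access */
    words[6] = fault_va;     /* ExceptionInformation[1]: address accessed */
    memcpy(rec, words, sizeof words);
}

user_frame_layout demo_access_violation_frame(uint32_t esp)
{
    uint8_t record[X86_EXCEPTION_RECORD_SIZE], context[X86_CONTEXT_SIZE];
    memset(context, 0xAA, sizeof context);   /* stand-in for the CONTEXT image */
    make_av_record(record, 0x00000010u);      /* constructed: write near address 0 */
    memset(g_stack.buf, 0, sizeof g_stack.buf);
    return build_user_exception_frame(&g_stack, esp, context, record, 2u);
}

int main(void)
{
    user_frame_layout l = demo_access_violation_frame(0x0012FF80u);
    printf("status=%08x new_esp=%08x record=%08x (%u bytes) context=%08x\n",
           l.status, l.new_esp, l.record_addr, l.record_length, l.context_addr);
    return 0;
}
```

For an access violation (two parameters) only 28 of the 80 record bytes are copied, so the CONTEXT begins immediately after them; moving Esp down into the guard region makes the model report the stack-overflow path instead of writing anything.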
.text:0000000140070FEC 48 8B 44 03 10 mov rax, [rbx+rax+10h] .text:0000000140070FF1 48 89 42 10 mov [rdx+10h], rax .text:0000000140070FF5 48 83 64 24 28 00 and [rsp+1D0h+var_1A8], 0 .text:0000000140070FFB 48 8B 45 40 mov rax, [rbp+1A0h+var_160] .text:0000000140070FFF 48 89 44 24 20 mov [rsp+1D0h+BugCheckParameter4], rax .text:0000000140071004 45 8B CD mov r9d, r13d .text:0000000140071007 4C 8D 85 50 01 00 00 lea r8, [rbp+1A0h+var_50] .text:000000014007100E 48 8B 9D 90 00 00 00 mov rbx, [rbp+1A0h+var_110] .text:0000000140071015 48 8B D3 mov rdx, rbx .text:0000000140071018 B1 01 mov cl, 1 .text:000000014007101A E8 E9 95 03 00 call RtlpCopyExtendedContext .text:000000014007101A .text:000000014007101F 89 45 20 mov [rbp+1A0h+var_180], eax .text:0000000140071022 0F 10 85 50 01 00 00 movups xmm0, [rbp+1A0h+var_50] .text:0000000140071029 0F 11 03 movups xmmword ptr [rbx], xmm0 .text:000000014007102C F2 0F 10 8D 60 01 00 00 movsd xmm1, [rbp+1A0h+var_40] .text:0000000140071034 F2 0F 11 4B 10 movsd qword ptr [rbx+10h], xmm1 .text:0000000140071039 FA cli .text:000000014007103A 4C 89 BE 80 01 00 00 mov [rsi+180h], r15 .text:0000000140071041 B8 33 00 00 00 mov eax, 33h ; '3' .text:0000000140071046 66 89 86 70 01 00 00 mov [rsi+170h], ax .text:000000014007104D 48 8B 05 1C 46 35 00 mov rax, cs:KeUserExceptionDispatcher .text:0000000140071054 48 89 86 68 01 00 00 mov [rsi+168h], rax .text:000000014007105B 65 48 8B 04 25 88 01 00 00 mov rax, gs:188h .text:0000000140071064 48 8B 88 B8 00 00 00 mov rcx, [rax+0B8h] .text:000000014007106B 48 8B 91 C8 02 00 00 mov rdx, [rcx+2C8h] .text:0000000140071072 48 85 D2 test rdx, rdx .text:0000000140071075 75 25 jnz short loc_14007109C .text:0000000140071075 .text:0000000140071077 EB 35 jmp short loc_1400710AE .text:0000000140071077 .text:0000000140071079 ; --------------------------------------------------------------------------- .text:0000000140071079 .text:0000000140071079 loc_140071079: ; CODE XREF: KiDispatchException+329↑j 
.text:0000000140071079 E8 AE F3 67 00 call ExRaiseDatatypeMisalignment .text:0000000140071079 .text:000000014007107E ; --------------------------------------------------------------------------- .text:000000014007107E .text:000000014007107E loc_14007107E: ; CODE XREF: KiDispatchException+31F↑j .text:000000014007107E 41 B8 10 00 00 00 mov r8d, 10h ; Alignment .text:0000000140071084 48 8B D1 mov rdx, rcx ; Length .text:0000000140071087 49 8B CF mov rcx, r15 ; Address .text:000000014007108A E8 41 FB 3A 00 call ProbeForWrite .text:000000014007108A .text:000000014007108F 48 8B 4D 18 mov rcx, [rbp+1A0h+var_188] .text:0000000140071093 48 8B 55 08 mov rdx, [rbp+1A0h+var_198] .text:0000000140071097 E9 F5 FE FF FF jmp loc_140070F91 .text:0000000140071097 .text:000000014007109C ; --------------------------------------------------------------------------- .text:000000014007109C .text:000000014007109C loc_14007109C: ; CODE XREF: KiDispatchException+441↑j .text:000000014007109C 48 8B 86 68 01 00 00 mov rax, [rsi+168h] .text:00000001400710A3 48 89 46 58 mov [rsi+58h], rax .text:00000001400710A7 48 89 96 68 01 00 00 mov [rsi+168h], rdx .text:00000001400710A7 .text:00000001400710AE .text:00000001400710AE loc_1400710AE: ; CODE XREF: KiDispatchException+443↑j .text:00000001400710AE FB sti .text:00000001400710AF E9 A5 00 00 00 jmp loc_140071159 .text:00000001400710AF ; } // starts at 140070EA6 .text:00000001400710AF .text:00000001400710B4 ; --------------------------------------------------------------------------- .text:00000001400710B4 .text:00000001400710B4 loc_1400710B4: ; DATA XREF: .rdata:00000001402ACC8C↓o .text:00000001400710B4 ; __except(loc_14015BC0C) // owned by 140070EA6 .text:00000001400710B4 48 8B 5D 30 mov rbx, [rbp+1A0h+var_170] .text:00000001400710B8 48 8B 75 58 mov rsi, [rbp+1A0h+var_148] .text:00000001400710BC 81 BD B0 00 00 00 FD 00 00 C0 cmp [rbp+1A0h+var_F0], 0C00000FDh .text:00000001400710C6 75 7D jnz short loc_140071145 .text:00000001400710C6 
.text:00000001400710C8 48 8B 43 10 mov rax, [rbx+10h] .text:00000001400710CC 48 89 85 C0 00 00 00 mov [rbp+1A0h+var_E0], rax .text:00000001400710D3 48 8D 85 B0 00 00 00 lea rax, [rbp+1A0h+var_F0] .text:00000001400710DA 0F 10 00 movups xmm0, xmmword ptr [rax] .text:00000001400710DD 0F 11 03 movups xmmword ptr [rbx], xmm0 .text:00000001400710E0 0F 10 48 10 movups xmm1, xmmword ptr [rax+10h] .text:00000001400710E4 0F 11 4B 10 movups xmmword ptr [rbx+10h], xmm1 .text:00000001400710E8 0F 10 40 20 movups xmm0, xmmword ptr [rax+20h] .text:00000001400710EC 0F 11 43 20 movups xmmword ptr [rbx+20h], xmm0 .text:00000001400710F0 0F 10 48 30 movups xmm1, xmmword ptr [rax+30h] .text:00000001400710F4 0F 11 4B 30 movups xmmword ptr [rbx+30h], xmm1 .text:00000001400710F8 0F 10 40 40 movups xmm0, xmmword ptr [rax+40h] .text:00000001400710FC 0F 11 43 40 movups xmmword ptr [rbx+40h], xmm0 .text:0000000140071100 0F 10 48 50 movups xmm1, xmmword ptr [rax+50h] .text:0000000140071104 0F 11 4B 50 movups xmmword ptr [rbx+50h], xmm1 .text:0000000140071108 0F 10 40 60 movups xmm0, xmmword ptr [rax+60h] .text:000000014007110C 0F 11 43 60 movups xmmword ptr [rbx+60h], xmm0 .text:0000000140071110 0F 10 48 70 movups xmm1, xmmword ptr [rax+70h] .text:0000000140071114 0F 11 4B 70 movups xmmword ptr [rbx+70h], xmm1 .text:0000000140071118 0F 10 80 80 00 00 00 movups xmm0, xmmword ptr [rax+80h] .text:000000014007111F 0F 11 83 80 00 00 00 movups xmmword ptr [rbx+80h], xmm0 .text:0000000140071126 48 8B 80 90 00 00 00 mov rax, [rax+90h] .text:000000014007112D 48 89 83 90 00 00 00 mov [rbx+90h], rax .text:0000000140071134 44 8B 6D 10 mov r13d, [rbp+1A0h+var_190] .text:0000000140071138 4C 8B 75 68 mov r14, [rbp+1A0h+var_138] .text:000000014007113C 4C 8B 65 38 mov r12, [rbp+1A0h+var_168] .text:0000000140071140 E9 60 FD FF FF jmp loc_140070EA5 .text:0000000140071140 .text:0000000140071145 ; --------------------------------------------------------------------------- .text:0000000140071145 
.text:0000000140071145 loc_140071145: ; CODE XREF: KiDispatchException+492↑j .text:0000000140071145 4C 8B 75 70 mov r14, [rbp+1A0h+var_130] .text:0000000140071149 4C 8B A5 80 00 00 00 mov r12, [rbp+1A0h+var_120] .text:0000000140071150 44 8A 7D 00 mov r15b, byte ptr [rbp+1A0h+var_1A0] .text:0000000140071154 E9 83 00 00 00 jmp loc_1400711DC .text:0000000140071154 .text:0000000140071159 ; --------------------------------------------------------------------------- .text:0000000140071159 .text:0000000140071159 loc_140071159: ; CODE XREF: KiDispatchException+241↑j .text:0000000140071159 ; KiDispatchException+47B↑j .text:0000000140071159 ; KiDispatchException+5A2↓j .text:0000000140071159 ; KiDispatchException+5B8↓j .text:0000000140071159 ; KiDispatchException+5DB↓j .text:0000000140071159 ; KiDispatchException+5EC↓j .text:0000000140071159 ; KiDispatchException+1166F6↓j .text:0000000140071159 ; KiDispatchException+116761↓j .text:0000000140071159 ; KiDispatchException+1167C5↓j .text:0000000140071159 ; KiDispatchException+1167EF↓j .text:0000000140071159 48 8B 8D 68 01 00 00 mov rcx, [rbp+1A0h+var_38] .text:0000000140071160 48 33 CD xor rcx, rbp ; StackCookie .text:0000000140071163 E8 48 AD 0C 00 call __security_check_cookie .text:0000000140071163 .text:0000000140071168 48 8D A5 70 01 00 00 lea rsp, [rbp+170h] .text:000000014007116F 41 5F pop r15 .text:0000000140071171 41 5E pop r14 .text:0000000140071173 41 5D pop r13 .text:0000000140071175 41 5C pop r12 .text:0000000140071177 5E pop rsi .text:0000000140071178 5B pop rbx .text:0000000140071179 5D pop rbp .text:000000014007117A C3 retn .text:000000014007117A .text:000000014007117B ; --------------------------------------------------------------------------- .text:000000014007117B .text:000000014007117B loc_14007117B: ; CODE XREF: KiDispatchException+75↑j .text:000000014007117B 48 8B 05 A6 40 35 00 mov rax, cs:KeFeatureBits .text:0000000140071182 25 00 00 80 00 and eax, 800000h .text:0000000140071187 B9 5F 00 10 00 mov ecx, 
10005Fh .text:000000014007118C 48 85 C0 test rax, rax .text:000000014007118F 44 0F 45 E9 cmovnz r13d, ecx .text:0000000140071193 44 89 6D 10 mov [rbp+1A0h+var_190], r13d .text:0000000140071197 E9 13 FB FF FF jmp loc_140070CAF .text:0000000140071197 .text:000000014007119C ; --------------------------------------------------------------------------- .text:000000014007119C .text:000000014007119C loc_14007119C: ; CODE XREF: KiDispatchException+E4↑j .text:000000014007119C 48 8B 45 08 mov rax, [rbp+1A0h+var_198] .text:00000001400711A0 48 83 B8 F0 06 00 00 00 cmp qword ptr [rax+6F0h], 0 .text:00000001400711A8 0F 84 70 FB FF FF jz loc_140070D1E .text:00000001400711A8 .text:00000001400711AE E9 5B 61 11 00 jmp loc_14018730E .text:00000001400711AE .text:00000001400711B3 ; --------------------------------------------------------------------------- .text:00000001400711B3 .text:00000001400711B3 loc_1400711B3: ; CODE XREF: KiDispatchException+DB↑j .text:00000001400711B3 49 FF 8E F8 00 00 00 dec qword ptr [r14+0F8h] .text:00000001400711BA E9 56 FB FF FF jmp loc_140070D15 .text:00000001400711BA .text:00000001400711BF ; --------------------------------------------------------------------------- .text:00000001400711BF .text:00000001400711BF loc_1400711BF: ; CODE XREF: KiDispatchException+FA↑j .text:00000001400711BF ; KiDispatchException+133↑j .text:00000001400711BF ; KiDispatchException+14C↑j .text:00000001400711BF ; KiDispatchException+22C↑j .text:00000001400711BF ; KiDispatchException+116722↓j .text:00000001400711BF 44 88 7C 24 20 mov byte ptr [rsp+1D0h+BugCheckParameter4], r15b .text:00000001400711C4 45 8B 4E 30 mov r9d, [r14+30h] .text:00000001400711C8 4D 8B C6 mov r8, r14 .text:00000001400711CB 49 8B D4 mov rdx, r12 .text:00000001400711CE 48 8B CE mov rcx, rsi .text:00000001400711D1 E8 7A BB 0D 00 call KeContextToKframes .text:00000001400711D1 .text:00000001400711D6 EB 81 jmp short loc_140071159 .text:00000001400711D6 .text:00000001400711D8 ; 
--------------------------------------------------------------------------- .text:00000001400711D8 .text:00000001400711D8 loc_1400711D8: ; CODE XREF: KiDispatchException+1D1↑j .text:00000001400711D8 4C 8B 75 08 mov r14, [rbp+1A0h+var_198] .text:00000001400711D8 .text:00000001400711DC .text:00000001400711DC loc_1400711DC: ; CODE XREF: KiDispatchException+520↑j .text:00000001400711DC 41 B0 01 mov r8b, 1 .text:00000001400711DF 41 8A D0 mov dl, r8b .text:00000001400711E2 48 8B CB mov rcx, rbx .text:00000001400711E5 E8 EA 57 4B 00 call DbgkForwardException .text:00000001400711E5 .text:00000001400711EA 84 C0 test al, al .text:00000001400711EC 0F 85 67 FF FF FF jnz loc_140071159 .text:00000001400711EC .text:00000001400711F2 49 83 BE F0 06 00 00 00 cmp qword ptr [r14+6F0h], 0 .text:00000001400711FA 0F 85 04 62 11 00 jnz loc_140187404 .text:00000001400711FA .text:0000000140071200 .text:0000000140071200 loc_140071200: ; CODE XREF: KiDispatchException+1167F5↓j .text:0000000140071200 41 B0 01 mov r8b, 1 .text:0000000140071203 33 D2 xor edx, edx .text:0000000140071205 48 8B CB mov rcx, rbx .text:0000000140071208 E8 C7 57 4B 00 call DbgkForwardException .text:0000000140071208 .text:000000014007120D 84 C0 test al, al .text:000000014007120F 0F 85 44 FF FF FF jnz loc_140071159 .text:000000014007120F .text:0000000140071215 8B 13 mov edx, [rbx] ; ExitStatus .text:0000000140071217 48 83 C9 FF or rcx, 0FFFFFFFFFFFFFFFFh ; ProcessHandle .text:000000014007121B E8 40 88 0D 00 call ZwTerminateProcess .text:000000014007121B .text:0000000140071220 E9 34 FF FF FF jmp loc_140071159 .text:0000000140071220 ; } // starts at 140070C34 .text:0000000140071220 .text:0000000140071220 KiDispatchException endp .text:0000000140071220 .text:0000000140071220 ; --------------------------------------------------------------------------- .text:0000000140071225 algn_140071225: ; DATA XREF: .rdata:00000001402ACCA4↓o .text:0000000140071225 ; .pdata:000000014037BF38↓o .text:0000000140071225 CC CC CC align 8 
.text:0000000140071228 .text:0000000140071228 ; =============== S U B R O U T I N E ======================================= .text:0000000140071228 .text:0000000140071228 .text:0000000140071228 ; __int64 __fastcall KiPreprocessFault(int, int) .text:0000000140071228 KiPreprocessFault proc near ; CODE XREF: KiDispatchException+F3↑p分析每段函数和这个函数的执行流程和作用
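The user-mode branch in the listing above does not trust the user stack pointer it is about to write the exception record and context to: before the `movups` copy loop it runs an inline probe (`lea rax,[rcx-1]; cmp rax,0FFEh; ja loc_14007107E`, `test r15b,0Fh; jnz loc_140071079`, `cmp r15,cs:MmUserProbeAddress; cmovnb r15,cs:MmUserProbeAddress`, then a read/write of the first and last byte), and hands anything longer than 0xFFF bytes to `ProbeForWrite` with 16-byte alignment. A fault on the touch lands in the `__except` block at `loc_1400710B4`. The following is an added example, not code from the page or from the Windows kernel: a host-side C model of that decision logic, so the three outcomes (misalignment, kernel-range address, full probe) can be exercised without a kernel. `MODEL_USER_PROBE_ADDRESS`, `model_probe_for_write` and `model_user_stack_probe` are constructed names; the `ProbeForWrite` model follows the documented contract (zero length accepted, misalignment raised, region must end at or below `MmUserProbeAddress`) rather than the kernel's exact code.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Constructed stand-in for the kernel's MmUserProbeAddress. The x64 value is
 * 0x7FFFFFFF0000; all that matters here is its role as the first address that
 * is never user-accessible (the page there is deliberately unmapped). */
#define MODEL_USER_PROBE_ADDRESS 0x00007FFFFFFF0000ULL

enum probe_result {
    PROBE_OK_INLINE = 0,       /* length <= 0xFFF, 16-aligned, below probe address: first/last byte touched inline */
    PROBE_OK_FULL = 1,         /* longer region: handed to ProbeForWrite(Address, Length, 16) */
    PROBE_MISALIGNED = 2,      /* ExRaiseDatatypeMisalignment / STATUS_DATATYPE_MISALIGNMENT */
    PROBE_ACCESS_VIOLATION = 3 /* kernel-range address: the touch is redirected to MmUserProbeAddress and faults */
};

/* Model of ProbeForWrite(Address, Length, Alignment) (assumption: documented
 * contract, not the kernel's code): zero length is accepted, misalignment is
 * raised before any range check, and the region must end at or below
 * MmUserProbeAddress, with address+length wrap-around rejected as well. */
static enum probe_result model_probe_for_write(uint64_t address, uint64_t length, uint64_t alignment)
{
    if (length == 0)
        return PROBE_OK_FULL;
    if (address & (alignment - 1))
        return PROBE_MISALIGNED;
    if (address + length < address || address + length > MODEL_USER_PROBE_ADDRESS)
        return PROBE_ACCESS_VIOLATION;
    return PROBE_OK_FULL;
}

/* The inline fast path from the listing, instruction by instruction:
 *   lea rax,[rcx-1] ; cmp rax,0FFEh ; ja loc_14007107E
 *       -> unsigned compare, so length > 0xFFF (and length 0, which wraps) go to ProbeForWrite
 *   test r15b,0Fh ; jnz loc_140071079
 *       -> 16-byte misalignment raises STATUS_DATATYPE_MISALIGNMENT
 *   cmp r15,MmUserProbeAddress ; cmovnb r15,MmUserProbeAddress
 *       -> a kernel-range pointer is replaced by the guard address, so the touch below must fault
 *   mov al,[r15] ; mov [r15],al ; mov al,[r15+rcx-1] ; mov [r15+rcx-1],al
 *       -> first and last byte read and written back; an unmapped user page faults into the __except */
enum probe_result model_user_stack_probe(uint64_t address, uint64_t length)
{
    if (length - 1 > 0xFFEULL)
        return model_probe_for_write(address, length, 16);
    if (address & 0xF)
        return PROBE_MISALIGNED;
    if (address >= MODEL_USER_PROBE_ADDRESS)
        return PROBE_ACCESS_VIOLATION;
    /* here the kernel touches [address] and [address+length-1]; a fault on an
     * unmapped user page is handled by the __except block rather than crashing */
    return PROBE_OK_INLINE;
}

int main(void)
{
    static const char *const names[] = { "inline ok", "ProbeForWrite ok", "misaligned", "access violation" };
    /* constructed sample inputs: 0x4D0 is the region size the listing uses (lea r15,[r8-4D0h]) */
    const struct { uint64_t addr, len; } cases[] = {
        { 0x0000000000010000ULL, 0x4D0ULL },
        { 0x0000000000010008ULL, 0x4D0ULL },
        { 0xFFFF800000001000ULL, 0x4D0ULL },
        { 0x0000000000010000ULL, 0x2000ULL },
        { 0x00007FFFFFFEF000ULL, 0x2000ULL },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("addr=%#018" PRIx64 " len=%#6" PRIx64 " -> %s\n",
               cases[i].addr, cases[i].len, names[model_user_stack_probe(cases[i].addr, cases[i].len)]);
    return 0;
}
```

The point of the model is the order of checks: the length decides fast path versus `ProbeForWrite` first, alignment is rejected before the address range is looked at, and a kernel address is never dereferenced as-is but redirected to the guard page, which is what turns an attacker-chosen stack pointer into a harmless fault instead of a kernel write.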