Windows SEH学习 x86

      windows 提供的异常处理机制实际上只是一个简单的框架。我们通常所用的异常处理(比如 C++ 的 throw、try、catch)都是编译器在系统提供的异常处理机制上进行加工了的增强版本。这里先抛开增强版的不提,先说原始版本。
     原始版本的机制很简单:谁都可以触发异常,谁都可以处理异常(只要它能看得见)。但是不管是触发还是处理都得先注册。系统把这些注册信息保存在一个链表里,并且这个链表保存在线程的数据结构里。也就是说,异常所涉及的一些行为都是线程相关的。比如,线程 T1 触发的异常就只能由线程 T1 来处理,其他线程根本就不知道 T1 发生了什么事,更不会处理。等注册完毕后,线程就可以抛出或处理异常了,系统也可以做相应的管理工作了。
系统提供的管理工作简单来说包括(但不限于):找到触发异常的线程的异常处理链表(前面注册的那个),然后按照规则对该异常进行分发,根据分发后的处理结果再进行下一步的分发或者结束处理。
     系统管理所使用的数据结构:

  #define EXCEPTION_CHAIN_END ((struct _EXCEPTION_REGISTRATION_RECORD * POINTER_32)-1)

    typedef enum _EXCEPTION_DISPOSITION {
        ExceptionContinueExecution,  
        ExceptionContinueSearch,
        ExceptionNestedException,
        ExceptionCollidedUnwind
    } EXCEPTION_DISPOSITION;

    typedef struct _EXCEPTION_RECORD {
        DWORD ExceptionCode;
        DWORD ExceptionFlags;
        struct _EXCEPTION_RECORD *ExceptionRecord; 
        PVOID ExceptionAddress;
        DWORD NumberParameters;
        ULONG_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
    } EXCEPTION_RECORD;

    typedef EXCEPTION_RECORD *PEXCEPTION_RECORD;

    typedef
    EXCEPTION_DISPOSITION
    (*PEXCEPTION_ROUTINE) (
        IN struct _EXCEPTION_RECORD *ExceptionRecord,
        IN PVOID EstablisherFrame,
        IN OUT struct _CONTEXT *ContextRecord,
        IN OUT PVOID DispatcherContext
        );

    typedef struct _EXCEPTION_REGISTRATION_RECORD {
        //指向下一个 EXCEPTION_REGISTRATION_RECORD,由此构成一个异常注册信息链表。
        //链表中的最后一个结点会将 Next 置为 EXCEPTION_CHAIN_END,表示链表到此结束。
        struct _EXCEPTION_REGISTRATION_RECORD *Next;
        PEXCEPTION_ROUTINE Handler;  //指向异常处理函数
    } EXCEPTION_REGISTRATION_RECORD;

    typedef EXCEPTION_REGISTRATION_RECORD *PEXCEPTION_REGISTRATION_RECORD;

       当接收到异常后,系统找到当前线程的异常链表,从链表中的第一个结点开始遍历,找到一个 EXCEPTION_REGISTRATION_RECORD 就调用它的 Handler,并把该异常(类型为 EXCEPTION_RECORD 的参数)表示传递给该 Handler,Handler 处理并返回一个类型为 EXCEPTION_DISPOSITION 的枚举值。该返回值指示系统下一步该做什么:
  ExceptionContinueExecution 表示:已经处理了异常,回到异常触发点继续执行。
  ExceptionContinueSearch 表示:没有处理异常,继续遍历异常链表。
  ExceptionCollidedUnwind 表示在展开过程中再次触发异常。

   ExceptionNestedException这里先不做解释

  这样系统根据不同的返回值来继续遍历异常链表或者回到触发点继续执行。

内核模式异常处理:

 首先,CPU 执行的指令触发了异常,CPU 改执行 IDT 中 KiTrap??,KiTrap?? 会调用 KiDispatchException。

该函数原型如下:  功能如名字一样,分发异常

VOID   KiDispatchException (
      IN PEXCEPTION_RECORD ExceptionRecord,
      IN PKEXCEPTION_FRAME ExceptionFrame,
      IN PKTRAP_FRAME TrapFrame,
      IN KPROCESSOR_MODE PreviousMode,
      IN BOOLEAN FirstChance );
View Code

Wrk中关于KiDispatchException的源代码在后面贴出,基本流程就是:


检查 ExceptionRecord->ExceptionCode,
如果是 STATUS_BREAKPOINT,那么将 CONTEXT::Eip 减一;
如果是 KI_EXCEPTION_ACCESS_VIOLATION,那么将检查是否是由 AtlThunk 触发(这个小环节没有深究),
如果是触发 NX(不可执行),那么将 ExceptionRecord->ExceptionInformation [0] 置为 0(貌似表示触发操作的类型,0表示读、1表示写),MSDN有详细解释,推荐阅读
如果 PreviousMode 是 KernelMode,
         那么如果 FirstChance 为 TRUE,那么将该异常传达给内核调试器,如果内核调试器没有处理,那么调用 RtlDispatchException 进行处理。
         如果 FirstChance 为 FALSE,那么再次将该异常传达给内核调试器,如果内核调试器没有处理,那么 BUGCHECK。
如果 PreviousMode 是 UserMode,
        那么,如果 FirstChance 为 TRUE,那么将该异常传达给内核调试器,如果内核调试器没有处理,那么将异常传达给应用层调试器。
                     如果仍然没有处理,那么将 KTRAP_FRAME 和 EXCEPTION_RECORD 拷贝到 UserMode 的栈中,并设置 KTRAP_FRAME::Eip 设置为                               ntdll!KiUserExceptionDispatcher,返回(将该异常交由应用层异常处理程序进行处理)。
         如果 FirstChance 为 FALSE,那么再次将异常传达给应用层调试器,如果仍然没有处理,那么调用 ZwTerminateProcess 结束进程,并 BUGCHECK。

VOID
KiDispatchException (
    IN PEXCEPTION_RECORD ExceptionRecord,
    IN PKEXCEPTION_FRAME ExceptionFrame,
    IN PKTRAP_FRAME TrapFrame,
    IN KPROCESSOR_MODE PreviousMode,
    IN BOOLEAN FirstChance
    )

/*++

Routine Description:

    This function is called to dispatch an exception to the proper mode and
    to cause the exception dispatcher to be called. If the previous mode is
    kernel, then the exception dispatcher is called directly to process the
    exception. Otherwise the exception record, exception frame, and trap
    frame contents are copied to the user mode stack. The contents of the
    exception frame and trap are then modified such that when control is
    returned, execution will commense in user mode in a routine which will
    call the exception dispatcher.

Arguments:

    ExceptionRecord - Supplies a pointer to an exception record.

    ExceptionFrame - Supplies a pointer to an exception frame. For NT386,
        this should be NULL.

    TrapFrame - Supplies a pointer to a trap frame.

    PreviousMode - Supplies the previous processor mode.

    FirstChance - Supplies a boolean value that specifies whether this is
        the first (TRUE) or second (FALSE) chance for the exception.

Return Value:

    None.

--*/

{

    CONTEXT ContextRecord;
    BOOLEAN DebugService;
    EXCEPTION_RECORD ExceptionRecord1;
    BOOLEAN ExceptionWasForwarded = FALSE;
    ULONG64 FaultingRsp;
    PMACHINE_FRAME MachineFrame;
    ULONG64 UserStack1;
    ULONG64 UserStack2;

    //
    // Move machine state from trap and exception frames to a context frame
    // and increment the number of exceptions dispatched.
    //

    KeGetCurrentPrcb()->KeExceptionDispatchCount += 1;
    ContextRecord.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS | CONTEXT_SEGMENTS;
    //在当前栈中分配一个 CONTEXT,调用 KeContextFromKframes 初始化它
    KeContextFromKframes(TrapFrame, ExceptionFrame, &ContextRecord);

    //
    // If the exception is a break point, then convert the break point to a
    // fault.
    //

    if (ExceptionRecord->ExceptionCode == STATUS_BREAKPOINT) {
        ContextRecord.Rip -= 1;
    }

    //
    // If the exception is an internal general protect fault, invalid opcode,
    // or integer divide by zero, then attempt to resolve the problem without
    // actually raising an exception.
    // 

    if (KiPreprocessFault(ExceptionRecord,
                          TrapFrame,
                          &ContextRecord,
                          PreviousMode) != FALSE) {

        goto Handled1;
    }

    //
    // Select the method of handling the exception based on the previous mode.
    //

    if (PreviousMode == KernelMode) {

        //
        // Previous mode was kernel.
        //
        // If the kernel debugger is active, then give the kernel debugger
        // the first chance to handle the exception. If the kernel debugger
        // handles the exception, then continue execution. Otherwise, attempt
        // to dispatch the exception to a frame based handler. If a frame
        // based handler handles the exception, then continue execution.
        //
        // If a frame based handler does not handle the exception, give the
        // kernel debugger a second chance, if it's present.
        //
        // If the exception is still unhandled call bugcheck.
        //

        if (FirstChance != FALSE) {
            if ((KiDebugRoutine)(TrapFrame,  //内核调试器处理  KdpTrap   KdpStub
                                 ExceptionFrame,
                                 ExceptionRecord,
                                 &ContextRecord,
                                 PreviousMode,
                                 FALSE) != FALSE) {

                goto Handled1;
            }

            //
            // Kernel debugger didn't handle exception.
            //
            // If interrupts are disabled, then bugcheck.
            //

            if (RtlDispatchException(ExceptionRecord, &ContextRecord) != FALSE) {
                goto Handled1;
            }
        }

        //
        // This is the second chance to handle the exception.
        //

        if ((KiDebugRoutine)(TrapFrame,
                             ExceptionFrame,
                             ExceptionRecord,
                             &ContextRecord,
                             PreviousMode,
                             TRUE) != FALSE) {

            goto Handled1;
        }
        //蓝屏
        KeBugCheckEx(KMODE_EXCEPTION_NOT_HANDLED,
                     ExceptionRecord->ExceptionCode,
                     (ULONG64)ExceptionRecord->ExceptionAddress,
                     ExceptionRecord->ExceptionInformation[0],
                     ExceptionRecord->ExceptionInformation[1]);

    } else {  //UserMode

        //
        // Previous mode was user.
        //
        // If this is the first chance and the current process has a debugger
        // port, then send a message to the debugger port and wait for a reply.
        // If the debugger handles the exception, then continue execution. Else
        // transfer the exception information to the user stack, transition to
        // user mode, and attempt to dispatch the exception to a frame based
        // handler. If a frame based handler handles the exception, then continue
        // execution with the continue system service. Else execute the
        // NtRaiseException system service with FirstChance == FALSE, which
        // will call this routine a second time to process the exception.
        //
        // If this is the second chance and the current process has a debugger
        // port, then send a message to the debugger port and wait for a reply.
        // If the debugger handles the exception, then continue execution. Else
        // if the current process has a subsystem port, then send a message to
        // the subsystem port and wait for a reply. If the subsystem handles the
        // exception, then continue execution. Else terminate the process.
        //
        // If the current process is a wow64 process, an alignment fault has
        // occurred, and the AC bit is set in EFLAGS, then clear AC in EFLAGS
        // and continue execution. Otherwise, attempt to resolve the exception.
        //

        if ((PsGetCurrentProcess()->Wow64Process != NULL) &&
            (ExceptionRecord->ExceptionCode == STATUS_DATATYPE_MISALIGNMENT) &&
            ((TrapFrame->EFlags & EFLAGS_AC_MASK) != 0)) {

            TrapFrame->EFlags &= ~EFLAGS_AC_MASK;
            goto Handled2;
        }

        //
        // If the exception happened while executing 32-bit code, then convert
        // the exception to a wow64 exception. These codes are translated later
        // by wow64.
        //

        if ((ContextRecord.SegCs & 0xfff8) == KGDT64_R3_CMCODE) {
            
            switch (ExceptionRecord->ExceptionCode) {
            case STATUS_BREAKPOINT:
                ExceptionRecord->ExceptionCode = STATUS_WX86_BREAKPOINT;
                break;

            case STATUS_SINGLE_STEP:
                ExceptionRecord->ExceptionCode = STATUS_WX86_SINGLE_STEP;
                break;
            }

            //
            // Clear the upper 32-bits of the stack address and 16-byte
            // align the stack address.
            //

            FaultingRsp = (ContextRecord.Rsp & 0xfffffff0UI64);

        } else {
            FaultingRsp = ContextRecord.Rsp;
        }

        if (FirstChance == TRUE) {

            //
            // This is the first chance to handle the exception.
            //
            // If the current processor is not being debugged and user mode
            // exceptions are not being ignored, or this is a debug service,
            // then attempt to handle the exception via the kernel debugger.
            //


            DebugService = KdIsThisAKdTrap(ExceptionRecord,
                                           &ContextRecord,
                                           UserMode);

            if (((PsGetCurrentProcess()->DebugPort == NULL) &&
                 (KdIgnoreUmExceptions == FALSE)) ||
                (DebugService == TRUE)) {

                //
                // Attempt to handle the exception with the kernel debugger.
                //

                if ((KiDebugRoutine)(TrapFrame,
                                     ExceptionFrame,
                                     ExceptionRecord,
                                     &ContextRecord,
                                     PreviousMode,
                                     FALSE) != FALSE) {

                    goto Handled1;
                }
            }

            if ((ExceptionWasForwarded == FALSE) &&
                (DbgkForwardException(ExceptionRecord, TRUE, FALSE))) {

                goto Handled2;
            }

            //
            // Clear the trace flag in the trap frame so a spurious trace
            // trap is guaranteed not to occur in the trampoline code.
            //
    
            TrapFrame->EFlags &= ~EFLAGS_TF_MASK;

            //
            // Transfer exception information to the user stack, transition
            // to user mode, and attempt to dispatch the exception to a frame
            // based handler.
            //

            ExceptionRecord1.ExceptionCode = STATUS_ACCESS_VIOLATION;

        repeat:
            try {

                //
                // Compute address of aligned machine frame, compute address
                // of exception record, compute address of context record,
                // and probe user stack for writeability.
                //

                MachineFrame =
                    (PMACHINE_FRAME)((FaultingRsp - sizeof(MACHINE_FRAME)) & ~STACK_ROUND);

                UserStack1 = (ULONG64)MachineFrame - EXCEPTION_RECORD_LENGTH;
                UserStack2 = UserStack1 - CONTEXT_LENGTH;
                ProbeForWriteSmallStructure((PVOID)UserStack2,
                                            sizeof(MACHINE_FRAME) + EXCEPTION_RECORD_LENGTH + CONTEXT_LENGTH,
                                            STACK_ALIGN);

                //
                // Fill in machine frame information.
                //

                MachineFrame->Rsp = FaultingRsp;
                MachineFrame->Rip = ContextRecord.Rip;

                //
                // Copy exception record to the user stack.
                //

                *(PEXCEPTION_RECORD)UserStack1 = *ExceptionRecord;

                //
                // Copy context record to the user stack.
                //

                *(PCONTEXT)UserStack2 = ContextRecord;

                //
                // Set the address of the new stack pointer in the current
                // trap frame.
                //

                TrapFrame->Rsp = UserStack2;

                //
                // Set the user mode 64-bit code selector.
                //

                TrapFrame->SegCs = KGDT64_R3_CODE | RPL_MASK;

                //
                // Set the address of the exception routine that will call the
                // exception dispatcher and then return to the trap handler.
                // The trap handler will restore the exception and trap frame
                // context and continue execution in the routine that will
                // call the exception dispatcher.
                //

                TrapFrame->Rip = (ULONG64)KeUserExceptionDispatcher;
                return;

            } except (KiCopyInformation(&ExceptionRecord1,
                        (GetExceptionInformation())->ExceptionRecord)) {

                //
                // If the exception is a stack overflow, then attempt to
                // raise the stack overflow exception. Otherwise, the user's
                // stack is not accessible, or is misaligned, and second
                // chance processing is performed.
                //

                if (ExceptionRecord1.ExceptionCode == STATUS_STACK_OVERFLOW) {
                    ExceptionRecord1.ExceptionAddress = ExceptionRecord->ExceptionAddress;
                    *ExceptionRecord = ExceptionRecord1;

                    goto repeat;
                }
            }
        }

        //
        // This is the second chance to handle the exception.
        //

        if (DbgkForwardException(ExceptionRecord, TRUE, TRUE)) {
            goto Handled2;

        } else if (DbgkForwardException(ExceptionRecord, FALSE, TRUE)) {
            goto Handled2;

        } else {
            ZwTerminateProcess(NtCurrentProcess(), ExceptionRecord->ExceptionCode);
            KeBugCheckEx(KMODE_EXCEPTION_NOT_HANDLED,
                         ExceptionRecord->ExceptionCode,
                         (ULONG64)ExceptionRecord->ExceptionAddress,
                         ExceptionRecord->ExceptionInformation[0],
                         ExceptionRecord->ExceptionInformation[1]);
        }
    }

    //
    // Move machine state from context frame to trap and exception frames and
    // then return to continue execution with the restored state.
    //

Handled1:
    KeContextToKframes(TrapFrame,
                       ExceptionFrame,
                       &ContextRecord,
                       ContextRecord.ContextFlags,
                       PreviousMode);

    //
    // Exception was handled by the debugger or the associated subsystem
    // and state was modified, if necessary, using the get state and set
    // state capabilities. Therefore the context frame does not need to
    // be transferred to the trap and exception frames.
    //

Handled2:
    return;
}
KiDispatchException

我们主要关注KernelMode的异常处理情况,重点是RtlDispatchException的操作:

函数流程大致如下:

遍历当前线程的异常链表,挨个调用 RtlpExecuteHandlerForException,RtlpExecuteHandlerForException 会调用异常处理函数。再根据返回值做出不同的处理:

对于 ExceptionContinueExecution,结束遍历,返回。(对于标记为‘EXCEPTION_NONCONTINUABLE’的异常,会调用 RtlRaiseException。)
对于 ExceptionContinueSearch,继续遍历下一个结点;
对于 ExceptionNestedException,则从指定的新异常继续遍历;
只有正确处理 ExceptionContinueExecution 才会返回 TRUE,其他情况都返回 FALSE。

BOOLEAN
RtlDispatchException (
    IN PEXCEPTION_RECORD ExceptionRecord,
    IN PCONTEXT ContextRecord
    )

/*++

Routine Description:

    This function attempts to dispatch an exception to a call frame based
    handler by searching backwards through the stack based call frames. The
    search begins with the frame specified in the context record and continues
    backward until either a handler is found that handles the exception, the
    stack is found to be invalid (i.e., out of limits or unaligned), or the end
    of the call hierarchy is reached.

Arguments:

    ExceptionRecord - Supplies a pointer to an exception record.

    ContextRecord - Supplies a pointer to a context record.

Return Value:

    If the exception is handled by one of the frame based handlers, then
    a value of TRUE is returned. Otherwise a value of FALSE is returned.

--*/

{

    BOOLEAN Completion = FALSE;
    DISPATCHER_CONTEXT DispatcherContext;
    EXCEPTION_DISPOSITION Disposition;
    PEXCEPTION_REGISTRATION_RECORD RegistrationPointer;
    PEXCEPTION_REGISTRATION_RECORD NestedRegistration;
    ULONG HighAddress;
    ULONG HighLimit;
    ULONG LowLimit;
    EXCEPTION_RECORD ExceptionRecord1;
    ULONG Index;

    //
    // Get current stack limits.
    //

    RtlpGetStackLimits(&LowLimit, &HighLimit);

    //
    // Start with the frame specified by the context record and search
    // backwards through the call frame hierarchy attempting to find an
    // exception handler that will handler the exception.
    //

    RegistrationPointer = RtlpGetRegistrationHead();
    NestedRegistration = 0;

    while (RegistrationPointer != EXCEPTION_CHAIN_END) {

        //
        // If the call frame is not within the specified stack limits or the
        // call frame is unaligned, then set the stack invalid flag in the
        // exception record and return FALSE. Else check to determine if the
        // frame has an exception handler.
        //

        HighAddress = (ULONG)RegistrationPointer +
            sizeof(EXCEPTION_REGISTRATION_RECORD);

        if ( ((ULONG)RegistrationPointer < LowLimit) ||
             (HighAddress > HighLimit) ||
             (((ULONG)RegistrationPointer & 0x3) != 0) 
           ) {

            //
            // Allow for the possibility that the problem occured on the
            // DPC stack.
            //

            ULONG TestAddress = (ULONG)RegistrationPointer;

            if (((TestAddress & 0x3) == 0) &&
                KeGetCurrentIrql() >= DISPATCH_LEVEL) {

                PKPRCB Prcb = KeGetCurrentPrcb();
                ULONG DpcStack = (ULONG)Prcb->DpcStack;

                if ((Prcb->DpcRoutineActive) &&
                    (HighAddress <= DpcStack) &&
                    (TestAddress >= DpcStack - KERNEL_STACK_SIZE)) {

                    //
                    // This error occured on the DPC stack, switch
                    // stack limits to the DPC stack and restart
                    // the loop.
                    //

                    HighLimit = DpcStack;
                    LowLimit = DpcStack - KERNEL_STACK_SIZE;
                    continue;
                }
            }

            ExceptionRecord->ExceptionFlags |= EXCEPTION_STACK_INVALID;
            goto DispatchExit;
        }

        // See if the handler is reasonable

        if (!RtlIsValidHandler(RegistrationPointer->Handler)) {
            ExceptionRecord->ExceptionFlags |= EXCEPTION_STACK_INVALID;
            goto DispatchExit;
        }

        //
        // The handler must be executed by calling another routine
        // that is written in assembler. This is required because
        // up level addressing of the handler information is required
        // when a nested exception is encountered.
        //

        if (NtGlobalFlag & FLG_ENABLE_EXCEPTION_LOGGING) {
            Index = RtlpLogExceptionHandler(
                            ExceptionRecord,
                            ContextRecord,
                            0,
                            (PULONG)RegistrationPointer,
                            4 * sizeof(ULONG));
                    // can't use sizeof(EXCEPTION_REGISTRATION_RECORD
                    // because we need the 2 dwords above it.
        }

        Disposition = RtlpExecuteHandlerForException(
            ExceptionRecord,
            (PVOID)RegistrationPointer,
            ContextRecord,
            (PVOID)&DispatcherContext,
            (PEXCEPTION_ROUTINE)RegistrationPointer->Handler);

        if (NtGlobalFlag & FLG_ENABLE_EXCEPTION_LOGGING) {
            RtlpLogLastExceptionDisposition(Index, Disposition);
        }

        //
        // If the current scan is within a nested context and the frame
        // just examined is the end of the context region, then clear
        // the nested context frame and the nested exception in the
        // exception flags.
        //

        if (NestedRegistration == RegistrationPointer) {
            ExceptionRecord->ExceptionFlags &= (~EXCEPTION_NESTED_CALL);
            NestedRegistration = 0;
        }

        //
        // Case on the handler disposition.
        //

        switch (Disposition) {

            //
            // The disposition is to continue execution. If the
            // exception is not continuable, then raise the exception
            // STATUS_NONCONTINUABLE_EXCEPTION. Otherwise return
            // TRUE.
            //

        case ExceptionContinueExecution :
            if ((ExceptionRecord->ExceptionFlags &
               EXCEPTION_NONCONTINUABLE) != 0) {
                ExceptionRecord1.ExceptionCode =
                                        STATUS_NONCONTINUABLE_EXCEPTION;
                ExceptionRecord1.ExceptionFlags = EXCEPTION_NONCONTINUABLE;
                ExceptionRecord1.ExceptionRecord = ExceptionRecord;
                ExceptionRecord1.NumberParameters = 0;
                RtlRaiseException(&ExceptionRecord1);

            } else {
                Completion = TRUE;
                goto DispatchExit;
            }

            //
            // The disposition is to continue the search. If the frame isn't
            // suspect/corrupt, get next frame address and continue the search 
            //

        case ExceptionContinueSearch :
            if (ExceptionRecord->ExceptionFlags & EXCEPTION_STACK_INVALID)
                goto DispatchExit;

            break;

            //
            // The disposition is nested exception. Set the nested
            // context frame to the establisher frame address and set
            // nested exception in the exception flags.
            //

        case ExceptionNestedException :
            ExceptionRecord->ExceptionFlags |= EXCEPTION_NESTED_CALL;
            if (DispatcherContext.RegistrationPointer > NestedRegistration) {
                NestedRegistration = DispatcherContext.RegistrationPointer;
            }

            break;

            //
            // All other disposition values are invalid. Raise
            // invalid disposition exception.
            //

        default :
            ExceptionRecord1.ExceptionCode = STATUS_INVALID_DISPOSITION;
            ExceptionRecord1.ExceptionFlags = EXCEPTION_NONCONTINUABLE;
            ExceptionRecord1.ExceptionRecord = ExceptionRecord;
            ExceptionRecord1.NumberParameters = 0;
            RtlRaiseException(&ExceptionRecord1);
            break;
        }

        //
        // If chain goes in wrong direction or loops, report an
        // invalid exception stack, otherwise go on to the next one.
        //

        RegistrationPointer = RegistrationPointer->Next;
    }

    //
    // Call vectored continue handlers.
    //

DispatchExit:

    return Completion;
}
RtlDispatchException 源代码
EXCEPTION_DISPOSITION
RtlpExecuteHandlerForException (
    IN PEXCEPTION_RECORD ExceptionRecord,
    IN PVOID EstablisherFrame,
    IN OUT PCONTEXT ContextRecord,
    IN OUT PVOID DispatcherContext,
    IN PEXCEPTION_ROUTINE ExceptionRoutine
    );
RtlpExecuteHandlerForException

然后了解异常链表在线程中的位置

 kd> dt _ETHREAD
  ntdll!_ETHREAD
     +0x000 Tcb              : _KTHREAD


 kd> dt _KTHREAD
  ntdll!_KTHREAD
                ......
     +0x074 Teb              : Ptr32 Void

 kd> dt _TEB
  ntdll!_TEB
     +0x000 NtTib            : _NT_TIB


 kd> dt _NT_TIB
  ntdll!_NT_TIB
     +0x000 ExceptionList    : Ptr32 _EXCEPTION_REGISTRATION_RECORD  //异常处理链表
     +0x004 StackBase        : Ptr32 Void
     +0x008 StackLimit       : Ptr32 Void
     +0x00c SubSystemTib     : Ptr32 Void
     +0x010 FiberData        : Ptr32 Void
     +0x010 Version          : Uint4B
     +0x014 ArbitraryUserPointer : Ptr32 Void
     +0x018 Self             : Ptr32 _NT_TIB

系统根据FS寄存器来寻找异常处理链表,在应用层,FS 寄存器“指向”当前执行线程的 _TEB 结构体。

在内核层,FS 寄存器“指向”另一个跟 CPU 相关的结构体:_KPCR,来看看它的结构,

kd> dt _kpcr
nt!_KPCR
   +0x000 NtTib            : _NT_TIB
   +0x000 Used_ExceptionList : Ptr32 _EXCEPTION_REGISTRATION_RECORD
     ......省略

与 _TEB 一样,它的第一个域成员也是 _NT_TIB,只不过此时是 nt!_NT_TIB,而在应用层是 ntdll!_NT_TIB,但它们的结构是一样的。
这样,不论在应用层还是在内核层,系统都可以使用 FS:[0] 找到异常链表。

 

总结一下异常处理调用流程
硬件异常:
CPU 检测到异常 -> KiTrap?? -> KiDispatchException -> RtlDispatchException -> RtlpExecuteHandlerForException
软件异常:
RtlRaiseException -> RtlDispatchException -> RtlpExecuteHandlerForException

接下来看看RtlRaiseException 函数,大致流程就是:

首先调用 RtlDispatchException 分发异常,如果 RtlDispatchException 成功分发,有处理函数处理了这个异常,那么结束本函数。
 如果没有成功分发,那么调用 ZwRaiseException 再次触发该异常,这次传入的异常的 FirstChance 被置为 FALSE。

DECLSPEC_NOINLINE
VOID
RtlRaiseException (
    IN PEXCEPTION_RECORD ExceptionRecord
    )

/*++

Routine Description:

    This function raises a software exception by building a context record
    and calling the raise exception system service.

Arguments:

    ExceptionRecord - Supplies a pointer to an exception record.

Return Value:

    None.

--*/

{

    CONTEXT ContextRecord;
    ULONG64 ControlPc;
    ULONG64 EstablisherFrame;
    PRUNTIME_FUNCTION FunctionEntry;
    PVOID HandlerData;
    ULONG64 ImageBase;
    NTSTATUS Status = STATUS_INVALID_DISPOSITION;

    //
    // Capture the current context, unwind to the caller of this routine, set
    // the exception address, and call the appropriate exception dispatcher.
    //

    RtlCaptureContext(&ContextRecord);
    ControlPc = ContextRecord.Rip;
    FunctionEntry = RtlLookupFunctionEntry(ControlPc, &ImageBase, NULL);
    if (FunctionEntry != NULL) {
        RtlVirtualUnwind(UNW_FLAG_NHANDLER,
                         ImageBase,
                         ControlPc,
                         FunctionEntry,
                         &ContextRecord,
                         &HandlerData,
                         &EstablisherFrame,
                         NULL);

        ExceptionRecord->ExceptionAddress = (PVOID)ContextRecord.Rip;

        if (RtlDispatchException(ExceptionRecord, &ContextRecord) != FALSE) {
            return;
    
        }

        Status = ZwRaiseException(ExceptionRecord, &ContextRecord, FALSE);
    }

    //
    // There should never be a return from either exception dispatch or the
    // system service unless there is a problem with the argument list itself.
    // Raise another exception specifying the status value returned.
    //

    RtlRaiseStatus(Status);
    return;
}
RtlRaiseException

 

到这里,系统提供的 SEH 机制,大致完毕,我们可以回顾一下:
1. 系统的SEH的实现较简单,代码量不大,而且 wrk 基本上有所有关键函数的实现代码。
2. 系统的SEH的功能过于简单,实际过程中很难直接使用。整个异常处理过程无非就是遍历异常链表,挨个调用异常注册信息的处理函数,
    如果其中有某个处理函数处理了该异常(返回值为 ExceptionContinueExecution),
    那么就从异常触发点(如果是断点异常,则要回退一个字节的指令(int 3 指令本身))重新执行。
    否则不管是整个链表中没有找到合适的处理函数(返回值为 ExceptionContinueSearch),
    或者遍历过程中出现问题(返回值为 ExceptionNestedException),系统都会简单粗暴的 BUGCHECK。

那么问题来了:
线程运行过程中会调用很多个函数,每个函数都有可能注册异常处理,
它们提供的异常处理函数既可能处理该函数自身触发的异常,又可能需要处理其子孙函数触发的异常。
前者还好说,自己出了问题,多少还有可能自己修复。
而后者就很头疼了,它无法了解所有其调用的子孙函数内部的实现,要想修复子孙函数触发的异常,太困难了。
而一旦没有正确处理,或者没人处理,系统就崩掉,这个后果太严重。
于是实际上现实程序设计中,基本上没有直接使用系统的SEH机制,而是使用编译器提供的增强版本。

 

下面就学习编译器提供的增强版本。

 增强版中的结构体

    typedef struct _EXCEPTION_REGISTRATION PEXCEPTION_REGISTRATION;
    struct _EXCEPTION_REGISTRATION{
        PEXCEPTION_POINTERS xpointers;
        struct _EXCEPTION_REGISTRATION *prev;
        void (*handler)(PEXCEPTION_RECORD, PEXCEPTION_REGISTRATION, PCONTEXT, PEXCEPTION_RECORD);
        struct scopetable_entry *scopetable;    //类型为 scopetable_entry 的数组
        int trylevel;          //数组下标,用来索引 scopetable 中的数组成员。
        int _ebp;    //包含该 _EXCEPTION_REGISTRATION 结构体的函数的栈帧指针。
                     //对于没有 FPO 优化过的函数,一开头通常有个 push ebp 的操作,_ebp 的值就是被压入的 ebp 的值
    };

 

也就是说它沿用了系统SEH的注册信息结构,只是在域成员名称上做了些改动,把 Next 改名为 prev,把 Handler 改为 handler。

除此之外,在原始版本基础上增加了4个域成员(scopetable、trylevel、_ebp、xpointers),用来支持它的增强功能。

scopetable_entry
   +0x000 previousTryLevel : Uint4B
   +0x004 lpfnFilter       : Ptr32     int 
   +0x008 lpfnHandler      : Ptr32     int

 

按照原始版本的设计,每一对“触发异常-处理异常”都会有一个注册信息即 EXCEPTION_REGISTRATION_RECORD。
也就是说,如果按照原始的设计,每一个 __try/__except(__finally) 都应该对应一个 EXCEPTION_REGISTRATION。但是实际的 MSC(微软编译器,我用的VS2010)实现不是这样的。
真正的实现是:
每个使用 __try/__except(__finally) 的函数,不管其内部嵌套或反复使用多少 __try/__except(__finally),都只注册一遍,
即只将一个 EXCEPTION_REGISTRATION 挂入当前线程的异常链表中
(对于递归函数,每一次调用都会创建一个 EXCEPTION_REGISTRATION,并挂入线程的异常链表中,这是另外一回事)。


那如何处理函数内部出现的多个 __try/__except(__finally) 呢?
这多个 __except 代码块的功能可能大不相同,而注册信息 EXCEPTION_REGISTRATION 中只能提供一个处理函数 handler,怎么办?


MSC 的做法是,MSC 提供一个处理函数,即 EXCEPTION_REGISTRATION::handler 被设置为 MSC 的某个函数,而不是我们自己提供的 __except 代码块。
我们自己提供的多个 __except 块被存储在 EXCEPTION_REGISTRATION::scopetable 数组中。
我们看看上面的 scopetable_entry 定义,由于我没有找到它的定义代码,所以就贴了 windbg 中 dt 输出结果。
其中 scopetable_entry::lpfnHandler 就是程序猿提供的 __except 异常处理块代码。
而 lpfnFilter 就是 __except 的过滤块代码。对于 __finally 代码块,其 lpfnFilter 被置为 NULL,lpfnHandler 就是其包含的代码块。

下面,我们用一小段简单的伪代码来学习

 1    VOID SimpleSEH()
 2       {
 3          __try
 4            {   
 5            }   
 6          __except(ExceptionFilter_0(...))
 7           {   
 8               ExceptCodeBlock_0;
 9           }   
10 
11 
12         
13          __try
14           {
15               __try
16               {
              //假设触发异常
17               }
18               __except(ExceptionFilter_1(...))
19               {
20                  ExceptCodeBlock_1;
21               }
22           }   
23          __except(ExceptionFilter_2(...))
24           {   
25                 ExceptCodeBlock_2;
26           }   
27      }

编译时,编译器会为 SimpleSeh 分配一个 EXCEPTION_REGISTRATION 和一个拥有3个成员的 scopetable 数组,并将 EXCEPTION_REGISTRATION::scopetable 指向该数组(请留意:EXCEPTION_REGISTRATION::scopetable 只是一个指针,不是数组)。然后按照 __try 关键字出现的顺序,将对应的__except/__finally 都存入该数组,步骤如下:

  scopetable[0].lpfnFilter = ExceptionFilter_0;
  scopetable[0].lpfnHandler = ExceptCodeBlock_0;

  scopetable[1].lpfnFilter = ExceptionFilter_1;
  scopetable[1].lpfnHandler = ExceptCodeBlock_1;

  scopetable[2].lpfnFilter = ExceptionFilter_2;
  scopetable[2].lpfnHandler = ExceptCodeBlock_2;

我们假象当前开始执行 SimpleSEH 函数,在行16和17行之间触发了异常。
根据之前的流程:RtlRaiseException -> RtlDispatchException -> RtlpExecuteHandlerForException。
RtlpExecuteHandlerForException 会调用注册信息中的处理函数,即 EXCEPTION_REGISTRATION::handler。
该函数是由 MSC 提供的,内部会依次调用 scopetable 中的 lpfnHandler。
那咱们来模拟执行一下,在16和17行之前触发异常,那应该先从 scopetable[2] 的 ExceptionFilter_2 开始执行,
假设该函数返回 EXCEPTION_CONTINUE_SEARCH,那接下来应该是 scopetable[1];
假设 ExceptionFilter_1 也返回 EXCEPTION_CONTINUE_SEARCH;
那么接下来是不是就应该轮到 scopetable[0] 了?不是。
再看看上面的伪代码,行16和行17之间的代码并没处于第一个 __try/__except 的范围中,该异常轮不到 scopetable[0] 来处理。
那怎么办?
SimpleSEH 执行的过程中怎么知道到 scopetable[1] 就应该停止?

 

MSC 是通过 scopetable_entry::previousTryLevel 来解决这个问题的。上面数组的设置,完整的形式其实是这样:

  scopetable[0].previousTryLevel = TRYLEVEL_NONE;
  scopetable[0].lpfnFilter = ExceptionFilter_0;
  scopetable[0].lpfnHandler = ExceptCodeBlock_0;

  scopetable[1].previousTryLevel = TRYLEVEL_NONE;
  scopetable[1].lpfnFilter = ExceptionFilter_1;
  scopetable[1].lpfnHandler = ExceptCodeBlock_1;

  scopetable[2].previousTryLevel = 1;
  scopetable[2].lpfnFilter = ExceptionFilter_2;
  scopetable[2].lpfnHandler = ExceptCodeBlock_2;

scopetable_entry::previousTryLevel 包含的意思是“下一个该轮到数组下标为 previousTryLevel 的单元了”。

当 scopetable_entry::previousTryLevel 等于 TRYLEVEL_NONE(-1) 时,就会停止遍历 scopetable。

TRYLEVEL_NONE           equ     -1
TRYLEVEL_INVALID        equ     -2

咱再来模拟执行一遍,当14和15行之间触发异常时,首先遍历到 scopetable[2],处理完后,找到 scopetable[2].previousTryLevel,发现其值为1,那么遍历到 scopetable[1],处理完后,找到 scopetable[1].previousTryLevel,发现其值为 TRYLEVEL_NONE,于是停止遍历。
 好像挺圆满的。

再假设下,如果行4和行5之间触发了同样的异常,执行流程应该如何。
首先,执行 scopetable[2],然后在 scopetable[1],然后……(省略若干同上字)。
停!这次的异常是在第一个 __try/__except 中触发的,轮不到 scopetable[2] 来处理,怎么办?


这个时候就轮到 EXCEPTION_REGISTRATION::trylevel 出场了。EXCEPTION_REGISTRATION::trylevel 的作用就是标识从那个数组单元开始遍历。
与 scopetable_entry::previousTryLevel 不同,EXCEPTION_REGISTRATION::trylevel 是动态变化的,也就是说,这个值在 SimpleSeh 执行过程中是会经常改变的。
比如:
执行到行4和行5之间,该值就会被修改为0;
执行到第12行,该值被修改为1;
执行到14行,该值为2。
这样,当异常触发时候,MSC 就能正确的遍历 scopetable 了。

 

 到目前位置,已经熟悉了增强版的概要流程。下面结合真实代码来分析。代码分为三块:SEH 创建代码、MSC 提供的 handler 函数,以及展开函数。

先把后面分析要用的宏和结构体列出来:

    #define EXCEPTION_NONCONTINUABLE 0x1    // Noncontinuable exception
    #define EXCEPTION_UNWINDING 0x2         // Unwind is in progress
    #define EXCEPTION_EXIT_UNWIND 0x4       // Exit unwind is in progress
    #define EXCEPTION_STACK_INVALID 0x8     // Stack out of limits or unaligned
    #define EXCEPTION_NESTED_CALL 0x10      // Nested exception handler call
    #define EXCEPTION_TARGET_UNWIND 0x20    // Target unwind in progress
    #define EXCEPTION_COLLIDED_UNWIND 0x40  // Collided exception handler call

    #define EXCEPTION_UNWIND (EXCEPTION_UNWINDING | EXCEPTION_EXIT_UNWIND | \
                              EXCEPTION_TARGET_UNWIND | EXCEPTION_COLLIDED_UNWIND)

    nt!_EXCEPTION_RECORD
       +0x000 ExceptionCode    : Int4B
       +0x004 ExceptionFlags   : Uint4B
       +0x008 ExceptionRecord  : Ptr32 _EXCEPTION_RECORD
       +0x00c ExceptionAddress : Ptr32 Void
       +0x010 NumberParameters : Uint4B
       +0x014 ExceptionInformation : [15] Uint4B

    typedef enum _EXCEPTION_DISPOSITION {
        ExceptionContinueExecution,
        ExceptionContinueSearch,
        ExceptionNestedException,
        ExceptionCollidedUnwind
    } EXCEPTION_DISPOSITION;

    // scopetable_entry::lpfnFilter 的返回值,也就是 __except 过滤块的返回值
    #define EXCEPTION_EXECUTE_HANDLER       1
    #define EXCEPTION_CONTINUE_SEARCH       0
    #define EXCEPTION_CONTINUE_EXECUTION    -1

一、SEH 创建代码

#include <ntifs.h>
#include <devioctl.h>

VOID TestSeh();
LONG Filter_0();
LONG Filter_2();

NTSTATUS
DriverEntry(IN PDRIVER_OBJECT pDriverObj, IN PUNICODE_STRING pRegistryString)
{
    TestSeh();
    return STATUS_SUCCESS;
}

VOID TestSeh()
{
    
       ULONG ulVal = 0;

        __try // 第一个 __try 域
        {
            ulVal = 0x11111111; // 最后一位为1表示“在 __try 代码块中”
        }
        __except(Filter_0())
        {
            ulVal = 0x11111110; // 最后一位为0表示“在 __except/__finally 代码块中”
        }

        __try // 第二个 __try 域
        {
            ulVal = 0x22222222;

            __try // 第三个 __try 域
            {
                ulVal = 0x33333333;

                *((ULONG*)NULL) = ulVal; // 触发异常
            }
            __finally
            {
                ulVal = 0x33333330;
            }
        }
        __except(Filter_2())
        {
            ulVal = 0x22222220;
        }

        return;

}

LONG Filter_0()
{
    return EXCEPTION_EXECUTE_HANDLER;
}


LONG Filter_2()
{
    return EXCEPTION_EXECUTE_HANDLER;

}

 

将生成的文件用Ida反汇编查看,TestSeh() 函数如下

 

.text:00011030 ; _DWORD __stdcall TestSeh()
.text:00011030 _TestSeh@0      proc near               ; CODE XREF: DriverEntry(x,x)+5p
.text:00011030
.text:00011030 ulVal           = dword ptr -1Ch
.text:00011030 ms_exc          = CPPEH_RECORD ptr -18h
.text:00011030
.text:00011030                 mov     edi, edi
.text:00011032                 push    ebp
.text:00011033                 mov     ebp, esp
.text:00011035                 push    0FFFFFFFEh
.text:00011037                 push    offset scopetable ; ExceptionRegister->scopetable
.text:0001103C                 push    offset __except_handler4 ; ExceptionRegistration-->handler  系统自己的
.text:00011041                 mov     eax, large fs:0 ; prev
.text:00011047                 push    eax
.text:00011048                 add     esp, 0FFFFFFF4h
.text:0001104B                 push    ebx
.text:0001104C                 push    esi
.text:0001104D                 push    edi
.text:0001104E                 mov     eax, ___security_cookie
.text:00011053                 xor     [ebp+ms_exc.registration.ScopeTable], eax ; 对scopetable进行加密
.text:00011056                 xor     eax, ebp        ; 对security_cookie进行异或加密
.text:00011058                 push    eax
.text:00011059                 lea     eax, [ebp+ms_exc.registration]
.text:0001105C                 mov     large fs:0, eax ; registration挂入线程异常链表
.text:00011062                 mov     [ebp+ms_exc.old_esp], esp
.text:00011065                 mov     [ebp+ulVal], 0
.text:0001106C                 mov     [ebp+ms_exc.registration.TryLevel], 0 ; 进入第一个__try域,TryLevel=0
.text:00011073                 mov     [ebp+ulVal], 11111111h
.text:0001107A                 mov     [ebp+ms_exc.registration.TryLevel], 0FFFFFFFEh ; 离开第一个__try域,TryLevel=TRYLEVEL_NONE (-2)
.text:00011081                 jmp     short loc_1109A
.text:00011083 ; ---------------------------------------------------------------------------
.text:00011083
.text:00011083 $LN7:                                   ; DATA XREF: .rdata:scopetableo
.text:00011083                 call    _Filter_0@0     ; Exception filter 0 for function 11030
.text:00011088
.text:00011088 $LN9:
.text:00011088                 retn
.text:00011089 ; ---------------------------------------------------------------------------
.text:00011089
.text:00011089 $LN8:                                   ; DATA XREF: .rdata:scopetableo
.text:00011089                 mov     esp, [ebp+ms_exc.old_esp] ; Exception handler 0 for function 11030
.text:0001108C                 mov     [ebp+ulVal], 11111110h
.text:00011093                 mov     [ebp+ms_exc.registration.TryLevel], 0FFFFFFFEh
.text:0001109A
.text:0001109A loc_1109A:                              ; CODE XREF: TestSeh()+51j
.text:0001109A                 mov     [ebp+ms_exc.registration.TryLevel], 1 ; 第二个__try域,TryLevel=1
.text:000110A1                 mov     [ebp+ulVal], 22222222h
.text:000110A8                 mov     [ebp+ms_exc.registration.TryLevel], 2 ; 第三个__try域,TryLevel=2
.text:000110AF                 mov     [ebp+ulVal], 33333333h
.text:000110B6                 mov     eax, [ebp+ulVal]
.text:000110B9                 mov     large ds:0, eax ; *((ULONG*)NULL) = ulVal; 触发异常
.text:000110BE                 mov     [ebp+ms_exc.registration.TryLevel], 1 ; 离开第三个__try域,TryLevel=1
.text:000110C5                 call    $LN15           ; Finally handler 2 for function 11030
.text:000110CA ; ---------------------------------------------------------------------------
.text:000110CA
.text:000110CA loc_110CA:                              ; CODE XREF: TestSeh():$LN16j
.text:000110CA                 jmp     short $LN18
.text:000110CC ; ---------------------------------------------------------------------------
.text:000110CC
.text:000110CC $LN15:                                  ; CODE XREF: TestSeh()+95j
.text:000110CC                                         ; DATA XREF: .rdata:scopetableo
.text:000110CC                 mov     [ebp+ulVal], 33333330h ; Finally handler 2 for function 11030
.text:000110D3
.text:000110D3 $LN16:
.text:000110D3                 retn
.text:000110D4 ; ---------------------------------------------------------------------------
.text:000110D4
.text:000110D4 $LN18:                                  ; CODE XREF: TestSeh():loc_110CAj
.text:000110D4                 mov     [ebp+ms_exc.registration.TryLevel], 0FFFFFFFEh
.text:000110DB                 jmp     short loc_110F4
.text:000110DD ; ---------------------------------------------------------------------------
.text:000110DD
.text:000110DD $LN11:                                  ; DATA XREF: .rdata:scopetableo
.text:000110DD                 call    _Filter_0@0     ; Exception filter 1 for function 11030
.text:000110E2
.text:000110E2 $LN13:
.text:000110E2                 retn
.text:000110E3 ; ---------------------------------------------------------------------------
.text:000110E3
.text:000110E3 $LN12:                                  ; DATA XREF: .rdata:scopetableo
.text:000110E3                 mov     esp, [ebp+ms_exc.old_esp] ; Exception handler 1 for function 11030
.text:000110E6                 mov     [ebp+ulVal], 22222220h ; 第二个__except处理
.text:000110ED                 mov     [ebp+ms_exc.registration.TryLevel], 0FFFFFFFEh
.text:000110F4
.text:000110F4 loc_110F4:                              ; CODE XREF: TestSeh()+ABj
.text:000110F4                 mov     ecx, [ebp+ms_exc.registration.Next] ; 恢复旧的EXCEPTION_REGISTRATION,从链表中摘除ExceptionRegistration
.text:000110F7                 mov     large fs:0, ecx
.text:000110FE                 pop     ecx
.text:000110FF                 pop     edi
.text:00011100                 pop     esi
.text:00011101                 pop     ebx
.text:00011102                 mov     esp, ebp
.text:00011104                 pop     ebp
.text:00011105                 retn
.text:00011105 _TestSeh@0      endp

 

 

用WinDbg来看看 scopetable 的内容:

kd> uf SEHx86!TestSeh
SEHx86!TestSeh [d:\sehx86\sehx86.c @ 18]:
   18 91de8030 8bff            mov     edi,edi
   18 91de8032 55              push    ebp
   18 91de8033 8bec            mov     ebp,esp
   18 91de8035 6afe            push    0FFFFFFFEh
   18 91de8037 68c890de91      push    offset SEHx86!__safe_se_handler_table+0x8 (91de90c8)
   18 91de803c 683081de91      push    offset SEHx86!_except_handler4 (91de8130)
   18 91de8041 64a100000000    mov     eax,dword ptr fs:[00000000h]
   18 91de8047 50              push    eax
   18 91de8048 83c4f4          add     esp,0FFFFFFF4h
   18 91de804b 53              push    ebx
   18 91de804c 56              push    esi
   18 91de804d 57              push    edi
   18 91de804e a100a0de91      mov     eax,dword ptr [SEHx86!__security_cookie (91dea000)]
   18 91de8053 3145f8          xor     dword ptr [ebp-8],eax
   18 91de8056 33c5            xor     eax,ebp
   18 91de8058 50              push    eax
   18 91de8059 8d45f0          lea     eax,[ebp-10h]
   18 91de805c 64a300000000    mov     dword ptr fs:[00000000h],eax
   18 91de8062 8965e8          mov     dword ptr [ebp-18h],esp
   20 91de8065 c745e400000000  mov     dword ptr [ebp-1Ch],0
   22 91de806c c745fc00000000  mov     dword ptr [ebp-4],0
   24 91de8073 c745e411111111  mov     dword ptr [ebp-1Ch],11111111h
   25 91de807a c745fcfeffffff  mov     dword ptr [ebp-4],0FFFFFFFEh
   25 91de8081 eb17            jmp     SEHx86!TestSeh+0x6a (91de809a)

SEHx86!TestSeh+0x6a [d:\sehx86\sehx86.c @ 31]:
   31 91de809a c745fc01000000  mov     dword ptr [ebp-4],1
   33 91de80a1 c745e422222222  mov     dword ptr [ebp-1Ch],22222222h
   35 91de80a8 c745fc02000000  mov     dword ptr [ebp-4],2
   37 91de80af c745e433333333  mov     dword ptr [ebp-1Ch],33333333h
   39 91de80b6 8b45e4          mov     eax,dword ptr [ebp-1Ch]
   39 91de80b9 a300000000      mov     dword ptr ds:[00000000h],eax
   41 91de80be c745fc01000000  mov     dword ptr [ebp-4],1
   41 91de80c5 e802000000      call    SEHx86!TestSeh+0x9c (91de80cc)
   41 91de80ca eb08            jmp     SEHx86!TestSeh+0xa4 (91de80d4)

SEHx86!TestSeh+0xa4 [d:\sehx86\sehx86.c @ 45]:
   45 91de80d4 c745fcfeffffff  mov     dword ptr [ebp-4],0FFFFFFFEh
   45 91de80db eb17            jmp     SEHx86!TestSeh+0xc4 (91de80f4)

SEHx86!TestSeh+0xc4 [d:\sehx86\sehx86.c @ 53]:
   53 91de80f4 8b4df0          mov     ecx,dword ptr [ebp-10h]
   53 91de80f7 64890d00000000  mov     dword ptr fs:[0],ecx
   53 91de80fe 59              pop     ecx
   53 91de80ff 5f              pop     edi
   53 91de8100 5e              pop     esi
   53 91de8101 5b              pop     ebx
   53 91de8102 8be5            mov     esp,ebp
   53 91de8104 5d              pop     ebp
   53 91de8105 c3              ret
uf Windbg

 

 

kd> dd 91de90c8
91de90c8 【fffffffe 00000000 ffffffd4 00000000】   >>>16个字节的空间
91de90d8 【fffffffe 91de8083 91de8089】【fffffffe   >>>3个socpetable_entry结构 
91de90e8 91de80dd 91de80e3】【00000001 00000000
91de90f8 91de80cc】 00000000 00000000 00000000
91de9108 00000000 00000000 00000000 00000000
91de9118 00000000 00000000 00000000 00000000
91de9128 00000000 00000000 00000000 00000000
91de9138 00000000 00000000 00000000 00000000

 

接下来再看系统自己的handler函数

text:00011130 ; _EXCEPTION_DISPOSITION __cdecl _except_handler4(_EXCEPTION_RECORD *ExceptionRecord, _EXCEPTION_REGISTRATION_RECORD *EstablisherFrame, _CONTEXT *ContextRecord, void *DispatcherContext)
.text:00011130 __except_handler4 proc near             ; DATA XREF: TestSeh()+Co
.text:00011130                                         ; .rdata:___safe_se_handler_tableo
.text:00011130
.text:00011130 ExceptionPointers= _EXCEPTION_POINTERS ptr -14h
.text:00011130 ScopeTableRecord= dword ptr -0Ch
.text:00011130 Disposition     = dword ptr -8
.text:00011130 Revalidate      = byte ptr -1
.text:00011130 ExceptionRecord = dword ptr  8
.text:00011130 EstablisherFrame= dword ptr  0Ch
.text:00011130 ContextRecord   = dword ptr  10h
.text:00011130 DispatcherContext= dword ptr  14h
.text:00011130
.text:00011130                 mov     edi, edi        ; 这里的_EXCEPTION_REGISTRATION_RECORD是编译器增强版,不是wrk中的定义
.text:00011132                 push    ebp
.text:00011133                 mov     ebp, esp
.text:00011135                 sub     esp, 14h
.text:00011138                 push    ebx
.text:00011139                 mov     ebx, [ebp+EstablisherFrame]
.text:0001113C                 push    esi
.text:0001113D                 mov     esi, [ebx+8]    ; scopetable
.text:00011140                 xor     esi, ___security_cookie ; 解密scopetable
.text:00011146                 push    edi
.text:00011147                 mov     eax, [esi]
.text:00011149                 mov     [ebp+Revalidate], 0 ; BOOLEAN 用来表示是否执行过任何 scopetable_entry::lpfnFilter
.text:0001114D                 mov     [ebp+Disposition], 1 ; 函数的返回值,初始化为EXCEPTION_EXECUTE_HANDLER(0)
.text:00011154                 lea     edi, [ebx+10h]  ; ebx为ExceptionRigstration,+10h即为_ebp
.text:00011157                 cmp     eax, 0FFFFFFFEh
.text:0001115A                 jz      short loc_11169
.text:0001115C                 mov     ecx, [esi+4]    ; 检验scopetable(1)
.text:0001115F                 add     ecx, edi
.text:00011161                 xor     ecx, [eax+edi]  ; cookie
.text:00011164                 call    @__security_check_cookie@4 ; __security_check_cookie(x)
.text:00011169
.text:00011169 loc_11169:                              ; CODE XREF: __except_handler4+2Aj
.text:00011169                 mov     ecx, [esi+0Ch]  ; 检验scopetable(2)
.text:0001116C                 mov     eax, [esi+8]
.text:0001116F                 add     ecx, edi
.text:00011171                 xor     ecx, [eax+edi]  ; cookie
.text:00011174                 call    @__security_check_cookie@4 ; __security_check_cookie(x)
.text:00011179                 mov     eax, [ebp+ExceptionRecord]
.text:0001117C                 test    byte ptr [eax+4], 66h ; wrk中的定义EXCEPTION_UNWIND equ 00066H
.text:0001117C                                         ; ExceptionRecord->ExceptionFlags & EXCEPTION_UNWIND
.text:0001117C                                         ; 判断是异常处理过程还是展开过程
.text:00011180                 jnz     $LN31           ; 展开
.text:00011186                 mov     ecx, [ebp+ContextRecord] ; 异常处理过程
.text:00011189                 lea     edx, [ebp+ExceptionPointers]
.text:0001118C                 mov     [ebx-4], edx    ; ebx是第二个参数ExceptionRigstrationRecord,
.text:0001118C                                         ; [ebx-4]就是前文提到过的xpointers
.text:0001118F                 mov     ebx, [ebx+0Ch]  ; ebx = TryLevel
.text:00011192                 mov     [ebp+ExceptionPointers.ExceptionRecord], eax ; 将参数拷贝到自己的函数栈
.text:00011195                 mov     [ebp+ExceptionPointers.ContextRecord], ecx
.text:00011198                 cmp     ebx, 0FFFFFFFEh
.text:0001119B                 jz      short loc_111FC
.text:0001119D                 lea     ecx, [ecx+0]
.text:000111A0
.text:000111A0 loc_111A0:                              ; CODE XREF: __except_handler4+A0j
.text:000111A0                 lea     eax, [ebx+ebx*2] ; eax=ebx*3
.text:000111A3                 mov     ecx, [esi+eax*4+14h] ; 这里的eax*4加上上面的ebx*3,相当于是*12,
.text:000111A3                                         ; 为了跳过trylevel个scopetable_entry(大小为12个字节)
.text:000111A3                                         ; 然后+14h,为了过上文提到过的10h的一个坑,
.text:000111A3                                         ; 即ecx = scopetable[i].lpfnFilter
.text:000111A7                 lea     eax, [esi+eax*4+10h] ; eax = &scopetable[i]
.text:000111AB                 mov     [ebp+ScopeTableRecord], eax ; ScopeTableRecord存放的就是当前异常
.text:000111AB                                         ; 的ScopeTableEntry
.text:000111AE                 mov     eax, [eax]      ; eax = scopetable[i].previousTryLevel
.text:000111B0                 mov     [ebp+ExceptionRecord], eax
.text:000111B3                 test    ecx, ecx
.text:000111B5                 jz      short loc_111CB ; ecx =0,即lpfnHandler为NULL,则跳转
.text:000111B7                 mov     edx, edi        ; edi = _ebp
.text:000111B9                 call    @_EH4_CallFilterFunc@8 ; 在函数里面 call ecx,即调用lpfnFilter
.text:000111BE                 mov     [ebp+Revalidate], 1 ; 表示是否执行过 lpfnFilter
.text:000111C2                 test    eax, eax        ; 检验lpfnHandler函数的返回值
.text:000111C4                 jl      short loc_11206 ; 如果是 EXCEPTION_CONTINUE_EXECUTION (-1) 就跳
.text:000111C6                 jg      short loc_1120F ; 如果是 EXCEPTION_EXECUTE_HANDLER (1) 就跳
.text:000111C8                 mov     eax, [ebp+ExceptionRecord] ; eax = scopetable[i].previousTryLevel
.text:000111CB
.text:000111CB loc_111CB:                              ; CODE XREF: __except_handler4+85j
.text:000111CB                 mov     ebx, eax
.text:000111CD                 cmp     eax, 0FFFFFFFEh ; cmp scopetable[i].previousTryLevel, TRYLEVEL_INVALID
.text:000111D0                 jnz     short loc_111A0 ; 不为TRYLEVEL_INVALID(-2),跳转,寻找下一个
.text:000111D2                 cmp     [ebp+Revalidate], 0
.text:000111D6                 jz      short loc_111FC ; 没有执行过 lpfnFilter,无需进行安全检查
.text:000111D8
.text:000111D8 loc_111D8:                              ; CODE XREF: __except_handler4+DDj
.text:000111D8                                         ; __except_handler4+14Fj
.text:000111D8                 mov     eax, [esi]
.text:000111DA                 cmp     eax, 0FFFFFFFEh ; 根据 scopetable 空间的第一个DWORD值
.text:000111DA                                         ; 判断是否需要做进一步的安全检查
.text:000111DD                 jz      short loc_111EC
.text:000111DF                 mov     ecx, [esi+4]    ; 检验scopetable完整性(1)
.text:000111E2                 add     ecx, edi
.text:000111E4                 xor     ecx, [eax+edi]  ; cookie
.text:000111E7                 call    @__security_check_cookie@4 ; __security_check_cookie(x)
.text:000111EC
.text:000111EC loc_111EC:                              ; CODE XREF: __except_handler4+ADj
.text:000111EC                 mov     ecx, [esi+0Ch]  ; 检验scopetable完整性(2)
.text:000111EF                 mov     edx, [esi+8]
.text:000111F2                 add     ecx, edi
.text:000111F4                 xor     ecx, [edx+edi]  ; cookie
.text:000111F7                 call    @__security_check_cookie@4 ; __security_check_cookie(x)
.text:000111FC
.text:000111FC loc_111FC:                              ; CODE XREF: __except_handler4+6Bj
.text:000111FC                                         ; __except_handler4+A6j ...
.text:000111FC                 mov     eax, [ebp+Disposition] ; 函数返回EXCEPTION_EXCUTE_HANDLER (1)
.text:000111FF                 pop     edi
.text:00011200                 pop     esi
.text:00011201                 pop     ebx
.text:00011202                 mov     esp, ebp
.text:00011204                 pop     ebp
.text:00011205                 retn
.text:00011206 ; ---------------------------------------------------------------------------
.text:00011206
.text:00011206 loc_11206:                              ; CODE XREF: __except_handler4+94j
.text:00011206                 mov     [ebp+Disposition], 0 ; 函数返回EXECEPTION_CONTINUE_SEARCH (0)
.text:0001120D                 jmp     short loc_111D8
.text:0001120F ; ---------------------------------------------------------------------------
.text:0001120F
.text:0001120F loc_1120F:                              ; CODE XREF: __except_handler4+96j
.text:0001120F                 mov     ecx, [ebp+EstablisherFrame] ; 全局展开操作
.text:00011212                 call    @_EH4_GlobalUnwind@4 ; _EH4_GlobalUnwind(x)
.text:00011217                 mov     eax, [ebp+EstablisherFrame]
.text:0001121A                 cmp     [eax+0Ch], ebx
.text:0001121D                 jz      short loc_11231
.text:0001121F                 push    offset ___security_cookie
.text:00011224                 push    edi
.text:00011225                 mov     edx, ebx
.text:00011227                 mov     ecx, eax
.text:00011229                 call    @_EH4_LocalUnwind@16 ; _EH4_LocalUnwind(x,x,x,x)
.text:0001122E                 mov     eax, [ebp+EstablisherFrame]
.text:00011231
.text:00011231 loc_11231:                              ; CODE XREF: __except_handler4+EDj
.text:00011231                 mov     ecx, [ebp+ExceptionRecord]
.text:00011234                 mov     [eax+0Ch], ecx
.text:00011237                 mov     eax, [esi]
.text:00011239                 cmp     eax, 0FFFFFFFEh
.text:0001123C                 jz      short loc_1124B
.text:0001123E                 mov     ecx, [esi+4]
.text:00011241                 add     ecx, edi
.text:00011243                 xor     ecx, [eax+edi]  ; cookie
.text:00011246                 call    @__security_check_cookie@4 ; __security_check_cookie(x)
.text:0001124B
.text:0001124B loc_1124B:                              ; CODE XREF: __except_handler4+10Cj
.text:0001124B                 mov     ecx, [esi+0Ch]
.text:0001124E                 mov     edx, [esi+8]
.text:00011251                 add     ecx, edi
.text:00011253                 xor     ecx, [edx+edi]  ; cookie
.text:00011256                 call    @__security_check_cookie@4 ; __security_check_cookie(x)
.text:0001125B                 mov     eax, [ebp+ScopeTableRecord]
.text:0001125E                 mov     ecx, [eax+8]
.text:00011261                 mov     edx, edi
.text:00011263                 call    @_EH4_TransferToHandler@8 ; _EH4_TransferToHandler(x,x)
.text:00011268
.text:00011268 $LN31:                                  ; CODE XREF: __except_handler4+50j
.text:00011268                 mov     edx, 0FFFFFFFEh
.text:0001126D                 cmp     [ebx+0Ch], edx
.text:00011270                 jz      short loc_111FC
.text:00011272                 push    offset ___security_cookie
.text:00011277                 push    edi
.text:00011278                 mov     ecx, ebx
.text:0001127A                 call    @_EH4_LocalUnwind@16 ; _EH4_LocalUnwind(x,x,x,x)
.text:0001127F                 jmp     loc_111D8
.text:0001127F __except_handler4 endp

 在函数的最后有展开操作,先学习一下展开的概念

 我们假设一系列使用 SEH 的函数调用流程: 
  func1 -> func2 -> func3,然后在 func3 执行的过程中触发了异常。

  看看分发异常流程 RtlRaiseException -> RtlDispatchException -> RtlpExecuteHandlerForException
  RtlDispatchException 会遍历异常链表,对每个 EXCEPTION_REGISTRATION 都调用 RtlpExecuteHandlerForException。
  RtlpExecuteHandlerForException 会调用 EXCEPTION_REGISTRATION::handler,也就是 PassThrough!_except_handler4。如咱们上面分析,该函数内部遍历 EXCEPTION_REGISTRATION::scopetable,如果遇到有 scopetable_entry::lpfnFilter 返回 EXCEPTION_EXECUTE_HANDLER,那么 scopetable_entry::lpfnHandler 就会被调用,来处理该异常。
  因为 lpfnHandler 不会返回到 PassThrough!_except_handler4,于是执行完 lpfnHandler 后,就会从 lpfnHandler 之后的代码继续执行下去。也就是说,假设 func3 中触发了一个异常,该异常被 func1 中的 __except 处理块处理了,那 __except 处理块执行完毕后,就从其后的指令继续执行下去,即异常处理完毕后,接着执行的就是 func1 的代码。不会再回到 func2 或者 func3,这样就有个问题,func2 和 func3 中占用的资源怎么办?这些资源比如申请的内存是不会自动释放的,岂不是会有资源泄漏问题?

  这就需要用到“展开”了。
  所谓“展开”就是进行清理,这里的清理主要包含动态分配的资源的清理,栈空间是由 func1 的“mov esp,ebp” 这类操作顺手清理 

 那这个展开工作由谁来完成呢?由 func1 来完成肯定不合适,毕竟 func2 和 func3 有没有申请资源、申请了哪些资源,func1 无从得知。于是这个展开工作还得要交给 func2 和 func3 自己来完成。

 展开分为两种:“全局展开”和“局部展开”。
  全局展开是指针对异常链表中的某一段,局部展开针对指定 EXCEPTION_REGISTRATION。用上面的例子来讲,局部展开就是针对 func3 或 func2 (某一个函数)内部进行清理,全局展开就是 func2 和 func3 的局部清理的总和。再归纳一下,局部展开是指具体某一函数内部的清理,而全局展开是指,从异常触发点(func3)到异常处理点(func1)之间所有函数(包含异常触发点 func3)的局部清理的总和。

 下面来看看wrk中RtlUwind的源代码:

VOID
RtlUnwind (
    IN PVOID TargetFrame OPTIONAL,
    IN PVOID TargetIp OPTIONAL,
    IN PEXCEPTION_RECORD ExceptionRecord OPTIONAL,
    IN PVOID ReturnValue
    )

/*++

Routine Description:

    This function initiates an unwind of procedure call frames. The machine
    state at the time of the call to unwind is captured in a context record
    and the unwinding flag is set in the exception flags of the exception
    record. If the TargetFrame parameter is not specified, then the exit unwind
    flag is also set in the exception flags of the exception record. A backward
    walk through the procedure call frames is then performed to find the target
    of the unwind operation.

    N.B.    The captured context passed to unwinding handlers will not be
            a  completely accurate context set for the 386.  This is because
            there isn't a standard stack frame in which registers are stored.

            Only the integer registers are affected.  The segment and
            control registers (ebp, esp) will have correct values for
            the flat 32 bit environment.

    N.B.    If you change the number of arguments, make sure you change the
            adjustment of ESP after the call to RtlpCaptureContext (for
            STDCALL calling convention)

Arguments:

    TargetFrame - Supplies an optional pointer to the call frame that is the
        target of the unwind. If this parameter is not specified, then an exit
        unwind is performed.

    TargetIp - Supplies an optional instruction address that specifies the
        continuation address of the unwind. This address is ignored if the
        target frame parameter is not specified.

    ExceptionRecord - Supplies an optional pointer to an exception record.

    ReturnValue - Supplies a value that is to be placed in the integer
        function return register just before continuing execution.

Return Value:

    None.

--*/

{
    PCONTEXT ContextRecord;
    CONTEXT ContextRecord1;
    DISPATCHER_CONTEXT DispatcherContext;
    EXCEPTION_DISPOSITION Disposition;
    PEXCEPTION_REGISTRATION_RECORD RegistrationPointer;
    PEXCEPTION_REGISTRATION_RECORD PriorPointer;
    ULONG HighAddress;
    ULONG HighLimit;
    ULONG LowLimit;
    EXCEPTION_RECORD ExceptionRecord1;
    EXCEPTION_RECORD ExceptionRecord2;

    //
    // Get current stack limits.
    //

    RtlpGetStackLimits(&LowLimit, &HighLimit);

    //
    // If an exception record is not specified, then build a local exception
    // record for use in calling exception handlers during the unwind operation.
    //

    if (ARGUMENT_PRESENT(ExceptionRecord) == FALSE) {
        ExceptionRecord = &ExceptionRecord1;
        ExceptionRecord1.ExceptionCode = STATUS_UNWIND;
        ExceptionRecord1.ExceptionFlags = 0;
        ExceptionRecord1.ExceptionRecord = NULL;
        ExceptionRecord1.ExceptionAddress = _ReturnAddress();  //返回地址
        ExceptionRecord1.NumberParameters = 0;
    }

    //
    // If the target frame of the unwind is specified, then set EXCEPTION_UNWINDING
    // flag in the exception flags. Otherwise set both EXCEPTION_EXIT_UNWIND and
    // EXCEPTION_UNWINDING flags in the exception flags.
    //

    if (ARGUMENT_PRESENT(TargetFrame) == TRUE) {
        ExceptionRecord->ExceptionFlags |= EXCEPTION_UNWINDING;
    } else {
        ExceptionRecord->ExceptionFlags |= (EXCEPTION_UNWINDING |
                                                        EXCEPTION_EXIT_UNWIND);
    }

    //
    // Capture the context.
    //

    ContextRecord = &ContextRecord1;
    ContextRecord1.ContextFlags = CONTEXT_INTEGER | CONTEXT_CONTROL | CONTEXT_SEGMENTS;
    RtlpCaptureContext(ContextRecord);

    //
    // Adjust captured context to pop our arguments off the stack
    //
    ContextRecord->Esp += sizeof(TargetFrame) +
                          sizeof(TargetIp)    +
                          sizeof(ExceptionRecord) +
                          sizeof(ReturnValue);
    ContextRecord->Eax = (ULONG)ReturnValue;

    //
    // Scan backward through the call frame hierarchy, calling exception
    // handlers as they are encountered, until the target frame of the unwind
    // is reached.
    //

    RegistrationPointer = RtlpGetRegistrationHead();//异常链表头
    while (RegistrationPointer != EXCEPTION_CHAIN_END) {

        //
        // If this is the target of the unwind, then continue execution
        // by calling the continue system service.
        //
        //说明展开完毕
        if ((ULONG)RegistrationPointer == (ULONG)TargetFrame) {
            ZwContinue(ContextRecord, FALSE);

        //
        // If the target frame is lower in the stack than the current frame,
        // then raise STATUS_INVALID_UNWIND exception.
        //

        } else if ( (ARGUMENT_PRESENT(TargetFrame) == TRUE) &&
                    ((ULONG)TargetFrame < (ULONG)RegistrationPointer) ) {
            //超出了异常链表的查找范围
            ExceptionRecord2.ExceptionCode = STATUS_INVALID_UNWIND_TARGET;
            ExceptionRecord2.ExceptionFlags = EXCEPTION_NONCONTINUABLE;
            ExceptionRecord2.ExceptionRecord = ExceptionRecord;
            ExceptionRecord2.NumberParameters = 0;
            RtlRaiseException(&ExceptionRecord2);
        }

        //
        // If the call frame is not within the specified stack limits or the
        // call frame is unaligned, then raise the exception STATUS_BAD_STACK.
        // Else restore the state from the specified frame to the context
        // record.
        //

        HighAddress = (ULONG)RegistrationPointer +
            sizeof(EXCEPTION_REGISTRATION_RECORD);
        //低于线程栈底或者高于线程栈顶,进行错误处理
        if ( ((ULONG)RegistrationPointer < LowLimit) ||
             (HighAddress > HighLimit) ||
             (((ULONG)RegistrationPointer & 0x3) != 0) 
           ) {

            //
            // Allow for the possibility that the problem occured on the
            // DPC stack.
            //

            ULONG TestAddress = (ULONG)RegistrationPointer;
            //& 0x3 检查是否4字节对齐 ,IRQL级别,如果当前正在执行dpc操作,restart
            if (((TestAddress & 0x3) == 0) &&
                KeGetCurrentIrql() >= DISPATCH_LEVEL) {

                PKPRCB Prcb = KeGetCurrentPrcb();
                ULONG DpcStack = (ULONG)Prcb->DpcStack;

                if ((Prcb->DpcRoutineActive) &&
                    (HighAddress <= DpcStack) &&
                    (TestAddress >= DpcStack - KERNEL_STACK_SIZE)) {

                    //
                    // This error occured on the DPC stack, switch
                    // stack limits to the DPC stack and restart
                    // the loop.
                    //

                    HighLimit = DpcStack;
                    LowLimit = DpcStack - KERNEL_STACK_SIZE;
                    continue;
                }
            }

            ExceptionRecord2.ExceptionCode = STATUS_BAD_STACK;
            ExceptionRecord2.ExceptionFlags = EXCEPTION_NONCONTINUABLE;
            ExceptionRecord2.ExceptionRecord = ExceptionRecord;
            ExceptionRecord2.NumberParameters = 0;
            RtlRaiseException(&ExceptionRecord2);
        } else { //一般情况的展开

            //
            // The handler must be executed by calling another routine
            // that is written in assembler. This is required because
            // up level addressing of the handler information is required
            // when a collided unwind is encountered.
            //
            //在内部调用Handler处理函数
            Disposition = RtlpExecuteHandlerForUnwind(
                ExceptionRecord,
                (PVOID)RegistrationPointer,
                ContextRecord,
                (PVOID)&DispatcherContext,
                RegistrationPointer->Handler);

            //
            // Case on the handler disposition.
            //
            //检查Handler的返回值
            switch (Disposition) {

                //
                // The disposition is to continue the search. Get next
                // frame address and continue the search.
                //

            case ExceptionContinueSearch :
                break;

                //
                // The disposition is colided unwind. Maximize the target
                // of the unwind and change the context record pointer.
                //

            case ExceptionCollidedUnwind :

                //
                // Pick up the registration pointer that was active at
                // the time of the unwind, and simply continue.
                //

                RegistrationPointer = DispatcherContext.RegistrationPointer;
                break;


                //
                // All other disposition values are invalid. Raise
                // invalid disposition exception.
                //

            default :
                ExceptionRecord2.ExceptionCode = STATUS_INVALID_DISPOSITION;
                ExceptionRecord2.ExceptionFlags = EXCEPTION_NONCONTINUABLE;
                ExceptionRecord2.ExceptionRecord = ExceptionRecord;
                ExceptionRecord2.NumberParameters = 0;
                RtlRaiseException(&ExceptionRecord2);
                break;
            }

            //
            // Step to next registration record
            //

            PriorPointer = RegistrationPointer;
            RegistrationPointer = RegistrationPointer->Next;

            //
            // Unlink the unwind handler, since it's been called.
            //

            RtlpUnlinkHandler(PriorPointer);

            //
            // If chain goes in wrong direction or loops, raise an
            // exception.
            //

        }
    }

    if (TargetFrame == EXCEPTION_CHAIN_END) {

        //
        //  Caller simply wants to unwind all exception records.
        //  This differs from an exit_unwind in that no "exit" is desired.
        //  Do a normal continue, since we've effectively found the
        //  "target" the caller wanted.
        //

        ZwContinue(ContextRecord, FALSE);

    } else {

        //
        //  Either (1) a real exit unwind was performed, or (2) the
        //  specified TargetFrame is not present in the exception handler
        //  list.  In either case, give debugger and subsystem a chance
        //  to see the unwind.
        //

        ZwRaiseException(ExceptionRecord, ContextRecord, FALSE);

    }
    return;
}
wrk RtlUnwind

 

代码不长,主要功能也不复杂:从异常链表头开始遍历,一直遍历到指定 EXCEPTION_REGISTRATION_RECORD,对每个遍历到的 EXCEPTION_REGISTRATION_RECORD,执行 RtlpExecuteHandlerForUnwind 进行局部展开。 

汇编代码如下,就不写注释了,直接看wrk源码更清晰

.text:00475C9B                   ; int __stdcall RtlUnwind(int, int, PEXCEPTION_RECORD ExceptionRecord, int)
.text:00475C9B                   public _RtlUnwind@16
.text:00475C9B                   _RtlUnwind@16 proc near       ; CODE XREF: __global_unwind2+13p
.text:00475C9B                                                 ; _EH4_GlobalUnwind(x)+10p
.text:00475C9B
.text:00475C9B                   var_384= dword ptr -384h
.text:00475C9B                   var_380= dword ptr -380h
.text:00475C9B                   var_37C= dword ptr -37Ch
.text:00475C9B                   var_378= EXCEPTION_RECORD ptr -378h
.text:00475C9B                   var_328= dword ptr -328h
.text:00475C9B                   var_324= dword ptr -324h
.text:00475C9B                   var_320= dword ptr -320h
.text:00475C9B                   var_31C= dword ptr -31Ch
.text:00475C9B                   var_318= dword ptr -318h
.text:00475C9B                   Context= CONTEXT ptr -2D8h
.text:00475C9B                   var_4= dword ptr -4
.text:00475C9B                   arg_0= dword ptr  8
.text:00475C9B                   ExceptionRecord= dword ptr  10h
.text:00475C9B                   arg_C= dword ptr  14h
.text:00475C9B
.text:00475C9B 8B FF             mov     edi, edi
.text:00475C9D 55                push    ebp
.text:00475C9E 8B EC             mov     ebp, esp
.text:00475CA0 83 E4 F8          and     esp, 0FFFFFFF8h
.text:00475CA3 81 EC 84 03 00 00 sub     esp, 384h
.text:00475CA9 A1 44 2A 52 00    mov     eax, ___security_cookie
.text:00475CAE 33 C4             xor     eax, esp
.text:00475CB0 89 84 24 80 03 00+mov     [esp+384h+var_4], eax
.text:00475CB7 53                push    ebx
.text:00475CB8 56                push    esi
.text:00475CB9 57                push    edi
.text:00475CBA 8B 7D 10          mov     edi, [ebp+ExceptionRecord]
.text:00475CBD 8D 44 24 10       lea     eax, [esp+390h+var_380]
.text:00475CC1 50                push    eax
.text:00475CC2 8D 74 24 18       lea     esi, [esp+394h+var_37C]
.text:00475CC6 E8 80 3D 01 00    call    _RtlpGetStackLimits@8 ; RtlpGetStackLimits(x,x)
.text:00475CCB 84 C0             test    al, al
.text:00475CCD 75 0A             jnz     short loc_475CD9
.text:00475CCF 68 28 00 00 C0    push    0C0000028h            ; Status
.text:00475CD4 E8 9B D0 FB FF    call    _RtlRaiseStatus@4     ; RtlRaiseStatus(x)
.text:00475CD9                   ; ---------------------------------------------------------------------------
.text:00475CD9
.text:00475CD9                   loc_475CD9:                   ; CODE XREF: RtlUnwind(x,x,x,x)+32j
.text:00475CD9 33 F6             xor     esi, esi
.text:00475CDB 3B FE             cmp     edi, esi
.text:00475CDD 75 1F             jnz     short loc_475CFE
.text:00475CDF 8B 45 04          mov     eax, [ebp+4]
.text:00475CE2 8D 7C 24 68       lea     edi, [esp+390h+var_328]
.text:00475CE6 C7 44 24 68 27 00+mov     [esp+390h+var_328], 0C0000027h
.text:00475CEE 89 74 24 6C       mov     [esp+390h+var_324], esi
.text:00475CF2 89 74 24 70       mov     [esp+390h+var_320], esi
.text:00475CF6 89 44 24 74       mov     [esp+390h+var_31C], eax
.text:00475CFA 89 74 24 78       mov     [esp+390h+var_318], esi
.text:00475CFE
.text:00475CFE                   loc_475CFE:                   ; CODE XREF: RtlUnwind(x,x,x,x)+42j
.text:00475CFE 39 75 08          cmp     [ebp+arg_0], esi
.text:00475D01 74 06             jz      short loc_475D09
.text:00475D03 83 4F 04 02       or      dword ptr [edi+4], 2
.text:00475D07 EB 04             jmp     short loc_475D0D
.text:00475D09                   ; ---------------------------------------------------------------------------
.text:00475D09
.text:00475D09                   loc_475D09:                   ; CODE XREF: RtlUnwind(x,x,x,x)+66j
.text:00475D09 83 4F 04 06       or      dword ptr [edi+4], 6
.text:00475D0D
.text:00475D0D                   loc_475D0D:                   ; CODE XREF: RtlUnwind(x,x,x,x)+6Cj
.text:00475D0D 8D 84 24 B8 00 00+lea     eax, [esp+390h+Context]
.text:00475D14 50                push    eax
.text:00475D15 C7 84 24 BC 00 00+mov     [esp+394h+Context.ContextFlags], 10007h
.text:00475D20 E8 3F 01 FE FF    call    _RtlpCaptureContext@4 ; RtlpCaptureContext(x)
.text:00475D25 8B 45 14          mov     eax, [ebp+arg_C]
.text:00475D28 83 84 24 7C 01 00+add     [esp+390h+Context._Esp], 10h
.text:00475D30 89 84 24 68 01 00+mov     [esp+390h+Context._Eax], eax
.text:00475D37 E8 BC 01 FE FF    call    _RtlpGetRegistrationHead@0 ; RtlpGetRegistrationHead()
.text:00475D3C 8B D8             mov     ebx, eax
.text:00475D3E 83 FB FF          cmp     ebx, 0FFFFFFFFh
.text:00475D41 0F 84 DC 00 00 00 jz      loc_475E23
.text:00475D47 33 F6             xor     esi, esi
.text:00475D49 46                inc     esi
.text:00475D4A
.text:00475D4A                   loc_475D4A:                   ; CODE XREF: RtlUnwind(x,x,x,x)+180j
.text:00475D4A 3B 5D 08          cmp     ebx, [ebp+arg_0]
.text:00475D4D 75 11             jnz     short loc_475D60
.text:00475D4F 6A 00             push    0                     ; TestAlert
.text:00475D51 8D 84 24 BC 00 00+lea     eax, [esp+394h+Context]
.text:00475D58 50                push    eax                   ; Context
.text:00475D59 E8 2A D5 FB FF    call    _ZwContinue@8         ; ZwContinue(x,x)
.text:00475D5E EB 2A             jmp     short loc_475D8A
.text:00475D60                   ; ---------------------------------------------------------------------------
.text:00475D60
.text:00475D60                   loc_475D60:                   ; CODE XREF: RtlUnwind(x,x,x,x)+B2j
.text:00475D60 83 7D 08 00       cmp     [ebp+arg_0], 0
.text:00475D64 74 24             jz      short loc_475D8A
.text:00475D66 39 5D 08          cmp     [ebp+arg_0], ebx
.text:00475D69 73 1F             jnb     short loc_475D8A
.text:00475D6B 83 64 24 28 00    and     [esp+390h+var_378.NumberParameters], 0
.text:00475D70 8D 44 24 18       lea     eax, [esp+390h+var_378]
.text:00475D74 50                push    eax                   ; ExceptionRecord
.text:00475D75 C7 44 24 1C 29 00+mov     [esp+394h+var_378.ExceptionCode], 0C0000029h
.text:00475D7D 89 74 24 20       mov     [esp+394h+var_378.ExceptionFlags], esi
.text:00475D81 89 7C 24 24       mov     [esp+394h+var_378.ExceptionRecord], edi
.text:00475D85 E8 96 CF FB FF    call    _RtlRaiseException@4  ; RtlRaiseException(x)
.text:00475D8A                   ; ---------------------------------------------------------------------------
.text:00475D8A
.text:00475D8A                   loc_475D8A:                   ; CODE XREF: RtlUnwind(x,x,x,x)+C3j
.text:00475D8A                                                 ; RtlUnwind(x,x,x,x)+C9j
.text:00475D8A                                                 ; RtlUnwind(x,x,x,x)+CEj
.text:00475D8A 3B 5C 24 14       cmp     ebx, [esp+390h+var_37C]
.text:00475D8E 72 69             jb      short loc_475DF9
.text:00475D90 8D 43 08          lea     eax, [ebx+8]
.text:00475D93 3B 44 24 10       cmp     eax, [esp+390h+var_380]
.text:00475D97 77 60             ja      short loc_475DF9
.text:00475D99 F6 C3 03          test    bl, 3
.text:00475D9C 75 5B             jnz     short loc_475DF9
.text:00475D9E 8B 43 04          mov     eax, [ebx+4]
.text:00475DA1 E8 ED A4 FF FF    call    _RtlIsValidHandler@8  ; RtlIsValidHandler(x,x)
.text:00475DA6 84 C0             test    al, al
.text:00475DA8 74 4F             jz      short loc_475DF9
.text:00475DAA FF 73 04          push    dword ptr [ebx+4]
.text:00475DAD 8D 44 24 10       lea     eax, [esp+394h+var_384]
.text:00475DB1 50                push    eax
.text:00475DB2 8D 84 24 C0 00 00+lea     eax, [esp+398h+Context]
.text:00475DB9 50                push    eax
.text:00475DBA 53                push    ebx
.text:00475DBB 57                push    edi
.text:00475DBC E8 A7 FF FD FF    call    _RtlpExecuteHandlerForUnwind@20 ; RtlpExecuteHandlerForUnwind(x,x,x,x,x)
.text:00475DC1 48                dec     eax
.text:00475DC2 74 29             jz      short loc_475DED
.text:00475DC4 48                dec     eax
.text:00475DC5 48                dec     eax
.text:00475DC6 74 21             jz      short loc_475DE9
.text:00475DC8 83 64 24 28 00    and     [esp+390h+var_378.NumberParameters], 0
.text:00475DCD 8D 44 24 18       lea     eax, [esp+390h+var_378]
.text:00475DD1 50                push    eax                   ; ExceptionRecord
.text:00475DD2 C7 44 24 1C 26 00+mov     [esp+394h+var_378.ExceptionCode], 0C0000026h
.text:00475DDA 89 74 24 20       mov     [esp+394h+var_378.ExceptionFlags], esi
.text:00475DDE 89 7C 24 24       mov     [esp+394h+var_378.ExceptionRecord], edi
.text:00475DE2 E8 39 CF FB FF    call    _RtlRaiseException@4  ; RtlRaiseException(x)
.text:00475DE2                   ; ---------------------------------------------------------------------------
.text:00475DE7 EB                db 0EBh ; 
.text:00475DE8 04                db    4
.text:00475DE9                   ; ---------------------------------------------------------------------------
.text:00475DE9
.text:00475DE9                   loc_475DE9:                   ; CODE XREF: RtlUnwind(x,x,x,x)+12Bj
.text:00475DE9 8B 5C 24 0C       mov     ebx, [esp+390h+var_384]
.text:00475DED
.text:00475DED                   loc_475DED:                   ; CODE XREF: RtlUnwind(x,x,x,x)+127j
.text:00475DED 8B C3             mov     eax, ebx
.text:00475DEF 8B 1B             mov     ebx, [ebx]
.text:00475DF1 50                push    eax
.text:00475DF2 E8 2D 00 FE FF    call    _RtlpUnlinkHandler@4  ; RtlpUnlinkHandler(x)
.text:00475DF7 EB 1F             jmp     short loc_475E18
.text:00475DF9                   ; ---------------------------------------------------------------------------
.text:00475DF9
.text:00475DF9                   loc_475DF9:                   ; CODE XREF: RtlUnwind(x,x,x,x)+F3j
.text:00475DF9                                                 ; RtlUnwind(x,x,x,x)+FCj
.text:00475DF9                                                 ; RtlUnwind(x,x,x,x)+101j
.text:00475DF9                                                 ; RtlUnwind(x,x,x,x)+10Dj
.text:00475DF9 83 64 24 28 00    and     [esp+390h+var_378.NumberParameters], 0
.text:00475DFE 8D 44 24 18       lea     eax, [esp+390h+var_378]
.text:00475E02 50                push    eax                   ; ExceptionRecord
.text:00475E03 C7 44 24 1C 28 00+mov     [esp+394h+var_378.ExceptionCode], 0C0000028h
.text:00475E0B 89 74 24 20       mov     [esp+394h+var_378.ExceptionFlags], esi
.text:00475E0F 89 7C 24 24       mov     [esp+394h+var_378.ExceptionRecord], edi
.text:00475E13 E8 08 CF FB FF    call    _RtlRaiseException@4  ; RtlRaiseException(x)
.text:00475E18                   ; ---------------------------------------------------------------------------
.text:00475E18
.text:00475E18                   loc_475E18:                   ; CODE XREF: RtlUnwind(x,x,x,x)+15Cj
.text:00475E18 83 FB FF          cmp     ebx, 0FFFFFFFFh
.text:00475E1B 0F 85 29 FF FF FF jnz     loc_475D4A
.text:00475E21 33 F6             xor     esi, esi
.text:00475E23
.text:00475E23                   loc_475E23:                   ; CODE XREF: RtlUnwind(x,x,x,x)+A6j
.text:00475E23 83 7D 08 FF       cmp     [ebp+arg_0], 0FFFFFFFFh
.text:00475E27 56                push    esi                   ; SearchFrames
.text:00475E28 8D 84 24 BC 00 00+lea     eax, [esp+394h+Context]
.text:00475E2F 50                push    eax                   ; Context
.text:00475E30 75 07             jnz     short loc_475E39
.text:00475E32 E8 51 D4 FB FF    call    _ZwContinue@8         ; ZwContinue(x,x)
.text:00475E37 EB 06             jmp     short loc_475E3F
.text:00475E39                   ; ---------------------------------------------------------------------------
.text:00475E39
.text:00475E39                   loc_475E39:                   ; CODE XREF: RtlUnwind(x,x,x,x)+195j
.text:00475E39 57                push    edi                   ; ExceptionRecord
.text:00475E3A E8 C5 E4 FB FF    call    _ZwRaiseException@12  ; ZwRaiseException(x,x,x)
.text:00475E3F
.text:00475E3F                   loc_475E3F:                   ; CODE XREF: RtlUnwind(x,x,x,x)+19Cj
.text:00475E3F 8B 8C 24 8C 03 00+mov     ecx, [esp+390h+var_4]
.text:00475E46 5F                pop     edi
.text:00475E47 5E                pop     esi
.text:00475E48 5B                pop     ebx
.text:00475E49 33 CC             xor     ecx, esp
.text:00475E4B E8 88 22 FE FF    call    @__security_check_cookie@4 ; __security_check_cookie(x)
.text:00475E50 8B E5             mov     esp, ebp
.text:00475E52 5D                pop     ebp
.text:00475E53 C2 10 00          retn    10h
.text:00475E53                   _RtlUnwind@16 endp
asm RtlUnwind

再看_except_handler4中的局部展开

.text:000113C8 ; int __fastcall _EH4_LocalUnwind(_EXCEPTION_REGISTRATION_RECORD *EstablisherFrame, int TryLevel, int FrameEBP, int *CookiePointer)
.text:000113C8 @_EH4_LocalUnwind@16 proc near          ; CODE XREF: __except_handler4+F9p
.text:000113C8                                         ; __except_handler4+14Ap
.text:000113C8
.text:000113C8 FrameEBP        = dword ptr  4
.text:000113C8 CookiePointer   = dword ptr  8
.text:000113C8
.text:000113C8                 push    ebp
.text:000113C9                 mov     ebp, [esp+4+FrameEBP] ; 切换ebp准备局部展开
.text:000113CD                 push    edx             ; TryLevel
.text:000113CE                 push    ecx             ; EstablisherFrame
.text:000113CF                 push    [esp+0Ch+CookiePointer] ; CookiePointer
.text:000113D3                 call    __local_unwind4
.text:000113D8                 add     esp, 0Ch
.text:000113DB                 pop     ebp
.text:000113DC                 retn    8
.text:000113DC @_EH4_LocalUnwind@16 endp

 

 

text:0001128C ; int __cdecl _local_unwind4(int *CookiePointer, _EXCEPTION_REGISTRATION_RECORD *EstablisherFrame, int TryLevel)
.text:0001128C __local_unwind4 proc near               ; CODE XREF: _unwind_handler4+2Dp
.text:0001128C                                         ; _seh_longjmp_unwind4(x)+10p ...
.text:0001128C
.text:0001128C var_20          = dword ptr -20h
.text:0001128C CookiePointer   = dword ptr  4
.text:0001128C EstablisherFrame= dword ptr  8
.text:0001128C TryLevel        = dword ptr  0Ch
.text:0001128C
.text:0001128C                 push    ebx
.text:0001128D                 push    esi
.text:0001128E                 push    edi
.text:0001128F                 mov     edx, [esp+0Ch+CookiePointer]
.text:00011293                 mov     eax, [esp+0Ch+EstablisherFrame]
.text:00011297                 mov     ecx, [esp+0Ch+TryLevel]
.text:0001129B                 push    ebp
.text:0001129C                 push    edx
.text:0001129D                 push    eax
.text:0001129E                 push    ecx
.text:0001129F                 push    ecx
.text:000112A0                 push    offset _unwind_handler4 ; Handler,局部展开发生异常时调用
.text:000112A5                 push    large dword ptr fs:0
.text:000112AC                 mov     eax, ___security_cookie
.text:000112B1                 xor     eax, esp
.text:000112B3                 mov     [esp+28h+var_20], eax
.text:000112B7                 mov     large fs:0, esp ; 安装新的SEH
.text:000112BE
.text:000112BE _lu_top:                                ; CODE XREF: __local_unwind4+64j
.text:000112BE                                         ; __local_unwind4+80j
.text:000112BE                 mov     eax, [esp+28h+EstablisherFrame]
.text:000112C2                 mov     ebx, [eax+8]    ; 获取ScopeTable
.text:000112C5                 mov     ecx, [esp+28h+CookiePointer]
.text:000112C9                 xor     ebx, [ecx]      ; 解密scopetable
.text:000112CB                 mov     esi, [eax+0Ch]  ; 获取TryLevel
.text:000112CE                 cmp     esi, 0FFFFFFFEh ; 判断是否遍历完毕
.text:000112D1                 jz      short _lu_done
.text:000112D3                 mov     edx, [esp+28h+TryLevel]
.text:000112D7                 cmp     edx, 0FFFFFFFEh
.text:000112DA                 jz      short loc_112E0
.text:000112DC                 cmp     esi, edx        ; 判断当前__try是否在EXCEPTION_EXECUTE_HANDLER的__try语句里层
.text:000112DE                 jbe     short _lu_done
.text:000112E0
.text:000112E0 loc_112E0:                              ; CODE XREF: __local_unwind4+4Ej
.text:000112E0                 lea     esi, [esi+esi*2]
.text:000112E3                 lea     ebx, [ebx+esi*4+10h] ; 和_except_handler4中作用一样,不过这里是+0x10,取scopetable
.text:000112E7                 mov     ecx, [ebx]
.text:000112E9                 mov     [eax+0Ch], ecx  ; 使当前异常帧指向上一个__try语句,也就是移除当前异常帧指向的
.text:000112EC                 cmp     dword ptr [ebx+4], 0
.text:000112F0                 jnz     short _lu_top
.text:000112F2                 push    101h
.text:000112F7                 mov     eax, [ebx+8]
.text:000112FA                 call    __NLG_Notify
.text:000112FF                 mov     ecx, 1
.text:00011304                 mov     eax, [ebx+8]
.text:00011307                 call    __NLG_Call      ;  进入__finally块处理
.text:0001130C                 jmp     short _lu_top   ; 遍历上一个__try/__except(或__finally)
.text:0001130E ; ---------------------------------------------------------------------------
.text:0001130E
.text:0001130E _lu_done:                               ; CODE XREF: __local_unwind4+45j
.text:0001130E                                         ; __local_unwind4+52j
.text:0001130E                 pop     large dword ptr fs:0
.text:00011315                 add     esp, 18h
.text:00011318                 pop     edi
.text:00011319                 pop     esi
.text:0001131A                 pop     ebx
.text:0001131B                 retn
.text:0001131B __local_unwind4 endp

 

 

看到了有人写出了C语言代码,直接就抄过来了

/** 
 * 
 * 操作系统原始的SEH异常帧结构     
 * struct _EXCEPTION_REGISTRATION_RECORD{     
 *      struct _EXCEPTION_REGISTRATION_RECORD *Next;     
 *      _except_handler Handler;      
 * } 
 * 
 * SEH异常处理函数原型 
 * EXCEPTION_DISPOSITION (__cdecl *PEXCEPTION_ROUTINE)( 
 *          struct _EXCEPTION_RECORD *_ExceptionRecord,     
 *          void * _EstablisherFrame,     
 *          struct _CONTEXT *_ContextRecord,     
 *          void * _DispatcherContext     
 * ); 
 * 
 * C/C++编译器扩展SEH的异常帧结构:       
 * [ebp-18] ESP       
 * [ebp-14] PEXCEPTION_POINTERS xpointers;          
 *          struct _EXCEPTION_REGISTRATION{          
 * [ebp-10]      struct _EXCEPTION_REGISTRATION *Prev;          
 * [ebp-0C]      PEXCEPTION_ROUTINE Handler;          
 * [ebp-08]      struct _EH4_SCOPETABLE *ScopeTable;          
 * [ebp-04]      int TryLevel;          
 * [ebp-00]      int _Ebp;          
 *          }; 
 * 
 * C/C++运行库使用的SCOPE TABLE结构   
 * struct _EH4_SCOPETABLE {   
 *      DWORD GSCookieOffset;   
 *      DWORD GSCookieXOROffset;   
 *      DWORD EHCookieOffset;   
 *      DWORD EHCookieXOROffset;   
 *      struct _EH4_SCOPETABLE_RECORD ScopeRecord;   
 * };   
 *   
 * C/C++运行库使用的SCOPE TABLE RECORD结构   
 * struct _EH4_SCOPETABLE_RECORD {   
 *      DWORD EnclosingLevel;       //上一层__try块   
 *      PVOID FilterFunc;           //过滤表达式   
 *      union   
 *      {   
 *          PVOID HandlerAddress;   //__except块代码   
 *          PVOID FinallyFunc;      //__finally块代码   
 *      };   
 * }; 
 *   
 * 参数说明: 
 * CookiePointer    - 安全码所在地址,用于解密异常帧的ScopeTable. 
 * EstablisherFrame - 当前异常帧结构 
 * TryLevel         - __try/__except(EXCEPTION_EXECUTE_HANDLER)所在的__try 
 * 
**/  
int __cdecl _local_unwind4(int *CookiePointer,   
                    _EXCEPTION_REGISTRATION_RECORD *EstablisherFrame,   
                    int TryLevel  
            )  
{  
    //安装SEH,_local_unwind4局部展开发生异常时调用  
    __asm push _unwind_handler4  
    __asm push dword ptr fs:[0]  
    __asm mov fs:[0],esp  
      
    //解密ScopeTable  
    struct _EH4_SCOPETABLE * pScopeTable = EstablisherFrame->ScopeTable ^ (*CookiePointer);  
    struct _EH4_SCOPETABLE_RECORD * pScopeRecord = &pScopeTable->ScopeRecord;  
      
    //当前异常帧不存在__try块,退出!  
    while(EstablisherFrame->TryLevel != 0xFFFFFFFE)  
    {     
        //越里层的__try其TryLevel值越高,捕获异常的__try通常在引发异常__try的外层  
        //这里判断当前异常帧指向的__try的TryLevel值是否正常.  
        if(EstablisherFrame->TryLevel!=0xFFFFFFFE && EstablisherFrame->TryLevel <= TryLevel) break;          
      
        //移除当前__try/__except(__finally)信息,使其指向上一层__try块  
        EstablisherFrame->TryLevel = pScopeRecord->EnclosingLevel;  
          
        //__except过滤表达式存在,也就是__finally块不存在,向上一层__try/__except(__finally)遍历  
        if(pScopeRecord->FilterFunc) continue;  
          
        //作用未知!  
        __NLG_Notify(101);  
          
        //进入__finally块处理  
        pScopeRecord->FinallyFunc();  
    }  
      
    //恢复SEH  
    __asm pop dword ptr fs:[0]  
}

 

 

 

到这里概要流程就讲完了。在处理异常和展开过程中多处涉及到遍历操作,咱们来总结一下这些遍历操作。
  1. 在异常处理过程中,每个被"卷入是非"的异常都至少会遍历异常链表两次(如果发生嵌套异常,比如在展开过程中
      EXCEPTION_REGISTRATION_RECORD::Handler 又触发异常,则会遍历更多次。不过这也可以算作是一个新异常了。看如何理解。)。
      一次是在 RtlDispatchException 中,遍历的目的是找到愿意处理该异常的 _EXCEPTION_REGISTRATION_RECORD。
      另一次是在展开过程中、RtlUnwind 函数内,遍历的目录是为了对每个遍历到的 EXCEPTION_REGISTRATION_RECORD 进行局部展开。
  2. 同样的,每个被"卷入是非"的异常的 scopetable 也会被遍历至少两次,
      一次是在 modulename!_except_handler? 中,遍历目的也是找到愿意处理该异常的 scopetable_entry。
      另一次是在展开过程中、_local_unwind4 函数内,遍历的目的是找到所有指定范围内的 scopetable_entry::lpfnFilter 为 NULL 的 scopetable_entry,调用它们的 lpfnHandler (即 __finally 处理块)。

 

posted on 2015-07-19 14:07  _懒人  阅读(5358)  评论(3编辑  收藏  举报

导航