9

How do you get the name and/or description of an SEH exception without having to hard-code the strings into your application?

I tried to use FormatMessage(), but it truncates the message sometimes, even if you specify to ignore inserts:

__asm { // raise access violation
    xor    eax, eax
    mov    eax, [eax]
}

Raises an exception with the code 0xC0000005 (EXCEPTION_ACCESS_VIOLATION).

char msg[256];
FormatMessageA(FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_IGNORE_INSERTS,
    GetModuleHandleA("ntdll.dll"), 0xC0000005,
    MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
    msg, sizeof(msg), NULL);

Fills msg with the truncated string: "The instruction at 0x".

Sascha

2 Answers

4

Structured exception codes are defined through NTSTATUS numbers. Although someone from MS suggests here (the article has been moved to here) using FormatMessage() to convert NTSTATUS numbers to strings, I would not do this. The flag FORMAT_MESSAGE_FROM_SYSTEM is used to convert the result of GetLastError() into a string, so it makes no sense here. Using the flag FORMAT_MESSAGE_FROM_HMODULE along with ntdll.dll will lead to incorrect results for some codes. E.g., for EXCEPTION_ACCESS_VIOLATION you will get "The instruction at 0x", which is not very informative :)

When you look at the strings that are stored in ntdll.dll it becomes obvious that many of them are supposed to be used with the printf() function, not with FormatMessage(). For example, the string for EXCEPTION_ACCESS_VIOLATION is:

The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

%0 is treated by FormatMessage() as the escape sequence meaning "message terminator", not as an insert. Inserts are %1 to %99. That's why the flag FORMAT_MESSAGE_IGNORE_INSERTS does not make any difference.

You might want to load the string from ntdll.dll and pass it to vprintf(), but you will need to prepare the arguments exactly as the string specifies (e.g. for EXCEPTION_ACCESS_VIOLATION it's unsigned long, unsigned long, char*). And this approach has a major drawback: any change in the number, order or size of the arguments in ntdll.dll may break your code.

So it's safer and easier to hard-code the strings into your own code. I find it dangerous to use strings prepared by someone else without coordination with me :) and moreover for another function. This is just one more possibility for malfunction.

4LegsDrivenCat
  • This is so broken, but it's too late to change. – davidbak May 31 '17 at 19:17
  • @davidbak What is broken? – 4LegsDrivenCat Jun 03 '17 at 16:53
  • That they had every opportunity initially (when NT was created) to make these proper event log strings (%1 style formatting) and instead made them printf format strings. And then they've never provided a substitute. There must be hundreds of programs - if not thousands - that have special code to format AVs for logging purposes. – davidbak Jun 03 '17 at 17:20
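An added example (not from the answer, and not code from ntdll.dll) that makes the three points above concrete in portable C: why FormatMessage() stops at the "%0" of "%08lx", what the printf-style alternative demands of the caller, and the hard-coded table the answer recommends. The template text is the one quoted above; format_message_model is an assumed, simplified model of FormatMessage's insert rules, and the three codes in the table are the standard EXCEPTION_* values with this example's own wording.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Constructed copy of the printf-style template the answer quotes from
   ntdll.dll for EXCEPTION_ACCESS_VIOLATION (not loaded from the DLL). */
static const char NTDLL_AV_TEMPLATE[] =
    "The instruction at 0x%08lx referenced memory at 0x%08lx. "
    "The memory could not be %s.";

/* Simplified model (assumption) of FormatMessage's insert grammar under
   FORMAT_MESSAGE_IGNORE_INSERTS: "%0" ends the message, "%%" is a literal
   '%', "%1".."%99" are inserts copied through untouched. Returns length. */
size_t format_message_model(const char *tmpl, char *out, size_t cap)
{
    size_t n = 0;
    const char *p = tmpl;
    while (*p && n + 1 < cap) {
        if (*p != '%') { out[n++] = *p++; continue; }
        if (p[1] == '0' || p[1] == '\0') break;  /* %0: message terminator */
        if (p[1] == '%') { out[n++] = '%'; p += 2; continue; }
        out[n++] = *p++;                         /* keep "%N" as-is */
        while (isdigit((unsigned char)*p) && n + 1 < cap) out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* The fragile alternative: hand the template to the printf family with
   exactly the argument types it expects (unsigned long, unsigned long, char*). */
int describe_access_violation(char *out, size_t cap, unsigned long ip,
                              unsigned long addr, int writing)
{
    return snprintf(out, cap, NTDLL_AV_TEMPLATE, ip, addr,
                    writing ? "written" : "read");
}
/* What the answer recommends: your own hard-coded table. Codes are the
   standard EXCEPTION_* values; the wording is this example's own. */
struct seh_desc { unsigned long code; const char *name; const char *text; };
static const struct seh_desc SEH_TABLE[] = {
    { 0xC0000005UL, "EXCEPTION_ACCESS_VIOLATION", "invalid memory access" },
    { 0xC0000094UL, "EXCEPTION_INT_DIVIDE_BY_ZERO", "integer divide by zero" },
    { 0xC00000FDUL, "EXCEPTION_STACK_OVERFLOW", "stack overflow" },
};
const struct seh_desc *seh_lookup(unsigned long code)
{
    for (size_t i = 0; i < sizeof SEH_TABLE / sizeof SEH_TABLE[0]; i++)
        if (SEH_TABLE[i].code == code) return &SEH_TABLE[i];
    return NULL;  /* unknown code: the caller should report the number */
}
```

Running format_message_model over the template reproduces the truncated "The instruction at 0x" from the question, while seh_lookup returns NULL for codes not in your table so the caller can fall back to printing the raw NTSTATUS value.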
1

Does this apply?

http://www.winehq.org/pipermail/wine-devel/2001-May/000801.html

John