
I want to hook (local) the function that finally calls an exception handler in order to get the address of the handler before it actually gets executed.

Is this even possible (in usermode)?

Which function do I have to hook?

Which parameter do I have to analyse to get the address of the exception handler that actually handles the exception?

thanks!

user2252343
  • The question is not about the difference between C and C++ exceptions. I want to know which function finally dispatches the control flow into an exception handler. – user2252343 May 15 '13 at 21:16
  • There is no "function", an __except filter determines what code handles the exception. If there is none then the program crashes. – Hans Passant May 15 '13 at 21:24
  • I'm talking about internal functions that handle exceptions. When an exception is thrown, a chain of internal functions gets called which somehow dispatches the control flow to the exception handler. As a programmer you only see try/catch/... but I want to hook the functions behind these keywords. Hooking my own code would not make too much sense anyway :D. Hope this makes it more clear. – user2252343 May 15 '13 at 22:00
  • Compilers don't do this, the operating system searches for an exception handler. Review RtlVirtualUnwind for example. – Hans Passant May 15 '13 at 22:11
  • Just modify the function and recompile it instead of hooking it. Hooking is a crazy world. Don't go there. Just follow normal engineering practices. Interfering with exception dispatch will get you flagged as malware, since that's the sort of thing malware does to avoid detection. Each successive version of Windows hardens exception dispatch further in response to more and more sophisticated malware attacks. – Raymond Chen May 16 '13 at 05:26

1 Answer


The following is from some crash dump:

00000000`0019c450 00000000`76f89d0d ntdll!_C_specific_handler+0x8c
00000000`0019c4c0 00000000`76f791af ntdll!RtlpExecuteHandlerForException+0xd
00000000`0019c4f0 00000000`76fb1278 ntdll!RtlDispatchException+0x45a
00000000`0019cbd0 00000001`3fcb2a36 ntdll!KiUserExceptionDispatch+0x2e

_C_specific_handler looks like what you're looking for.

xwlan
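An added example, not part of the question or the answer above: on x64 Windows the handler that the dispatch chain in the stack trace ends up calling is recorded in the image's unwind data (the tables that RtlVirtualUnwind walks), so it can be read out statically without hooking anything. The sketch parses RUNTIME_FUNCTION and UNWIND_INFO records and, assuming the language handler is `__C_specific_handler`, its scope table. Assumptions: `handler_for` and `build_sample` are hypothetical names, the sample bytes are constructed, and the buffer is flat (offset equals RVA), which a real PE file on disk is not.

```python
import struct

UNW_FLAG_EHANDLER, UNW_FLAG_UHANDLER, UNW_FLAG_CHAININFO = 0x1, 0x2, 0x4

def handler_for(image, pdata_rva, pdata_size, fault_rva):
    """Return (language_handler_rva, matching_scopes) for the function that
    covers fault_rva, or None when it has no exception/termination handler.
    Each scope is (begin, end, filter_or_finally_rva, except_block_rva)."""
    for off in range(pdata_rva, pdata_rva + pdata_size, 12):
        begin, end, unwind = struct.unpack_from("<3I", image, off)  # RUNTIME_FUNCTION
        if begin <= fault_rva < end:
            break
    else:
        return None  # no .pdata entry: leaf function, nothing to dispatch to
    while True:
        ver_flags, _prolog, n_codes, _frame = struct.unpack_from("<4B", image, unwind)
        flags = ver_flags >> 3                        # low 3 bits hold the version
        tail = unwind + 4 + 2 * ((n_codes + 1) & ~1)  # UNWIND_CODE array, padded to even
        if not flags & UNW_FLAG_CHAININFO:
            break
        _b, _e, unwind = struct.unpack_from("<3I", image, tail)  # follow the chained entry
    if not flags & (UNW_FLAG_EHANDLER | UNW_FLAG_UHANDLER):
        return None
    (handler_rva,) = struct.unpack_from("<I", image, tail)
    # Assumption: handler_rva resolves to __C_specific_handler, so the
    # language-specific data is a SCOPE_TABLE. C++ EH uses a different layout.
    (count,) = struct.unpack_from("<I", image, tail + 4)
    scopes = [struct.unpack_from("<4I", image, tail + 8 + 16 * i) for i in range(count)]
    return handler_rva, [s for s in scopes if s[0] <= fault_rva < s[1]]

def build_sample():
    """Constructed image: .pdata at RVA 0x2000 holding three RUNTIME_FUNCTION entries."""
    img = bytearray(0x3000)
    struct.pack_into("<9I", img, 0x2000,
                     0x1000, 0x1080, 0x2100,   # function with a __try/__except
                     0x1080, 0x10A0, 0x2300,   # chained fragment of that function
                     0x1100, 0x1120, 0x2200)   # function without any handler
    struct.pack_into("<4B2H", img, 0x2100, 0x09, 4, 1, 0, 0x4204, 0)  # v1, EHANDLER, 1 code + pad
    struct.pack_into("<6I", img, 0x2108, 0x1800, 1, 0x1010, 0x1040, 0x1090, 0x1050)
    struct.pack_into("<4B", img, 0x2200, 0x01, 0, 0, 0)               # v1, no flags
    struct.pack_into("<4B3I", img, 0x2300, 0x21, 0, 0, 0, 0x1000, 0x1080, 0x2100)
    return bytes(img), 0x2000, 36

if __name__ == "__main__":
    image, rva, size = build_sample()
    for fault in (0x1020, 0x1090, 0x1110):
        print(hex(fault), handler_for(image, rva, size, fault))
```

For a file on disk, translate each RVA to a file offset through the section headers first; the exception directory entry of the PE optional header gives the `.pdata` RVA and size.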