
kernel try/exception filter won't work?

kindof Member Posts: 33
Recently we received a BSOD case where my exception filter won't work. Here is the code:

__try
{
    MmProbeAndLockPages( Mdl, KernelMode, IoWriteAccess);
}
__except((S = GetExceptionCode()) != 0x123456 ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH)
{
    IoFreeMdl( Mdl );
    Mdl = NULL;
}
and the stack when the BSOD occurs looks like:

2: kd> k
Child-SP RetAddr Call Site
fffffe82`a895e648 fffff802`1afc7b63 nt!KeBugCheckEx
fffffe82`a895e650 fffff802`1af7e68f nt!PspSystemThreadStartup$filt$0+0x44
fffffe82`a895e690 fffff802`1afb66fd nt!_C_specific_handler+0x9f
fffffe82`a895e700 fffff802`1ae1fa3a nt!RtlpExecuteHandlerForException+0xd
fffffe82`a895e730 fffff802`1ae2020d nt!RtlDispatchException+0x4ba
fffffe82`a895ee20 fffff802`1afc0ece nt!KiDispatchException+0x14d
fffffe82`a895f4e0 fffff802`1afbc03b nt!KiExceptionDispatch+0xce
fffffe82`a895f6c0 fffff800`c15f1a30 nt!KiSegmentNotPresentFault+0x3fb

which makes it seem I don't handle the exception well, but the value of S (assigned by GetExceptionCode()) is c0000005 for sure:

3: kd> dd S
fffff808`c20851e8 c0000005

On the other hand, I did another test, with code like:
__try
{
    MmProbeAndLockPages( Mdl, KernelMode, IoWriteAccess);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
    IoFreeMdl( Mdl );
    Mdl = NULL;
}

No BSOD!!!

So what is going on??

Plus: I found out a driver with a SHA1-only signature was loaded on that machine.

PS: asm code for the exception filter

xx!KlibMemEnableW$filt$0
76 fffff808`c2083cc0 48894c2408 mov qword ptr [rsp+8],rcx
76 fffff808`c2083cc5 4889542410 mov qword ptr [rsp+10h],rdx
76 fffff808`c2083cca 55 push rbp
76 fffff808`c2083ccb 4883ec30 sub rsp,30h
76 fffff808`c2083ccf 488bea mov rbp,rdx
76 fffff808`c2083cd2 48894d40 mov qword ptr [rbp+40h],rcx
76 fffff808`c2083cd6 488b4540 mov rax,qword ptr [rbp+40h]
76 fffff808`c2083cda 488b00 mov rax,qword ptr [rax]
76 fffff808`c2083cdd 8b00 mov eax,dword ptr [rax]
76 fffff808`c2083cdf 894548 mov dword ptr [rbp+48h],eax
76 fffff808`c2083ce2 8b4548 mov eax,dword ptr [rbp+48h]
76 fffff808`c2083ce5 8905fd140000 mov dword ptr [xx!gInjectionHandle+0x8 (fffff808`c20851e8)],eax
76 fffff808`c2083ceb 8b05f7140000 mov eax,dword ptr [xx!gInjectionHandle+0x8 (fffff808`c20851e8)]
76 fffff808`c2083cf1 3d56341200 cmp eax,123456h
76 fffff808`c2083cf6 7409 je xx!KlibMemEnableW$filt$0+0x41 (fffff808`c2083d01)

xx!KlibMemEnableW$filt$0+0x38
76 fffff808`c2083cf8 c7454c01000000 mov dword ptr [rbp+4Ch],1
76 fffff808`c2083cff eb07 jmp xx!KlibMemEnableW$filt$0+0x48 (fffff808`c2083d08)

xx!KlibMemEnableW$filt$0+0x41
76 fffff808`c2083d01 c7454c00000000 mov dword ptr [rbp+4Ch],0

xx!KlibMemEnableW$filt$0+0x48
76 fffff808`c2083d08 8b454c mov eax,dword ptr [rbp+4Ch]
76 fffff808`c2083d0b 4883c430 add rsp,30h
76 fffff808`c2083d0f 5d pop rbp
76 fffff808`c2083d10 c3 ret

Comments

  • jack_zheng Member Posts: 1
    Brother, use your brain and think it through.

    2018-01-29 16:48 GMT+08:00 5771067@qq.com :

  • Mark_Roddy Member Posts: 4,271
    "CONTINUE_SEARCH" is going to BSOD.

    Mark Roddy

    On Mon, Jan 29, 2018 at 3:48 AM, 5771067@qq.com wrote:

  • Ken_Johnson Member Posts: 1,556
    Furthermore, an attempt to modify an HVCI-protected code page, as is what appeared to be happening here, will never succeed. It's expected that this will always result in an access violation exception being raised on an attempt to write to a SLAT-protected physical address.

    For this (among other) reasons, it's advisable to move away from code page patching.

    - S (Msft)

    From: xxxxx@gmail.com
    Sent: Friday, February 9, 2018 7:28 AM
    To: Windows System Software Devs Interest List
    Subject: Re: [ntdev] kernel try/exception filter won't work?

    "CONTINUE_SEARCH" is going to BSOD.

    Mark Roddy

  • Tim_Roberts Member Posts: 12,667
    xxxxx@gmail.com wrote:
    >
    >
    > 2018-01-29 16:48 GMT+08:00 5771067@qq.com <mailto:5771067@qq.com>
    > <xxxxx@lists.osr.com :
    >
    > recently we received a bsod case that my exception filter won't
    > work, here is the code
    > ...
    > and the stack when bsod occurs like :
    >
    > 2: kd> k
    > Child-SP          RetAddr           Call Site
    > fffffe82`a895e648 fffff802`1afc7b63 nt!KeBugCheckEx
    > fffffe82`a895e650 fffff802`1af7e68f nt!PspSystemThreadStartup$filt$0+0x44
    > fffffe82`a895e690 fffff802`1afb66fd nt!_C_specific_handler+0x9f
    > fffffe82`a895e700 fffff802`1ae1fa3a nt!RtlpExecuteHandlerForException+0xd
    > fffffe82`a895e730 fffff802`1ae2020d nt!RtlDispatchException+0x4ba
    > fffffe82`a895ee20 fffff802`1afc0ece nt!KiDispatchException+0x14d
    > fffffe82`a895f4e0 fffff802`1afbc03b nt!KiExceptionDispatch+0xce
    > fffffe82`a895f6c0 fffff800`c15f1a30 nt!KiSegmentNotPresentFault+0x3fb
    >

    Given that stack, what leads you to suspect the exception filter?
    There's nothing here that points to that code.

    --
    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.

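To make Mark Roddy's point concrete, here is an added, constructed model of how SEH dispatch walks the frames shown in the stack above: the driver's filter (as the disassembly shows it, storing the code in a global S and comparing against 0x123456) is tried first, and if it returns EXCEPTION_CONTINUE_SEARCH the next frame on a system thread is PspSystemThreadStartup's filter, which bugchecks. This is portable illustration code written for this thread, not Windows source or the poster's driver; the frame list, the function names and the `bugchecked` flag standing in for KeBugCheckEx are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of SEH frame dispatch; not Windows kernel code. */
#define EXCEPTION_EXECUTE_HANDLER   1
#define EXCEPTION_CONTINUE_SEARCH   0
#define STATUS_ACCESS_VIOLATION     0xC0000005u
#define MAGIC_IGNORED_CODE          0x123456u   /* the code the thread's filter passes on */

typedef int (*filter_fn)(unsigned int code);

/* The driver's filter as posted: S = GetExceptionCode(); S != 0x123456 ? EXECUTE : SEARCH. */
unsigned int S;
static int driver_filter(unsigned int code) {
    S = code;
    return S != MAGIC_IGNORED_CODE ? EXCEPTION_EXECUTE_HANDLER
                                   : EXCEPTION_CONTINUE_SEARCH;
}

/* PspSystemThreadStartup's filter (modelled): an exception that reaches the
 * outermost frame of a system thread is fatal, so it bugchecks rather than
 * letting the thread continue. The flag stands in for KeBugCheckEx. */
bool bugchecked;
static int system_thread_filter(unsigned int code) {
    (void)code;
    bugchecked = true;
    return EXCEPTION_EXECUTE_HANDLER;
}

/* Walk the frames innermost-first; the first filter that returns
 * EXCEPTION_EXECUTE_HANDLER owns the exception. Returns the index of the
 * handling frame, or -1 if every filter said CONTINUE_SEARCH. */
static int dispatch(unsigned int code, const filter_fn *frames, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (frames[i](code) == EXCEPTION_EXECUTE_HANDLER)
            return (int)i;
    return -1;
}

/* Raise `code` inside the posted __try on a system thread (driver frame
 * inside the startup frame). Returns true if the model ends in a bugcheck. */
bool raise_in_system_thread(unsigned int code) {
    const filter_fn frames[] = { driver_filter, system_thread_filter };
    bugchecked = false;
    dispatch(code, frames, sizeof frames / sizeof frames[0]);
    return bugchecked;
}
```

With the filter as written, c0000005 is handled by the driver frame and 0x123456 is passed on and bugchecks; an unconditional EXCEPTION_EXECUTE_HANDLER, as in the poster's second test, never reaches the startup frame.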
