kernel try/exception filter won't work?

recently we received a BSOD case where my exception filter won't work; here is the code:

__try
{
    MmProbeAndLockPages( Mdl, KernelMode, IoWriteAccess );
}
__except( (S = GetExceptionCode()) != 0x123456 ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH )
{
    IoFreeMdl( Mdl );
    Mdl = NULL;
}
and the stack when the BSOD occurs looks like:

2: kd> k
Child-SP RetAddr Call Site
fffffe82a895e648 fffff8021afc7b63 nt!KeBugCheckEx
fffffe82a895e650 fffff8021af7e68f nt!PspSystemThreadStartup$filt$0+0x44
fffffe82a895e690 fffff8021afb66fd nt!_C_specific_handler+0x9f
fffffe82a895e700 fffff8021ae1fa3a nt!RtlpExecuteHandlerForException+0xd
fffffe82a895e730 fffff8021ae2020d nt!RtlDispatchException+0x4ba
fffffe82a895ee20 fffff8021afc0ece nt!KiDispatchException+0x14d
fffffe82a895f4e0 fffff8021afbc03b nt!KiExceptionDispatch+0xce
fffffe82a895f6c0 fffff800c15f1a30 nt!KiSegmentNotPresentFault+0x3fb

which makes it seem that I don't handle the exception well, but the value of S (assigned by GetExceptionCode()) is c0000005 for sure

3: kd> dd S
fffff808`c20851e8 c0000005

on the other hand, I did another test; the code looks like:

__try
{
    MmProbeAndLockPages( Mdl, KernelMode, IoWriteAccess );
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
    IoFreeMdl( Mdl );
    Mdl = NULL;
}

no BSOD!!!

so what is going on??

plus: I found out that a driver with a SHA-1-only signature was loaded on that machine

PS: asm code for the exception filter

xx!KlibMemEnableW$filt$0:
   76 fffff808`c2083cc0 48894c2408      mov     qword ptr [rsp+8],rcx
   76 fffff808`c2083cc5 4889542410      mov     qword ptr [rsp+10h],rdx
   76 fffff808`c2083cca 55              push    rbp
   76 fffff808`c2083ccb 4883ec30        sub     rsp,30h
   76 fffff808`c2083ccf 488bea          mov     rbp,rdx
   76 fffff808`c2083cd2 48894d40        mov     qword ptr [rbp+40h],rcx
   76 fffff808`c2083cd6 488b4540        mov     rax,qword ptr [rbp+40h]
   76 fffff808`c2083cda 488b00          mov     rax,qword ptr [rax]
   76 fffff808`c2083cdd 8b00            mov     eax,dword ptr [rax]
   76 fffff808`c2083cdf 894548          mov     dword ptr [rbp+48h],eax
   76 fffff808`c2083ce2 8b4548          mov     eax,dword ptr [rbp+48h]
   76 fffff808`c2083ce5 8905fd140000    mov     dword ptr [xx!gInjectionHandle+0x8 (fffff808`c20851e8)],eax
   76 fffff808`c2083ceb 8b05f7140000    mov     eax,dword ptr [xx!gInjectionHandle+0x8 (fffff808`c20851e8)]
   76 fffff808`c2083cf1 3d56341200      cmp     eax,123456h
   76 fffff808`c2083cf6 7409            je      xx!KlibMemEnableW$filt$0+0x41 (fffff808`c2083d01)

xx!KlibMemEnableW$filt$0+0x38:
   76 fffff808`c2083cf8 c7454c01000000  mov     dword ptr [rbp+4Ch],1
   76 fffff808`c2083cff eb07            jmp     xx!KlibMemEnableW$filt$0+0x48 (fffff808`c2083d08)

xx!KlibMemEnableW$filt$0+0x41:
   76 fffff808`c2083d01 c7454c00000000  mov     dword ptr [rbp+4Ch],0

xx!KlibMemEnableW$filt$0+0x48:
   76 fffff808`c2083d08 8b454c          mov     eax,dword ptr [rbp+4Ch]
   76 fffff808`c2083d0b 4883c430        add     rsp,30h
   76 fffff808`c2083d0f 5d              pop     rbp
   76 fffff808`c2083d10 c3              ret

Brother, use your head and think it through properly.

2018-01-29 16:48 GMT+08:00 5771067@qq.com :

> recently we received a bsod case that my exception filter won't work, here
> is the code
> …
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

“CONTINUE_SEARCH” is going to BSOD.

Mark Roddy

On Mon, Jan 29, 2018 at 3:48 AM, 5771067@qq.com wrote:

> recently we received a bsod case that my exception filter won't work, here
> is the code
> …
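To make Mark's one-liner concrete, here is an added example, written for this page and not code from the thread or from any driver: a small portable C model of the decision rule the kernel exception dispatcher (nt!RtlDispatchException) applies to a __except filter's return value. Filters are evaluated innermost-first; the first one that returns EXCEPTION_EXECUTE_HANDLER owns the exception; EXCEPTION_CONTINUE_EXECUTION resumes at the faulting instruction; and if every frame answers EXCEPTION_CONTINUE_SEARCH the walk reaches the root __try of the system thread, whose filter is the nt!PspSystemThreadStartup$filt$0 frame in the posted stack, and that filter calls KeBugCheckEx. The model reports that case as KMODE_EXCEPTION_NOT_HANDLED (0x1E), the code the kernel uses for an unhandled kernel-mode exception in general; the posted stack does not show the bugcheck arguments, so that constant is background knowledge, not a reading of this dump. The poster's filter expression is ported as-is (the global `S`, the 0x123456 compare); the frame layouts, the name "caller" for an assumed outer __try, and the scenario helpers are assumptions for illustration only. The model does not attempt to explain which frame actually faulted on the poster's machine.

```c
/* Added example (not from the thread): portable model of how the kernel SEH
 * dispatcher treats a filter's return value.  Frame layouts, the "caller"
 * frame and the scenario helpers are assumptions made for illustration. */
#include <stdint.h>
#include <stdio.h>

/* Filter return values as defined by the Windows SDK (excpt.h). */
#define EXCEPTION_EXECUTE_HANDLER      1
#define EXCEPTION_CONTINUE_SEARCH      0
#define EXCEPTION_CONTINUE_EXECUTION  (-1)

#define STATUS_ACCESS_VIOLATION        0xC0000005u
#define MAGIC_CODE                     0x123456u   /* constant compared in the poster's filter */
#define KMODE_EXCEPTION_NOT_HANDLED    0x1Eu       /* bugcheck for an unhandled kernel-mode exception */

enum { DISPATCH_HANDLED, DISPATCH_RESUMED, DISPATCH_BUGCHECK };

typedef struct {
    int      outcome;   /* one of DISPATCH_* */
    int      frame;     /* index of the frame that took the exception, or -1 */
    uint32_t bugcheck;  /* bugcheck code when outcome is DISPATCH_BUGCHECK, else 0 */
} dispatch_result_t;

typedef int (*seh_filter_t)(uint32_t code);

typedef struct {
    const char  *name;    /* assumed function name, used only in the trace */
    seh_filter_t filter;  /* the frame's __except(...) expression */
} seh_frame_t;

/* The poster's filter expression, ported as-is: record the code in a global,
 * execute the handler for anything except 0x123456. */
static uint32_t S;
static int poster_filter(uint32_t code)
{
    return (S = code) != MAGIC_CODE ? EXCEPTION_EXECUTE_HANDLER
                                    : EXCEPTION_CONTINUE_SEARCH;
}

/* The poster's second test: __except(EXCEPTION_EXECUTE_HANDLER). */
static int catch_all_filter(uint32_t code)
{
    (void)code;
    return EXCEPTION_EXECUTE_HANDLER;
}

/* frames[0] is the innermost __try; the walk proceeds outward.  A frame that
 * returns EXCEPTION_CONTINUE_EXECUTION resumes at the faulting instruction,
 * which only makes sense if the filter repaired the cause of the fault. */
dispatch_result_t dispatch_exception(uint32_t code, const seh_frame_t *frames, int nframes)
{
    dispatch_result_t r = { DISPATCH_BUGCHECK, -1, 0 };
    for (int i = 0; i < nframes; i++) {
        int decision = frames[i].filter(code);
        printf("  %-16s filter -> %d\n", frames[i].name, decision);
        if (decision == EXCEPTION_EXECUTE_HANDLER)    { r.outcome = DISPATCH_HANDLED; r.frame = i; return r; }
        if (decision == EXCEPTION_CONTINUE_EXECUTION) { r.outcome = DISPATCH_RESUMED; r.frame = i; return r; }
        /* EXCEPTION_CONTINUE_SEARCH: keep walking outward */
    }
    /* No frame claimed it: nt!PspSystemThreadStartup$filt$0 -> KeBugCheckEx */
    r.bugcheck = KMODE_EXCEPTION_NOT_HANDLED;
    return r;
}

/* Scenario helpers (assumed frame layouts). */
dispatch_result_t scenario_poster_only(uint32_t code)
{
    const seh_frame_t frames[] = { { "KlibMemEnableW", poster_filter } };
    return dispatch_exception(code, frames, 1);
}
dispatch_result_t scenario_catch_all(uint32_t code)
{
    const seh_frame_t frames[] = { { "KlibMemEnableW", catch_all_filter } };
    return dispatch_exception(code, frames, 1);
}
dispatch_result_t scenario_poster_inside_catch_all(uint32_t code)
{
    const seh_frame_t frames[] = { { "KlibMemEnableW", poster_filter },
                                   { "caller",         catch_all_filter } };
    return dispatch_exception(code, frames, 2);
}

int main(void)
{
    static const struct { const char *label; dispatch_result_t (*run)(uint32_t); uint32_t code; } cases[] = {
        { "poster filter, STATUS_ACCESS_VIOLATION",     scenario_poster_only,              STATUS_ACCESS_VIOLATION },
        { "poster filter, 0x123456",                    scenario_poster_only,              MAGIC_CODE },
        { "catch-all filter, 0x123456",                 scenario_catch_all,                MAGIC_CODE },
        { "poster filter inside a catch-all, 0x123456", scenario_poster_inside_catch_all,  MAGIC_CODE },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%s:\n", cases[i].label);
        dispatch_result_t r = cases[i].run(cases[i].code);
        if (r.outcome == DISPATCH_BUGCHECK)
            printf("  -> no frame took it: KeBugCheckEx(0x%X)\n", r.bugcheck);
        else
            printf("  -> %s in frame %d (S = 0x%08X)\n",
                   r.outcome == DISPATCH_HANDLED ? "handler executes" : "execution resumes", r.frame, S);
    }
    return 0;
}
```

Two things the model makes visible. First, with STATUS_ACCESS_VIOLATION the poster's filter does return EXCEPTION_EXECUTE_HANDLER, so the compare against 0x123456 is not by itself a reason for the walk to leave that frame; only a code equal to 0x123456 sends the search outward. Second, the moment a filter answers EXCEPTION_CONTINUE_SEARCH in a frame that has no enclosing __try, the only thing left to run is the system thread's root filter, and that is a bugcheck rather than a handled exception.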

Furthermore, an attempt to modify an HVCI-protected code page, which is what appeared to be happening here, will never succeed. It's expected that this will always result in an access violation exception being raised on an attempt to write to a SLAT-protected physical address.

For this reason (among others), it's advisable to move away from code page patching.

  • S (Msft)

From: xxxxx@gmail.com
Sent: Friday, February 9, 2018 7:28 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] kernel try/exception filter won't work?

"CONTINUE_SEARCH" is going to BSOD.

Mark Roddy

On Mon, Jan 29, 2018 at 3:48 AM, 5771067@qq.com wrote:
recently we received a bsod case that my exception filter won't work, here is the code
…

xxxxx@gmail.com wrote:

> 2018-01-29 16:48 GMT+08:00 5771067@qq.com:
>
> recently we received a bsod case that my exception filter won’t
> work, here is the code
> …
> and the stack when bsod occurs like :
>
> 2: kd> k
> Child-SP     RetAddr      Call Site
> fffffe82a895e648 fffff8021afc7b63 nt!KeBugCheckEx
> fffffe82a895e650 fffff8021af7e68f
> nt!PspSystemThreadStartup$filt$0+0x44
> fffffe82a895e690 fffff8021afb66fd nt!_C_specific_handler+0x9f
> fffffe82a895e700 fffff8021ae1fa3a
> nt!RtlpExecuteHandlerForException+0xd
> fffffe82a895e730 fffff8021ae2020d nt!RtlDispatchException+0x4ba
> fffffe82a895ee20 fffff8021afc0ece nt!KiDispatchException+0x14d
> fffffe82a895f4e0 fffff8021afbc03b nt!KiExceptionDispatch+0xce
> fffffe82a895f6c0 fffff800c15f1a30 nt!KiSegmentNotPresentFault+0x3fb
>

Given that stack, what leads you to suspect the exception filter?
There's nothing here that points to that code.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.