Installing Exception Handler in a driver?

What about _try/_except?

The following *should* trap a debug exception when a kernel debugger is
not present.

_try
{
KdBreakPoint();
}
_except (EXCEPTION_EXECUTE_HANDLER)
{
}

On 24-Sep-04, at 5:40 PM, xxxxx@conexant.com wrote:

Hi All,

Does anyone know if it is possible to create an exception handler
routine in a driver, and then hook it to an specific exception trap?
For example, let’s say I generate a debug trap, like “_asm int 3” in
my code. Normally, if a debugger is attached this goes to the debugger
exception handler. If a debugger is NOT attached, it would crash the
system with exception not handled.

For debugging purposes, it may be useful to trap the debug exception
back into a routine my driver provides. Is this possible? Is there a
DDK routine/api I can call to supply a function address, and request
it to be hooked to a particular exception code?

Thanks,
James

******************Legal Disclaimer**************************
“This email may contain confidential and privileged material for the
sole use of the intended recipient. Any unauthorized review, use or
distribution by others is strictly prohibited. If you have received
the message in error, please advise the sender by reply email and
delete the message. Thank you.”
****************************************************************

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag
argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

–

Cliff

It could work but using it in every function is a bit impractical and also, there are side effects. Stack usage, slower code and mainly if there is some bug which causes an exception, it would be masked.

I guess OP means something as global exception handler for apps. I believe there is nothing similar for drivers. Maybe system wide exception handler could be changed/catched but it would be an overkill.

What about using opposite approach? Detect debugger (during driver startup) and generate int 3 only if attached. Or don’t use int 3 at all and use RtlAssert instead. If there is no debugger, failed assert causes BSOD and gives developer a chance to analyse crashdump. IMHO much better than continue with unexpected error and crash later.

In our build environment we have 3 options for asserts:

• don’t compile (final release build)
• assert only if debugger is present and use debug print otherwise (debug build)
• assert always (testing release build)

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

---

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Cliff Russell[SMTP:xxxxx@telus.net]
Reply To: Windows System Software Devs Interest List
Sent: Saturday, September 25, 2004 2:58 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Installing Exception Handler in a driver?

What about _try/_except?

The following *should* trap a debug exception when a kernel debugger is
not present.

_try
{
KdBreakPoint();
}
_except (EXCEPTION_EXECUTE_HANDLER)
{
}

On 24-Sep-04, at 5:40 PM, xxxxx@conexant.com wrote:

> Hi All,
>
> Does anyone know if it is possible to create an exception handler
> routine in a driver, and then hook it to an specific exception trap?
> For example, let’s say I generate a debug trap, like “_asm int 3” in
> my code. Normally, if a debugger is attached this goes to the debugger
> exception handler. If a debugger is NOT attached, it would crash the
> system with exception not handled.
>
> For debugging purposes, it may be useful to trap the debug exception
> back into a routine my driver provides. Is this possible? Is there a
> DDK routine/api I can call to supply a function address, and request
> it to be hooked to a particular exception code?
>
> Thanks,
> James
>
> ******************Legal Disclaimer**************************
> “This email may contain confidential and privileged material for the
> sole use of the intended recipient. Any unauthorized review, use or
> distribution by others is strictly prohibited. If you have received
> the message in error, please advise the sender by reply email and
> delete the message. Thank you.”
> ****************************************************************
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: unknown lmsubst tag
> argument: ‘’
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

Cliff

---

Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@upek.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

From: xxxxx@lists.osr.com .

mailto:xxxxx@lists.osr.com]On Behalf Of
xxxxx@conexant.com

For debugging purposes, it may be useful to trap the
debug exception back into a routine my driver provides.
Is this possible? Is there a DDK routine/api I can call
to supply a function address, and request it to be hooked
to a particular exception code?

Thanks,
James

Yes, it is possible. For example look at
I8042KeyboardInterruptService() function in the DDK source for
i8042.sys port driver (src\input\pnpi8042\kbddep.c).
It drops into the kernel debugger
(DbgBreakPointWithStatus(DBG_STATUS_SYSRQ)) on SysReq keypress
if the debugger is active, otherwise it just discards the exception.

Dmitriy Budko, VMware

Quite a few exception handlers are there in the kernel service table, one of
them is int_3 (breakpoint handler ). There are ways to hook to them, but
HIGHLY FORBIDDEN. No one recommends it ....

-pro
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of
xxxxx@conexant.com
Sent: Friday, September 24, 2004 5:40 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Installing Exception Handler in a driver?

Hi All,

Does anyone know if it is possible to create an exception handler routine
in a driver, and then hook it to an specific exception trap? For example,
let's say I generate a debug trap, like "_asm int 3" in my code. Normally,
if a debugger is attached this goes to the debugger exception handler. If a
debugger is NOT attached, it would crash the system with exception not
handled.

For debugging purposes, it may be useful to trap the debug exception back
into a routine my driver provides. Is this possible? Is there a DDK
routine/api I can call to supply a function address, and request it to be
hooked to a particular exception code?

Thanks,
James

******************Legal Disclaimer**************************
"This email may contain confidential and privileged material for the sole
use of the intended recipient. Any unauthorized review, use or distribution
by others is strictly prohibited. If you have received the message in error,
please advise the sender by reply email and delete the message. Thank you."
****************************************************************

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ''
To unsubscribe send a blank email to xxxxx@lists.osr.com

Also there is possibly a central point KiDispatchException that does the
dispatching ...

I did not say anything, and you did not hear from me PERIOD ...

-pro
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Prokash Sinha
Sent: Friday, September 24, 2004 7:41 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Installing Exception Handler in a driver?

Quite a few exception handlers are there in the kernel service table, one
of them is int_3 (breakpoint handler ). There are ways to hook to them, but
HIGHLY FORBIDDEN. No one recommends it ....

-pro
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of
xxxxx@conexant.com
Sent: Friday, September 24, 2004 5:40 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Installing Exception Handler in a driver?

Hi All,

Does anyone know if it is possible to create an exception handler
routine in a driver, and then hook it to an specific exception trap? For
example, let's say I generate a debug trap, like "_asm int 3" in my code.
Normally, if a debugger is attached this goes to the debugger exception
handler. If a debugger is NOT attached, it would crash the system with
exception not handled.

For debugging purposes, it may be useful to trap the debug exception
back into a routine my driver provides. Is this possible? Is there a DDK
routine/api I can call to supply a function address, and request it to be
hooked to a particular exception code?

Thanks,
James

******************Legal Disclaimer**************************
"This email may contain confidential and privileged material for the
sole use of the intended recipient. Any unauthorized review, use or
distribution by others is strictly prohibited. If you have received the
message in error, please advise the sender by reply email and delete the
message. Thank you."
****************************************************************

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument:
''
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ''
To unsubscribe send a blank email to xxxxx@lists.osr.com

On Sep 24, 2004, at 7:58 PM, Cliff Russell wrote:

What about _try/_except?

For an interesting counter-point (i.e. SEH is bad), check out Larry
Osterman’s thoughts on the topic:

http://weblogs.asp.net/larryosterman/archive/2004/09/10/228068.aspx

I heard similar expressions of dislike for SEH at the last Driver
DevCon in the driver security talk.

Steve Dispensa
MVP - Windows DDK
www.kernelmustard.com

And before getting any hail storm, and sorry for polluting this thread.
Actually IDT also gives a hand to int_3 and such ...

-pro
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Prokash Sinha
Sent: Friday, September 24, 2004 7:54 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Installing Exception Handler in a driver?

Also there is possibly a central point KiDispatchException that does the
dispatching ...

I did not say anything, and you did not hear from me PERIOD ...

-pro
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Prokash Sinha
Sent: Friday, September 24, 2004 7:41 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Installing Exception Handler in a driver?

Quite a few exception handlers are there in the kernel service table,
one of them is int_3 (breakpoint handler ). There are ways to hook to them,
but HIGHLY FORBIDDEN. No one recommends it ....

-pro
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of
xxxxx@conexant.com
Sent: Friday, September 24, 2004 5:40 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Installing Exception Handler in a driver?

Hi All,

Does anyone know if it is possible to create an exception handler
routine in a driver, and then hook it to an specific exception trap? For
example, let's say I generate a debug trap, like "_asm int 3" in my code.
Normally, if a debugger is attached this goes to the debugger exception
handler. If a debugger is NOT attached, it would crash the system with
exception not handled.

For debugging purposes, it may be useful to trap the debug exception
back into a routine my driver provides. Is this possible? Is there a DDK
routine/api I can call to supply a function address, and request it to be
hooked to a particular exception code?

Thanks,
James

******************Legal Disclaimer**************************
"This email may contain confidential and privileged material for the
sole use of the intended recipient. Any unauthorized review, use or
distribution by others is strictly prohibited. If you have received the
message in error, please advise the sender by reply email and delete the
message. Thank you."
****************************************************************

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag
argument: ''
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument:
''
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ''
To unsubscribe send a blank email to xxxxx@lists.osr.com

> For an interesting counter-point (i.e. SEH is bad), check out Larry

Osterman’s thoughts on the topic:

http://weblogs.asp.net/larryosterman/archive/2004/09/10/228068.aspx

Great story!

I observed the similar things when my test build (complex FS/disk filter)
managed to load some junk instead of the SYSTEM hive.

The registry code threw the usual 0xc0000005, which was caught, but the hive
mutex was not freed, and the OS hung in a few seconds after.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

You just gave three times in a row suggestions you admit yourself being
un-recommendable.

...Please!

Mat

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Prokash Sinha
Sent: Friday, September 24, 2004 11:40 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Installing Exception Handler in a driver?

And before getting any hail storm, and sorry for polluting this thread.
Actually IDT also gives a hand to int_3 and such ...
?
-pro
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Prokash Sinha
Sent: Friday, September 24, 2004 7:54 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Installing Exception Handler in a driver?
Also there is possibly a central point KiDispatchException that does the
dispatching ...
?
I did not say anything, and you did not hear from me PERIOD ...
?
-pro
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Prokash Sinha
Sent: Friday, September 24, 2004 7:41 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Installing Exception Handler in a driver?
Quite a few exception handlers are there in the kernel service table, one of
them is int_3 (breakpoint handler ). There are ways to hook to them, but
HIGHLY FORBIDDEN. No one recommends it ....
?
-pro
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of
xxxxx@conexant.com
Sent: Friday, September 24, 2004 5:40 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Installing Exception Handler in a driver?
Hi All,

Does anyone know if it is possible to create an exception handler routine in
a driver, and then hook it to an specific exception trap? For example, let's
say I generate a debug trap, like "_asm int 3" in my code. Normally, if a
debugger is attached this goes to the debugger exception handler. If a
debugger is NOT attached, it would crash the system with exception not
handled.

For debugging purposes, it may be useful to trap the debug exception back
into a routine my driver provides. Is this possible? Is there a DDK
routine/api I can call to supply a function address, and request it to be
hooked to a particular exception code?

Thanks,
James

******************Legal Disclaimer**************************
"This email may contain confidential and privileged material for the sole
use of the intended recipient. Any unauthorized review, use or distribution
by others is strictly prohibited. If you have received the message in error,
please advise the sender by reply email and delete the message. Thank you."
****************************************************************

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ''
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ''
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ''
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ''
To unsubscribe send a blank email to xxxxx@lists.osr.com

Mat,

What I said is the tip-of-the-icebarg. There are at least three books, about
at least 5 to 10 articles all are highly praised once, and at least another
5 to 10 websites that chalked out more than one methods of doing this
business...

OP is thinking for debugging his own driver, but then that is also very
questionable ! I've been seeing couple requests every month(s) on this site,
the names also tells me that they are not new on this list, so I dont know
what will make them stop doing it. IT IS MORE LIKE ARGUMENT ON DRUGS ( BE
LIKE USA OR BE LIKE HOLLAND ).

Have you seen another person asking how to delay packets when the mechanism
is hooking NDIS

IF SOMEONE IS DESPERATE ENOUGH I DONT SEE WHAT IS GOING TO MAKE THEM STOP !

The hint are not going to get OP anywhere, it is an indication that it can
be done, but a bad practice ...

-pro

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Mathieu Routhier
Sent: Monday, September 27, 2004 7:01 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Installing Exception Handler in a driver?

You just gave three times in a row suggestions you admit yourself being
un-recommendable.

...Please!

Mat

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Prokash Sinha
Sent: Friday, September 24, 2004 11:40 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Installing Exception Handler in a driver?

And before getting any hail storm, and sorry for polluting this thread.
Actually IDT also gives a hand to int_3 and such ...
?
-pro
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Prokash Sinha
Sent: Friday, September 24, 2004 7:54 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Installing Exception Handler in a driver?
Also there is possibly a central point KiDispatchException that does the
dispatching ...
?
I did not say anything, and you did not hear from me PERIOD ...
?
-pro
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Prokash Sinha
Sent: Friday, September 24, 2004 7:41 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Installing Exception Handler in a driver?
Quite a few exception handlers are there in the kernel service table, one of
them is int_3 (breakpoint handler ). There are ways to hook to them, but
HIGHLY FORBIDDEN. No one recommends it ....
?
-pro
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of
xxxxx@conexant.com
Sent: Friday, September 24, 2004 5:40 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Installing Exception Handler in a driver?
Hi All,

Does anyone know if it is possible to create an exception handler routine in
a driver, and then hook it to an specific exception trap? For example, let's
say I generate a debug trap, like "_asm int 3" in my code. Normally, if a
debugger is attached this goes to the debugger exception handler. If a
debugger is NOT attached, it would crash the system with exception not
handled.

For debugging purposes, it may be useful to trap the debug exception back
into a routine my driver provides. Is this possible? Is there a DDK
routine/api I can call to supply a function address, and request it to be
hooked to a particular exception code?

Thanks,
James

******************Legal Disclaimer**************************
"This email may contain confidential and privileged material for the sole
use of the intended recipient. Any unauthorized review, use or distribution
by others is strictly prohibited. If you have received the message in error,
please advise the sender by reply email and delete the message. Thank you."
****************************************************************

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ''
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ''
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ''
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ''
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ''
To unsubscribe send a blank email to xxxxx@lists.osr.com