Today I gonna dump some facts about Windows Structured Exception Handling (SEH) mechanism. This article is mostly based on This great article.
OK, some dry facts about exception handling in Windows:
- per thread
- FS:[0] (TIB first dword) points to the first EXCEPTION_REGISTRATION struct
_EXCEPTION_REGISTRATION structexcept_handler callback
prev dd ? // EXCEPTION_REGISTRATION linked list next record
handler dd ? // _except_ handler callback function pointer
_EXCEPTION_REGISTRATION ends
- can agree/decline to handle a given exception
- if declined, the system will continue looking for other exception handler
EXCEPTION_DISPOSITION __cdecl _except_handler(
struct _EXCEPTION_RECORD *ExceptionRecord,
void * EstablisherFrame,
struct _CONTEXT *ContextRecord, // registers values when exception occured
void * DispatcherContext );
typedef struct _EXCEPTION_RECORDException handling flow:
{
DWORD ExceptionCode; // assigned by OS
DWORD ExceptionFlags;
struct _EXCEPTION_RECORD *ExceptionRecord;
PVOID ExceptionAddress; // where the exception occured
DWORD NumberParameters;
DWORD ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
} EXCEPTION_RECORD;
- Exception occurred
- The system walks the EXCEPTION_REGISTRATIONs linked list to find a hanlder
- when a handler agreed to handle the exception all the handlers before it are called again with flag EH_UNWINDING (to allow cleanups*)
* when handler declines handling an exception, control typically doesn't exit from the function normally - calling dtors and finally blocks - execution continues wherever the handling callback decides (with ebp, esp set by the handler)
- all things below the handling frame's stack region are "removed"
- EXCEPTION_REGISTRATIONs in the list prior to the one that handled the exception are removed from the list
- see step 11 in the above figure
- default OS supplied exception handler (terminate / debug dialog)
- always agrees to handle an exception
- if no debugger is installed, the default dialog you will see may be similar to this:
Visual C++ Compiler level SEH
- every EXCEPTION_REGISTRATION handler points to the same VC++ runtime lib function __except_handlerX
- only one EXCEPTION_REGISTRATION is created per function on the stack
The Extended Exception Handling Frame
EBP-00 _ebp
EBP-04 trylevel
EBP-08 scopetable pointer
EBP-0C handler function address
EBP-10 previous EXCEPTION_REGISTRATION
EBP-14 GetExceptionPointers // pointers to GetExceptionInformation, GetExceptionCode
EBP-18 Standard ESP in frame
struct _EXCEPTION_REGISTRATION{
struct _EXCEPTION_REGISTRATION *prev;
void (*handler)(PEXCEPTION_RECORD,
PEXCEPTION_REGISTRATION,
PCONTEXT,
PEXCEPTION_RECORD);
struct scopetable_entry *scopetable;
int trylevel; // index into scopetable
int _ebp; // ebp value before the EXCEPTION_REGISTRATION was created
PEXCEPTION_POINTERS xpointers;
};
typedef struct _SCOPETABLE
{
DWORD previousTryLevel; // the next level try block trylevel (most in -> out)
DWORD lpfnFilter
DWORD lpfnHandler
} SCOPETABLE, *PSCOPETABLE;
The main idea behind this technique is expressed in the following simple example:
void foo() { printf("code line #1\n"); printf("code line #2\n"); printf("code line #3\n"); }will become:
void foo() { try { // exception } catch(...) { printf("code line #1\n"); try { // exception } catch(...) { printf("code line #2\n"); try { // exception } catch(...) { printf("code line #3\n"); } } } }