-
-
异常分发的不明之处
-
发表于:
2014-4-3 07:56
4138
-
查看资料显示,异常产生进入r3,调用KiUserExceptionDispatcher,函数会先检查存在调试器,检查 VEH,检查 SEH 。。。看了看资料 大体是
KiUserExceptionDispatcher(PEXCEPTION_RECORD ExceptionRecord,
PCONTEXT Context)
{
EXCEPTION_RECORD NestedExceptionRecord;
NTSTATUS Status;
/* call the vectored exception handlers */
if(RtlpExecuteVectoredExceptionHandlers(ExceptionRecord,
Context) != ExceptionContinueExecution)
{
goto ContinueExecution;
}
else
{
/* Dispatch the exception and check the result */
if(RtlDispatchException(ExceptionRecord, Context))
{
ContinueExecution:
/* Continue executing */
Status = NtContinue(Context, FALSE);
}
else
{
/* Raise an exception */
Status = NtRaiseException(ExceptionRecord, Context, FALSE);
}
}
..............
}
但是用OD,查看的结果是 伪代码
DWORD retValue;
if (RtlDispatchException(pExcptRec,pContext))
{
retValue=::ZwContinue( pContext,0);
}else{
retValue=::ZwRaiseException(pExcptRec,pContext,0);
}
只调用了RtlDispatchException,只检查SEH,这是为什么
[课程]Linux pwn 探索篇!
