
I'm writing a file protector that is similar to armadillo. So, I want to implement some kind of "nanomites" for anti-dump protection.

However, instead of opening my own process I've decided to hook KiUserExceptionDispatcher.

The problem is I don't know what is being passed to KiUserExceptionDispatcher, nor am I sure how to continue after I have determined the exception type is a STATUS_BREAKPOINT exception.

I've tried searching Google, but to no avail. All I find are results for KiDispatchException, which is hooked in rootkits.

Can someone provide me a typedef of this function, and tell me what I would do to continue after determining it was indeed a STATUS_BREAKPOINT exception? Would I call NtContinue after modifying the EIP context?

Or if this is not as simple as I think it is, should I just stick to the armadillo style? Debugging my own process?

Thanks.

Jason

1 Answer


The closest thing to documentation is going to be this MSJ article: A Crash Course on the Depths of Win32 Structured Exception Handling

which provides this as a sample of the basic prototype (from Figure 14):

KiUserExceptionDispatcher( PEXCEPTION_RECORD pExcptRec, CONTEXT * pContext )

In practice, I've also seen instances where the PEXCEPTION_RECORD was in the 3rd parameter and not the first (at least from WinDbg's perspective). There are also potential differences between x86 and x64 implementations.

Is there a reason you can't add an additional exception vector via AddVectoredExceptionHandler?

Additional reading: Under the Hood: New Vectored Exception Handling in Windows XP

josh poley
    On Windows 7 x64, the exception code given to KiUserExceptionDispatcher is stored in the first argument (first argument to be pushed on the stack; third stack element from Ollydbg's perspective). – farmdve Jun 27 '14 at 23:39
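The vectored-handler route suggested in the answer, written out as an added example that is not from the answerer or the original question: a VEH that recognises a STATUS_BREAKPOINT raised by a planted int3, looks the faulting address up in a nanomite table, redirects the context's instruction pointer and returns EXCEPTION_CONTINUE_EXECUTION, so neither a KiUserExceptionDispatcher hook nor a manual NtContinue is needed. The table, its addresses and the nanomite_* function names are constructed assumptions; the handler itself compiles only under Windows, the lookup compiles anywhere.

```c
#include <stdint.h>
#include <stddef.h>

/* One "nanomite": an int3 (0xCC) planted at `site` that stands in for a
 * jump to `target`. Constructed sample table with made-up addresses; a
 * protector would generate this when it rewrites the binary. */
typedef struct {
    uintptr_t site;
    uintptr_t target;
} nanomite_t;

static const nanomite_t g_table[] = {
    { 0x00401000, 0x00401042 },
    { 0x00401100, 0x00401000 },
};

/* Look the faulting address up; returns 1 and fills *target on a hit,
 * 0 when the breakpoint is not one of ours (e.g. a debugger's). */
int nanomite_resolve(uintptr_t site, uintptr_t *target) {
    for (size_t i = 0; i < sizeof g_table / sizeof g_table[0]; i++) {
        if (g_table[i].site == site) {
            *target = g_table[i].target;
            return 1;
        }
    }
    return 0;
}

#ifdef _WIN32
#include <windows.h>

/* Vectored handler: runs before frame-based SEH with the full CONTEXT,
 * and returning EXCEPTION_CONTINUE_EXECUTION resumes the thread at the
 * (modified) context for us, which is what NtContinue would do by hand. */
static LONG CALLBACK NanomiteHandler(PEXCEPTION_POINTERS ep) {
    uintptr_t target;
    if (ep->ExceptionRecord->ExceptionCode != STATUS_BREAKPOINT)
        return EXCEPTION_CONTINUE_SEARCH;
    /* Key on ExceptionAddress (the int3 byte) rather than the context IP,
     * so the lookup does not depend on how far the IP sits past the int3. */
    if (!nanomite_resolve((uintptr_t)ep->ExceptionRecord->ExceptionAddress, &target))
        return EXCEPTION_CONTINUE_SEARCH;   /* not ours: let SEH/debugger see it */
#if defined(_M_X64)
    ep->ContextRecord->Rip = target;
#else
    ep->ContextRecord->Eip = target;
#endif
    return EXCEPTION_CONTINUE_EXECUTION;
}

/* Install as the first vectored handler; returns 1 on success. */
int nanomite_install(void) {
    return AddVectoredExceptionHandler(1, NanomiteHandler) != NULL;
}
#endif
```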