
I'm trying to implement a post-mortem debugger, meaning one that catches only exceptions that are not handled by the program, so I set an unhandled exception filter (and make sure no one sets it after me). But I have some cases (e.g. in mshtml.dll) where an access violation occurs but the unhandled exception filter is not called, and the post-mortem debugger (e.g. windbg) pops up. How does the post-mortem debugger catch it?

And AddVectoredExceptionHandler is not a good idea because it is called even when SEH handles the exception and continues.

gedalia
  • Why do you need to know instead of setting up Windows Error Reporting to [collect user-mode dumps](https://msdn.microsoft.com/en-us/library/windows/desktop/bb787181.aspx) for you? – IInspectable Mar 12 '18 at 17:23
  • Do you have a dump from that case? It may be caused by [__fastfail](https://learn.microsoft.com/en-us/cpp/intrinsics/fastfail) that several [CRT functions](https://learn.microsoft.com/en-us/cpp/c-runtime-library/security-enhanced-versions-of-crt-functions) use to terminate process when security issue is detected. In case of __fastfail there are no exception handlers invoked (because they may be already corrupted and participate in further exploitation). – ge0rdi Mar 12 '18 at 18:58
  • Yes, you're right, it's caused by __fastfail, but how does the post-mortem debugger (windbg) catch it? – gedalia Mar 12 '18 at 19:02
  • This is a different usage of "post-mortem debugger" than I'm used to. Regardless, a typical debugger (like windbg) doesn't set an unhandled exception filter. Instead, it tells the OS that it's actively debugging the target process, and then it runs an event loop to which the debugger will deliver events like exceptions. – Adrian McCarthy Mar 12 '18 at 21:07
  • "it tells the OS that it's actively debugging the target process, and then it runs an event loop to which the debugger will deliver events like exceptions" how can I implement it? – gedalia Mar 13 '18 at 15:09
  • Have a look at [Creating a Basic Debugger](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679288(v=vs.85).aspx). – ge0rdi Mar 14 '18 at 07:26
  • But the post-mortem debugger does not need to put the process in debug mode to catch RaiseFailFastException – gedalia Mar 14 '18 at 10:34
  • Post-mortem debugger is invoked by OS when a process crashes. – ge0rdi Mar 14 '18 at 19:38

2 Answers


That's done by the operating system:

MSDN:

  1. If the process is not being debugged, or if the associated debugger does not handle the exception, the system provides default handling based on the exception type.

That behavior can be influenced by Registry settings such as AeDebug (Dr. Watson key) and WER keys (such as LocalDumps).

Thomas Weller

The smallest simple post-mortem debugger just prints the pid and event that are provided by the OS using the AeDebug key:

#include <stdio.h>    // printf, getchar
#include <windows.h>  // GetCommandLineA

// Started by the OS through the AeDebug "Debugger" value, so the command
// line carries the "-p <pid> -e <event>" values the OS filled in.
int main(int argc, char* argv[])
{
    printf("%s\n", GetCommandLineA());  // shows the pid and event passed by the OS
    printf("%d\n", getchar());          // keeps the console open until a key is pressed
    return 0;
}


I was not sure whether windbg caught fastfail. I tested, and both windbg and the code above catch fastfail, and they catch two events, as shown in screenshots 2 and 3.

C:\>cdb -c "uf accvio!main;q" accvio.exe | tail

0:000> cdb: Reading initial command 'uf accvio!main;q'

accvio!main:
01361000 33c9            xor     ecx,ecx
01361002 cd29            int     29h  <<<<<< __fastfail(0 @ecx)
01361004 33c0            xor     eax,eax
01361006 c3              ret
quit:

C:\>

[Screenshots 2 and 3: Event 168, Event 204]

blabb
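As an added example (not code from the question or from either answer), here is the skeleton that the comments describe and that blabb's snippet only prints the arguments of: the OS runs the AeDebug `Debugger` value (for example `C:\tools\pmdbg.exe -p %ld -e %ld`, where the path and program name are assumptions; `Auto=1` in the same key makes it start without a prompt), substituting the crashed process id and an inherited event handle value. The debugger attaches with `DebugActiveProcess`, signals that event so the OS releases the crashing thread, and then pumps `WaitForDebugEvent`/`ContinueDebugEvent`, which is where an exception that never reached any user-mode filter, such as the `int 29h` fast fail, finally becomes visible. The dump file name and the `-p`/`-e` parsing helpers are assumptions of this example; the parsing is portable, the attach loop is guarded by `#ifdef _WIN32`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parameters the OS passes when it runs the AeDebug "Debugger" command,
 * e.g. "C:\tools\pmdbg.exe -p %ld -e %ld" (that path is a placeholder). */
struct aedebug_args {
    unsigned long pid;    /* -p: id of the crashed process */
    unsigned long event;  /* -e: value of an event handle inherited from the OS, 0 if none */
};

/* Return the decimal value following `flag` (e.g. "-p") in argv, or 0 when the
 * flag is absent, has no value, or the value is not a plain number ("", "abc", "12x").
 * If `found` is non-NULL it is set to 1 only when a valid value was parsed. */
unsigned long aedebug_value(int argc, char *argv[], const char *flag, int *found)
{
    if (found) *found = 0;
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], flag) != 0) continue;
        char *end;
        unsigned long v = strtoul(argv[i + 1], &end, 10);
        if (end == argv[i + 1] || *end != '\0') return 0;
        if (found) *found = 1;
        return v;
    }
    return 0;
}

/* Fill `out` from argv. -p is mandatory (the OS always supplies it); -e is optional. */
int parse_aedebug_args(int argc, char *argv[], struct aedebug_args *out)
{
    int have_pid;
    out->pid = aedebug_value(argc, argv, "-p", &have_pid);
    out->event = aedebug_value(argc, argv, "-e", NULL);
    return have_pid;
}

#ifdef _WIN32
#include <windows.h>
#include <dbghelp.h>
#pragma comment(lib, "dbghelp.lib")

/* Attach to the crashed process, receive the exception the OS held back for us,
 * write a minidump on the second-chance exception and let the process terminate. */
static int run_postmortem(const struct aedebug_args *a)
{
    if (!DebugActiveProcess(a->pid)) {
        fprintf(stderr, "DebugActiveProcess(%lu) failed: %lu\n", a->pid, GetLastError());
        return 1;
    }
    /* Signalling the inherited event tells the OS the debugger is attached, so the
     * crashing thread is allowed to continue and re-raise its exception to us. */
    if (a->event) SetEvent((HANDLE)(ULONG_PTR)a->event);

    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, a->pid);
    DEBUG_EVENT de;
    int done = 0;
    while (!done && WaitForDebugEvent(&de, INFINITE)) {
        DWORD status = DBG_CONTINUE;
        if (de.dwDebugEventCode == EXCEPTION_DEBUG_EVENT) {
            DWORD code = de.u.Exception.ExceptionRecord.ExceptionCode;
            printf("pid %lu tid %lu exception 0x%08lX first-chance=%lu\n",
                   de.dwProcessId, de.dwThreadId, code, de.u.Exception.dwFirstChance);
            if (code != EXCEPTION_BREAKPOINT) {   /* not the attach breakpoint */
                /* __fastfail (int 29h) arrives here as STATUS_STACK_BUFFER_OVERRUN
                 * 0xC0000409, although no handler or filter in the target saw it. */
                if (!de.u.Exception.dwFirstChance && hProcess) {
                    char path[64];
                    snprintf(path, sizeof path, "crash_%lu.dmp", a->pid);  /* assumed name */
                    HANDLE hFile = CreateFileA(path, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS,
                                               FILE_ATTRIBUTE_NORMAL, NULL);
                    if (hFile != INVALID_HANDLE_VALUE) {
                        MiniDumpWriteDump(hProcess, a->pid, hFile, MiniDumpNormal, NULL, NULL, NULL);
                        CloseHandle(hFile);
                    }
                }
                status = DBG_EXCEPTION_NOT_HANDLED;  /* let the target's SEH or the OS finish it */
            }
        } else if (de.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT) {
            done = 1;
        }
        ContinueDebugEvent(de.dwProcessId, de.dwThreadId, status);
    }
    if (hProcess) CloseHandle(hProcess);
    return 0;
}
#endif

int main(int argc, char *argv[])
{
    struct aedebug_args a;
    if (!parse_aedebug_args(argc, argv, &a)) {
        fprintf(stderr, "usage: %s -p <pid> [-e <event>]\n", argv[0]);
        return 2;
    }
#ifdef _WIN32
    return run_postmortem(&a);
#else
    printf("parsed pid=%lu event=%lu (attaching is Windows-only)\n", a.pid, a.event);
    return 0;
#endif
}
```

The first exception event after `DebugActiveProcess` is the breakpoint the attach itself injects, which must be resumed with `DBG_CONTINUE`; every later exception is answered with `DBG_EXCEPTION_NOT_HANDLED` so that a first-chance exception still reaches the target's own SEH, and the dump is taken only when the same exception comes back as second chance, i.e. when nothing in the process handled it.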