
I'm curious how Windows handles exceptions. More exactly, how Windows finds the catch block of a try / catch. I saw that the compiler makes a separate function in assembly for the catch block. Since the catch block was represented by another function in assembly, I couldn't find any correlation between the instruction that was generating the exception and the RUNTIME_FUNCTION entries from the .pdata section.

I tried to put a breakpoint on RaiseException, RtlRaiseException and RtlVirtualUnwind but all I could find was the address after the RaiseException call. Tried to debug a divide by 0 exception, but it looks like the debugger has some additional exception handlers and the message in the catch block was not printed.

Any additional information about stack unwinding on Windows 64-bit is welcome :D.

Maco
  • The Runtime_Function data is visited by RtlVirtualUnwind, I do not think you can debug that since that is internal to how the debugger interacts with the exception handling mechanism to give you an illusion of a simple goto on error. It is not at all simple because you need to know the exact stack layout at every instruction in your method to be able to locate the return address on the stack. That is what the Runtime_Function data is used for. – Alois Kraus Sep 10 '21 at 14:25
  • See https://web.archive.org/web/20160306065103/http://geekswithblogs.net/akraus1/archive/2016/01/30/172079.aspx for some pointers from when I was playing around with that stuff. Some links might still work. – Alois Kraus Sep 13 '21 at 05:36

2 Answers


The exceptions are handled by exception handler routines. When you add a try/catch block to your C++ code you will see that the compiler added __CxxFrameHandler3 to your import table (provided that the MSVCRT is not statically linked). So this is your exception handler that will be called when an exception occurs in the try block. Another one, __C_specific_handler, is imported when you add a __try/__except block to your C or C++ code. There are a few others, but these two are the ones used in C/C++ code.

To answer your question, the best way is to hook (replace the import table pointer with a pointer to your local routine) one of these functions and see how your "handler" will be called when an exception is thrown.

Alexxx
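To show how the question's RUNTIME_FUNCTION entries and this answer's __CxxFrameHandler3 fit together, here is an added example (not from the question, the answers, or any Microsoft code) that walks the on-disk x64 structures in Python: it finds the .pdata entry covering a faulting instruction's RVA the way RtlLookupFunctionEntry does, then reads the UNWIND_INFO header to get the language-specific handler RVA that RtlVirtualUnwind hands to the dispatcher. The image bytes, RVAs and the handler value 0x1500 are constructed placeholders, not taken from a real binary.

```python
import struct
from bisect import bisect_right

# RUNTIME_FUNCTION (x64 .pdata entry): BeginAddress, EndAddress, UnwindData, each a 32-bit RVA.
RUNTIME_FUNCTION = struct.Struct("<III")
UNW_FLAG_EHANDLER, UNW_FLAG_UHANDLER, UNW_FLAG_CHAININFO = 1, 2, 4

def parse_pdata(pdata):
    """Split raw .pdata bytes into (begin, end, unwind_rva) tuples."""
    return [RUNTIME_FUNCTION.unpack_from(pdata, off) for off in range(0, len(pdata) // 12 * 12, 12)]

def find_runtime_function(entries, rva):
    """Mimic RtlLookupFunctionEntry: binary-search the BeginAddress-sorted table for the entry covering rva."""
    i = bisect_right([e[0] for e in entries], rva) - 1
    if i >= 0 and entries[i][0] <= rva < entries[i][1]:
        return entries[i]
    return None  # leaf function, or rva outside any registered function

def parse_unwind_info(image, unwind_rva):
    """Decode the UNWIND_INFO header and, when EHANDLER/UHANDLER is set, the handler RVA that follows the codes."""
    ver_flags, prolog_size, count, frame = struct.unpack_from("<BBBB", image, unwind_rva)
    flags = ver_flags >> 3
    codes_end = unwind_rva + 4 + ((count + 1) & ~1) * 2  # UNWIND_CODE slots are 2 bytes, padded to an even count
    handler = None
    if flags & (UNW_FLAG_EHANDLER | UNW_FLAG_UHANDLER):   # with CHAININFO a RUNTIME_FUNCTION sits here instead
        handler = struct.unpack_from("<I", image, codes_end)[0]
    return {"version": ver_flags & 7, "flags": flags, "prolog_size": prolog_size,
            "unwind_codes": count, "frame_reg": frame & 0xF, "handler_rva": handler}

def locate_handler(image, pdata_rva, pdata_size, fault_rva):
    """Walk from a faulting instruction's RVA to the UNWIND_INFO the unwinder would consult for it."""
    rf = find_runtime_function(parse_pdata(image[pdata_rva:pdata_rva + pdata_size]), fault_rva)
    return None if rf is None else parse_unwind_info(image, rf[2])

def build_sample_image():
    """Constructed sample image (not a real binary): .pdata at RVA 0x2000, UNWIND_INFO blocks at 0x2100 and 0x2120."""
    image = bytearray(0x3000)
    # Function 2's UNWIND_INFO: version 1, UNW_FLAG_EHANDLER, 8-byte prolog, 2 codes, then the handler RVA.
    # 0x1500 is a placeholder for the thunk that jumps to __CxxFrameHandler3 in a real image.
    struct.pack_into("<BBBB", image, 0x2100, 1 | (UNW_FLAG_EHANDLER << 3), 8, 2, 0)
    struct.pack_into("<HHI", image, 0x2104, 0x0401, 0x0108, 0x1500)  # two sample UNWIND_CODE slots, handler RVA
    # Function 1's UNWIND_INFO: version 1, no flags, one code (padded to two slots), so no handler field.
    struct.pack_into("<BBBBH", image, 0x2120, 1, 4, 1, 0, 0x0401)
    # .pdata: two functions sorted by BeginAddress, as the linker emits them.
    struct.pack_into("<III", image, 0x2000, 0x1000, 0x1040, 0x2120)
    struct.pack_into("<III", image, 0x200C, 0x1040, 0x10A0, 0x2100)
    return bytes(image)

if __name__ == "__main__":
    img = build_sample_image()
    print(locate_handler(img, 0x2000, 24, 0x1060))  # fault inside function 2 -> handler_rva 0x1500
```

On a real binary, read .pdata and the UNWIND_INFO bytes out of the mapped image (they are all RVAs), and note that the catch block's separate funclet has its own .pdata entry, which is why the faulting instruction and the catch body never share one.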

With the goal of finding the C++ catch, you can set a Vectored Exception Handler and set a breakpoint in it. VEH runs before frame-based handlers, so it is not too late:

#include <windows.h>

// Vectored handler: called before any frame-based (SEH / C++) handler gets a look at the exception.
// Put a breakpoint here to see every exception as it is raised; ExceptionInfo carries the record and context.
LONG NTAPI vh(EXCEPTION_POINTERS* ExceptionInfo)
{
    return EXCEPTION_CONTINUE_SEARCH; // do not handle it, let normal dispatch continue to the frame handlers
}

// First = TRUE registers vh ahead of any other vectored handlers already installed.
AddVectoredExceptionHandler(TRUE, vh);

Alternatively, if you want to set a breakpoint closer to the catch block, have a __try...__except deeper in the call stack than the target catch block, return EXCEPTION_CONTINUE_SEARCH from the __except expression, and put your breakpoint there.

Alex Guteniev