Hey,
First of all, I’m hooking KiDispatchException in the kernel with my function. The problem with this approach is that I see weird exception codes. Even if I use this code:
uint32_t *x = NULL;
*x = 0xdeadbeef;
I won’t see STATUS_ACCESS_VIOLATION…
Or if I use:
RaiseException(0xdeadbeef, …, …);
I’m not seeing ‘0xdeadbeef’. The only codes I see are:
- 0xC000001D
- 0x800000003
- 0x100000004
And more weird kernel codes, not sure why. I’m also assuming this is the signature of KiDispatchException:
VOID
NTAPI
KiDispatchException(IN PEXCEPTION_RECORD ExceptionRecord,
IN PKEXCEPTION_FRAME ExceptionFrame,
IN PKTRAP_FRAME TrapFrame,
IN KPROCESSOR_MODE PreviousMode,
IN BOOLEAN FirstChance)
But this won’t give me an unhandled exception, but rather give me EVERY exception. I only need to log an unhandled exception, and I was wondering if there is any indication within the kernel of an exception triggered in a process that wasn’t handled, or whether this is purely user-space and the kernel doesn’t care.