Catching unhandled exceptions in the kernel

Hey,

First of all, I’m hooking KiDispatchException in the kernel with my function. The problem with this approach is that I see weird exception codes. Even if I use this code:

uint32_t *x = NULL;
*x = 0xdeadbeef;

I won’t see STATUS_ACCESS_VIOLATION…

Or if I use:

RaiseException(0xdeadbeef, …, …);

I’m not seeing ‘0xdeadbeef’. The only codes I see are:

  • 0xC000001D
  • 0x800000003
  • 0x100000004

And more weird kernel codes; not sure why. I’m also assuming this is the signature of
KiDispatchException:
VOID
NTAPI
KiDispatchException(IN PEXCEPTION_RECORD ExceptionRecord,
                    IN PKEXCEPTION_FRAME ExceptionFrame,
                    IN PKTRAP_FRAME TrapFrame,
                    IN KPROCESSOR_MODE PreviousMode,
                    IN BOOLEAN FirstChance)

But this won’t give me only unhandled exceptions; it gives me EVERY exception. I only need to log an unhandled exception, and I was wondering if there is any indication
within the kernel of an exception triggered in a process that wasn’t handled, or whether this is purely user-space and the kernel doesn’t care.

Exception handling uses the process or library binary in x64. For instance, if you have a __try/__except pair of blocks, a structure in the binary indicates that the code within the __try block has an exception handler which starts at __except. So if any exception occurs within the __try block, the kernel will jump to the exception handler.

If the kernel cannot find an exception handler, then you have an unhandled exception.

This is a simplistic explanation but you can find more detailed documentation about Windows Exception Handling on the web.

H. G.

Unhandled exceptions are dispatched with FirstChance == FALSE
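To tie H. G.’s description of table-driven handler lookup to the FirstChance flag from the last reply, here is a small constructed model of the two-pass dispatch, added as an example and not code from Windows or from anyone in this thread: the TryRange table and the frame list are assumed stand-ins for the binary’s unwind tables and the call stack, and dispatch()/should_log() are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of x64 table-based SEH dispatch (not Windows code). */
#define STATUS_ACCESS_VIOLATION   0xC0000005u
#define EXCEPTION_EXECUTE_HANDLER 1
#define EXCEPTION_CONTINUE_SEARCH 0

/* One RUNTIME_FUNCTION-like entry: a code range guarded by a __try
 * block and the __except filter that decides whether it handles a code.
 * filter must be non-NULL in this model. */
typedef struct {
    uint64_t begin, end;
    int (*filter)(uint32_t code);
} TryRange;

/* What a KiDispatchException hook observes on each call. */
typedef struct { uint32_t code; bool first_chance; } DispatchLog;

/* Filter of a __except block that only handles access violations. */
int filter_av_only(uint32_t code) {
    return code == STATUS_ACCESS_VIOLATION ? EXCEPTION_EXECUTE_HANDLER
                                           : EXCEPTION_CONTINUE_SEARCH;
}

/* Search frames innermost-first for a guarding __try whose filter
 * accepts the code, the way the unwinder consults the binary's tables. */
static bool find_handler(const TryRange *t, size_t nt,
                         const uint64_t *pcs, size_t npc, uint32_t code) {
    for (size_t f = 0; f < npc; f++)
        for (size_t i = 0; i < nt; i++)
            if (pcs[f] >= t[i].begin && pcs[f] < t[i].end &&
                t[i].filter(code) == EXCEPTION_EXECUTE_HANDLER)
                return true;
    return false;
}

/* Two-pass dispatch: the first chance lets handlers run; if none accepts,
 * the exception is dispatched again with FirstChance == FALSE. Returns the
 * number of dispatches; a second one means the exception was unhandled. */
size_t dispatch(const TryRange *t, size_t nt, const uint64_t *pcs,
                size_t npc, uint32_t code, DispatchLog out[2]) {
    out[0].code = code; out[0].first_chance = true;
    if (find_handler(t, nt, pcs, npc, code)) return 1;
    out[1].code = code; out[1].first_chance = false;
    return 2;
}

/* The hook's filter: log only when FirstChance is FALSE, not per code. */
bool should_log(const DispatchLog *d) { return !d->first_chance; }
```

A custom RaiseException code that no filter accepts therefore reaches the hook twice, and only the second call is the one worth logging.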