Driver Problems? Questions? Issues?
Put OSR's experience to work for you! Contact us for assistance with:
  • Creating the right design for your requirements
  • Reviewing your existing driver code
  • Analyzing driver reliability/performance issues
  • Custom training mixed with consulting and focused directly on your specific areas of interest/concern.
Check us out. OSR, the Windows driver experts.

Monthly Seminars at OSR Headquarters

East Coast USA
Windows Internals and SW Drivers, Dulles (Sterling) VA, 13 November 2017

Kernel Debugging & Crash Analysis for Windows, Nashua (Amherst) NH, 4 December 2017

Writing WDF Drivers I: Core Concepts, Nashua (Amherst) NH, 8 January 2018

WDF Drivers II: Advanced Implementation Techniques, Nashua (Amherst) NH, 15 January 2018


Go Back   OSR Online Lists > ntdev
Welcome, Guest
You must login to post to this list
  Message 1 of 5  
29 Jan 18 03:47
kindof
xxxxxx@qq.com
Join Date: 06 Jul 2014
Posts To This List: 33
kernel try/exception filter won't work?

recently we received a bsod case that my exception filter won't work, here is the code __try { MmProbeAndLockPages( Mdl, KernelMode, IoWriteAccess); } __except((S = GetExceptionCode()) !=0x123456 ? EXCEPTION_EXECUTE_HANDLER:EXCEPTION_CONTINUE_SEARCH) { IoFreeMdl( Mdl ); Mdl = NULL; } and the stack when bsod occurs like : 2: kd> k Child-SP RetAddr Call Site fffffe82`a895e648 fffff802`1afc7b63 nt!KeBugCheckEx fffffe82`a895e650 fffff802`1af7e68f nt!PspSystemThreadStartup$filt$0+0x44 fffffe82`a895e690 fffff802`1afb66fd nt!_C_specific_handler+0x9f fffffe82`a895e700 fffff802`1ae1fa3a nt!RtlpExecuteHandlerForException+0xd fffffe82`a895e730 fffff802`1ae2020d nt!RtlDispatchException+0x4ba fffffe82`a895ee20 fffff802`1afc0ece nt!KiDispatchException+0x14d fffffe82`a895f4e0 fffff802`1afbc03b nt!KiExceptionDispatch+0xce fffffe82`a895f6c0 fffff800`c15f1a30 nt!KiSegmentNotPresentFault+0x3fb which it seems i dont handle the exception well,but the value of S(assigned by GetExceptionCode()) is c0000005 for sure 3: kd> dd S fffff808`c20851e8 c0000005 on the other hand ,i do another test,code like : __try { MmProbeAndLockPages( Mdl, KernelMode, IoWriteAccess); } __except(EXCEPTION_EXECUTE_HANDLER) { IoFreeMdl( Mdl ); Mdl = NULL; } no bsod !!! so what is going on?? plus?i find out a driver with signature sha1 only was loaded on that machine ps:asm code for the exception filter xx!KlibMemEnableW$filt$0 76 fffff808`c2083cc0 48894c2408 mov qword ptr [rsp+8],rcx 76 fffff808`c2083cc5 4889542410 mov qword ptr [rsp+10h],rdx 76 fffff808`c2083cca 55 push rbp 76 fffff808`c2083ccb 4883ec30 sub rsp,30h 76 fffff808`c2083ccf 488bea mov rbp,rdx 76 fffff808`c2083cd2 48894d40 mov qword ptr [rbp+40h],rcx 76 fffff808`c2083cd6 488b4540 mov rax,qword ptr [rbp+40h] 76 fffff808`c2083cda 488b00 mov rax,qword ptr [rax] 76 fffff808`c2083cdd 8b00 mov eax,dword ptr [rax] 76 fffff808`c2083cdf 894548 mov dword ptr [rbp+48h],eax 76 fffff808`c2083ce2 8b4548 mov eax,dword ptr [rbp+48h] 76 fffff808`c2083ce5 8905fd140000 mov dword ptr [xx!gInjectionHandle+0x8 (fffff808`c20851e8)],eax 76 fffff808`c2083ceb 8b05f7140000 mov eax,dword ptr [xx!gInjectionHandle+0x8 (fffff808`c20851e8)] 76 fffff808`c2083cf1 3d56341200 cmp eax,123456h 76 fffff808`c2083cf6 7409 je xx!KlibMemEnableW$filt$0+0x41 (fffff808`c2083d01) xx!KlibMemEnableW$filt$0+0x38 76 fffff808`c2083cf8 c7454c01000000 mov dword ptr [rbp+4Ch],1 76 fffff808`c2083cff eb07 jmp xx!KlibMemEnableW$filt$0+0x48 (fffff808`c2083d08) xx!KlibMemEnableW$filt$0+0x41 76 fffff808`c2083d01 c7454c00000000 mov dword ptr [rbp+4Ch],0 xx!KlibMemEnableW$filt$0+0x48 76 fffff808`c2083d08 8b454c mov eax,dword ptr [rbp+4Ch] 76 fffff808`c2083d0b 4883c430 add rsp,30h 76 fffff808`c2083d0f 5d pop rbp 76 fffff808`c2083d10 c3 ret
  Message 2 of 5  
09 Feb 18 06:54
jack zheng
xxxxxx@gmail.com
Join Date: 03 Nov 2016
Posts To This List: 1
kernel try/exception filter won't work?

?????????????????????????=A5??????? 2018-01-29 16:48 GMT+08:00 xxxxx@qq.com <xxxxx@lists.osr.com>: > recently we received a bsod case that my exception filter won't work, here > is the code > > __try > { > MmProbeAndLockPages( Mdl, KernelMode, > IoWriteAccess); > } > __except((S = GetExceptionCode()) !=0x123456 ? > EXCEPTION_EXECUTE_HANDLER:EXCEPTION_CONTINUE_SEARCH) <...excess quoted lines suppressed...> --
  Message 3 of 5  
09 Feb 18 10:29
Mark Roddy
xxxxxx@gmail.com
Join Date: 25 Feb 2000
Posts To This List: 4056
kernel try/exception filter won't work?

"CONTINUE_SEARCH" is going to BSOD. Mark Roddy On Mon, Jan 29, 2018 at 3:48 AM, xxxxx@qq.com <xxxxx@lists.osr.com> wrote: > recently we received a bsod case that my exception filter won't work, here > is the code > > __try > { > MmProbeAndLockPages( Mdl, KernelMode, > IoWriteAccess); > } > __except((S = GetExceptionCode()) !=0x123456 ? > EXCEPTION_EXECUTE_HANDLER:EXCEPTION_CONTINUE_SEARCH) <...excess quoted lines suppressed...> --
  Message 4 of 5  
09 Feb 18 14:27
Ken Johnson
xxxxxx@valhallalegends.com
Join Date: 24 Jul 2008
Posts To This List: 1026
kernel try/exception filter won't work?

Furthermore, an attempt to modify an HVCI-protected code page, as is what appeared to be happening here, will never succeed. It?s expected that this will always result in an access violation exception being raised on an attempt to write to a SLAT-protected physical address. For this (among other) reasons, it?s advisable to move away from code page patching. - S (Msft) From: xxxxx@gmail.com<mailto:xxxxx@lists.osr.com> Sent: Friday, February 9, 2018 7:28 AM To: Windows System Software Devs Interest List<mailto:xxxxx@lists.osr.com> Subject: Re: [ntdev] kernel try/exception filter won't work? "CONTINUE_SEARCH" is going to BSOD. Mark Roddy On Mon, Jan 29, 2018 at 3:48 AM, xxxxx@qq.com<mailto:xxxxx@qq.com> <xxxxx@lists.osr.com<mailto:xxxxx@lists.osr.com>> wrote: recently we received a bsod case that my exception filter won't work, here is the code __try { MmProbeAndLockPages( Mdl, KernelMode, IoWriteAccess); } __except((S = GetExceptionCode()) !=0x123456 ? EXCEPTION_EXECUTE_HANDLER:EXCEPTION_CONTINUE_SEARCH) { IoFreeMdl( Mdl ); Mdl = NULL; } and the stack when bsod occurs like : 2: kd> k Child-SP RetAddr Call Site fffffe82`a895e648 fffff802`1afc7b63 nt!KeBugCheckEx fffffe82`a895e650 fffff802`1af7e68f nt!PspSystemThreadStartup$filt$0+0x44 fffffe82`a895e690 fffff802`1afb66fd nt!_C_specific_handler+0x9f fffffe82`a895e700 fffff802`1ae1fa3a nt!RtlpExecuteHandlerForException+0xd fffffe82`a895e730 fffff802`1ae2020d nt!RtlDispatchException+0x4ba fffffe82`a895ee20 fffff802`1afc0ece nt!KiDispatchException+0x14d fffffe82`a895f4e0 fffff802`1afbc03b nt!KiExceptionDispatch+0xce fffffe82`a895f6c0 fffff800`c15f1a30 nt!KiSegmentNotPresentFault+0x3fb which it seems i dont handle the exception well,but the value of S(assigned by GetExceptionCode()) is c0000005 for sure 3: kd> dd S fffff808`c20851e8 c0000005 on the other hand ,i do another test,code like : __try { MmProbeAndLockPages( Mdl, KernelMode, IoWriteAccess); } __except(EXCEPTION_EXECUTE_HANDLER) { IoFreeMdl( Mdl ); Mdl = NULL; } no bsod !!! so what is going on?? plus?i find out a driver with signature sha1 only was loaded on that machine ps:asm code for the exception filter xx!KlibMemEnableW$filt$0 76 fffff808`c2083cc0 48894c2408 mov qword ptr [rsp+8],rcx 76 fffff808`c2083cc5 4889542410 mov qword ptr [rsp+10h],rdx 76 fffff808`c2083cca 55 push rbp 76 fffff808`c2083ccb 4883ec30 sub rsp,30h 76 fffff808`c2083ccf 488bea mov rbp,rdx 76 fffff808`c2083cd2 48894d40 mov qword ptr [rbp+40h],rcx 76 fffff808`c2083cd6 488b4540 mov rax,qword ptr [rbp+40h] 76 fffff808`c2083cda 488b00 mov rax,qword ptr [rax] 76 fffff808`c2083cdd 8b00 mov eax,dword ptr [rax] 76 fffff808`c2083cdf 894548 mov dword ptr [rbp+48h],eax 76 fffff808`c2083ce2 8b4548 mov eax,dword ptr [rbp+48h] 76 fffff808`c2083ce5 8905fd140000 mov dword ptr [xx!gInjectionHandle+0x8 (fffff808`c20851e8)],eax 76 fffff808`c2083ceb 8b05f7140000 mov eax,dword ptr [xx!gInjectionHandle+0x8 (fffff808`c20851e8)] 76 fffff808`c2083cf1 3d56341200 cmp eax,123456h 76 fffff808`c2083cf6 7409 je xx!KlibMemEnableW$filt$0+0x41 (fffff808`c2083d01) xx!KlibMemEnableW$filt$0+0x38 76 fffff808`c2083cf8 c7454c01000000 mov dword ptr [rbp+4Ch],1 76 fffff808`c2083cff eb07 jmp xx!KlibMemEnableW$filt$0+0x48 (fffff808`c2083d08) xx!KlibMemEnableW$filt$0+0x41 76 fffff808`c2083d01 c7454c00000000 mov dword ptr [rbp+4Ch],0 xx!KlibMemEnableW$filt$0+0x48 76 fffff808`c2083d08 8b454c mov eax,dword ptr [rbp+4Ch] 76 fffff808`c2083d0b 4883c430 add rsp,30h 76 fffff808`c2083d0f 5d pop rbp 76 fffff808`c2083d10 c3 ret --- NTDEV is sponsored by OSR Visit the list online at: <http://www.osronline.com/showlists.cfm?list=ntdev<https://na01.safelinks.protect ion.outlook.com/?url=http%3A%2F%2Fwww.osronline.com%2Fshowlists.cfm%3Flist%3Dntde v&data=01%7C01%7C%7C6c8b46509cdc4126b5eb08d56fd1cb57%7C86905f1707e74740ba90cdb1f2 017e2a%7C1&sdata=aNwCBcT9oZD%2FobcENrnJcZ87Q731dB%2B%2B7psGeI7gpqM%3D&reserved=0> > MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers! Details at <http://www.osr.com/seminars<https://na01.safelinks.protection.outlook.com/?url=h ttp%3A%2F%2Fwww.osr.com%2Fseminars&data=01%7C01%7C%7C6c8b46509cdc4126b5eb08d56fd1 cb57%7C86905f1707e74740ba90cdb1f2017e2a%7C1&sdata=l%2FEt3VKJukB6eA1DTu5xuKk1NbUBN hng8i3pq8dnDFQ%3D&reserved=0>> To unsubscribe, visit the List Server section of OSR Online at <http://www.osronline.com/page.cfm?name=ListServer<https://na01.safelinks.protect ion.outlook.com/?url=http%3A%2F%2Fwww.osronline.com%2Fpage.cfm%3Fname%3DListServe r&data=01%7C01%7C%7C6c8b46509cdc4126b5eb08d56fd1cb57%7C86905f1707e74740ba90cdb1f2 017e2a%7C1&sdata=9LokB3t1sg4SId5PsIaf0912bfQnt00OOSm9CHiuqbA%3D&reserved=0>> --- NTDEV is sponsored by OSR Visit the list online at: MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers! Details at To unsubscribe, visit the List Server section of OSR Online at --
  Message 5 of 5  
09 Feb 18 14:48
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 11795
kernel try/exception filter won't work?

xxxxx@gmail.com wrote: > > > 2018-01-29 16:48 GMT+08:00 xxxxx@qq.com <mailto:xxxxx@qq.com> > <xxxxx@lists.osr.com <mailto:xxxxx@lists.osr.com>>: > > recently we received a bsod case that my exception filter won't > work, here is the code > ... > and the stack when bsod occurs like : > <...excess quoted lines suppressed...> Given that stack, what leads you to suspect the exception filter?  There's nothing here that points to that code. -- Tim Roberts, xxxxx@probo.com Providenza & Boekelheide, Inc.
Posting Rules  
You may not post new threads
You may not post replies
You may not post attachments
You must login to OSR Online AND be a member of the ntdev list to be able to post.

All times are GMT -5. The time now is 06:50.


Copyright ©2015, OSR Open Systems Resources, Inc.
Based on vBulletin Copyright ©2000 - 2005, Jelsoft Enterprises Ltd.
Modified under license