Some questions about debugging dump capture with SetUnhandledExceptionFilter
码农
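2015-10-10, 19:03
SetUnhandledExceptionFilter installs an exception filter, but while debugging, any exception that is raised is always intercepted first by the debugger (VS), so execution never reaches the filter function installed with SetUnhandledExceptionFilter. Is there any way to get around this limitation? That would make debugging easier.
Re: Some questions about debugging dump capture with SetUnhandledExceptionFilter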
格蠹老雷
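2015-10-12, 10:31
Set a breakpoint on the system's UnhandledExceptionFilter, then in the debugger modify the EIP register or change the return value of the sub-function...
Re: Some questions about debugging dump capture with SetUnhandledExceptionFilter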
nightxie
2015-10-12, 11:33
Patch BasepIsDebugPortPresent in kernel32.dll.
Re: Some questions about debugging dump capture with SetUnhandledExceptionFilter
码农
2015-10-12, 19:50
CommandLine: D:\curl_download\solution\debug\test.exe
Symbol search path is: SRV*d:\SymbolsLocal*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00c20000 00ced000 test.exe
ModLoad: 77850000 779d0000 ntdll.dll
ModLoad: 766e0000 767f0000 C:\windows\syswow64\kernel32.dll
ModLoad: 763d0000 76417000 C:\windows\syswow64\KERNELBASE.dll
ModLoad: 76ea0000 76f2f000 C:\windows\syswow64\OLEAUT32.dll
ModLoad: 764b0000 7660c000 C:\windows\syswow64\ole32.dll
ModLoad: 76620000 766cc000 C:\windows\syswow64\msvcrt.dll
ModLoad: 76f60000 76ff0000 C:\windows\syswow64\GDI32.dll
ModLoad: 772d0000 773d0000 C:\windows\syswow64\USER32.dll
ModLoad: 76080000 76120000 C:\windows\syswow64\ADVAPI32.dll
ModLoad: 76c70000 76c89000 C:\windows\SysWOW64\sechost.dll
ModLoad: 76160000 76250000 C:\windows\syswow64\RPCRT4.dll
ModLoad: 75360000 753c0000 C:\windows\syswow64\SspiCli.dll
ModLoad: 75350000 7535c000 C:\windows\syswow64\CRYPTBASE.dll
ModLoad: 77820000 7782a000 C:\windows\syswow64\LPK.dll
ModLoad: 76ff0000 7708d000 C:\windows\syswow64\USP10.dll
ModLoad: 0fcd0000 0fd87000 C:\windows\SysWOW64\MSVCP100D.dll
ModLoad: 10140000 102b2000 C:\windows\SysWOW64\MSVCR100D.dll
(21dc.254c): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=cc090000 edx=0017e108 esi=fffffffe edi=00000000
eip=778f12fb esp=003efa18 ebp=003efa44 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2c:
778f12fb cc int 3
0:000> bu Kernel32! BasepIsDebugPortPresent
breakpoint 2 redefined
0:000> g
ModLoad: 76450000 764b0000 C:\windows\SysWOW64\IMM32.DLL
ModLoad: 76300000 763cc000 C:\windows\syswow64\MSCTF.dll
(21dc.254c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=7efde000 ecx=8a026cbe edx=1029e4b8 esi=003efcfc edi=003efe34
eip=00c5cb07 esp=003efcfc ebp=003efe40 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
test!main+0xe7:
00c5cb07 c70064000000 mov dword ptr [eax],64h ds:002b:00000000=????????
0:000> g
Breakpoint 1 hit
eax=767176e7 ebx=00000000 ecx=cc090005 edx=0017e108 esi=003ef748 edi=00000000
eip=767176e7 esp=003ef71c ebp=003efee4 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
kernel32!UnhandledExceptionFilter:
767176e7 6a5c push 5Ch
0:000> kv
ChildEBP RetAddr Args to Child
003ef718 778c344f 003ef748 778c332c 00000000 kernel32!UnhandledExceptionFilter (FPO: [SEH])
003ef720 778c332c 00000000 003efee4 7787c540 ntdll!__RtlUserThreadStart+0x62 (FPO: [SEH])
003ef734 778c31d1 00000000 00000000 00000000 ntdll!_EH4_CallFilterFunc+0x12 (FPO: [Uses EBP] [0,0,4])
003ef75c 778ab60d fffffffe 003efed4 003ef898 ntdll!_except_handler4+0x8e (FPO: [4,5,4])
003ef780 778ab5df 003ef848 003efed4 003ef898 ntdll!ExecuteHandler2+0x26 (FPO: [Uses EBP] [5,3,1])
003ef7a4 778ab580 003ef848 003efed4 003ef898 ntdll!ExecuteHandler+0x24 (FPO: [5,0,3])
003ef830 77860133 003ef848 003ef898 003ef848 ntdll!RtlDispatchException+0x127 (FPO: [2,25,4])
003ef830 00000000 003ef848 003ef898 003ef848 ntdll!KiUserExceptionDispatcher+0xf (FPO: [2,0,0]) (CONTEXT @ 00000008)
0:000> g
Breakpoint 2 hit
eax=00000000 ebx=003ef748 ecx=7671792a edx=0017e108 esi=00000000 edi=00000000
eip=76717851 esp=003ef698 ebp=003ef718 iopl=0 nv up ei pl nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000213
kernel32!BasepIsDebugPortPresent:
76717851 8bff mov edi,edi
0:000> kv
ChildEBP RetAddr Args to Child
003ef694 7671773b 9f066c37 00000000 003ef748 kernel32!BasepIsDebugPortPresent (FPO: [0,1,0])
003ef718 778c344f 003ef748 778c332c 00000000 kernel32!UnhandledExceptionFilter+0x9e (FPO: [SEH])
003ef720 778c332c 00000000 003efee4 7787c540 ntdll!__RtlUserThreadStart+0x62 (FPO: [SEH])
003ef734 778c31d1 00000000 00000000 00000000 ntdll!_EH4_CallFilterFunc+0x12 (FPO: [Uses EBP] [0,0,4])
003ef75c 778ab60d fffffffe 003efed4 003ef898 ntdll!_except_handler4+0x8e (FPO: [4,5,4])
003ef780 778ab5df 003ef848 003efed4 003ef898 ntdll!ExecuteHandler2+0x26 (FPO: [Uses EBP] [5,3,1])
003ef7a4 778ab580 003ef848 003efed4 003ef898 ntdll!ExecuteHandler+0x24 (FPO: [5,0,3])
003ef830 77860133 003ef848 003ef898 003ef848 ntdll!RtlDispatchException+0x127 (FPO: [2,25,4])
003ef830 00000000 003ef848 003ef898 003ef848 ntdll!KiUserExceptionDispatcher+0xf (FPO: [2,0,0]) (CONTEXT @ 00000008)
0:000> r
eax=00000000 ebx=003ef748 ecx=7671792a edx=0017e108 esi=00000000 edi=00000000
eip=76717851 esp=003ef698 ebp=003ef718 iopl=0 nv up ei pl nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000213
kernel32!BasepIsDebugPortPresent:
76717851 8bff mov edi,edi
I don't quite understand what Mr. Zhang means; I'm a beginner who is still learning.
Re: Some questions about debugging dump capture with SetUnhandledExceptionFilter
码农
2015-10-12, 19:50
How do I patch it? Just hook it directly?