Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

336 lines
8.9 KiB

#include <assert.h>
#include <stdlib.h>
#include <string.h>
#include <memory.h>
#include <nt.h>
#include <ntrtl.h>
#include <nturtl.h>
#include <ctype.h>
#include <stdio.h>
#include <windows.h>
#include "profiler.h"
#include "view.h"
#include "thread.h"
#include "dump.h"
#include "except.h"
#include "memory.h"
#include "clevel.h"
#include "cap.h"
extern BOOL g_bIsWin9X;
CAPFILTER g_execFilter;
pfnExContinue g_pfnExContinue = 0;
BOOL
HookUnchainableExceptionFilter(VOID)
{
BOOL bResult;
pfnRtlAddVectoredExceptionHandler pfnAddExceptionHandler = 0;
PVOID pvResult;
HANDLE hTemp;
DWORD dwExceptionHandler;
DWORD dwResultSize;
PVOID pAlternateHeap;
//
// If we're NT - try for the unchainable filter in ntdll
//
if (FALSE == g_bIsWin9X) {
pfnAddExceptionHandler = (pfnRtlAddVectoredExceptionHandler)GetProcAddress(GetModuleHandleA("NTDLL.DLL"),
"RtlAddVectoredExceptionHandler");
if (0 == pfnAddExceptionHandler) {
return FALSE;
}
pvResult = (*pfnAddExceptionHandler)(1,
(PVOID)ExceptionFilter);
if (0 == pvResult) {
return FALSE;
}
}
else {
//
// Set up exception handler
//
hTemp = CreateFileA(NAME_OF_EXCEPTION_VXD,
0,
0,
0,
0,
FILE_FLAG_DELETE_ON_CLOSE,
0);
if (INVALID_HANDLE_VALUE == hTemp) {
return FALSE;
}
_asm mov dwExceptionHandler, offset Win9XExceptionDispatcher
bResult = DeviceIoControl(hTemp,
INSTALL_RING_3_HANDLER,
&dwExceptionHandler,
sizeof(DWORD),
0,
0,
&dwResultSize,
0);
if (FALSE == bResult) {
return FALSE;
}
//
// Get function pointer for ExContinue
//
g_pfnExContinue = (pfnExContinue)0xbff76702;
}
return TRUE;
}
LONG
ExceptionFilter(struct _EXCEPTION_POINTERS *ExceptionInfo)
{
DWORD dwThreadId;
DWORD dwCounter;
BOOL bResult;
LONG lRet;
PCONTEXT pContext = ExceptionInfo->ContextRecord;
PEXCEPTION_RECORD pRecord = ExceptionInfo->ExceptionRecord;
PVIEWCHAIN pView = 0;
PTHREADFAULT pThreadFault = 0;
CHAR szBuffer[MAX_PATH];
//
// Retrieve thread data
//
dwThreadId = GetCurrentThreadId();
pThreadFault = GetProfilerThreadData();
if (0 == pThreadFault) {
//
// NT only code path
//
pThreadFault = AllocateProfilerThreadData();
if (0 == pThreadFault) {
//
// This wasn't suppose to happen
//
ExitProcess(-1);
}
}
//
// Rehook the view
//
if (STATUS_SINGLE_STEP == pRecord->ExceptionCode) {
//
// Trace is used to map into call or jumps types we can't forward map
//
if (pThreadFault->dwPrevBP) {
//
// If we're a call - patch the return address so we can maintain call level
//
if (pThreadFault->prevBPType == Call) {
//
// Push the return level hook
//
bResult = PushCaller((PVOID)pThreadFault,
(PVOID)pContext->Esp);
if (FALSE == bResult) {
//
// Ooops
//
ExitProcess(-1);
}
}
RestoreAddressFromView(pThreadFault->dwPrevBP,
FALSE);
if ((pThreadFault->prevBPType == Call) ||
(pThreadFault->prevBPType == Jump)) {
//
// Profile this routine if it hasn't been mapped
//
pView = FindView((DWORD)pRecord->ExceptionAddress);
if (0 == pView) {
//
// Add this address as a mapping breakpoint
//
pView = AddViewToMonitor((DWORD)pRecord->ExceptionAddress,
Map);
if (pView) {
bResult = MapCode(pView);
if (FALSE == bResult) {
//
// This is fatal
//
ExitProcess(-1);
}
}
}
}
pThreadFault->dwPrevBP = 0;
pThreadFault->prevBPType = None;
return EXCEPTION_CONTINUE_EXECUTION;
}
//
// Trace exception wasn't generated by us
//
sprintf(szBuffer, "Unhandled Trace %08X\r\n", (DWORD)pRecord->ExceptionAddress);
WriteError(szBuffer);
return EXCEPTION_CONTINUE_SEARCH;
}
//
// Restore the view
//
if (STATUS_BREAKPOINT == pRecord->ExceptionCode) {
//
// Restore any BP that hasn't been restored
//
if (pThreadFault->dwPrevBP) {
RestoreAddressFromView(pThreadFault->dwPrevBP,
FALSE);
if ((DWORD)pRecord->ExceptionAddress == pThreadFault->dwPrevBP) {
pThreadFault->dwPrevBP = 0;
pThreadFault->prevBPType = None;
return EXCEPTION_CONTINUE_EXECUTION;
}
}
/*
//
// Add address to the execution filter
//
bResult = AddToCap(&g_execFilter,
(DWORD)pRecord->ExceptionAddress);
if (FALSE == bResult) {
//
// This is fatal
//
ExitProcess(-1);
}
//
// If we've hit iteration - disable this and the previous breakpoints
//
if (0 != g_execFilter.dwIterationLock) {
for (dwCounter = 0; dwCounter < g_execFilter.dwRunLength; dwCounter++) {
//
// Replace the munged code
//
pView = RestoreAddressFromView(g_execFilter.dwArray[g_execFilter.dwCursor - dwCounter - 1],
TRUE);
//
// Add runtime event to log
//
sprintf(szBuffer, "CAP'ed %08X\r\n", g_execFilter.dwArray[g_execFilter.dwCursor - dwCounter - 1]);
AddToDump(szBuffer,
strlen(szBuffer),
FALSE);
}
//
// Clear breakpoint monitor flags
//
pThreadFault->dwPrevBP = 0;
pThreadFault->prevBPType = None;
return EXCEPTION_CONTINUE_EXECUTION;
}
*/
//
// Replace the munged code
//
pView = RestoreAddressFromView((DWORD)pRecord->ExceptionAddress,
TRUE);
if (pView) {
//
// See if we've mapped this address range in yet
//
if (FALSE == pView->bMapped) {
//
// See if this address is already mapped
//
bResult = MapCode(pView);
if (FALSE == bResult) {
//
// This is fatal
//
ExitProcess(-1);
}
}
//
// Set the trace so the last bp can be rehooked (unless we just executed a map bp)
//
pContext->EFlags |= 0x00000100;
pThreadFault->dwPrevBP = (DWORD)pRecord->ExceptionAddress;
pThreadFault->prevBPType = pView->bpType;
//
// Add runtime event to log
//
if (pView->bpType != ThreadStart) {
WriteExeFlow(dwThreadId,
(DWORD)pRecord->ExceptionAddress,
pThreadFault->dwCallLevel);
}
else {
WriteThreadStart(dwThreadId,
(DWORD)pRecord->ExceptionAddress);
}
return EXCEPTION_CONTINUE_EXECUTION;
}
//
// BP exception wasn't generated by us
//
sprintf(szBuffer, "Unhandled BP %08X\r\n", (DWORD)pRecord->ExceptionAddress);
WriteError(szBuffer);
return EXCEPTION_CONTINUE_SEARCH;
}
//
// Continue searching the chain
//
return EXCEPTION_CONTINUE_SEARCH;
}
VOID
Win9XExceptionDispatcher(struct _EXCEPTION_POINTERS *ExceptionInfo)
{
LONG lResult;
//
// Call exception handler
//
lResult = ExceptionFilter(ExceptionInfo);
if (lResult != EXCEPTION_CONTINUE_EXECUTION) {
//
// Fault not handled - page fault will terminate app
//
return;
}
//
// Set the context results
//
SET_CONTEXT();
//
// This code path is never executed (unless the above call fails)
//
return;
}