Reverse Engineering for Beginners


CHAPTER 68. WINDOWS NT


So each “handler” field points to a handler and each “prev” field points to the previous record in the stack. The last record
has 0xFFFFFFFF (-1) in the “prev” field.


[Figure: the SEH chain. The TIB at FS:0 holds __except_list at offset +0 (further fields follow at +4, +8, ...). It points to the topmost record on the stack; each record consists of a Prev field (pointer to the previous record) and a Handle field (pointer to the handler function). The bottom record has Prev=0xFFFFFFFF.]

After our handler is installed, we call RaiseException()^33. This is a user exception. The handler checks the code. If
the code is 0xE1223344, it returns ExceptionContinueExecution, which means that the handler has corrected the CPU
state (usually a correction of the EIP/ESP registers) and the OS can resume execution. If you alter the
code slightly so that the handler returns ExceptionContinueSearch, then the OS will call the other handlers, and it is unlikely that
one able to handle it will be found, since none of them knows anything about it (or rather, about its code). You will see the
standard Windows dialog about a process crash.


What is the difference between a system exception and a user one? Here are the system ones:


as defined in WinBase.h             as defined in ntstatus.h         numerical value
EXCEPTION_ACCESS_VIOLATION          STATUS_ACCESS_VIOLATION          0xC0000005
EXCEPTION_DATATYPE_MISALIGNMENT     STATUS_DATATYPE_MISALIGNMENT     0x80000002
EXCEPTION_BREAKPOINT                STATUS_BREAKPOINT                0x80000003
EXCEPTION_SINGLE_STEP               STATUS_SINGLE_STEP               0x80000004
EXCEPTION_ARRAY_BOUNDS_EXCEEDED     STATUS_ARRAY_BOUNDS_EXCEEDED     0xC000008C
EXCEPTION_FLT_DENORMAL_OPERAND      STATUS_FLOAT_DENORMAL_OPERAND    0xC000008D
EXCEPTION_FLT_DIVIDE_BY_ZERO        STATUS_FLOAT_DIVIDE_BY_ZERO      0xC000008E
EXCEPTION_FLT_INEXACT_RESULT        STATUS_FLOAT_INEXACT_RESULT      0xC000008F
EXCEPTION_FLT_INVALID_OPERATION     STATUS_FLOAT_INVALID_OPERATION   0xC0000090
EXCEPTION_FLT_OVERFLOW              STATUS_FLOAT_OVERFLOW            0xC0000091
EXCEPTION_FLT_STACK_CHECK           STATUS_FLOAT_STACK_CHECK         0xC0000092
EXCEPTION_FLT_UNDERFLOW             STATUS_FLOAT_UNDERFLOW           0xC0000093
EXCEPTION_INT_DIVIDE_BY_ZERO        STATUS_INTEGER_DIVIDE_BY_ZERO    0xC0000094
EXCEPTION_INT_OVERFLOW              STATUS_INTEGER_OVERFLOW          0xC0000095
EXCEPTION_PRIV_INSTRUCTION          STATUS_PRIVILEGED_INSTRUCTION    0xC0000096
EXCEPTION_IN_PAGE_ERROR             STATUS_IN_PAGE_ERROR             0xC0000006
EXCEPTION_ILLEGAL_INSTRUCTION       STATUS_ILLEGAL_INSTRUCTION       0xC000001D
EXCEPTION_NONCONTINUABLE_EXCEPTION  STATUS_NONCONTINUABLE_EXCEPTION  0xC0000025
EXCEPTION_STACK_OVERFLOW            STATUS_STACK_OVERFLOW            0xC00000FD
EXCEPTION_INVALID_DISPOSITION       STATUS_INVALID_DISPOSITION       0xC0000026
EXCEPTION_GUARD_PAGE                STATUS_GUARD_PAGE_VIOLATION      0x80000001
EXCEPTION_INVALID_HANDLE            STATUS_INVALID_HANDLE            0xC0000008
EXCEPTION_POSSIBLE_DEADLOCK         STATUS_POSSIBLE_DEADLOCK         0xC0000194
CONTROL_C_EXIT                      STATUS_CONTROL_C_EXIT            0xC000013A

That is how the code is defined:

 bits:  31..30   29    28    27..16           15..0
       +-------+-----+-----+---------------+--------------+
       |   S   |  U  |  0  | Facility code |  Error code  |
       +-------+-----+-----+---------------+--------------+
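As an added example (not code from the book), here is a small C program that splits a 32-bit exception code into the fields of the layout above and rebuilds a code from them. The meanings of the S and U bits (severity 0..3 and the customer, i.e. user-defined, flag) follow Microsoft's NTSTATUS definition; decoding 0xE1223344 from the RaiseException() experiment shows why it counts as a user exception: its U bit is set, unlike every system code in the table.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit fields of a 32-bit NTSTATUS / exception code, as in the diagram above:
 * bits 31..30 severity (S), bit 29 user/customer bit (U), bit 28 reserved (0),
 * bits 27..16 facility, bits 15..0 error code. */
struct ntstatus_fields {
    unsigned severity;   /* 0 success, 1 informational, 2 warning, 3 error */
    unsigned user_bit;   /* 1 = user-defined code, 0 = defined by Microsoft  */
    unsigned reserved;   /* must be 0 */
    unsigned facility;   /* 12-bit facility number */
    unsigned code;       /* 16-bit error code */
};

struct ntstatus_fields ntstatus_decode(uint32_t status)
{
    struct ntstatus_fields f;
    f.severity = (status >> 30) & 0x3;
    f.user_bit = (status >> 29) & 0x1;
    f.reserved = (status >> 28) & 0x1;
    f.facility = (status >> 16) & 0xFFF;
    f.code     = status & 0xFFFF;
    return f;
}

/* Inverse: assemble a code from its fields, e.g. when defining your own
 * user exception code (bit 28 is always left clear). */
uint32_t ntstatus_make(unsigned severity, unsigned user_bit, unsigned facility, unsigned code)
{
    return ((uint32_t)(severity & 0x3) << 30) | ((uint32_t)(user_bit & 0x1) << 29)
         | ((uint32_t)(facility & 0xFFF) << 16) | (uint32_t)(code & 0xFFFF);
}

/* 1 if the code is a user (application-defined) exception, 0 if a system one */
int ntstatus_is_user(uint32_t status) { return (status >> 29) & 1; }

int main(void)
{
    /* Constructed sample: three system codes from the table plus the user code from the text */
    const uint32_t samples[] = { 0xC0000005u, 0x80000003u, 0xC00000FDu, 0xE1223344u };
    static const char *sev_name[] = { "success", "informational", "warning", "error" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct ntstatus_fields f = ntstatus_decode(samples[i]);
        printf("0x%08X: severity=%s user=%u reserved=%u facility=0x%03X code=0x%04X\n",
               samples[i], sev_name[f.severity], f.user_bit, f.reserved, f.facility, f.code);
    }
    return 0;
}
```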

^33 MSDN
