  1. KeContextFromKframesTrapFrame备份到Context,为返回3环做准备。
  2. 判断先前模式,0是内核调用反之是用户层调用。
  3. 是否是第一次机会。
  4. 是否有内核调试器。
  5. 如果没有或者内核调试器不处理。
  6. 调用RtlDispatchException,查找并调用异常处理函数。
  7. 如果返回FALSE,再次判断是否有内核调试器,有调用,没有直接蓝屏。


push    390h
push    offset stru_401FA0
call    __SEH_prolog
mov     eax, ___security_cookie
mov     [ebp+security_cookie], eax
mov     esi, [ebp+ExceptionRecord]
mov     [ebp+var_ExceptionRecord], esi
mov     ecx, [ebp+ExceptionFrame]
mov     [ebp+var_ExceptionFrame], ecx
mov     ebx, [ebp+TrapFrame]
mov     [ebp+var_TrapFrame], ebx
db      3Eh
mov     eax, ds:0FFDFF020h
inc     [eax+_KPRCB.KeExceptionDispatchCount] ; 异常派发数加1
mov     [ebp+Context.ContextFlags], 10017h
cmp     [ebp+PreviousMode], 1
jz      short IsUserMode
cmp     _KdDebuggerEnabled, 0
jz      short KernelModeAndNoDBG

  函数开始开始赋值一波,然后判断否是为3环,但我们是内核的,故不会跳转,然后cmp _KdDebuggerEnabled, 0判断调试器是否开启,具体将会在调试篇进行讲解,这里就不多说了。

KernelModeAndNoDBG:                     ; CODE XREF: KiDispatchException(x,x,x,x,x)+55↑j
                                        ; KiDispatchException(x,x,x,x,x)+68↑j
                lea     eax, [ebp+Context]
                push    eax             ; ContextRecord
                push    ecx             ; ExceptionFrame
                push    ebx             ; TrapFrame
                call    _KeContextFromKframes@12 ; KeContextFromKframes(x,x,x)
                mov     eax, [esi]
                cmp     eax, STATUS_BREAKPOINT
                jz      short IsBreakPoint
                cmp     eax, KI_EXCEPTION_ACCESS_VIOLATION
                jnz     short OtherExceptionProc
                mov     dword ptr [esi], STATUS_ACCESS_VIOLATION
                cmp     [ebp+PreviousMode], 1
                jnz     short OtherExceptionProc
                lea     eax, [ebp+Context]
                push    eax             ; Context
                push    esi             ; ExceptionRecord
                call    _KiCheckForAtlThunk@8 ; KiCheckForAtlThunk(x,x)
                test    al, al
                jnz     loc_425AFD
                cmp     byte ptr ds:0FFDF0280h, 1
                jnz     short OtherExceptionProc
                cmp     dword ptr [esi+14h], 8
                jnz     short OtherExceptionProc
                test    _KeNumberProcessors+0Fh, 40h
                jnz     short loc_425A30
                mov     eax, large fs:_KPCR.PrcbData.CurrentThread
                mov     eax, [eax+_KTHREAD.ApcState.Process]
                test    [eax+_EPROCESS.Pcb.___u27.Flags._bf_0], 2
                jnz     short loc_425A30
                test    _KeNumberProcessors+0Fh, 80h
                jnz     short OtherExceptionProc
                mov     eax, large fs:_KPCR.PrcbData.CurrentThread
                mov     eax, [eax+_KTHREAD.ApcState.Process]
                test    [eax+_EPROCESS.Pcb.___u27.Flags._bf_0], 1
                jnz     short OtherExceptionProc


IsBreakPoint:                           ; CODE XREF: KiDispatchException(x,x,x,x,x)+89↑j
                dec     [ebp+Context._Eip]

OtherExceptionProc:                     ; CODE XREF: KiDispatchException(x,x,x,x,x)+90↑j
                                        ; KiDispatchException(x,x,x,x,x)+9C↑j ...
                xor     edi, edi

DebugRoutine:                           ; CODE XREF: KiDispatchException(x,x,x,x,x)+F7↑j


                cmp     [ebp+PreviousMode], 0
                jnz     short UserMode
                cmp     [ebp+FirstChance], 1
                jnz     short SecondChance
                mov     eax, _KiDebugRoutine
                cmp     eax, edi        ; edi = 0
                jz      short NoDebugRoutine
                push    edi             ; SecondChance
                push    edi             ; PreviousMode
                lea     ecx, [ebp+Context]
                push    ecx             ; ContextRecord
                push    esi             ; ExceptionRecord
                push    [ebp+var_ExceptionFrame] ; ExceptionFrame
                push    ebx             ; TrapFrame
                call    eax ; _KiDebugRoutine
                test    al, al
                jnz     loc_425AFD

NoDebugRoutine:                         ; CODE XREF: KiDispatchException(x,x,x,x,x)+114↑j
                lea     eax, [ebp+Context]
                push    eax             ; Context
                push    esi             ; ExceptionRecord
                call    _RtlDispatchException@8 ; RtlDispatchException(x,x)
                cmp     al, 1
                jz      short loc_425AFD


 SecondChance:                           ; CODE XREF: KiDispatchException(x,x,x,x,x)+10B↑j
                 mov     eax, _KiDebugRoutine
                 cmp     eax, edi
                 jz      NoDebugRoutine_0
                 push    1               ; SecondChance
                 push    edi             ; PreviousMode
                 lea     ecx, [ebp+Context]
                 push    ecx             ; ContextRecord
                 push    esi             ; ExceptionRecord
                 push    [ebp+var_ExceptionFrame] ; ExceptionFrame
                 push    ebx             ; TrapFrame
                 call    eax ; _KiDebugRoutine
                 test    al, al
                 jnz     short loc_425AFD
                 jmp     NoDebugRoutine_0


NoDebugRoutine_0:                       ; CODE XREF: KiDispatchException(x,x,x,x,x)+149↑j
                                        ; KiDispatchException(x,x,x,x,x)+167↑j
                push    edi             ; BugCheckParameter4
                push    ebx             ; BugCheckParameter3
                push    [esi+_EXCEPTION_RECORD32.ExceptionAddress] ; BugCheckParameter2
                push    [esi+_EXCEPTION_RECORD32.ExceptionCode] ; BugCheckParameter1
                push    KERNEL_MODE_EXCEPTION_NOT_HANDLED ; BugCheckCode
                call    _KeBugCheckEx@20 ; KeBugCheckEx(x,x,x,x,x)




  1. KeContextFromKframesTrapFrame备份到Context,为返回3环做准备。
  2. 判断先前模式,0是内核调用反之是用户层调用。
  3. 是否是第一次机会。
  4. 是否有内核调试器。
  5. 发送给3环调试。


inc     [eax+_KPRCB.KeExceptionDispatchCount] ; 异常派发数加1
mov     [ebp+Context.ContextFlags], 10017h
cmp     [ebp+PreviousMode], 1
jz      short IsUserMode
cmp     _KdDebuggerEnabled, 0
jz      short KernelModeAndNoDBG


IsUserMode:                             ; CODE XREF: KiDispatchException(x,x,x,x,x)+4C↑j
                mov     [ebp+Context.ContextFlags], 1001Fh
                cmp     _KeI386XMMIPresent, 0
                jz      short KernelModeAndNoDBG
                mov     [ebp+Context.ContextFlags], 1003Fh

KernelModeAndNoDBG:                     ; CODE XREF: KiDispatchException(x,x,x,x,x)+55↑j
                                        ; KiDispatchException(x,x,x,x,x)+68↑j
                lea     eax, [ebp+Context]
                push    eax             ; ContextRecord
                push    ecx             ; ExceptionFrame
                push    ebx             ; TrapFrame
                call    _KeContextFromKframes@12 ; KeContextFromKframes(x,x,x)
                mov     eax, [esi]
                cmp     eax, STATUS_BREAKPOINT
                jz      short IsBreakPoint
                cmp     eax, KI_EXCEPTION_ACCESS_VIOLATION
                jnz     short OtherExceptionProc
                mov     dword ptr [esi], STATUS_ACCESS_VIOLATION
                cmp     [ebp+PreviousMode], 1
                jnz     short OtherExceptionProc
                lea     eax, [ebp+Context]
                push    eax             ; Context
                push    esi             ; ExceptionRecord
                call    _KiCheckForAtlThunk@8 ; KiCheckForAtlThunk(x,x)
                test    al, al
                jnz     loc_425AFD
                cmp     byte ptr ds:0FFDF0280h, 1
                jnz     short OtherExceptionProc
                cmp     dword ptr [esi+14h], 8
                jnz     short OtherExceptionProc
                test    _KeNumberProcessors+0Fh, 40h
                jnz     short loc_425A30
                mov     eax, large fs:_KPCR.PrcbData.CurrentThread
                mov     eax, [eax+_KTHREAD.ApcState.Process]
                test    [eax+_EPROCESS.Pcb.___u27.Flags._bf_0], 2
                jnz     short loc_425A30
                test    _KeNumberProcessors+0Fh, 80h
                jnz     short OtherExceptionProc
                mov     eax, large fs:_KPCR.PrcbData.CurrentThread
                mov     eax, [eax+_KTHREAD.ApcState.Process]
                test    [eax+_EPROCESS.Pcb.___u27.Flags._bf_0], 1
                jnz     short OtherExceptionProc


This marks the beginning of an x86 ATL thunk. Control will branch here if the ATL thunk was built in memory marked no execute. If that is the case, then the thunk code will be emulated and control returned to the thread.


DebugRoutine:                           ; CODE XREF: KiDispatchException(x,x,x,x,x)+F7↑j
                cmp     [ebp+PreviousMode], 0
                jnz     short UserMode_0
                cmp     [ebp+FirstChance], 1
                jnz     short SecondChance
                mov     eax, _KiDebugRoutine
                cmp     eax, edi        ; edi = 0
                jz      short NoDebugRoutine
                push    edi             ; SecondChance
                push    edi             ; PreviousMode
                lea     ecx, [ebp+Context]
                push    ecx             ; ContextRecord
                push    esi             ; ExceptionRecord
                push    [ebp+var_ExceptionFrame] ; ExceptionFrame
                push    ebx             ; TrapFrame
                call    eax ; _KiDebugRoutine
                test    al, al
                jnz     loc_425AFD


UserMode_0:                             ; CODE XREF: KiDispatchException(x,x,x,x,x)+105↑j
                cmp     [ebp+FirstChance], 1
                jnz     SecondChance_0
                cmp     _KiDebugRoutine, edi
                jz      short NoDebugRoutine_1
                mov     eax, large fs:_KPCR.PrcbData.CurrentThread
                mov     eax, [eax+_KTHREAD.ApcState.Process]
                cmp     [eax+_EPROCESS.DebugPort], edi
                jz      short NoDebugPort
                push    1
                lea     eax, [ebp+Context]
                push    eax
                push    esi
                call    _KdIsThisAKdTrap@12 ; KdIsThisAKdTrap(x,x,x)
                test    al, al
                jz      short NoDebugRoutine_1

NoDebugPort:                            ; CODE XREF: KiDispatchException(x,x,x,x,x)+18D↑j
                push    edi             ; SecondChance
                push    dword ptr [ebp+PreviousMode] ; PreviousMode
                lea     eax, [ebp+Context]
                push    eax             ; ContextRecord
                push    esi             ; ExceptionRecord
                push    [ebp+var_ExceptionFrame] ; ExceptionFrame
                push    ebx             ; TrapFrame
                call    _KiDebugRoutine
                test    al, al
                jz      short NoDebugRoutine_1


NoDebugRoutine_1:                       ; CODE XREF: KiDispatchException(x,x,x,x,x)+17C↑j
                                        ; KiDispatchException(x,x,x,x,x)+1A0↑j ...
                push    edi             ; SecondChance
                push    1               ; DebugException
                push    esi             ; ExceptionRecord
                call    _DbgkForwardException@12 ; DbgkForwardException(x,x,x)
                test    al, al
                jnz     short EndProc
                mov     [ebp+var_SecondChance], edi



