I am reading this article about SEH on Windows, and here is the source code for myseh.cpp.
I was debugging myseh.cpp. I set 2 breakpoints, on printf("Hello from an exception handler\n"); at line 24 and on DWORD handler = (DWORD)_except_handler; at line 36 respectively.
Then I ran it and it broke on line 36. I saw the stack trace as follows:
Along the way, an AccessViolationException occurred because of mov [eax], 1.
It then broke on line 24. I saw the stack trace as follows:

The same stream, but the main frame has disappeared! Instead there is _except_handler. And ESP jumped from 0018f6c8 to 0018ef34; that is a big gap between 0018f6c8 and 0018ef34.
After handling the exception.
I know that _except_handler should run in user mode, not in kernel mode. After returning from _except_handler, the thread switched to ring0, and then the Windows kernel changed CONTEXT EAX to &scratch, and then returned to ring3. Thus, the flow was continuous.
I am curious about the Windows mechanism associated with the exception: why is there no frame for main?
WHY did ESP jump from 0018f6c8 to 0018ef34 (I mean, such a big step)? Do these ESP addresses belong to the same thread? Did the kernel play some tricks on ESP in ring3? If so, WHY did it choose the address 0018ef34 as the frame for the handler? Many thanks!
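The following is an added example, not code from the question or from the article it refers to, and not Windows SEH code. It uses the POSIX analog of the same mechanism so that it can be run anywhere: a fault in user mode traps to the kernel, the kernel saves the interrupted registers (ucontext_t, the counterpart of CONTEXT) together with siginfo_t on the same thread's stack, below the faulting frame, and then runs the user-mode handler on top of that. Measuring a local in the faulting function against a local in the handler shows that the handler runs on the same thread and stack, at a lower address, with a gap at least as large as the saved context, which is the same shape as the ESP jump in the question. All function names (stack_gap_bytes, on_segv, and so on) are this example's own.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

/* Example code (POSIX analog of SEH dispatch); not from the question or the article. */

static sigjmp_buf recover;                 /* where the handler "returns" to after the fault */
static volatile uintptr_t sp_in_handler;   /* address of a local inside the handler's frame */
static volatile int handler_ran;
static void *volatile fault_addr;          /* faulting address reported by the kernel */

/* User-mode handler: the kernel has already pushed siginfo_t and ucontext_t
 * (saved registers) onto this thread's stack before calling us here. */
static void on_segv(int sig, siginfo_t *info, void *uctx)
{
    char marker;                           /* lives in the handler's own frame */
    (void)sig; (void)uctx;
    sp_in_handler = (uintptr_t)&marker;
    fault_addr = info->si_addr;            /* the address the faulting store targeted */
    handler_ran = 1;
    siglongjmp(recover, 1);                /* resume in user mode; the faulting store is skipped */
}

/* Runs a NULL store (the analog of mov [eax],1 with eax == 0) with a handler
 * installed. Returns how many bytes below this frame the handler's frame was. */
long stack_gap_bytes(void)
{
    char marker;                           /* a local in the frame that faults */
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    handler_ran = 0;
    if (sigsetjmp(recover, 1) == 0) {
        int *volatile bad = NULL;          /* volatile so the compiler keeps the store */
        *bad = 1;                          /* faults here; the kernel builds the signal frame below us */
    }
    sigaction(SIGSEGV, &old, NULL);        /* restore the previous disposition */
    return (long)((uintptr_t)&marker - sp_in_handler);
}

/* Lower bound on the gap: the kernel pushes at least siginfo_t and ucontext_t
 * between the interrupted frame and the handler's frame. */
size_t minimum_expected_gap(void)
{
    return sizeof(siginfo_t) + sizeof(ucontext_t);
}

int handler_was_invoked(void) { return handler_ran; }
const void *last_fault_address(void) { return fault_addr; }

int main(void)
{
    long gap = stack_gap_bytes();
    printf("handler ran on the same stack, %ld bytes below the faulting frame "
           "(at least %zu expected for the saved context), fault address %p\n",
           gap, minimum_expected_gap(), last_fault_address());
    return handler_was_invoked() ? 0 : 1;
}
```

On Windows x86 the layout is the same in spirit: the kernel writes the EXCEPTION_RECORD and CONTEXT onto the faulting thread's user stack and returns to ring3 in KiUserExceptionDispatcher, which walks the SEH chain and calls _except_handler on top of that data, so the handler's ESP is lower than main's and main's frame still exists above it even if the debugger's unwinder stops at the dispatcher.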