Geek asks and answers

How can I find my own exceptions on the x64 stack?

I have been using WinDbg to debug dump files for some time. There is a good "trick" that works with native x86 programs, you can scan the flag stack CONTEXT_ALL( 0x1003f ).

On x64, the flags CONTEXT_ALLdo not seem to contain 0x1003f ...

Now the problem is that sometimes, when you mix native with managed code, the usual methods for detecting exceptions (like .exc or .lastevent).

What is equivalent to this 0x1003f in x64? is there such a constant?

EDIT:

By the way, if you're interested, theoretically this should be 10003f due to the definitions:

#define CONTEXT_I386    0x00010000
#define CONTEXT_AMD64   0x00100000

#define CONTEXT_CONTROL             0x00000001L // SS:SP, CS:IP, FLAGS, BP
#define CONTEXT_INTEGER             0x00000002L // AX, BX, CX, DX, SI, DI
#define CONTEXT_SEGMENTS            0x00000004L // DS, ES, FS, GS
#define CONTEXT_FLOATING_POINT      0x00000008L // 387 state
#define CONTEXT_DEBUG_REGISTERS     0x00000010L // DB 0-3,6,7
#define CONTEXT_EXTENDED_REGISTERS  0x00000020L // cpu specific extensions
#define CONTEXT_FULL (CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS)
#define CONTEXT_ALL (CONTEXT_FULL | CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS | CONTEXT_EXTENDED_REGISTERS)

#define CONTEXT_I386_FULL CONTEXT_I386 | CONTEXT_FULL
#define CONTEXT_I386_ALL  CONTEXT_I386 | CONTEXT_ALL
#define CONTEXT_AMD64_FULL CONTEXT_AMD64 | CONTEXT_FULL
#define CONTEXT_AMD64_ALL  CONTEXT_AMD64 | CONTEXT_ALL

But it is not...

+5
1

(ES DS CONTEXT). .

, , , 0x10001f:

0:000> dt ntdll!_context 000df1d0
...
   +0x030 ContextFlags     : 0x10001f
...
   +0x03a SegDs            : 0x2b
   +0x03c SegEs            : 0x2b
...

, ContextFlags , , , @@++ (# FIELD_OFFSET (ntdll! _CONTEXT, ContextFlags)) , .

, , . , , ( , , ).

+2

More articles:


All Articles