.text:804FC93E ; =============================================================================
.text:804FC93E ; KiDispatchException -- kernel-side exception dispatcher (x86 ntoskrnl, IDA
.text:804FC93E ; listing; Intel syntax). stdcall with five arguments (the split-off epilogue
.text:804FC93E ; below ends in "retn 14h"). C shape reconstructed from the IDA arg names:
.text:804FC93E ;
.text:804FC93E ;   VOID KiDispatchException(PEXCEPTION_RECORD ExceptionRecord,  ; esi
.text:804FC93E ;                            PVOID             ExceptionFrame,   ; ecx, then local
.text:804FC93E ;                            PKTRAP_FRAME      TrapFrame,        ; ebx
.text:804FC93E ;                            KPROCESSOR_MODE   PreviousMode,     ; 0 kernel / 1 user
.text:804FC93E ;                            BOOLEAN           FirstChance)
.text:804FC93E ;
.text:804FC93E ; Register roles: esi = ExceptionRecord, ebx = TrapFrame, edi = 0 (zero
.text:804FC93E ; constant, also pushed as the FALSE "SecondChance"/"PreviousMode" args).
.text:804FC93E ; Locals:
.text:804FC93E ;   var_2E8  CONTEXT built from the trap/exception frames. Its size is the
.text:804FC93E ;            2CCh loaded at 804FCB6D (x86 CONTEXT); var_230 / var_224 are
.text:804FC93E ;            its Eip / Esp slots (-2E8h+0B8h, -2E8h+0C4h).
.text:804FC93E ;   var_350  small EXCEPTION_RECORD raised with ExRaiseException when the
.text:804FC93E ;            trap frame does not describe a flat user-mode stack.
.text:804FC93E ;   var_3A0  EXCEPTION_RECORD filled by the SEH filter (KiCopyInformation)
.text:804FC93E ;            when writing the user stack faults.
.text:804FC93E ;   ms_exc   __SEH_prolog frame (scope table stru_804D8FA0) guarding the
.text:804FC93E ;            user-stack writes; ms_exc.disabled is the try level.
.text:804FC93E ;
.text:804FC93E ; Flow: kernel-mode exceptions -> KiDebugRoutine, RtlDispatchException,
.text:804FC93E ; KiDebugRoutine (second chance), else KeBugCheckEx(8Eh). User-mode
.text:804FC93E ; exceptions -> kernel debugger, process debug port (DbgkForwardException),
.text:804FC93E ; then a CONTEXT + EXCEPTION_RECORD are copied onto the user stack and the
.text:804FC93E ; trap frame is retargeted at the user-mode dispatcher (ds:80552F10h).
.text:804FC93E ; Trust boundary: every user address the kernel writes is probed with
.text:804FC93E ; ProbeForWrite first and the copies run inside the __try, so a bad user
.text:804FC93E ; stack becomes a second-chance / ZwTerminateProcess path, never a kernel
.text:804FC93E ; fault; the new selectors are forced to RPL 3 when PreviousMode is user.
.text:804FC93E ; =============================================================================
.text:804FC93E KiDispatchException proc near           ; CODE XREF: .text:8050043Cp
.text:804FC93E                                         ; sub_805004FA+311p ...
.text:804FC93E
.text:804FC93E var_3A0 = dword ptr -3A0h               ; EXCEPTION_RECORD copy used by the SEH handler
.text:804FC93E var_350 = dword ptr -350h               ; EXCEPTION_RECORD.ExceptionCode for ExRaiseException
.text:804FC93E var_34C = dword ptr -34Ch               ; ...ExceptionFlags
.text:804FC93E var_340 = dword ptr -340h               ; ...NumberParameters
.text:804FC93E var_300 = dword ptr -300h               ; user-mode address of the copied EXCEPTION_RECORD
.text:804FC93E var_2FC = dword ptr -2FCh               ; byte length passed to ProbeForWrite
.text:804FC93E local_pTrapFrame= dword ptr -2F8h
.text:804FC93E var_2F4 = dword ptr -2F4h               ; user-mode address of the copied CONTEXT
.text:804FC93E local_pExceptionFrame= dword ptr -2F0h
.text:804FC93E local_pExceptionREcord= dword ptr -2ECh
.text:804FC93E var_2E8 = dword ptr -2E8h               ; CONTEXT (ContextFlags is its first dword)
.text:804FC93E var_230 = dword ptr -230h               ; CONTEXT.Eip
.text:804FC93E var_224 = dword ptr -224h               ; CONTEXT.Esp
.text:804FC93E var_1C = dword ptr -1Ch                 ; saved stack cookie
.text:804FC93E ms_exc = CPPEH_RECORD ptr -18h
.text:804FC93E PExceptionRecord= dword ptr 8
.text:804FC93E PExceptionFrame= dword ptr 0Ch
.text:804FC93E PTrapFrame= dword ptr 10h
.text:804FC93E PreviousMode= dword ptr 14h
.text:804FC93E FirstChance= byte ptr 18h
.text:804FC93E
.text:804FC93E ; FUNCTION CHUNK AT .text:804FCB29 SIZE 0000012B BYTES
.text:804FC93E ; FUNCTION CHUNK AT .text:804FCCB2 SIZE 0000003D BYTES
.text:804FC93E
.text:804FC93E         push    390h                    ; local frame size for __SEH_prolog
.text:804FC943         push    offset stru_804D8FA0    ; SEH scope table (filter/handler at 804FCC54/804FCC66)
.text:804FC948         call    __SEH_prolog
.text:804FC94D         mov     eax, ds:8054AE40h       ; global stack cookie (IDA left it unnamed)
.text:804FC952         mov     [ebp+var_1C], eax       ; stash the cookie; reloaded into ecx in the epilogue
.text:804FC955         mov     esi, [ebp+PExceptionRecord]
.text:804FC958         mov     [ebp+local_pExceptionREcord], esi ; esi = ExceptionRecord for the rest of the function
.text:804FC95E         mov     ecx, [ebp+PExceptionFrame]
.text:804FC961         mov     [ebp+local_pExceptionFrame], ecx
.text:804FC967         mov     ebx, [ebp+PTrapFrame]
.text:804FC96A         mov     [ebp+local_pTrapFrame], ebx ; ebx = TrapFrame for the rest of the function
.text:804FC970         db 3Eh                          ; DS segment-override prefix on the next mov (shown separately by IDA)
.text:804FC970         mov     eax, ds:0FFDFF020h      ; KPCR (0FFDFF000h) +20h; presumably the Prcb pointer -- confirm
.text:804FC976         inc     dword ptr [eax+504h]    ; bump a per-processor exception counter (presumably KeExceptionDispatchCount)
.text:804FC97C         mov     [ebp+var_2E8], 10017h   ; ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS
.text:804FC986         cmp     byte ptr [ebp+PreviousMode], 1
.text:804FC98A         jz      short loc_804FC995      ; user mode: always capture FP state too
.text:804FC98C         cmp     byte ptr ds:8054C4C1h, 0 ; kernel mode: capture FP only if this global byte is set (likely a debugger-enabled flag -- confirm)
.text:804FC993         jz      short loc_804FC9B2
.text:804FC995
.text:804FC995 loc_804FC995:                           ; CODE XREF: KiDispatchException+4Cj
.text:804FC995         mov     [ebp+var_2E8], 1001Fh   ; += CONTEXT_FLOATING_POINT
.text:804FC99F         cmp     byte ptr ds:80552C00h, 0 ; global byte gating extended (FXSAVE) state -- identity not shown here
.text:804FC9A6         jz      short loc_804FC9B2
.text:804FC9A8         mov     [ebp+var_2E8], 1003Fh   ; += CONTEXT_EXTENDED_REGISTERS
.text:804FC9B2
.text:804FC9B2 loc_804FC9B2:                           ; CODE XREF: KiDispatchException+55j
.text:804FC9B2                                         ; KiDispatchException+68j
.text:804FC9B2         lea     eax, [ebp+var_2E8]
.text:804FC9B8         push    eax                     ; &Context
.text:804FC9B9         push    ecx                     ; ExceptionFrame
.text:804FC9BA         push    ebx                     ; TrapFrame
.text:804FC9BB         call    KeContextFromKframes    ; Context <- trap/exception frames
.text:804FC9C0         mov     eax, [esi]              ; ExceptionRecord->ExceptionCode
.text:804FC9C2         cmp     eax, 80000003h          ; STATUS_BREAKPOINT?
.text:804FC9C7         jz      short IS_STATUS_BREAKPOINT
.text:804FC9C9         cmp     eax, 10000004h          ; internal execute-fault code (KI_EXCEPTION_ACCESS_VIOLATION)?
.text:804FC9CE         jnz     short loc_804FCA3D
.text:804FC9D0         mov     dword ptr [esi], 0C0000005h ; report it as STATUS_ACCESS_VIOLATION
.text:804FC9D6         cmp     byte ptr [ebp+PreviousMode], 1
.text:804FC9DA         jnz     short loc_804FCA3D      ; kernel-mode execute faults are not rewritten further
.text:804FC9DC         lea     eax, [ebp+var_2E8]
.text:804FC9E2         push    eax                     ; &Context
.text:804FC9E3         push    esi                     ; ExceptionRecord
.text:804FC9E4         call    KiCheckForAtlThunk      ; DEP compatibility: emulate a recognised ATL thunk in Context
.text:804FC9E9         test    al, al
.text:804FC9EB         jnz     done                    ; thunk emulated -> exception swallowed, context written back
.text:804FC9F1         cmp     byte ptr ds:0FFDF0280h, 1 ; SharedUserData->ProcessorFeatures[12] (PF_NX_ENABLED), presumably
.text:804FC9F8         jnz     short loc_804FCA3D
.text:804FC9FA         cmp     dword ptr [esi+14h], 8  ; ExceptionInformation[0] == 8 (execute fault)?
.text:804FC9FE         jnz     short loc_804FCA3D
.text:804FCA00         test    byte ptr ds:8054C4EFh, 40h ; global execute-protection policy bits; identity not shown -- confirm
.text:804FCA07         jnz     short loc_804FCA30
.text:804FCA09         mov     eax, large fs:124h      ; fs = KPCR in ring 0; +124h = current KTHREAD
.text:804FCA0F         mov     eax, [eax+44h]          ; KTHREAD +44h: owning process (ApcState.Process), presumably
.text:804FCA12         test    byte ptr [eax+6Bh], 2   ; per-process flag byte; presumably its DEP/NX flags -- confirm layout
.text:804FCA16         jnz     short loc_804FCA30
.text:804FCA18         test    byte ptr ds:8054C4EFh, 80h
.text:804FCA1F         jnz     short loc_804FCA3D
.text:804FCA21         mov     eax, large fs:124h
.text:804FCA27         mov     eax, [eax+44h]
.text:804FCA2A         test    byte ptr [eax+6Bh], 1
.text:804FCA2E         jnz     short loc_804FCA3D
.text:804FCA30
.text:804FCA30 loc_804FCA30:                           ; CODE XREF: KiDispatchException+C9j
.text:804FCA30                                         ; KiDispatchException+D8j
.text:804FCA30         xor     edi, edi
.text:804FCA32         mov     [esi+14h], edi          ; ExceptionInformation[0] = 0: hide the execute-fault flavour from the process
.text:804FCA35         jmp     short loc_804FCA3F
.text:804FCA37 ; ---------------------------------------------------------------------------
.text:804FCA37
.text:804FCA37 IS_STATUS_BREAKPOINT:                   ; CODE XREF: KiDispatchException+89j
.text:804FCA37         dec     [ebp+var_230]           ; Context.Eip -= 1: back up over the 1-byte int 3
.text:804FCA3D
.text:804FCA3D loc_804FCA3D:                           ; CODE XREF: KiDispatchException+90j
.text:804FCA3D                                         ; KiDispatchException+9Cj ...
.text:804FCA3D         xor     edi, edi                ; edi = 0 from here on
.text:804FCA3F
.text:804FCA3F loc_804FCA3F:                           ; CODE XREF: KiDispatchException+F7j
.text:804FCA3F         cmp     byte ptr [ebp+PreviousMode], 0
.text:804FCA43         jnz     short MODE_USER
.text:804FCA45
.text:804FCA45 MODE_KERNEL:
.text:804FCA45         cmp     [ebp+FirstChance], 1
.text:804FCA49         jnz     short SECOND_CHANCE
.text:804FCA4B
.text:804FCA4B FIRST_CHANCE:
.text:804FCA4B         mov     eax, ds:80552F04h       ; KiDebugRoutine (NULL when no kernel debugger)
.text:804FCA50         cmp     eax, edi
.text:804FCA52         jz      short not_handled
.text:804FCA54         push    edi                     ; SecondChance = FALSE
.text:804FCA55         push    edi                     ; PreviousMode = KernelMode
.text:804FCA56         lea     ecx, [ebp+var_2E8]
.text:804FCA5C         push    ecx                     ; &Context
.text:804FCA5D         push    esi                     ; ExceptionRecord
.text:804FCA5E         push    [ebp+local_pExceptionFrame]
.text:804FCA64         push    ebx                     ; TrapFrame
.text:804FCA65         call    eax                     ; KiDebugRoutine
.text:804FCA67         test    al, al
.text:804FCA69         jnz     done                    ; debugger handled it
.text:804FCA6F
.text:804FCA6F not_handled:                            ; CODE XREF: KiDispatchException+114j
.text:804FCA6F         lea     eax, [ebp+var_2E8]
.text:804FCA75         push    eax                     ; &Context
.text:804FCA76         push    esi                     ; ExceptionRecord
.text:804FCA77         call    RtlDispatchException    ; walk kernel SEH frames
.text:804FCA7C         cmp     al, 1
.text:804FCA7E         jz      short done              ; a kernel handler took it
.text:804FCA80
.text:804FCA80 SECOND_CHANCE:                          ; CODE XREF: KiDispatchException+10Bj
.text:804FCA80         mov     eax, ds:80552F04h       ; KiDebugRoutine
.text:804FCA85         cmp     eax, edi
.text:804FCA87         jz      BLUE_SCREEN             ; no debugger: unhandled kernel exception is fatal
.text:804FCA8D         push    1                       ; SecondChance = TRUE
.text:804FCA8F         push    edi                     ; PreviousMode = KernelMode
.text:804FCA90         lea     ecx, [ebp+var_2E8]
.text:804FCA96         push    ecx                     ; &Context
.text:804FCA97         push    esi                     ; ExceptionRecord
.text:804FCA98         push    [ebp+local_pExceptionFrame]
.text:804FCA9E         push    ebx                     ; TrapFrame
.text:804FCA9F         call    eax                     ; KiDebugRoutine
.text:804FCAA1         test    al, al
.text:804FCAA3         jnz     short done
.text:804FCAA5         jmp     BLUE_SCREEN
.text:804FCAAA ; ---------------------------------------------------------------------------
.text:804FCAAA
.text:804FCAAA MODE_USER:                              ; CODE XREF: KiDispatchException+105j
.text:804FCAAA         cmp     [ebp+FirstChance], 1
.text:804FCAAE         jnz     SECOND_CHANCE_
.text:804FCAB4
.text:804FCAB4 FIRST_CHANCE_:                          ; KiDebugRoutine
.text:804FCAB4         cmp     ds:80552F04h, edi       ; kernel debugger attached?
.text:804FCABA         jz      short FORWARD_TO_USER_MODE
.text:804FCABC         mov     eax, large fs:124h      ; current KTHREAD (we're in r0, so fs = KPCR)
.text:804FCAC2         mov     eax, [eax+44h]          ; owning process
.text:804FCAC5         cmp     [eax+0BCh], edi         ; is DebugPort == 0?
.text:804FCACB         jz      short call_kd           ; no user-mode debugger -> kernel debugger sees it first
.text:804FCACD
.text:804FCACD UM_DEBUGGER_PRESENT:
.text:804FCACD         push    1                       ; PreviousMode = UserMode
.text:804FCACF         lea     eax, [ebp+var_2E8]
.text:804FCAD5         push    eax                     ; &Context
.text:804FCAD6         push    esi                     ; ExceptionRecord
.text:804FCAD7         call    near ptr 80660B1Eh      ; KdIsThisAKdTrap: only steal it from the UM debugger if KD owns the trap
.text:804FCADC         test    al, al
.text:804FCADE         jz      short FORWARD_TO_USER_MODE
.text:804FCAE0
.text:804FCAE0 call_kd:                                ; CODE XREF: KiDispatchException+18Dj
.text:804FCAE0         push    edi                     ; SecondChance = FALSE
.text:804FCAE1         push    [ebp+PreviousMode]
.text:804FCAE4         lea     eax, [ebp+var_2E8]
.text:804FCAEA         push    eax                     ; &Context
.text:804FCAEB         push    esi                     ; ExceptionRecord
.text:804FCAEC         push    [ebp+local_pExceptionFrame]
.text:804FCAF2         push    ebx                     ; TrapFrame
.text:804FCAF3         call    dword ptr ds:80552F04h  ; KiDebugRoutine
.text:804FCAF9         test    al, al                  ; handled?
.text:804FCAFB         jz      short FORWARD_TO_USER_MODE
.text:804FCAFD
.text:804FCAFD done:                                   ; CODE XREF: KiDispatchException+ADj
.text:804FCAFD                                         ; KiDispatchException+12Bj ...
.text:804FCAFD         push    [ebp+PreviousMode]      ; a handler/debugger may have edited Context: write it back
.text:804FCB00         push    [ebp+var_2E8]           ; ContextFlags
.text:804FCB06         lea     eax, [ebp+var_2E8]
.text:804FCB0C         push    eax                     ; &Context
.text:804FCB0D         push    [ebp+local_pExceptionFrame]
.text:804FCB13         push    ebx                     ; TrapFrame
.text:804FCB14         call    KeContextToKframes      ; PreviousMode is passed so user-only fields are sanitised by the callee
.text:804FCB19
.text:804FCB19 HANDLED_UM_DEBUGGER:                    ; CODE XREF: KiDispatchException+1F6j
.text:804FCB19                                         ; KiDispatchException+311j ...
.text:804FCB19         mov     ecx, [ebp+var_1C]       ; ecx = saved cookie for the check in the epilogue below
.text:804FCB19 KiDispatchException endp                ; sp-analysis failed
.text:804FCB19
.text:804FCB1C
.text:804FCB1C ; =============== S U B R O U T I N E =======================================
.text:804FCB1C ; Not a separate routine: this is KiDispatchException's epilogue, split off by
.text:804FCB1C ; IDA because stack-pointer analysis failed. Reached by fall-through from
.text:804FCB1C ; HANDLED_UM_DEBUGGER with ecx = saved cookie.
.text:804FCB1C
.text:804FCB1C sub_804FCB1C proc near
.text:804FCB1C         call    nullsub_1               ; presumably the cookie check, resolved to an empty stub in this image -- confirm
.text:804FCB21         call    __SEH_epilog
.text:804FCB26         retn    14h                     ; stdcall: pop the five dword args
.text:804FCB26 sub_804FCB1C endp
.text:804FCB26
.text:804FCB29 ; ---------------------------------------------------------------------------
.text:804FCB29 ; START OF FUNCTION CHUNK FOR KiDispatchException
.text:804FCB29
.text:804FCB29 FORWARD_TO_USER_MODE:                   ; CODE XREF: KiDispatchException+17Cj
.text:804FCB29                                         ; KiDispatchException+1A0j ...
.text:804FCB29         push    edi                     ; SecondChance = FALSE
.text:804FCB2A         push    1                       ; forward to process's debug port, since it's first chance
.text:804FCB2C         push    esi                     ; exception record
.text:804FCB2D         call    near ptr 80639E06h      ; DbgkForwardException
.text:804FCB32         test    al, al
.text:804FCB34         jnz     short HANDLED_UM_DEBUGGER ; debugger continued it: nothing to write to user mode
.text:804FCB36
.text:804FCB36 UNHANDLED_OR_NO_DEBUG_PORT:             ; deliver to user-mode SEH via the user stack
.text:804FCB36         mov     [ebp+var_3A0], edi      ; local ExceptionCode = 0 (overwritten by the SEH filter on fault)
.text:804FCB3C
.text:804FCB3C loc_804FCB3C:                           ; CODE XREF: .text:804FCC9Bj
.text:804FCB3C         mov     [ebp+ms_exc.disabled], edi ; __try level 0: faults from here go to loc_804FCC54/66
.text:804FCB3F         cmp     dword ptr [ebx+78h], 23h ; TrapFrame.HardwareSegSs == user data selector (RPL 3)?
.text:804FCB43         jnz     short loc_804FCB4B      ; ACCESS VIOLATION
.text:804FCB45         test    byte ptr [ebx+72h], 2   ; EFLAGS bit 17 (VM): a V86 frame is not dispatchable either
.text:804FCB49         jz      short loc_804FCB6D
.text:804FCB4B
.text:804FCB4B loc_804FCB4B:                           ; CODE XREF: KiDispatchException+205j
.text:804FCB4B         mov     [ebp+var_350], 0C0000005h ; ACCESS VIOLATION
.text:804FCB55         mov     [ebp+var_34C], edi      ; ExceptionFlags = 0
.text:804FCB5B         mov     [ebp+var_340], edi      ; NumberParameters = 0
.text:804FCB61         lea     eax, [ebp+var_350]
.text:804FCB67         push    eax
.text:804FCB68         call    ExRaiseException        ; raised inside the __try: lands in the handler, then SECOND_CHANCE_
.text:804FCB6D ; ---------------------------------------------------------------------------
.text:804FCB6D
.text:804FCB6D loc_804FCB6D:                           ; CODE XREF: KiDispatchException+20Bj
.text:804FCB6D         mov     eax, 2CCh               ; sizeof(CONTEXT) on x86
.text:804FCB72         mov     [ebp+var_2FC], eax
.text:804FCB78         mov     edi, [ebp+var_224]      ; user Esp from Context
.text:804FCB7E         and     edi, 0FFFFFFFCh         ; dword-align it
.text:804FCB81         sub     edi, eax                ; reserve the CONTEXT below the user stack pointer
.text:804FCB83         mov     [ebp+var_2F4], edi      ; remember user CONTEXT address
.text:804FCB89         push    4                       ; Alignment
.text:804FCB8B         push    eax                     ; Length = 2CCh
.text:804FCB8C push edi ; Address
.text:804FCB8D         call    near ptr 8060C4A6h      ; ProbeForWrite: must be a writable user range before the kernel touches it
.text:804FCB92         mov     ecx, 0B3h               ; 0B3h dwords = 2CCh bytes
.text:804FCB97         lea     esi, [ebp+var_2E8]
.text:804FCB9D         rep movsd                       ; copy Context to the user stack (edi ends just past it)
.text:804FCB9F         mov     eax, [ebp+local_pExceptionREcord]
.text:804FCBA5         mov     esi, [eax+10h]          ; NumberParameters
.text:804FCBA8         lea     esi, ds:17h[esi*4]      ; 14h fixed bytes + 4*NumberParameters + 3 ...
.text:804FCBAF         and     esi, 0FFFFFFFCh         ; ... rounded up to a dword: record size (bounded by the 4-bit-ish count, not checked here)
.text:804FCBB2         mov     [ebp+var_2FC], esi
.text:804FCBB8         mov     edi, [ebp+var_2F4]
.text:804FCBBE         sub     edi, esi                ; EXCEPTION_RECORD goes directly below the CONTEXT
.text:804FCBC0         mov     [ebp+var_300], edi      ; remember user EXCEPTION_RECORD address
.text:804FCBC6         push    4                       ; Alignment
.text:804FCBC8         lea     eax, [esi+8]
.text:804FCBCB         push    eax                     ; Length = record size + 8 (two argument slots below it)
.text:804FCBCC         lea     eax, [edi-8]
.text:804FCBCF         push    eax                     ; Address = record - 8
.text:804FCBD0         call    near ptr 8060C4A6h      ; ProbeForWrite
.text:804FCBD5         mov     ecx, esi                ; byte count
.text:804FCBD7         mov     esi, [ebp+local_pExceptionREcord]
.text:804FCBDD         mov     eax, ecx
.text:804FCBDF         shr     ecx, 2
.text:804FCBE2         rep movsd                       ; copy the record in dwords ...
.text:804FCBE4         mov     ecx, eax
.text:804FCBE6         and     ecx, 3
.text:804FCBE9         rep movsb                       ; ... plus any trailing bytes (always 0 after the alignment above)
.text:804FCBEB         mov     ecx, [ebp+var_2F4]      ; user CONTEXT*
.text:804FCBF1         mov     eax, [ebp+var_300]      ; user EXCEPTION_RECORD*
.text:804FCBF7         mov     [eax-4], ecx            ; arg 2 for the user dispatcher: Context
.text:804FCBFA         lea     edx, [eax-8]            ; new user Esp
.text:804FCBFD         mov     [edx], eax              ; arg 1 for the user dispatcher: ExceptionRecord
.text:804FCBFF         push    20h                     ; user data selector (RPL applied by the callee)
.text:804FCC01         push    ebx                     ; TrapFrame
.text:804FCC02         call    KiSegSsToTrapFrame      ; TrapFrame.SS = user data segment
.text:804FCC07         push    edx                     ; new Esp -- relies on edx surviving the call above
.text:804FCC08         push    ebx                     ; TrapFrame
.text:804FCC09         call    KiEspToTrapFrame        ; TrapFrame.Esp = record - 8
.text:804FCC0E         mov     eax, [ebp+PreviousMode]
.text:804FCC11         mov     cl, al
.text:804FCC13         neg     cl
.text:804FCC15         sbb     ecx, ecx
.text:804FCC17         and     ecx, 3                  ; rpl = PreviousMode ? 3 : 0
.text:804FCC1A         add     ecx, 18h                ; user code selector | rpl
.text:804FCC1D         mov     [ebx+6Ch], ecx          ; TrapFrame.SegCs
.text:804FCC20         mov     cl, al
.text:804FCC22         neg     cl
.text:804FCC24         sbb     ecx, ecx
.text:804FCC26         and     ecx, 3
.text:804FCC29         add     ecx, 20h                ; user data selector | rpl
.text:804FCC2C         mov     [ebx+38h], ecx          ; TrapFrame.SegDs
.text:804FCC2F         mov     [ebx+34h], ecx          ; TrapFrame.SegEs
.text:804FCC32         neg     al
.text:804FCC34         sbb     eax, eax
.text:804FCC36         and     eax, 3
.text:804FCC39         add     eax, 38h                ; TEB selector | rpl
.text:804FCC3C         mov     [ebx+50h], eax          ; TrapFrame.SegFs
.text:804FCC3F         and     dword ptr [ebx+30h], 0  ; TrapFrame.SegGs = 0
.text:804FCC43         mov     eax, ds:80552F10h       ; user-mode exception dispatcher entry (presumably KeUserExceptionDispatcher)
.text:804FCC48         mov     [ebx+68h], eax          ; TrapFrame.Eip: return to user mode lands in the dispatcher
.text:804FCC4B         or      [ebp+ms_exc.disabled], 0FFFFFFFFh ; leave __try
.text:804FCC4F         jmp     HANDLED_UM_DEBUGGER
.text:804FCC4F ; END OF FUNCTION CHUNK FOR KiDispatchException
.text:804FCC54 ; ---------------------------------------------------------------------------
.text:804FCC54 ; SEH filter for the __try above: copies the faulting EXCEPTION_RECORD
.text:804FCC54 ; (EXCEPTION_POINTERS->ExceptionRecord, via ms_exc.exc_ptr at ebp-14h)
.text:804FCC54 ; into var_3A0 and returns KiCopyInformation's disposition.
.text:804FCC54
.text:804FCC54 loc_804FCC54:                           ; DATA XREF: .text:stru_804D8FA0o
.text:804FCC54         mov     eax, [ebp-14h]          ; ms_exc.exc_ptr
.text:804FCC57         push    dword ptr [eax]         ; ->ExceptionRecord
.text:804FCC59         lea     eax, [ebp-3A0h]
.text:804FCC5F         push    eax                     ; &var_3A0
.text:804FCC60         call    KiCopyInformation
.text:804FCC65         retn
.text:804FCC66 ; ---------------------------------------------------------------------------
.text:804FCC66 ; SEH handler: a fault while writing the user stack. STATUS_STACK_OVERFLOW is
.text:804FCC66 ; retried once with the overflow record substituted for the original; any
.text:804FCC66 ; other code falls into the second-chance path.
.text:804FCC66
.text:804FCC66 loc_804FCC66:                           ; DATA XREF: .text:stru_804D8FA0o
.text:804FCC66         mov     esp, [ebp-18h]          ; ms_exc.old_esp
.text:804FCC69         cmp     dword ptr [ebp-3A0h], 0C00000FDh ; STATUS_STACK_OVERFLOW?
.text:804FCC73         jnz     short loc_804FCCA0
.text:804FCC75         mov     edi, [ebp-2ECh]         ; original ExceptionRecord
.text:804FCC7B         mov     eax, [edi+0Ch]          ; its ExceptionAddress
.text:804FCC7E         mov     [ebp-394h], eax         ; var_3A0.ExceptionAddress = original address
.text:804FCC84         push    14h
.text:804FCC86         pop     ecx                     ; 14h dwords = 50h bytes = sizeof(EXCEPTION_RECORD)
.text:804FCC87         lea     esi, [ebp-3A0h]
.text:804FCC8D         rep movsd                       ; overwrite the caller's record with the stack-overflow record
.text:804FCC8F         or      dword ptr [ebp-4], 0FFFFFFFFh ; ms_exc.disabled = -1
.text:804FCC93         mov     ebx, [ebp-2F8h]         ; restore TrapFrame
.text:804FCC99         xor     edi, edi
.text:804FCC9B         jmp     loc_804FCB3C            ; retry delivery; NOTE(review): a repeated overflow would retry again -- confirm the guard-page handling guarantees progress
.text:804FCCA0 ; ---------------------------------------------------------------------------
.text:804FCCA0
.text:804FCCA0 loc_804FCCA0:                           ; CODE XREF: .text:804FCC73j
.text:804FCCA0         or      dword ptr [ebp-4], 0FFFFFFFFh ; ms_exc.disabled = -1
.text:804FCCA4         mov     ebx, [ebp-2F8h]         ; restore TrapFrame
.text:804FCCAA         xor     edi, edi
.text:804FCCAC         mov     esi, [ebp-2ECh]         ; restore ExceptionRecord, then fall into SECOND_CHANCE_
.text:804FCCB2 ; START OF FUNCTION CHUNK FOR KiDispatchException
.text:804FCCB2
.text:804FCCB2 SECOND_CHANCE_:                         ; CODE XREF: KiDispatchException+170j
.text:804FCCB2         push    1                       ; SecondChance = TRUE
.text:804FCCB4         push    1                       ; DebugException = TRUE (debug port)
.text:804FCCB6         push    esi                     ; ExceptionRecord
.text:804FCCB7         call    near ptr 80639E06h      ; DbgkForwardException
.text:804FCCBC         test    al, al
.text:804FCCBE         jnz     HANDLED_UM_DEBUGGER
.text:804FCCC4         push    1                       ; SecondChance = TRUE
.text:804FCCC6         push    edi                     ; DebugException = FALSE (exception port)
.text:804FCCC7         push    esi                     ; ExceptionRecord
.text:804FCCC8         call    near ptr 80639E06h      ; DbgkForwardException
.text:804FCCCD         test    al, al
.text:804FCCCF         jnz     HANDLED_UM_DEBUGGER
.text:804FCCD5         push    dword ptr [esi]         ; ExitStatus = ExceptionCode
.text:804FCCD7         push    0FFFFFFFFh              ; ProcessHandle = current process
.text:804FCCD9         call    ZwTerminateProcess      ; nobody handled a user-mode exception: kill the process
.text:804FCCDE
.text:804FCCDE BLUE_SCREEN:                            ; CODE XREF: KiDispatchException+149j
.text:804FCCDE                                         ; KiDispatchException+167j
.text:804FCCDE         push    edi                     ; BugCheckParameter4 = 0
.text:804FCCDF         push    ebx                     ; BugCheckParameter3 = TrapFrame
.text:804FCCE0         push    dword ptr [esi+0Ch]     ; BugCheckParameter2 = ExceptionAddress
.text:804FCCE3         push    dword ptr [esi]         ; BugCheckParameter1 = ExceptionCode
.text:804FCCE5         push    8Eh                     ; BugCheckCode = KERNEL_MODE_EXCEPTION_NOT_HANDLED
.text:804FCCEA         call    KeBugCheckEx
.text:804FCCEA ; END OF FUNCTION CHUNK FOR KiDispatchException