Microsoft-specific exception handling mechanisms
Structured Exception Handling
Microsoft Structured Exception Handling is the native exception handling mechanism for Windows and a forerunner technology to VEH. It features the finally mechanism not present in standard C++ exceptions (but present in most imperative languages introduced later). SEH is set up and handled separately for each thread of execution.
The Microsoft implementation of SEH is based on a patent licensed from Borland, U.S. Patent 5,628,016. Open-source operating systems have resisted adopting a SEH-based mechanism due to this patent.
Microsoft supports SEH as a programming technique at the compiler level only. The MS Visual C++ compiler features three non-standard keywords for this purpose: __try, __except and __finally. Other exception handling aspects are backed by a number of Win32 API functions, for example, RaiseException to raise SEH exceptions manually.
Each thread of execution in Windows has a link to an undocumented _EXCEPTION_REGISTRATION_RECORD list at the start of its Thread Information Block. The __try statement essentially calls a compiler-defined EH_prolog function. That function allocates an _EXCEPTION_REGISTRATION_RECORD on the stack pointing to the __except_handler3[a] function in msvcrt.dll,[b] then adds the record to the list's head. At the end of the __try block a compiler-defined EH_epilog function is called that does the reverse operation. Either of these compiler-defined routines can be inline. All the programmer-defined __finally blocks are called from within __except_handler3. If such blocks are present, the _EXCEPTION_REGISTRATION_RECORD being created is extended with a few additional fields used by
In the case of an exception in user mode code, the operating system[c] parses the thread's _EXCEPTION_REGISTRATION_RECORD list and calls each exception handler in sequence until a handler signals it has handled the exception (by return value) or the list is exhausted. The last one in the list is always kernel32!UnhandledExceptionFilter, which displays the General protection fault error message.[d] Then the list is traversed once more, giving handlers a chance to clean up any resources used. Finally, the execution returns to kernel mode[e] where the process is either resumed or terminated.
Vectored Exception Handling
Vectored Exception Handling was introduced in Windows XP. Vectored Exception Handling is made available to Windows programmers using languages such as C++ and Visual Basic. VEH does not replace Structured Exception Handling (SEH); rather, VEH and SEH coexist, with VEH handlers having priority over SEH handlers. Compared with SEH, VEH works more like a traditional notification callback scheme.
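The dispatch order described in the two sections above, as an added example rather than code from the original article or from Microsoft: a portable C model in which vectored handlers run first, the registration list is searched from its head, and a second pass calls the newer records for cleanup. All type and function names are hypothetical, 0xE0000001 is a constructed application exception code, and the cleanup pass is assumed to stop at the accepting record.

```c
#include <stdio.h>
#include <string.h>
/* Portable model of the dispatch order; not the Windows structures or API. */
enum disp { CONTINUE_SEARCH, HANDLED };
enum pass { SEARCH, UNWIND };
typedef enum disp (*handler_fn)(unsigned code, enum pass pass);
struct record {                 /* stands in for _EXCEPTION_REGISTRATION_RECORD */
    struct record *next;        /* next older record in the thread's list */
    handler_fn handler;
};
static struct record *head;     /* per-thread list head */
static handler_fn veh[4];       /* vectored handlers, consulted before SEH */
static int veh_count;
static char trace[32];          /* order in which handlers ran */
static void push(struct record *r, handler_fn h) { r->handler = h; r->next = head; head = r; }
static void mark(const char *s) { strcat(trace, s); }

/* Returns 1 if a handler accepted the exception, 0 if the list was exhausted. */
static int dispatch(unsigned code) {
    struct record *r, *target = NULL;
    for (int i = 0; i < veh_count; i++)
        if (veh[i](code, SEARCH) == HANDLED) return 1;
    for (r = head; r; r = r->next)             /* first pass: find a handler */
        if (r->handler(code, SEARCH) == HANDLED) { target = r; break; }
    for (r = head; r != target; r = r->next)   /* second pass: cleanup (model: */
        r->handler(code, UNWIND);              /* records newer than target)  */
    head = target;
    return target != NULL;
}

static enum disp vectored(unsigned c, enum pass p) { (void)c; (void)p; mark("V"); return CONTINUE_SEARCH; }
static enum disp finally_frame(unsigned c, enum pass p) { (void)c; mark(p == UNWIND ? "f" : "i"); return CONTINUE_SEARCH; }
static enum disp except_frame(unsigned c, enum pass p) {   /* accepts constructed code 0xE0000001 */
    mark(p == UNWIND ? "o" : "O");
    return (p == SEARCH && c == 0xE0000001u) ? HANDLED : CONTINUE_SEARCH;
}
static enum disp last_resort(unsigned c, enum pass p) { (void)c; (void)p; mark("U"); return HANDLED; }

/* List built: finally_frame (head) -> except_frame -> last_resort; raises `code`. */
const char *run_demo(unsigned code) {
    struct record a, b, c;
    trace[0] = '\0'; head = NULL; veh_count = 0;
    veh[veh_count++] = vectored;
    push(&a, last_resort); push(&b, except_frame); push(&c, finally_frame);
    dispatch(code);
    head = NULL;                /* records live on this stack frame */
    return trace;
}
int main(void) { puts(run_demo(0xE0000001u)); puts(run_demo(0xC0000005u)); return 0; }
```

Each letter in the returned trace marks one handler call: `ViOf` when the `__except`-style frame accepts the exception, `ViOUfo` when only the last-resort handler does.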
- The name varies in different versions of VC runtime
- kernel32.dll, as well as other programs linked statically with VC runtime, have this function compiled-in instead
- More specifically, the ntdll!RtlDispatchException system routine called from ntdll!KiUserExceptionDispatcher, which is in turn called from the nt!KiDispatchException kernel function. (See Ken Johnson (November 16, 2007). "A catalog of NTDLL kernel mode to user mode callbacks, part 2: KiUserExceptionDispatcher" for details.)
- The message can be silenced by altering the process's error mode; the default last handler can be replaced with the SetUnhandledExceptionFilter API