1. Baidu Encyclopedia
Set exception capture function
When the exception is not handled, the system will call setunhandledexception filter exception handling Function
For example, when some programs make mistakes, they will report to the user that the program makes mistakes. For example, QQ
Part of exception handling
When an exception occurs, such as memory access violation, the CPU hardware will find this problem and generate an exception (you can understand it as an interrupt)
The CPU then switches the code flow to the exception handling service routine. The operating system exception handling service routine will check whether the current process is in debugging state
If yes, notify the debugger that an exception has occurred. If not, the operating system will view the current thread Is the exception frame chain (FS[0]) installed? If so SEH (try... Catch...), call SEH and decide whether to expand globally or locally according to the returned result. If all sehs in the exception chain do not handle this exception and the process is still in debugging state, the operating system will notify the debugger of an exception again (secondary exception). If it has not been processed, the default of the operating system is called exception handling The code is unhandledexception handler, but the operating system allows you to Hook this function through SetUnhandledException Filter function To set. Most exceptions can be caught in this way, but Stack overflow . the overwritten may not be captured.
Most protective shells use exception handling technology to jump out of the normal code instruction flow to confuse Cracker.
2. Online article reference:
Simply use the setunhandledexception filter () function to crash the program gracefully
Although it is a product of a large company, QQ will still collapse under our toss, but it always crashes gracefully and ends with its own dialog box. And send the report, removing the system default send report dialog box.
So I patted my head to make my program crash more decent.
After thinking about the general idea, I think I can use a process to monitor the target program. Indeed, you can get the information about the crash of the target program, know when it crashed, and do additional operations, but there is no way to remove the default send error dialog box.
Then someone said whether they had used a method similar to a hook to check out where this thing was.
Finally, I checked the Internet and found that the function setunhandledexception filter solved everything.
After summarizing the data found in the following, there are three return values of this function:
EXCEPTION_EXECUTE_HANDLER equ one It means that I have handled the exception and can end gracefully
EXCEPTION_CONTINUE_SEARCH equ 0 It means that I don't handle it, and others come, so windows calls the default handler, displays an error box, and ends
EXCEPTION_CONTINUE_EXECUTION equ - one Indicates that the error has been fixed. Please continue from the place where the exception occurred
The specific application methods are as follows:
#include <windows.h>
long __stdcall callback(_EXCEPTION_POINTERS* excp)
{
MessageBox(0,"Error","error",MB_OK);
printf("Error address %x/n",excp->ExceptionRecord->ExceptionAddress);
printf("CPU register:/n");
printf("eax %x ebx %x ecx %x edx %x/n",excp->ContextRecord->Eax,
excp->ContextRecord->Ebx,excp->ContextRecord->Ecx,
excp->ContextRecord->Edx);
return EXCEPTION_EXECUTE_HANDLER;
}
int main(int argc,char* argv[])
{
SetUnhandledExceptionFilter(callback);
_asm int 3 //Just to crash the program
return 0;
}3. Practical use
Operating environment VS2015 QT5.51 Client program
LONG WINAPI catchExceptionFileter(_EXCEPTION_POINTERS* pExceptionInfo)
{
//Get the exception information in pExceptionInfo. For details, see_ EXCEPTION_ Points definition
//Other custom processing (pop-up, report, log, etc.)
}
int main(int argc,char *argv[])
{
//Program other operations
//Exception detection acquisition
LPTOP_LEVEL_EXCEPTION_FILTERpException=SetUnhandledExceptionFilter(catchExceptionFileter);
_asm int 3 //Just to crash the program
}