Hi Guys,

I've a problem with SEH under XP. It's about the following code:

SUB EAX, EAX
PUSH OFFSET xhandler
PUSH FS:[0]
MOV FS:[0], ESP ;install SEH handler

xor ebx, ebx
div ebx ;raise exception
nop
nop

SUB EAX, EAX ;uninstall SEH
POP FS:[0]
POP EAX

and my xhandler looks as follows:

xhandler PROC

ExcInfo EQU
xContext EQU
MOV EDX, xContext
ASSUME EDX: PTR CONTEXT2
add [EDX].cx_Eip,2 ;skip the faulting instruction (assumes it is 2 bytes long)
ASSUME EDX: NOTHING
SUB EAX, EAX
ret
xhandler ENDP

This works OK in Ring0 under NT! It executes my xhandler correctly and then continues the main program.
However, under Windows XP, the div by zero causes a blue screen crash! I tried the same routine in Ring3 on XP, which worked fine.

Then I replaced the 'div ebx' with 'int 3' in my Ring0 KMD and... it worked on XP! My exception handler was called and handled the exception.

My question is, however: why does the division by zero in Ring0 cause a crash on XP? I put a breakpoint on the first instruction of my xhandler, but XP crashes before this breakpoint is reached, so my guess is that XP doesn't route the div by zero exception to my xhandler. Can anybody give me some insight please? Thanks in advance,

Dante
Posted on 2002-02-09 15:13:21 by _dante_
Why do you need to div by 0?
Posted on 2002-02-09 21:55:10 by CodeLover
I don't. I could use 'int 3' instead. However, I'm very curious WHY the div by 0 doesn't route to my exception handler...
Posted on 2002-02-09 22:38:36 by _dante_
Maybe it would be if IRQL <= APC.
Did you check if it is?
Posted on 2002-02-09 23:02:08 by tired
I didn't know you could even do it with NT....
See post (Ring0 Why Not's) just for some additional info.

Good to know someone is getting close to it...
Posted on 2002-02-10 00:27:20 by cmax
How do I check the IRQ level?
The STOP message that XP gives me is: STOP 0x0000007F (0x00000000, 0x00000000, 0x00000000, 0x00000000).
The 7F means "UNEXPECTED_KERNEL_MODE_TRAP" and the first of the four zero blocks means that a 'division by zero' occurred (wow :-)

From the M$ site:
This Stop message, also known as Stop 0x7F, means that one of two types of problems occurred in kernel-mode, either a kind of condition that the kernel is not allowed to have or catch (a bound trap), or a kind of error that is always fatal. Occasionally, this message can be caused by software problems, but the most common cause is hardware failure.

So, it seems that a division by zero is simply not allowed in Ring0? But why does it work on NT then???
Posted on 2002-02-10 09:51:38 by _dante_
KeGetCurrentIrql
Posted on 2002-02-10 18:47:40 by tired
Hi tired,

I thought that an exception only occurred if the IRQL of the exception was higher than the current IRQL? I checked under NT, the IRQL of the routine BEFORE the division by zero occurs is 0 (= passive level), so the IRQL <= APC, which I thought would be correct? But you say that it shouldn't be!?!? Could you help me out here please and explain it a little bit? Thanks in advance!
Dante
Posted on 2002-02-13 08:15:37 by _dante_


I think the problem is simply that with this line of your code:

add [EDX].cx_Eip,2

you assume that execution should continue 2 bytes after the faulty instruction. Good if the faulty instruction is only 2 bytes long; otherwise, crash.
Posted on 2002-03-31 05:57:50 by Maverick
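The point Maverick raises (the handler's `add [EDX].cx_Eip,2` only works when the faulting instruction happens to be two bytes) is easy to see by decoding the instruction instead of hard-coding the length. The following is an added example, not code from the thread: a small C decoder for 32-bit x86 instructions that start with opcode F7 (the group that contains DIV/IDIV r/m32, the `div ebx` case above, plus NOT/NEG/MUL/IMUL/TEST). It assumes no instruction prefixes and 32-bit operand/address size, and the sample byte strings are constructed. `div ebx` is F7 F3 (2 bytes), but `div dword ptr [ebp+8]` is F7 75 08 (3 bytes) and `div dword ptr [12345678h]` is F7 35 78 56 34 12 (6 bytes), so a fixed +2 would resume mid-instruction in those cases.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Length in bytes of a 32-bit-mode instruction starting with opcode F7
   (group 3: TEST/NOT/NEG/MUL/IMUL/DIV/IDIV r/m32), no prefixes assumed.
   Returns 0 if the bytes do not start with F7 or are truncated. */
size_t f7_insn_length(const uint8_t *code, size_t avail)
{
    if (avail < 2 || code[0] != 0xF7)
        return 0;

    uint8_t modrm = code[1];
    uint8_t mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
    size_t len = 2;                 /* opcode + ModRM */

    if (mod != 3) {                 /* memory operand */
        int has_sib = (rm == 4);
        if (has_sib) {
            if (avail < 3)
                return 0;
            len += 1;               /* SIB byte */
        }
        if (mod == 1)
            len += 1;               /* disp8 */
        else if (mod == 2)
            len += 4;               /* disp32 */
        else if (rm == 5 || (has_sib && (code[2] & 7) == 5))
            len += 4;               /* mod 0: disp32 with no base register */
    }
    if (reg == 0)
        len += 4;                   /* /0 is TEST r/m32, imm32 */

    return len <= avail ? len : 0;
}

/* 1 if the F7 instruction is DIV (/6) or IDIV (/7), the only members of the
   group that can raise #DE. */
int f7_is_div(const uint8_t *code, size_t avail)
{
    if (f7_insn_length(code, avail) == 0)
        return 0;
    uint8_t reg = (code[1] >> 3) & 7;
    return reg == 6 || reg == 7;
}

/* What a handler like xhandler should write back to Eip: the address of the
   instruction after the faulting DIV/IDIV. Returns 0 when the bytes at eip
   are not a decodable DIV/IDIV, i.e. the handler should not resume blindly. */
uint32_t resume_eip_after_div(uint32_t eip, const uint8_t *code, size_t avail)
{
    if (!f7_is_div(code, avail))
        return 0;
    return eip + (uint32_t)f7_insn_length(code, avail);
}

/* Constructed sample encodings (32-bit mode). */
static const uint8_t DIV_EBX[]      = {0xF7, 0xF3};                         /* div ebx */
static const uint8_t DIV_MEM_EBX[]  = {0xF7, 0x33};                         /* div dword ptr [ebx] */
static const uint8_t DIV_EBP8[]     = {0xF7, 0x75, 0x08};                   /* div dword ptr [ebp+8] */
static const uint8_t DIV_ESP[]      = {0xF7, 0x34, 0x24};                   /* div dword ptr [esp] (SIB) */
static const uint8_t DIV_ABS[]      = {0xF7, 0x35, 0x78, 0x56, 0x34, 0x12}; /* div dword ptr [12345678h] */
static const uint8_t DIV_SCALED[]   = {0xF7, 0x34, 0x8D, 0, 0, 0, 0};       /* div dword ptr [ecx*4+0] */
static const uint8_t TEST_EBX_IMM[] = {0xF7, 0xC3, 1, 0, 0, 0};             /* test ebx, 1 (not a DIV) */

int main(void)
{
    const uint8_t *samples[] = {DIV_EBX, DIV_MEM_EBX, DIV_EBP8, DIV_ESP, DIV_ABS, DIV_SCALED, TEST_EBX_IMM};
    const size_t sizes[] = {sizeof DIV_EBX, sizeof DIV_MEM_EBX, sizeof DIV_EBP8, sizeof DIV_ESP,
                            sizeof DIV_ABS, sizeof DIV_SCALED, sizeof TEST_EBX_IMM};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("length %zu, div=%d, resume from 0x1000 -> 0x%x\n",
               f7_insn_length(samples[i], sizes[i]), f7_is_div(samples[i], sizes[i]),
               resume_eip_after_div(0x1000, samples[i], sizes[i]));
    return 0;
}
```

A handler that wants to survive any DIV form has to compute the length from the bytes at the faulting Eip (or better, avoid resuming past the instruction at all and unwind to a known point instead), and this decoder only covers the single opcode group the thread is about; a general-purpose length decoder is considerably larger.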