; nt!KiDispatchException -- Windows XP Professional SP3, x86 (32-bit), patched up to 2010-07-14.
; WinDbg disassembly (Intel syntax, op dst,src) with reviewer annotations.
;
; Prototype (stdcall, 5 args -> ret 14h):
;   VOID KiDispatchException(PEXCEPTION_RECORD ExceptionRecord,  ; [ebp+8]
;                            PKEXCEPTION_FRAME ExceptionFrame,   ; [ebp+0Ch]
;                            PKTRAP_FRAME      TrapFrame,        ; [ebp+10h]
;                            KPROCESSOR_MODE   PreviousMode,     ; [ebp+14h]  0 = kernel, 1 = user
;                            BOOLEAN           FirstChance)      ; [ebp+18h]
; Registers held for most of the body: esi = ExceptionRecord, ebx = TrapFrame, edi = 0.
; Locals (ebp-relative, frame set up by _SEH_prolog):
;   [ebp-2E8h]  CONTEXT ContextFrame, 2CCh bytes (ContextFlags at -2E8h, Eip at -230h, Esp at -224h)
;   [ebp-2ECh] / [ebp-2F0h] / [ebp-2F8h]  saved ExceptionRecord / ExceptionFrame / TrapFrame
;   [ebp-2FCh] / [ebp-2F4h] / [ebp-300h]  copy length / user-mode CONTEXT copy / user-mode EXCEPTION_RECORD copy
;   [ebp-350h]  scratch EXCEPTION_RECORD used to raise STATUS_ACCESS_VIOLATION
;   [ebp-3A0h]  EXCEPTION_RECORD captured by the __except filter
;   [ebp-1Ch]   /GS security cookie        [ebp-4]  SEH try level (0 = inside __try, -1 = outside)
;
; Redirecting user-mode exceptions to the kernel debugger (kd):
;   A first-chance USER-mode exception only reaches kd when the process has no DebugPort, or when
;   KdIsThisAKdTrap claims it (804fe5fd..804fe616). To hand every first-chance user-mode exception
;   to kd even when a user-mode debugger is attached, make the `je` at 804fe603
;   (nt!KiDispatchException+0x18d) unconditional: patch its opcode byte 74 -> EB (je -> jmp), or,
;   without touching kernel code, use a hardware execute breakpoint that forces ZF=1 right before it:
;     ba e1 nt!KiDispatchException+0x18d "r zf=1;g"        ; == ba e1 804fe603 on this build
;   Caveats: the absolute addresses in this listing hold only for this exact kernel build -- prefer
;   the symbol+offset form. The redirection is system-wide (every process), so it is noisy. The kd
;   handler may still decline the exception (al == 0 at 804fe631), in which case dispatch falls
;   through to the user-mode debugger / user SEH exactly as before. Kernel-mode exceptions already
;   go to kd first (804fe583) and need no patch; second-chance user-mode exceptions (804fe7ea..)
;   never pass through kd on this path.
nt!KiDispatchException:
804fe476 6890030000            push    390h                                            ; size of locals for _SEH_prolog
804fe47b 68b8994d80            push    offset nt!KiFindFirstSetLeft+0x120 (804d99b8)  ; SEH scope table (symbol is just the nearest public name)
804fe480 e81bd70300            call    nt!_SEH_prolog (8053bba0)
804fe485 a160435580            mov     eax,dword ptr [nt!__security_cookie (80554360)]  ; /GS stack cookie ...
804fe48a 8945e4                mov     dword ptr [ebp-1Ch],eax                         ; ... verified at 804fe654 before returning
804fe48d 8b7508                mov     esi,dword ptr [ebp+8]                           ; esi = EXCEPTION RECORD (see [esi] = ExceptionCode below)
804fe490 89b514fdffff          mov     dword ptr [ebp-2ECh],esi
804fe496 8b4d0c                mov     ecx,dword ptr [ebp+0Ch]                         ; ecx = EXCEPTION FRAME
804fe499 898d10fdffff          mov     dword ptr [ebp-2F0h],ecx
804fe49f 8b5d10                mov     ebx,dword ptr [ebp+10h]                         ; ebx = TRAP FRAME (Eip/SegCs/... written through ebx below)
804fe4a2 899d08fdffff          mov     dword ptr [ebp-2F8h],ebx
804fe4a8 64a120000000          mov     eax,dword ptr fs:[00000020h]                    ; fs = KPCR in ring 0; KPCR.Prcb
804fe4ae ff8004050000          inc     dword ptr [eax+504h]                            ; per-processor counter (presumably Prcb->KeExceptionDispatchCount)
804fe4b4 c78518fdffff17000100  mov     dword ptr [ebp-2E8h],10017h                     ; ContextFrame.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS
804fe4be 807d1401              cmp     byte ptr [ebp+14h],1                            ; PreviousMode == UserMode?
804fe4c2 7409                  je      nt!KiDispatchException+0x57 (804fe4cd)
804fe4c4 803d415a558000        cmp     byte ptr [nt!KdDebuggerEnabled (80555a41)],0    ; kernel-mode fault: capture FP state only if kd is enabled
804fe4cb 741d                  je      nt!KiDispatchException+0x74 (804fe4ea)
804fe4cd c78518fdffff1f000100  mov     dword ptr [ebp-2E8h],1001Fh                     ; |= CONTEXT_FLOATING_POINT
804fe4d7 803d20c3558000        cmp     byte ptr [nt!KeI386XMMIPresent (8055c320)],0
804fe4de 740a                  je      nt!KiDispatchException+0x74 (804fe4ea)
804fe4e0 c78518fdffff3f000100  mov     dword ptr [ebp-2E8h],1003Fh                     ; |= CONTEXT_EXTENDED_REGISTERS (SSE state)
804fe4ea 8d8518fdffff          lea     eax,[ebp-2E8h]
804fe4f0 50                    push    eax                                             ; &ContextFrame
804fe4f1 51                    push    ecx                                             ; ExceptionFrame
804fe4f2 53                    push    ebx                                             ; TrapFrame
804fe4f3 e8e8f7ffff            call    nt!KeContextFromKframes (804fdce0)              ; build CONTEXT from trap/exception frames
804fe4f8 8b06                  mov     eax,dword ptr [esi]                             ; ExceptionRecord->ExceptionCode
804fe4fa 3d03000080            cmp     eax,80000003h                                   ; STATUS_BREAKPOINT?
804fe4ff 746e                  je      nt!KiDispatchException+0xf9 (804fe56f)          ; yes: back Eip up onto the int 3
804fe501 3d04000010            cmp     eax,10000004h                                   ; KI_EXCEPTION_ACCESS_VIOLATION (internal trap code)?
804fe506 756d                  jne     nt!KiDispatchException+0xff (804fe575)
804fe508 c706050000c0          mov     dword ptr [esi],0C0000005h                      ; rewrite as STATUS_ACCESS_VIOLATION
804fe50e 807d1401              cmp     byte ptr [ebp+14h],1                            ; the rest of the AV fix-ups apply to user mode only
804fe512 7561                  jne     nt!KiDispatchException+0xff (804fe575)
804fe514 8d8518fdffff          lea     eax,[ebp-2E8h]
804fe51a 50                    push    eax                                             ; &ContextFrame
804fe51b 56                    push    esi                                             ; ExceptionRecord
804fe51c e86df7ffff            call    nt!KiCheckForAtlThunk (804fdc8e)                ; ATL thunk emulation for NX-protected heaps
804fe521 84c0                  test    al,al
804fe523 0f850c010000          jne     nt!KiDispatchException+0x1bf (804fe635)         ; emulated -> write context back and return
; DEP (NX) policy: if this is an execute fault but DEP is not enforced for this process, clear
; ExceptionInformation[0] so the process just sees an ordinary access violation.
804fe529 803d8002dfff01        cmp     byte ptr ds:[0FFDF0280h],1                      ; SharedUserData->ProcessorFeatures[PF_NX_ENABLED] (kernel view of KUSER_SHARED_DATA)
804fe530 7543                  jne     nt!KiDispatchException+0xff (804fe575)
804fe532 837e1408              cmp     dword ptr [esi+14h],8                           ; ExceptionInformation[0] == EXCEPTION_EXECUTE_FAULT?
804fe536 753d                  jne     nt!KiDispatchException+0xff (804fe575)
804fe538 f6056f5a558040        test    byte ptr [nt!KeFeatureBits+0x3 (80555a6f)],40h  ; KeFeatureBits bit 30 (global 32-bit execute allowed)
804fe53f 7527                  jne     nt!KiDispatchException+0xf2 (804fe568)          ; -> clear the execute flag
804fe541 64a124010000          mov     eax,dword ptr fs:[00000124h]                    ; KPCR.PrcbData.CurrentThread
804fe547 8b4044                mov     eax,dword ptr [eax+44h]                         ; KTHREAD.ApcState.Process
804fe54a f6406b02              test    byte ptr [eax+6Bh],2                            ; KPROCESS.Flags.ExecuteEnable (per-process DEP opt-out)
804fe54e 7518                  jne     nt!KiDispatchException+0xf2 (804fe568)          ; -> clear the execute flag
804fe550 f6056f5a558080        test    byte ptr [nt!KeFeatureBits+0x3 (80555a6f)],80h  ; KeFeatureBits bit 31 (global 32-bit no-execute)
804fe557 751c                  jne     nt!KiDispatchException+0xff (804fe575)          ; DEP enforced globally: keep the execute flag
804fe559 64a124010000          mov     eax,dword ptr fs:[00000124h]
804fe55f 8b4044                mov     eax,dword ptr [eax+44h]
804fe562 f6406b01              test    byte ptr [eax+6Bh],1                            ; KPROCESS.Flags.ExecuteDisable (per-process DEP opt-in)
804fe566 750d                  jne     nt!KiDispatchException+0xff (804fe575)          ; DEP enforced for this process: keep the execute flag
804fe568 33ff                  xor     edi,edi
804fe56a 897e14                mov     dword ptr [esi+14h],edi                         ; ExceptionInformation[0] = 0 (report as plain read AV)
804fe56d eb08                  jmp     nt!KiDispatchException+0x101 (804fe577)
804fe56f ff8dd0fdffff          dec     dword ptr [ebp-230h]                            ; breakpoint: ContextFrame.Eip -= 1 (Eip is at CONTEXT+0B8h)
804fe575 33ff                  xor     edi,edi                                         ; edi = 0 for the rest of the function
804fe577 807d1400              cmp     byte ptr [ebp+14h],0                            ; PREVIOUS MODE
804fe57b 7565                  jne     nt!KiDispatchException+0x16c (804fe5e2)
; === KERNEL MODE ===
804fe57d 807d1801              cmp     byte ptr [ebp+18h],1                            ; FIRST CHANCE
804fe581 7535                  jne     nt!KiDispatchException+0x142 (804fe5b8)
; --- FIRST CHANCE ---
804fe583 a164c65580            mov     eax,dword ptr [nt!KiDebugRoutine (8055c664)]    ; kd trap handler (NULL when no kernel debugger)
804fe588 3bc7                  cmp     eax,edi                                         ; edi = 0, check if kd attached
804fe58a 741b                  je      nt!KiDispatchException+0x131 (804fe5a7)         ; no kd attached, walk the kernel SEH chain instead
; kd attached: KiDebugRoutine(TrapFrame, ExceptionFrame, ExceptionRecord, &ContextFrame, PreviousMode, SecondChance)
804fe58c 57                    push    edi                                             ; SecondChance = FALSE
804fe58d 57                    push    edi                                             ; PreviousMode = KernelMode
804fe58e 8d8d18fdffff          lea     ecx,[ebp-2E8h]
804fe594 51                    push    ecx                                             ; &ContextFrame
804fe595 56                    push    esi                                             ; ExceptionRecord
804fe596 ffb510fdffff          push    dword ptr [ebp-2F0h]                            ; ExceptionFrame
804fe59c 53                    push    ebx                                             ; TrapFrame
804fe59d ffd0                  call    eax                                             ; KiDebugRoutine
804fe59f 84c0                  test    al,al                                           ; handled?
804fe5a1 0f858e000000          jne     nt!KiDispatchException+0x1bf (804fe635)         ; handled: write context back and return
804fe5a7 8d8518fdffff          lea     eax,[ebp-2E8h]                                  ; not handled: dispatch to kernel-mode SEH handlers
804fe5ad 50                    push    eax                                             ; &ContextFrame
804fe5ae 56                    push    esi                                             ; ExceptionRecord
804fe5af e8e6290300            call    nt!RtlDispatchException (80530f9a)
804fe5b4 3c01                  cmp     al,1
804fe5b6 747d                  je      nt!KiDispatchException+0x1bf (804fe635)         ; a kernel SEH handler took it
; --- SECOND CHANCE ---
804fe5b8 a164c65580            mov     eax,dword ptr [nt!KiDebugRoutine (8055c664)]
804fe5bd 3bc7                  cmp     eax,edi                                         ; check if kd attached
804fe5bf 0f8451020000          je      nt!KiDispatchException+0x3a0 (804fe816)         ; unhandled, no kd -> KeBugCheckEx
804fe5c5 6a01                  push    1                                               ; SecondChance = TRUE
804fe5c7 57                    push    edi                                             ; PreviousMode = KernelMode
804fe5c8 8d8d18fdffff          lea     ecx,[ebp-2E8h]
804fe5ce 51                    push    ecx                                             ; &ContextFrame
804fe5cf 56                    push    esi                                             ; ExceptionRecord
804fe5d0 ffb510fdffff          push    dword ptr [ebp-2F0h]                            ; ExceptionFrame
804fe5d6 53                    push    ebx                                             ; TrapFrame
804fe5d7 ffd0                  call    eax                                             ; KiDebugRoutine
804fe5d9 84c0                  test    al,al
804fe5db 7558                  jne     nt!KiDispatchException+0x1bf (804fe635)         ; kd handled the exception
804fe5dd e934020000            jmp     nt!KiDispatchException+0x3a0 (804fe816)         ; kd declined -> KeBugCheckEx
; === USER MODE ===
804fe5e2 807d1801              cmp     byte ptr [ebp+18h],1                            ; FIRST CHANCE
804fe5e6 0f85fe010000          jne     nt!KiDispatchException+0x374 (804fe7ea)
; --- FIRST CHANCE ---
804fe5ec 393d64c65580          cmp     dword ptr [nt!KiDebugRoutine (8055c664)],edi
804fe5f2 746d                  je      nt!KiDispatchException+0x1eb (804fe661)         ; no kd attached, forward to user mode
804fe5f4 64a124010000          mov     eax,dword ptr fs:[00000124h]                    ; current KTHREAD (we're in ring 0, so fs = KPCR)
804fe5fa 8b4044                mov     eax,dword ptr [eax+44h]                         ; KTHREAD.ApcState.Process (K/EPROCESS)
804fe5fd 39b8bc000000          cmp     dword ptr [eax+0BCh],edi                        ; EPROCESS.DebugPort == NULL? (XP offset)
; !!! To route every first-chance user-mode exception to kd, make this jump unconditional
; !!! (74 13 -> EB 13, or `ba e1 nt!KiDispatchException+0x18d "r zf=1;g"`). See header.
804fe603 7413                  je      nt!KiDispatchException+0x1a2 (804fe618)         ; process has no debug port -> call kd handler directly
804fe605 6a01                  push    1                                               ; PreviousMode = UserMode
804fe607 8d8518fdffff          lea     eax,[ebp-2E8h]
804fe60d 50                    push    eax                                             ; &ContextFrame
804fe60e 56                    push    esi                                             ; ExceptionRecord
804fe60f e8fcdc1600            call    nt!KdIsThisAKdTrap (8066c310)                   ; debugged process: does kd still want this trap?
804fe614 84c0                  test    al,al
804fe616 7449                  je      nt!KiDispatchException+0x1eb (804fe661)         ; no, forward to user mode
; call kd handler: KiDebugRoutine(TrapFrame, ExceptionFrame, ExceptionRecord, &ContextFrame, PreviousMode, SecondChance)
804fe618 57                    push    edi                                             ; SecondChance = FALSE
804fe619 ff7514                push    dword ptr [ebp+14h]                             ; PreviousMode (UserMode here)
804fe61c 8d8518fdffff          lea     eax,[ebp-2E8h]
804fe622 50                    push    eax                                             ; &ContextFrame
804fe623 56                    push    esi                                             ; ExceptionRecord
804fe624 ffb510fdffff          push    dword ptr [ebp-2F0h]                            ; ExceptionFrame
804fe62a 53                    push    ebx                                             ; TrapFrame
804fe62b ff1564c65580          call    dword ptr [nt!KiDebugRoutine (8055c664)]        ; call kd
804fe631 84c0                  test    al,al                                           ; handled?
804fe633 742c                  je      nt!KiDispatchException+0x1eb (804fe661)         ; not handled (kd declined) -> forward to user mode
; exception handled by kd / kernel SEH / ATL thunk emulation:
; KeContextToKframes(TrapFrame, ExceptionFrame, &ContextFrame, ContextFlags, PreviousMode) -- write the
; (possibly modified) CONTEXT back into the trap frame so execution resumes with the debugger's changes
804fe635 ff7514                push    dword ptr [ebp+14h]                             ; PreviousMode
804fe638 ffb518fdffff          push    dword ptr [ebp-2E8h]                            ; ContextFlags
804fe63e 8d8518fdffff          lea     eax,[ebp-2E8h]
804fe644 50                    push    eax                                             ; &ContextFrame
804fe645 ffb510fdffff          push    dword ptr [ebp-2F0h]                            ; ExceptionFrame
804fe64b 53                    push    ebx                                             ; TrapFrame
804fe64c e871f9ffff            call    nt!KeContextToKframes (804fdfc2)
; common return (also reached directly, without the context write-back, from the user-mode "handled" paths)
804fe651 8b4de4                mov     ecx,dword ptr [ebp-1Ch]
804fe654 e86ffbfeff            call    nt!__security_check_cookie (804ee1c8)           ; /GS check of the cookie saved at 804fe48a
804fe659 e87dd50300            call    nt!_SEH_epilog (8053bbdb)
804fe65e c21400                ret     14h
; forward to user mode: DbgkForwardException(ExceptionRecord, DebugException, SecondChance)
804fe661 57                    push    edi                                             ; SecondChance = FALSE
804fe662 6a01                  push    1                                               ; DebugException = TRUE: deliver to the process's debug port
804fe664 56                    push    esi                                             ; ExceptionRecord
804fe665 e8244f1400            call    nt!DbgkForwardException (8064358e)
804fe66a 84c0                  test    al,al                                           ; 0 if the process has no debug port, or it has one but the debugger did not handle the exception
804fe66c 75e3                  jne     nt!KiDispatchException+0x1db (804fe651)         ; handled by the user-mode debugger -> return (no context write-back)
; No user-mode debugger, or it declined: build a frame on the USER stack and redirect the thread to
; KeUserExceptionDispatcher (ntdll!KiUserExceptionDispatcher) so user-mode SEH runs.
; All user-memory writes below sit inside a __try; a bad user Esp raises instead of crashing the kernel.
804fe66e 89bd60fcffff          mov     dword ptr [ebp-3A0h],edi                        ; captured exception code = 0
804fe674 897dfc                mov     dword ptr [ebp-4],edi                           ; enter __try (try level 0); retry target for STATUS_STACK_OVERFLOW
804fe677 837b7823              cmp     dword ptr [ebx+78h],23h                         ; TrapFrame.HardwareSegSs == KGDT_R3_DATA|RPL3 (flat user stack)?
804fe67b 7506                  jne     nt!KiDispatchException+0x20d (804fe683)
804fe67d f6437202              test    byte ptr [ebx+72h],2                            ; TrapFrame.EFlags bit 17 (VM) -- V86-mode frame?
804fe681 7422                  je      nt!KiDispatchException+0x22f (804fe6a5)         ; normal flat user frame: go build the dispatch frame
; Non-flat SS or V86 frame: refuse, raise STATUS_ACCESS_VIOLATION inside the __try so the
; __except below turns it into second-chance handling for the process.
804fe683 c785b0fcffff050000c0  mov     dword ptr [ebp-350h],0C0000005h                 ; rec.ExceptionCode = STATUS_ACCESS_VIOLATION
804fe68d 89bdb4fcffff          mov     dword ptr [ebp-34Ch],edi                        ; rec.ExceptionFlags = 0
804fe693 89bdc0fcffff          mov     dword ptr [ebp-340h],edi                        ; rec.NumberParameters = 0
804fe699 8d85b0fcffff          lea     eax,[ebp-350h]
804fe69f 50                    push    eax
804fe6a0 e8ef880400            call    nt!ExRaiseException (80546f94)                  ; does not return here
; 1) push the CONTEXT onto the user stack
804fe6a5 b8cc020000            mov     eax,2CCh                                        ; sizeof(CONTEXT) on x86
804fe6aa 898504fdffff          mov     dword ptr [ebp-2FCh],eax                        ; copy length
804fe6b0 8bbddcfdffff          mov     edi,dword ptr [ebp-224h]                        ; ContextFrame.Esp (CONTEXT+0C4h) -- the user's stack pointer
804fe6b6 83e7fc                and     edi,0FFFFFFFCh                                  ; dword-align
804fe6b9 2bf8                  sub     edi,eax                                         ; reserve room for the CONTEXT copy
804fe6bb 89bd0cfdffff          mov     dword ptr [ebp-2F4h],edi                        ; user address of CONTEXT copy
804fe6c1 6a04                  push    4                                               ; Alignment
804fe6c3 50                    push    eax                                             ; Length
804fe6c4 57                    push    edi                                             ; Address
804fe6c5 e8b2731100            call    nt!ProbeForWrite (80615a7c)                     ; validate user range (raises on kernel addresses / unmapped pages)
804fe6ca b9b3000000            mov     ecx,0B3h                                        ; 0B3h dwords = 2CCh bytes
804fe6cf 8db518fdffff          lea     esi,[ebp-2E8h]
804fe6d5 f3a5                  rep movs dword ptr es:[edi],dword ptr [esi]            ; copy ContextFrame -> user stack
; 2) push the EXCEPTION_RECORD (14h-byte header + NumberParameters dwords, dword-aligned) below it
804fe6d7 8b8514fdffff          mov     eax,dword ptr [ebp-2ECh]                        ; ExceptionRecord
804fe6dd 8b7010                mov     esi,dword ptr [eax+10h]                         ; NumberParameters
804fe6e0 8d34b517000000        lea     esi,[esi*4+17h]
804fe6e7 83e6fc                and     esi,0FFFFFFFCh                                  ; size = (NumberParameters*4 + 14h) rounded to dword
804fe6ea 89b504fdffff          mov     dword ptr [ebp-2FCh],esi                        ; copy length
804fe6f0 8bbd0cfdffff          mov     edi,dword ptr [ebp-2F4h]
804fe6f6 2bfe                  sub     edi,esi
804fe6f8 89bd00fdffff          mov     dword ptr [ebp-300h],edi                        ; user address of EXCEPTION_RECORD copy
804fe6fe 6a04                  push    4                                               ; Alignment
804fe700 8d4608                lea     eax,[esi+8]
804fe703 50                    push    eax                                             ; Length = record + the two argument slots below it
804fe704 8d47f8                lea     eax,[edi-8]
804fe707 50                    push    eax                                             ; Address
804fe708 e86f731100            call    nt!ProbeForWrite (80615a7c)
804fe70d 8bce                  mov     ecx,esi
804fe70f 8bb514fdffff          mov     esi,dword ptr [ebp-2ECh]                        ; source = ExceptionRecord
804fe715 8bc1                  mov     eax,ecx
804fe717 c1e902                shr     ecx,2
804fe71a f3a5                  rep movs dword ptr es:[edi],dword ptr [esi]            ; whole dwords ...
804fe71c 8bc8                  mov     ecx,eax
804fe71e 83e103                and     ecx,3
804fe721 f3a4                  rep movs byte ptr es:[edi],byte ptr [esi]              ; ... then the 0-3 trailing bytes
; 3) arguments for KiUserExceptionDispatcher: [Esp] = &ExceptionRecord copy, [Esp+4] = &CONTEXT copy
804fe723 8b8d0cfdffff          mov     ecx,dword ptr [ebp-2F4h]                        ; user CONTEXT copy
804fe729 8b8500fdffff          mov     eax,dword ptr [ebp-300h]                        ; user EXCEPTION_RECORD copy
804fe72f 8948fc                mov     dword ptr [eax-4],ecx
804fe732 8d50f8                lea     edx,[eax-8]                                     ; edx = new user Esp (must survive the next call)
804fe735 8902                  mov     dword ptr [edx],eax
; 4) rewrite the trap frame so the iret lands in KeUserExceptionDispatcher with sanitized user selectors
804fe737 6a20                  push    20h                                             ; KGDT_R3_DATA (RPL applied by callee)
804fe739 53                    push    ebx                                             ; TrapFrame
804fe73a e873f4ffff            call    nt!KiSegSsToTrapFrame (804fdbb2)
804fe73f 52                    push    edx                                             ; new user Esp
804fe740 53                    push    ebx                                             ; TrapFrame
804fe741 e8bcf3ffff            call    nt!KiEspToTrapFrame (804fdb02)
; (PreviousMode != 0) ? 3 : 0 computed via neg/sbb/and -> RPL; selectors are forced, never taken from the incoming frame
804fe746 8b4514                mov     eax,dword ptr [ebp+14h]                         ; PreviousMode
804fe749 8ac8                  mov     cl,al
804fe74b f6d9                  neg     cl                                              ; CF = (PreviousMode != 0)
804fe74d 1bc9                  sbb     ecx,ecx                                         ; ecx = CF ? -1 : 0
804fe74f 83e103                and     ecx,3                                           ; RPL
804fe752 83c118                add     ecx,18h                                         ; KGDT_R3_CODE | RPL = 1Bh
804fe755 894b6c                mov     dword ptr [ebx+6Ch],ecx                         ; TrapFrame.SegCs
804fe758 8ac8                  mov     cl,al
804fe75a f6d9                  neg     cl
804fe75c 1bc9                  sbb     ecx,ecx
804fe75e 83e103                and     ecx,3
804fe761 83c120                add     ecx,20h                                         ; KGDT_R3_DATA | RPL = 23h
804fe764 894b38                mov     dword ptr [ebx+38h],ecx                         ; TrapFrame.SegDs
804fe767 894b34                mov     dword ptr [ebx+34h],ecx                         ; TrapFrame.SegEs
804fe76a f6d8                  neg     al
804fe76c 1bc0                  sbb     eax,eax
804fe76e 83e003                and     eax,3
804fe771 83c038                add     eax,38h                                         ; KGDT_R3_TEB | RPL = 3Bh
804fe774 894350                mov     dword ptr [ebx+50h],eax                         ; TrapFrame.SegFs
804fe777 83633000              and     dword ptr [ebx+30h],0                           ; TrapFrame.SegGs = 0
804fe77b a170c65580            mov     eax,dword ptr [nt!KeUserExceptionDispatcher (8055c670)] ; ntdll!KiUserExceptionDispatcher
804fe780 894368                mov     dword ptr [ebx+68h],eax                         ; TrapFrame.Eip = KeUserExceptionDispatcher
804fe783 834dfcff              or      dword ptr [ebp-4],0FFFFFFFFh                    ; leave __try
804fe787 e9c5feffff            jmp     nt!KiDispatchException+0x1db (804fe651)         ; done: thread resumes in user-mode dispatcher
; __except filter: capture the exception raised inside the __try (ProbeForWrite / ExRaiseException)
804fe78c 8b45ec                mov     eax,dword ptr [ebp-14h]                         ; presumably EXCEPTION_POINTERS* left by _SEH_prolog's handler
804fe78f ff30                  push    dword ptr [eax]                                 ; ->ExceptionRecord
804fe791 8d8560fcffff          lea     eax,[ebp-3A0h]
804fe797 50                    push    eax                                             ; destination
804fe798 e841f4ffff            call    nt!KiCopyInformation (804fdbde)                 ; copy record; return value is the filter disposition
804fe79d c3                    ret
; __except handler body
804fe79e 8b65e8                mov     esp,dword ptr [ebp-18h]                         ; restore esp saved by _SEH_prolog
804fe7a1 81bd60fcfffffd0000c0  cmp     dword ptr [ebp-3A0h],0C00000FDh                 ; STATUS_STACK_OVERFLOW (guard page hit while probing)?
804fe7ab 752b                  jne     nt!KiDispatchException+0x362 (804fe7d8)
; Stack overflow: replace the original exception with the stack-overflow record (keeping the
; original ExceptionAddress) and retry the user-stack frame construction.
804fe7ad 8bbd14fdffff          mov     edi,dword ptr [ebp-2ECh]                        ; original ExceptionRecord
804fe7b3 8b470c                mov     eax,dword ptr [edi+0Ch]                         ; original ExceptionAddress
804fe7b6 89856cfcffff          mov     dword ptr [ebp-394h],eax                        ; captured.ExceptionAddress = original address
804fe7bc 6a14                  push    14h
804fe7be 59                    pop     ecx                                             ; 14h dwords = sizeof(EXCEPTION_RECORD) = 50h
804fe7bf 8db560fcffff          lea     esi,[ebp-3A0h]
804fe7c5 f3a5                  rep movs dword ptr es:[edi],dword ptr [esi]            ; overwrite the caller's record in place
804fe7c7 834dfcff              or      dword ptr [ebp-4],0FFFFFFFFh                    ; leave __try
804fe7cb 8b9d08fdffff          mov     ebx,dword ptr [ebp-2F8h]                        ; ebx = TrapFrame
804fe7d1 33ff                  xor     edi,edi
804fe7d3 e99cfeffff            jmp     nt!KiDispatchException+0x1fe (804fe674)         ; retry (repeats until the probe stops raising STATUS_STACK_OVERFLOW)
; Any other failure (e.g. unwritable or kernel-range user Esp): fall into second-chance handling
804fe7d8 834dfcff              or      dword ptr [ebp-4],0FFFFFFFFh                    ; leave __try
804fe7dc 8b9d08fdffff          mov     ebx,dword ptr [ebp-2F8h]                        ; ebx = TrapFrame
804fe7e2 33ff                  xor     edi,edi
804fe7e4 8bb514fdffff          mov     esi,dword ptr [ebp-2ECh]                        ; esi = ExceptionRecord
; --- SECOND CHANCE USER MODE ---
804fe7ea 6a01                  push    1                                               ; SecondChance = TRUE
804fe7ec 6a01                  push    1                                               ; DebugException = TRUE: debug port (user-mode debugger)
804fe7ee 56                    push    esi                                             ; ExceptionRecord
804fe7ef e89a4d1400            call    nt!DbgkForwardException (8064358e)
804fe7f4 84c0                  test    al,al
804fe7f6 0f8555feffff          jne     nt!KiDispatchException+0x1db (804fe651)         ; debugger handled it -> return
; process has no user-mode debugger or the debugger didn't handle the exception
804fe7fc 6a01                  push    1                                               ; SecondChance = TRUE
804fe7fe 57                    push    edi                                             ; DebugException = FALSE: exception port (CSRSS / error reporting)
804fe7ff 56                    push    esi                                             ; ExceptionRecord
804fe800 e8894d1400            call    nt!DbgkForwardException (8064358e)
804fe805 84c0                  test    al,al
804fe807 0f8544feffff          jne     nt!KiDispatchException+0x1db (804fe651)         ; exception port handled it -> return
; still not handled - terminate the process with the exception code as exit status
804fe80d ff36                  push    dword ptr [esi]                                 ; ExitStatus = ExceptionCode
804fe80f 6aff                  push    0FFFFFFFFh                                      ; NtCurrentProcess()
804fe811 e83a290000            call    nt!ZwTerminateProcess (80501150)
; Bugcheck. Reached from the kernel-mode second-chance paths; also the deliberate fall-through
; if terminating the current process somehow returns.
; KeBugCheckEx(KERNEL_MODE_EXCEPTION_NOT_HANDLED, ExceptionCode, ExceptionAddress, TrapFrame, 0)
804fe816 57                    push    edi                                             ; 0
804fe817 53                    push    ebx                                             ; TrapFrame
804fe818 ff760c                push    dword ptr [esi+0Ch]                             ; ExceptionAddress
804fe81b ff36                  push    dword ptr [esi]                                 ; ExceptionCode
804fe81d 688e000000            push    8Eh                                             ; KERNEL_MODE_EXCEPTION_NOT_HANDLED
804fe822 e801b7ffff            call    nt!KeBugCheckEx (804f9f28)
804fe827 cc                    int     3                                               ; unreachable guard