SEH相关数据结构（续）

继上一篇SEH相关数据结构，还有三个结构体很重要。

它们是EXCEPTION_POINTERS、EXCEPTION_RECORD、CONTEXT

当一个异常发生时，操作系统向引起异常的线程的堆栈里压入EXCEPTION_POINTERS结构：

typedef struct _EXCEPTION_POINTERS {
    PEXCEPTION_RECORD ExceptionRecord;
    PCONTEXT ContextRecord;
} EXCEPTION_POINTERS, *PEXCEPTION_POINTERS;

上篇文章的程序跟踪到此处时

00401017    8B06            mov eax,dword ptr ds:[esi]

Shift+F7进入异常刚发生时的系统代码处，EXCEPTION_POINTERS结构就在当前栈顶，那么当前堆栈的数据就是此结构的两个成员EXCEPTION_RECORD、CONTEXT。

EXCEPTION_RECORD结构

typedef struct _EXCEPTION_RECORD {
    DWORD    ExceptionCode;
    DWORD ExceptionFlags;
    struct _EXCEPTION_RECORD *ExceptionRecord;
    PVOID ExceptionAddress;
    DWORD NumberParameters;
    ULONG_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
    } EXCEPTION_RECORD;

这个结构包含有关最近发生异常的详细信息，这些信息独立于CPU。

这个ExceptionCode字段定义了产生异常的原因，下表列出了一些常见的异常原因：

异常原因	对应值	说明
STATUS_GUARD_PAGE_VIOLATION	080000001h	读写属性为PAGE_GUARD的页面
EXCEPTION_BREAKPOINT	080000003h	断点异常
EXCEPTION_SINGLE_STEP	080000004h	单步中断
EXCEPTION_INVALID_HANDLE	0C0000008h	向一个函数传递了一个无效句柄
EXCEPTION_ACCESS_VIOLATION	0C0000005h	读写内存冲突
EXCEPTION_ILLEGAL_INSTRUCTION	0C000001Dh	遇到无效指令
EXCEPTION_IN_PAGE_ERROR	0C0000006h	存取不存在的页面
EXCEPTION_INT_DIVIDE_BY_ZERO	0C0000094h	除零错误
EXCEPTION_STACK_OVERFLOW	0C00000FDh	堆栈溢出

00401017    8B06            mov eax,dword ptr ds:[esi]

这句会引发一个STATUS_GUARD_PAGE_VIOLATION异常，异常代码是0C0000005h

在堆栈中数据窗口跟随，发现如下：

0018FAD0  05 00 00 C0 00 00 00 00 00 00 00 00 17 10 40 00  ..?.......@.
0018FAE0  02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............

CONTEXT结构

CONTEXT结构是Win32API一个几乎唯一与处理器相关的结构，包括了线程运行时处理器各主要寄存器的完整镜像，用于保存线程运行环境。

其结构如下：

typedef struct _CONTEXT {

    //
    // The flags values within this flag control the contents of
    // a CONTEXT record.
    //
    // If the context record is used as an input parameter, then
    // for each portion of the context record controlled by a flag
    // whose value is set, it is assumed that that portion of the
    // context record contains valid context. If the context record
    // is being used to modify a threads context, then only that
    // portion of the threads context will be modified.
    //
    // If the context record is used as an IN OUT parameter to capture
    // the context of a thread, then only those portions of the thread's
    // context corresponding to set flags will be returned.
    //
    // The context record is never used as an OUT only parameter.
    //

    DWORD ContextFlags;

    //
    // This section is specified/returned if CONTEXT_DEBUG_REGISTERS is
    // set in ContextFlags.  Note that CONTEXT_DEBUG_REGISTERS is NOT
    // included in CONTEXT_FULL.
    //

    DWORD   Dr0;
    DWORD   Dr1;
    DWORD   Dr2;
    DWORD   Dr3;
    DWORD   Dr6;
    DWORD   Dr7;

    //
    // This section is specified/returned if the
    // ContextFlags word contians the flag CONTEXT_FLOATING_POINT.
    //

    FLOATING_SAVE_AREA FloatSave;

    //
    // This section is specified/returned if the
    // ContextFlags word contians the flag CONTEXT_SEGMENTS.
    //

    DWORD   SegGs;
    DWORD   SegFs;
    DWORD   SegEs;
    DWORD   SegDs;

    //
    // This section is specified/returned if the
    // ContextFlags word contians the flag CONTEXT_INTEGER.
    //

    DWORD   Edi;
    DWORD   Esi;
    DWORD   Ebx;
    DWORD   Edx;
    DWORD   Ecx;
    DWORD   Eax;

    //
    // This section is specified/returned if the
    // ContextFlags word contians the flag CONTEXT_CONTROL.
    //

    DWORD   Ebp;
    DWORD   Eip;
    DWORD   SegCs;              // MUST BE SANITIZED
    DWORD   EFlags;             // MUST BE SANITIZED
    DWORD   Esp;
    DWORD   SegSs;

    //
    // This section is specified/returned if the ContextFlags word
    // contains the flag CONTEXT_EXTENDED_REGISTERS.
    // The format and contexts are processor specific
    //

    BYTE    ExtendedRegisters[MAXIMUM_SUPPORTED_EXTENSION];

} CONTEXT;

我们可以看一下regEip处的内容，发现它正好是我们异常发生处的地址。又一个值得深入理解的结构~~~~