1. Software raise: NtRaiseException (ntdll) -> syscall -> SSDT -> NtRaiseException (ntoskrnl) -> KiRaiseException -> KiDispatchException -> KiDispatchExceptionToUser (sets TrapFrame->Rip = (ULONG64)KeUserExceptionDispatcher, the user-mode address of ntdll!KiUserExceptionDispatcher) -> KiExceptionExit -> KiServiceExit2 -> KiTrapReturn (pushes the trap frame, iretq). The return to user mode goes through the trap frame's Rip, which is why execution lands in KiUserExceptionDispatcher instead of at the instruction after the syscall.
2. Hardware trap (e.g. div 0): CPU -> KiTrap00Handler -> KiDispatchException -> KiEoiHelper -> KiTrapReturn. Same KiDispatchException / patched-trap-frame step as above; only the entry point differs (IDT handler instead of syscall).
filter = EXCEPTION_EXECUTE_HANDLER: RaiseException -> RtlRaiseException -> NtRaiseException (the Rip in the captured CONTEXT is the instruction after the RaiseException call: RtlRaiseException captures its own context with RtlCaptureContext and virtually unwinds one frame before passing it on, which is the "unwound once" effect visible here) -> kernel (path 1 above) -> KiUserExceptionDispatcher -> RtlDispatchException -> RtlCallVectoredHandlers (VEH; does nothing for a plain __try/__except) -> RtlpExecuteHandlerForException -> the frame's language handler, __C_specific_handler (vcruntime140d.dll for a debug CRT build; ntdll exports one as well; this is the key function) -> calls the filter expression of the __except block and acts on its return value. For EXCEPTION_EXECUTE_HANDLER it calls RtlUnwindEx -> RtlpUnwindInternal, which calls RtlpExecuteHandlerForUnwind on every frame being unwound so that __finally blocks and other unwind handlers run -> RtlRestoreContext sets Rip/Rsp directly to the __except block of the function whose frame registered the handler.
filter = EXCEPTION_CONTINUE_EXECUTION: same chain up to the filter call. __C_specific_handler simply returns ExceptionContinueExecution, no unwind -> RtlGuardRestoreContext restores the CONTEXT that was passed to NtRaiseException, i.e. execution resumes at the Rip captured when the kernel was entered (the instruction after the RaiseException call). Caveat: for a hardware fault that Rip is the faulting instruction itself, so the filter must remove the cause (or edit the CONTEXT reachable through EXCEPTION_POINTERS) before returning EXCEPTION_CONTINUE_EXECUTION, otherwise the fault fires again. An exception flagged EXCEPTION_NONCONTINUABLE cannot be continued this way; the dispatcher raises STATUS_NONCONTINUABLE_EXCEPTION instead.
filter = EXCEPTION_CONTINUE_SEARCH: this frame declines and RtlDispatchException keeps walking outer frames. If no frame accepts the exception, first-chance dispatch fails, KiUserExceptionDispatcher raises it a second time (NtRaiseException with FirstChance = FALSE), and with nothing taking it the process is terminated.
Stack layout on entry to KiUserExceptionDispatcher: rsp = CONTEXT, rsp + 0x4F0 = EXCEPTION_RECORD.
Inside the x64 CONTEXT: Rip = CONTEXT + 0xF8 (Rsp = CONTEXT + 0x98).
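Added example, not part of the original notes and not Microsoft's code: the public amd64 CONTEXT and EXCEPTION_RECORD layouts rebuilt from scratch, plus the frame that KiUserExceptionDispatcher receives, so the three offsets in the notes (Rip at CONTEXT+0xF8, Rsp at CONTEXT+0x98, EXCEPTION_RECORD at rsp+0x4F0) can be checked with offsetof()/sizeof() on any C11 compiler, and a small model of where __C_specific_handler sends execution for each of the three filter results described above. The sample frame is constructed; the addresses in it are made up, and the 0x20-byte gap between CONTEXT and EXCEPTION_RECORD is left opaque because the notes only give the two offsets.

```c
/* Added example: amd64 CONTEXT / EXCEPTION_RECORD layout reconstruction and a
 * model of the SEH filter dispositions. Sample data below is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef struct { uint64_t Low; int64_t High; } __attribute__((aligned(16))) M128A_T;

typedef struct {
    uint64_t P1Home, P2Home, P3Home, P4Home, P5Home, P6Home;  /* 0x000 */
    uint32_t ContextFlags, MxCsr;                              /* 0x030 */
    uint16_t SegCs, SegDs, SegEs, SegFs, SegGs, SegSs;         /* 0x038 */
    uint32_t EFlags;                                           /* 0x044 */
    uint64_t Dr0, Dr1, Dr2, Dr3, Dr6, Dr7;                     /* 0x048 */
    uint64_t Rax, Rcx, Rdx, Rbx, Rsp, Rbp, Rsi, Rdi;           /* 0x078, Rsp at 0x098 */
    uint64_t R8, R9, R10, R11, R12, R13, R14, R15;             /* 0x0B8 */
    uint64_t Rip;                                              /* 0x0F8 */
    uint8_t  FltSave[512];                                     /* 0x100 XMM_SAVE_AREA32 */
    M128A_T  VectorRegister[26];                               /* 0x300 */
    uint64_t VectorControl, DebugControl;                      /* 0x4A0 */
    uint64_t LastBranchToRip, LastBranchFromRip;               /* 0x4B0 */
    uint64_t LastExceptionToRip, LastExceptionFromRip;         /* 0x4C0 */
} __attribute__((aligned(16))) CONTEXT_AMD64;                  /* sizeof 0x4D0 */

typedef struct {
    uint32_t ExceptionCode;             /* 0x00 e.g. 0xC0000094 STATUS_INTEGER_DIVIDE_BY_ZERO */
    uint32_t ExceptionFlags;            /* 0x04 bit 0 = EXCEPTION_NONCONTINUABLE */
    uint64_t ExceptionRecord;           /* 0x08 nested record (pointer) */
    uint64_t ExceptionAddress;          /* 0x10 faulting instruction */
    uint32_t NumberParameters;          /* 0x18 */
    uint32_t Alignment;                 /* 0x1C */
    uint64_t ExceptionInformation[15];  /* 0x20 */
} EXCEPTION_RECORD64;                   /* sizeof 0x98 */

/* What ntdll!KiUserExceptionDispatcher finds at rsp. */
typedef struct {
    CONTEXT_AMD64      Context;         /* rsp + 0x000 */
    uint8_t            Gap[0x20];       /* rsp + 0x4D0, contents not given by the notes */
    EXCEPTION_RECORD64 Record;          /* rsp + 0x4F0 */
} KI_USER_EXCEPTION_FRAME;

_Static_assert(offsetof(CONTEXT_AMD64, Rsp) == 0x98, "Rsp offset");
_Static_assert(offsetof(CONTEXT_AMD64, Rip) == 0xF8, "Rip offset");
_Static_assert(sizeof(CONTEXT_AMD64) == 0x4D0, "CONTEXT size");
_Static_assert(sizeof(EXCEPTION_RECORD64) == 0x98, "EXCEPTION_RECORD size");
_Static_assert(offsetof(KI_USER_EXCEPTION_FRAME, Record) == 0x4F0, "record offset");

#define EXCEPTION_EXECUTE_HANDLER     1
#define EXCEPTION_CONTINUE_SEARCH     0
#define EXCEPTION_CONTINUE_EXECUTION (-1)
#define EXCEPTION_NONCONTINUABLE      0x1

typedef struct {
    uint32_t code;
    int      noncontinuable;
    uint64_t rip;       /* Context.Rip: where a continue would resume */
    uint64_t rsp;       /* Context.Rsp */
    uint64_t address;   /* Record.ExceptionAddress */
} DECODED_EXCEPTION;

/* Read the raw frame the way the dispatcher does: CONTEXT at rsp,
 * EXCEPTION_RECORD at rsp + 0x4F0. */
DECODED_EXCEPTION decode_dispatcher_frame(const uint8_t *rsp)
{
    KI_USER_EXCEPTION_FRAME f;
    memcpy(&f, rsp, sizeof f);   /* copy out: the raw buffer need not be 16-byte aligned */
    DECODED_EXCEPTION d = {
        .code = f.Record.ExceptionCode,
        .noncontinuable = (f.Record.ExceptionFlags & EXCEPTION_NONCONTINUABLE) != 0,
        .rip = f.Context.Rip, .rsp = f.Context.Rsp, .address = f.Record.ExceptionAddress };
    return d;
}

/* Model of the three filter results: EXECUTE_HANDLER -> RtlUnwindEx lands in the
 * __except body (handler_rip); CONTINUE_EXECUTION -> the saved Context is
 * restored, i.e. Context.Rip (0 for a noncontinuable exception, where the real
 * dispatcher raises STATUS_NONCONTINUABLE_EXCEPTION instead); CONTINUE_SEARCH ->
 * 0, meaning no decision in this frame, RtlDispatchException walks outward. */
uint64_t resume_rip(int filter_result, const DECODED_EXCEPTION *e, uint64_t handler_rip)
{
    switch (filter_result) {
    case EXCEPTION_EXECUTE_HANDLER:    return handler_rip;
    case EXCEPTION_CONTINUE_EXECUTION: return e->noncontinuable ? 0 : e->rip;
    default:                           return 0;
    }
}

/* Constructed sample: a divide-by-zero trap at a made-up user address; for a
 * hardware fault ExceptionAddress == Context.Rip (the faulting instruction). */
void build_sample_frame(uint8_t *rsp)
{
    KI_USER_EXCEPTION_FRAME f;
    memset(&f, 0, sizeof f);
    f.Context.Rip = 0x00007FF6A0001234ULL;   /* constructed */
    f.Context.Rsp = 0x000000D4C2AFF6E0ULL;   /* constructed */
    f.Record.ExceptionCode = 0xC0000094u;    /* STATUS_INTEGER_DIVIDE_BY_ZERO */
    f.Record.ExceptionAddress = f.Context.Rip;
    memcpy(rsp, &f, sizeof f);
}

int main(void)
{
    uint8_t stack[sizeof(KI_USER_EXCEPTION_FRAME)];
    build_sample_frame(stack);
    DECODED_EXCEPTION e = decode_dispatcher_frame(stack);
    printf("code=%08x rip=%016llx rsp=%016llx\n", e.code,
           (unsigned long long)e.rip, (unsigned long long)e.rsp);
    printf("CONTINUE_EXECUTION resumes at %016llx\n",
           (unsigned long long)resume_rip(EXCEPTION_CONTINUE_EXECUTION, &e, 0));
    return 0;
}
```

In a debugger, the same two reads (`dq rsp+0xF8` for Rip, `dd rsp+0x4F0` for the exception code) on a breakpoint at ntdll!KiUserExceptionDispatcher give the values that decode_dispatcher_frame extracts here; the _Static_asserts fail to compile if the reconstructed layout drifts from those offsets.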