
I'm reversing a program that dynamically loads SetUnhandledExceptionFilter and uses it to set a function as an exception handler. It then calls int 2D - so that execution transfers to the function only when the program is not being debugged.

I want to see how the function behaves dynamically - specifically because I'm having trouble understanding how it works with its EXCEPTION_POINTER* parameter - but I can't really do that because execution won't even transfer there while I'm debugging.

How can I make IDA execute int 2D so that I can see execution transfer to the exception handler function and see its behavior dynamically?

I tried following the advice in this answer, but it didn't help: changing 0x2DCD to 0x2DFF had the exact same effect - the program crashed.

Tristan

1 Answer


The KERNEL32.UnhandledExceptionFilter() is special, because it checks for the presence of a debugger, and refuses to call the process-defined UnhandledExceptionFilter() if one is present. In order to reach the process-defined routine, you need to set a breakpoint on NTDLL.NtQueryInformationProcess(), and check for these parameters on the stack: -1, 7, a pointer, 4, 0. When you see it, you can step over the function, change the return value to -1, and resume execution. Then the filter function will be called.

peter ferrie
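The breakpoint procedure from the answer can be scripted so the analyst does not have to eyeball the stack on every hit. This is an added IDAPython example, not code from the answer or from IDA; it assumes a 32-bit x86 target (stdcall arguments on the stack), that IDA names the import `ntdll_NtQueryInformationProcess`, and the `idc` function names of IDA 7.x.

```python
# Added example; assumed IDAPython API names (idc.*) and import name, see lead-in.
try:
    import idc          # only available when running inside IDA
except ImportError:     # lets the matching logic be exercised outside IDA
    idc = None

PROCESS_DEBUG_PORT = 7                            # ProcessInformationClass the answer mentions
NTQIP_NAME = "ntdll_NtQueryInformationProcess"    # assumption: IDA's name for the import
STATUS_FAIL = 0xFFFFFFFF                          # the -1 return value from the answer

def is_debug_port_query(args):
    """args = the five stdcall arguments (dwords above the return address).
    Matches the NtQueryInformationProcess(-1, 7, <ptr>, 4, 0) shape from the answer."""
    if len(args) != 5:
        return False
    handle, info_class, buf, buf_len, ret_len = (a & 0xFFFFFFFF for a in args)
    return (handle == 0xFFFFFFFF and info_class == PROCESS_DEBUG_PORT
            and buf != 0 and buf_len == 4 and ret_len == 0)

def on_query_entry():
    """Breakpoint condition on NtQueryInformationProcess entry (x86, 32-bit)."""
    esp = idc.get_reg_value("ESP")
    args = [idc.get_wide_dword(esp + 4 * i) for i in range(1, 6)]
    if is_debug_port_query(args):
        ret_addr = idc.get_wide_dword(esp)        # return into UnhandledExceptionFilter
        idc.add_bpt(ret_addr)
        idc.set_bpt_cond(ret_addr, "on_query_return()")
    return False    # never suspend here; let the syscall run

def on_query_return():
    """Fires right after the call returns: replace the status with -1."""
    here = idc.get_reg_value("EIP")
    idc.set_reg_value(STATUS_FAIL, "EAX")
    idc.del_bpt(here)
    return True     # suspend now; step from here into the process's filter

def install():
    """Arm the entry breakpoint; run once ntdll is loaded in the debuggee."""
    ea = idc.get_name_ea_simple(NTQIP_NAME)
    if ea == idc.BADADDR:
        raise RuntimeError("resolve NtQueryInformationProcess once ntdll is loaded")
    idc.add_bpt(ea)
    idc.set_bpt_cond(ea, "on_query_entry()")

if idc is not None:
    install()
```

Run it as a script file inside IDA with Python set as the default script language, so the condition strings can find `on_query_entry` and `on_query_return` in the global namespace.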