六、异常信息流(ExceptionStream
)
异常信息流包含异常信息。包括发生异常的线程、异常记录信息、线程上下文等信息。它紧挨着杂项信息流(MiscInfoStream
)后面。
MiscInfoStream
信息如下:
0x124+0n1365=0x678
我们看看ExceptionStream
信息
可知ExceptionStream的RVA为678h=0x124+0n1365。所以,
MiscInfoStream
后面就是ExceptionStream
。大小168字节,ExceptionStream
数据如下:
ExceptionStream
的数据结构如下:
typedef struct MINIDUMP_EXCEPTION_STREAM { ULONG32 ThreadId; ULONG32 __alignment; MINIDUMP_EXCEPTION ExceptionRecord; MINIDUMP_LOCATION_DESCRIPTOR ThreadContext; } MINIDUMP_EXCEPTION_STREAM, *PMINIDUMP_EXCEPTION_STREAM;
成员解释如下:
ThreadId
导致异常的线程的标识符。
__alignment
用于对齐的变量。
ExceptionRecord
一个 MINIDUMP_EXCEPTION 结构,记录异常相关信息.
ThreadContext
一个MINIDUMP_LOCATION_DESCRIPTOR 结构(见Dump文件数据存储格式(一)).指向的是CPU上下文偏移。指向CPU特定的上下文结构的指针,该结构包含异常发生时线程的上下文。用那个上下文结构的解释取决于MINIDUMP_SYSTEM_INFO::ProcessorArchitecture。
MINIDUMP_EXCEPTION结构如下:
typedef struct _MINIDUMP_EXCEPTION { ULONG32 ExceptionCode; ULONG32 ExceptionFlags; ULONG64 ExceptionRecord; ULONG64 ExceptionAddress; ULONG32 NumberParameters; ULONG32 __unusedAlignment; ULONG64 ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS]; } MINIDUMP_EXCEPTION, *PMINIDUMP_EXCEPTION;
它包含了异常记录信息,成员如下:
ExceptionCode
异常发生的原因。这是由硬件异常生成的代码,或者是在RaiseException函数中为软件生成的异常指定的代码。以下是由于常见编程错误而可能出现的异常代码。
Value | Meaning |
---|---|
|
The thread tried to read from or write to a virtual address for which it does not have the appropriate access. |
|
The thread tried to access an array element that is out of bounds and the underlying hardware supports bounds checking. |
|
A breakpoint was encountered. |
|
The thread tried to read or write data that is misaligned on hardware that does not provide alignment. For example, 16-bit values must be aligned on 2-byte boundaries; 32-bit values on 4-byte boundaries, and so on. |
|
One of the operands in a floating-point operation is denormal. A denormal value is one that is too small to represent as a standard floating-point value. |
|
The thread tried to divide a floating-point value by a floating-point divisor of zero. |
|
The result of a floating-point operation cannot be represented exactly as a decimal fraction. |
|
This exception represents any floating-point exception not included in this list. |
|
The exponent of a floating-point operation is greater than the magnitude allowed by the corresponding type. |
|
The stack overflowed or underflowed as the result of a floating-point operation. |
|
The exponent of a floating-point operation is less than the magnitude allowed by the corresponding type. |
|
The thread tried to execute an invalid instruction. |
|
The thread tried to access a page that was not present, and the system was unable to load the page. For example, this exception might occur if a network connection is lost while running a program over the network. |
|
The thread tried to divide an integer value by an integer divisor of zero. |
|
The result of an integer operation caused a carry out of the most significant bit of the result. |
|
An exception handler returned an invalid disposition to the exception dispatcher. Programmers using a high-level language such as C should never encounter this exception. |
|
The thread tried to continue execution after a noncontinuable exception occurred. |
|
The thread tried to execute an instruction whose operation is not allowed in the current machine mode. |
|
A trace trap or other single-instruction mechanism signaled that one instruction has been executed. |
|
The thread used up its stack. |
调试控制台进程时可能会出现另一个异常代码。它不是因为编程错误而产生的。当将CTRL+C输入到处理CTRL+C信号并正在调试的控制台进程时,DBG_CONTROL_C异常代码发生。此异常代码不打算由应用程序处理。它仅为调试器而引发,并且仅当调试器附加到控制台进程时才会引发。
ExceptionFlags
此成员可以是零,表示可继续的异常,也可以是表示EXCEPTION_NONCONTINUABLE。任何在EXCEPTION_NONCONTINUABLE_EXCEPTION之后继续执行的尝试都会导致异常。
ExceptionRecord
指向关联的小型转储异常结构的指针。异常记录可以链接在一起,以便在发生嵌套异常时提供附加信息。
ExceptionAddress
发生异常的地址
NumberParameters
与异常关联的参数个数。这是ExceptionInformation数组中定义的元素个数
__unusedAlignment
预留跨平台结构对齐。不要设置。
ExceptionInformation
描述异常的附加参数数组。RaiseException函数可以指定此参数数组。对于大多数异常代码,数组元素是未定义的。对于以下异常代码,数组元素的定义如下。
Exception code | Meaning |
---|---|
|
The first element of the array contains a read/write flag that indicates the type of operation that caused the access violation. If this value is zero, the thread attempted to read the inaccessible data. If this value is 1, the thread attempted to write to an inaccessible address.
The second array element specifies the virtual address of the inaccessible data. |
可以看到这个结构其实就是EXCEPTION_RCORD的变体。
我们可以从这个流得出结论:这个dmp文件包含了异常,这个异常由id=4620的线程产生,在地址0x553070cc处对0x00000000地址进行写操作失败的异常。