« Blocked thread, historical information, execution residue, hidden exception, dynamic memory corruption, incorrect stack trace and not my version: pattern cooperation
Unusual in Windows 7 »

FinalExceptionHandler

I looked at thread raw stack in a process dump from Windows Server 2008 and found ntdll!FinalExceptionHandler symbol:

Loading Dump File [App.dmp]
User Mini Dump File with Full Memory: Only application data is available
Windows Server 2008/Windows Vista Version 6001 (Service Pack 1) MP (4 procs) Free x86 compatible

0:000> !teb
TEB at 7ffde000
    ExceptionList:        0022fdd8
    StackBase:            00230000
    StackLimit:           00225000
    SubSystemTib:         00000000
    FiberData:            00001e00
    ArbitraryUserPointer: 00000000
    Self:                 7ffde000
    EnvironmentPointer:   00000000
    ClientId:             00002458 . 00002478
    RpcHandle:            00000000
    Tls Storage:          7ffde02c
    PEB Address:          7ffdf000
    LastErrorValue:       0
    LastStatusValue:      c0000035
    Count Owned Locks:    0
    HardErrorMode:        0

0:000> dds 00225000 00230000
[...]
0022ff7c  00000000
0022ff80  00000000
0022ff84  00000000
0022ff88  0022ff94
0022ff8c  76744911 kernel32!BaseThreadInitThunk+0xe
0022ff90  7ffdf000
0022ff94  0022ffd4
0022ff98  77b5e4b6 ntdll!__RtlUserThreadStart+0x23
0022ff9c  7ffdf000
0022ffa0  2497b80a
0022ffa4  00000000
0022ffa8  00000000
0022ffac  7ffdf000
0022ffb0  00000000
0022ffb4  00000000
0022ffb8  00000000
0022ffbc  0022ffa0
0022ffc0  00000000
0022ffc4  0022ffe4
0022ffc8  77b29834 ntdll!_except_handler4
0022ffcc  530d7826
0022ffd0  00000000
0022ffd4  0022ffec
0022ffd8  77b5e489 ntdll!_RtlUserThreadStart+0x1b
0022ffdc  00401110 App+0x1110
0022ffe0  7ffdf000
0022ffe4  ffffffff
0022ffe8  77bc75de ntdll!FinalExceptionHandler
0022ffec  00000000
0022fff0  00000000
0022fff4  00401110 App+0×1110
0022fff8  7ffdf000
0022fffc  00000000
00230000  78746341

Search on Internet led me to this very interesting review article about Windows memory protection mechanisms:

http://taossa.com/archive/bh08sotirovdowd.pdf

It also explains this new “Final” exception mechanism in W2K8.

I couldn’t find this in raw stack traces on Windows 7 so it might be the case that it is not enabled by default there like in Windows Vista.

- Dmitry Vostokov @ DumpAnalysis.org -

This entry was posted on Friday, April 24th, 2009 at 11:14 am and is filed under Crash Dump Analysis, Security, Vista, Windows 7, Windows Server 2008. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

3 Responses to “FinalExceptionHandler”

  1. Dmitry Vostokov Says:
    April 24th, 2009 at 3:36 pm

    I see it also in the exception chain:

    0:000> !exchain
    0022fdd8: kernel32!_except_handler4+0 (7670e289)
    0022ffc4: ntdll!_except_handler4+0 (77b29834)
    0022ffe4: ntdll!FinalExceptionHandler+0 (77bc75de)

  2. Yuhong Bao Says:
    April 30th, 2009 at 7:04 am

    FinalExceptionHandler is part of a feature in Vista SP1 and Server 2008 called SEHOP:
    http://blogs.technet.com/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx

  3. Dmitry Vostokov Says:
    April 30th, 2009 at 7:49 am

    Thanks for pointing to SEHOP article!

Leave a Reply

You must be logged in to post a comment.