Hooking KiUserExceptionDispatcher: can't find typedef anywhere?


I'm writing a file protector that is similar to armadillo. So, I want to implement some kind of "nanomites" for anti-dump protection.

However, instead of opening my own process I've decided to hook KiUserExceptionDispatcher.

The problem is I don't know what is being passed to KiUserExceptionDispatcher, nor am I sure how to continue after I have determined the exception type is a STATUS_BREAKPOINT exception.

I've tried searching Google, but to no avail. All I find are results for KiDispatchException, which is hooked in rootkits.

Can someone provide me a typedef of this function, and tell me what I would do to continue after determining it was indeed a STATUS_BREAKPOINT exception? Would I call NtContinue after modifying the EIP context?

Or if this is not as simple as I think it is, should I just stick to the armadillo style? Debugging my own process?

Thanks.


The closest thing to documentation is going to be this MSJ article: A Crash Course on the Depths of Win32 Structured Exception Handling

It provides this as a sample of the basic prototype (from Figure 14):

KiUserExceptionDispatcher( PEXCEPTION_RECORD pExcptRec, CONTEXT * pContext )

In practice, I've also seen instances where the PEXCEPTION_RECORD was in the 3rd parameter and not the first (at least from WinDbg's perspective). There are also potential differences between x86 and x64 implementations.

Is there a reason you can't add an additional exception vector via AddVectoredExceptionHandler?

Additional reading: Under the Hood: New Vectored Exception Handling in Windows XP
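The following is an added example, not code from the question or the answer: a "nanomite" handler written against AddVectoredExceptionHandler (the alternative the answer suggests) instead of a hook on KiUserExceptionDispatcher. The protector's table of planted int3 bytes is looked up by the exception address; for a registered entry the handler patches Eip/Rip in the CONTEXT and returns EXCEPTION_CONTINUE_EXECUTION, which makes the user-mode dispatcher resume with the modified context via NtContinue, so no explicit NtContinue call is needed. Unregistered breakpoints and non-breakpoint exceptions fall through (EXCEPTION_CONTINUE_SEARCH). All nm_* names, the table layout and the runtime-generated int3 stub in main are assumptions of this example; the decision logic is kept free of Win32 types so it compiles and can be checked on any platform, while the live int3 round trip only runs on Windows.

```c
/* Added example, not from the question or the answer.  nm_* names, the table
 * layout and the demo stub are this example's own assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NM_STATUS_BREAKPOINT 0x80000003UL  /* ExceptionCode for an int3 (STATUS_BREAKPOINT) */
#define NM_ZF                0x40UL        /* zero flag, bit 6 of EFLAGS */

/* Values match EXCEPTION_CONTINUE_SEARCH (0) and EXCEPTION_CONTINUE_EXECUTION (-1). */
enum nm_action { NM_CONTINUE_SEARCH = 0, NM_CONTINUE_EXECUTION = -1 };
/* Which jump the protector replaced with the 0xCC byte. */
enum nm_kind { NM_JMP, NM_JZ, NM_JNZ };

typedef struct {
    uintptr_t addr;    /* address of the planted 0xCC byte */
    uintptr_t target;  /* destination of the jump it replaced */
    enum nm_kind kind;
} nm_entry;

/* Core decision, free of Win32 types so it can be exercised anywhere.
 * Windows reports the int3's own address in ExceptionAddress and leaves Eip/Rip
 * pointing at it, so "jump not taken" means resuming 1 byte past the 0xCC. */
enum nm_action nm_resolve(const nm_entry *tbl, size_t n, unsigned long code,
                          uintptr_t exc_addr, uintptr_t eflags, uintptr_t *new_ip)
{
    size_t i;
    if (code != NM_STATUS_BREAKPOINT)
        return NM_CONTINUE_SEARCH;          /* not a breakpoint: leave it to SEH/others */
    for (i = 0; i < n; i++) {
        int taken;
        if (tbl[i].addr != exc_addr)
            continue;
        switch (tbl[i].kind) {
        case NM_JMP: taken = 1; break;
        case NM_JZ:  taken = (eflags & NM_ZF) != 0; break;
        case NM_JNZ: taken = (eflags & NM_ZF) == 0; break;
        default:     return NM_CONTINUE_SEARCH;
        }
        *new_ip = taken ? tbl[i].target : exc_addr + 1;
        return NM_CONTINUE_EXECUTION;       /* dispatcher resumes with the patched context */
    }
    return NM_CONTINUE_SEARCH;              /* an int3 we did not plant, e.g. a debugger's */
}

/* Constructed table for the portable self-check (addresses are fictitious). */
const nm_entry nm_demo_table[2] = {
    { 0x1000, 0x2000, NM_JZ  },
    { 0x3000, 0x4000, NM_JMP },
};

#ifdef _WIN32
#include <windows.h>

static nm_entry g_table[1];   /* filled at runtime with the demo stub's address */

static LONG CALLBACK nm_veh(PEXCEPTION_POINTERS ep)
{
    uintptr_t ip = 0;
    enum nm_action a = nm_resolve(g_table, 1, ep->ExceptionRecord->ExceptionCode,
                                  (uintptr_t)ep->ExceptionRecord->ExceptionAddress,
                                  ep->ContextRecord->EFlags, &ip);
    if (a == NM_CONTINUE_EXECUTION) {
#if defined(_M_X64) || defined(__x86_64__)
        ep->ContextRecord->Rip = ip;
#else
        ep->ContextRecord->Eip = ip;
#endif
    }
    return (LONG)a;   /* -1: the dispatcher calls NtContinue with the new context */
}

int main(void)
{
    /* Constructed stub: int3 ; mov eax, 42 ; ret.  The int3 stands in for a removed jmp. */
    static const unsigned char stub[] = { 0xCC, 0xB8, 42, 0, 0, 0, 0xC3 };
    unsigned char *code = VirtualAlloc(NULL, sizeof stub, MEM_COMMIT | MEM_RESERVE,
                                       PAGE_EXECUTE_READWRITE);
    PVOID h;
    int r;
    if (!code) return 1;
    memcpy(code, stub, sizeof stub);
    FlushInstructionCache(GetCurrentProcess(), code, sizeof stub);

    g_table[0].addr   = (uintptr_t)code;
    g_table[0].target = (uintptr_t)code + 1;   /* "jump" straight to the mov */
    g_table[0].kind   = NM_JMP;

    h = AddVectoredExceptionHandler(1, nm_veh);  /* 1 = run before other handlers */
    r = ((int (*)(void))code)();                 /* hits the int3, handler resumes at +1 */
    RemoveVectoredExceptionHandler(h);
    VirtualFree(code, 0, MEM_RELEASE);
    printf("stub returned %d\n", r);             /* 42 when the nanomite was resolved */
    return r == 42 ? 0 : 1;
}
#else
int main(void)
{
    uintptr_t ip = 0;
    enum nm_action a = nm_resolve(nm_demo_table, 2, NM_STATUS_BREAKPOINT, 0x1000, NM_ZF, &ip);
    printf("live int3 demo needs Windows; table lookup: action=%d new_ip=0x%lx\n",
           (int)a, (unsigned long)ip);
    return (a == NM_CONTINUE_EXECUTION && ip == 0x2000) ? 0 : 1;
}
#endif
```

Registering the handler with First = 1 matters for the protector use case: a vectored handler runs before frame-based SEH, so an int3 you planted is resolved before any __try block in the protected code sees it, while int3s you did not plant are passed on untouched. Note that a debugger attached to the process still receives the breakpoint first (first-chance), which is exactly what makes nanomites an anti-dump/anti-debug measure rather than a transparent one.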