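Dump File Data Storage Format (4)

6. Exception Stream (ExceptionStream)

The exception stream holds the exception information: the thread that raised the exception, the exception record, the thread context and so on. It immediately follows the miscellaneous information stream (MiscInfoStream).

The MiscInfoStream information is as follows:

0x124+0n1365=0x678

Now let's look at the ExceptionStream information:

So the RVA of the ExceptionStream is 678h = 0x124+0n1365, which means the ExceptionStream comes right after the MiscInfoStream. It is 168 bytes in size, and its data is as follows:

The data structure of the ExceptionStream is as follows: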

typedef struct MINIDUMP_EXCEPTION_STREAM {
  ULONG32                      ThreadId;
  ULONG32                      __alignment;
  MINIDUMP_EXCEPTION           ExceptionRecord;
  MINIDUMP_LOCATION_DESCRIPTOR ThreadContext;
} MINIDUMP_EXCEPTION_STREAM, *PMINIDUMP_EXCEPTION_STREAM;

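The members are explained below:

ThreadId

The identifier of the thread that caused the exception.

__alignment

A variable used for alignment.

ExceptionRecord

A MINIDUMP_EXCEPTION structure that records the exception information.

ThreadContext

A MINIDUMP_LOCATION_DESCRIPTOR structure (see Dump File Data Storage Format (1)). It gives the offset of the CPU context, that is, it points to a CPU-specific context structure containing the thread's context at the time of the exception. Which context structure to use when interpreting it depends on MINIDUMP_SYSTEM_INFO::ProcessorArchitecture.

The MINIDUMP_EXCEPTION structure is as follows: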

typedef struct _MINIDUMP_EXCEPTION {
  ULONG32 ExceptionCode;
  ULONG32 ExceptionFlags;
  ULONG64 ExceptionRecord;
  ULONG64 ExceptionAddress;
  ULONG32 NumberParameters;
  ULONG32 __unusedAlignment;
  ULONG64 ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
} MINIDUMP_EXCEPTION, *PMINIDUMP_EXCEPTION;

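It contains the exception record information. Its members are:

ExceptionCode

The reason the exception occurred. This is the code generated by a hardware exception, or the code specified in the RaiseException function for a software-generated exception. The following exception codes can occur as a result of common programming errors.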

| Value | Meaning |
| --- | --- |
| EXCEPTION_ACCESS_VIOLATION | The thread tried to read from or write to a virtual address for which it does not have the appropriate access. |
| EXCEPTION_ARRAY_BOUNDS_EXCEEDED | The thread tried to access an array element that is out of bounds and the underlying hardware supports bounds checking. |
| EXCEPTION_BREAKPOINT | A breakpoint was encountered. |
| EXCEPTION_DATATYPE_MISALIGNMENT | The thread tried to read or write data that is misaligned on hardware that does not provide alignment. For example, 16-bit values must be aligned on 2-byte boundaries; 32-bit values on 4-byte boundaries, and so on. |
| EXCEPTION_FLT_DENORMAL_OPERAND | One of the operands in a floating-point operation is denormal. A denormal value is one that is too small to represent as a standard floating-point value. |
| EXCEPTION_FLT_DIVIDE_BY_ZERO | The thread tried to divide a floating-point value by a floating-point divisor of zero. |
| EXCEPTION_FLT_INEXACT_RESULT | The result of a floating-point operation cannot be represented exactly as a decimal fraction. |
| EXCEPTION_FLT_INVALID_OPERATION | This exception represents any floating-point exception not included in this list. |
| EXCEPTION_FLT_OVERFLOW | The exponent of a floating-point operation is greater than the magnitude allowed by the corresponding type. |
| EXCEPTION_FLT_STACK_CHECK | The stack overflowed or underflowed as the result of a floating-point operation. |
| EXCEPTION_FLT_UNDERFLOW | The exponent of a floating-point operation is less than the magnitude allowed by the corresponding type. |
| EXCEPTION_ILLEGAL_INSTRUCTION | The thread tried to execute an invalid instruction. |
| EXCEPTION_IN_PAGE_ERROR | The thread tried to access a page that was not present, and the system was unable to load the page. For example, this exception might occur if a network connection is lost while running a program over the network. |
| EXCEPTION_INT_DIVIDE_BY_ZERO | The thread tried to divide an integer value by an integer divisor of zero. |
| EXCEPTION_INT_OVERFLOW | The result of an integer operation caused a carry out of the most significant bit of the result. |
| EXCEPTION_INVALID_DISPOSITION | An exception handler returned an invalid disposition to the exception dispatcher. Programmers using a high-level language such as C should never encounter this exception. |
| EXCEPTION_NONCONTINUABLE_EXCEPTION | The thread tried to continue execution after a noncontinuable exception occurred. |
| EXCEPTION_PRIV_INSTRUCTION | The thread tried to execute an instruction whose operation is not allowed in the current machine mode. |
| EXCEPTION_SINGLE_STEP | A trace trap or other single-instruction mechanism signaled that one instruction has been executed. |
| EXCEPTION_STACK_OVERFLOW | The thread used up its stack. |

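Another exception code can occur when debugging console processes. It does not arise from a programming error. The DBG_CONTROL_C exception code occurs when CTRL+C is input to a console process that handles CTRL+C signals and is being debugged. This exception code is not meant to be handled by applications. It is raised only for the debugger, and only when a debugger is attached to the console process.

ExceptionFlags

This member can be zero, indicating a continuable exception, or EXCEPTION_NONCONTINUABLE, indicating a noncontinuable exception. Any attempt to continue execution after a noncontinuable exception causes the EXCEPTION_NONCONTINUABLE_EXCEPTION exception.

ExceptionRecord

A pointer to an associated minidump exception structure. Exception records can be chained together to provide additional information when nested exceptions occur.

ExceptionAddress

The address where the exception occurred.

NumberParameters

The number of parameters associated with the exception. This is the number of defined elements in the ExceptionInformation array.

__unusedAlignment

Reserved for cross-platform structure alignment. Do not set.

ExceptionInformation

An array of additional arguments that describe the exception. The RaiseException function can specify this array of arguments. For most exception codes, the array elements are undefined. For the following exception code, the array elements are defined as follows.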

Table 2

| Exception code | Meaning |
| --- | --- |
| EXCEPTION_ACCESS_VIOLATION | The first element of the array contains a read/write flag that indicates the type of operation that caused the access violation. If this value is zero, the thread attempted to read the inaccessible data. If this value is 1, the thread attempted to write to an inaccessible address. The second array element specifies the virtual address of the inaccessible data. |

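As you can see, this structure is really just a variant of EXCEPTION_RECORD.

From this stream we can conclude the following: this dmp file contains an exception, raised by the thread with id=4620, and it is a failed write to address 0x00000000 at address 0x553070cc.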
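The decoding walked through above, as an added example that is not part of the original post: a Python parser for the 168-byte MINIDUMP_EXCEPTION_STREAM that bounds-checks the file-supplied fields before using them. The sample buffer is constructed to match the values in the conclusion above; the numeric value 0xC0000005 for EXCEPTION_ACCESS_VIOLATION and the 716-byte context size are assumptions that do not appear on the page.

```python
import struct

EXCEPTION_MAXIMUM_PARAMETERS = 15
EXCEPTION_ACCESS_VIOLATION = 0xC0000005  # assumed value, not shown on the page
# ThreadId, __alignment | MINIDUMP_EXCEPTION | ThreadContext (DataSize, Rva)
STREAM = struct.Struct("<II" "IIQQII15Q" "II")  # 168 bytes, little-endian


def parse_exception_stream(dump: bytes, rva: int, size: int) -> dict:
    """Decode the ExceptionStream stored at dump[rva:rva+size]."""
    # The RVA and size come from the file itself, so bounds-check them first.
    if rva < 0 or size < STREAM.size or rva + size > len(dump):
        raise ValueError("ExceptionStream lies outside the file")
    f = STREAM.unpack_from(dump, rva)
    code, nparams, ctx_size, ctx_rva = f[2], f[6], f[23], f[24]
    if nparams > EXCEPTION_MAXIMUM_PARAMETERS:
        raise ValueError("NumberParameters exceeds the array size")
    if ctx_rva + ctx_size > len(dump):
        raise ValueError("ThreadContext lies outside the file")
    info = {
        "thread_id": f[0],
        "code": code,
        "flags": f[3],
        "nested_record": f[4],
        "address": f[5],
        "params": list(f[8:8 + nparams]),
        "context": (ctx_rva, ctx_size),
    }
    # ExceptionInformation is only defined for a few codes (see Table 2).
    if code == EXCEPTION_ACCESS_VIOLATION and nparams >= 2:
        info["access"] = {0: "read", 1: "write"}.get(f[8], "other")
        info["target"] = f[9]
    return info


def build_sample() -> tuple:
    """Constructed dump fragment: stream at RVA 0x678, zero-filled context."""
    rva = 0x678
    stream = STREAM.pack(4620, 0, EXCEPTION_ACCESS_VIOLATION, 0, 0, 0x553070CC,
                         2, 0, 1, 0, *([0] * 13), 716, rva + STREAM.size)
    return bytes(rva) + stream + bytes(716), rva, STREAM.size


if __name__ == "__main__":
    r = parse_exception_stream(*build_sample())
    print(f"thread {r['thread_id']}: {r['access']} of {r['target']:#010x} "
          f"failed at {r['address']:#x}")
```
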

posted on 2020-10-23 08:07 by 活着的虫子
