"Peter Oberndorfer" kumbayo84@arcor.de wrote:
The strange thing is my testcase [patch 2/3] shows/(should show) that the debugger gets an unmodified eip for a first chance exception
- if (de.u.Exception.dwFirstChance)
- {
- /* debugger gets first chance exception with unmodified ctx.Eip */
- ok((DWORD)ctx.Eip == (DWORD)code_mem_address + 0xb, "Eip at %x instead of 0x%x\n",
- ctx.Eip, (DWORD)code_mem_address + 0xb);
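Review bot: the ok() message in the removed lines prints the actual value without a 0x prefix but the expected value with one ("Eip at %x instead of 0x%x"), so a failing run shows the two numbers in different formats; if these lines are reinstated, use "Eip at 0x%x instead of 0x%x\n" so both read the same. The fragment also shows only the deleted assertion and none of the surrounding context, so it is not visible here what, if anything, replaces the first-chance check.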
and the modified one when the application did not handle the exception
Could that be due to an error in your test?
Unfortunately I don't own that book :-( Could you please verify in the pseudocode that the modified context gets sent to the debugger, and not some unmodified copy?
The pseudocode of KiDispatchException as the very first thing calls KeContextFromKframes and then unconditionally decrements context.Eip in the case of STATUS_BREAKPOINT.
Or maybe they unfix the context again in the send_to_debugger function ;-) Or the pseudocode is not fully correct.
That's a possibility, yes.