
ErrorHandling - %Exception_Priv_Instruction (3221225622)


  • ErrorHandling - %Exception_Priv_Instruction (3221225622)

    I have a customer that SOMEHOW tripped into an error message of:
    Windows_Privledged_Instruction_Error
    Which I found in WinBase.inc
    %EXCEPTION_PRIV_INSTRUCTION = %STATUS_PRIVILEGED_INSTRUCTION
    In turn in NtStatus is defined
    %STATUS_PRIVILEGED_INSTRUCTION = &HC0000096 ' winnt
    and in Hex
    &HC0000096 = 3221225622

    What I can not wrap my head around is the part of CODEPROC(721580,1,0,1688760)
    but from my old-age knowledge I seem to think
    721580 = My Handle
    1 = Message
    0 = wParam
    1688760 = lParam

    It's been Many, Many, MANY years since I have delved this deep into Windows, so I ask help from my great "Obi-Wan"s if they have seen or heard of such an error and where I might start looking?



    Engineer's Motto: If it aint broke take it apart and fix it

    "If at 1st you don't succeed... call it version 1.0"

    "Half of Programming is coding"....."The other 90% is DEBUGGING"

    "Document my code????" .... "WHYYY??? do you think they call it CODE? "

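An added example, not part of the original post or of the PowerBASIC includes: a small C decoder for the value in the thread title. It splits an NTSTATUS into its documented bit fields and accepts the same code in the forms a dialog or log may show it, including the negative number a signed 32-bit variable would print. The function names and the short name table are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* NTSTATUS bit layout: Sev(2) C(1) N(1) Facility(12) Code(16). */
typedef struct {
    uint32_t raw;
    unsigned severity;                 /* 0 success, 1 info, 2 warning, 3 error */
    unsigned customer, facility, code; /* customer: 1 = not Microsoft-defined */
} ntstatus_t;

/* Accepts unsigned decimal, signed 32-bit decimal, 0x hex, or PowerBASIC
   &H hex. Returns 0 when the text parsed, -1 otherwise. */
int parse_ntstatus(const char *text, ntstatus_t *out)
{
    int base = 0;                      /* base 0: decimal or 0x-prefixed */
    char *end;
    if (strncmp(text, "&H", 2) == 0 || strncmp(text, "&h", 2) == 0) {
        text += 2; base = 16;
    }
    long long v = strtoll(text, &end, base);
    if (end == text || *end != '\0' || v < INT32_MIN || v > UINT32_MAX)
        return -1;
    out->raw = (uint32_t)v;            /* negative input wraps to 32 bits */
    out->severity = out->raw >> 30;
    out->customer = (out->raw >> 29) & 1u;
    out->facility = (out->raw >> 16) & 0xFFFu;
    out->code = out->raw & 0xFFFFu;
    return 0;
}

const char *ntstatus_name(uint32_t raw)
{   /* a few common exception codes, values as defined in ntstatus.h */
    static const struct { uint32_t v; const char *n; } known[] = {
        {0xC0000005u, "STATUS_ACCESS_VIOLATION"},
        {0xC000001Du, "STATUS_ILLEGAL_INSTRUCTION"},
        {0xC0000096u, "STATUS_PRIVILEGED_INSTRUCTION"},
        {0xC00000FDu, "STATUS_STACK_OVERFLOW"},
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (known[i].v == raw) return known[i].n;
    return "(not in this short table)";
}

int main(void)
{
    ntstatus_t s;                      /* decimal value from the thread title */
    if (parse_ntstatus("3221225622", &s) != 0) return 1;
    printf("0x%08X sev=%u fac=%u code=0x%X %s\n", (unsigned)s.raw,
           s.severity, s.facility, s.code, ntstatus_name(s.raw));
    return 0;
}
```
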
  • #2
    Hi Cliff,


    I'm definitely not Obi-Wan, but nevertheless maybe I can help... I have a few questions:

    - Is the message box from your application, that is, has your application got an error handler of its own, which shows this message?
    - Do you use assembler code in your app, or is it pure PowerBASIC syntax?
    - Can this error be reproduced, or did it happen only one single time?

    A privileged instruction (e.g. some IO opcodes, reading from and writing to descriptor tables, and so on - in short operating system stuff) may not be executed in user mode. These instructions are restricted to kernel mode (operating system kernel or drivers).

    So, if you didn't code one of these instructions intentionally, the only explanation I currently have is that for whatever reason your code flow got out of sync with what you coded. This can happen e.g. with incorrect assembler code resulting in a jump "into" an opcode instead of the correct location. The processor starts executing "garbage" code then and will GPF somewhere later (just like in your case).


    JK



    • #3
      I did some more researching and am updating my thought process
      CODEPROC(721580,1,0,1688760)
      721580 = My Handle (Need to figure out a way to find the properties of this handle to figure out what it is)
      1 = Message (Determined to be %WM_CREATE)
      0 = wParam (%WM_CREATE takes no wParam)
      1688760 = lParam (Pointer to CreateStruct)

      Now I know that the function CODEPROC comes from creating a "Notepad-like" window in my MDI window that I think I took from the PB example for Notepad many years ago and will research further

      Juergen....In answer to your questions
      I did add my own error handler at some point in the past, but I do not recognize the MessageBox that appears that allows you to ignore the Exception
      No Assembler code, just PowerBASIC and Windows API calls (I know I should not "mix-n-match" but I was working on a pure API version back at the time)
      I am waiting on the customer's response if it's repeatable or what happens if you ignore the Exception.

      At least I finally got off to a good start, but as we all know "Where you may catch an exception likely may not be where the exception was created"



      • #4
        Cliff,


        So we can exclude Assembler errors. Mixing API with PowerBASIC's DDT isn't a problem at all. IIRC Bob encouraged it and I do it all the time without ever having any problem with it.

        Some Windows APIs may produce crashes when called with improper arguments; Windows 8 and 10 seem to be more picky here than Windows 7.

        It would be interesting to know the exact RVA of the exception. If this message comes from your own handler you can modify it to show the RVA too. Or you could deactivate it and let Windows report the RVA of this exception. Then you could use e.g. IDA for locating the exact crash location in your executable - of course leaving the question, how did I get there and why. But at least you got some place to start at.


        JK



        • #5
          Juergen, Forgive me but what is an "RVA"? or an IDA? (The only IDA I can think of is an old IDA computer)


          • #6
            Cliff,


            RVA (relative virtual address) is where EIP (the processor's extended [32-bit] instruction pointer) points to when the exception occurs. With this information you can reverse engineer your executable to find out where exactly it crashed. IDA is a tool for doing this kind of task.


            JK
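An added example, not code from the thread: the arithmetic behind the crash-location step discussed in #4 and #6, in C. It takes a reported fault address, finds the loaded image that contains it, subtracts that image's load base to get the RVA, and converts the RVA to the address a disassembler shows when it opens the file at its preferred image base. The module list, the fault address and the preferred base 0x00400000 are constructed assumptions; the out-of-image address in the test is the lParam value 1688760 from the thread.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One loaded image, as a debugger or crash report lists it. */
typedef struct {
    const char *name;
    uint32_t    base;   /* address the image is actually loaded at */
    uint32_t    size;   /* SizeOfImage from the PE header */
} module_t;

/* Find the image containing va and store the RVA (va minus load base).
   Returns NULL when va lies in no listed image, which is itself a finding:
   execution left the program's code and ran data as instructions. */
const module_t *va_to_rva(const module_t *mods, size_t n,
                          uint32_t va, uint32_t *rva)
{
    for (size_t i = 0; i < n; i++) {
        if (va >= mods[i].base && va - mods[i].base < mods[i].size) {
            *rva = va - mods[i].base;
            return &mods[i];
        }
    }
    return NULL;
}

/* Address to look up in a disassembler that opened the file at its
   preferred ImageBase rather than at the run-time load address. */
uint32_t rva_to_static_va(uint32_t preferred_base, uint32_t rva)
{
    return preferred_base + rva;
}

/* Constructed sample data, not taken from the thread. */
#define PREFERRED_BASE 0x00400000u
static const module_t SAMPLE[] = {
    {"app.exe",    0x00A30000u, 0x0009C000u},
    {"user32.dll", 0x75D10000u, 0x00190000u},
};

int main(void)
{
    uint32_t rva;
    const module_t *m = va_to_rva(SAMPLE, 2, 0x00A4153Cu, &rva);
    if (m)
        printf("%s+0x%X -> 0x%08X in the disassembler\n", m->name,
               (unsigned)rva, (unsigned)rva_to_static_va(PREFERRED_BASE, rva));
    return 0;
}
```
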



            • #7
              Juergen,
              EIP I am aware of (mostly from my attempts at ErrorHandling.inc), but I have not heard of this IDA tool for troubleshooting.... Thanx for the info of something I should research and which Windows OS'es are capable of it.


              • #8
                Cliff,


                This free version of IDA should be sufficient


                JK
