RasieException

RasieException是SEH API，SEH != 进内核，RasieException并不必然导致用户态内核态切换。事实上这个API被调用以后会首 

先尝试在用户态进行处理，如果没有任何处理者可用，则直接调用ExitProcess退出进程，这个调用倒是要进内核。 





Raising an exception causes the exception dispatcher to go through the following search for an exception handler: 





 1.The system first attempts to notify the process's debugger, if any. 





 2.If the process is not being debugged, or if the associated debugger does not handle the exception, the system attempts to locate a frame-based exception handler by searching the stack frames of the thread in which the exception occurred. The system searches
the current stack frame first, then proceeds backward through preceding stack frames. 





 3.If no frame-based handler can be found, or no frame-based handler handles the exception, the system makes a second attempt to notify the process's debugger. 





 4.If the process is not being debugged, or if the associated debugger does not handle the exception, the system provides default handling based on the exception type. For most exceptions, the default action is to call the ExitProcess function.

。 





软件异常登记 





软件异常是通过直接或者间接调用内核服务NtRaiseException而产生的。而用户态中可以通过RaiseException API，或者Try-catch等高级语言来调用这个内核服务，而通过RaiseException来登记软件异常的过程可以简单表述如下： 





RaiseException在初始化一个EXCEPTION_RECORD结构体之后，开始调用NTDLL中的RtlRaiseException; RtlRaiseException在初始化CONTEXT结构体之后，开始调用内核中NtRaiseException, NtRaiseException再调用另外一个内核函数KiRaiseException。接下来KiRaiseException会调用KiDispatchException开始异常的分发。 





如果是由 KiDispatchException 进行那4步处理的话，显然 Ki 前缀已经进内核态了。