The article explains Windowsβ SEH and VEH mechanisms, focusing on x64 implementations and how exception tables, unwind info, and the Windows NT layer orchestrate exception dispatch and stack unwinding. It also contrasts SEH with VEH and demonstrates how these mechanisms complicate reverse engineering and tracing control flow.
#KernelException #RUNTIME_FUNCTION
#KernelException #RUNTIME_FUNCTION
Keypoints
- Windows uses SEH and VEH for runtime error handling in executables.
- 64-bit SEH relies on the Exception Directory and RUNTIME_FUNCTION entries.
- UNWIND_INFO and UNWIND_CODE define how to unwind the stack during exceptions.
- RtlLookupFunctionEntry and RtlVirtualUnwind drive exception dispatch and stack restoration.
- VEH is process-wide and registered via AddVectoredExceptionHandler, differing from SEHβs per-function model.
Read More: https://blog.elmo.sg/posts/structured-exception-handler-x64/