Unable to Ignore All Exceptions

[GNIREENIGNE]

Version: x64dbg, compiled on May 26 2016, 01:07:33 | Windows 7 Home Premium 64-bit SP1

Is there a way to increase the exceptions range for 64-bit targets?

I am unable to ignore all exceptions. Whether I manually add them all via 'add last' or set my exceptions range from 00000000-ffffffff, nothing seems to work. I've also tried running the target while skipping exceptions (shift+F9) to no avail.

The target process never crashed and was able to run without any issues while the debugger was attached.

Are there any workarounds for this? Am I doing something wrong?

Thanks.

Edited May 28, 2016 by GNIREENIGNE

[mrexodia]

You cannot magically make exceptions disappear. However if you want to force the debugger to pass DBG_CONTINUE to ContinueDebugEvent you can do this (on a last chance exception) by running the command 'con'. This will most probably result in a first chance exception again, so it's rather pointless.

[GNIREENIGNE]

Thank you for replying.

Please excuse my ignorance on this topic. The only exceptions that I am currently receiving are last chance exceptions. I wish I understood more about this, as I do not understand why the debugger has to stop. Instead of manually clicking run every time, couldn't the program be set up to include the option to automate this task?

Thanks.

[mrexodia]

First chance exceptions are when an exception happens for the first time, if you run it will pass the exception to the system exception handler (SEH/VEH). If this handler says 'I cannot resolve this exception' a second chance exception will occur in the debugger. This is equivalent to an application crash state (without debugger the application would have crashed). Inside the debugger you can handle the exception somehow (for instance by changing the thread context) and then continue the exception anyway. If the program crashes again you will get another second chance exception.\

You cannot continue a second chance exception, it means that your program is in a crash state and continue wouldn't do anything (only crash it over and over again).

Now with that said, there are anti-debug tricks that might be at play here. https://evilcodecave.wordpress.com/2008/07/24/setunhandledexception-filter-anti-debug-trick is one that might interest you, lots more are documented at https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHide.pdf

[GNIREENIGNE]

Thanks, again, for replying, Mr. eXoDia. I love this program, by the way.

Unfortunately, I am now, even more confused. Running the application outside of the debugger does not produce any crashes. Running the application inside the debugger also does not produce any crashes. The only difference is, when ran inside the debugger, the process keeps stopping and I have to keep pressing the run button. The application still runs as expected, I just have to keep pressing the run button to skip the exceptions. The exceptions mostly occur during startup, when everything gets loaded (it's a game). Once you are in the game, exceptions are seldom, if at all.

That said, the anti-debugger tricks aren't really applicable, considering the fact that the target does not actually seem to be crashing.

Unless I am not understanding you...if so, I apologize.

Thanks.

Edited May 31, 2016 by GNIREENIGNE

[mrexodia]

Without any executables or concrete steps to reproduce this I cannot really do anything. All I'm saying is that exception handling (as far as I know) is working correctly.

[GNIREENIGNE]

No worries. I appreciate your feedback. I do know that part of the problem earlier on, was a fault of my own. Evidently, I had to set ownership and proper permissions to all of my folders and sub-directories that I was working in. The thing is, I had already done that a long time ago (or so I thought). Now, the exceptions are very few.

By the way, do you have any plans in implement advanced comments?

Thanks.

[mrexodia]

What do you mean with advanced comments? Currently you can use format strings in your comments, so stuff like:

value in rax: {rax}, string in r13: {s:r13}, addrinfo in [esp+4]: {a:[esp+4]}

Will resolve like

value in rax: 5B30, string in r13: "test", addrinfo in [esp+4]: 00401206 module.Symbolicname

If you have feature requests/issues please add them in http://issues.x64dbg.com so they can be classified and handled properly.

[GNIREENIGNE]

Thanks for replying, Mr. eXoDia.

Regarding advanced comments, I am referring to the same thing as this poster.

I will post the request at the provided link.

Thanks.