Created: Tuesday, February 3 2009 04:51.54 CST Modified: Tuesday, February 3 2009 04:53.05 CST
ExcpHook 0.0.5-rc2 released
Author: GynvaelColdwind

Yesterday I finally got some time to finish the changes in the new version of ExcpHook. So, version 0.0.5-rc2 (rc2 of alpha ;p) is ready for download, and might even be usable ;D

ExcpHook Exception Monitor is an exception monitor made for Windows XP. The monitoring part is kernel-level (technically, in a driver), so unlike user-land monitors, ExcpHook does not have to act as a debugger for the monitored processes, nor does it have to change their environment/code/data in any way. Additionally, ExcpHook is not tied to one process - it monitors every process in the system, letting the user filter out the interesting processes by providing a part of the process's image name.

Download (source + binary): ExcpHookMonitor_0.0.5-rc2.zip (220KB)

An example of usage:


c:\Tools\ExcpHookMonitor_0.0.5-rc1>ExcpHook.exe excp_
ExcpHook Exception Monitor v0.0.5-rc2 by gynvael.coldwind//vx
(use -h or --help for help)
Filtering results only to ones containing "excp_"
Loading driver...OK
Opening device...OK
Requesting info on driver...OK
Driver: ExcpHook driver v0.0.5-rc2 by gynvael.coldwind//vx.
Driver status: All OK
Entering loop... press ctrl+c to exit

--- Exception detected ---
PID:  1440    First Chance: YES
Exception code: 10000004 (KI_EXCEPTION_ACCESS_VIOLATION)
Exception addr: 0040130a
Image (from OpenProcess): c:\Tools\ExcpHookMonitor_0.0.5-rc1\TestSuite\excp_accviol.c.exe
Image (from EPROCESS)   : excp_accviol.c.
Param count   : 2
Params:
00000000 88776655
Access Violation Type  : READ
Accessed Memory Address: 88776655
Eax: 00401360    Edx: 77c51ae8    Ecx: 00401360    Ebx: 00004000
Esi: 7c90d950    Edi: 0006a19c    Esp: 0022ff60    Ebp: 0022ff78
Eip: 0040130a
EFlags: 00010247
CF: 1   PF: 1   AF: 0   ZF: 1   SF: 0   TF: 0
IF: 1   DF: 0   OF: 0   NT: 0   RF: 1   VM: 0
AC: 0   ID: 0
IOPL: 0   VIF: 0   VIP: 0

Stack:
77c2aead 0006a19c 003e29f0 00401305 00000010 00000002 0022ffb0 00401237
00000001 003e2498 003e29f0 00404000 0022ffa4 ffffffff 0022ffa8 00000001

Code:
[0040130a] a1 55667788          MOV EAX, [0x88776655]
[0040130f] 8945 fc              MOV [EBP-0x4], EAX
[00401312] b8 00000000          MOV EAX, 0x0
[00401317] c9                   LEAVE
[00401318] c3                   RET
[00401319] 90                   NOP
[0040131a] 90                   NOP
[0040131b] 90                   NOP
[0040131c] 90                   NOP
[0040131d] 90                   NOP
[0040131e] 90                   NOP
[0040131f] 90                   NOP
[00401320] 55                   PUSH EBP
[00401321] b9 c0304000          MOV ECX, 0x4030c0
[00401326] 89e5                 MOV EBP, ESP
[00401328] eb 14                JMP 0x40133e
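A record like the one above can be triaged automatically. The following Python parser is an added example (not part of ExcpHook or the original post) for this output format: it decodes the EFlags word into the same flag table the monitor prints, interprets the two access-violation parameters the way the READ/WRITE line does, and flags the case where the faulting address is EIP itself. The sample record is a constructed copy of the output above.

```python
import re

# Constructed sample: the exception record as printed by ExcpHook above (trimmed).
SAMPLE = """--- Exception detected ---
PID:  1440    First Chance: YES
Exception code: 10000004 (KI_EXCEPTION_ACCESS_VIOLATION)
Exception addr: 0040130a
Param count   : 2
Params:
00000000 88776655
Eax: 00401360    Edx: 77c51ae8    Ecx: 00401360    Ebx: 00004000
Esi: 7c90d950    Edi: 0006a19c    Esp: 0022ff60    Ebp: 0022ff78
Eip: 0040130a
EFlags: 00010247
"""

# Bit positions of the x86 EFLAGS bits ExcpHook prints (IOPL is a 2-bit field at bits 12-13).
EFLAGS_BITS = {"CF": 0, "PF": 2, "AF": 4, "ZF": 6, "SF": 7, "TF": 8, "IF": 9, "DF": 10,
               "OF": 11, "NT": 14, "RF": 16, "VM": 17, "AC": 18, "VIF": 19, "VIP": 20, "ID": 21}

def decode_eflags(value):
    """Return each named flag as 0/1 plus the IOPL field, as the monitor displays them."""
    flags = {name: (value >> bit) & 1 for name, bit in EFLAGS_BITS.items()}
    flags["IOPL"] = (value >> 12) & 3
    return flags

def parse_record(text):
    """Parse one '--- Exception detected ---' block into a dict of decoded fields."""
    rec = {}
    rec["pid"] = int(re.search(r"PID:\s+(\d+)", text).group(1))
    rec["first_chance"] = re.search(r"First Chance:\s+(\w+)", text).group(1) == "YES"
    m = re.search(r"Exception code:\s+([0-9a-fA-F]+)\s+\((\w+)\)", text)
    rec["code"], rec["code_name"] = int(m.group(1), 16), m.group(2)
    rec["addr"] = int(re.search(r"Exception addr:\s+([0-9a-fA-F]+)", text).group(1), 16)
    params_line = text.split("Params:\n", 1)[1].splitlines()[0]
    rec["params"] = [int(p, 16) for p in params_line.split()]
    # Register lines are "Exx: xxxxxxxx"; "EFlags:" and "Exception" do not match this pattern.
    rec["regs"] = {r.lower(): int(v, 16)
                   for r, v in re.findall(r"\b(E[a-z]{2}):\s+([0-9a-fA-F]{8})", text)}
    rec["eflags"] = decode_eflags(int(re.search(r"EFlags:\s+([0-9a-fA-F]+)", text).group(1), 16))
    # 0x10000004 is the kernel-internal access violation code seen by the hook; for it the
    # two parameters are (access type, faulting address), type 0 = read, 1 = write, 8 = DEP.
    if rec["code"] == 0x10000004 and len(rec["params"]) == 2:
        rec["av_type"] = {0: "READ", 1: "WRITE", 8: "EXECUTE"}.get(rec["params"][0], "UNKNOWN")
        rec["av_address"] = rec["params"][1]
    return rec

def summarize(rec):
    """One-line triage summary; notes when the bad address is EIP itself, i.e. the process
    tried to execute from it rather than access data there."""
    note = " (execution fault at EIP)" if rec.get("av_address") == rec["regs"].get("eip") else ""
    return "PID %d %s at %08x: %s %08x%s" % (rec["pid"], rec["code_name"], rec["addr"],
                                             rec.get("av_type", "-"), rec.get("av_address", 0), note)
```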


Changelog

0.0.4 -> 0.0.5-rc2
* Fixed 100% CPU eating bug
* Rewritten the code to use IOCTL instead of Write/Read
* Added driver status checking mechanism
* Commented the source code, made it more readable
* Fixed multiCPU/multicore race condition possibility
* Fixed BSoD on some systems when patching the kernel
* Added some more spinlocks here and there
* Fixed BSoD on some kernel versions, the signature seeking
   mechanism has been changed to a more decent one
* Added general/control register logging/display
* Added image name acquiring from EPROCESS
* Added one-instance-at-a-time limit (this is needed due to design)
* Added disassembly display (using diStorm lib)
* Added some more minor things


P.S. you can also download ExcpHook as a part of OpenRCE snippets.



Blog Comments
zarulshahrin Posted: Wednesday, February 4 2009 07:28.28 CST
Aha, what a coincidence! I opened the website to search for the previous version of this tool and what I found is a new version of it posted yesterday, how cool!

Anyway, thank you for your contribution to the community and I would also like to say that I really enjoy reading your technical stuff. So, please don't stop making contributions :-)

GynvaelColdwind Posted: Wednesday, February 4 2009 16:50.04 CST
@zarulshahrin
Glad you like it ;>
If you encounter any problems with ExcpHook, please let me know, it's still alpha after all ;>
