Gynvael Coldwind (GynvaelColdwind) <gynvael vexillium org>
Sunday, January 13 2008 08:19.21 CST
Hi,
Recently I've created an Exception Monitor for Windows XP (link to binary+source at the end of the post). It uses a ring0 driver to hook KiExceptionDispatch procedure to detect the exceptions, and then shows information about the exception on stdout (using the ring3 part of the program ofc).
The difference between this method and the standard debug API method is that this method monitors all XP processes, and the program does not have to attach to any other process to monitor it, hence it's harder to detect.
The ring0 code sucks. It does not BSoD at my place, but I cannot guarantee it won't BSoD at some other place.
I'm really looking forward to comments regarding the ring0 code, especially constructive ones ;>
The known bugs are:
- It has problems resolving image names of processes that 'exceptioned'. I'm using OpenProcess(PROCESS_ALL_ACCESS) + GetModuleFileNameEx to get the name. If anyone knows a better method, please post.
- Only one instance of the program can be running.
- I have a feeling that this code will act badly on multi-CPU machines.
Well, that's it, any comments are welcome ;>
Oh yeah, an example of usage:
>ExcpHook.exe excp_
ExcpHook Exception Monitor 0.0.3 by gynvael.coldwind//vx
(use -h or --help for help)
Filtering results only to ones containing "excp_"
Loading driver...OK
Opening device...OK
Requesting info on driver...OK
Driver: ExcpHook driver v0.0.1 by gynvael.coldwind//vx.
Entering loop... press ctrl+c to exit
--- Exception detected ---
PID: 2016 First Chance: YES
Exception code: 10000004 (KI_EXCEPTION_ACCESS_VIOLATION)
Exception addr: 0040130a
Image: D:\code\gynvael\BraveNewWorld\ExceptionCatch\excp_accviolw.exe
Param count : 2
Params:
00000001 88776655
Access Violation Type : WRITE
Accessed Memory Address: 88776655
Disconnecting from driver...OK
Unloading driver...OK
^C
>
And the url (binary+source):
https://www.openrce.org/repositories/users/GynvaelColdwind/ExcpHookMonitor_0.0.3.zip
Take care,
G.C.
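As an added example (my code, not ExcpHook's), here is the decoding step behind the "Access Violation Type" and "Accessed Memory Address" lines in the output above, in C. The struct mirrors the Win32 EXCEPTION_RECORD layout but is declared locally so it builds without <windows.h>; the function names are mine, and the sample record is constructed from the excp_accviolw.exe run shown above.

```c
/*
 * Added example, not ExcpHook's code: decode an EXCEPTION_RECORD the way a
 * monitor has to before printing the access type and faulting address.
 * The struct mirrors the Win32 EXCEPTION_RECORD layout (declared here so
 * the file builds on any C compiler, without <windows.h>).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXCEPTION_MAXIMUM_PARAMETERS 15

typedef struct exception_record {
    uint32_t ExceptionCode;
    uint32_t ExceptionFlags;
    struct exception_record *ExceptionRecord;   /* nested record, if any */
    void *ExceptionAddress;
    uint32_t NumberParameters;
    uintptr_t ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
} EXCEPTION_RECORD_T;

/* Public NTSTATUS codes (ntstatus.h) as a user-mode SEH handler sees them. */
#define STATUS_ACCESS_VIOLATION   0xC0000005u
#define STATUS_IN_PAGE_ERROR      0xC0000006u
#define STATUS_BREAKPOINT         0x80000003u
#define STATUS_SINGLE_STEP        0x80000004u
#define STATUS_STACK_OVERFLOW     0xC00000FDu
/* Kernel-internal code raised by the page-fault trap handler. The kernel
 * rewrites it to STATUS_ACCESS_VIOLATION before the record reaches user
 * mode, so a hook at KiDispatchException (as in ExcpHook) sees 10000004
 * where a debugger or SEH handler would see C0000005. */
#define KI_EXCEPTION_ACCESS_VIOLATION 0x10000004u

/* Map the internal AV code onto the public one; everything else unchanged. */
uint32_t normalize_code(uint32_t code)
{
    return code == KI_EXCEPTION_ACCESS_VIOLATION ? STATUS_ACCESS_VIOLATION : code;
}

const char *code_name(uint32_t code)
{
    switch (normalize_code(code)) {
    case STATUS_ACCESS_VIOLATION: return "ACCESS_VIOLATION";
    case STATUS_IN_PAGE_ERROR:    return "IN_PAGE_ERROR";
    case STATUS_BREAKPOINT:       return "BREAKPOINT";
    case STATUS_SINGLE_STEP:      return "SINGLE_STEP";
    case STATUS_STACK_OVERFLOW:   return "STACK_OVERFLOW";
    default:                      return "UNKNOWN";
    }
}

/* Meaning of the parameters of a memory fault (AV or in-page error). */
typedef struct {
    int is_memory_fault;    /* 1 only for AV / in-page error with >= 2 params */
    const char *access;     /* "READ", "WRITE", "EXECUTE" (DEP fault) or "?" */
    uintptr_t address;      /* faulting virtual address */
    uint32_t inpage_status; /* in-page error only: NTSTATUS of the failed I/O */
} fault_info_t;

fault_info_t decode_fault(const EXCEPTION_RECORD_T *rec)
{
    fault_info_t fi = { 0, "?", 0, 0 };
    uint32_t code = normalize_code(rec->ExceptionCode);

    if (code != STATUS_ACCESS_VIOLATION && code != STATUS_IN_PAGE_ERROR)
        return fi;
    /* Trust NumberParameters, not the code: a truncated or forged record must
     * not make the monitor read past what the kernel actually filled in. */
    if (rec->NumberParameters < 2)
        return fi;

    fi.is_memory_fault = 1;
    switch (rec->ExceptionInformation[0]) {   /* 0 = read, 1 = write, 8 = DEP */
    case 0: fi.access = "READ";    break;
    case 1: fi.access = "WRITE";   break;
    case 8: fi.access = "EXECUTE"; break;
    default: break;
    }
    fi.address = rec->ExceptionInformation[1];
    if (code == STATUS_IN_PAGE_ERROR && rec->NumberParameters >= 3)
        fi.inpage_status = (uint32_t)rec->ExceptionInformation[2];
    return fi;
}

/* Print in the style of the output above. "First chance" is not part of the
 * record; KiDispatchException receives it as a separate argument. */
void print_record(const EXCEPTION_RECORD_T *rec, uint32_t pid, int first_chance)
{
    fault_info_t fi = decode_fault(rec);
    uint32_t i;

    printf("--- Exception detected ---\nPID: %u First Chance: %s\n",
           pid, first_chance ? "YES" : "NO");
    printf("Exception code: %08x (%s)\n", rec->ExceptionCode, code_name(rec->ExceptionCode));
    printf("Exception addr: %08lx\n", (unsigned long)(uintptr_t)rec->ExceptionAddress);
    printf("Param count : %u\nParams:\n", rec->NumberParameters);
    for (i = 0; i < rec->NumberParameters && i < EXCEPTION_MAXIMUM_PARAMETERS; i++)
        printf("%08lx ", (unsigned long)rec->ExceptionInformation[i]);
    printf("\n");
    if (fi.is_memory_fault)
        printf("Access Violation Type : %s\nAccessed Memory Address: %08lx\n",
               fi.access, (unsigned long)fi.address);
}

/* Sample record constructed from the excp_accviolw.exe run shown above. */
EXCEPTION_RECORD_T sample_record(void)
{
    EXCEPTION_RECORD_T r;
    memset(&r, 0, sizeof r);
    r.ExceptionCode = KI_EXCEPTION_ACCESS_VIOLATION;
    r.ExceptionAddress = (void *)(uintptr_t)0x0040130a;
    r.NumberParameters = 2;
    r.ExceptionInformation[0] = 1;            /* write access */
    r.ExceptionInformation[1] = 0x88776655;   /* target address */
    return r;
}

fault_info_t decode_sample(void)
{
    EXCEPTION_RECORD_T r = sample_record();
    return decode_fault(&r);
}

int main(void)
{
    EXCEPTION_RECORD_T r = sample_record();
    print_record(&r, 2016, 1);
    return 0;
}
```

The NumberParameters check is the part worth keeping even in a quick tool: the record arrives from a hook in kernel context, and the printing code should never index ExceptionInformation on the strength of the exception code alone.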
Good stuff! I've thought about writing something like that when I was "dancing with exceptions" ;) but I was too lazy. The monitor seems to work fine, just some thoughts:
- buffer of 64 exceptions is too small - try running my TrashMe which generates hundreds per second or more ;)
- x64 version would be nice (have fun with asm there..)
I had problems with your code.
No BSoD, but also no results.
The test-suite tools just crash and there is no report.
I'm using Windows XP SP2 German - 32-bit - all patches until Jan 08, if this helps.
Anyway, thanks for sharing.
Thanks for taking time to comment ;>
@omeg
Yeah, I've seen the effect TrashMe has on ExcpHook ;> I'll enlarge the buffer and add the missing race condition protections in the next version.
I'm afraid however I can't port ExcpHook to x64, since I don't own a x64 machine with XP ;< But you are welcome to do so ;>
@frankboldewin
Hmm, this happens if the driver does not find KiExceptionDispatch. I'll contact you regarding this matter by priv msg ;>
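As an added illustration (my code, not ExcpHook's) of the two fixes mentioned in the reply above, the larger buffer and the race-condition protection, here is the shape of the event queue a driver like this needs between the ring0 hook and the ring3 reader. The lock is a C11 atomic_flag spin lock so the file builds and runs in user mode; in a driver the same structure would sit behind a KSPIN_LOCK. The burst in run_burst is constructed, standing in for a crasher that raises hundreds of exceptions per second.

```c
/*
 * Added example, not ExcpHook's code: the queue between the ring0 hook
 * (producer, on whichever CPU took the exception) and the ring3 reader
 * (consumer). Two properties follow from the thread above: the producer must
 * never block and never overwrite, so a full ring drops the event and counts
 * the drop; and every access is under a lock, since two CPUs can dispatch
 * exceptions at the same instant. The lock is a C11 atomic_flag spin lock so
 * this runs in user mode; a driver would use a KSPIN_LOCK the same way.
 */
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

#define RING_CAPACITY 64   /* the figure the comments call too small; raise it here */

typedef struct {
    uint32_t  pid;
    uint32_t  code;
    uintptr_t address;
    int       first_chance;
} excp_event_t;

typedef struct {
    excp_event_t slots[RING_CAPACITY];
    unsigned     head;      /* next slot to write */
    unsigned     tail;      /* next slot to read */
    unsigned     count;     /* events queued */
    uint64_t     dropped;   /* events lost to a full ring */
    atomic_flag  lock;
} excp_ring_t;

static void ring_lock(excp_ring_t *r)
{
    while (atomic_flag_test_and_set_explicit(&r->lock, memory_order_acquire))
        ;   /* spin; every critical section below is a handful of stores */
}

static void ring_unlock(excp_ring_t *r)
{
    atomic_flag_clear_explicit(&r->lock, memory_order_release);
}

void ring_init(excp_ring_t *r)
{
    r->head = r->tail = r->count = 0;
    r->dropped = 0;
    atomic_flag_clear(&r->lock);
}

/* Producer (hook context). Returns 1 if queued, 0 if dropped; never waits for the consumer. */
int ring_push(excp_ring_t *r, const excp_event_t *ev)
{
    int queued = 0;
    ring_lock(r);
    if (r->count < RING_CAPACITY) {
        r->slots[r->head] = *ev;
        r->head = (r->head + 1) % RING_CAPACITY;
        r->count++;
        queued = 1;
    } else {
        r->dropped++;   /* lets the reader know it saw a sample, not the whole stream */
    }
    ring_unlock(r);
    return queued;
}

/* Consumer (e.g. the ioctl handler feeding ExcpHook.exe). Returns 1 and fills *out, 0 if empty. */
int ring_pop(excp_ring_t *r, excp_event_t *out)
{
    int got = 0;
    ring_lock(r);
    if (r->count > 0) {
        *out = r->slots[r->tail];
        r->tail = (r->tail + 1) % RING_CAPACITY;
        r->count--;
        got = 1;
    }
    ring_unlock(r);
    return got;
}

uint64_t ring_dropped(excp_ring_t *r)
{
    uint64_t d;
    ring_lock(r);
    d = r->dropped;
    ring_unlock(r);
    return d;
}

typedef struct { unsigned delivered; uint64_t dropped; int in_order; } burst_result_t;

/* Constructed burst: n exceptions arrive before the reader drains once. The
 * pid field doubles as a sequence number so FIFO order can be checked. */
burst_result_t run_burst(unsigned n)
{
    excp_ring_t ring;
    excp_event_t ev;
    burst_result_t res = { 0, 0, 1 };
    unsigned i;

    ring_init(&ring);
    for (i = 0; i < n; i++) {
        excp_event_t e = { i, 0x10000004u, 0x88776655u, 1 };
        ring_push(&ring, &e);
    }
    while (ring_pop(&ring, &ev)) {
        if (ev.pid != res.delivered)
            res.in_order = 0;
        res.delivered++;
    }
    res.dropped = ring_dropped(&ring);
    return res;
}

int main(void)
{
    burst_result_t r = run_burst(100);
    printf("delivered %u, dropped %llu, in order: %s\n",
           r.delivered, (unsigned long long)r.dropped, r.in_order ? "yes" : "no");
    return 0;
}
```

A real driver also has to respect the IRQL the hook runs at: the push path must do nothing that can page or wait, which is another reason the producer only ever drops and never blocks. On the user-mode side, the read loop drains until ring_pop returns 0 and reports the drop counter, so a fuzzing run knows when it lost events rather than silently missing crashes.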
Hi ...
There are many other exception handlers for source code, meaning you include a header file or use a Unit in Delphi applications,
for example:
MadExcept
EurekaLog
Now the question is how to use them with, for example, an MS Visual C++ application without source code?
GynvaelColdwind, why does your exception handler make CPU usage 100%? Is there no other solution?
@djnemo
Hi, thank you for your comment ;>
ExcpHook is a monitor, not a handler. It is supposed to aid fuzzing tests and other bughunt research initiatives ;> I guess I forgot to write why I created it ;>
Anyway, thank you for your links, I guess they have some functionality I could import to ExcpHook ;>
As for the CPU usage. Hmm, it wasn't supposed to eat 100% CPU ;> I'll work on that, thanks ;>
Nice tool. You can find some more tools very similar to this in the "Exception Monitoring Tools" category of the Collaborative RCE Tools Library:
http://www.woodmann.com/collaborative/tools/index.php/Category:Exception_Monitoring_Tools
@dELTA
Thanks for the link ;> I didn't know it ;>
Huh, someone already added ExcpHook... Woah, the internet is fast ;>>>
@GynvaelColdwind
I know the difference between monitoring and handling (^-^) :x
They report good detail, and I think it is not too difficult to add, for example: CPU registers, memory dump, loaded modules, disassembly and so on...
@djnemo
Sorry, You are right ;>
I'll try to add the features in 0.0.5 ;> I'll focus on bug fixing for 0.0.4. ;>
For getting the process name, is the following valid?
Note: I'm not sure what some_length should be in order to be safe.
DECLARE_UNICODE_STRING_SIZE(uImageName, some_length);
if (GetProcessImageName(NtCurrentProcess(), &uImageName) != STATUS_SUCCESS)
DbgPrint("could not get process image name\n");
@mjc
Thanks for your comment ;>
About the GetProcessImageName..
Are you talking about the GetProcessImageName posted on this site:
http://www.osronline.com/article.cfm?id=472
If so, yes, this is useful. Thanks! ;>