📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

Created: Sunday, January 13 2008 08:19.21 CST  
Exception monitor
Author: GynvaelColdwind

Hi,

Recently I've created an Exception Monitor for Windows XP (link to binary+source at the end of the post). It uses a ring0 driver that hooks the KiExceptionDispatch procedure to detect exceptions; the ring3 part of the program then prints information about each exception to stdout.
The difference between this method and the standard debug API method is that this method monitors all XP processes system-wide, and the program does not have to attach to any process in order to monitor it, hence it's harder to detect.

The ring0 code sucks. It does not BSoD on my machine, but I cannot guarantee it won't BSoD somewhere else.
I'm really looking forward to comments regarding the ring0 code, especially constructive ones ;>

The known bugs are:
- It has problems resolving the image names of processes that raised an exception. I'm using OpenProcess(PROCESS_ALL_ACCESS) + GetModuleFileNameEx to get the name. If anyone knows a better method, please post.
- Only one instance of the program can be running.
- I have a feeling that this code will behave badly on multi-CPU machines.

Well, that's it, any comments are welcome ;>

Oh yeah, an example of usage:

>ExcpHook.exe excp_
ExcpHook Exception Monitor 0.0.3 by gynvael.coldwind//vx
(use -h or --help for help)
Filtering results only to ones containing "excp_"
Loading driver...OK
Opening device...OK
Requesting info on driver...OK
Driver: ExcpHook driver v0.0.1 by gynvael.coldwind//vx.
Entering loop... press ctrl+c to exit

--- Exception detected ---
PID:  2016    First Chance: YES
Exception code: 10000004 (KI_EXCEPTION_ACCESS_VIOLATION)
Exception addr: 0040130a
Image: D:\code\gynvael\BraveNewWorld\ExceptionCatch\excp_accviolw.exe
Param count   : 2
Params:
  00000001 88776655
Access Violation Type  : WRITE
Accessed Memory Address: 88776655

Disconnecting from driver...OK
Unloading driver...OK
^C
>


And the url (binary+source):
https://www.openrce.org/repositories/users/GynvaelColdwind/ExcpHookMonitor_0.0.3.zip

Take care,
G.C.
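
An added example (not part of the original post and not ExcpHook's own source) showing what a fuzzing user typically does with the monitor's stdout: parse each "--- Exception detected ---" block into a record, map the kernel-internal code KI_EXCEPTION_ACCESS_VIOLATION (0x10000004), which the hook sees because it runs before KiDispatchException rewrites the record, to the STATUS_ACCESS_VIOLATION (0xC0000005) a user-mode handler would receive, decode the two access-violation parameters (ExceptionInformation[0]: 0 = read, 1 = write, 8 = DEP/execute fault; ExceptionInformation[1]: the faulting address), and bucket events by crash site with first-chance and second-chance counts. The embedded log is constructed: its first record is the one shown above, the other two (a second-chance repeat and a breakpoint with zero parameters) are made up to exercise the parser, and the line layout for a zero-parameter record is an assumption.

```python
"""Parse ExcpHook-style exception monitor output and bucket it for triage.

Added example. The line format is the one shown in the post; the
zero-parameter layout and every sample record except the first are
constructed assumptions, not captured ExcpHook output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Kernel-internal code seen at the KiExceptionDispatch hook; the kernel
# rewrites it to STATUS_ACCESS_VIOLATION before user-mode handlers see it.
KI_EXCEPTION_ACCESS_VIOLATION = 0x10000004
STATUS_ACCESS_VIOLATION = 0xC0000005

# EXCEPTION_RECORD.ExceptionInformation[0] for an access violation.
AV_KIND = {0: "READ", 1: "WRITE", 8: "EXECUTE"}  # 8 = DEP/NX fault

_RE_PID = re.compile(r"^PID:\s*(\d+)\s+First Chance:\s*(YES|NO)", re.I)
_RE_CODE = re.compile(r"^Exception code:\s*([0-9a-f]+)\s*\((\w+)\)", re.I)
_RE_ADDR = re.compile(r"^Exception addr:\s*([0-9a-f]+)", re.I)
_RE_IMAGE = re.compile(r"^Image:\s*(.*\S)")
_RE_COUNT = re.compile(r"^Param count\s*:\s*(\d+)")
_RE_HEXWORDS = re.compile(r"(?:[0-9a-f]{1,8}\s*)+", re.I)


@dataclass
class ExceptionEvent:
    pid: int
    first_chance: bool
    code: int          # code exactly as the monitor printed it
    name: str
    addr: int          # faulting instruction address
    image: str
    params: List[int]  # EXCEPTION_RECORD.ExceptionInformation[]

    def user_mode_code(self) -> int:
        """Code a user-mode SEH/VEH handler or debugger would receive."""
        if self.code == KI_EXCEPTION_ACCESS_VIOLATION:
            return STATUS_ACCESS_VIOLATION
        return self.code

    def is_access_violation(self) -> bool:
        return self.user_mode_code() == STATUS_ACCESS_VIOLATION

    def av_kind(self) -> Optional[str]:
        if not self.is_access_violation() or len(self.params) < 2:
            return None
        return AV_KIND.get(self.params[0], "UNKNOWN(%d)" % self.params[0])

    def av_target(self) -> Optional[int]:
        if not self.is_access_violation() or len(self.params) < 2:
            return None
        return self.params[1]

    def bucket(self) -> Tuple[str, int, int, Optional[str]]:
        """Crash-site key: image basename, user-mode code, address, AV kind."""
        image = self.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        return (image, self.user_mode_code(), self.addr, self.av_kind())


def parse_excphook_output(text: str) -> List[ExceptionEvent]:
    """Turn the monitor's stdout into events; incomplete records are dropped."""
    events: List[ExceptionEvent] = []
    rec: Optional[dict] = None
    in_params = False

    def flush() -> None:
        nonlocal rec
        required = ("pid", "first_chance", "code", "name", "addr", "image")
        if rec is not None and all(k in rec for k in required):
            n = rec.get("count", len(rec["params"]))
            events.append(ExceptionEvent(rec["pid"], rec["first_chance"], rec["code"],
                                         rec["name"], rec["addr"], rec["image"],
                                         rec["params"][:n]))
        rec = None

    for raw in text.splitlines():
        line = raw.strip()
        if line == "--- Exception detected ---":
            flush()
            rec = {"params": []}
            in_params = False
            continue
        if rec is None:
            continue  # driver chatter outside any record
        if in_params:
            if _RE_HEXWORDS.fullmatch(line):
                rec["params"].extend(int(tok, 16) for tok in line.split())
                continue
            in_params = False  # first non-hex line ends the parameter list
        if (m := _RE_PID.match(line)):
            rec["pid"] = int(m.group(1))
            rec["first_chance"] = m.group(2).upper() == "YES"
        elif (m := _RE_CODE.match(line)):
            rec["code"] = int(m.group(1), 16)
            rec["name"] = m.group(2)
        elif (m := _RE_ADDR.match(line)):
            rec["addr"] = int(m.group(1), 16)
        elif (m := _RE_IMAGE.match(line)):
            rec["image"] = m.group(1)
        elif (m := _RE_COUNT.match(line)):
            rec["count"] = int(m.group(1))
        elif line == "Params:":
            in_params = True
    flush()
    return events


def summarize(events: List[ExceptionEvent]) -> Dict[tuple, Dict[str, int]]:
    """Group by crash site; second-chance hits are the ones that killed the process."""
    out: Dict[tuple, Dict[str, int]] = {}
    for ev in events:
        b = out.setdefault(ev.bucket(), {"first_chance": 0, "second_chance": 0})
        b["first_chance" if ev.first_chance else "second_chance"] += 1
    return out


# Constructed sample: record 1 is from the post, records 2 and 3 are made up.
SAMPLE_OUTPUT = """\
ExcpHook Exception Monitor 0.0.3 by gynvael.coldwind//vx
Entering loop... press ctrl+c to exit

--- Exception detected ---
PID:  2016    First Chance: YES
Exception code: 10000004 (KI_EXCEPTION_ACCESS_VIOLATION)
Exception addr: 0040130a
Image: D:\\code\\gynvael\\BraveNewWorld\\ExceptionCatch\\excp_accviolw.exe
Param count   : 2
Params:
  00000001 88776655
Access Violation Type  : WRITE
Accessed Memory Address: 88776655

--- Exception detected ---
PID:  2016    First Chance: NO
Exception code: 10000004 (KI_EXCEPTION_ACCESS_VIOLATION)
Exception addr: 0040130a
Image: D:\\code\\gynvael\\BraveNewWorld\\ExceptionCatch\\excp_accviolw.exe
Param count   : 2
Params:
  00000001 88776655
Access Violation Type  : WRITE
Accessed Memory Address: 88776655

--- Exception detected ---
PID:  3120    First Chance: YES
Exception code: 80000003 (STATUS_BREAKPOINT)
Exception addr: 7c90120e
Image: C:\\fuzz\\target.exe
Param count   : 0
Params:

Disconnecting from driver...OK
"""

if __name__ == "__main__":
    for key, counts in summarize(parse_excphook_output(SAMPLE_OUTPUT)).items():
        image, code, addr, kind = key
        print("%-20s code=%08x addr=%08x kind=%-7s first=%d second=%d"
              % (image, code, addr, kind, counts["first_chance"], counts["second_chance"]))
```

Bucketing on the raw faulting address is fine on XP, where there is no ASLR and the same crash lands at the same address across runs; on Vista and later you would rebase it to module+offset before using it as a key. Filtering to second-chance events gives you the list of inputs that actually killed a target, while first-chance-only sites are exceptions the target handled itself.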


Blog Comments
omeg Posted: Sunday, January 13 2008 10:13.38 CST
Good stuff! I've thought about writing something like that when I was "dancing with exceptions" ;) but I was too lazy. The monitor seems to work fine, just some thoughts:
- buffer of 64 exceptions is too small - try running my TrashMe which generates hundreds per second or more ;)
- x64 version would be nice (have fun with asm there..)

frankboldewin Posted: Sunday, January 13 2008 10:31.51 CST
I had problems with your code.
No BSoD, but also no results.
The test-suite tools just crash and there is no report.

I'm using Windows XP SP2 German - 32-bit - all patches until Jan 08, if this helps.

Anyway, thanks for sharing.

GynvaelColdwind Posted: Sunday, January 13 2008 12:51.06 CST
Thanks for taking time to comment ;>

@omeg
Yeah, I've seen the effect TrashMe has on ExcpHook ;> I'll enlarge the buffer and add the missing race condition protections in the next version.
I'm afraid however I can't port ExcpHook to x64, since I don't own an x64 machine with XP ;< But you are welcome to do so ;>

@frankboldewin
Hmm this happens if the driver does not find KiExceptionDispatch. I'll contact you regarding this matter by priv msg ;>

djnemo Posted: Monday, January 14 2008 01:53.13 CST
Hi ...
There are many other exception handlers for source code, meaning you should include a header file or use a Unit in Delphi applications.
For example:
MadExcept
Eurekalog

Now the question is how to use them with, for example, an MS Visual C++ application without source code?

GynvaelColdwind, why does your exception handler make CPU usage 100%? Is there no other solution?

GynvaelColdwind Posted: Monday, January 14 2008 04:02.55 CST
@djnemo
Hi, thank you for your comment ;>
ExcpHook is a monitor, not a handler. It is supposed to aid fuzzing tests and other bughunt research initiatives ;> I guess I forgot to write why I created it ;>
Anyway, thank you for your links, I guess they have some functionality I could import to ExcpHook ;>

As for the CPU usage. Hmm It wasn't supposed to eat 100% CPU ;> I'll work on that, thanks ;>

dELTA Posted: Monday, January 14 2008 06:23.40 CST
Nice tool. You can find some more tools very similar to this in the "Exception Monitoring Tools" category of the Collaborative RCE Tools Library:

http://www.woodmann.com/collaborative/tools/index.php/Category:Exception_Monitoring_Tools

GynvaelColdwind Posted: Monday, January 14 2008 12:21.03 CST
@dELTA
Thanks for the link ;> I didn't know it ;>
Huh someone already added ExcpHook... Woah internet is fast ;>>>

djnemo Posted: Tuesday, January 15 2008 01:14.47 CST
@GynvaelColdwind
I know the difference between monitoring and handling (^-^) :x
They report good detail, and I think it is not too difficult to add, for example: CPU registers, memory dump, loaded modules, disassembly and so on...

GynvaelColdwind Posted: Tuesday, January 15 2008 02:13.01 CST
@djnemo
Sorry, You are right ;>
I'll try to add the features in 0.0.5 ;> I'll focus on bug fixing for 0.0.4. ;>

mjc Posted: Monday, January 21 2008 18:43.21 CST
For getting the process name, is the following valid?

Note: I'm not sure what some_length should be in order to be safe.

DECLARE_UNICODE_STRING_SIZE(uImageName, some_length);

   if (GetProcessImageName(NtCurrentProcess(), &uImageName) != STATUS_SUCCESS)
       DbgPrint("could not get process image name\n");

GynvaelColdwind Posted: Tuesday, January 22 2008 02:05.16 CST
@mjc
Thanks for your comment ;>
About the GetProcessImageName..
Are you talking about the GetProcessImageName posted on this site:
http://www.osronline.com/article.cfm?id=472
If so, yes, this is useful. Thanks ! ;>


