📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

ExcpHook 0.0.5-rc2 released
Author: GynvaelColdwind
Views: 2864
Created: Tuesday, February 3 2009 04:51.54 CST
Modified: Tuesday, February 3 2009 04:53.05 CST

Yesterday I finally got some time to finish the changes in the new version of ExcpHook. So, version 0.0.5-rc2 (rc2 of alpha ;p) is ready for download, and might even be usable ;D

ExcpHook Exception Monitor is an exception monitor for Windows XP. The monitoring part runs at kernel level (technically, in a driver), so unlike user-land monitors, ExcpHook does not have to attach to the monitored processes as a debugger, nor does it have to change their environment, code or data in any way. Additionally, ExcpHook is not tied to a single process: it monitors every process in the system and lets the user narrow the output to the interesting processes by providing a part of the process image name.

Download (source + binary): ExcpHookMonitor_0.0.5-rc2.zip (220KB)

An example of usage:


c:\Tools\ExcpHookMonitor_0.0.5-rc1>ExcpHook.exe excp_
ExcpHook Exception Monitor v0.0.5-rc2 by gynvael.coldwind//vx
(use -h or --help for help)
Filtering results only to ones containing "excp_"
Loading driver...OK
Opening device...OK
Requesting info on driver...OK
Driver: ExcpHook driver v0.0.5-rc2 by gynvael.coldwind//vx.
Driver status: All OK
Entering loop... press ctrl+c to exit

--- Exception detected ---
PID:  1440    First Chance: YES
Exception code: 10000004 (KI_EXCEPTION_ACCESS_VIOLATION)
Exception addr: 0040130a
Image (from OpenProcess): c:\Tools\ExcpHookMonitor_0.0.5-rc1\TestSuite\excp_accviol.c.exe
Image (from EPROCESS)   : excp_accviol.c.
Param count   : 2
Params:
00000000 88776655
Access Violation Type  : READ
Accessed Memory Address: 88776655
Eax: 00401360    Edx: 77c51ae8    Ecx: 00401360    Ebx: 00004000
Esi: 7c90d950    Edi: 0006a19c    Esp: 0022ff60    Ebp: 0022ff78
Eip: 0040130a
EFlags: 00010247
CF: 1   PF: 1   AF: 0   ZF: 1   SF: 0   TF: 0
IF: 1   DF: 0   OF: 0   NT: 0   RF: 1   VM: 0
AC: 0   ID: 0
IOPL: 0   VIF: 0   VIP: 0

Stack:
77c2aead 0006a19c 003e29f0 00401305 00000010 00000002 0022ffb0 00401237
00000001 003e2498 003e29f0 00404000 0022ffa4 ffffffff 0022ffa8 00000001

Code:
[0040130a] a1 55667788          MOV EAX, [0x88776655]
[0040130f] 8945 fc              MOV [EBP-0x4], EAX
[00401312] b8 00000000          MOV EAX, 0x0
[00401317] c9                   LEAVE
[00401318] c3                   RET
[00401319] 90                   NOP
[0040131a] 90                   NOP
[0040131b] 90                   NOP
[0040131c] 90                   NOP
[0040131d] 90                   NOP
[0040131e] 90                   NOP
[0040131f] 90                   NOP
[00401320] 55                   PUSH EBP
[00401321] b9 c0304000          MOV ECX, 0x4030c0
[00401326] 89e5                 MOV EBP, ESP
[00401328] eb 14                JMP 0x40133e
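The record shown above is easy to post-process, which is useful when ExcpHook is left running over a fuzzing session or a test suite and you want to count and sort the exceptions it reports. The following Python script is an added example, not ExcpHook's own code: it parses one such record, decodes the EFlags value into the individual flag bits ExcpHook lists, derives the access-violation type and faulting address from the two exception parameters the way Windows defines them for EXCEPTION_RECORD (ExceptionInformation[0] is 0 for a read, 1 for a write, 8 for a DEP execute fault; ExceptionInformation[1] is the address), and applies an image-name substring filter like the one ExcpHook uses. The embedded sample is the record printed above, reduced to the lines the script reads; the function names, the case-insensitive matching, and the inclusion of the user-mode STATUS_ACCESS_VIOLATION code next to the kernel-internal one ExcpHook displays are my own choices.

```python
"""Parse and decode an ExcpHook-style exception record (added example, not ExcpHook code)."""
import re

# Constructed sample: the record ExcpHook printed above, reduced to the lines this script reads.
SAMPLE_RECORD = r"""
--- Exception detected ---
PID:  1440    First Chance: YES
Exception code: 10000004 (KI_EXCEPTION_ACCESS_VIOLATION)
Exception addr: 0040130a
Image (from OpenProcess): c:\Tools\ExcpHookMonitor_0.0.5-rc1\TestSuite\excp_accviol.c.exe
Image (from EPROCESS)   : excp_accviol.c.
Param count   : 2
Params:
00000000 88776655
Eip: 0040130a
EFlags: 00010247
"""

# Exception codes we can name: the kernel-internal code ExcpHook shows, and the
# NTSTATUS that user mode sees after the kernel translates it.
EXCEPTION_NAMES = {
    0x10000004: "KI_EXCEPTION_ACCESS_VIOLATION",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
}
ACCESS_VIOLATION_CODES = set(EXCEPTION_NAMES)

# For access violations, ExceptionInformation[0] encodes the access kind and
# ExceptionInformation[1] the faulting address (EXCEPTION_RECORD semantics).
AV_KINDS = {0: "READ", 1: "WRITE", 8: "EXECUTE"}

# Single-bit EFlags positions; IOPL (bits 12-13) is a two-bit field, handled separately.
EFLAGS_BITS = [
    ("CF", 0), ("PF", 2), ("AF", 4), ("ZF", 6), ("SF", 7), ("TF", 8),
    ("IF", 9), ("DF", 10), ("OF", 11), ("NT", 14), ("RF", 16), ("VM", 17),
    ("AC", 18), ("VIF", 19), ("VIP", 20), ("ID", 21),
]


def _field(pattern, text):
    """Return the first capture group of a multiline regex, or fail loudly."""
    m = re.search(pattern, text, re.M)
    if not m:
        raise ValueError(f"field not found: {pattern}")
    return m.group(1)


def parse_record(text):
    """Extract the fields of one '--- Exception detected ---' block into a dict."""
    rec = {
        "pid": int(_field(r"^PID:\s*(\d+)", text)),
        "first_chance": _field(r"First Chance:\s*(YES|NO)", text) == "YES",
        "code": int(_field(r"^Exception code:\s*([0-9a-fA-F]{8})", text), 16),
        "addr": int(_field(r"^Exception addr:\s*([0-9a-fA-F]{8})", text), 16),
        "image": _field(r"^Image \(from OpenProcess\):\s*(\S+)", text),
        "image_short": _field(r"^Image \(from EPROCESS\)\s*:\s*(\S+)", text),
        "eflags": int(_field(r"^EFlags:\s*([0-9a-fA-F]{8})", text), 16),
    }
    count = int(_field(r"^Param count\s*:\s*(\d+)", text))
    params_line = _field(r"^Params:\s*\n([^\n]*)", text)
    rec["params"] = [int(p, 16) for p in params_line.split()][:count]
    return rec


def decode_eflags(value):
    """Split a 32-bit EFlags value into the named bits ExcpHook prints."""
    flags = {name: (value >> bit) & 1 for name, bit in EFLAGS_BITS}
    flags["IOPL"] = (value >> 12) & 3
    return flags


def decode_access_violation(params):
    """Return (kind, address) for an access-violation parameter list."""
    if len(params) < 2:
        return ("UNKNOWN", None)
    return (AV_KINDS.get(params[0], "UNKNOWN"), params[1])


def matches_filter(rec, needle):
    """Case-insensitive substring match against either image name, like ExcpHook's filter."""
    needle = needle.lower()
    return needle in rec["image"].lower() or needle in rec["image_short"].lower()


def summarize(text, name_filter=""):
    """One-line summary of a record, or None if the image-name filter rejects it."""
    rec = parse_record(text)
    if not matches_filter(rec, name_filter):
        return None
    name = EXCEPTION_NAMES.get(rec["code"], f"code 0x{rec['code']:08x}")
    chance = "first" if rec["first_chance"] else "second"
    line = f"PID {rec['pid']} {chance}-chance {name} at {rec['addr']:08x}"
    if rec["code"] in ACCESS_VIOLATION_CODES:
        kind, where = decode_access_violation(rec["params"])
        line += f": {kind} of {where:08x}" if where is not None else f": {kind}"
    return line


if __name__ == "__main__":
    print(summarize(SAMPLE_RECORD, "excp_"))
    print(decode_eflags(parse_record(SAMPLE_RECORD)["eflags"]))
```

Running the script prints the summary of the sample record and the decoded flags; for the EFlags value 00010247 above, only CF, PF, ZF, IF and RF come out set, matching the breakdown ExcpHook itself prints. Feeding it the whole log instead of one record only needs a split on the "--- Exception detected ---" marker.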


Changelog

0.0.4 -> 0.0.5-rc2
* Fixed a bug that consumed 100% CPU
* Rewrote the code to use IOCTLs instead of Write/Read
* Added a driver status checking mechanism
* Commented the source code and made it more readable
* Fixed a possible multi-CPU/multi-core race condition
* Fixed a BSoD on some systems when patching the kernel
* Added some more spinlocks here and there
* Fixed a BSoD on some kernel versions; the signature-seeking mechanism has been changed to a more decent one
* Added general/control register logging/display
* Added image name acquisition from EPROCESS
* Added a one-instance-at-a-time limit (this is needed due to the design)
* Added disassembly display (using the diStorm lib)
* Added some more minor things


P.S. You can also download ExcpHook as part of the OpenRCE snippets.



Blog Comments
zarulshahrin Posted: Wednesday, February 4 2009 07:28.28 CST
Aha, what a coincidence! I opened the website to search for the previous version of this tool, and what I found is a new version of it posted yesterday. How cool!

Anyway, thank you for your contribution to the community, and I would also like to say that I really enjoy reading your technical stuff. So, please don't stop making contributions :-)

GynvaelColdwind Posted: Wednesday, February 4 2009 16:50.04 CST
@zarulshahrin
Glad you like it ;>
If you encounter any problems with ExcpHook, please let me know, it's still alpha after all ;>
