Yesterday I've finally got some time to finish the changes in the new version of ExcpHook. So, version 0.0.5-rc2 (rc2 of alpha ;p) is ready for download, and might be even usable ;D

ExcpHook Exception Monitor is an exception monitor, made for Windows XP. The monitoring part is kernel-level (technically, in a driver), so in opposite to user-land monitors, ExcpHook does not have to be a debugger for the monitored processes, nor it doesn't have to change their environment/code/data in anyway. Additionally, ExcpHook is not tied up with one process - it monitors every process in the system, letting the user filter out the interesting processes by providing a part of the image name of the process.

Download (source + binary): ExcpHookMonitor_0.0.5-rc2.zip (220KB)

An example of usage:

c:\Tools\ExcpHookMonitor_0.0.5-rc1>ExcpHook.exe excp_
ExcpHook Exception Monitor v0.0.5-rc2 by gynvael.coldwind//vx
(use -h or --help for help)
Filtering results only to ones containing "excp_"
Loading driver...OK
Opening device...OK
Requesting info on driver...OK
Driver: ExcpHook driver v0.0.5-rc2 by gynvael.coldwind//vx.
Driver status: All OK
Entering loop... press ctrl+c to exit

--- Exception detected ---
PID:  1440    First Chance: YES
Exception code: 10000004 (KI_EXCEPTION_ACCESS_VIOLATION)
Exception addr: 0040130a
Image (from OpenProcess): c:\Tools\ExcpHookMonitor_0.0.5-rc1\TestSuite\excp_accviol.c.exe
Image (from EPROCESS)   : excp_accviol.c.
Param count   : 2
Params:
 00000000 88776655
Access Violation Type  : READ
Accessed Memory Address: 88776655
Eax: 00401360    Edx: 77c51ae8    Ecx: 00401360    Ebx: 00004000
Esi: 7c90d950    Edi: 0006a19c    Esp: 0022ff60    Ebp: 0022ff78
Eip: 0040130a
EFlags: 00010247
 CF: 1   PF: 1   AF: 0   ZF: 1   SF: 0   TF: 0
 IF: 1   DF: 0   OF: 0   NT: 0   RF: 1   VM: 0
 AC: 0   ID: 0
 IOPL: 0   VIF: 0   VIP: 0

Stack:
77c2aead 0006a19c 003e29f0 00401305 00000010 00000002 0022ffb0 00401237
00000001 003e2498 003e29f0 00404000 0022ffa4 ffffffff 0022ffa8 00000001

Code:
[0040130a] a1 55667788          MOV EAX, [0x88776655]
[0040130f] 8945 fc              MOV [EBP-0x4], EAX
[00401312] b8 00000000          MOV EAX, 0x0
[00401317] c9                   LEAVE
[00401318] c3                   RET
[00401319] 90                   NOP
[0040131a] 90                   NOP
[0040131b] 90                   NOP
[0040131c] 90                   NOP
[0040131d] 90                   NOP
[0040131e] 90                   NOP
[0040131f] 90                   NOP
[00401320] 55                   PUSH EBP
[00401321] b9 c0304000          MOV ECX, 0x4030c0
[00401326] 89e5                 MOV EBP, ESP
[00401328] eb 14                JMP 0x40133e

Changelog:

0.0.4 -> 0.0.5-rc2
 * Fixed 100% CPU eating bug
 * Rewritten the code to use IOCTL insted of Write/Read
 * Added driver status checking mechanism
 * Commented the source code, made it more readable
 * Fixed multiCPU/multicore race condition possibility
 * Fixed BSoD on some systems when patching the kernel
 * Added some more spinlocks here and there
 * Fixed BSoD on some kernel versions, the signature seeking
   mechanism has been changed to a more decent one
 * Added general/control register logging/display
 * Added image name acquiring from EPROCESS
 * Added one-instatnce-at-a-time limit (this is needed due to design)
 * Added disasembly display (using diStorm lib)
 * Added some more minor things

All remarks are welcomed ;>

P.S. you can also download ExcpHook as a part of OpenRCE snippets.