2009-02-03:

ExcpHook ver 0.0.5-rc2

excphook:re:windows:security:c++
Yesterday I finally got some time to finish the changes in the new version of ExcpHook. So, version 0.0.5-rc2 (rc2 of alpha ;p) is ready for download, and might even be usable ;D

ExcpHook Exception Monitor is an exception monitor made for Windows XP. The monitoring part is kernel-level (technically, in a driver), so unlike user-land monitors, ExcpHook does not have to be a debugger for the monitored processes, nor does it have to change their environment/code/data in any way. Additionally, ExcpHook is not tied to one process - it monitors every process in the system, letting the user filter out the interesting processes by providing a part of the image name of the process.

Download (source + binary): ExcpHookMonitor_0.0.5-rc2.zip (220KB)

An example of usage:

c:\Tools\ExcpHookMonitor_0.0.5-rc1>ExcpHook.exe excp_
ExcpHook Exception Monitor v0.0.5-rc2 by gynvael.coldwind//vx
(use -h or --help for help)
Filtering results only to ones containing "excp_"
Loading driver...OK
Opening device...OK
Requesting info on driver...OK
Driver: ExcpHook driver v0.0.5-rc2 by gynvael.coldwind//vx.
Driver status: All OK
Entering loop... press ctrl+c to exit

--- Exception detected ---
PID:  1440    First Chance: YES
Exception code: 10000004 (KI_EXCEPTION_ACCESS_VIOLATION)
Exception addr: 0040130a
Image (from OpenProcess): c:\Tools\ExcpHookMonitor_0.0.5-rc1\TestSuite\excp_accviol.c.exe
Image (from EPROCESS)   : excp_accviol.c.
Param count   : 2
Params:
 00000000 88776655
Access Violation Type  : READ
Accessed Memory Address: 88776655
Eax: 00401360    Edx: 77c51ae8    Ecx: 00401360    Ebx: 00004000
Esi: 7c90d950    Edi: 0006a19c    Esp: 0022ff60    Ebp: 0022ff78
Eip: 0040130a
EFlags: 00010247
 CF: 1   PF: 1   AF: 0   ZF: 1   SF: 0   TF: 0
 IF: 1   DF: 0   OF: 0   NT: 0   RF: 1   VM: 0
 AC: 0   ID: 0
 IOPL: 0   VIF: 0   VIP: 0

Stack:
77c2aead 0006a19c 003e29f0 00401305 00000010 00000002 0022ffb0 00401237
00000001 003e2498 003e29f0 00404000 0022ffa4 ffffffff 0022ffa8 00000001

Code:
[0040130a] a1 55667788          MOV EAX, [0x88776655]
[0040130f] 8945 fc              MOV [EBP-0x4], EAX
[00401312] b8 00000000          MOV EAX, 0x0
[00401317] c9                   LEAVE
[00401318] c3                   RET
[00401319] 90                   NOP
[0040131a] 90                   NOP
[0040131b] 90                   NOP
[0040131c] 90                   NOP
[0040131d] 90                   NOP
[0040131e] 90                   NOP
[0040131f] 90                   NOP
[00401320] 55                   PUSH EBP
[00401321] b9 c0304000          MOV ECX, 0x4030c0
[00401326] 89e5                 MOV EBP, ESP
[00401328] eb 14                JMP 0x40133e
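The record above packs several things a triage script wants: the PID, whether this is a first-chance exception, the kernel-internal code (10000004, KI_EXCEPTION_ACCESS_VIOLATION), the two access-violation parameters (the first is the access type, 0 for READ, the second is the faulting address, 88776655, which is how the monitor derives the "Access Violation Type" and "Accessed Memory Address" lines) and the raw EFlags value from which the individual flag bits are printed. The following C program is an added example, not part of ExcpHook or this post: it parses a constructed copy of that record, applies the same kind of image-name substring filter the tool uses, decodes the access-violation parameters and breaks EFlags 00010247 down into the same bits the monitor shows. It assumes the record layout is exactly as printed above and that the substring filter is case-insensitive (an assumption, since Windows image names are).

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Code printed by ExcpHook for a user-mode access violation (kernel-internal
   KI_* value; user mode later sees it as STATUS_ACCESS_VIOLATION, 0xC0000005). */
#define KI_EXCEPTION_ACCESS_VIOLATION 0x10000004u

/* Constructed sample: the header part of the record shown in the post. */
static const char *SAMPLE_RECORD =
    "--- Exception detected ---\n"
    "PID:  1440    First Chance: YES\n"
    "Exception code: 10000004 (KI_EXCEPTION_ACCESS_VIOLATION)\n"
    "Exception addr: 0040130a\n"
    "Image (from EPROCESS)   : excp_accviol.c.\n"
    "Param count   : 2\n"
    "Params:\n"
    " 00000000 88776655\n"
    "EFlags: 00010247\n";

struct excp_record {
    unsigned pid, code, addr, nparams, eflags;
    int first_chance;
    unsigned params[4];
    char image[64];
};

/* Handle one line of the record; *filled counts parameter values read so far,
   *seen collects the mandatory fields (bit 1: PID line, bit 2: code line). */
static void parse_line(const char *line, struct excp_record *r, unsigned *filled, int *seen)
{
    char fc[4] = "";
    const char *img = "Image (from EPROCESS)";
    if (sscanf(line, "PID: %u First Chance: %3s", &r->pid, fc) == 2) {
        r->first_chance = strcmp(fc, "YES") == 0;
        *seen |= 1;
    } else if (sscanf(line, "Exception code: %x", &r->code) == 1) {
        *seen |= 2;
    } else if (sscanf(line, "Exception addr: %x", &r->addr) == 1) {
    } else if (strncmp(line, img, strlen(img)) == 0) {
        const char *p = strchr(line, ':');
        if (p) { p++; while (*p == ' ') p++; snprintf(r->image, sizeof r->image, "%s", p); }
    } else if (sscanf(line, "Param count : %u", &r->nparams) == 1) {
    } else if (sscanf(line, "EFlags: %x", &r->eflags) == 1) {
    } else if (line[0] == ' ' && *filled < r->nparams) {
        /* Parameter values follow "Params:" as hex words on an indented line. */
        const char *p = line;
        char *end;
        while (*filled < r->nparams && *filled < 4) {
            unsigned long v = strtoul(p, &end, 16);
            if (end == p) break;
            r->params[(*filled)++] = (unsigned)v;
            p = end;
        }
    }
}

/* Parse one record; returns 1 when the PID and exception code were found. */
int parse_record(const char *text, struct excp_record *r)
{
    unsigned filled = 0;
    int seen = 0;
    memset(r, 0, sizeof *r);
    while (*text) {
        char line[256];
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        parse_line(line, r, &filled, &seen);
        text = nl ? nl + 1 : text + strlen(text);
    }
    return seen == 3;
}

/* Access-violation parameter 0 uses the EXCEPTION_RECORD convention. */
const char *av_type(unsigned p0)
{
    switch (p0) {
    case 0: return "READ";
    case 1: return "WRITE";
    case 8: return "EXECUTE";   /* DEP violation */
    default: return "UNKNOWN";
    }
}

/* Single-bit EFlags fields by name (bit positions from the Intel SDM); -1 if unknown. */
int eflag(unsigned eflags, const char *name)
{
    static const struct { const char *name; int bit; } bits[] = {
        {"CF",0},{"PF",2},{"AF",4},{"ZF",6},{"SF",7},{"TF",8},{"IF",9},{"DF",10},
        {"OF",11},{"NT",14},{"RF",16},{"VM",17},{"AC",18},{"VIF",19},{"VIP",20},{"ID",21}};
    size_t i;
    for (i = 0; i < sizeof bits / sizeof bits[0]; i++)
        if (strcmp(bits[i].name, name) == 0) return (eflags >> bits[i].bit) & 1;
    return -1;
}

int eflags_iopl(unsigned eflags) { return (eflags >> 12) & 3; }

/* Case-insensitive substring filter on the image name (assumed semantics). */
int image_matches(const char *image, const char *filter)
{
    size_t n = strlen(filter), m = strlen(image), i, j;
    if (n == 0) return 1;
    for (i = 0; i + n <= m; i++) {
        for (j = 0; j < n; j++)
            if (tolower((unsigned char)image[i + j]) != tolower((unsigned char)filter[j])) break;
        if (j == n) return 1;
    }
    return 0;
}

int main(void)
{
    struct excp_record r;
    if (!parse_record(SAMPLE_RECORD, &r) || !image_matches(r.image, "excp_")) return 1;
    printf("pid %u, %s chance, code %08x at %08x, image %s\n", r.pid,
           r.first_chance ? "first" : "second", r.code, r.addr, r.image);
    if (r.code == KI_EXCEPTION_ACCESS_VIOLATION && r.nparams == 2)
        printf("access violation: %s of %08x\n", av_type(r.params[0]), r.params[1]);
    printf("CF=%d ZF=%d IF=%d RF=%d IOPL=%d\n", eflag(r.eflags, "CF"), eflag(r.eflags, "ZF"),
           eflag(r.eflags, "IF"), eflag(r.eflags, "RF"), eflags_iopl(r.eflags));
    return 0;
}
```

Two details worth noting when reading the output with this in hand: the EPROCESS image name is the 15-character ImageFileName field, which is why it reads "excp_accviol.c." while the OpenProcess path carries the full name, and 0x10247 decodes to exactly the bits the monitor prints (CF, PF, ZF, IF and RF set, everything else including IOPL clear).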


Changelog:

0.0.4 -> 0.0.5-rc2
 * Fixed 100% CPU eating bug
 * Rewritten the code to use IOCTL instead of Write/Read
 * Added driver status checking mechanism
 * Commented the source code, made it more readable
 * Fixed multiCPU/multicore race condition possibility
 * Fixed BSoD on some systems when patching the kernel
 * Added some more spinlocks here and there
 * Fixed BSoD on some kernel versions, the signature seeking
   mechanism has been changed to a more decent one
 * Added general/control register logging/display
 * Added image name acquiring from EPROCESS
 * Added one-instance-at-a-time limit (this is needed due to design)
 * Added disassembly display (using diStorm lib)
 * Added some more minor things


All remarks are welcome ;>

P.S. you can also download ExcpHook as a part of OpenRCE snippets.

Comments:

2009-02-03 05:47:29 = lallous
{
Cool tool, thanks for sharing!
}
2009-02-04 15:02:19 = Gynvael Coldwind
{
@lallous
Glad you like it ;>
Let me know if anything goes wrong with it (alpha version still)...
}
2009-02-25 22:44:41 = andrewl
{
Hi Gynvael, tool freezes Windows XP SP2 when active and executing this:

http://andrewl.us/crackme_patched.exe

Exceptions are just access violation and invalid lock sequence.
}
2009-03-01 23:05:08 = Gynvael Coldwind
{
@andrewl
Thanks for the bug report! I'll take a look at it, and try to fix it in 0.0.6 ;>
}
2010-01-12 02:02:58 = number
{
Dude.. For Christ's sake, this is pretty amazing ;) Thanks, finally I've got something valuable to study again! :D Thanks again!
}
2010-01-16 02:15:43 = Gynvael Coldwind
{
@number
Glad you like it! ;>
The code is not as good as I would like it to be, so take care while studying it ;>
}
2013-12-13 20:19:46 = DethEternityDT
{
Hey gynvael, great work! I was wondering if you knew of any tricks to cause the kernel to NOT pass the exception to the userland exception handler? I have a PAGE_GUARD exception that I want to intercept, do some work, then have the userland program continue execution (instead of handling the exception). Any ideas? Thanks
}
2014-06-28 01:53:53 = REAP
{
Hello,

Just wanted to say thanks for sharing. Works fine for me on XP-SP3, where other tools don't.

Thanks!
}