From Collaborative RCE Tool Library


Exception Monitoring Tools


Tool name: Efilter
Rating: 0.0 (0 votes)
Author: Piotr Bania
Website: N/A
Current version: 1.0
Last updated: August 14, 2005
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Efilter is an automatic exception reporting utility. It is very useful
and handy while doing vulnerability research on any software designed
to work under Windows NT platforms. Because it hooks the
KiUserExceptionDispatcher function, it acts BEFORE any of the program's
active SEH frames take over the exception. In short, it reports the
program's exceptions even if they are handled by the original program.

Here is a sample screenshot:
- http://pb.specialised.info/all/efilter/efilter.jpg

Since it uses debug messages, it requires the DebugView utility to show
output messages. (download from: http://www.sysinternals.com)
Also listed in: (Not listed in any other category)



Tool name: ExcpHook
Rating: 0.0 (0 votes)
Author: Gynvael Coldwind
Website: http://gynvael.coldwind.pl/
Current version: 0.0.5-rc2
Last updated: February 03, 2009
Direct D/L link: http://gynvael.coldwind.pl/download.php?f=ExcpHookMonitor_0.0.5-rc2.zip
License type: Open Source (BSD Style)
Description: The source code / binary is also available as a part of http://code.google.com/p/openrce-snippets/

ExcpHook is an open source (see license.txt) Exception Monitor for Windows made by Gynvael Coldwind (Team Vexillium).
Currently supported Windows versions: XP SP2 and XP SP3
Please note that this is ALPHA version.

ExcpHook Exception Monitor is an exception monitor made for Windows XP. The monitoring part is kernel-level (technically, in a driver), so unlike user-land monitors, ExcpHook does not have to be a debugger for the monitored processes, nor does it have to change their environment/code/data in any way. Additionally, ExcpHook is not tied to one process - it monitors every process in the system, letting the user filter out the interesting processes by providing a part of the image name of the process.

Well, that's it, any comments are welcomed ;)

--- Changelog:
0.0.4 -> 0.0.5-rc2
* Fixed 100% CPU-eating bug
* Rewritten the code to use IOCTL instead of Write/Read
* Added driver status checking mechanism
* Commented the source code, made it more readable
* Fixed multiCPU/multicore race condition possibility
* Fixed BSoD on some systems when patching the kernel
* Added some more spinlocks here and there
* Fixed BSoD on some kernel versions, the signature seeking mechanism has been changed to a more decent one
* Added general/control register logging/display
* Added image name acquiring from EPROCESS
* Added one-instance-at-a-time limit (this is needed due to design)
* Added disassembly display (using diStorm lib)
* Added some more minor things

--- Example of usage:
c:\Tools\ExcpHookMonitor_0.0.5-rc1>ExcpHook.exe excp_
ExcpHook Exception Monitor v0.0.5-rc2 by gynvael.coldwind//vx
(use -h or --help for help)
Filtering results only to ones containing "excp_"
Loading driver...OK
Opening device...OK
Requesting info on driver...OK
Driver: ExcpHook driver v0.0.5-rc2 by gynvael.coldwind//vx.
Driver status: All OK
Entering loop... press ctrl+c to exit

--- Exception detected ---
PID: 1440 First Chance: YES
Exception code: 10000004 (KI_EXCEPTION_ACCESS_VIOLATION)
Exception addr: 0040130a
Image (from OpenProcess): c:\Tools\ExcpHookMonitor_0.0.5-rc1\TestSuite\excp_accviol.c.exe
Image (from EPROCESS)  : excp_accviol.c.
Param count  : 2
Params:
00000000 88776655
Access Violation Type  : READ
Accessed Memory Address: 88776655
Eax: 00401360 Edx: 77c51ae8 Ecx: 00401360 Ebx: 00004000
Esi: 7c90d950 Edi: 0006a19c Esp: 0022ff60 Ebp: 0022ff78
Eip: 0040130a
EFlags: 00010247
CF: 1 PF: 1 AF: 0 ZF: 1 SF: 0 TF: 0
IF: 1 DF: 0 OF: 0 NT: 0 RF: 1 VM: 0
AC: 0 ID: 0
IOPL: 0 VIF: 0 VIP: 0

Stack:
77c2aead 0006a19c 003e29f0 00401305 00000010 00000002 0022ffb0 00401237
00000001 003e2498 003e29f0 00404000 0022ffa4 ffffffff 0022ffa8 00000001

Code:
[0040130a] a1 55667788 MOV EAX, [0x88776655]
[0040130f] 8945 fc MOV [EBP-0x4], EAX
[00401312] b8 00000000 MOV EAX, 0x0
[00401317] c9 LEAVE
[00401318] c3 RET
[00401319] 90 NOP
[0040131a] 90 NOP
[0040131b] 90 NOP
[0040131c] 90 NOP
[0040131d] 90 NOP
[0040131e] 90 NOP
[0040131f] 90 NOP
[00401320] 55 PUSH EBP
[00401321] b9 c0304000 MOV ECX, 0x4030c0
[00401326] 89e5 MOV EBP, ESP
[00401328] eb 14 JMP 0x40133e
Also listed in: (Not listed in any other category)



Tool name: psusp
Rating: 0.0 (0 votes)
Author: EliCZ
Website: https://www.openrce.org/blog/view/1472/psusp
Current version:
Last updated: June 15, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: For XP+ (x86, x64): suspends a process on an exception or termination.
Useful for MyAppShouldNotCrashForAnyInput.exe *.* testing.
It's less intrusive than AeDebug - heap, locks, ... are left intact.
Also listed in: (Not listed in any other category)



Tool name: SEHLoger
Rating: 0.0 (0 votes)
Author: seeQ
Website: N/A
Current version: 1.0
Last updated: June 16, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: This program resolves a situation where you need to log all exceptions in the victim program.

Works fine with all common protectors like Asprotect, Execryptor, Themida.

Example (execryptor.exe):

Exception at : 00761A80 Handler : 00765512 Dr0=0076002E Dr1=0012F9E8 Dr2=0012F9D4 ...
Exception at : 0075F1A0 Handler : 0076D81E Dr0=00400000 Dr1=0012F9E8 Dr2=0012F9D4 ...
Exception at : 00761387 Handler : 00763EF0 Dr0=00000000 Dr1=00000000 Dr2=0012F610 ...
Also listed in: (Not listed in any other category)

