From Collaborative RCE Tool Library


Exception Monitoring Tools


Tool name: Efilter
Rating: 0.0 (0 votes)
Author: Piotr Bania
Website: N/A
Current version: 1.0
Last updated: August 14, 2005
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Efilter is an automatic exception reporting utility. It is very useful
and handy while doing vulnerability research on any software designed
to work under Windows NT platforms. Because it hooks the
KiUserExceptionDispatcher function, it acts BEFORE any of the program's
active SEH frames take over the exception. In short, it reports a
program's exceptions even if they are handled by the original program.

Here is a sample screenshot:
- http://pb.specialised.info/all/efilter/efilter.jpg

Since it uses debug messages, it requires the DebugView utility to show
the output messages (download from: http://www.sysinternals.com).
Also listed in: (Not listed in any other category)



Tool name: ExcpHook
Rating: 0.0 (0 votes)
Author: Gynvael Coldwind
Website: http://vexillium.org/?sec
Current version: 0.0.4
Last updated: January 22, 2008
Direct D/L link: http://vexillium.org/dl.php?excphook004
License type: Free / Open Source
Description: The source code / binary is also available as a part of http://code.google.com/p/openrce-snippets/

ExcpHook is an open source (see license.txt) Exception Monitor for Windows made by Gynvael Coldwind (Team Vexillium).
Currently supported Windows versions: XP SP2
Please note that this is an ALPHA version.

It uses a ring0 driver to hook the KiExceptionDispatch procedure to detect the exceptions, and then shows information about the exception on stdout (using the ring3 part of the program, ofc).
The difference between this method and the standard debug API method is that this method monitors all XP processes, and the program does not have to attach to any other process to monitor it, hence it's harder to detect.

The ring0 code sucks. It does not BSoD at my place, but I cannot guarantee it won't BSoD at some other place.
I'm really looking forward to comments regarding the ring0 code, especially constructive ones ;)

The known bugs are:
- The code tends to BSoD on multi-CPU machines (will be fixed)

Well, that's it, any comments are welcome ;)

Example of usage:

>ExcpHook.exe excp_
ExcpHook Exception Monitor 0.0.4 by gynvael.coldwind//vx
(use -h or --help for help)
Filtering results only to ones containing "excp_"
Loading driver...OK
Opening device...OK
Requesting info on driver...OK
Driver: ExcpHook driver v0.0.1 by gynvael.coldwind//vx.
Entering loop... press ctrl+c to exit

--- Exception detected ---
PID: 2016 First Chance: YES
Exception code: 10000004 (KI_EXCEPTION_ACCESS_VIOLATION)
Exception addr: 0040130a
Image: D:\code\gynvael\BraveNewWorld\ExceptionCatch\excp_accviolw.exe
Param count  : 2
Params:
00000001 88776655
Access Violation Type  : WRITE
Accessed Memory Address: 88776655

Disconnecting from driver...OK
Unloading driver...OK
Also listed in: (Not listed in any other category)



Tool name: SEHLoger
Rating: 0.0 (0 votes)
Author: seeQ
Website: N/A
Current version: 1.0
Last updated: June 16, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: This program resolves the situation when you need to log all exceptions in a victim program.

Works fine with all common protectors like Asprotect, Execryptor, Themida.

Example execryptor.exe:

Exception at : 00761A80 Handler : 00765512 Dr0=0076002E Dr1=0012F9E8 Dr2=0012F9D4 ...
Exception at : 0075F1A0 Handler : 0076D81E Dr0=00400000 Dr1=0012F9E8 Dr2=0012F9D4 ...
Exception at : 00761387 Handler : 00763EF0 Dr0=00000000 Dr1=00000000 Dr2=0012F610 ...
Also listed in: (Not listed in any other category)

