The source code / binary is also available as a part of http://code.google.com/p/openrce-snippets/
ExcpHook is an open source (see license.txt) Exception Monitor for Windows made by Gynvael Coldwind (Team Vexillium). Currently supported Windows versions: XP SP2 and XP SP3. Please note that this is an ALPHA version.
ExcpHook Exception Monitor is an exception monitor made for Windows XP. The monitoring part is kernel-level (technically, in a driver), so unlike user-land monitors, ExcpHook does not have to be a debugger for the monitored processes, nor does it have to change their environment, code or data in any way. Additionally, ExcpHook is not tied to one process: it monitors every process in the system and lets the user filter out the interesting processes by providing a part of the process image name.
Well, that's it, any comments are welcome ;)
--- Changelog: 0.0.4 -> 0.0.5-rc2
 * Fixed 100% CPU eating bug
 * Rewritten the code to use IOCTL instead of Write/Read
 * Added driver status checking mechanism
 * Commented the source code, made it more readable
 * Fixed multiCPU/multicore race condition possibility
 * Fixed BSoD on some systems when patching the kernel
 * Added some more spinlocks here and there
 * Fixed BSoD on some kernel versions, the signature seeking mechanism has been changed to a more decent one
 * Added general/control register logging/display
 * Added image name acquiring from EPROCESS
 * Added one-instance-at-a-time limit (this is needed due to design)
 * Added disassembly display (using diStorm lib)
 * Added some more minor things
--- Example of usage:

c:\Tools\ExcpHookMonitor_0.0.5-rc1>ExcpHook.exe excp_
ExcpHook Exception Monitor v0.0.5-rc2 by gynvael.coldwind//vx
(use -h or --help for help)
Filtering results only to ones containing "excp_"
Loading driver...OK
Opening device...OK
Requesting info on driver...OK
Driver: ExcpHook driver v0.0.5-rc2 by gynvael.coldwind//vx.
Driver status: All OK
Entering loop... press ctrl+c to exit
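The image-name filter from the description and the usage example, as an added illustration in C that is not code from ExcpHook itself. It assumes the driver reports the name as stored in the 16-byte EPROCESS.ImageFileName field (the changelog's "image name acquiring from EPROCESS"); the function names and the two sample process names are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* ASSUMPTION (not from the ExcpHook source): the driver reports the image name as
 * stored in EPROCESS.ImageFileName, a 16-byte field holding at most 15 characters
 * of the executable's base name plus a terminating NUL. */
#define IMAGE_NAME_LEN 16

/* Store a name the way the kernel does: base name truncated to 15 characters. */
static void kernel_image_name(char out[IMAGE_NAME_LEN], const char *full_name)
{
    strncpy(out, full_name, IMAGE_NAME_LEN - 1);
    out[IMAGE_NAME_LEN - 1] = '\0';
}

/* Case-insensitive "contains" test, the match applied to the partial image name
 * given on the command line ("excp_" in the usage example above). */
static int name_contains(const char *haystack, const char *needle)
{
    size_t n = strlen(needle);
    for (const char *p = haystack; *p; p++) {
        size_t i = 0;
        while (i < n && p[i] &&
               tolower((unsigned char)p[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return 1;
    }
    return 0;
}

/* Constructed sample of reported events: one process name longer than 15
 * characters, one shorter. Returns how many pass the filter (empty = all). */
static int demo_matches(const char *filter)
{
    const char *full_names[] = { "excp_test_long_name.exe", "notepad.exe" };
    char stored[IMAGE_NAME_LEN];
    int hits = 0;
    for (int i = 0; i < 2; i++) {
        kernel_image_name(stored, full_names[i]);   /* "excp_test_long_", "notepad.exe" */
        if (!*filter || name_contains(stored, filter))
            hits++;
    }
    return hits;
}

int main(void)
{
    /* "excp_" still matches; a filter on the tail dropped by the kernel never can. */
    printf("\"excp_\": %d  \"long_name\": %d\n",
           demo_matches("excp_"), demo_matches("long_name"));   /* 1  0 */
    return 0;
}
```

The practical consequence: choose a filter substring that lies within the first 15 characters of the image name, because anything beyond that is not present in the field the driver reads.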