The source code / binary is also available as a part of
486K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3y4G2k6r3g2Q4x3X3g2Y4L8$3!0Y4L8r3g2Q4x3X3g2U0L8$3#2Q4x3V1k6H3i4K6u0r3L8%4m8W2L8Y4u0U0k6g2)9J5k6s2y4F1K9i4m8H3k6i4c8K6i4K6u0r3

ExcpHook is an open source (see license.txt) Exception Monitor for Windows made
by Gynvael Coldwind (Team Vexillium).
Currently supported Windows versions: XP SP2 and XP SP3
Please note that this is ALPHA version.

ExcpHook Exception Monitor is an exception monitor, made for Windows XP. The
monitoring part is kernel-level (technically, in a driver), so in opposite to user-land
monitors, ExcpHook does not have to be a debugger for the monitored processes,
nor it doesn't have to change their environment/code/data in anyway.
Additionally, ExcpHook is not tied up with one process - it monitors every process
in the system, letting the user filter out the interesting processes by providing a
part of the image name of the process.

Well, thats it, any comments are welcomed ;)

--- Changelog:
0.0.4 -> 0.0.5-rc2
* Fixed 100% CPU eating bug
* Rewritten the code to use IOCTL insted of Write/Read
* Added driver status checking mechanism
* Commented the source code, made it more readable
* Fixed multiCPU/multicore race condition possibility
* Fixed BSoD on some systems when patching the kernel
* Added some more spinlocks here and there
* Fixed BSoD on some kernel versions, the signature seeking
mechanism has been changed to a more decent one
* Added general/control register logging/display
* Added image name acquiring from EPROCESS
* Added one-instatnce-at-a-time limit (this is needed due to design)
* Added disasembly display (using diStorm lib)
* Added some more minor things

--- Example of usage:
c:\Tools\ExcpHookMonitor_0.0.5-rc1>ExcpHook.exe excp_
ExcpHook Exception Monitor v0.0.5-rc2 by gynvael.coldwind//vx
(use -h or --help for help)
Filtering results only to ones containing "excp_"
Loading driver...OK
Opening device...OK
Requesting info on driver...OK
Driver: ExcpHook driver v0.0.5-rc2 by gynvael.coldwind//vx.
Driver status: All OK
Entering loop... press ctrl+c to exit

--- Exception detected ---
PID: 1440 First Chance: YES
Exception code: 10000004 (KI_EXCEPTION_ACCESS_VIOLATION)
Exception addr: 0040130a
Image (from OpenProcess): c:\Tools\ExcpHookMonitor_0.0.5-rc1\TestSuite\excp_accviol.c.exe
Image (from EPROCESS) : excp_accviol.c.
Param count : 2
Params:
00000000 88776655
Access Violation Type : READ
Accessed Memory Address: 88776655
Eax: 00401360 Edx: 77c51ae8 Ecx: 00401360 Ebx: 00004000
Esi: 7c90d950 Edi: 0006a19c Esp: 0022ff60 Ebp: 0022ff78
Eip: 0040130a
EFlags: 00010247
CF: 1 PF: 1 AF: 0 ZF: 1 SF: 0 TF: 0
IF: 1 DF: 0 OF: 0 NT: 0 RF: 1 VM: 0
AC: 0 ID: 0
IOPL: 0 VIF: 0 VIP: 0

Stack:
77c2aead 0006a19c 003e29f0 00401305 00000010 00000002 0022ffb0 00401237
00000001 003e2498 003e29f0 00404000 0022ffa4 ffffffff 0022ffa8 00000001

Code:
[0040130a] a1 55667788 MOV EAX, [0x88776655]
[0040130f] 8945 fc MOV [EBP-0x4], EAX
[00401312] b8 00000000 MOV EAX, 0x0
[00401317] c9 LEAVE
[00401318] c3 RET
[00401319] 90 NOP
[0040131a] 90 NOP
[0040131b] 90 NOP
[0040131c] 90 NOP
[0040131d] 90 NOP
[0040131e] 90 NOP
[0040131f] 90 NOP
[00401320] 55 PUSH EBP
[00401321] b9 c0304000 MOV ECX, 0x4030c0
[00401326] 89e5 MOV EBP, ESP
[00401328] eb 14 JMP 0x40133e

720K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3N6&6L8Y4k6S2k6h3I4Q4x3X3g2U0L8$3I4V1N6$3W2F1k6q4)9J5k6i4m8D9i4K6u0r3k6r3!0%4L8X3I4G2j5h3c8Q4x3X3g2H3K9s2m8Q4x3@1k6X3i4K6y4p5c8i4S2U0M7p5S2G2L8$3E0y4L8$3&6A6N6r3!0J5i4K6g2X3x3q4)9J5k6e0m8Q4x3X3f1#2i4K6u0V1M7X3x3J5i4K6u0W2P5X3W2H3

[培训]科锐逆向工程师培训第53期2025年7月8日开班！