Scanit - The security company

Exception Monitor

Author:

Axel Meerschaert

Description:

This utility uses the Windows debugging API to attach to running processes and monitor them for exceptions. You give EMon the name of an executable and it automatically attaches to the process as soon as it sees it start up. When an exception occurs, it prints a report containing the exception, a register dump, a stack dump and a disassembly listing. The report in the example output below is a first-chance notification: the fault is logged before the target's own exception handlers have run, so the registers and stack shown are those of the faulting instruction.

Screenshot:

EMon screenshot

Download:

EMon.zip

Files:

Example output:

13:15:54: Start of process: 1948 - heap.exe
13:15:54: Attaching to process id=1948 - heap.exe
13:15:57: ACCESS_VIOLATION at address 7C91142E
** The thread tried to read from or write to a virtual address
for which it does not have the appropriate access.
** Thread ID=000000FC
** Access violation reading address 61616161
** First chance
** Register Dump:
EAX=61616161
EBX=00350000 : 000000C8 00000131 EEFFEEFF 00001000
ECX=61616161
EDX=003506B0 : 61616161 61616161 00000061 00000000
EDI=00000005
ESI=003506A8 : 61616161 61616161 61616161 61616161
ESP=0012FC9C : 0012FF28 0012FED0 7FFDF000 000000FC
EBP=0012FEBC : 0012FF28 00401149 00350000 00000008
EIP=7C91142E : 783B398B 47850F04 3B00022F 3F850FFA
** Stack Dump:
0012FC9C: 0012FF28 : 0012FF80 0040106B 00320035 00340036
0012FCA0: 0012FED0 : 0012FF80 0012FF30 7FFDF000 CCCCCCCC
0012FCA4: 7FFDF000 : 00010000 FFFFFFFF 00400000 00241E90
0012FCA8: 000000FC
0012FCAC: 00013D4E
0012FCB0: 00000000
0012FCB4: FF435FE0
0012FCB8: 0002021D : 00000000 00000000 00000000 00000000
0012FCBC: 00000000
0012FCC0: 00000000
0012FCC4: 00320001 : 27000000 FF000001 03EEFFEE 01000010
0012FCC8: 00000003
0012FCCC: 00680010
0012FCD0: 00610065
0012FCD4: 002E0070 : 0202D0DF 0202D0E0 0202D0E1 0202D0E2
0012FCD8: 00780065
** Disassembly listing
7C91142E: 8B39 mov edi, [ecx]
7C911430: 3B7804 cmp edi, [eax+0x04]
7C911433: 0F85472F0200 jnz +0x00022F47
7C911439: 3BFA cmp edi, edx
7C91143B: 0F853F2F0200 jnz +0x00022F3F
7C911441: 8901 mov [ecx], eax
7C911443: 894804 mov [eax+0x04], ecx
7C911446: 8A4605 mov al, [esi+0x05]
7C911449: 8845E3 mov [ebp-0x1D], al
7C91144C: 0FB706 movzx eax, [esi]
** End of exception report
13:15:57: Process terminated with exit code 3221225477
13:15:57: End of Process: 1948 - heap.exe
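The loop that produces a report like the one above, written out as an added example rather than Scanit's EMon source: a Python/ctypes exception monitor for a 32-bit Windows target. Unlike EMon it takes the PID of an already running process instead of waiting for a named executable to start. The function names (`monitor`, `describe_exception`, `dump_registers`, `dump_stack`), the register and stack annotation logic, the constructed memory used when exercising it, and the assumption of a 32-bit Python interpreter are this example's own; the disassembly listing is left out because it needs a disassembler.

```python
"""EMon-style exception monitor on the Win32 debugging API via ctypes.
Added example, not Scanit's EMon source. Attaches to a running 32-bit process by
PID (EMon instead waits for a named executable to start), pumps the WaitForDebugEvent
/ContinueDebugEvent loop and, on EXCEPTION_DEBUG_EVENT, prints the exception plus
register and stack dumps in EMon's layout (each value followed by the four dwords it
points to, when readable). Assumes 32-bit Python on Windows; CONTEXT is the x86 layout.
"""
import ctypes, struct, sys

DWORD, PVOID = ctypes.c_uint32, ctypes.c_void_p
EXCEPTION_DEBUG_EVENT, EXIT_PROCESS_DEBUG_EVENT = 1, 5
DBG_CONTINUE, DBG_EXCEPTION_NOT_HANDLED = 0x00010002, 0x80010001
EXCEPTION_ACCESS_VIOLATION, EXCEPTION_BREAKPOINT = 0xC0000005, 0x80000003
CONTEXT_FULL, THREAD_GET_CONTEXT, PROCESS_VM_READ, INFINITE = 0x10007, 0x8, 0x10, 0xFFFFFFFF
EXCEPTION_NAMES = {0xC0000005: "ACCESS_VIOLATION", 0x80000003: "BREAKPOINT", 0x80000004: "SINGLE_STEP",
                   0xC000001D: "ILLEGAL_INSTRUCTION", 0xC00000FD: "STACK_OVERFLOW", 0xC0000094: "INT_DIVIDE_BY_ZERO"}


class EXCEPTION_RECORD(ctypes.Structure):
    _fields_ = [("ExceptionCode", DWORD), ("ExceptionFlags", DWORD), ("ExceptionRecord", PVOID),
                ("ExceptionAddress", PVOID), ("NumberParameters", DWORD), ("ExceptionInformation", ctypes.c_size_t * 15)]

class EXCEPTION_DEBUG_INFO(ctypes.Structure):
    _fields_ = [("ExceptionRecord", EXCEPTION_RECORD), ("dwFirstChance", DWORD)]

class DEBUG_EVENT_UNION(ctypes.Union):  # Exception is the largest member on x86; ExitCode overlays dwExitCode
    _fields_ = [("Exception", EXCEPTION_DEBUG_INFO), ("ExitCode", DWORD)]

class DEBUG_EVENT(ctypes.Structure):
    _fields_ = [("dwDebugEventCode", DWORD), ("dwProcessId", DWORD), ("dwThreadId", DWORD), ("u", DEBUG_EVENT_UNION)]

class CONTEXT(ctypes.Structure):  # x86 CONTEXT, 716 bytes: flags, debug regs, FP save area, segment/integer/control regs
    _fields_ = ([("ContextFlags", DWORD)] + [("Dr%d" % i, DWORD) for i in (0, 1, 2, 3, 6, 7)]
                + [("FloatSave", ctypes.c_byte * 112)]
                + [(r, DWORD) for r in ("SegGs", "SegFs", "SegEs", "SegDs", "Edi", "Esi", "Ebx", "Edx",
                                        "Ecx", "Eax", "Ebp", "Eip", "SegCs", "EFlags", "Esp", "SegSs")]
                + [("ExtendedRegisters", ctypes.c_byte * 512)])


def exception_name(code):  # NTSTATUS exception code (also the exit code of a process killed by one)
    code &= 0xFFFFFFFF
    return EXCEPTION_NAMES.get(code, "EXCEPTION_%08X" % code)

def describe_exception(code, address, info, first_chance):
    lines = ["%s at address %08X" % (exception_name(code), address)]
    if code == EXCEPTION_ACCESS_VIOLATION and len(info) >= 2:  # info = [0 read / 1 write / 8 execute, address]
        kind = {0: "reading", 1: "writing", 8: "executing"}.get(info[0], "accessing")
        lines.append("** Access violation %s address %08X" % (kind, info[1]))
    lines.append("** %s chance" % ("First" if first_chance else "Second"))
    return lines

def pointee(value, read_mem):  # " : d0 d1 d2 d3" for the four dwords at value, "" when unreadable
    data = read_mem(value, 16)
    return "" if data is None or len(data) != 16 else " : " + " ".join("%08X" % d for d in struct.unpack("<4I", data))

def dump_registers(regs, read_mem):  # regs: ordered (name, value) pairs
    return ["%s=%08X%s" % (name, val, pointee(val, read_mem)) for name, val in regs]

def dump_stack(esp, read_mem, count=16):
    """count dwords from ESP upward, stopping at the first unreadable slot."""
    out = []
    for addr in range(esp, esp + 4 * count, 4):
        raw = read_mem(addr, 4)
        if raw is None:
            break
        val = struct.unpack("<I", raw)[0]
        out.append("%08X: %08X%s" % (addr, val, pointee(val, read_mem)))
    return out


def monitor(pid):
    """Attach to pid and report every non-breakpoint exception until it exits (Windows only)."""
    k32 = ctypes.windll.kernel32
    if not k32.DebugActiveProcess(pid):
        raise ctypes.WinError()
    k32.DebugSetProcessKillOnExit(False)  # otherwise the target dies if the monitor exits first
    hproc = k32.OpenProcess(PROCESS_VM_READ, False, pid)

    def read_mem(addr, n):
        buf, got = ctypes.create_string_buffer(n), ctypes.c_size_t(0)
        ok = k32.ReadProcessMemory(hproc, PVOID(addr), buf, n, ctypes.byref(got))
        return buf.raw if ok and got.value == n else None

    ev, names, alive = DEBUG_EVENT(), ("Eax", "Ebx", "Ecx", "Edx", "Edi", "Esi", "Esp", "Ebp", "Eip"), True
    while alive and k32.WaitForDebugEvent(ctypes.byref(ev), DWORD(INFINITE)):
        status = DBG_CONTINUE
        if ev.dwDebugEventCode == EXCEPTION_DEBUG_EVENT:
            rec = ev.u.Exception.ExceptionRecord
            if rec.ExceptionCode != EXCEPTION_BREAKPOINT:  # attaching raises one breakpoint; skip it
                print(*describe_exception(rec.ExceptionCode, rec.ExceptionAddress or 0,
                                          list(rec.ExceptionInformation)[:rec.NumberParameters],
                                          bool(ev.u.Exception.dwFirstChance)), sep="\n")
                ht, ctx = k32.OpenThread(THREAD_GET_CONTEXT, False, ev.dwThreadId), CONTEXT(ContextFlags=CONTEXT_FULL)
                if ht and k32.GetThreadContext(ht, ctypes.byref(ctx)):
                    print("** Register Dump:", *dump_registers([(n.upper(), getattr(ctx, n)) for n in names], read_mem), sep="\n")
                    print("** Stack Dump:", *dump_stack(ctx.Esp, read_mem), sep="\n")
                status = DBG_EXCEPTION_NOT_HANDLED  # let the target's handlers run; unhandled -> second chance
        elif ev.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT:
            print("Process terminated with exit code %d (%s)" % (ev.u.ExitCode, exception_name(ev.u.ExitCode)))
            alive = False
        k32.ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, DWORD(status))


if __name__ == "__main__":
    monitor(int(sys.argv[1]))
```

Run it as `python emon_example.py <pid>` (the file name is an assumption) from a 32-bit interpreter against a 32-bit target. Two details matter in practice: the attach itself delivers an EXCEPTION_BREAKPOINT that has to be skipped, and each real exception is continued with DBG_EXCEPTION_NOT_HANDLED so the target's own handlers still get their turn; a fault nobody handles comes back once more as a second-chance event and then kills the process with that status as its exit code, which is why the sample output ends with 3221225477, i.e. 0xC0000005 (ACCESS_VIOLATION) in the same table the example uses.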

VulnTrace Example:

17:24:41: Start of process: 1252 - iexplore.exe
17:24:46: Attaching to process id=1252 - iexplore.exe
17:24:50: DLL injected: C:\EMon\VulnTrace.dll
17:24:54: [VulnTrace]: lstrcpynA(0x001cb218:[0], Software\Microsoft\windows\CurrentVersion\Internet Settings, 255)
17:24:54: [VulnTrace]: lstrcpynA(0x001cb218:[0], Software\Microsoft\windows\CurrentVersion\Internet Settings, 256)
17:24:54: [VulnTrace]: lstrcpynA(0x001cb218:[0], Software\Microsoft\Internet Explorer\Toolbar, 255)
17:24:54: [VulnTrace]: lstrcpynA(0x001cb218:[0], Software\Microsoft\Internet Explorer\Toolbar, 256)
17:24:54: [VulnTrace]: lstrcpynA(0x001cb218:[0], Software\Microsoft\Internet Explorer\Toolbar, 255)
17:24:54: [VulnTrace]: lstrcpynA(0x001cb218:[0], Software\Microsoft\Internet Explorer\Toolbar, 256)
17:24:54: [VulnTrace]: lstrcpynA(0x001cb218:[0], Software\Microsoft\Internet Explorer\Toolbar, 255)
17:24:54: [VulnTrace]: lstrcpynA(0x001cb218:[0], Software\Microsoft\Internet Explorer\Toolbar, 256)
17:24:54: [VulnTrace]: lstrcpynA(0x001cb218:[0], Software\Microsoft\Internet Explorer\Toolbar, 255)
17:24:54: [VulnTrace]: lstrcpynA(0x001cb218:[0], Software\Microsoft\Internet Explorer\Toolbar, 256)
17:24:57: [VulnTrace]: lstrcpynA(0x001cb218:[0], Software\Microsoft\Internet Explorer\Toolbar, 255)
17:24:57: [VulnTrace]: lstrcpynA(0x001cb218:[0], Software\Microsoft\Internet Explorer\Toolbar, 256)
17:24:58: [VulnTrace]: lstrcpynA(0x001cb218:[0], Software\Microsoft\Internet Explorer\Toolbar, 255)
17:24:58: [VulnTrace]: lstrcpynA(0x001cb218:[0], Software\Microsoft\Internet Explorer\Toolbar, 256)
17:24:59: Process released
17:25:00: End of Process: 1252 - iexplore.exe