ExecView - Executable Image Viewer
Author
Jesse Pool <pool[at]eecg[dot]toronto[dot]edu>
What is ExecView?
ExecView is an application that monitors the Windows operating system for executable images loaded into virtual memory. Every time a new image is loaded, it's logged to file and printed to the screen.
How does it work?
When ExecView starts, it loads a device driver into the Windows kernel called EXECNOTIF.sys. This driver registers a notification routine with Windows, which is called each time an executable image is loaded (via PsSetLoadImageNotifyRoutine). This information is stored in an internal linked list. ExecView then polls the driver every 10 seconds to pick up information collected. Each record is printed to the screen as well as to a file called image_nfo.txt in the same directory as ExecView.exe.
How do I start it?
Simple! Open a command prompt and navigate to the directory where you've saved ExecView and EXECNOTIF.sys and run ExecView.exe. There are no command line arguments.
Ah! How do I stop it?
Stop ExecView by hitting ^C. This'll unload the driver and clean up its resources. It's important to shut down cleanly, or the EXECNOTIF.sys driver will continue consuming kernel memory (although it'd take a while to exhaust). If you don't exit cleanly, just run ExecView again and it'll clean things up if the driver is loaded.
The Output File
ExecView will generate a log file that can be parsed at a later time. The file is created in the same directory as the ExecView executable and is named image_nfo.txt. The format of the output file is as follows:
IMAGE|<process id>|<image name>|<loaded addr>|<size>
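An added example (not part of ExecView) that parses image_nfo.txt records in the format above, groups them per process id, and lists images loaded from outside a set of trusted directories. The sample records, the trusted-prefix list, and the acceptance of both decimal and hex for the address and size fields are assumptions, since the page does not specify those number formats.

```python
from collections import defaultdict
from dataclasses import dataclass
# Constructed sample records in the documented format. The page does not say
# whether <loaded addr> and <size> are decimal or hex, so both forms appear here.
SAMPLE_LOG = r"""IMAGE|1234|\WINDOWS\system32\ntdll.dll|0x7C900000|0xB2000
IMAGE|1234|\WINDOWS\system32\kernel32.dll|0x7C800000|0xF6000
IMAGE|1234|\DOCUME~1\user\LOCALS~1\Temp\updater.dll|0x10000000|0x8000
not a record
IMAGE|5678|\WINDOWS\system32\user32.dll|77D40000|91000
"""

@dataclass(frozen=True)
class ImageLoad:
    pid: int
    name: str
    base: int    # load address
    size: int    # image size in bytes

def _to_int(field):
    # Decimal or 0x-prefixed hex first, then bare hex (assumed: format unspecified).
    try:
        return int(field, 0)
    except ValueError:
        return int(field, 16)

def parse_record(line):
    """Parse one IMAGE|pid|name|addr|size line; None for anything malformed."""
    parts = line.strip().split("|")
    if len(parts) != 5 or parts[0] != "IMAGE":
        return None
    try:
        return ImageLoad(int(parts[1]), parts[2], _to_int(parts[3]), _to_int(parts[4]))
    except ValueError:
        return None

def parse_log(text):
    """Keep only well-formed records, so a torn or partial line does not abort parsing."""
    return [r for r in map(parse_record, text.splitlines()) if r is not None]

def images_by_pid(records):
    """Group loads per process id, the usual first view when reading the log."""
    grouped = defaultdict(list)
    for r in records:
        grouped[r.pid].append(r)
    return dict(grouped)

def loaded_outside(records, trusted_prefixes):
    """Records whose image path is not under any trusted directory (case-insensitive)."""
    prefixes = tuple(p.lower() for p in trusted_prefixes)
    return [r for r in records if not r.name.lower().startswith(prefixes)]
```

Note that a bare digit string such as 91000 is taken as decimal; if your build of ExecView writes bare hex, adjust _to_int accordingly.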
Download
You'll find everything you need in this zip file. This includes binary images of the ExecView.exe application and the EXECNOTIF.sys driver (the driver was built for Windows XP). Most importantly, you'll find source code for both components.
Future Work
ExecView is far from a complete product. I had some grand plans for command line options, kernel events, etc. The problem is I just don't have the time! The tool served well enough for my purpose, so I hope others can build off it to their needs. Also, the name "ExecView" is already used by a fairly popular product. If I have time I'd like to change the executable name to something like xile.exe, or ispy.exe... you know, something cool. :)
Warning
ExecView is not guaranteed in any way. This software may break stuff: use at your own risk!