
Thread: on mp systems running sice

  1. #1 on mp systems running sice

    SoftICE uses drX to perform step over. One interesting question is how does it do that on an MP system? It could happen that a thread is running on one CPU, but the code executed in a certain procedure could switch to a different CPU, and still SoftICE manages to step over correctly. How is that possible? Using IPI, of course.

    The best example is this code if stepped over in SoftICE:

            KeSetAffinityThread(cur_thread, 1<<0);
            KeSetAffinityThread(cur_thread, 1<<1);
    both calls will be stepped over correctly, and that's because SoftICE sends an IPI with Shorthand = All excluding self set in the ICR to set drXes on both CPUs.

    I also wrote earlier that SoftICE changes the NMI handler from TaskGate to IdtGate on a single-CPU machine, but when I viewed the IDT on an MP system from SoftICE, it used a TaskGate to hook NMI. So there are certain rules which have to be followed when drX access occurs from NMI and a TaskGate.

    The handler must NOT iret if access to drX occurs from NMI, because iret will unblock NMI. The handler also must not use DbgPrint, or anything else that can trigger iret when executing from NMI...

    Also, if we are in NMI, SoftICE won't clear the NT flag in eflags, so any iret will lead to the previous task. We can avoid this problem by clearing the NT flag, but again, we unblock NMI using iret, so this is a sidenote, not a real problem.

    This problem with iret is solved easily, by changing the way we return from int1 when it's caused from NMI:

    __s0:           str     ax              ;get task register
                    cmp     ax, 58h         ;check if it is NMI (TR holds the NMI task's TSS selector)
                    je      __nmi
                    pop     es              ;not NMI so exit normally
                    pop     ds
                    pop     fs
                    iretd                   ;normal int1 return (assumed; without it execution would fall into __nmi)
    __nmi:          mov     eax, [esp.regEflags]
                    push    eax
                    popfd                   ;NMI!! - restore eflags (popfd assumed; push alone would leave the stack unbalanced)
                    pop     es              ;r0 epilog
                    pop     ds
                    pop     fs
                    retn    8               ;ret to interrupted code and
                                            ;clear cs/eflags stored on
    Bingo... dr7.GD is now working on an MP system running sice
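    As an added illustration (not deroko's code, and not taken from SoftICE) of the TaskGate-versus-IdtGate distinction and the NT-flag rule in the post: a small C decoder for 32-bit IDT gate descriptors, run over two constructed entries. The 0x58 TSS selector for the NMI task comes from the post's `cmp ax, 58h`; the handler offset and code selector in the int1 entry are made-up sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Raw 8-byte 32-bit IDT gate descriptor, as laid out in the table the IDTR points at. */
typedef struct {
    uint16_t offset_lo;   /* bits 0..15 of handler offset (unused by task gates) */
    uint16_t selector;    /* code-segment selector, or TSS selector for a task gate */
    uint8_t  reserved;
    uint8_t  type_attr;   /* P | DPL(2) | 0 | type(4) */
    uint16_t offset_hi;   /* bits 16..31 of handler offset */
} idt_gate32;

enum { GATE_TASK = 0x5, GATE_INT32 = 0xE, GATE_TRAP32 = 0xF };
#define EFLAGS_NT (1u << 14)   /* Nested Task: IRET returns to the previous task */

/* Constructed sample entries (not dumped from a real machine). */
/* Vector 2 (NMI) hooked through a task gate whose TSS selector is 0x58, as in the post. */
static const uint8_t nmi_task_gate[8] = {0x00, 0x00, 0x58, 0x00, 0x00, 0x85, 0x00, 0x00};
/* Vector 1 (#DB) as a present, DPL0 32-bit interrupt gate to 0x80401234 in selector 0x08. */
static const uint8_t db_int_gate[8]   = {0x34, 0x12, 0x08, 0x00, 0x00, 0x8E, 0x40, 0x80};

static idt_gate32 decode(const uint8_t raw[8]) {
    idt_gate32 g;
    memcpy(&g, raw, sizeof g);   /* little-endian host assumed, as on x86 */
    return g;
}

int gate_type(const uint8_t raw[8])          { return decode(raw).type_attr & 0x0F; }
int gate_present(const uint8_t raw[8])       { return (decode(raw).type_attr >> 7) & 1; }
unsigned gate_selector(const uint8_t raw[8]) { return decode(raw).selector; }
uint32_t gate_offset(const uint8_t raw[8]) {
    idt_gate32 g = decode(raw);
    return ((uint32_t)g.offset_hi << 16) | g.offset_lo;
}

/* True when an IRET from the current handler would resume the previous task instead of
 * the interrupted code: the vector is a task gate and EFLAGS.NT is set. This is the
 * situation the post's retn-8 epilog sidesteps. */
int iret_resumes_previous_task(const uint8_t raw[8], uint32_t eflags) {
    return gate_type(raw) == GATE_TASK && (eflags & EFLAGS_NT) != 0;
}

int main(void) {
    const uint8_t *v[2] = {db_int_gate, nmi_task_gate};
    const char *name[2] = {"int1 (#DB)", "int2 (NMI)"};
    for (int i = 0; i < 2; i++)
        printf("%s: type=0x%X present=%d selector=0x%02X offset=0x%08X\n", name[i],
               gate_type(v[i]), gate_present(v[i]), gate_selector(v[i]), (unsigned)gate_offset(v[i]));
    return 0;
}
```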

  2. #2
    I've uploaded source code at, if anyone is interested

  3. #3
    Excellent information in perfect bite size as usual.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  4. #4
    And as always, thanks for sharing with our readers.


  5. #5
    nice post as always deroko :P

  6. #6
    I've got a report that the code freezes sice on an AMD dual core, not sure why as I don't have one available for testing.
    I've tested the code on an Intel Core 2 Duo and an AMD Athlon with sice and it worked without a problem.
