
Thread: deciphering osinfo.dat for softice

  1. #1

    deciphering osinfo.dat for softice

    Does anyone know exactly how osinfo.dat and osinfob.dat work in softice?

    I had softice working well on a barebones XP SP2 setup but I am considering updating to SP3 for security reasons. I have recently discovered the vulnerabilities in my wireless router and need SP3 functionality for WPA2 encryption on the wireless signal.

    I tried a trial SP3 update, using system restore to remove SP3 later, and softice worked basically. With SP3, the mouse froze on exit from softice (alt-D). At the same time, I installed it on a VM with XP SP3, and it works, with no mouse freeze on ice exit, but I have apparent issues with osinfo.dat.

    Both in the non-VM and VM versions, softice complains about API Hook Failures for: MiCopyOnWrite and EHCI: RemoveQueueHeadFromPeriodicList, the latter being a USB function. I have noted that I am using a USB mouse and that the freeze comes on exit from ice in non-VM XP but not in VM-based XP with SP3. I suspect the USB hook failure may be related to that.

    According to Deroko (hi Deroko) the MiCopyOnWrite failure doesn't cause a problem and the other hook is USB related. I checked the USB function by loading osinfo.dat as a binary in IDA. It doesn't make a lot of sense to my inexperienced eye but I did notice some code accompanying certain functions that seems to be used as a signature. The code is preceded by a hex byte, which may be telling softice how many bytes to count in for the signature. That would make sense, possibly, if osinfo.dat is looking to compare file versions.

    Also, at the beginning of osinfo.dat, there are several empty fields that may be filled in at load time. I really need a way to watch osinfo in action. Any ideas? There are also references to SP0, SP1 and SP2.

  2. #2
    Kayaker
    Yeah, good luck with that

    I've been taking a look at it, and not for the first time. I think it would really require live tracing of the INIT of ntice.sys to fully understand how the osinfo files are parsed. There may be a way of doing that which I'll mention in a moment.

    The problem as a whole is that those files, and the code, are configured to only support XP sp0,sp1,sp2. It would be difficult to "patch in" support for sp3 even if you did figure out what all the fields are for. I believe some of them are OS specific ETHREAD and EPROCESS offsets as well.

    As well, osidata.sys and siksym.sys seem to contain hardcoded copies of the osinfo.dat files (not sure if they are exact copies, a bit of hex comparing would determine that).


    If you disasm DriverEntry of ntice.sys you'll see where the strings for the osinfo.dat files are pushed and a call is made which reads the files into memory (ExAllocatePool, ZwReadFile). There is also a call which uses the allocated memory block, along with the current Build, Version and Service Pack, to parse through some of the offsets. Here it gets really complicated with only a static analysis.


    If you want to try live tracing DriverEntry of ntice.sys and walk through the osinfo.dat handling procs, here is a possible way of doing it. I'd actually be interested to see if someone else is able to do this, unfortunately I kept getting Fatal System Error crashes, even though by all accounts I shouldn't have.

    What you can do is use WinDbg and VMWare to debug loading of ntice.sys, exactly the same as you would do with any driver for remote debugging. Here are the steps:

    Set up VMWare and WinDbg following the instructions at

    http://silverstr.ufies.org/lotr0/windbg-vmware.html
    http://www.catch22.net/tuts/vmware


    Now what you need to do is break on DriverEntry. I don't know if there is a specific, better way to do that with remote debugging, but what I do is to break on the call in IopLoadDriver which directly calls DriverEntry for any driver.

    We've talked about it several times before in various threads, many people are familiar with this, there is a characteristic call in IopLoadDriver
    call dword ptr [edi+2Ch]


    The easiest way to find it is to set a breakpoint at the end of DriverEntry in your own driver and trace back into ntoskrnl, or just figure out the address from a disassembly.


    Code:
    nt!IopLoadDriver
    PAGE:004CF9C9 FF B5 70 FF FF FF     push    [ebp+P]
    PAGE:004CF9CF 57                    push    edi
    PAGE:004CF9D0 FF 57 2C              call    dword ptr [edi+2Ch] ; DriverEntry


    Once you've started the /debug version of VMWare, you start up the remote connection of WinDbg. Once it's ready you can set a breakpoint on the call [edi+2Ch] to catch the loading of ANY driver with (address is 805a69d0 on my system)

    kd> bp 805a69d0

    Now in VMWare start Softice. Softice will show the DOS box and everything will freeze. Go back to Windbg, wait a few moments and the disassembly window should show:

    Code:
    kd> g
    Breakpoint 0 hit
    805a69d0 ff572c          call    dword ptr [edi+2Ch]

    Single step into this and you are in ntice.sys!


    Now in theory you should be able to step through everything. In practice I kept getting the Fatal System Error crashes. I could explain where and why and why there *shouldn't* have been a crash, but I won't bother boring you. I'd rather someone else try it and see the results.

    If the VMWare/WinDbg setup doesn't quite work with the quirky Softice, maybe a true remote debugging session with 2 computers might work better.


    Maybe you can solve your specific problems in a simpler way, but I agree it would be nice to have an XP sp3 or sp4 compatible Softice.

    Cheers,
    Kayaker
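An added example, not code from the thread or from Kayaker: a masked byte-signature scan in C that locates the `call dword ptr [edi+2Ch]` site from the IopLoadDriver listing above, with the 4-byte displacement of `push [ebp+P]` wildcarded because it changes between builds. The input images are constructed buffers; the function refuses an ambiguous signature, since a hook placed on a pattern that matches twice lands on the wrong code.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Byte pattern of the call site quoted from Kayaker's IopLoadDriver listing:
 *   FF B5 xx xx xx xx   push [ebp+P]       (displacement differs per build: wildcard)
 *   57                  push edi
 *   FF 57 2C            call dword ptr [edi+2Ch]   ; DriverEntry
 */
static const uint8_t kPat[]  = {0xFF, 0xB5, 0x00, 0x00, 0x00, 0x00, 0x57, 0xFF, 0x57, 0x2C};
static const uint8_t kMask[] = {1, 1, 0, 0, 0, 0, 1, 1, 1, 1}; /* 1 = byte must match */
#define PAT_LEN  10
#define CALL_OFS 7   /* offset of the call instruction inside the pattern */

/* Generic masked scan: counts every match of pat/mask in buf and reports the
 * offset of the first match through *first. */
size_t scan_sig(const uint8_t *buf, size_t len, const uint8_t *pat,
                const uint8_t *mask, size_t n, size_t *first)
{
    size_t hits = 0;
    for (size_t i = 0; n > 0 && i + n <= len; i++) {
        size_t k = 0;
        while (k < n && (!mask[k] || buf[i + k] == pat[k]))
            k++;
        if (k == n) {
            if (hits == 0) *first = i;
            hits++;
        }
    }
    return hits;
}

/* Returns the image offset of `call dword ptr [edi+2Ch]` when the signature
 * matches exactly once; -1 if absent, -2 if ambiguous. */
long find_driverentry_call(const uint8_t *img, size_t len)
{
    size_t first = 0;
    size_t hits = scan_sig(img, len, kPat, kMask, PAT_LEN, &first);
    if (hits == 0) return -1;
    if (hits > 1)  return -2;
    return (long)(first + CALL_OFS);
}

/* Constructed sample image: NOP filler with the call site at `at` and,
 * when at2 != 0, a second copy with a different displacement at `at2`. */
static void build_sample(uint8_t *buf, size_t len, size_t at, size_t at2)
{
    static const uint8_t site1[PAT_LEN] = {0xFF,0xB5,0x70,0xFF,0xFF,0xFF,0x57,0xFF,0x57,0x2C};
    static const uint8_t site2[PAT_LEN] = {0xFF,0xB5,0x6C,0xFF,0xFF,0xFF,0x57,0xFF,0x57,0x2C};
    memset(buf, 0x90, len);
    memcpy(buf + at, site1, PAT_LEN);
    if (at2) memcpy(buf + at2, site2, PAT_LEN);
}

/* Three scenarios: one site (offset 0x40 + 7 = 0x47), two sites, no site. */
long demo_unique(void)    { uint8_t b[256]; build_sample(b, sizeof b, 0x40, 0);    return find_driverentry_call(b, sizeof b); }
long demo_ambiguous(void) { uint8_t b[256]; build_sample(b, sizeof b, 0x40, 0xA0); return find_driverentry_call(b, sizeof b); }
long demo_absent(void)    { uint8_t b[256]; memset(b, 0x90, sizeof b);             return find_driverentry_call(b, sizeof b); }
```

The same scan works on a raw ntoskrnl image read from disk; the returned file offset still has to be translated to a virtual address through the PE section table before it can be used in `bp`.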

  3. #3
    smoke
    Quote Originally Posted by Kayaker View Post
    Maybe you can solve your specific problems in a simpler way, but I agree it would be nice to have an XP sp3 or sp4 compatible Softice.
    It does work actually. I have a pc with Windows XP SP3 and SoftICE couldn't work better there.

  4. #4
    Quote Originally Posted by WaxfordSqueers View Post
    Both in the non-VM and VM versions, softice complains about API Hook Failures for: MiCopyOnWrite and EHCI: RemoveQueueHeadFromPeriodicList, the latter being a USB function. I have noted that I am using a USB mouse and that the freeze comes on exit from ice in non-VM XP but not in VM-based XP with SP3. I suspect the USB hook failure may be related to that.
    You may solve this issue by using the PAE version of the kernel. It will solve problems with MiCopyOnWrite (I've confirmed this for both SP2/SP3 as I use both of them). I use a USB mouse on my laptop and it doesn't cause any problems. I'm really not sure what RemoveQueueHeadFromPeriodicList is used for, but as long as SoftICE works, I don't care.

    According to Deroko (hi Deroko) the MiCopyOnWrite failure doesn't cause a problem and the other hook is USB related.
    Hi

    Well, MiCopyOnWrite is related to the Windows memory manager and copy-on-write pages, a trick used by Windows to save memory when loading images unless a write occurs. For example, ntdll shares the same physical address in all processes, but when you write to it then MiCopyOnWrite will copy the physical pages to a different location so you may write there without touching the "real" ntdll. Try writing a byte to ntdll from your driver with CR0 WP off, and that change will be visible in all processes, but if you do the same thing from an r0 process, that write will only reflect in your process memory space thanks to MiCopyOnWrite, which is called in the 2nd example but not in the 1st, as you bypass OS write protection by disabling WP in CR0 and MiCopyOnWrite will never be called. I assume that SoftICE uses this so it can remove breakpoints when a break is set, but due to MiCopyOnWrite the page is moved to a different physical address.

    Let's take a simple example:
    bpx ntdll!NtCreateFile <---- sets break in all processes
    now you do some writing to ntdll near NtCreateFile, which makes NtCreateFile move to a different physical frame
    bd 0 <---- to delete it in the context of the process in which the write occurred

    Without MiCopyOnWrite, bd 0 (the NtCreateFile break) would be removed only from your process, but by knowing and keeping track of which physical frames are "the same", SoftICE can remove the breakpoint from the unchanged ntdll (global for all) and from your physical frame. I assume that's the reason why they have a hook in MiCopyOnWrite, as it's the most logical explanation, at least to me.
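A POSIX user-mode illustration of the copy-on-write behaviour deroko describes, added here and not part of the thread: two MAP_PRIVATE views of one constructed temp file stand in for two processes' views of ntdll, and a MAP_SHARED view stands in for a write that bypasses copy-on-write and lands on the shared physical page. The file, its path and the byte values are all constructed for the demo; it assumes Linux semantics for reads of a MAP_SHARED write.

```c
#define _DEFAULT_SOURCE
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define PAGE 4096

/* Fills out[0..4] with observed bytes and returns 0, or -1 on a syscall error.
 *   out[0] = private view A after A is written         (expect 0x90)
 *   out[1] = private view B after A is written         (expect 0xCC: A's write went
 *            to a private copy of the page; B still sees the shared original)
 *   out[2] = file byte after A is written              (expect 0xCC)
 *   out[3] = file byte after the MAP_SHARED view is written (expect 0xC3: a write
 *            that skips copy-on-write changes the backing page for everyone)
 *   out[4] = view A after the shared write             (expect 0x90: A keeps its
 *            already-copied page, exactly the "moved frame" SoftICE must track) */
int cow_demo(unsigned char out[5])
{
    char path[] = "/tmp/cow_demo_XXXXXX";   /* constructed temp file standing in for ntdll */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                            /* keep only the descriptor */

    unsigned char page[PAGE];
    memset(page, 0xCC, PAGE);                /* fill with int3, the breakpoint byte */
    if (write(fd, page, PAGE) != PAGE) { close(fd); return -1; }

    unsigned char *a = mmap(NULL, PAGE, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    unsigned char *b = mmap(NULL, PAGE, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    unsigned char *s = mmap(NULL, PAGE, PROT_READ | PROT_WRITE, MAP_SHARED,  fd, 0);
    if (a == MAP_FAILED || b == MAP_FAILED || s == MAP_FAILED) { close(fd); return -1; }

    a[0] = 0x90;                             /* "patch" through a private (COW) view */
    out[0] = a[0];
    out[1] = b[0];
    if (pread(fd, &out[2], 1, 0) != 1) { close(fd); return -1; }

    s[0] = 0xC3;                             /* write the shared page itself */
    msync(s, PAGE, MS_SYNC);
    if (pread(fd, &out[3], 1, 0) != 1) { close(fd); return -1; }
    out[4] = a[0];

    munmap(a, PAGE); munmap(b, PAGE); munmap(s, PAGE); close(fd);
    return 0;
}
```

Whether view B sees the shared write depends on the OS (it is unspecified for MAP_PRIVATE), so the demo deliberately does not report it.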

  5. #5
    Quote Originally Posted by Kayaker View Post
    Yeah, good luck with that
    Hey, Kayaker...how's it going. Ready for the coalition?

    Just a quick note to acknowledge receipt of your welcome and detailed report. I'll get on the VMWare - softice setup but it may take a few days. I'm still running a bare SP2 system on my non-VM side but I'd like to use WinDbg to d/l symbols for the VM, which is SP3. I want to compare the initial bytes in functions like MiCopyOnWrite between SP2 and SP3 to see if osinfo.dat is referencing those bytes.

    Although your method sounds more challenging and exciting, I'm wondering if patching osinfo on an as-needed basis might work too. Right now, softice INIT is only choking on two functions. I don't know if maybe there will be other difficulties along the way.

    As far as patching the whole file for SP3, do you think it might be feasible to patch the SP2 section as-needed? Say, for example, it is using bytes from the function header as a signature, could we just change the bytes? Or is it a lot more complex?

    I'm bothered by the fact they did not use a method in osinfo to find the location of the missing file in SP2. I know there's a lot of naivete in what I'm saying. When they give an error code, "API Hook Failure" it seems they are saying they can't find the file at the expected address.

    I came across this print out of someone's INIT on the net and here's part of it:

    SoftICE (R) - DriverStudio (tm) 4.3.0 (Build 1268)
    Windows NT Version 5.0 - Build 2195 SP 4

    NTICE: IoConnectInterrupt found at 804CF0E3
    NTICE: IoDisconnectInterrupt found at 804CF93B
    NTICE: MiMapViewOfImageSection found at 8044384E
    NTICE: MmUnmapViewOfSection found at 804A240A
    NTICE: MiAddValidPageToWorkingSet found at 80442C25
    NTICE: KeBugCheckEx found at 8042C762
    NTICE: MiCopyOnWrite found at 8044F26B
    NTICE: HalDisplayString found at 8006748C
    NTICE: RtlAssert found at 8045A91B
    NTICE: USBD_AllocateUsbAddress found at ED35331E
    NTICE: USBD_ParseConfigurationDescriptorEx found at ED353D6E
    NTICE: UHCD_RemoveQueueHeadFromSchedule found at ED33A02C
    NTICE: UHCD_InsertQueueHeadInSchedule found at ED339ED6
    NTICE: HalpBiosDisplayReset found at 800670C4
    NTICE: RtlAssert end found at 8045A9CF
    NTICE: NTTerminateProcess found at index 00E0.

    Note that NTICE INIT is looking for MiCopyOnWrite at 8044F26B

    As you say, they came along later with osinfo.dat and actually built it into the driver, but is it doing anything more than looking up pointers where the function 'should' be, then verifying it with a signature?

    I'd be interested in the source of the error message, "API HOOK FAILURE". I think it might lead back to the checking routine.

    I'll get back to you.

  6. #6
    Quote Originally Posted by smoke View Post
    It does work actually. I have a pc with Windows XP SP3 and SoftICE couldnt work better there.
    That's good news. Any chance you could give a little more detail? For example, what's the file size of your osinfo.dat and osinfob.dat? When softice first boots, and you ctrl-d into the softice window, type wc plus enter in the bottom window to get rid of the code window. Look at the INIT log and see if you have any errors indicated, such as an API Hook Failure. You may have to scroll up. Any errors should be highlighted.

  7. #7
    Quote Originally Posted by deroko View Post
    You may solve this issue by using PAE version of kernel. It will solve problems with MiCopyOnWrite (I've confirmed this for both sp2/sp3 as I use both of them). I use USB mouse on my laptop...
    Hey, Deroko...how's life? I tried the PAE directive in the VM, which uses XP with SP3. It doesn't get rid of the INIT errors but I haven't tried to use softice extensively in the VM. The USB mouse works fine both in and out of the softice window.

    As far as I understand, using PAE limits the amount of accessible memory in XP. I think the CopyOnWrite function accesses paging memory, doesn't it? Maybe it operates in a different manner with the PAE memory setup.

    Thanks for the CopyOnWrite tute. I looked up the EHCI function a phrase at a time and it led to this Intel spec for EHCI (Enhanced Host Controller Interface), which is a USB 2.0 spec to deal with USB 1.1 and on. The periodic table reference is one of two USB modes: periodic and asynchronous. Async is like RS-232, where the data is irregular. Periodic refers to Interrupts or what they call isochronous, which I think refers to synchronous. Anyway, there are also two other modes, at least, which are fast and slow devices. The periodic list just keeps track of the modes, whether interrupt driven or isochronous.

    The queue head holds a linked list of transfer descriptors. So I guess the EHCI - RemoveQueueHeadFromPeriodicList is a lot like a message fetch in windows messaging...or it clears the message queue...or whatever. Here's the link to the EHCI spec:

    http://www.intel.com/technology/usb/download/ehci-r10.pdf

    Here's a link that explains USB better:

    http://www.beyondlogic.org/usbnutshell/usb1.htm

  8. #8
    Quote Originally Posted by WaxfordSqueers View Post
    Hey, Deroko...how's life?
    Quite good

    As far as I understand, using PAE limits the amount of accessible memory in XP. I think the CopyOnWrite function accesses paging memory, doesn't it? Maybe it operates in a different manner with the PAE memory setup.
    Actually no, PAE enables the OS to use more than 4GB of RAM. Although you as a programmer can't go beyond the 4GB virtual address space, this allows the system to map memory with 36 bits, which allows a total of 128GB of RAM, while this is not possible without PAE as the physical page size is limited to 32 bits.

  9. #9
    smoke
    Quote Originally Posted by WaxfordSqueers View Post
    That's good news. Any chance you could give a little more detail?
    sure, here's the dump :
    Code:
    NTICE: Using I/O Apic at linear address BA6B5000
    NTICE: Hooking IOAPIC vector at 93
    NTICE: Hooking IOAPIC vector at A3
    NTICE: Pentium TSC calibration, processor set to 1994.0 MHZ
    SoftICE (R) - DriverStudio (tm) 3.2.1 (Build 2560)
    Windows NT Version 5.1 - Build 2600 (Free) SP 3
    smoke
    78858678632a
    Copyright (c) 2004 Compuware Corporation.  All rights reserved.
    NTICE: Inter-processor interrupts will use vector F9
    NTICE: PS/2 device input will use interrupts
    NTICE: PS/2 Mouse Detected
    NTICE: 524K allocated for global heap
    NTICE: 512K allocated for SYM memory
    NTICE: 512K allocated for HST memory
    NTICE: 32K allocated for HEAP memory
    NTICE: 6K allocated for NAME memory
    NTICE: 12K allocated for 32 breakpoints
    NTICE: Top of physical memory is 00000000_77FB0000
    NTICE: EXP=\SystemRoot\system32\kernel32.dll
    NTICE: EXP=\SystemRoot\system32\user32.dll
    NTICE: EXP=\SystemRoot\system32\gdi32.dll
    NTICE: EXP=\SystemRoot\system32\ntkrnlpa.exe
    NTICE: EXP=\SystemRoot\system32\hal.dll
    NTICE: EXP=C:\WINDOWS\SYSTEM32\NTOSKRNL.EXE
           Error: Exports already loaded for this module
    NTICE: EXP=C:\WINDOWS\SYSTEM32\HAL.DLL
           Error: Exports already loaded for this module
    NTICE: EXP=C:\WINDOWS\SYSTEM32\NTDLL.DLL
    NTICE: EXP=C:\WINDOWS\SYSTEM32\KERNEL32.DLL
           Error: Exports already loaded for this module
    NTICE: EXP=C:\WINDOWS\SYSTEM32\USER32.DLL
           Error: Exports already loaded for this module
    NTICE: EXP=C:\WINDOWS\SYSTEM32\DRIVERS\VIDEOPRT.SYS
    NTICE: 154K allocated for 32 bit exports
    NTICE: Loading symbol file win32k
    NTICE: Loaded symbols from
    C:\SYMSERVER\WIN32K.PDB\B8354F59A2A341179030B80ACC7969972\WIN32K.NMS
    NTICE: Loading symbol file videoprt
    NTICE: Loaded symbols from
    C:\SYMSERVER\VIDEOPRT.PDB\66CB8EA979A742EABCB14A11545D6EBE1\VIDEOPRT.NMS
    NTICE: Loading symbol file user32
    NTICE: Loaded symbols from
    C:\SYMSERVER\USER32.PDB\D18A41B74E7F458CAAAC1847E2D8BF022\USER32.NMS
    NTICE: Loading symbol file ntoskrnl
    NTICE: Loaded symbols from
    C:\SYMSERVER\NTKRPAMP.PDB\7D6290E03E32455BB0E035E38816124F1\NTKRPAMP.NMS
    NTICE: Loading symbol file ntdll
    NTICE: Loaded symbols from
    C:\SYMSERVER\NTDLL.PDB\1751003260CA42598C0FB326585000ED2\NTDLL.NMS
    NTICE: Loading symbol file kernel32
    NTICE: Loaded symbols from
    C:\SYMSERVER\KERNEL32.PDB\34560E80F5C54175B208848EF863C5BD2\KERNEL32.NMS
    NTICE: Loading symbol file halmacpi
    NTICE: Loaded symbols from
    C:\SYMSERVER\HALMACPI.PDB\9875FD697ECA4BBB8A475825F6BF885E1\HALMACPI.NMS
    Macro: Memory allocated for 32 Macro entries
    NTICE: *** API Hook Failure: EHCI_RemoveQueueHeadFromPeriodicList
    NTICE: RtlAssert end found at 80855E31
    NTICE: KDExtensions are enabled KDHeapSize=00001FA0 and KDStackSize=00008000
    NTICE: Patching Keyboard using method 0
    NTICE: Keyboard driver found - i8042prt.sys
    NTICE: Keyboard successfully patched using RPUC hook
    NTICE: Keyboard successfully patched lookup table using RPUC hook
    NTICE: Found OHCI Host Controller at Bus 00 Device 13 Function 00
    NTICE: Found OHCI Host Controller at Bus 00 Device 13 Function 01
    NTICE: Found OHCI Host Controller at Bus 00 Device 13 Function 02
    NTICE: Found OHCI Host Controller at Bus 00 Device 13 Function 03
    NTICE: Found OHCI Host Controller at Bus 00 Device 13 Function 04
    NTICE: Found EHCI Host Controller at Bus 00 Device 13 Function 05
    NTICE: Found 6 USB Host Controllers. USB HID support will be available.
    NTICE: 6K allocated for use by USB HID devices

    The only problem seems to be when it's trying to hook EHCI_RemoveQueueHeadFromPeriodicList

    And the sizes of osinfo and osinfob:
    Code:
    osinfo filesize:  474.346 bytes
    osinfob filesize: 356.884 bytes

  10. #10
    Quote Originally Posted by deroko View Post
    Actually no, PAE enables to OS to use more then 4GB of RAM....
    thanks for clarification. Any thoughts on USB? I note that smoke is using a PS/2 mouse yet he gets API Hook Failure on EHCI function as well. He hasn't complained about any mouse malfunctions in or out of ice. Also, I don't get that problem under SP3 in VM where mouse is emulated.

  11. #11
    Quote Originally Posted by smoke View Post
    sure, here's the dump :
    smoke...thanks for dump. The EHCI_RemoveQueueHeadFromPeriodicList is a strange one. You are using a PS/2 mouse and I'm using a USB mouse. Probably why mine freezes on exit from ice under SP3.

    Then again, I note you are using the latest osinfo.dat files. For whatever reason, I am not. I did at one time and think I rolled them back when I went back to a barebones SP2 setup. I'll have to try your version again with SP3.

  12. #12
    Did you apply the latest patches for softice? I'm using a USB mouse on my live system (hate using vmware) and it works without a problem, even if ApiHookFailure occurs on EHCI_xxx, and all symbols are up to date. Oh, and I'm using SP3 also...

  13. #13
    Quote Originally Posted by deroko View Post
    Did you apply the latest patches for softice? I'm using a USB mouse on my live system (hate using vmware) and it works without a problem, even if ApiHookFailure occurs on EHCI_xxx, and all symbols are up to date. Oh, and I'm using SP3 also...
    I'm looking at that right now. I had SP2 for a long time and I was updating it from Micro$oft. After one set of upgrades, softice stopped working, but I wasn't using it and did not know that. So, I don't know which upgrade caused the problem. I rolled back to plain SP2, with a repair install, and that fixed it.

    For some reason, I reinstalled older osinfo.dat files and did not upgrade them again. They worked great with a bare SP2 install, but with a full SP3 the mouse froze on exit from ice. When smoke posted his osinfo file size, I realized I was using an older version. I will reinstall SP3 and try it with the newer osinfo files. It does work in the VM with SP3 and the latest osinfo files.

    I'm interested in Kayaker's idea of tracing through NTICE while it loads, however, so I want to try that too.

  14. #14
    Oops, wrong calculation: 2^36 = 64 GB for PAE, not 128 GB. My bad.

  15. #15
    Quote Originally Posted by deroko View Post
    Oops, wrong calculation: 2^36 = 64 GB for PAE, not 128 GB. My bad.
    Either way, it will be a while before I turn PAE on again.
