Thread: Is baseprocessstart still a good bpx?

#1

    Hope I'm not asking a dumb question. I haven't used softice for a while and I just fired it up, set 'bpx baseprocessstart' to catch an app starting up, and I got an error that the function wasn't recognized.

    Part of the problem was that my nms files were out of date after installing SP3, so I updated them. Then I set 'table kernel32' and verified the k32 was in focus. But when I do the bpx baseprocessstart, it still can't find the func.

I recall this happening before when the system isn't fully initialized, i.e. maybe k32 hasn't been called yet. I just want to verify that baseprocessstart is still used in SP3.

#2 (Kayaker)
    Yup, but it's

    _BaseProcessStart
    _BaseProcessStartThunk

    The way to check is, like you did:
    TABLE KERNEL32

    Then do a wildcard search for the symbol you're looking for, like:
    SYM *BaseProcess*
    since some syms have an underscore or two, or silly @ or ? characters as prefixes.

#3
    Quote Originally Posted by Kayaker
    Yup, but it's

    _BaseProcessStart
    _BaseProcessStartThunk

    Then do a wildcard search for the symbol you're looking for, like:
    SYM *BaseProcess*
    Thanks for quick response, Kayaker. I could swear there was no leading underscore considering the many times I've used it. However, the underscore made no difference.

    I tried SYM *base* and exp *base* but no list is given at all, just a couple of headers and no list. I tried EXP by itself and I get them all listed but there is no baseprocessstart with or without an underscore. The entire EXP list goes through K32, U32, G32, ntoskrnl and hal. K32 version is 5.1.2600.5512.

    Can you think of a function nearby that might work? I tried createprocessA with no luck, then again, I'm activating a 'cpl' file from control panel.

#4 (Kayaker)
    Sounds like you've got sym/nms problems. If you remember you need to d/l the symbols and convert them to NMS with Symbol Retriever (to say C:/nmsout). And you MUST use updated versions of symsrv.dll and dbghelp.dll (get them from WinDbg and replace the old Softice ones in the SymRtrvr.exe directory).

    Also make sure the appropriate NMS files are loaded (through the Sice Loader or right click on the nms file and default 'Load into Softice'). The rest should work if all is OK.


    Alternate Method 1: Disasm kernel32 in IDA and use the absolute address of BaseProcessStart.


    Method 2: Load any exe into Olly and check the stack window where you'll find the global calling address within BaseProcessStart


    Method 3: BPX NtSetInformationThread if *(esp+8)==9

    NtSetInformationThread is called from BaseProcessStart, 9 is the Class ThreadQuerySetWin32StartAddress. F12 twice, F8 once and you should be back in BaseProcessStart ready to execute the PE (see address in Method 2)


    Method 4: BPX _KiFastSystemCall if eax==E5

    Destination of Method 3, E5 = service index NtSetInformationThread.


    Method 5: Take up knitting as a hobby instead


    It looks like a CPL will call rundll32 as EP, I've no idea where it goes from there.

#5
    Quote Originally Posted by Kayaker
    Sounds like you've got sym/nms problems.
I have to go out but I'll make a quick reply. Something hairy is happening. Symservers d/l'd a pdb file for ntoskrnl and converted it to a valid nms with all the function names legible. It d/l's a pdb for k32 with all the files legible in a text editor. However, the nms it makes for k32 has no names in it and is only 40,000 bytes. The ntoskrnl nms is 837,460.

    I've tried it several times and get a bad nms for k32. I'll have to convert it directly once I recall how to do it.

    Quote Originally Posted by Kayaker
    And you MUST use updated versions of symsrv.dll and dbghelp.dll (get them from WinDbg and replace the old Softice ones in the SymRtrvr.exe directory).Also make sure the appropriate NMS files are loaded (through the Sice Loader or right click on the nms file and default 'Load into Softice').
    I knew about the symsrv.dll trick but not the dbghelp.dll. Thanks

    Quote Originally Posted by Kayaker
    Alternate Method 1: Disasm kernel32 in IDA and use the absolute address of BaseProcessStart.
    Did that, found baseprocessstart at 7C817044. Thanks


    Quote Originally Posted by Kayaker
    Method 2: Load any exe into Olly and check the stack window where you'll find the global calling address within BaseProcessStart
    What's Olly? Just kidding, blabberer.

    Quote Originally Posted by Kayaker
    Method 3: BPX NtSetInformationThread if *(esp+8)==9 NtSetInformationThread is called from BaseProcessStart, 9 is the Class ThreadQuerySetWin32StartAddress. F12 twice, F8 once and you should be back in BaseProcessStart ready to execute the PE (see address in Method 2)
    Found that one last night. It leads directly to rundll32, which leads into shell32 where most of the work seems to be done in loading the cpl file. thanks.


    Quote Originally Posted by Kayaker
    Method 4: BPX _KiFastSystemCall if eax==E5
Good one...oh great one of the reversing clan. Remember Burns...oh Chieftain o' the puddin' race? Ode to a Haggis:

    Fair fa' your honest, sonsie face,
    Great Chieftain o' the Puddin-race!
    Aboon them a' ye tak your place,
    Painch, tripe, or thairm:
    Weel are ye wordy of a grace
    As lang's my arm.

    Quote Originally Posted by Kayaker
    Method 5: Take up knitting as a hobby instead
    My dear old Scottish granny tried to teach me knitting once but I was too interested in soccer balls, which she called 'a great bag of wind'.

#6 (blabberer)
    from cpl it goes to rundll like this

    Code:
    00092368  "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\shell32.d
    000923A8  ll,Control_RunDLL "C:\WINDOWS\system32\main.cpl",Keyboard.......
    or alternatively you can use ollydbg with

    control.exe

    ollydbg c:\windows\system32\control.exe

    and put in main.cpl,"yourcpl" and start debugging from BaseProcessStart

#7
    Quote Originally Posted by blabberer
    from cpl it goes to rundll like this
Thanks blabberer. I have major problems right now. Even nmsym won't translate k32 or ntoskrnl pdb's to nms successfully.

    If I look at a properly formed nms file in a text editor, I can see all the function names, and the file is quite large...> 800k for ntoskrnl. Using sym retriever or nmsym, the nms files for k32 and ntoskrnl are around 40k and none have names. However, sym retriever made an ntoskrnl last night that was the right size with all the names. I just noticed it butchered u32 as well.

#8

#9
    Quote Originally Posted by evaluator
    thanks, evaluator. I did look but obviously not well enough. Notice you had to answer your own post.

    That could be the problem but I am translating from a PDB file and it works sometimes in the sym retriever. I'm going to update/reload Debugging Tools for Windoze and see if that helps.

    It sucks when you have to fix the tools before you do any reversing.

#10
    Quote Originally Posted by WaxfordSqueers
    It sucks when you have to fix the tools before you do any reversing.
    Making headway. Made an nms for k32 in IDA and it works in softice. Ice complains that the nms file has no datestamp, but what the heck. Now I know where Kayaker got the underscore in front of _baseprocessstart. That's an IDA quirk.

Reloaded Debugging Tools For Windows but symserver still won't make good nms files even with the latest files from there.

For anyone interested, a cpl (control panel) file starts in rundll32, which calls shell32. Rundll32 is called from baseprocessstart, in the call right after NtSetInformationThread, as Kayaker indicated. rundll32 sets up a window but doesn't show it. Shell32 calls shlwapi (shell lightweight utilities) and comctl32, but I haven't traced the full route yet so you'll have to tune in for the next episode.

    For anyone who hasn't the slightest idea what I'm talking about, using a bpx on baseprocessstart gets around using loader32 to load an app. If you set bpx baseprocessstart or bpx _baseprocessstart@4, using an IDA nms file, then start your app, it will break a few code steps away from the call to the app.

    This is also for anyone who thinks softice wont work on XP with SP3. Working fine so far. Thanks Kayaker and deroko.

#11 (Kayaker)
    You're probably aware of this, but to skip past the rundll32 route you could always put a CC at the EP of the CPL and enable BPINT3 in Softice. Then open the cpl with Control Panel, it should break, change the original byte back with EB EIP 8B (or whatever the first byte is).

    LordPE will do the same thing with Break 'n Enter if you change the cpl extension to *.dll. However it won't show the window, but might be good enough for tracing purposes.


    As for the underscore in _BaseProcessStart, just to clarify, that was the default syntax for the Softice nms conversion, nothing to do with IDA.


For the record, I haven't found any apparent problems yet with a currently updated XP SP3 either, except for the following hooks:

    NTICE: *** API Hook Failure: MiAddValidPageToWorkingSet
    NTICE: *** API Hook Failure: EHCI_RemoveQueueHeadFromPeriodicList

    which are also discussed in the thread

    deciphering osinfo.dat for softice
    http://www.woodmann.com/forum/showthread.php?t=12234
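The "CC at the EP of the CPL" trick in the post above (and Method 1 of post #4, breaking on an absolute address instead of a symbol) needs two things the poster does by hand: the file offset of AddressOfEntryPoint so the INT 3 can be planted on disk, and the original byte so it can be restored with EB EIP once SoftICE stops. The script below is an added example, not code from the thread or from any SoftICE tool: it walks the DOS/COFF/optional/section headers of a PE, maps the entry-point RVA to a file offset, patches it to 0xCC, and reports the original byte and the entry VA (ImageBase + RVA). The tiny in-memory PE it builds is a constructed stand-in for a CPL/DLL, not a real control panel applet, and the Win32 hotpatch prologue 8B FF 55 8B EC it uses as entry bytes is an assumption chosen to match the post's "EB EIP 8B".

```python
import struct


def build_sample_pe(entry_rva=0x1000, entry_bytes=b"\x8b\xff\x55\x8b\xec"):
    """Constructed test input: a minimal 32-bit PE with one .text section.
    Hypothetical stand-in for a .cpl, not a real control panel applet."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE header
    # COFF header: i386, 1 section, 224-byte PE32 optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x10000000)        # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)            # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)             # FileAlignment
    struct.pack_into("<I", opt, 56, 0x2000)            # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)             # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    # .text: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., flags
    text_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                           0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text_hdr).ljust(0x200, b"\0")
    text = entry_bytes.ljust(0x200, b"\x90")           # pad with NOPs
    return bytearray(headers + text)


def entry_point(image):
    """Return (image_base, entry_rva, file_offset) for AddressOfEntryPoint.
    Raises ValueError when the EP is absent or not backed by raw file data."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:                                 # PE32
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == 0x20B:                               # PE32+
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    if entry_rva == 0:
        raise ValueError("image has no entry point (DLL without DllMain?)")
    sections = opt + opt_size
    for i in range(num_sections):
        hdr = sections + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, hdr + 8)
        if va <= entry_rva < va + max(vsize, raw_size):
            delta = entry_rva - va
            if delta >= raw_size:                      # virtual-only (zero-filled) tail
                raise ValueError("entry point is not backed by raw data in the file")
            return image_base, entry_rva, raw_ptr + delta
    raise ValueError("entry point RVA not covered by any section")


def plant_int3(image):
    """Overwrite the first EP byte with 0xCC in the file image (so BPINT3 fires when
    the loader maps the CPL) and return what is needed to undo it afterwards."""
    base, rva, off = entry_point(image)
    original = image[off]
    image[off] = 0xCC
    return {"entry_va": base + rva, "file_offset": off, "original_byte": original}


def softice_restore_command(original_byte):
    """SoftICE command that puts the original byte back after the break, in the
    form the post uses ('EB EIP 8B'); it assumes EIP sits on the patched byte."""
    return "EB EIP %02X" % original_byte


if __name__ == "__main__":
    img = build_sample_pe()
    info = plant_int3(img)
    print("EP VA 0x%08X, file offset 0x%X, original byte %02X"
          % (info["entry_va"], info["file_offset"], info["original_byte"]))
    print(softice_restore_command(info["original_byte"]))
```

Two practical caveats the script makes visible: the patch is on disk, so restore the original byte in the file as well as in memory once you are done, and a DLL whose AddressOfEntryPoint is zero (no DllMain) or whose EP lands in virtual-only section space has nothing to patch, which the ValueError paths report instead of silently writing 0xCC somewhere else.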

#12
    Quote Originally Posted by Kayaker
    You're probably aware of this....
    I wouldn't count on me being too aware of anything.

    I managed to trace my way through rundll to the cpl app the hard way, but your way sounds a lot easier. Got hung up in u32, however, because it calls DialogBoxParamA. I tried jumping over it, hoping to see a blank window form, but the entire window comes up filled in.

    I'm trying to find out where it gets the information for the window. For example, it refers to pio4 mode and I'd like to know where that comes from. Also, there is a tab for flashing the Silicon Image controller BIOS and it says the chip type is unknown.

    That could come about if the cpl windows is aimed at an add-on card and not an onboard controller. However, both are on the PCI bus and should be recognized.

    rundll calls 'control' in shell32 using the command line "rundll.exe" shell32.dll , Control_Rundll <path> <app.cpl>. Along the way shlwapi.dll is called as well as ole32 and comctl32. I don't see anything in there that interrogates the system parameters to get the info for the cpl window. I'm thinking it must come from a call from u32 back into the cpl app.

    Quote Originally Posted by Kayaker
    As for the underscore in _BaseProcessStart, just to clarify, that was the default syntax for the Softice nms conversion, nothing to do with IDA.
    I found that out. I got the nmsym going to a degree using your bat file. It gave me k32 and u32 but messed up 4 other pdb to nms conversions. Don't know what's going on.

    As far as underscore is concerned, I'm confused. I don't ever recall using an underscore. Then again, read line one above.
    Quote Originally Posted by Kayaker
    For the record, I haven't found any apparent problems yet with a currently updated XP3 either, except for the following hooks.....which are also discussed in the thread: deciphering osinfo.dat for softice.
Yeah, that's my thread and that's why I thanked you and deroko for the help. He pointed out that ice works with SP3 and that I could ignore MiCopyOnWrite and the other USB doohickey.
