Quote Originally Posted by blabberer:
"you either need a neat and clean vm or you have to muck with softice i3here off"
Came across a fresh XP vmx file I forgot I had. Loaded VirtualKD and things seem to have cleared up, even though it's loaded with SI.

I'm currently sitting with an XP desktop with a live mouse, and windbg seems to be talking to it. I don't have a clue how to proceed and I'm too tired to figure it out at the moment. The windbg window says nt!RtlpBreakWithStatusInstruction followed by 804e3592 cc int 3. That's because I issued a Ctrl-Break.

I tried tlist | grep explorer, as you suggested in a past thread, but it gets snarky right off, claiming '^ pass count must be preceeded by whitespace' error in 'tlist | grep explorer'.

I described my SI procedure to you. I use SPYXX to find an hwnd in explorer.exe that represents the window holding the notepad.exe reference in explorer. Then I 'bmsg hwnd 0x201' in SI, which sets a BP on the hwnd if its window is double-clicked, 0x201 being the wmsg for double-click.

SI breaks in explorer code, then returns to u32 code. From the explorer code I can BP on anything I want so long as I know the context and the function, provided the function is known to SI. A good bp is the ShellExecuteEx function described in that link I posted. It has a structure that describes what is being done to the file being loaded.

What I can't figure out at this time is how to begin.

I am proposing a means of attack but you were suggesting going straight to fopen(). I think that's a waste of time but I'm willing to try it. I think you'll find the file is already open.

By definition fopen() "Opens the file whose name is specified in the parameter filename and associates it with a stream that can be identified in future operations by the FILE pointer returned". CreateFile() does the same thing. The trick is to find the stream, and that search seems to take place long before CreateFile or fopen comes into play.

What did you have in mind? You're going to be way ahead of me till I get up to speed but I'd like to try getting the hang of your modus operandi as it applies to windbg.
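For anyone following the thread and trying to map the SoftICE workflow above onto a VirtualKD/windbg kernel session, here is a command sequence I put together as an added example (it is not from either poster). It assumes an x86 XP target, that explorer.exe is running, that public symbols for nt/user32/shell32 load, and that `<wndproc>` is the window-procedure address Spy++ shows for the hwnd found with SPYXX; windbg has no `bmsg`, so the message filter is emulated with a conditional breakpoint on that window procedure (stdcall on x86, so at entry esp+8 holds the message number). Note that 0x201 is WM_LBUTTONDOWN and 0x203 is WM_LBUTTONDBLCLK; the block uses 0x203 for a true double-click and a comment marks the alternative.

```windbg
!process 0 0 explorer.exe                     $$ find the EPROCESS of explorer.exe (tlist is not a kd command)
.process /i <eprocess-address>                $$ switch to explorer's context as the current process (address from the line above)
g                                             $$ let the target run until the context switch completes
.reload /user                                 $$ load user-mode module symbols (user32, shell32) for this process
bp <wndproc> ".if (poi(esp+8) == 0x203) {} .else {gc}"   $$ break only on WM_LBUTTONDBLCLK; use 0x201 for WM_LBUTTONDOWN
bp shell32!ShellExecuteExW "dd poi(esp+4) L8; .echo SHELLEXECUTEINFO at poi(esp+4)"   $$ dump the struct pointer arg on entry
g                                             $$ resume; double-click the notepad.exe entry in the explorer window
k                                             $$ when it breaks, show the call stack (explorer -> user32 -> shell32)
```

The `dd poi(esp+4) L8` on ShellExecuteExW prints the first 32 bytes of the SHELLEXECUTEINFOW the caller passed (cbSize, fMask, hwnd, lpVerb, lpFile, ...); the lpFile pointer in that dump is what to follow with `du` to confirm which file is being launched before CreateFile is ever reached.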