
Thread: soft ice in a VM and Windbg growing pains

  1. #16
    Quote Originally Posted by blabberer View Post
    I run a bat file all the time and face no problems whatsoever; in fact I run several versions of cdb.exe as and when I need them, and use a bat file for accessing the cdb.exe that's spread all over my disk partitions.
    First of all, thanks for your help. You are going above and beyond with your detailed analysis. I hate to be such a bother. Kayaker is good that way too. Much appreciated.

    Offhand, I would say the mistake I am making is not feeding cdb a command line. Then again, with a straight cmd.lnk, I'd have to change the command line each time I used the lnk. I'll need to examine your bat file more closely.

    Meantime...ahooooga, ahooooga....I got it going. It was an SxS thingy. Visual C++ (2005) apparently doesn't use SxS and the required dlls cannot be found by cdb. I upgraded to the 4 meg version of the Visual C++ redistributable package and that seemed to solve the problem. Also, I reinstalled dotnet framework files up to dotnet 3.5.

    I managed to use the !hwnd command in sdbgext but it's not formatted like SPYXX and one has to be careful. Both SPYXX and !hwnd agree on the handles, so now I have to work on finding why softice is not recognizing the handle from SPYXX. I have to follow up on a suggestion from Kayaker as well, to see if it's happening only with the one app.

    Quote Originally Posted by blabberer View Post
    ntsd is similar to cdb but runs in its own console and can run without a console too (useful for remote debugging over a network).
    I thought you said you could not copy and paste from ntsd. I was able to copy and paste, but the process is slightly different in the ntsd window. With the normal cmd window used by cdb, you highlight the text to be copied by right-clicking and selecting 'mark', I think it is, then drag the mouse over the text, go to the drop-down menu at the top left side of the screen and select edit>copy. I have downloaded a reg mod for the cmd window by which I can just drag the mouse over text in a cmd window to mark it, then I go to the drop-down box at the top LH side of the window, where I select edit>copy.

    With ntsd, the mark feature is in the drop down box, so you have to repeat the process to 'mark' then 'copy'.

    Quote Originally Posted by blabberer View Post
    The error no. 14001 is described as some side-by-side error... seems to be a VC runtime redist package issue; check what runtime is required and install it.
    I did that earlier today. I had not noticed that there are two redistributable packages for 2008: one is ver 9.0.21022.8 and has a size of 1.73 MB, the other is 9.0.30729.17 and has a size of 4.02 MB. I used the larger one.

    One other thing. I upgraded the Windows Installer (I think it was to version 3) and checked to make sure Internet Explorer was at least version 6 with SP1. Mine was SP3. Both are requirements on the sdbgext site, along with the Visual C++ redistributable package (4 MB version, 2008).

    .NET Framework may have been an issue; mine seemed to be wonky. The upgrade to dotnet 3.5 is a major upgrade that addresses all previous versions and upgrades them. It's a large package, several hundred megs.
    Last edited by WaxfordSqueers; August 16th, 2013 at 06:48.

  2. #17
    Much appreciated.
    thanks and welcome

    I don't remember saying you can't copy from ntsd (you can copy from cdb, ntsd, windbg, i386kd, kd, ntkd).
    In fact windbg can store a lot more data to copy than the plain consoles of other debuggers.

    If I am working in a console it is easy to use cdb (don't have to juggle windows, just type on the prompt and be done with it), that is all.


    If you just want to select, drag and copy on right click without going to any corners, enable quick edit mode by going to the corner once and telling it you don't want to come back here again.

    right click -> properties -> options -> edit options -> check mark quick edit mode (no mark/copy corners needed henceforth)
    same --------------------------------------------> check mark quick insert (no edit

  3. #18
    Quote Originally Posted by Kayaker View Post
    So this BMSG invalid handle message, does this happen with every handle of every app in your new VM/Sice setup, or is it just this one situation?
    Seems to.

    Here's the confusing part. If I do an addr explorer to get into that context, then use hwnd, I get all the windows listed. I can verify from the list of windows handles supplied by softice that the window handle is valid. SPYXX, cdb and softice all supply the same window handle for the same window. Yet when I do a 'bmsg <hwnd> <msg>' with the same handle, ice tells me the handle is invalid.

    I have selected several hwnds from the softice display, including the desktop, and all of them return the invalid handle message. I have noticed that many hwnds have 6 figure values, like 1000138, whereas those I am having trouble with have only 5 figures. That's probably not significant.

    I may have to reload ice, but the part worrying me is that my problem may lie with Windows itself. I have XP SP3 loaded in the VM and ice works fine with a bare bones XP SP3 on my desktop, but I may have loaded hotfixes beyond SP3 in the VM. It's too long to go into here but the best solution seems to be creating a new VM disk and loading it with a fresh SP3 version of XP.

    I'm wondering, is there a way to debug softice using windbg? I am loading ice from the desktop, can I attach to it with windbg or would I be headed for BSODville?

    BTW...while researching on the Net, I noticed quite a few references to the same error message regarding an invalid window handle. No one seems to have a clue what causes it. It does not seem to be related to VMs only.

  4. #19
    Kayaker
    That's weird, if you get a good list with HWND while in Explorer context, Sice should at least accept the BMSG request, even if the combination of hwnd/msg wouldn't produce a break result itself.

    I use XP3 without any updates (other than .NET4) and don't have any issues, using the files from the last patch

    http://www.woodmann.com/collaborative/tools/index.php/Compuware_DriverStudio_Version_3.2_patch

    If you really wanted to debug this, my IceProbe tool would be the one to use to trace the Softice command, not even sure if Windbg would work without conflict. There must be a simpler solution to this.

  5. #20
    Wax, have you tried the "patch ntice" function of icestealth? It will patch the ntice files in the "other" folder to your actual OS
    (then make sure you replace your ntice files in the system32/drivers folder).

    This makes sure softice finds some of its things.

    Also there was a kernel security upgrade (5.1.2600.6165 and above?) (13.12.2011) after which softice no longer works without "patch ntice".

    Just a suggestion; maybe it solves the problem, maybe not.

  6. #21
    Quote Originally Posted by Elenil View Post
    Wax, have you tried the "patch ntice" function of icestealth? It will patch the ntice files in the "other" folder to your actual OS (then make sure you replace your ntice files in the system32/drivers folder).
    I am not too sure what you mean, Elenil. I don't see a "patch ntice" function specifically. Do you mean the functions checked under Load Old and Load New?

    There are three under Load Old already checked. Do I just leave them checked?

    OK...I tried it but icestealth wanted to call out and I don't have an Internet connection on the VM at this time, I had one a few days ago but it disappeared and I'm working on it. I don't think icestealth did anything because NTice.sys is still the same size.

    I'll try to get the Net connection going and get back to you.

  7. #22
    In the menu it has "Patch SoftICE".

    Then click (Patch SoftICE in "other" Folder).

    After this the files in IceStealth\other get patched to your actual OS.

    This fixes a lot of problems.

    After this copy the other folder to your system32\drivers dir and replace the old files.


    You also can try to spawn the keyboard set thing, or not overwrite your winice.dat.

  8. #23
    Quote Originally Posted by Elenil View Post
    In the menu it has "Patch SoftICE".
    menu???...what menu????

    Ah...I see the problem, I am running version 1.5 and you are up to ver 1.8.

    Just downloaded 1.8...I'll get back to you.

  9. #24
    @wax
    I'm wondering, is there a way to debug softice using windbg?
    yes sirreee no problem sirreee

    @k

    not even sure if Windbg would work without conflict
    What conflict do you envisage?

    I have been to siwvid.entrypoint and ntice.entrypoint before (just to be sure I did it again and pasted the output below).

    host xpsp3
    target ms vpc xp sp3 without virtual machine addons
    plain si405wnt installed with 4.05 patches (3 drivers replaced both package from exelab)
    i3here off
    (else ctrl+break in host windbg will be trapped by sice in target and the black beauty will wake up from sleep as if someone pressed ctrl+d in target)

    sxe -ibp;reboot
    bp iopinitializeBuiltinDriver+ XXXX (indirect call [REG32+const])
    g;r

    till you see siwvid and then ntice


    Code:
    kd> g;r
    Breakpoint 0 hit
    eax=80093d40 ebx=812d3eb8 ecx=29180008 edx=29170007 esi=00000000 edi=812d3e84
    eip=806a9ef9 esp=fac475f8 ebp=fac47630 iopl=0         nv up ei pl zr na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
    nt!IopInitializeBuiltinDriver+0x25d:
    *** ERROR: Module load completed but symbols could not be loaded for Siwvid.sys
    806a9ef9 ff532c          call    dword ptr [ebx+2Ch]  ds:0023:812d3ee4=fa658b1c
    kd> dd esp l2
    fac475f8  812d3eb8 80093d40
    kd> !ustr poi(esp+4)
    String(116,116) at 80093d40: \Registry\Machine\System\CurrentControlSet\Services\Siwvid
    kd> dt nt!_DRIVER_OBJECT poi(esp)
       +0x000 Type             : 0n4
       +0x002 Size             : 0n168
       +0x004 DeviceObject     : (null) 
       +0x008 Flags            : 2
       +0x00c DriverStart      : 0xfa652000 Void
       +0x010 DriverSize       : 0x1d320
       +0x014 DriverSection    : 0x81329108 Void
       +0x018 DriverExtension  : 0x812d3f60 _DRIVER_EXTENSION
       +0x01c DriverName       : _UNICODE_STRING "\Driver\Siwvid"
       +0x024 HardwareDatabase : 0x8068fa90 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
       +0x028 FastIoDispatch   : (null) 
       +0x02c DriverInit       : 0xfa658b1c     long  +0
       +0x030 DriverStartIo    : (null) 
       +0x034 DriverUnload     : (null) 
       +0x038 MajorFunction    : [28] 0x804fa87e     long  nt!IopInvalidDeviceRequest+0
    kd> gu
    nt!IopInitializeBootDrivers+0x2d2:
    806aa011 894618          mov     dword ptr [esi+18h],eax
    kd> !drvobj 812d3eb8 2
    Driver object (812d3eb8) is for:
     \Driver\Siwvid
    DriverEntry:   fa658b1c	Siwvid
    DriverStartIo: 00000000	
    DriverUnload:  00000000	
    AddDevice:     00000000	
    
    Dispatch routines:
    [00] IRP_MJ_CREATE                      fa659134	Siwvid+0x7134
    [02] IRP_MJ_CLOSE                       fa659134	Siwvid+0x7134
    [0e] IRP_MJ_DEVICE_CONTROL        fa659134	Siwvid+0x7134
    
    removed all ERROR_NOT_IMPLEMENTED CALLS
    
    kd> !grep -i -e "cmp" -c "uf fa659134"
    
    fa659168 81f90068409c    cmp     ecx,9C406800h
    fa659170 81f90468409c    cmp     ecx,9C406804h
    fa659178 81f90868409c    cmp     ecx,9C406808h 
    fa659180 81f90c68409c    cmp     ecx,9C40680Ch
    kd> $ control codes for siwvid   IRP Tail.overlay.CurrentStackLocation->Parameters.DeviceIoControl.IoControlCode
    
    
    kd> g;r
    Breakpoint 0 hit
    eax=80093a60 ebx=812d35c8 ecx=2add0008 edx=2adc0007 esi=00000000 edi=812d3592
    eip=806a9ef9 esp=fac475f8 ebp=fac47630 iopl=0         nv up ei pl zr na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
    nt!IopInitializeBuiltinDriver+0x25d:
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for NTice.sys - 
    806a9ef9 ff532c          call    dword ptr [ebx+2Ch]  ds:0023:812d35f4=fa641300
    kd> dd esp l2
    fac475f8  812d35c8 80093a60
    kd> !ustr poi(esp+4)
    String(114,114) at 80093a60: \Registry\Machine\System\CurrentControlSet\Services\NTice
    kd> dt nt!_DRIVER_OBJECT poi(esp)
       +0x000 Type             : 0n4
       +0x002 Size             : 0n168
       +0x004 DeviceObject     : (null) 
       +0x008 Flags            : 2
       +0x00c DriverStart      : 0xfa509000 Void
       +0x010 DriverSize       : 0x148f40
       +0x014 DriverSection    : 0x813290a0 Void
       +0x018 DriverExtension  : 0x812d3670 _DRIVER_EXTENSION
       +0x01c DriverName       : _UNICODE_STRING "\Driver\NTice"
       +0x024 HardwareDatabase : 0x8068fa90 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
       +0x028 FastIoDispatch   : (null) 
       +0x02c DriverInit       : 0xfa641300     long  NTice!adjust_fdiv+0
       +0x030 DriverStartIo    : (null) 
       +0x034 DriverUnload     : (null) 
       +0x038 MajorFunction    : [28] 0x804fa87e     long  nt!IopInvalidDeviceRequest+0
    
    kd> gu  this int 3 was trapped by sice in target you need to set i3here off for bps to be redirected to windbg on reboot 
    kayaker know a permanent way to disable i3here ?
    Break instruction exception - code 80000003 (first chance)
    *******************************************************************************
    *                                                                             *
    *   You are seeing this message because you pressed either                    *
    *       CTRL+C (if you run kd.exe) or,                                        *
    *       CTRL+BREAK (if you run WinDBG),                                       *
    *   on your debugger machine's keyboard.                                      *
    *                                                                             *
    *                   THIS IS NOT A BUG OR A SYSTEM CRASH                       *
    *                                                                             *
    * If you did not intend to break into the debugger, press the "g" key, then   *
    * press the "Enter" key now.  This message might immediately reappear.  If it *
    * does, press "g" and "Enter" again.                                          *
    *                                                                             *
    *******************************************************************************
    nt!RtlpBreakWithStatusInstruction:
    804e3592 cc              int     3
    
    kd> !drvobj 812d35c8 2
    Driver object (812d35c8) is for:
     \Driver\NTice
    DriverEntry:   fa641300	NTice!adjust_fdiv
    DriverStartIo: 00000000	
    DriverUnload:  00000000	
    AddDevice:     00000000	
    
    Dispatch routines:
    [00] IRP_MJ_CREATE                      fa556528	NTice!chkstk+0x4fe
    
    [02] IRP_MJ_CLOSE                       fa556528	NTice!chkstk+0x4fe
    [0e] IRP_MJ_DEVICE_CONTROL              fa556912	NTice!chkstk+0x8e8
    [0f] IRP_MJ_INTERNAL_DEVICE_CONTROL     fa556948	NTice!chkstk+0x91e
    [10] IRP_MJ_SHUTDOWN                    fa556544	NTice!chkstk+0x51a
    
    kd> !grep -i -e "cmp     ecx" -c "uf fa5565ca"
    
    fa556629 3bc8            cmp     ecx,eax
    fa556637 81f90060409c    cmp     ecx,9C406000h
    fa556643 81f90460409c    cmp     ecx,9C406004h
    fa55664b 81f90860409c    cmp     ecx,9C406008h
    fa556653 81f90c60409c    cmp     ecx,9C40600Ch
    fa55665b 81f91060409c    cmp     ecx,9C406010h
    fa556663 81f91460409c    cmp     ecx,9C406014h
    fa556735 81f91c60409c    cmp     ecx,9C40601Ch
    fa556741 81f92060409c    cmp     ecx,9C406020h
    fa55674d 81f92460409c    cmp     ecx,9C406024h
    fa556759 81f94860409c    cmp     ecx,9C406048h
    fa556761 81f94c60409c    cmp     ecx,9C40604Ch
    fa556769 81f95060409c    cmp     ecx,9C406050h
    kd> $ control codes for ntice devioctl  IRP Tail.overlay.CurrentStackLocation->Parameters.DeviceIoControl.IoControlCode
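
To make sense of the immediates that !grep pulled out of the two dispatch routines above, here is an added Python example (not from the thread, and not SoftICE or WinDbg code) that parses such "cmp ecx,<imm>h" lines and unpacks each value into its CTL_CODE fields; the sample lines are constructed from the output in this post.

```python
import re
from typing import Dict, List

# Constructed sample lines, modelled on the !grep ... "cmp ecx" -c "uf <dispatch>"
# output above: one code from the siwvid dispatch and two from ntice, plus a
# register compare that carries no IOCTL and must be skipped.
SAMPLE_GREP_OUTPUT = """\
fa659168 81f90068409c    cmp     ecx,9C406800h
fa556629 3bc8            cmp     ecx,eax
fa556637 81f90060409c    cmp     ecx,9C406000h
fa556759 81f94860409c    cmp     ecx,9C406048h
"""

# CTL_CODE(DeviceType, Function, Method, Access) packs four fields into 32 bits:
# bits 31..16 DeviceType, 15..14 Access, 13..2 Function, 1..0 Method.
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

# Matches the immediate operand of "cmp ecx,<hex>h"; "cmp ecx,eax" does not match.
CMP_IMM = re.compile(r"cmp\s+ecx,([0-9A-Fa-f]{1,8})h\b")


def decode_ioctl(code: int) -> Dict[str, object]:
    """Split a 32-bit IOCTL into its CTL_CODE fields."""
    device_type = (code >> 16) & 0xFFFF
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    return {
        "code": code,
        "device_type": device_type,
        # Microsoft reserves device types below 0x8000; vendor drivers use 0x8000+.
        "vendor_defined": device_type >= 0x8000,
        "access": ACCESS_NAMES[access],
        "function": function,
        "method": METHOD_NAMES[method],
        # METHOD_NEITHER hands raw user pointers to the driver, so those handlers
        # deserve the closest review when auditing a driver's IOCTL surface.
        "raw_user_pointers": method == 3,
    }


def extract_ioctls(grep_output: str) -> List[int]:
    """Return the immediates compared against ecx, in the order they appear."""
    return [int(m.group(1), 16) for m in CMP_IMM.finditer(grep_output)]


def summarize(grep_output: str) -> List[Dict[str, object]]:
    """Decode every IOCTL found in a !grep listing of a dispatch routine."""
    return [decode_ioctl(c) for c in extract_ioctls(grep_output)]


if __name__ == "__main__":
    for entry in summarize(SAMPLE_GREP_OUTPUT):
        print("{code:08X}: type={device_type:04X} func={function:03X} "
              "{method} {access}".format(**entry))
```

Feed it the real !grep output of the dispatch routine and the decoded table shows at a glance which handlers use which transfer method and access check.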

  10. #25
    Quote Originally Posted by blabberer View Post
    @wax ...yes sirreee no problem sirreee
    Verrrrrry interrrrrrrresting!!!

    Need to absorb all this. Right now I have embarked on yet another deviation from my initial chore of tracking a file seek to the MFT on a hard drive. To get back to that I need to fix softice, fix XP SP3 on a VM, and fix the Internet connection in the VM. Either that or learn everything about windbg and/or cdb really quickly, which looks highly unlikely.

    It would also be nice to get a pipe going between the VM and my desktop so I could use Windbg remotely. In the interim, I took time out to rebuild my system, having to troubleshoot an XP install disk that gave me a BSOD when I tried a repair install. With a new mother board that is apparently to be expected, but no one tells you that.

    Sigh...the life of a reverser is fraught with peril.

  11. #26
    Quote Originally Posted by Elenil View Post
    In the menu it has "Patch SoftICE".
    no good E., icestealth wants those symbols from Microsoft and would not consider symbols I stuck in the 'Other' directory.

  12. #27
    Quote Originally Posted by Elenil View Post
    In the menu it has "Patch SoftICE".
    E.....something really weird is going on. I just downloaded icestealth 1.8 from the RCE cache and every time I use the icestealth.exe file, it gets deleted. I checked it with an old copy of AVP and it showed no viruses, but that copy's virus database is at least a year old.

    The only other time I have seen that was with certain reversing tools many years ago. Some apps would delete the executable if they detected it.

    I have no idea what could be on my VM system that would delete Icestealth. I have hardly anything on it.

    I have a firewall running on the VM.

  13. #28
    Quote Originally Posted by Elenil View Post
    In the menu it has "Patch SoftICE".
    Re the disappearing icestealth.....I figured it out. Pretty smart.

  14. #29
    Kayaker
    Quote Originally Posted by WaxfordSqueers View Post
    I have a firewall running on the VM.
    Hello? Dumb question, but have you tried BMSG without the firewall? Just a shot in the dark.

  15. #30
    Kayaker
    You're right blabs, as I wrote that I realized it should be no different from debugging any other driver if using a Windbg pipe. I didn't want to add that and perhaps VirtualKD to the mix at the moment, but what the hay..

    The interfering I3here can be turned off in winice.dat, i.e.
    FAULTS OFF; I3HERE OFF;

    The problem now is, can you find and trace a BMSG command?

    http://www.woodmann.com/forum/entry.php?96-IceProbe-SoftIce-Command-Tracer

    Setting up IDA for analysing Softice functions
    http://www.woodmann.com/forum/showthread.php?t=6529
