Page 5 of 5 FirstFirst 12345
Results 61 to 64 of 64

Thread: soft ice in a VM and Windbg growing pains

  1. #61
    Quote Originally Posted by Kayaker View Post
    Would the "glitch" be visible as a byte difference I wonder, even if not understood as representing such?
    The glitch seems to be related to either the VM config or the firewall. I changed the VM config to

    vmmouse.present = FALSE
    svga.maxFullscreenRefreshTick = 5

    and shut down the firewall. I should have done them one at a time but I got impatient.

    Anyway, stepped into U32 ok. So far, so good. Or as you folks back East say, si tant, si bon. :-)

  2. #62
    Quote Originally Posted by Kayaker View Post
    Oh Boy, now you did it!
    I'll say. Just ran into the problem you described where I got tangled up in VM garbage while tracing the kernel.

    Did you ever find a solution to dealing with that? I backed out using the stack but went too far and activated the app I am tracing. I think you mentioned something about setting a BP as soon as you enter the kernel.

    The problem with this app is that it uses a lot of win32k.sys processing windows. I ran through a waitforinputidle, or something like that, and I think that lead into the VM garbage.

  3. #63

  4. #64
    Quote Originally Posted by Kayaker View Post
    Yeah, that's the one...thanks. For some reason, other than a small interruption from the supposedly turned off firewall (I guess the driver keeps doing its thing), I had a lengthy session in the VM with no interruptions.

    If I run into more crap, I'll explore the use of your TID method.

    In my first venture, I tried to trace right from the mouse capture...bmsg hwnd 203 (WM_LBUTTONDBLCLK) but I got caught up in some hairy win32k stuff, and that lead to the VM stuff. Getting smarter on trek #2, I set a BP in shell32, where I had traced successfully in a non-VM situatation, and it was pretty clear sailing.

    My mind is getting bent with object theory, stuff like SHITEMID lists and PIDLs, apparently pronounced 'piddle'. The IDL is the system's equivalent of a path, with structures beginning with the structure length and ending with a NULL entry to indicate the end of the list.

    My BPX was on _ShellExecuteExA, which takes a pointer to a SHELLEXECUTEINFO structure. As you trace from there through shell32, it interacts with OLE 32, and Shlwapi to parse the path and create IDLs and objects. I am hoping it will sooner or later reveal a connection to the MFT structure in the NTFS file system via NTFS.sys.

    I have already found such a connection via CreateFile to the filecache but it is too far along and the file location seems to have been located in the MFT already. I am trying to understand whether the handle retrieved by CreateFile comes after the MFT has been accessed or before. It seems that by the time CreateFile gets a handle for the file, the file is already loaded into memory.

    If you look at the structure members you can see the file/directory parameters, etc.

Similar Threads

  1. One soft protect by crypkey.
    By banch in forum The Newbie Forum
    Replies: 10
    Last Post: June 7th, 2013, 06:11
  2. newnie want ollydebug soft
    By ugam in forum OllyDbg Support Forums
    Replies: 2
    Last Post: January 6th, 2006, 08:14
  3. win16 soft over nt
    By potros in forum The Newbie Forum
    Replies: 1
    Last Post: September 23rd, 2005, 19:09
  4. can soft-ice for dos be load in the lower memory
    By robertyonghu in forum Tools of Our Trade (TOT) Messageboard
    Replies: 6
    Last Post: November 10th, 2001, 22:21
  5. Armadillo protected soft
    By LaptoniC in forum Advanced Reversing and Programming
    Replies: 8
    Last Post: May 7th, 2001, 06:57


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts