Results 1 to 8 of 8

Thread: Debugging Softice loading with VMWare

  1. #1
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Blog Entries

    Debugging Softice loading with VMWare

    I thought I'd continue a new thread for the Softice related discussions that seem to be happening here and there. There was some talk about trying to debug through the early loading of Softice in a VM, perhaps to identify graphic issues or other reasons. Just for fun I decided to try it.

    Here is virtual Windbg on Win10 host with XP target with Softice installed. Break is at loading of siwvid.sys

    VMWare Workstation, install VirtualKD on host and guest.

    After installation, XP will break at new boot.ini with debug OS. Start VirtualKD and wait for connect (might have to fiddle around with order of starting).

    Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
    Opened \\.\pipe\kd_XP_SOFTICE
    Waiting to reconnect...
    Connected to Windows XP 2600 x86 compatible target
    Kernel Debugger connection established.
    *NOTE XP SYMBOLS in shared VM folder
    ************* Path validation summary **************
    Response                         Time (ms)     Location
    Deferred                                       SRV*D:\Programming\Symbols*
    Deferred                                       SRV*Z:\Symbols*
    kd> lm
    start    end        module name
    804d7000 806eb780   nt         (pdb symbols)          d:\programming\symbols\ntoskrnl.pdb\8592B6763F34476B9BB560395A383F962\ntoskrnl.pdb
    *SET BREAKPOINT on siwvid
    kd> sxe -c ".echo siwvid Loaded;" ld:siwvid.sys
    *CONFIRM EVENT FILTER is set in Windbg
    kd> g
    siwvid Loaded
    8050b897 cc              int     3
    kd> lm
    start    end        module name
    804d7000 806eb780   nt         (pdb symbols)          d:\programming\symbols\ntoskrnl.pdb\8592B6763F34476B9BB560395A383F962\ntoskrnl.pdb
    806ec000 8070c380   hal        (deferred)             
    8070d000 80737000   KDBAZIS    (deferred)    *VIRTUALKD DRIVER         
    f75af000 f75d5e80   siwvid     (deferred)             
    f75d6000 f7602a80   NDIS       (deferred)             
    f7603000 f768f480   Ntfs       (deferred)             
    f7690000 f76a6780   KSecDD     (deferred)             
    f76a7000 f76b8f00   sr         (deferred)             
    f76b9000 f76d7780   fltMgr     (deferred)             
    f76d8000 f76ef800   SCSIPORT   (deferred)             
    f76f0000 f7707480   atapi      (deferred)             
    f7708000 f7726880   ftdisk     (deferred)             
    f7727000 f77d5d60   OsiData    (deferred)             
    f77d6000 f77e6a80   pci        (deferred)             
    f77e7000 f7814d80   ACPI       (deferred)             
    f7836000 f783ec00   isapnp     (deferred)             
    f7846000 f7850500   MountMgr   (deferred)             
    f7856000 f7865c80   vmci       (deferred)             
    f7866000 f7872c80   VolSnap    (deferred)             
    f7876000 f7883d00   vsock      (deferred)             
    f7886000 f788ee00   disk       (deferred)             
    f7896000 f78a2200   CLASSPNP   (deferred)             
    f7ab6000 f7aba800   cpthook    (deferred)             
    f7abe000 f7ac4200   PCIIDEX    (deferred)             
    f7ac6000 f7aca900   PartMgr    (deferred)             
    f7c46000 f7c49000   BOOTVID    (deferred)             
    f7c4a000 f7c4c980   bootcfg    (deferred)             
    f7c4e000 f7c50480   compbatt   (deferred)             
    f7c52000 f7c55700   BATTC      (deferred)             
    f7d36000 f7d37100   WMILIB     (deferred)             
    f7d38000 f7d39580   intelide   (deferred)             
    f7d3a000 f7d3bd00   vmscsi     (deferred)

    That's as far as I've gotten, I haven't traced anything I just wanted to confirm if it was possible to break on Softice loading under VMware. I'm not sure at exactly what point in loading the PE driver file Windbg sxe breaks, presumably before DriverEntry.

    If it's difficult to trace into the driver code from there or find the right breakpoints, there's always the old-fashioned way

    Break on the call in IopLoadDriver which directly calls DriverEntry for any driver.

    kd> x nt!IopLoadDriver
    805a65cf          nt!IopLoadDriver
    805a69c9 ffb570ffffff    push    dword ptr [ebp-90h]
    805a69cf 57              push    edi
    805a69d0 ff572c          call    dword ptr [edi+2Ch] ; Call to DriverEntry
    kd> bp 805a69d0
    kd> g
    Breakpoint 0 hit
    805a69d0 ff572c          call    dword ptr [edi+2Ch]

  2. #2
    do you have us the vm ware image?

    i will try this out but i cant cause the video problem to happen on a vm

    but maybe i can take a look on the process if i see something odd

  3. #3
    Super Moderator
    Join Date
    Dec 2004
    Blog Entries
    doing lm only shows nt because symbols are loaded only for nt use .reload /f and do lm again to see other modules

    sxe ld:siwvid will break before DriverEntry is Called

    You Can See StackTrace there with kb assuming you are using 32 bit host and 32 bit target

    infact Your Next step of nt!IopLoadDriver will be part of Stack

    kd> kb
     # ChildEBP RetAddr  Args to Child              
    00 f8967398 80506d80 f8967430 f89673ac 00000003 nt!DebugService2+0x10
    01 f89673bc 805a3113 f8967430 f7fa4000 ffffffff nt!DbgLoadImageSymbols+0x42
    02 f8967560 805a378a f89675e4 00000000 00000000 nt!MmLoadSystemImage+0xa80
    03 f8967640 806a09ad 00000358 00000001 00000000 nt!IopLoadDriver+0x371    <<<<<<<<<<
    04 f896769c 806a0735 00034000 00000000 00000000 nt!IopInitializeSystemDrivers+0x16c
    05 f896783c 806a1a6c 80087000 00000000 823c8920 nt!IoInitSystem+0x7a3
    06 f8967dac 8057aeff 80087000 00000000 00000000 nt!Phase1Initialization+0x9b5
    07 f8967ddc 804f88ea 806a12fa 80087000 00000000 nt!PspSystemThreadStartup+0x34
    08 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
    kd> .lastevent
    Last event: Load module Siwvid.SYS at f7fa4000
      debugger time: Sat Jan  4 00:26:17.038 2020 
    kd> ds /c 100 poi(@esp+8)
    821be518  "\WINDOWS\System32\Drivers\Siwvid.SYS"
    you can check the Disassembly at the provided ReturnAddress

    kd> ub 805a378a l1
    805a3785 e833faffff      call    nt!MmLoadSystemImage (805a31bd)
    kd> u 805a378a l10
    805a378a 3bc3            cmp     eax,ebx
    805a378c 8945ac          mov     dword ptr [ebp-54h],eax
    805a378f 0f8c59740000    jl      nt!IopLoadDriver+0x37c (805aabee)
    805a3795 ff7590          push    dword ptr [ebp-70h]
    805a3798 e8a856f5ff      call    nt!RtlImageNtHeader (804f8e45)
    805a379d ff7510          push    dword ptr [ebp+10h]
    805a37a0 8d4598          lea     eax,[ebp-68h]
    805a37a3 ff7590          push    dword ptr [ebp-70h]
    805a37a6 ff758c          push    dword ptr [ebp-74h]
    805a37a9 50              push    eax
    805a37aa e8f5220000      call    nt!IopPrepareDriverLoading (805a5aa4)
    805a37af 3bc3            cmp     eax,ebx
    805a37b1 8945ac          mov     dword ptr [ebp-54h],eax
    805a37b4 0f8cea430400    jl      nt!IopLoadDriver+0x447 (805e7ba4)
    805a37ba 64a124010000    mov     eax,dword ptr fs:[00000124h]
    805a37c0 8a8040010000    mov     al,byte ptr [eax+140h]

    you can use gu to get to the relevent ReturnAddress

    kd> gu
    80506d80 c9              leave
    kd> gu
    805a3113 804b3610        or      byte ptr [ebx+36h],10h
    kd> gu
    805a378a 3bc3            cmp     eax,ebx   <<<<<<
    you can use pc to run upto next call and you will notice
    Apis Like RtlImageHeader,nt!IopPrepareDriverLoading,nt!ObCreateObject etc being called

    kd> r
    eax=f896758c ebx=00000000 ecx=0000bb40 edx=02dd0001 esi=8055b1e0 edi=8055b1c0
    eip=805a37e6 esp=f896755c ebp=f8967640 iopl=0         nv up ei pl zr na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
    805a37e6 e87b1dfcff      call    nt!ObCreateObject (80565566)
    kd> dd @esp l9
    f896755c  00000000 823b2ad0 f896758c 00000000
    f896756c  00000000 000000c4 00000000 00000000
    f896757c  f89675c0
    kd> dt nt!_OBJECT_ATTRIBUTES poi(@esp+8)
       +0x000 Length           : 0x18
       +0x004 RootDirectory    : (null) 
       +0x008 ObjectName       : 0xf89675b4 _UNICODE_STRING "\Driver\Siwvid"
       +0x00c Attributes       : 0x10
       +0x010 SecurityDescriptor : (null) 
       +0x014 SecurityQualityOfService : (null) 
    kd> dt nt!_OBJECT_TYPE poi(@esp+4)
       +0x000 Mutex            : _ERESOURCE
       +0x038 TypeList         : _LIST_ENTRY [ 0x823b2b08 - 0x823b2b08 ]
       +0x040 Name             : _UNICODE_STRING "Driver"
       +0x048 DefaultObject    : 0x80560960 Void
       +0x04c Index            : 0x1a
       +0x050 TotalNumberOfObjects : 0x43
       +0x054 TotalNumberOfHandles : 0
       +0x058 HighWaterNumberOfObjects : 0x43
       +0x05c HighWaterNumberOfHandles : 1
       +0x060 TypeInfo         : _OBJECT_TYPE_INITIALIZER
       +0x0ac Key              : 0x76697244
       +0x0b0 ObjectLocks      : [4] _ERESOURCE
    kd> dd f89675c0 l1
    f89675c0  00000000
    stepover obCreateObject to take a look at Driver Object
    kd> p
    805a37eb 3bc3            cmp     eax,ebx
    kd> dd f89675c0 l1
    f89675c0  821a5f38 <<<<<<<<<
    kd> !object 821a5f38
    Object: 821a5f38  Type: (823b2ad0) Driver
        ObjectHeader: 821a5f20 (old version)
        HandleCount: 0  PointerCount: 1
        Directory Object: 00000000  Name: \Driver\Siwvid
    after this the Driver_object and all MAJOR_FUNCTION will be setup
    and Driver EntryCalled

    See The Filled in DriverInit which is the siwvid DriverEntry()

    kd> dt nt!_DRIVER_OBJECT 821a5f38
       +0x000 Type             : 0n4
       +0x002 Size             : 0n168
       +0x004 DeviceObject     : (null) 
       +0x008 Flags            : 2
       +0x00c DriverStart      : 0xf7fa4000 Void
       +0x010 DriverSize       : 0x103c0
       +0x014 DriverSection    : 0x821c7108 Void
       +0x018 DriverExtension  : 0x821a5fe0 _DRIVER_EXTENSION
       +0x01c DriverName       : _UNICODE_STRING "\Driver\Siwvid"
       +0x028 FastIoDispatch   : (null) 
       +0x02c DriverInit       : 0xf7faa39a     long  +0
       +0x030 DriverStartIo    : (null) 
       +0x034 DriverUnload     : (null) 
       +0x038 MajorFunction    : [28] 0x804fa87e     long  nt!IopInvalidDeviceRequest+0
    kd> ? @edi
    Evaluate expression: -2112200904 = 821a5f38
    kd> r
    eax=0000000e ebx=00000000 ecx=00000000 edx=01b40001 esi=e14a8146 edi=821a5f38
    eip=805a399a esp=f8967578 ebp=f8967640 iopl=0         nv up ei pl nz na po nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
    805a399a ff572c          call    dword ptr [edi+2Ch]  ds:0023:821a5f64=f7faa39a

    i used a old vpc xp sp3 32 bit target with stock si405wnt installed in it
    and a win 7 sp1 32 bit host
    with named pipe serial connection

  4. #4
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Blog Entries
    Quote Originally Posted by Elenil View Post
    do you have us the vm ware image?
    Well, that would be a 4GB image of my own licensed copy of XP with a lot of other stuff installed, so not really.

    There is a free XP image for virtual use from Microsoft if you've got a licensed version of Win7

    I think there's also a vmware virtualization converter that can convert a physical machine into a virtual one.

    You really don't have a copy of XP, with all your fine work with IceStealth?

  5. #5
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Blog Entries
    Quote Originally Posted by blabberer View Post
    after this the Driver_object and all MAJOR_FUNCTION will be setup
    and Driver EntryCalled
    Yeah, that would be the good step, get MAJOR_FUNCTION addresses and you can go anywhere.

  6. #6
    Super Moderator
    Join Date
    Dec 2004
    Blog Entries

    Yeah, that would be the good step, get MAJOR_FUNCTION addresses and you can go anywhere.
    a small clarification
    at the point where i make the statement One actually cannot get the Actual MAJOR_FUNCTION Address that belongs to the Driver
    since they are filled in by the Respective Drivers in Their Driver Entry Procedure which has not happened yet. but since this is the DRIVER_OBJECT
    Structure You can set hardware bp on Driver_object ->Driverinit

    os does Something Like this (Pseudo code) this iswin7livekd so minor changes may be there between xp and w7

    kd> u 82fcb04f l20
    82fcb04f 64a124010000    mov     eax,dword ptr fs:[00000124h]
    82fcb055 8a803a010000    mov     al,byte ptr [eax+13Ah]
    82fcb05b 888568ffffff    mov     byte ptr [ebp-98h],al
    82fcb061 8d8560ffffff    lea     eax,[ebp-0A0h]
    82fcb067 50              push    eax
    82fcb068 53              push    ebx
    82fcb069 53              push    ebx
    82fcb06a bfc4000000      mov     edi,0C4h
    82fcb06f 57              push    edi
    82fcb070 53              push    ebx
    82fcb071 53              push    ebx
    82fcb072 8d8510ffffff    lea     eax,[ebp-0F0h]
    82fcb078 50              push    eax
    82fcb079 ff35941bf782    push    dword ptr [nt!IoDriverObjectType (82f71b94)]
    82fcb07f ffb568ffffff    push    dword ptr [ebp-98h]
    82fcb085 e889230600      call    nt!ObCreateObject (8302d413)
    82fcb08a 3bc3            cmp     eax,ebx
    82fcb08c 8945a0          mov     dword ptr [ebp-60h],eax
    82fcb08f 7cae            jl      nt!IopLoadDriver+0x47f (82fcb03f)
    82fcb091 8bb560ffffff    mov     esi,dword ptr [ebp-0A0h]
    82fcb097 57              push    edi
    82fcb098 53              push    ebx
    82fcb099 56              push    esi
    82fcb09a e82164e7ff      call    nt!memset (82e414c0)
    82fcb09f 83c40c          add     esp,0Ch
    82fcb0a2 6a1c            push    1Ch
    82fcb0a4 8d86a8000000    lea     eax,[esi+0A8h]
    82fcb0aa 894618          mov     dword ptr [esi+18h],eax
    82fcb0ad 8930            mov     dword ptr [eax],esi
    82fcb0af 59              pop     ecx
    82fcb0b0 b8e5d0eb82      mov     eax,offset nt!IopInvalidDeviceRequest (82ebd0e5)
    82fcb0b5 6a04            push    4
    kd> dd 00000030:124 l1
    0030:00000124  87ad8030
    kd> ? @$thread
    Evaluate expression: -2018672592 = 87ad8030
    kd> ?? #FIELD_OFFSET( nt!_ETHREAD ,Tcb.PreviousMode)
    long 0x13a
    kd> $$ RequestorMode == KernelMode
    kd> dS poi(nt!IoDriverObjectType)+8
    89e04d08  "Driver"
    kd> $$ [ebp-0f0] == nt!_OBJECT_ATTRIBUTES
    kd> $$objectmode and ReservedareNULL (ebx ==0)
    kd> $$ ObjectSizeToAllocate == 0xc4
    kd> two optinal arguments are NULL again
        ^ No runnable debuggees error in 'two optinal arguments are NULL again'
    kd> $$ out pointer (nt!_DRIVER_OBJECT *) is [ebp-0ah]
    kd> $$ so ObCreateObject(Mode=Kmode,"Driver",ObjAttr,NULL,NULL,0xc4,NULL,NULL,PDRIVER_OBJECT &[ebp-0xa0])
    kd> so at this point this memory contains gibberish
    Debug Options: <none>
    kd> $$ nextmemset is called to init the space notesize = @edi= 0xc4
    after memset all the 0x1b MAJOR_FUNCTION slots are initialised with  nt!IopInvalidDeviceRequest  (so that if the driver fills only IRP_MJ_CONTROL only all other MAJOR_FUNCTION will result in InvalidRequest call
    kd> uf nt!IopInvalidDeviceRequest
    82ebd0e5 8bff            mov     edi,edi
    82ebd0e7 55              push    ebp
    82ebd0e8 8bec            mov     ebp,esp
    82ebd0ea 8b4d0c          mov     ecx,dword ptr [ebp+0Ch]
    82ebd0ed 32d2            xor     dl,dl
    82ebd0ef c74118100000c0  mov     dword ptr [ecx+18h],0C0000010h
    82ebd0f6 ff15a81bf782    call    dword ptr [nt!pIofCompleteRequest (82f71ba8)]
    82ebd0fc b8100000c0      mov     eax,0C0000010h
    82ebd101 5d              pop     ebp
    82ebd102 c20800          ret     8
    Last edited by blabberer; January 3rd, 2020 at 20:30.

  7. #7
    Sorry guys...I missed this new thread. Still working on stabilizing XP re LAN and serial port on 300-series chipset. Lot of finicky detail but interesting to me.

    Need to get up to speed on this subject. In a past thread we discussed kdcom.dll. It is called early in the Windows boot process. I was skimming through the Windows XP book by Russinovich and he claimed kdcom.dll is debug code that used to be in ntoskrnl. It is called early in the boot process, I think right after ntoskrnl and hal. The form of kdcom depends on the usage. kdcom.dll appears to be related to serial communications and there are others like kd1394.dll related to firewire.

    You guys likely know this already, but according Russinovich, ntoskrnl is called first in the boot process by ntldr, then ntos calls hal for a nice to and fro chat. I looked at ntos with LordPE and it's structure is quite different than the usual module. It has more sections. That was the XP ntoskrnl.

    I have noted that my W7 laptop, which is the host in remote sessions, also has a kdusb.dll. XP only has the com and 1394 versions. Have not checked W10 yet but it's supposed to have network capabilities for remote debugging. I mention this only because the kdxxx.dlls may be useful for setting BPs if it is desired to examine Windows during boot. Also, wondered if modules like kdusb.sys might be adapted for use on kernel debugging of an XP or W7 boot? Heck, why stop there, what about the W10 LAN debug module, if it exists?

    I'd like to see where the driver studio message comes from early in the boot process where you can hit a key to turn softice on or off.

    I also noted recently that a 'break' extension is available for boot.ini. Apparently, when set, it breaks the OS during boot and waits for a debugger. Maybe I'm wrong.

  8. #8
    @kayaker ....revisiting your thread on loading softice via vmware. Not at the stage yet of trying it via a remote kernel debug session via a COM port on XP but I fired ice up last night to see what would happen with the XP on the modern chipset and Nvidia GT-730 video card.

    Froze everything after the first window opened but no BSOD. A window comes up with a nice blue border, and the typical ice black background, and a cursor blinks about once, then nothing. It did not like selecting an older nvidia driver in the Settings window, suggesting a Universal driver. When it tested it there was no error. It is obviously the video driver, however.

    However, I got the idea of examining the source of the older nvidia drivers they suggest to see if I could mod the settings to take a newer driver.

    Till I get the remote session going, if it works, I am thinking of playing around with wdbg, or CDB, with a breakpoint written into ice somewhere so it will stop, hopefully before the freeze point. You have given some good BPs in this thread which I'll try as well, just to see if I can trace it to the freeze point. Also, I want to see how it loads. I guess, by the time ice goes into its official debug mode it will create issues with wdbg. But that's part of the fun, is it not.

    The link I provided in the other thread to ARTeam reminded me of the trick by Yates to insert an EB FE to make ice sit and idle. I hope it was Yates who came up with the idea and I am not insulting someone else. The only thing I don't like about that comes from my hardware experience. It gives me the heebies to think of a processor cycling at a millions miles per second at the same instruction.

Similar Threads

  1. Replies: 0
    Last Post: February 19th, 2009, 13:17
  2. VMWare & Softice - Experiences, problems and solutions
    By dELTA in forum Tools of Our Trade (TOT) Messageboard
    Replies: 11
    Last Post: April 20th, 2005, 01:27
  3. VMWare vs. Virtual PC
    By sgdt in forum Off Topic
    Replies: 19
    Last Post: August 2nd, 2004, 17:10
  4. Softice, VMWare and INT3
    By asr in forum Tools of Our Trade (TOT) Messageboard
    Replies: 5
    Last Post: May 26th, 2004, 19:53
  5. Softice 4.2.7 loading
    By Snatch in forum Tools of Our Trade (TOT) Messageboard
    Replies: 4
    Last Post: October 1st, 2002, 20:54


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts