Results 1 to 15 of 34

Thread: NTice.sys Patch for DriverStudio v3.x,fix problem of Symbol Loader not breaking at Wi

  1. #1
    iceplus (Guest)

    NTice.sys Patch for DriverStudio v3.x,fix problem of Symbol Loader not breaking at Wi

    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    I C E P L U S
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    NTice.sys Patch for DriverStudio v3.x
    to fix problem of Symbol Loader not
    breaking at WinMain
    Only tested on Winxp, DS v3.0,3.1,(2.7??)


    NTice.sys path: %SYSTEM%\drivers
    for example:
    "C:\windows\system32\drivers\"

    iCePlUs[2004]

    Web:iceplus.126.com
    Email:iceplus@hotmail.com
    Attached Files
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    dELTA (Administrator; joined Oct 2000; location: Ring -1; 4,206 posts; 5 blog entries)
    That problem is still in the latest Softice? Why don't they ever fix it, it's been there for ages now?!

  3. #3
    Mine does break fine at WinMain.. using DS3.1...

  4. #4
    ZaiRoN ("Red wine, not vodka!"; joined Oct 2001; location: Italy; 922 posts; 17 blog entries)
    I agree with you Crusader.
    iceplus, can you tell us more about the patch? Seems like you only nopped some conditional jumps, why?

    best regards,
    ZaiRoN

  5. #5
    Kayaker ("Teach, Not Flame"; joined Oct 2000; 4,114 posts; 5 blog entries)
    Hmm, a patch with no source, hidden imports, altered section characteristics...

    Why not an open and honest presentation of the problem and its solution?

  6. #6
    dELTA (Administrator; joined Oct 2000; location: Ring -1; 4,206 posts; 5 blog entries)
    The problem I was referring to was that Softice used to refuse to breakpoint at entrypoint/winmain if the PE section it was located in didn't have certain characteristics (like the executable flag etc). Does it always break nowadays, disregarding the PE section flags, or is this what this tool supposedly fixes maybe?

  7. #7
    naides ("Naides is Nobody"; joined Jan 2002; location: Planet Earth; 1,647 posts)
    Quote (originally posted by Kayaker):
    Hmm, a patch with no source, hidden imports, altered section characteristics...

    Why not an open and honest presentation of the problem and its solution?
    I followed the web address this Iceplus fellow gives

    http://iceplus.126.com

    There seems to be a discussion about what this patch is all about. The only problem is that it is carried in Chinese. Perhaps this person has good intentions but cannot communicate...
    Last edited by naides; May 19th, 2004 at 14:43.

  8. #8
    iceplus (Guest)

    In DS 3.0, the break-at-WinMain code:

    .text:0003106B BreakLdrProcHandle proc near ; CODE XREF: sub_3163F+3Bp
    .text:0003106B
    .text:0003106B arg_0= dword ptr 8
    .text:0003106B
    .text:0003106B 55 push ebp
    .text:0003106C 8B EC mov ebp, esp
    .text:0003106E 60 pusha
    .text:0003106F 8B 5D 08 mov ebx, [ebp+arg_0]
    .text:00031072 0F B6 0D D2 2F 0E+ movzx ecx, LoadProcName
    .text:00031079 41 inc ecx
    .text:0003107A BE D3 2F 0E 00 mov esi, offset unk_E2FD3
    .text:0003107F 8D 7B 0E lea edi, [ebx+0Eh]
    .text:00031082 FC cld
    .text:00031083 E8 24 CC 03 00 call _StringCmpareNoAa ; compare process name
    .text:00031088 75 75 jnz short loc_310FF
    .text:0003108A 66 A1 F3 2F 0E 00 mov ax, word_E2FF3
    .text:00031090 66 83 F8 FF cmp ax, 0FFFFh
    .text:00031094 74 05 jz short loc_3109B
    .text:00031096 66 39 03 cmp [ebx], ax
    .text:00031099 75 64 jnz short loc_310FF
    .text:0003109B
    .text:0003109B loc_3109B: ; CODE XREF: BreakLdrProcHandle+29j
    .text:0003109B 0F B7 43 02 movzx eax, word ptr [ebx+2]
    .text:0003109F 0F 02 C8 lar ecx, eax
    .text:000310A2 75 5B jnz short loc_310FF ; patch here NO JUMP
    .text:000310A4 66 81 E1 00 18 and cx, 1800h ; in DS V3.1, we search "66 81 e1 00 18" to get "BreakLdrProcHandle" address
    .text:000310A9 66 81 F9 00 18 cmp cx, 1800h
    .text:000310AE 75 4F jnz short loc_310FF ; patch here NO JUMP
    .text:000310B0 66 A3 66 E2 0F 00 mov word_FE266, ax
    .text:000310B6 C6 05 6C E2 0F 00+ mov byte_FE26C, 3
    .text:000310BD E8 6F F3 FF FF call sub_30431
    .text:000310C2 72 3B jb short loc_310FF ; patch here NO JUMP
    .text:000310C4 8B 0D F9 2F 0E 00 mov ecx, dword_E2FF9
    .text:000310CA 03 4B 04 add ecx, [ebx+4]
    .text:000310CD 89 0D 68 E2 0F 00 mov AddressInCur, ecx
    .text:000310D3 8D 3C 01 lea edi, [ecx+eax]
    .text:000310D6 C7 05 6D 41 11 00+ mov BreakViewType, 10004h
    .text:000310E0 8B C1 mov eax, ecx
    .text:000310E2 E8 AD 71 01 00 call sub_48294
    .text:000310E7 A3 01 30 0E 00 mov dword_E3001, eax
    .text:000310EC 66 8B 0D 66 E2 0F+ mov cx, word_FE266
    .text:000310F3 E8 44 FF 06 00 call sub_A103C
    .text:000310F8 C6 05 D1 2F 0E 00+ mov byte_E2FD1, 0
    .text:000310FF
    .text:000310FF loc_310FF: ; CODE XREF: BreakLdrProcHandle+1Dj
    .text:000310FF ; BreakLdrProcHandle+2Ej ...
    .text:000310FF 61 popa
    .text:00031100 5D pop ebp
    .text:00031101 C2 04 00 retn 4
    .text:00031101 BreakLdrProcHandle endp
    Last edited by iceplus; May 19th, 2004 at 20:26.

  9. #9
    iceplus (Guest)

    Code for FASM 1.52:

    ;================================================================================
    ; SiceLdrBreak Patch V0.1beta
    ;
    ;================================================================================

    format PE GUI 4.0
    entry start

    include '%fasminc%\win32a.inc'
    include 'pe.inc'                ; supplies the IMAGE_* header structures used below
    ;================================================================================
    ; DATA
    ;================================================================================
    section '.data' data readable writeable
      hIcon         dd 0
      hInstance     dd 0
      flags         dd ?
      pNewFileName  rb 40h          ; backup name: <ntice.sys path> + '.bak'

      ofn OPENFILENAME

      hFile         dd ?
      FileSize      dd ?
      hMapFile      dd ?
      pMemory       dd ?
      pFileFilter   db "WDM Files",0,"*.sys",0,0

      pFileName     rb 40h          ; buffer handed to GetOpenFileName and GetDlgItemText

      message   db 'Patch error !', 0
      message2  db 'Good! Patch succeed !',0dh,0ah,0dh,0ah,\
                   'Please restart your computer!',0
      caption   db 'SiceLdrBreak Patch', 0

      ; "and cx,1800h / cmp cx,1800h" inside BreakLdrProcHandle: the anchor we search for
      codebin   db 66h,81h,0E1h,00h,18h,66h,81h,0F9h,0,18h
      codesize  dd $-codebin

      ; the three conditional jumps that get replaced with nop/nop
      nop1      db 75h,5bh          ; jnz short loc_310FF after lar
      size_nop1 dd $-nop1
      nop2      db 75h,4fh          ; jnz short loc_310FF after cmp cx,1800h
      size_nop2 dd $-nop2
      nop3      db 72h,3bh          ; jb short loc_310FF after call sub_30431
      size_nop3 dd $-nop3

    ;================================================================================
    ; CODE
    ;================================================================================
    section '.code' code readable executable

    start:

      invoke GetModuleHandle,0
      mov dword [hInstance], eax

      invoke DialogBoxParam,eax,37,HWND_DESKTOP,DialogProc,0
    exit:
      invoke ExitProcess,0

    proc DialogProc,hWnd,msg,wparam,lparam
      push ebx esi edi
      cmp [msg],WM_INITDIALOG
      je WmInitdialog
      cmp [msg],WM_COMMAND
      je WmCommand
      cmp [msg],WM_CLOSE
      je WmClose
      xor eax,eax
      jmp finish
    WmInitdialog:
      ; set icon
      invoke LoadIcon,[hInstance],IDI_FIRST
      mov [hIcon],eax
      invoke SendMessage,[hWnd],WM_SETICON,1,eax

      mov [ofn.lStructSize],sizeof.OPENFILENAME
      mov eax,[hWnd]
      mov [ofn.hwndOwner],eax
      mov eax,[hInstance]
      mov [ofn.hInstance],eax
      mov [ofn.lpstrFilter], pFileFilter
      mov [ofn.lpstrTitle], caption

      mov [ofn.lpstrFile], pFileName
      mov [ofn.nMaxFile],40h        ; must match the size of pFileName (was 1000h for a 40h buffer)

      jmp processed

    WmCommand:
      cmp [wparam],BN_CLICKED shl 16 + ID_File
      je getfilename
      cmp [wparam],BN_CLICKED shl 16 + ID_Patch
      jne processed
    ;---------------------------------------------------------------------------------------------
      invoke GetDlgItemText,[hWnd],ID_FileName,pFileName,40h
      mov [flags],MB_OK

      invoke IsDlgButtonChecked,[hWnd],ID_BackUp
      cmp eax,BST_CHECKED
      jne not_backup
      invoke CopyFile,pFileName,pNewFileName,FALSE

    not_backup:

      invoke CreateFile, pFileName,GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,\
             0,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,0
      cmp eax,-1                    ; INVALID_HANDLE_VALUE
      je failed
      mov [hFile], eax
      invoke GetFileSize, eax, NULL
      mov [FileSize], eax
      invoke CreateFileMapping, [hFile],NULL,PAGE_READWRITE,0,0,NULL
      test eax,eax
      jz close_file                 ; no mapping: close the file and report
      mov [hMapFile], eax
      invoke MapViewOfFile, [hMapFile],FILE_MAP_ALL_ACCESS,0,0,0
      test eax,eax
      jz close_mapping
      mov [pMemory], eax
    ;;;;;;;;;;;;;;;;;;;;Repair NTice;;;;;;;;;;;;;;;;;;;;;;;;;;

      ; esi = start of the code section in the mapped file, ecx = its length
      stdcall GetNticeCodeSize, eax
      stdcall BinSearch, esi, ecx, codebin, dword [codesize]
      cmp eax, -1
      jz unmap_failed
      add esi, eax
      sub esi, 8h                   ; back up a little: the first jnz sits 2 bytes before codebin
      stdcall BinSearch, esi, 30h, nop1, dword [size_nop1]
      cmp eax, -1
      jz unmap_failed
      add esi, eax
      mov word [esi], 9090h         ; jnz short loc_310FF -> nop nop
      stdcall BinSearch, esi, 30h, nop2, dword [size_nop2]
      cmp eax, -1
      jz unmap_failed
      add esi, eax
      mov word [esi], 9090h
      stdcall BinSearch, esi, 30h, nop3, dword [size_nop3]
      cmp eax, -1                   ; this check was missing: -1 would have written 9090h at esi-1
      jz unmap_failed
      add esi, eax
      mov word [esi], 9090h         ; jb short loc_310FF -> nop nop
      stdcall RepairCheckNum, [pMemory]
      invoke MessageBox, [hWnd],message2,caption,MB_OK

    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
      invoke UnmapViewOfFile,[pMemory]
      invoke CloseHandle,[hMapFile]
      invoke CloseHandle,[hFile]
      jmp processed
    ;---------------------------------------------------------------------------------------------
    getfilename:
      mov [ofn.Flags],OFN_EXPLORER+OFN_FILEMUSTEXIST+OFN_HIDEREADONLY
      mov [ofn.lpstrTitle],NULL
      invoke GetOpenFileName, ofn
      or eax,eax
      jz processed                  ; user cancelled the dialog: not an error
      invoke SetDlgItemText,[hWnd],ID_FileName,pFileName
      invoke lstrcpy,pNewFileName,pFileName
      invoke lstrlen,pNewFileName
      mov esi, pNewFileName
      add esi, eax
      mov dword [esi],'.bak'        ; backup name = original name + ".bak"
      mov byte [esi+4],0            ; terminate (a longer earlier pick would leave stale bytes)
      jmp processed
    ;----------------------------------------------------------------------------------------------
    unmap_failed:                   ; error after the view was mapped: release everything first
      invoke UnmapViewOfFile,[pMemory]
    close_mapping:
      invoke CloseHandle,[hMapFile]
    close_file:
      invoke CloseHandle,[hFile]
    failed:
      invoke MessageBox,[hWnd],message,caption,MB_OK
      jmp processed
    ;----------------------------------------------------------------------------------------------
    WmClose:
      invoke EndDialog,[hWnd],0


    processed:
      mov eax,1
    finish:
      pop edi esi ebx
      return
    endp

    ;--------------------------------------------------------------------------------
    ; Returns esi = pMem + BaseOfCode and ecx = BaseOfData - BaseOfCode.
    ; BaseOfCode is an RVA; using it as a file offset is only right when the
    ; raw and virtual offsets of the code section coincide, as they do here.
    proc GetNticeCodeSize, pMem

      mov esi, [pMem]
      mov eax, dword [esi+IMAGE_DOS_HEADER.e_lfanew]
      add eax, esi                  ; eax -> IMAGE_NT_HEADERS

      mov esi, dword [eax+IMAGE_NT_HEADERS.OptionalHeader+IMAGE_OPTIONAL_HEADER32.BaseOfCode]
      mov ecx, dword [eax+IMAGE_NT_HEADERS.OptionalHeader+IMAGE_OPTIONAL_HEADER32.BaseOfData]
      sub ecx, esi                  ; ecx = size of the code section
      add esi, [pMem]               ; esi = start of the code section in the mapping
      return
    endp

    ; Recompute OptionalHeader.CheckSum after patching: a 16-bit ones'-complement
    ; sum of every word in the file (with the field itself zeroed) plus the file size.
    proc RepairCheckNum, pMem

      mov esi, [pMem]
      mov edi,[esi+IMAGE_DOS_HEADER.e_lfanew]
      add edi,esi
      mov dword [edi+IMAGE_NT_HEADERS.OptionalHeader+IMAGE_OPTIONAL_HEADER32.CheckSum],0

      mov ecx,[FileSize]
      inc ecx
      shr ecx,1                     ; number of 16-bit words, rounded up
      xor eax,eax
      clc

    cal_checksum:
      adc ax,word [esi]             ; inc and loop leave CF alone, so the carry rides along
      inc esi
      inc esi
      loop cal_checksum
      adc ax,0                      ; fold the carry of the last word (was missing)
      adc ax,0                      ; ...and the carry that fold itself can produce
      mov ebx,[FileSize]
      add eax,ebx
      mov dword [edi+IMAGE_NT_HEADERS.OptionalHeader+IMAGE_OPTIONAL_HEADER32.CheckSum], eax

      return
    endp

    ;===========================================================
    ; Search sLen bytes at lpSource for the pLen-byte pattern at lpPattern.
    ; Returns eax = offset of the first match, or -1 if there is none.
    proc BinSearch,lpSource,sLen,lpPattern,pLen

      push ebx
      push esi
      push edi
      ; ----------------
      ; setup loop code
      ; ----------------

      mov esi, [lpSource]
      mov edi, [lpPattern]
      mov al, [edi]                 ; get 1st char in pattern

      mov ecx, [sLen]
      add esi, ecx                  ; add source length
      neg ecx                       ; invert sign: scan with a negative index until it reaches 0
      ; (the original did "dec [pLen]" here, which made Test_Match skip the last pattern byte)

      jmp Scan_Loop

      ; ---------------------------

    Pre_Match:
      lea ebx, [esi+ecx]            ; put current scan address in EBX
      mov edx, [pLen]               ; put pattern length into EDX

    Test_Match:
      mov ah, [ebx+edx-1]           ; load last byte of pattern length in main string
      cmp ah, [edi+edx-1]           ; compare it with last byte in pattern
      jne Pre_Scan                  ; exit loop on mismatch

      sub edx, 1
      jnz Test_Match
      jmp Match

    Pre_Scan:
      add ecx, 1                    ; start on next byte
      jns No_Match                  ; ran off the end of the source

    Scan_Loop:
      cmp al, [esi+ecx]             ; scan for 1st byte of pattern
      je Pre_Match                  ; test if it matches
      add ecx, 1
      js Scan_Loop                  ; exit on sign inversion

      ;-----------------------------

    No_Match:                       ; fall through here on no match
      mov eax, -1
      jmp isOut

    Match:
      add ecx, [sLen]               ; back to a positive offset from lpSource
      mov eax, ecx

    isOut:
      pop edi
      pop esi
      pop ebx

      return
    endp

    ;================================================================================
    ; IAT
    ;================================================================================
    section '.idata' import data readable writeable

      library kernel,'KERNEL32.DLL',\
              user,'USER32.DLL',\
              comdlg32,'comdlg32.dll'

      import kernel,\
             GetModuleHandle,'GetModuleHandleA',\
             lstrlen,'lstrlenA',\
             lstrcpy,'lstrcpyA',\
             CopyFile,'CopyFileA',\
             CreateFile,'CreateFileA',\
             GetFileSize,'GetFileSize',\
             CreateFileMapping,'CreateFileMappingA',\
             MapViewOfFile,'MapViewOfFile',\
             UnmapViewOfFile,'UnmapViewOfFile',\
             CloseHandle,'CloseHandle',\
             ExitProcess,'ExitProcess'

      import user,\
             DialogBoxParam,'DialogBoxParamA',\
             LoadIcon,'LoadIconA',\
             SendMessage,'SendMessageA',\
             CheckRadioButton,'CheckRadioButton',\
             GetDlgItemText,'GetDlgItemTextA',\
             SetDlgItemText,'SetDlgItemTextA',\
             IsDlgButtonChecked,'IsDlgButtonChecked',\
             MessageBox,'MessageBoxA',\
             EndDialog,'EndDialog'

      import comdlg32,\
             GetOpenFileName,'GetOpenFileNameA'

    ;================================================================================
    ; RSRC
    ;================================================================================
    section '.rsrc' resource data readable

      ID_Patch    = 101
      ID_File     = 102
      ID_FileName = 201
      ID_BackUp   = 401
      IDI_MAIN    = 501
      IDI_FIRST   = 502
      IDB_LOGO    = 601

      directory RT_DIALOG,dialogs,\
                RT_ICON,icons,\
                RT_GROUP_ICON,grpicons,\
                RT_BITMAP,image

      resource icons,\
               IDI_MAIN,LANG_NEUTRAL,icon_data
      resource grpicons,\
               IDI_FIRST,LANG_NEUTRAL,main_icon
      resource dialogs,\
               37,LANG_ENGLISH+SUBLANG_DEFAULT,demonstration
      resource image,\
               IDB_LOGO,LANG_ENGLISH,LogoBMP
      icon main_icon,icon_data,'main.ico'

      bitmap LogoBMP,'logo.bmp'

      dialog demonstration,'NTiceLdrPatch for DS v3.x',200,200,168,80,WS_CAPTION+WS_POPUP+WS_SYSMENU+DS_MODALFRAME
        dialogitem 'STATIC','NTice:',-1,5,40,70,8,WS_VISIBLE
        dialogitem 'EDIT','',ID_FileName,30,40,120,10,WS_VISIBLE+BS_FLAT+WS_TABSTOP,WS_EX_STATICEDGE
        dialogitem 'STATIC','IcePlus[2004]',-1,5,60,70,8,WS_VISIBLE+WS_DISABLED
        dialogitem 'BUTTON','&BackUp',ID_BackUp,75,60,40,10,WS_VISIBLE+WS_TABSTOP+BS_AUTOCHECKBOX+BS_FLAT
        dialogitem 'BUTTON','&Patch',ID_Patch,125,59,40,12,WS_VISIBLE+WS_TABSTOP,WS_EX_STATICEDGE
        dialogitem 'BUTTON','...',ID_File,153,40,11,11,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON,WS_EX_STATICEDGE
        dialogitem 'STATIC',601,-1,0,0,250,50,WS_VISIBLE+SS_BITMAP,WS_EX_STATICEDGE
      enddialog
    section '.reloc' fixups data readable discardable


  10. #10
    Kayaker ("Teach, Not Flame"; joined Oct 2000; 4,114 posts; 5 blog entries)
    Thank you, Iceplus.
    I feel better running patch code if its purpose isn't hidden, plus it makes the post more interesting.


    The key seems to be the LAR (Load Access Rights) instruction, if it fails so does the rest, hence the extra jump patches.

    Description:
    ----------------------------------

    Loads the access rights from the segment descriptor specified by the second operand (source operand) into the first operand (destination operand) and sets the ZF flag in the EFLAGS register. The source operand (which can be a register or a memory location) contains the segment selector for the segment descriptor being accessed. The destination operand is a general-purpose register.

    The processor performs access checks as part of the loading process. Once loaded in the destination register, software can perform additional checks on the access rights information.

    When the operand size is 32 bits, the access rights for a segment descriptor include the type and DPL fields and the S, P, AVL, D/B, and G flags, all of which are located in the second doubleword (bytes 4 through 7) of the segment descriptor. The doubleword is masked by 00FXFF00H before it is loaded into the destination operand. When the operand size is 16 bits, the access rights include the type and DPL fields. Here, the two lower-order bytes of the doubleword are masked by FF00H before being loaded into the destination operand.

    This instruction performs the following checks before it loads the access rights in the destination register:

    Checks that the segment selector is not null.
    Checks that the segment selector points to a descriptor that is within the limits of the GDT or LDT being accessed.
    Checks that the descriptor type is valid for this instruction. All code and data segment descriptors are valid for (can be accessed with) the LAR instruction. The valid system segment and gate descriptor types are given in the following table.
    If the segment is not a conforming code segment, it checks that the specified segment descriptor is visible at the CPL (that is, if the CPL and the RPL of the segment selector are less than or equal to the DPL of the segment selector).

    If the segment descriptor cannot be accessed or is an invalid type for the instruction, the ZF flag is cleared and no access rights are loaded in the destination operand.
    ----------------------------------


    In this case, the Softice code can be traced live and you can follow what's happening. There *are* certain areas of ntice code where a standard BPX will break, and this appears to be one of them. The code can be found with a standard byte search and you can set a BP on the proc start, for example:

    :driver ntice
    Start - BEF25000 Size - 175880
    :s BEF25000 L 175880 8D 7B 0E FC E8

    will find the code
    lea edi, [ebx+0Eh] ; pointer to "NOTEPAD"
    cld

    Start Loader32.exe with notepad and it should break.


    What I found is that the single argument (arg_0) of the function is a pointer to this data:

    Code:
    01 00 1B 00 00 10 00 01 CA 65 00 00 00 00 4E 4F .........e....NO
    54 45 50 41 44                                  TEPAD
    With the valid segment selector 001B (user mode programs in Win2K), this function *should* succeed and loader32 will break at Winmain.

    mov ebx, [ebp+arg_0]
    ...
    movzx eax, word ptr [ebx+2] ; 001B
    lar ecx, eax ; ecx was 0, now 00CFFB00
    jnz exit
    and cx, 1800h ; ecx = 00CF1800
    cmp cx, 1800h
    ...


    Why this might be failing for Iceplus in XP I couldn't say; if the segment selector is passed correctly, then there may be some other issue with access rights going on.

    Btw, the call
    .text:000310BD call sub_30431
    is a call to the function pMapSelectorToLinAddr (The Owl's definition)


    Regards,
    Kayaker
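A model of the two gates in BreakLdrProcHandle that Kayaker traces above: the checks the LAR description lists (null selector, table limit, descriptor type, DPL visibility) and then the `and cx,1800h / cmp cx,1800h` test. This is an added example, not code from the thread or from the patch's author. The "GDT" it walks is constructed; the descriptor value for selector 001B (00CFFB00) is the one from Kayaker's trace, the others are typical flat-model values, and the set of system descriptor types LAR accepts comes from the Intel manual's table, which the post mentions but does not reproduce.

```python
# Model of the checks BreakLdrProcHandle makes on the selector it is given:
# LAR (as described in the quoted manual text) followed by "and cx,1800h / cmp cx,1800h".

LAR_MASK_32 = 0x00FFFF00   # manual says 00FXFF00H; the trace above shows the X nibble kept, so keep it
SICE_CODE_MASK = 0x1800    # bit 12 = S (code/data, not system), bit 11 = type bit 3 (1 = code segment)
# Descriptor types LAR will load when S=0 (Intel SDM table; assumption, not on the page)
LAR_VALID_SYSTEM_TYPES = {1, 2, 3, 4, 5, 9, 0xB, 0xC}

# Constructed "GDT": the high doubleword of each descriptor, indexed by selector index.
# Index 3 (selector 001B) is the value from Kayaker's trace; the rest are typical flat-model values.
GDT = [
    0x00000000,   # 0: null
    0x00CF9B00,   # 1 (0008): ring-0 code
    0x00CF9300,   # 2 (0010): ring-0 data
    0x00CFFB00,   # 3 (001B): ring-3 code
    0x00CFF300,   # 4 (0023): ring-3 data
]


def decode_selector(sel):
    """Split a segment selector into index, table indicator and RPL."""
    return {"index": sel >> 3, "table": "LDT" if sel & 4 else "GDT", "rpl": sel & 3}


def decode_access_rights(ar):
    """Decode the doubleword LAR stores for a 32-bit destination operand."""
    typ, s = (ar >> 8) & 0xF, (ar >> 12) & 1
    return {
        "type": typ, "s": s, "dpl": (ar >> 13) & 3, "p": (ar >> 15) & 1,
        "avl": (ar >> 20) & 1, "db": (ar >> 22) & 1, "g": (ar >> 23) & 1,
        "kind": ("code" if typ & 8 else "data") if s else "system",
        "conforming": bool(s and typ & 8 and typ & 4),
    }


def lar(sel, gdt, cpl):
    """Return (zf, access_rights): the checks the manual lists before loading.
    The model has no LDT, so TI=1 selectors fail like an out-of-limit one."""
    if sel & 0xFFFC == 0 or sel & 4:           # null selector / no LDT here
        return 0, None
    index, rpl = sel >> 3, sel & 3
    if index >= len(gdt):                      # beyond the table limit
        return 0, None
    ar = gdt[index] & LAR_MASK_32
    d = decode_access_rights(ar)
    if not d["s"] and d["type"] not in LAR_VALID_SYSTEM_TYPES:
        return 0, None
    if not d["conforming"] and max(cpl, rpl) > d["dpl"]:   # not visible at CPL
        return 0, None
    return 1, ar


def sice_accepts(ar):
    """The listing's test once LAR succeeded: the rights describe a code segment."""
    return (ar & SICE_CODE_MASK) == SICE_CODE_MASK


def loader_break_check(sel, gdt=GDT, cpl=3):
    """Both gates, in the listing's order; the second value explains a refusal."""
    zf, ar = lar(sel, gdt, cpl)
    if not zf:
        return False, "lar failed (ZF=0): jnz taken"
    d = decode_access_rights(ar)
    if not sice_accepts(ar):
        return False, "cx & 1800h != 1800h: %s segment, jnz taken" % d["kind"]
    return True, "code segment at DPL %d: would break at WinMain" % d["dpl"]


if __name__ == "__main__":
    for sel in (0x1B, 0x23, 0x08, 0x00):
        print("%04X %s -> %s" % (sel, decode_selector(sel), loader_break_check(sel)))
```

Selector 001B passes both gates; 0023 passes LAR (ZF=1) but fails the 1800h test because it is a data descriptor, which is the difference between the two traces in this thread.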

  11. #11
    iceplus (Guest)
    Hi, Kayaker! Thanks for your annotation.
    When the segment selector is 001BH, break at WinMain succeeds. When it is 0023H, it can't break at WinMain! Why??
    Last edited by iceplus; May 20th, 2004 at 04:44.

  12. #12
    Kayaker ("Teach, Not Flame"; joined Oct 2000; 4,114 posts; 5 blog entries)
    Hi

    Right you are. 23h is a DATA segment selector (DS) and obviously doesn't meet the security requirements. If I change the .code section characteristics of notepad to C0000040, MAP32 shows the section address beginning at 23:1001000 instead of 1B:1001000, and loader32 doesn't break at Winmain.

    What occurs now is

    mov ebx, [ebp+arg_0]
    ...
    movzx eax, word ptr [ebx+2] ; 0023
    lar ecx, eax ; ecx was 0, now 00CF1000
    jnz exit ; no jump
    and cx, 1800h ; ecx = 00CF1000
    cmp cx, 1800h ; this compare fails!
    jnz exit


    Also, a packed file such as UPX normally doesn't break at Winmain with loader32, but if you change the section characteristics of the *first* section to E0000020 (executable), the segment selector becomes 001B and loader32 will break. (Interestingly it's the first section UPX0 that needs changing, even though the Entry Point is in the 2nd section UPX1).


    So I guess this little security trick of changing the characteristics of the first section fools not only W32Dasm but Loader32 as well. Either change it manually, or in the case of crc checks, your ntice.sys patch would seem to be useful.

    Cheers,
    Kayaker
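The two PE-level pieces of this thread in Python, as an added example that is not code from the thread or from the patch's author: the checksum repair that RepairCheckNum performs in iceplus's FASM source, and a check of the section Characteristics that Kayaker changes above (E0000020 versus C0000040) on the first section and on the section holding the entry point. Everything it runs on is a constructed PE produced by build_pe; the names and flag values in it are placeholders, not those of notepad.exe, UPX output or ntice.sys.

```python
import struct

# Section Characteristics bits (values from the PE/COFF spec)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def nt_headers_offset(data):
    """e_lfanew, after checking the MZ and PE signatures."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    nt = struct.unpack_from("<I", data, 0x3C)[0]
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return nt


def checksum_field_offset(data):
    return nt_headers_offset(data) + 24 + 64   # OptionalHeader starts at +24, CheckSum at +64 in it


def pe_checksum(data, checksum_offset):
    """16-bit ones'-complement sum of every word except the CheckSum field, plus the
    file length: the same loop RepairCheckNum runs with adc ax."""
    total = 0
    for i in range(0, len(data), 2):
        if checksum_offset <= i < checksum_offset + 4:
            continue                                   # the field counts as zero
        hi = data[i + 1] if i + 1 < len(data) else 0   # odd trailing byte
        total += data[i] | (hi << 8)
        total = (total & 0xFFFF) + (total >> 16)       # end-around carry, as adc does
    return (total & 0xFFFF) + len(data)


def fix_checksum(data):
    """Copy of data with OptionalHeader.CheckSum recomputed (what a patcher must do last)."""
    out = bytearray(data)
    off = checksum_field_offset(out)
    struct.pack_into("<I", out, off, pe_checksum(out, off))
    return bytes(out)


def checksum_ok(data):
    off = checksum_field_offset(data)
    return struct.unpack_from("<I", data, off)[0] == pe_checksum(data, off)


def section_report(data):
    """Whether the first section and the section holding the entry point carry
    IMAGE_SCN_MEM_EXECUTE: the flag whose absence turned the 001B code selector
    into the 0023 data selector in Kayaker's test."""
    nt = nt_headers_offset(data)
    num_sections = struct.unpack_from("<H", data, nt + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]
    entry_rva = struct.unpack_from("<I", data, nt + 24 + 16)[0]
    table = nt + 24 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, *_, chars = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vaddr, max(vsize, rawsize), chars))
    entry = next((s for s in sections if s[1] <= entry_rva < s[1] + s[2]), None)
    return {
        "first_section": sections[0][0],
        "first_executable": bool(sections[0][3] & IMAGE_SCN_MEM_EXECUTE),
        "entry_section": entry[0] if entry else None,
        "entry_executable": bool(entry and entry[3] & IMAGE_SCN_MEM_EXECUTE),
    }


def build_pe(sections, entry_index):
    """Constructed minimal PE32 for testing: sections is a list of (name, characteristics),
    each given one 0x200-byte raw block. Not a real notepad.exe or ntice.sys."""
    e_lfanew, opt_size, hdr_size = 0x40, 0xE0, 0x200
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000 * (entry_index + 1) + 0x10)  # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)         # ImageBase, alignments
    struct.pack_into("<I", opt, 60, hdr_size)                          # SizeOfHeaders
    table = b"".join(
        struct.pack(SECTION_HDR, name.ljust(8, b"\0"), 0x200, 0x1000 * (i + 1), 0x200,
                    hdr_size + 0x200 * i, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    headers = (dos + b"PE\0\0" + file_hdr + bytes(opt) + table).ljust(hdr_size, b"\0")
    return headers + b"\xC3" * (0x200 * len(sections))                 # constructed section bodies


if __name__ == "__main__":
    for spec, ep in (([(b".text", 0x60000020)], 0),
                     ([(b".text", 0xC0000040)], 0),
                     ([(b"UPX0", 0xC0000080), (b"UPX1", 0xE0000040)], 1)):
        pe = fix_checksum(build_pe(spec, ep))
        print(section_report(pe), "checksum ok:", checksum_ok(pe))
```

A report where the first section or the entry section lacks IMAGE_SCN_MEM_EXECUTE is the condition Kayaker describes; an image whose stored checksum does not verify is what a patched ntice.sys looks like before RepairCheckNum runs.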

  13. #13
    pLayAr (Guest)
    Anyone who uses
    bpx Kernel32!BaseProcessStart ?

  14. #14
    dELTA (Administrator; joined Oct 2000; location: Ring -1; 4,206 posts; 5 blog entries)
    I guess that would work too, although it might be a bit tedious since you have to single-step to the real EP after this one breaks, right?

  15. #15
    Navin (Guest)
    Guys, I still can't make SoftICE (DS 3.1) break on WinMain. IcePlus's patch doesn't work for me. OS: WinXP Pro SP2. Hope you would suggest another solution...
