
Thread: NTice.sys Patch for DriverStudio v3.x,fix problem of Symbol Loader not breaking at Wi

  1. #16
    pLayAr
    Guest


    Quote Originally Posted by dELTA
    I guess that would work too, although it might be a bit tedious since you have to single-step to the real EP after this one breaks, right?
    bpx Kernel32!BaseProcessStart+20
    then after ONE single-step, it's the EP
    Last edited by pLayAr; May 22nd, 2004 at 09:31.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #17
    Navin
    Guest
    The problem now is

    :BPX Kernel32!MainProcess
    :Symbol not defined (Kernel32!MainProcess)
    :BPX Kernel32!MainProcess+20
    :Symbol not defined (Kernel32!MainProcess+20)
    :BPX Kernel32
    :Symbol not defined (Kernel32)
    :BPX Kernel
    :Symbol not defined (Kernel)
    :BPX KERNEL
    :Symbol not defined (KERNEL)

    Meanwhile, BPXs on memory addresses set fine.

    Do you know what this is?

  3. #18
    Kayaker
    Navin, please do a board search for "Symbol not defined winice.dat" and read the Using SoftICE and SoftICE Command Reference pdf manuals. Your problem is very common and is caused by not reading/understanding the instructions provided with Softice.

  4. #19
    Navin
    Guest
    Yup, I've read all related topics. But the problem is much more complex.

    :exp kernel32! <--- Listing of all functions, but there is no 'MainProcessStart'. I've also tried different breakpoints such as 'MessageBoxA' etc. They appear in the listing (BL), but it seems like they don't work; SI doesn't break on execution of any API...

    Suggestions, notes, feedback are welcome

  5. #20
    ZaiRoN
    seems like they don't work, SI doesn't break on execution of any API...
    It could be related to the BreakInSharedMods env variable. Try to set the variable to ON (if you have not already done so).
    Since we are leaving the main discussion of this thread, if your problem has never happened to someone else, please open a new thread.

    Good luck,
    ZaiRoN

  6. #21
    Timbo
    Guest
    Did it work before the patch was applied? (I don't think so!)
    You have SP2; did you download ntoskrnl.pdb (the right one!),
    translate it into nms and load it in winice.dat?
    If correctly loaded, EXP should be available.

    Feedback welcome

  7. #22
    Navin
    Guest
    The patch doesn't matter, same results. I'm trying now to get ntoskrnl.pdb and other pdb's, but not successfully up to this moment. Symbol Loader doesn't want to download pdb's and MS policy doesn't let me download symbols (have no license, sorry Bill G., nothing personal)..... Ok, and for the topic - my SI doesn't break on WinMain.

  8. #23
    Navin
    Guest
    If correctly loaded, EXP should be available
    BTW, I can load kernel32.dll, user.dll etc. without nms files. 'exp *' shows a listing of all functions (about 300) but there is no 'MainProcessStart' ...

    I jumped on this thread till now
    http://woodmann.com/forum/showthread.php?p=36797#post36797

  9. #24
    pLayAr
    Guest
    You must get the nms file, and then you will find kernel32!BaseProcessStart (not MainProcessStart).

    Another method below:
    Use Symbol Loader to load a file so that SI can break on the Entry Point (or use LordPE's "break & enter"), then "u esp"; you will find the point, and this address will NOT change UNTIL your system's next update.


    the code is like this:
    _BaseProcessStart:
    push 0c
    push 77e71210
    call __SEH_prolog
    and dword ptr [ebp-4],0
    push 4
    lea eax,[ebp+8]
    push eax
    push 09
    push fe
    call [ __imp__NtSetInformationThread ]
    call [ EBP + 8 ] // here call the new process' Entry Point !!
    push eax // "u esp" at EP will get there

    I hope this is helpful.

  10. #25
    Navin
    Guest
    Hm. Can't even get the PDB files (Symbol Loader shows "Error Download"). So there is no 'BaseProcessStart'; I see BaseProcessInit... etc. but not what you said. Ok, I'll try 'break & enter', thanks a lot.

  11. #26
    pLayAr
    Guest
    Just follow my steps: once it breaks on the EP (any .exe file), "u esp" (you can see this when OD loads a file), and that's the point.
    Last edited by pLayAr; May 23rd, 2004 at 11:25.

  12. #27
    Navin
    Guest
    Man, you're my saviour! God bless you

  13. #28
    bilbo

    Good work!

    Good work, IcePlus!

    But where did you find NTICE symbols such as BreakLdrProcHandle, LoadProcName, StringCmpareNoAa, AddressInCur, BreakViewType ???

    Regards, Bilbo.

  14. #29
    Kayaker
    Quote Originally Posted by bilbo
    Good work, IcePlus!

    But where did you find NTICE symbols such as BreakLdrProcHandle, LoadProcName, StringCmpareNoAa, AddressInCur, BreakViewType ???

    Regards, Bilbo.
    I've noticed Iceplus online a few times but not replying; in case she(?) has trouble formulating an answer in English, I'd say these are made-up descriptive names from good intuitive reversing, not any kind of NTICE symbols.

    StringCmpareNoAa is an obvious string check routine from the disassembly.

    LoadProcName is a pointer to a byte value that gives the length of the text that follows (something Sice uses elsewhere as well, i.e. 07h then the string "Notepad"). It's actually a little clearer *without* the descriptive name as to which is the pointer to the text length (unk_E2FD2), and which is the pointer to the string itself (unk_E2FD3).

    .text:00031072 movzx ecx, unk_E2FD2 ; "LoadProcName"
    .text:00031079 inc ecx ; used as a counter in the StringCmpareNoAa call
    .text:0003107A mov esi, offset unk_E2FD3


    AddressInCur - if you look at my listing of (arg_0) you see the value of this variable at [ebx+4] is 01001000, the load address of notepad.

    BreakViewType - The Owl defines this same variable as dBreakReason. See Sten's IceExt source for defines of the various Break Reason values (BREAK_SYMBOL_LOADER equ 0x10004h). More good intuitive reversing here!

    BreakLdrProcHandle - not sure about the handle part, but if you trace back far enough you see the function is called when a module is loaded, string ref to
    NTICE: Load32 START=%x SIZE=%x KPEB=%x MOD=%s',0

    etc...
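An added example (not from the thread or from NTICE itself) that models the two data items Kayaker reverses above: the length-prefixed LoadProcName buffer (07h, then "Notepad") and the "NTICE: Load32 START=%x SIZE=%x KPEB=%x MOD=%s" notification, so a reader can see how the case-insensitive name check picks out the load address observed as AddressInCur. All byte and log values are constructed, and the function names are my own.

```python
import re

# Constructed: what the Symbol Loader leaves at unk_E2FD2/unk_E2FD3 after
# opening notepad.exe: one length byte, then the text (no terminator assumed).
LOAD_PROC_NAME = bytes([7]) + b"Notepad"

# Constructed module-load notifications in the layout of the NTICE format
# string; the exact MOD spelling NTICE uses is not known, so it is assumed.
LOAD32_LINES = [
    "NTICE: Load32 START=77e60000 SIZE=f6000 KPEB=81234560 MOD=kernel32.dll",
    "NTICE: Load32 START=1001000 SIZE=14000 KPEB=81234560 MOD=NOTEPAD.EXE",
]

LOAD32_RE = re.compile(
    r"NTICE: Load32 START=(?P<start>[0-9a-fA-F]+) SIZE=(?P<size>[0-9a-fA-F]+) "
    r"KPEB=(?P<kpeb>[0-9a-fA-F]+) MOD=(?P<mod>\S+)$"
)


def read_load_proc_name(buf: bytes) -> str:
    """Decode the length-prefixed name: buf[0] is the length, buf[1:] the text."""
    n = buf[0]
    return buf[1:1 + n].decode("ascii")


def string_compare_no_case(a: str, b: str) -> bool:
    """Case-insensitive compare, the job of the routine dubbed StringCmpareNoAa."""
    return a.lower() == b.lower()


def module_matches_target(mod: str, target: str) -> bool:
    """MOD carries a file name (NOTEPAD.EXE); the loader's name has no extension."""
    base = mod.rsplit(".", 1)[0]
    return string_compare_no_case(base, target)


def find_load_address(lines, load_proc_name=LOAD_PROC_NAME):
    """Return START of the module whose name matches the loader's target, i.e.
    the value seen as AddressInCur (01001000 for notepad), or None if no
    notification matched."""
    target = read_load_proc_name(load_proc_name)
    for line in lines:
        m = LOAD32_RE.match(line)
        if m and module_matches_target(m.group("mod"), target):
            return int(m.group("start"), 16)
    return None
```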

  15. #30
    iceplus
    Guest
    Quote Originally Posted by Kayaker
    I've noticed Iceplus online a few times but not replying, in case she? has trouble formulating an answer in English.
    Yes, I am online every day, but my English is too bad!
    Who is OWL?
    Last edited by iceplus; May 25th, 2004 at 02:31.