Thread: Old winice (vxd) & relocation

  1. #1
    Timbo
    Guest

    Old winice (vxd) & relocation

    I'm trying to understand how the old winice.exe vxd combination
    is relocating. Anyone know how? NZ?
    It's not a PE, I know.

  2. #2
    Kayaker
    Teach, Not Flame
    Join Date: Oct 2000
    Posts: 4,143
    Blog Entries: 5
    Hi

    Not sure exactly what you're getting at, but the vxd is in LE format and will be loaded somewhere above 0C0000000h, the base address for the system shared region in Win9x. The exact starting address can be obtained from the Softice 'VXD' command, or programmatically if need be.

    K.

  3. #3
    Timbo
    Guest
    Well, I mean,
    who calculates something like this:
    mov esi, address
    in hex seen only as
    BE 00 00 00 00

    So how does the address get into these zeros?
    I didn't see any reloc section
    (like in ntice.sys 8 -> reloc)
    inside this winice.exe (vxd inside).

    How is it done?

    Well, I really should wipe W9X.

  4. #4
    Kayaker
    Teach, Not Flame
    Join Date: Oct 2000
    Posts: 4,143
    Blog Entries: 5
    I'm not sure exactly how the OS maps vxd sections. I think it's dependent on load order, size of the sections, available memory, etc., and not on any inherent reloc info as might exist in PE files. I haven't got things installed any longer to look into it further.

    The easiest thing to do is get the "real" starting address of the driver sections with the 'VXD' command and calculate the offset from the disassembled addresses as seen in IDA. You can then use this raw->virtual offset to unassemble selected instructions and read the real Data variable addresses from the Softice window.

    If you were really interested, you could look into how the Vxd_Desc_Block DDB structure was initialized when a driver is loaded, along with the Device_Location_List, ObjectLocation and other structures which define linear address and other info about a driver. But methinks this is not the case.
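An added example, not code from this thread: a small Python parser for the object table of an LE-format VxD, plus the raw->virtual rebasing step Kayaker describes in #4. The sample image and the runtime bases (0xC0E41000 / 0xC0E43000) are constructed, and the header field offsets (0x3C e_lfanew, 0x40/0x44 object table, 0x68/0x6C fixup tables) are assumed from the LE/LX format layout.

```python
import struct

# LE header field offsets, relative to the 'LE' signature (assumed from the LE/LX layout).
OBJ_TABLE_OFF = 0x40    # object table offset; object count follows at 0x44
FIXUP_PAGE_OFF = 0x68   # fixup page table offset; fixup record table offset follows at 0x6C
OBJ_ENTRY_SIZE = 24     # vsize, reloc base, flags, page index, page count, reserved

def find_le_header(data):
    """Return the file offset of the LE header that the MZ stub points at."""
    lfanew = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else 0
    if data[lfanew:lfanew + 2] != b"LE":
        raise ValueError("not an MZ/LE image")
    return lfanew

def read_objects(data):
    """Parse the object table: link-time base and virtual size of each object."""
    le = find_le_header(data)
    tbl_off, count = struct.unpack_from("<II", data, le + OBJ_TABLE_OFF)
    objs = []
    for i in range(count):
        vsize, base = struct.unpack_from("<II", data, le + tbl_off + i * OBJ_ENTRY_SIZE)
        objs.append({"obj": i + 1, "base": base, "vsize": vsize})
    return objs

def fixup_tables(data):
    """Offsets of the fixup page/record tables the loader applies to zeroed operands like 'BE 00 00 00 00'."""
    le = find_le_header(data)
    return struct.unpack_from("<II", data, le + FIXUP_PAGE_OFF)

def rebase(addr, objs, runtime_bases):
    """Map a static-disassembly (IDA) address to its loaded address using the bases the VXD command reports."""
    for o in objs:
        if o["base"] <= addr < o["base"] + o["vsize"]:
            return addr - o["base"] + runtime_bases[o["obj"]]
    raise ValueError("address not inside any object")

def build_sample_image():
    """Constructed LE image (not a real VxD): MZ stub, LE header, two objects."""
    img = bytearray(0x200)
    le = 0x40
    img[0:2], img[le:le + 2] = b"MZ", b"LE"
    struct.pack_into("<I", img, 0x3C, le)                       # e_lfanew -> LE header
    struct.pack_into("<II", img, le + OBJ_TABLE_OFF, 0xC4, 2)   # table right after the header
    struct.pack_into("<II", img, le + FIXUP_PAGE_OFF, 0x140, 0x150)
    tbl = le + 0xC4
    struct.pack_into("<6I", img, tbl, 0x1000, 0x1000, 0x2005, 1, 1, 0)       # obj 1: code
    struct.pack_into("<6I", img, tbl + 24, 0x800, 0x2000, 0x2003, 2, 1, 0)   # obj 2: data
    return bytes(img)
SAMPLE = build_sample_image()
RUNTIME = {1: 0xC0E41000, 2: 0xC0E43000}   # constructed: bases as the VXD command would show them
```

With a real winice VxD, replace SAMPLE with the file's bytes and RUNTIME with the per-object bases the 'VXD' command prints; `rebase` then gives the address to unassemble in Softice for any address IDA shows.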
