
Thread: The Softice-Won't-Work-In-XP/API-Hook-Failed!!! FAQ

  1. #1
    grimani
    Guest

    The Softice-Won't-Work-In-XP/API-Hook-Failed!!! FAQ

    a quick little FAQ for those like me who can't seem to get softice to work and are too scared of mods to ask for help.

    disclaimer: i tried a million things to get softice to work. it works now on XP SP2 with all the latest updates (i think), and i think the following steps are why...but accuracy is NOT guaranteed.

    (i) what's this API hook failed thing?

    softice needs to insert itself in between all system level API calls in order to work. hence it needs to know where in memory critical functions (ntterminateprocess, ...) reside. i guess this is typically stored in the osinfo.dat and osinfob.dat files. unfortunately, yours are out of date.

    (ii) why is it out of date?

    in my case, i installed security update KB890859 which includes a new version of the kernel, presumably to close holes in the old one.

    whenever a new version of the kernel (which lives at c:\windows\system32\ntoskrnl.exe) is released, addresses get all shuffled and new versions of osinfo.dat/osinfob.dat need to be used. since compuware is lazy, you're out of luck.

    thankfully, i found a compuware document via google that describes another solution.

    (iii) symbols

    function names and the like are usually stripped from executables during the compiling process, if they are meant for public consumption. if code is still in development, debug executables are compiled which keep all this information intact.

    to debug retail (public) executables, one can generate "symbols" that debuggers then load. symbols are needed by the debugger to figure out what function is what, what parameters it takes, where it is, etc.

    so softice, being a debugger, has functionality to load symbols - it's necessary in debugging.

    and why isn't softice working? it doesn't know where important functions live...!

    clearly the solution is to load symbols for all the important API calls. these reside in a variety of files, including:

    hal.dll
    ntoskrnl.exe
    ntdll.dll
    kernel32.dll
    user32.dll
    csrsrv.dll
    basesrv.dll
    winsrv.dll

    we want to get symbols for them. but microsoft developed/compiled these files, not us..

    (iv) downloading symbols with symbol retriever

    so we need to get symbols from microsoft. microsoft provides a DDK that apparently contains a pretty comprehensive set of symbols for their code. however, my suspicion is that the DDK is out of date or applies only for vanilla installs of the operating system. so that's out of the question.

    alternately, microsoft runs a symbol server (never knew they did that!) through which 'authorized' programs can download symbols. authorized in this case i think means the symbol retriever that comes with windbg, microsoft's debugging tool.

    softice also has a symbol retriever. you can try to run it on the above files. it doesn't work. why? because, as with all things softice, it's out of date and symbol server doesn't want to play ball.

    a very helpful post somewhere (here? exetools? i forget) notes though that one can copy the symsrv.dll file from the windbg distribution into the symbolretriever directory in softice and overwrite the old symsrv.dll that softice has.

    voila! symbol retriever works.

    (v) generating nms files

    microsoft debugging information is stored in .dbg or .pdb files. softice, for reasons unknown, uses .nms files. i assume that stands for numega symbols.

    but symbol retriever can convert .dbg to .nms. have it do that.

    (vi) loading symbols

    almost done. we still gotta tell softice to load those damn symbols. edit c:\windows\system32\drivers\winice.dat

    that file contains most of the settings that softice looks at while loading. add a new line at the top:
    NTSYMBOLS=ON

    this will tell softice to use symbol files instead of osinfo.dat.

    look to the INIT= line. remove the X;

    INIT contains the commands that softice will run after starting up. X means stop debugging and let everything run. if softice doesn't work you want to see the errors, which means staying in softice. you can put the X; back in later if you'd like.

    save the file, now go into the settings program and click on symbols. add all the nms files you generated.

    save everything, close all unnecessary programs. now try running softice:

    start|run|cmd.exe

    net start ntice

    cross your fingers and hope for the best. remember that, if even scrushy can be innocent, perhaps there is a god, however blind He may be, after all......



    other stuff

    (vii) firewalls? antivirus?

    firewalls and antivirus programs frequently also hook into the API. certain spying programs that people install to covertly monitor computer usage may also do the same thing.

    these things may conflict with softice. i uninstalled norton systemworks (it's a slow piece of shit anyway that takes over the computer) in the middle of my quest to get softice working.

    was that necessary? dunno...but softice works now and i'm not about to jeopardize that.

    speaking of norton, systemworks has tentacles everywhere, and the uninstaller is a little too ill conceived to kill all of them. search on the norton website for some utilities (they have 4!) that can remove all traces of the beast. i think i had to run all 4...which is a pain, but much better than trouncing through the registry on my own.

    (viii) usb, mice, keyboards, and other random woes.

    just to make things easy on yourself, disable the mouse just to keep things simple. i have a laptop with an internal usb wifi card. i turned that off too.

    if you get softice to work without usb support then you can look into getting usb devices working.

    lotta people have keyboard issues, but thankfully i have had none.

    finally, i installed softice on my laptop. the touchpad doesn't work. probably a driver issue. it probably won't work on yours either. synaptics has some document somewhere that mentions softice specifically.

    (ix) video issues

    had none, so won't comment. just try universal video driver
    I promise that I have read the FAQ and tried to use the Search to answer my question.
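    Step (vi) above as a script, added here as a worked example and not code from grimani's post or from Compuware: it rewrites a winice.dat so that NTSYMBOLS=ON is the first line and the X; command is dropped from INIT=, and running it twice gives the same file. The sample winice.dat below is constructed for the example; which keys a real install carries, and the quoted-string form and contents of its INIT= line, are assumptions. The .nms list is still added through the Settings program as the post describes.

```python
"""Apply the winice.dat edits from step (vi): NTSYMBOLS=ON at the top and no
X; in INIT=.  Added example for this thread, not code from the post or from
Compuware; run it once or ten times and the result is the same."""
import re
import sys

# Constructed sample in the shape of a winice.dat.  Which keys a real install
# carries and what its INIT= line holds are assumptions made for the example.
SAMPLE_WINICE_DAT = """PENTIUM=ON
NMI=ON
INIT="CODE ON; LINES 60; WC 30; WD 8; WL; X;"
EXP=c:\\windows\\system32\\drivers\\winice.dat
"""

# Assumed layout of the INIT= line: a double-quoted, semicolon-separated list.
INIT_RE = re.compile(r'^(INIT=")(.*)(")\s*$', re.I)


def strip_x_from_init(line):
    """Drop the X; (exit to Windows) command from an INIT= line so SoftICE
    stays on screen after loading and any symbol errors can be read."""
    m = INIT_RE.match(line)
    if not m:
        return line
    cmds = [c.strip() for c in m.group(2).split(';')]
    cmds = [c for c in cmds if c and c.upper() != 'X']
    body = '; '.join(cmds) + (';' if cmds else '')
    return f'{m.group(1)}{body}{m.group(3)}'


def patch_winice(text):
    """Return winice.dat text with NTSYMBOLS=ON as the first line (an existing
    NTSYMBOLS= line is switched to ON in place) and X; removed from INIT=."""
    out = []
    found_ntsymbols = False
    for line in text.splitlines():
        key = line.split('=', 1)[0].strip().upper()
        if key == 'NTSYMBOLS':
            line = 'NTSYMBOLS=ON'
            found_ntsymbols = True
        elif key == 'INIT':
            line = strip_x_from_init(line)
        out.append(line)
    if not found_ntsymbols:
        out.insert(0, 'NTSYMBOLS=ON')
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    if len(sys.argv) > 1:
        # Patch a real file in place (take a copy of it first).
        path = sys.argv[1]
        with open(path, 'r', encoding='latin-1') as f:
            original = f.read()
        with open(path, 'w', encoding='latin-1') as f:
            f.write(patch_winice(original))
    else:
        print(patch_winice(SAMPLE_WINICE_DAT), end='')
```

    With no argument it patches the constructed sample and prints the result; with a path it rewrites that file in place, so back up the real winice.dat first.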

  2. #2
    BRAVO........

    You did an excellent job of troubleshooting.
    How about making us an essay/paper ??

    Regards, woodmann

  3. #3
    Is it okay to copy your post and post it elsewhere? It will of course be credited to you

  4. #4
    Bu3no
    Guest
    What a great troubleshooting guide you wrote there, grimani, it was all I needed to get Softice to work on Win XP! I had problems with the symbol retriever too.... well, looks like you solved that.

    Now if I had known that before making that multi-[ass]boot with win98, I wouldn't have formatted my HD like 4 times before getting the multi-boot to work :P.

    Well, thanks again!

  5. #5
    csin
    Guest
    Compuware has a fix for this issue... You can get it from them or you can dl it from my site... h&&p://w&w.csin.host.sk/DS3.2.1.WinXP Patch.zip

    Note, this is for driver studio 3.2.1 ONLY!!!
    Last edited by csin; September 5th, 2005 at 01:55.

  6. #6
    Well, csin !
    How do you use this patch? And where did you find it on the compuware site? I searched on compuware.com and on the frontline site and never found it, let us know please!

  7. #7
    Nice work, but it doesn't help here... the symbols get imported but the error still remains. Maybe I have to change something to retrieve localized versions? I don't know...

    I tried compuware's two OS files as well.. but no luck with them either.

    Very strange.. the MS kernel update has been out for weeks (months) and still no update from compuware yet...

    What's 3.2.1? The beta version?

    WinXP-SP2 .de
    hal.dll - 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ntoskrnl.exe - 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
    ntdll.dll - 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    kernel32.dll - 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    user32.dll - 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
    csrsrv.dll - 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    basesrv.dll - 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    winsrv.dll - 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)

    Edit: h**p://w*w.microsoft.com/whdc/devtools/debugging/symbolpkg.mspx
    There are no localized versions...
    Windows XP and Windows Server 2003 do not require localized symbols in order to debug localized versions of the product. Each Windows XP and Windows Server 2003 symbol download package works for debugging all localized versions.
    Last edited by Uridium; September 17th, 2005 at 23:37.

  8. #8

    Uridium, the symbol packages available for download from the MS website are always outdated. Use the dedicated symbol server to retrieve the proper, current symbol files. To make the symbol retriever work, you will have to download the latest windbg package (free download from MS, just google) and copy the symsrv.dll over to the softice folder. Note that there are at least two instances of symsrv.dll in the softice folder, make sure to replace all of them with the newer version. This way will also deal with localized file versions where needed.
    Which particular error do you get? I noticed that SI works better if I set it to manual start and then run it with the net start command. Loading at boot time seems to be a bit unstable, if you need boot time support, you'll probably have to look for another set of tools.
    That reminds me of my own wishlist: an ICE for vmware and the like
    Double the killers!

  9. #9
    Yep, noticed it already.. the MS package symbols cannot be translated with symbol loader. Symbol retriever downloads instead are working but don't help with the problem. Here's a log. Maybe I miss something... 'NTSYMBOLS=ON' is set. Startup mode is 'manual'.
    Last edited by Uridium; September 20th, 2005 at 13:30.

  10. #10

    While looking at the log I saw this:

    NTICE: KDExtensions are disabled KDHeapSize=00000000 and KDStackSize=00000000

    Is that intentional?

    The rest seems okay until the 0E exception occurs. Doh! Smells a bit fishy indeed. I have no remedy at hand for you, but I'll see if I can get this error, too

  11. #11
    Quote Originally Posted by laola
    Is that intentional?
    I don't even know what KDExtensions are... But I didn't change anything besides disabling remote debugging and the initial commands already listed in the log.

    <ctrl-d> works every time, but sistart.exe or net start hangs at 99% cpu and the log/console continuously fills up with output like that listed in the log above.

    'Set BreakInSharedMods ON' doesn't work (->unknown).

    Thanks for taking care... But don't spend too much time on this. I think (hope) it will be officially fixed soon...

  12. #12
    Int03h
    Guest
    Was anyone able to download the "WinXP Fix" for DriverStudio 3.2.1? The link csin gave is not working.

  13. #13
    I tried it but it didn't help/work. Don't have it anymore though. I couldn't find anything related to such a patch at Compuware's support site. Maybe it was just an internal beta patch fixing something else... Until now softice doesn't run for me; wondering why the forum doesn't get spammed by 'Help!!!!!! Softice doesn't work!!!!!" threads.

  14. #14
    Kayaker
    Quote:
    <ctrl-d> works every time but sistart.exe or net start hangs at 99% cpu and the log/console continuously fills up with output like listed in the log above.

    Quote:
    wondering why the forum doesn't get spammed by 'Help!!!!!! Softice doesn't work!!!!!" threads
    Who says we don't?

    I compared your output to my logfile and it looks perfect up until the error message. I can tell you don't have hyperthreading technology, or don't have it enabled, because there is only 1
    NTICE: Hooking IOAPIC vector at 93
    line, with HT you'd have 2. If you do have HT you should enable it.
    As for the KDExtension settings, you can search for that on this board if interested but they're not critical here.

    However, Softice poured out its little heart to try to give you useful debugging information, can you not make use of it?


    *001
    *Int0E Fault in SoftICE at address B05EDECB offset 00096C43
    *Fault Code=00000001

    If you disassemble Sice and search for the string 'Fault Code=' you can see how it and the previous error messages are created. Since they're part of a larger error handling routine they can't really be traced back to the error very well.

    What you should do though is type 'driver ntice' in Softice and get the base address of Sice, then add the offset 00096C43 to it and check the faulting instruction. Also check the address B05EDECB. Also check the value in EDI given in the RawStackDump. Out of curiosity, what *is* your Softice starting address, relative to this output?

    I don't know if this is a precise match, but on my XP system, offset 00096C43 happens to match a string parsing routine of system driver names. It's a buffer access instruction which could perfectly cause such a page fault (Int0E) error. You should check this address to see if it accesses such a string buffer. Fault Code=00000001 may mean ACCESS_VIOLATION_WRITE, which is consistent with an EXCEPTION_ACCESS_VIOLATION error.


    *FrameEBP RetEIP Syms Symbol
    *B09D8CD0 F776F7AC N NTice!.text+00098B4B

    You should also check this offset (relative to Sice), as well as the RetEIP disassembly to see if there is any indication where your fault came from.


    *NTICE: NTRaiseHardError found at index 00B6. Delta=0000038A

    A strange location for this one, it should have occurred earlier in the preload.


    *0008:B05580B6 EBFE JMP B05580B6 (JUMP )

    I've seen this before in internal Sice crashes. I think it's how Sice (or the system perhaps at this point) handles such an error. The fact that the last 2 messages are interspersed with other NTICE: loading messages (after the preload) indicates the error handling routine is running in a separate system thread while Sice continues to load properly. The EBFE seems to put the thread in an eternal spin lock, this may be an effective way to just halt the thread while allowing the rest of the system to function properly.


    *NTICE: Load32 START=00FB0000 SIZE=13000 KPEB=85856590 MOD=browselc
    *NTICE: Unload32 MOD=browselc

    This occurs 3 times immediately after the error msg. It may mean nothing, but you might actually check to see what is trying to load this and completely disable the program. There is something I saw in the string parsing routine I mentioned (when I used your faulting offset on my system), that leads me to think it might be a driver conflict with another program. It's worth a shot at least.

    You might also check this thread and make sure your video settings are OK
    http://www.woodmann.com/forum/showthread.php?t=7199

    Good luck with it.

    Kayaker
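    The arithmetic Kayaker asks for, carried out on the log lines he quotes, as an added worked example that is not part of his post: it reads the excerpt, derives the NTice load address that the "address/offset" pair implies, derives where the NTice!.text+00098B4B symbolisation of RetEIP puts .text, reports whether the two agree (they do not, which is exactly why the real starting address from 'driver ntice' is worth knowing), expresses the EBFE self-jump relative to the implied base, and decodes the Fault Code. The decoding assumes SoftICE's "Fault Code" is the raw x86 page-fault error code pushed by the CPU (bit 0 = page present, bit 1 = write, bit 2 = user mode); the post does not say that it is, so treat that part as an assumption. The log lines in the block are copied from the post.

```python
"""Work through the numbers in the SoftICE crash excerpt quoted above.
Added example for this thread; the log lines are copied from the post, the
address arithmetic and the x86 #PF error-code decoding are mine, and the
assumptions are marked in comments."""
import re

# Copied verbatim from the log excerpt quoted in the post above.
LOG_EXCERPT = """*001
*Int0E Fault in SoftICE at address B05EDECB offset 00096C43
*Fault Code=00000001
*FrameEBP RetEIP Syms Symbol
*B09D8CD0 F776F7AC N NTice!.text+00098B4B
*0008:B05580B6 EBFE JMP B05580B6 (JUMP )
"""

FAULT_RE = re.compile(r'Int0E Fault in SoftICE at address ([0-9A-F]{8}) offset ([0-9A-F]{8})')
CODE_RE = re.compile(r'Fault Code=([0-9A-F]{8})')
FRAME_RE = re.compile(r'^\*([0-9A-F]{8}) ([0-9A-F]{8}) \S+ (\S+)\+([0-9A-F]{8})$', re.M)
SPIN_RE = re.compile(r'^\*[0-9A-F]{4}:([0-9A-F]{8}) EBFE JMP ([0-9A-F]{8})', re.M)


def decode_pf_error_code(code):
    """Decode an x86 page-fault (#PF) error code.  Assumption: SoftICE's
    'Fault Code' is the raw code the CPU pushed; the post does not say so."""
    return {
        'present': bool(code & 0x1),        # 1 = protection violation on a present page
        'write': bool(code & 0x2),          # 0 = read access, 1 = write access
        'user': bool(code & 0x4),           # 0 = kernel mode, 1 = user mode
        'reserved_bit': bool(code & 0x8),   # reserved bit set in a paging entry
        'instruction_fetch': bool(code & 0x10),
    }


def analyze(log):
    """Return the load addresses implied by the excerpt and the decoded code."""
    fault, code = FAULT_RE.search(log), CODE_RE.search(log)
    frame, spin = FRAME_RE.search(log), SPIN_RE.search(log)
    if not (fault and code and frame and spin):
        raise ValueError('log excerpt is missing one of the expected lines')
    fault_addr = int(fault.group(1), 16)
    offset = int(fault.group(2), 16)
    # If 'offset' is relative to the NTice load address, this is that address.
    base_from_fault = (fault_addr - offset) & 0xFFFFFFFF
    ret_eip = int(frame.group(2), 16)
    sym_off = int(frame.group(4), 16)
    # SoftICE symbolised RetEIP as NTice!.text+X, so this is where it
    # believes .text begins; compare it with the value above.
    text_from_frame = (ret_eip - sym_off) & 0xFFFFFFFF
    spin_addr = int(spin.group(1), 16)
    return {
        'fault_addr': fault_addr,
        'offset': offset,
        'base_from_fault': base_from_fault,
        'text_from_frame': text_from_frame,
        'bases_agree': base_from_fault == text_from_frame,
        'spin_loop_self_jump': spin_addr == int(spin.group(2), 16),
        'spin_rel_to_base': (spin_addr - base_from_fault) & 0xFFFFFFFF,
        'pf': decode_pf_error_code(int(code.group(1), 16)),
    }


if __name__ == '__main__':
    r = analyze(LOG_EXCERPT)
    print(f"fault at {r['fault_addr']:08X}, offset {r['offset']:08X}")
    print(f"load address implied by fault line : {r['base_from_fault']:08X}")
    print(f".text start implied by frame line  : {r['text_from_frame']:08X}")
    print(f"agree: {r['bases_agree']}, EBFE at base+{r['spin_rel_to_base']:X}, "
          f"self-jump: {r['spin_loop_self_jump']}")
    print('fault code bits:', r['pf'])
```

    Once the real base from 'driver ntice' is known, substitute it for base_from_fault to turn each address in the log into an offset you can look up in a disassembly of ntice.sys.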

  15. #15
    dELTA (Administrator)
    All hail our own Softice god. Damn I'm jealous.
