
Thread: The Softice-Won't-Work-In-XP/API-Hook-Failed!!! FAQ

  1. #31
    Quote Originally Posted by grimani
    a quick little FAQ for those like me who can't seem to get softice to work and are too scared of mods to ask for help---snip---
    (i) what's this API hook failed thing?
    Just getting back to comment on your FAQ and compliment you on a job well done. At first, I didn't get a lot about what you were saying, but you have come up with a recipe that should get softice working on XP for anyone.

    I hadn't noticed that I had the API hook error as well. It was about osinfo.dat and/or osinfob.dat. I changed them, it went away.

  2. #32
    Quote Originally Posted by Kayaker
    Not being thoroughly convinced, I traced the SET command and Sice does a string comparison on an ascii table which doesn't have the word BREAKINSHAREDMODS in it, so of course it fails and you get the error message.
    I was testing your hippopotamus...er...I mean your hypothesis. I set breakinsharedmods presumably ON in winice.dat and rebooted. I manually started softice and tried 'set breakinsharedmods=off'. I got the error about the variable not being recognized. So I entered 'set' by itself, and up came all the variables the set command affects. You're right, there's no mention of breakinsharedmods, but there sure are a lot of interesting variables in there.

    BTW, Kayaker, how did you trace the SET command?

  3. #33
    Kayaker
    Quote Originally Posted by WaxfordSqueers
    BTW, Kayaker, how did you trace the SET command?
    Hi Wax

    The same way I mentioned in an earlier post, with a driver I made, IceProbe to give it a name. You can also trace the SET command in IDA and see it accessing the alphabetical ascii table of supported functions and their corresponding code.

    To embark on such a zoo tour one should set up the Name/Index table as I described in

    Setting up IDA for analysing Softice functions
    http://woodmann.net/forum/showthread.php?t=6529

    When I finish an unrelated current project I may try to release IceProbe as a testing util. Right now it's a mass/mess of unfinished KDExtensions and attempts at hooking the cpthook interface (yes, FGJM still exists..) where some interesting bits reside. The real IDT values for the system interrupts that Softice hooks for example are accessed through cpthook.sys (and tracing the command IDT will get you there). This raises the possibilities of overwriting these hooks with detours of your own, consequences as yet unknown..


    To answer a couple of your earlier questions on VMWare, well, try it and you'll appreciate it. It's really the optimal reversing environment. It's a perfect match, a mirage made in heaven - run a target in Softice (even Softice itself) under the VM (any OS except 9x), stop at any time and use Ctrl-Alt to get back to your main system. Here you've got the disassembly in IDA open which you can update with things like memory contents of variables, stack values, system symbol names,...

    Then you start playing with the jigsaw pieces to put the puzzle together.

    Cheers,
    Kayaker

  4. #34
    Quote Originally Posted by Kayaker
    When I finish an unrelated current project I may try to release IceProbe as a testing util.
    would be interesting to see that.
    Quote Originally Posted by Kayaker
    To answer a couple of your earlier questions on VMWare---snip--- run a target in Softice (even Softice itself) under the VM (any OS except 9x),
    you say any OS but 9x. Does that mean you run XP, 2000, etc. instead on the VM? I'm a bit leery of loading XP under a VM because it uses at least a gig and a half of space. Do you pare it down to a skeleton for VMWare?

    Another thought, how about Visual Softice using VMWare? I'm not up on the networking aspects of VMWare and I know VSI needs two monitors and two os's. Can VMWare emulate that condition?
    Last edited by WaxfordSqueers; October 25th, 2005 at 20:52.

  5. #35
    Quote Originally Posted by Uridium
    Reinstalled windows and its working again..
    Yep.. and now, 24h later, it's broken again.. . But I got 'em. Kaspersky 5.0.390. SI will not start correctly (startsi.exe@99%). I'll not try going into that since K-labs announced a new major release for 11-2005. Just deinstalled and everything's fine again... Btw, IceExt's UnhandledException Protection isn't working any longer (unable to patch)?

  6. #36
    Quote Originally Posted by Uridium
    But i got em. Kaspersky 5.0.390. SI will not start correctly (startsi.exe@99%). ---snip---... Btw, IceExt's UnhandledException Protection isn't working any longer (unable to patch)?
    Was it the Kaspersky virus monitor? If so, why not just turn it off, or stop it loading, either in Windoze Services, if it's there, or wherever it loads. I never use the monitor anyway. Everything...and I mean everything....I download, except maybe txt files, goes through the virus scanner before I use it. Even jpeg files can be infected now.

    Are you using the very latest IceExt, which is 0.67?

  7. #37
    I use KAV just as an on-demand scanner (like you said). By shutting down the systray symbol the service shuts down as well, but it doesn't help. There's something else installed/present in the system that corrupts SI. I looked in Windows Device Manager with 'show non-present hardware' but nothing suspicious/KAV related there as well.

    Latest IceExt here v0.67. Still missing the promised ring0 mp3 player mentioned in the readme..

    Btw, why are you asking? What system do you have? I mean, if you would use xpsp2 and iceext67 you would notice yourself...
    Last edited by Uridium; October 26th, 2005 at 19:02.

  8. #38
    Quote Originally Posted by Uridium
    I use KAV just as an on-demand scanner (like you said). By shutting down the systray symbol the service shuts down as well, but it doesn't help. There's something else installed/present in the system that corrupts SI. I looked in Windows Device Manager with 'show non-present hardware' but nothing suspicious/KAV related there as well.
    In XP, look under Control Panel/Administrative Tools/Services. Scan the list for AVP or Kaspersky. I have a listing for AVP Control Centre. Right click the listing, if it's there, and hit the 'Stop' button if it's running. Then set it to Disabled in the appropriate window. Don't forget to hit 'Apply' before exiting the window.

    Quote Originally Posted by Uridium
    Btw, why are you asking? What system do you have? I mean, if you would use xpsp2 and iceext67 you would notice yourself...
    As I said in an earlier post, I have just loaded 3.2 and IceExt on XP w/SP2. I've done a few BPX's etc to confirm it was running, but that's about all. I asked because I just happened to be on Sten's site and noticed the new IceExt for 3.2. Thought maybe your problem could have been fixed by an upgrade, but apparently not.

    I have used IceExt extensively on 3.1, to hide Ice and to dump processes from memory.

  9. #39
    I'm sure the service is disabled, its something else resident.
    You have to type '!protect on' to see if iceext works.

  10. #40
    Quote Originally Posted by Uridium
    I'm sure the service is disabled, its something else resident.
    You have to type '!protect on' to see if iceext works.
    yes...but did you try what I said anyway?? If not, please smack yourself up the side of the head with some wet noodles.

    Turning the monitor off at the desktop does not get it out of memory. It's running as a service and will keep running till you turn the service off. Same as Windows firewall. You have to go into the path I mentioned and turn it off to get rid of it.

    You're right about IceExt, but I recall something I have to check out. When you first boot into Ice, you have to manually reset a hex bit. I think that might get the UnhandledExceptionFilter going. I'll get back to you. It's something about patching a CC in UnhandledExceptionFilter when you start out.

    ***newsflash ---just remembered. Oh, alright, I admit I looked it up in the archives. You do a 'd unhandledexceptionfilter' and that will bring unhandledexceptionfilter up in the Ice data window. You'll see a CC in the first byte. NOP it. i.e. change the CC to 90, and hit 'Enter'. Now try your '!protect on' and you'll see a yes beside unhandledexceptionfilter.

    I'm so happy. It's the simple little things that make the world go round. Now, if I could just get a life.
    Last edited by WaxfordSqueers; October 27th, 2005 at 04:24.
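    The service procedure WaxfordSqueers describes in #38 and #40 (stop the AV service, set it to Disabled, and note that closing the tray icon alone leaves it resident), as an added example that is not part of the thread. It is written for an elevated Windows PowerShell 5.1 or later prompt rather than the XP Services applet; the `Kaspersky|AVP` name pattern is an assumption taken from the 'AVP Control Centre' entry mentioned in the post. It also adds the check the thread is missing: an on-access AV monitor normally includes a kernel filter driver, and stopping the user-mode service does not unload that driver, which is one way Uridium's 'something else resident' can survive the service being disabled.

    ```powershell
    # Added example, not code from the thread or from Kaspersky. Requires an
    # elevated prompt. The display-name pattern is an assumption; adjust it.
    $pattern = 'Kaspersky|AVP'

    # 1. Find matching user-mode services. Get-Service does NOT list kernel drivers.
    $svcs = Get-Service | Where-Object { $_.DisplayName -match $pattern -or $_.Name -match $pattern }
    if (-not $svcs) {
        Write-Host "No service matching '$pattern' found."
    }

    foreach ($svc in $svcs) {
        Write-Host ("{0,-30} {1,-10} {2}" -f $svc.Name, $svc.Status, $svc.DisplayName)

        # 2. Stop it if it is running (the tray icon disappearing is not the same thing).
        #    -Force also stops services that depend on it. Self-protecting AV may
        #    refuse with 'Access is denied' even when elevated; that is expected.
        if ($svc.Status -eq 'Running') {
            Stop-Service -Name $svc.Name -Force -ErrorAction Stop
        }

        # 3. Keep it from starting at next boot. Equivalent to:
        #    sc.exe config <name> start= disabled
        Set-Service -Name $svc.Name -StartupType Disabled

        # 4. Verify the change actually took.
        $after = Get-Service -Name $svc.Name
        Write-Host ("  -> now {0}, startup {1}" -f $after.Status, $after.StartType)
    }

    # 5. Kernel drivers from the same product stay loaded after the service stops.
    #    Win32_SystemDriver enumerates them; anything still 'Running' here is what
    #    a debugger will still be sharing the kernel with.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.DisplayName -match $pattern -or $_.Name -match $pattern -or $_.PathName -match $pattern } |
        Select-Object Name, State, StartMode, PathName |
        Format-Table -AutoSize
    ```

    On an XP box without PowerShell the same checks are `sc query` (services), `sc stop <name>`, `sc config <name> start= disabled` and `sc query type= driver state= all` for the driver list; the point of step 5 is that a driver reported as Running there is not affected by anything done in the Services applet.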

  11. #41
    If i do a 'd unhandledexceptionfilter' the data window is just filled with '??' so nothing to NOP there...

  12. #42
    Kayaker
    Hi, try a PAGEIN <address> in the correct context to see if it gets rid of the '??'
