
Thread: newbie's question about softice

  1. #31
    Quote Originally Posted by naides
    Each module's DllMain gets called right after the system loads the module ---snip--- (disassemble a couple of DLLs and you will see the sort of boring stuff DllMain does).
    Thanks for the advice. The pdf that JMI posted, that came from disavowed's URL, goes into that too. It's an interesting read. Also, author Jeffrey Richter is good at going into what compiler switches can do. I found it really interesting that the compiler can tell, by the kind of Main() function you use, whether it's a 32-bit Windoze file, a 16-bit or a DOS app. Also, it can tell whether it's ANSI or Unicode. Pretty smart critters them thar compilers.

    I find it interesting too that authors/programming gurus like Richter and Pietrek are really reversers at heart. Richter seems to like sub-classing and hooking functions. It's worth reading one of his books on 32-bit Windoze.

    Quote Originally Posted by naides
    Even if you coded the dll yourself, most of the DllMain stuff is taken care of by the compiler/linker, so you would never know that this action is taking place behind the curtains.
    I've got barely enough knowledge about C/Assembler to write a basic program...if I had to. It is amazing how much goes on between the source code and the final exe, though.

    Quote Originally Posted by naides
    On the other hand, you can take control from the DllMain and execute any code, function, or even a dirty trick you choose to execute.
    If I remember correctly, you use those compiler directives like "pragma" to achieve that if you are coding a dll module in C or C++.
    That's what the pdf article goes into, but it's related to a debugger taking control in a normal process. The article talks about malware intercepting the dll.

  2. #32
    disavowed
    Join Date
    Apr 2002
    Posts
    1,281
    Quote Originally Posted by WaxfordSqueers
    I tried to follow your URLs but was blocked by requirements of registering.
    Hmm... it's a URL to another page on this site. Are your cookies enabled?

    Quote Originally Posted by WaxfordSqueers
    I had no knowledge of your history and I hope I didn't raise your hackles in any way. My mention of he/she was totally inadvertent.
    Don't worry about it

  3. #33
    disavowed
    Join Date
    Apr 2002
    Posts
    1,281
    Quote Originally Posted by WaxfordSqueers
    The article talks about a debugger. Is it possible to do this under normal loading conditions?
    Yes, it is. The debugger has nothing to do with it. It just allows you to more easily see what's happening.

  4. #34
    Quote Originally Posted by disavowed
    Hmm... it's a URL to another page on this site. Are your cookies enabled?
    It wasn't the URLs you gave for this site, it was: http://www.security-assessment.com/Whitepapers/PreDebug.pdf. JMI tracked the pdf file down elsewhere on the net.

  5. #35
    Quote Originally Posted by disavowed
    You've presumed correctly.
    I finally got around to following up your link at Web4Lib. You were in pretty heady company there with them librarians.

    I remember when I first went on a hacking/cracking site how paranoid I felt. I could just imagine a bunch of evil-looking hackers waiting for me to connect, and what they could do to my system. The average John Q. Public out there must think the most Machiavellian plots are being hatched on even sites like ours. Paranoia is a peculiar property of the human brain, if you take it in the purest sense of its meaning, i.e. fear of fear itself.
    Last edited by WaxfordSqueers; November 6th, 2005 at 03:00.

  6. #36
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,508
    Blog Entries
    15
    Just a plug for my OllyDbg plugin that deals with TLS and DllMain entry stuff.
    You can try downloading this plugin for OllyDbg
    (it comes with source, as well as two sample programs that have TLS-enabled stuff,
    and they too come with source):
    http://www.reversing.be/article.php?story=20050603193932184

    Also browse through this thread in exetools for some insights into TLS stuff:
    http://forum.exetools.com/showthread.php?t=7363

  7. #37
    Administrator dELTA
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    A short article on TLS callbacks from Ilfak's blog:

    http://www.hexblog.com/2005/10/tls_callbacks.html

    Not very detailed, but still maybe something for the novice...

  8. #38
    Quote Originally Posted by dELTA
    A short article on TLS callbacks from Ilfak's blog: --snip--
    Thanks for the URL, Delta. Unfortunately, Ilfak didn't go into the TLS callback in detail, but your URL led me to his blog. I'll d/l his sample and try to run it through the IDA debugger once I learn how to use it.

    I read some of the other articles with great interest. If the IDA debugger is stable, it will surely be a major contender with softice and Olly. I like the fact that you can modify the debugger behaviour using plugins, and although it seems that's already plausible with Olly, IDA had a big head start with respect to plugins.

  9. #39
    Quote Originally Posted by blabberer
    Just a plug for my OllyDbg plugin --snip--- also browse through this thread in exetools for some insights into TLS stuff:
    http://forum.exetools.com/showthread.php?t=7363
    Thanks for the info, blabberer. Unfortunately I'm somewhat Olly-challenged at the moment, although I intend learning it. You might follow Delta's URL in the next post to yours to see how IDA is coming along with its debugger (Clouseau, or spelling???) using plugins.

    I remember stepping through the SEH minefield in an Asprotected app and found it interesting that the IDA debugger can bypass the SEHs using plugins and features of the debugger. Makes you want to say...hmmm.

  10. #40
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,508
    Blog Entries
    15
    Well, the 2.some console version didn't have a debugger, and neither does the 4.3 freeware GUI version. Yeah, I read that article some time back, and it seems the disassembler too can identify TLS callbacks. Haven't tried it yet; I am deadlist-challenged.

    As far as sidestepping the SEH minefield, you can try Options --> Debugging options -->
    Pass following custom exceptions to program in OllyDbg, so that some exceptions like
    eedfade, badbabe, 2badbabe, deafbabe and deadbeef can be passed to the program, apart from the standard INT3, single-step and access violation exceptions.
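The TLS callback posts above (dELTA's link, blabberer's note that the disassembler can identify TLS callbacks) are about code the Windows loader runs before the image's entry point is ever reached. The script below is an added example, not code from this thread, from the OllyDbg plugin, or from IDA: it reads the PE32 headers of an image, follows data directory entry 9 to the IMAGE_TLS_DIRECTORY32, and lists the callback addresses, which is the check an analyst makes before assuming execution begins at the entry point. The image it examines is constructed in memory by build_sample_pe() with made-up addresses (0x00400000 image base, one section at RVA 0x1000); that helper, parse_tls_callbacks() and MAX_CALLBACKS are my own names, not anything from the tools discussed.

```python
"""List the TLS callbacks recorded in a PE32 image's headers (added example)."""
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9   # index of the TLS entry in the data directory
MAX_CALLBACKS = 64              # guard against a corrupt, unterminated callback array


def parse_tls_callbacks(data):
    """Return (entry_point_va, [callback_va, ...]) for the raw bytes of a PE32 file.

    Works on the file image, so every RVA is mapped to a file offset through the
    section table before it is dereferenced.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]   # ImageBase
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]     # NumberOfRvaAndSizes

    # Section table follows the optional header: keep (rva, size, raw file offset).
    sections = []
    for i in range(nsections):
        _name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_offset(rva):
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rawptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} lies outside every section")

    entry_va = image_base + entry_rva
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_TLS:
        return entry_va, []
    tls_rva, _tls_size = struct.unpack_from(
        "<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    if tls_rva == 0:
        return entry_va, []              # image has no TLS directory at all

    # IMAGE_TLS_DIRECTORY32: AddressOfCallBacks is the 4th DWORD (offset 12) and
    # holds a VA, not an RVA, so the image base is subtracted before mapping it.
    tls_off = rva_to_offset(tls_rva)
    addr_of_callbacks = struct.unpack_from("<I", data, tls_off + 12)[0]
    callbacks = []
    if addr_of_callbacks:
        off = rva_to_offset(addr_of_callbacks - image_base)
        while len(callbacks) < MAX_CALLBACKS:
            cb = struct.unpack_from("<I", data, off)[0]
            if cb == 0:                  # the array is NULL terminated
                break
            callbacks.append(cb)
            off += 4
    return entry_va, callbacks


def build_sample_pe(with_tls=True):
    """Construct a minimal PE32 image in memory (sample bytes, not a real program).

    One section at RVA 0x1000 holds a TLS directory, a two-entry callback array and
    the (empty) locations where the callbacks and the entry point would live.
    """
    image_base, sect_rva, sect_raw = 0x00400000, 0x1000, 0x200
    tls_dir_off, callbacks_off, cb1_off, cb2_off, entry_off = 0x00, 0x20, 0x40, 0x50, 0x60
    section = bytearray(0x200)
    # IMAGE_TLS_DIRECTORY32: StartAddressOfRawData, EndAddressOfRawData,
    # AddressOfIndex, AddressOfCallBacks, SizeOfZeroFill, Characteristics
    struct.pack_into("<6I", section, tls_dir_off,
                     image_base + sect_rva + 0x80, image_base + sect_rva + 0x84,
                     image_base + sect_rva + 0x88, image_base + sect_rva + callbacks_off,
                     0, 0)
    struct.pack_into("<3I", section, callbacks_off,
                     image_base + sect_rva + cb1_off, image_base + sect_rva + cb2_off, 0)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, one section
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 14, 0,
                      0x200, 0, 0, sect_rva + entry_off, sect_rva, 0, image_base, 0x1000, 0x200,
                      5, 1, 0, 0, 5, 1, 0, 0x2000, 0x200, 0, 3, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)
    if with_tls:
        struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_TLS, sect_rva + tls_dir_off, 24)
    sect_hdr = struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, sect_rva, 0x200, sect_raw,
                           0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + dirs + sect_hdr
    headers += bytes(sect_raw - len(headers))                     # pad to file alignment
    return bytes(headers + section)


if __name__ == "__main__":
    entry, cbs = parse_tls_callbacks(build_sample_pe())
    print(f"entry point: {entry:#010x}")
    for i, cb in enumerate(cbs):
        print(f"TLS callback #{i}: {cb:#010x}  (runs before the entry point)")
```

Run against the constructed image it reports two callbacks at 0x00401040 and 0x00401050 ahead of the entry point at 0x00401060; pointed at a real 32-bit binary (open the file in binary mode and pass the bytes) it reports whatever the headers declare. Two details matter in practice: AddressOfCallBacks is a virtual address, so a relocated image still needs the header's ImageBase to resolve it, and the callback array is only NULL terminated, which is why the loop is capped rather than trusted.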
