
Thread: SoftICE + SPTD

  1. #1

    SoftICE + SPTD

    Hi ppl,

    I managed to hide SoftICE, so I can boot up my XP SP2 with SPTD loaded and then start SICE without a glitch, but then some keys on my keyboard just don't work or are totally swapped!!??
    The weirdest thing is that the keyboard works fine when inside SICE.

    Any ideas on this?
    Sptd hooks keyboard too?


    Thanks

  2. #2
    Kayaker (Join Date: Oct 2000, Posts: 4,085, Blog Entries: 5)
    Hi

    Good job. You may have read the previous thread on this:

    http://www.woodmann.com/forum/showthread.php?t=9201

    SPTD hooks the i8042prt.sys IAT address for the hal.dll READ_PORT_UCHAR export. This is pretty much what Softice does itself. Since you've already got Softice + SPTD running, it's pretty easy to fix.

    Start by running Softice without SPTD enabled (another VM image or set your system up to boot with the /DEBUG option which will disable SPTD). Start Softice and find the IAT for i8042prt.sys:

    > map32 i8042prt
    - display the .rdata section
    - play the "which one doesn't belong?" game and find the import address which is outside of ntoskrnl/hal code address range. (this should be at offset .rdata+160 for Win2K)
    - this will be the address of the Softice READ_PORT_UCHAR hook
    - u(nassemble) the address and make note of the offset at which the function begins (i.e. ntice!.text+9816B)


    Now, repeat the first 3 steps with the SPTD-enabled system. Again you'll notice the IAT of i8042prt.sys is hooked, but now the IAT hook will be that of the SPTD READ_PORT_UCHAR function.

    Now you need to replace the SPTD hook address with the NTICE one.

    Find the exact image address corresponding to ntice!.text+9816B (or whatever offset you determined was the correct relative offset of the Softice READ_PORT_UCHAR function):
    > map32 ntice
    - assume start of .text section is BD8BA380
    > u BD8BA380+9816B
    - change the IAT hook to this address from within Softice itself and you should have Windows keyboard control back

    I'm curious how you got Softice+SPTD running. Did you use the strategy from that earlier thread or did you come up with another way of doing it?

    Cheers,
    Kayaker
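The "which one doesn't belong?" step above is a check that can be written down: for each IAT slot, compare the pointer stored in it against the address range of the module that exports that symbol, and render any outlier as module!.text+offset, the same notation the map32/u output uses. The following Python is an added example, not code from the thread or from SoftICE/SPTD; every module base, size, .text address and IAT value in it is a constructed sample, not a real kernel address, and the slot/symbol layout is a simplified stand-in for a real PE import table.

```python
"""Detect IAT entries that point outside the module that should own them.

Added example. All addresses below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int        # image base (constructed)
    size: int        # image size (constructed)
    text_base: int   # start of the .text section (constructed)

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class IatEntry:
    importer: str          # module whose IAT holds this slot
    slot: int              # address of the slot itself
    symbol: str            # e.g. "hal!READ_PORT_UCHAR"
    expected_module: str   # module that legitimately exports the symbol
    value: int             # pointer currently stored in the slot


def symbolize(addr: int, modules) -> str:
    """Render addr as module!.text+offset (or module+offset) like SoftICE's output."""
    for m in modules:
        if m.contains(addr):
            if addr >= m.text_base:
                return f"{m.name}!.text+{addr - m.text_base:X}"
            return f"{m.name}+{addr - m.base:X}"
    return f"{addr:08X} (unknown)"


def find_hooked_imports(entries, modules):
    """Return (symbol, slot, symbolized target) for every slot whose pointer
    lies outside the module expected to export that symbol."""
    by_name = {m.name: m for m in modules}
    findings = []
    for e in entries:
        owner = by_name[e.expected_module]
        if not owner.contains(e.value):
            findings.append((e.symbol, e.slot, symbolize(e.value, modules)))
    return findings


def text_offset_to_address(modules, name: str, offset: int) -> int:
    """Turn a .text-relative offset (e.g. ntice!.text+9816B) into an absolute
    address, mirroring the 'u BD8BA380+9816B' step in the thread."""
    for m in modules:
        if m.name == name:
            return m.text_base + offset
    raise KeyError(name)


# Constructed module map: sptd has replaced the ntice hook in i8042prt's IAT.
SAMPLE_MODULES = [
    Module("ntoskrnl", 0x804D7000, 0x200000, 0x804D8000),
    Module("hal",      0x80010000, 0x020000, 0x80011000),
    Module("ntice",    0xBD8B0000, 0x100000, 0xBD8BA380),
    Module("sptd",     0xF7A00000, 0x080000, 0xF7A01000),
    Module("i8042prt", 0xF7B10000, 0x010000, 0xF7B11000),
]

# Constructed IAT snapshot of i8042prt (slot addresses are made up).
SAMPLE_IAT = [
    IatEntry("i8042prt", 0xF7B14158, "ntoskrnl!KeStallExecutionProcessor",
             "ntoskrnl", 0x804E1234),
    IatEntry("i8042prt", 0xF7B14160, "hal!READ_PORT_UCHAR", "hal", 0xF7A0ABCD),
    IatEntry("i8042prt", 0xF7B14164, "hal!WRITE_PORT_UCHAR", "hal", 0x80012340),
]

if __name__ == "__main__":
    for symbol, slot, target in find_hooked_imports(SAMPLE_IAT, SAMPLE_MODULES):
        print(f"{symbol} at slot {slot:08X} -> {target}")
    # Address the thread would patch back into the slot: ntice!.text+9816B
    restore = text_offset_to_address(SAMPLE_MODULES, "ntice", 0x9816B)
    print(f"ntice hook lives at {restore:08X} = {symbolize(restore, SAMPLE_MODULES)}")
```

Run stand-alone it reports the READ_PORT_UCHAR slot as pointing into sptd and prints the absolute address that ntice!.text+9816B resolves to under the constructed map; against a real system you would feed it the module list and IAT values read out of the debugger instead of the sample constants.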

  3. #3
    > I managed to hide Softice, so I can boot up my XP SP2 with sptd loaded
    ...could you explain here how you managed to do it??

  4. #4
    Kayaker,
    Your stuff concerning i8042prt works great!! Thank you for that information!
    > I'm curious how you got Softice+SPTD running.
    ...there is an opportunity to get them both running using Rootkit Unhooker.
    Tools->Notify Routines
    We will probably see two routines, LoadImage among them. We delete this one and now SICE should start without problems.
