
soft ice in a VM and Windbg growing pains

WaxfordSqueers
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

blabberer wrote:i run bat file all the time and face no problems whatsoever in fact i run several versions of cdb.exe as and when i need it and use a bat file for accessing the cdb.exe that's spread all over my disk partitions
First of all, thanks for your help. You are going above and beyond with your detailed analysis. I hate to be such a bother. Kayaker is good that way too. Much appreciated.

Off hand, I would say the mistake I am making is not feeding cdb a command line. Then again, with a straight cmd.lnk, I'd have to change the command line each time I used the lnk. I'll need to examine your bat file more closely.

Meantime...ahooooga, ahooooga....I got it going. It was an SxS thingy. Visual C++ (2005) apparently doesn't use SxS and the required dlls cannot be found by cdb. I upgraded to the 4 meg version of the Visual C++ redistributable package and that seemed to solve the problem. Also, I reinstalled dotnet framework files up to dotnet 3.5.

I managed to use the !hwnd command in sdbgext but it's not formatted like SPYXX and one has to be careful. Both SPYXX and !hwnd agree on the handles, so now I have to work on finding why softice is not recognizing the handle from SPYXX. I have to follow up on a suggestion from Kayaker as well, to see if it's happening only with the one app.
blabberer wrote:ntsd is similar to cdb but runs in its own console and can run without console too (useful for remote over network debugging )
I thought you said you could not copy and paste from ntsd. I was able to copy and paste, but the process is slightly different in the ntsd window. With the normal cmd window used by cdb, you highlight the text to be copied by right-clicking and selecting 'mark', I think it is, then drag the mouse over the text, go to the drop-down menu at the top left side of the screen and select edit>copy. I have downloaded a reg mod for the cmd window by which I can just drag the mouse over text in a cmd window to mark it, then I go to the drop-down box at the top LH side of the window, where I select edit>copy.

With ntsd, the mark feature is in the drop down box, so you have to repeat the process to 'mark' then 'copy'.
blabberer wrote:the error no 14001 is described as some side by side error...seems to be a vc runtime redist package issue check what run time is required and install it
I did that earlier today. I had not noticed that there are two redistributable packages for 2008, one is ver 9.0.21022.8 and has a size of 1.73 MB. The other is 9.0.30729.17 and has a size of 4.02 Mb. I used the larger one.

One other thing. I upgraded the windows installer (I think it was to version 3) and checked to make sure Internet Explorer was at least version 6 with SP1. Mine was SP3. Both are requirements on the sdbgext site along with the Visual C++ redistributable package (4 Mb version 2008).

Net Framework may have been an issue, mine seemed to be wonky. The upgrade to dotnet 3.5 is a major upgrade that addresses all previous versions and upgrades them. It's a large package, several hundred megs.
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

Much appreciated.

thanks and welcome

i dont remember saying you cant copy from ntsd (you can copy from cdb . ntsd , windbg , i386kd , kd , ntkd)
in fact windbg can store a lot lot of data to copy than the plain consoles of other debuggers

if i am working in console it is easy to use cdb (dont have to juggle windows just type on the prompt and be done with it ) that is all


if you just want to select drag and copy on right click without going to any corners :) enable quick edit mode by going to the corner once and telling it i dont want to come back here again

right click -> properties -> options -> edit option -> check mark quick edit mode (no mark copy corners needed henceforth )
same --------------------------------------------> check mark quick insert (no edit
WaxfordSqueers
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Kayaker wrote:So this BMSG invalid handle message, does this happen with every handle of every app in your new VM/Sice setup, or is it just this one situation?
Seems to.

Here's the confusing part. If I do an addr explorer to get into that context, then use hwnd, I get all the windows listed. I can verify from the list of windows handles supplied by softice that the window handle is valid. SPYXX, cdb and softice all supply the same window handle for the same window. Yet when I do a 'bmsg <hwnd> <msg>' with the same handle, ice tells me the handle is invalid.

I have selected several hwnds from the softice display, including the desktop, and all of them return the invalid handle message. I have noticed that many hwnds have 6 figure values, like 1000138, whereas those I am having trouble with have only 5 figures. That's probably not significant.

I may have to reload ice, but the part worrying me is that my problem may lie with Windows itself. I have XP SP3 loaded in the VM and ice works fine with a bare bones XP SP3 on my desktop, but I may have loaded hotfixes beyond SP3 in the VM. It's too long to go into here but the best solution seems to be creating a new VM disk and loading it with a fresh SP3 version of XP.

I'm wondering, is there a way to debug softice using windbg? I am loading ice from the desktop, can I attach to it with windbg or would I be headed for BSODville?

BTW...while researching on the Net, I noticed quite a few references to the same error message regarding an invalid window handle. No one seems to have a clue what causes it. It does not seem to be related to VMs only.
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

That's weird, if you get a good list with HWND while in Explorer context, Sice should at least accept the BMSG request, even if the combination of hwnd/msg wouldn't produce a break result itself.

I use XP3 without any updates (other than .NET4) and don't have any issues, using the files from the last patch

http://www.woodmann.com/collaborative/t ... _3.2_patch

If you really wanted to debug this, my IceProbe tool would be the one to use to trace the Softice command, not even sure if Windbg would work without conflict. There must be a simpler solution to this.
Elenil
Senior Member
Posts: 140
Joined: Tue Sep 30, 2008 7:53 pm

Post by Elenil »

wax have you tried the "patch ntice" function of icestealth ? it will patch the ntice files in "other folder" to your actual os
(then make sure you replace your ntice files from system32/drivers folder)

this makes sure softice find some of his things

also there was a kernel security upgrade (5.1.2600.6165 and above ?) (13.12.2011) after which softice no longer works without "patch ntice"

just a suggestion maybe it does solve the problem maybe not
WaxfordSqueers
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Elenil wrote:wax have you tried the "patch ntice" function of icestealth ? it will patch the ntice files in "other folder" to your actual os (then make sure you replace your ntice files from system32/drivers folder)
I am not too sure what you mean, Elenil. I don't see a "patch ntice" function specifically. Do you mean the functions checked under Load Old and Load New?

There are three under Load Old already checked. Do I just leave them checked?

OK...I tried it but icestealth wanted to call out and I don't have an Internet connection on the VM at this time, I had one a few days ago but it disappeared and I'm working on it. I don't think icestealth did anything because NTice.sys is still the same size.

I'll try to get the Net connection going and get back to you.
Elenil
Senior Member
Posts: 140
Joined: Tue Sep 30, 2008 7:53 pm

Post by Elenil »

in menu it has "Patch SoftICE"

then click (Patch SoftICE in "other" Folder)

after this the files in IceStealth\other get patched to your actual os

this fixes a lot of problems

after this copy the other folder to your system32\drivers dir and replace the old files


you also can try to spawn the keyboard set thing or not overwrite your winice.dat
WaxfordSqueers
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Elenil wrote:in menu it has "Patch SoftICE"
menu???...what menu????

Ah...I see the problem, I am running version 1.5 and you are up to ver 1.8. :p

Just downloaded 1.8...I'll get back to you.
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

@wax
I'm wondering, is there a way to debug softice using windbg?
yes sirreee no problem sirreee

@k
not even sure if Windbg would work without conflict
what conflict you envisage

i have been to siwvid.entrypoint and ntice.entrypoint before (just to be sure i did it again and paste the output below)

host xpsp3
target ms vpc xp sp3 without virtual machine addons
plain si405wnt installed with 4.05 patches (3 drivers replaced both package from exelab)
i3here off
(else ctrl+break in host windbg will be trapped by sice in target and the black beauty will wake up from sleep as if some one pressed ctrl+d in target )

sxe -ibp;reboot
bp iopinitializeBuiltinDriver+ XXXX (indirect call [REG32+const])
g;r

till you see siwvid and then ntice

kd> g;r
Breakpoint 0 hit
eax=80093d40 ebx=812d3eb8 ecx=29180008 edx=29170007 esi=00000000 edi=812d3e84
eip=806a9ef9 esp=fac475f8 ebp=fac47630 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
nt!IopInitializeBuiltinDriver+0x25d:
*** ERROR: Module load completed but symbols could not be loaded for Siwvid.sys
806a9ef9 ff532c          call    dword ptr [ebx+2Ch]  ds:0023:812d3ee4=fa658b1c
kd> dd esp l2
fac475f8  812d3eb8 80093d40
kd> !ustr poi(esp+4)
String(116,116) at 80093d40: \Registry\Machine\System\CurrentControlSet\Services\Siwvid
kd> dt nt!_DRIVER_OBJECT poi(esp)
   +0x000 Type             : 0n4
   +0x002 Size             : 0n168
   +0x004 DeviceObject     : (null) 
   +0x008 Flags            : 2
   +0x00c DriverStart      : 0xfa652000 Void
   +0x010 DriverSize       : 0x1d320
   +0x014 DriverSection    : 0x81329108 Void
   +0x018 DriverExtension  : 0x812d3f60 _DRIVER_EXTENSION
   +0x01c DriverName       : _UNICODE_STRING "\Driver\Siwvid"
   +0x024 HardwareDatabase : 0x8068fa90 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
   +0x028 FastIoDispatch   : (null) 
   +0x02c DriverInit       : 0xfa658b1c     long  +0
   +0x030 DriverStartIo    : (null) 
   +0x034 DriverUnload     : (null) 
   +0x038 MajorFunction    : [28] 0x804fa87e     long  nt!IopInvalidDeviceRequest+0
kd> gu
nt!IopInitializeBootDrivers+0x2d2:
806aa011 894618          mov     dword ptr [esi+18h],eax
kd> !drvobj 812d3eb8 2
Driver object (812d3eb8) is for:
 \Driver\Siwvid
DriverEntry:   fa658b1c    Siwvid
DriverStartIo: 00000000
DriverUnload:  00000000
AddDevice:     00000000

Dispatch routines:
[00] IRP_MJ_CREATE                      fa659134    Siwvid+0x7134
[02] IRP_MJ_CLOSE                       fa659134    Siwvid+0x7134
[0e] IRP_MJ_DEVICE_CONTROL              fa659134    Siwvid+0x7134

removed all ERROR_NOT_IMPLEMENTED CALLS

kd> !grep -i -e "cmp" -c "uf fa659134"

fa659168 81f90068409c    cmp     ecx,9C406800h
fa659170 81f90468409c    cmp     ecx,9C406804h
fa659178 81f90868409c    cmp     ecx,9C406808h
fa659180 81f90c68409c    cmp     ecx,9C40680Ch
kd> $ control codes for siwvid   IRP Tail.overlay.CurrentStackLocation->Parameters.DeviceIoControl.IoControlCode


kd> g;r
Breakpoint 0 hit
eax=80093a60 ebx=812d35c8 ecx=2add0008 edx=2adc0007 esi=00000000 edi=812d3592
eip=806a9ef9 esp=fac475f8 ebp=fac47630 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
nt!IopInitializeBuiltinDriver+0x25d:
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for NTice.sys -
806a9ef9 ff532c          call    dword ptr [ebx+2Ch]  ds:0023:812d35f4=fa641300
kd> dd esp l2
fac475f8  812d35c8 80093a60
kd> !ustr poi(esp+4)
String(114,114) at 80093a60: \Registry\Machine\System\CurrentControlSet\Services\NTice
kd> dt nt!_DRIVER_OBJECT poi(esp)
   +0x000 Type             : 0n4
   +0x002 Size             : 0n168
   +0x004 DeviceObject     : (null) 
   +0x008 Flags            : 2
   +0x00c DriverStart      : 0xfa509000 Void
   +0x010 DriverSize       : 0x148f40
   +0x014 DriverSection    : 0x813290a0 Void
   +0x018 DriverExtension  : 0x812d3670 _DRIVER_EXTENSION
   +0x01c DriverName       : _UNICODE_STRING "\Driver\NTice"
   +0x024 HardwareDatabase : 0x8068fa90 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
   +0x028 FastIoDispatch   : (null) 
   +0x02c DriverInit       : 0xfa641300     long  NTice!adjust_fdiv+0
   +0x030 DriverStartIo    : (null) 
   +0x034 DriverUnload     : (null) 
   +0x038 MajorFunction    : [28] 0x804fa87e     long  nt!IopInvalidDeviceRequest+0

kd> gu  this int 3 was trapped by sice in target you need to set i3here off for bps to be redirected to windbg on reboot 
kayaker know a permanent way to disable i3here ?
Break instruction exception - code 80000003 (first chance)
*******************************************************************************
*                                                                             *
*   You are seeing this message because you pressed either                    *
*       CTRL+C (if you run kd.exe) or,                                        *
*       CTRL+BREAK (if you run WinDBG),                                       *
*   on your debugger machine's keyboard.                                      *
*                                                                             *
*                   THIS IS NOT A BUG OR A SYSTEM CRASH                       *
*                                                                             *
* If you did not intend to break into the debugger, press the "g" key, then   *
* press the "Enter" key now.  This message might immediately reappear.  If it *
* does, press "g" and "Enter" again.                                          *
*                                                                             *
*******************************************************************************
nt!RtlpBreakWithStatusInstruction:
804e3592 cc              int     3

kd> !drvobj 812d35c8 2
Driver object (812d35c8) is for:
 \Driver\NTice
DriverEntry:   fa641300    NTice!adjust_fdiv
DriverStartIo: 00000000	
DriverUnload:  00000000	
AddDevice:     00000000	

Dispatch routines:
[00] IRP_MJ_CREATE                      fa556528	NTice!chkstk+0x4fe

[02] IRP_MJ_CLOSE                       fa556528	NTice!chkstk+0x4fe
[0e] IRP_MJ_DEVICE_CONTROL              fa556912	NTice!chkstk+0x8e8
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL     fa556948	NTice!chkstk+0x91e
[10] IRP_MJ_SHUTDOWN                    fa556544	NTice!chkstk+0x51a

kd> !grep -i -e "cmp     ecx" -c "uf fa5565ca"

fa556629 3bc8            cmp     ecx,eax
fa556637 81f90060409c    cmp     ecx,9C406000h
fa556643 81f90460409c    cmp     ecx,9C406004h
fa55664b 81f90860409c    cmp     ecx,9C406008h
fa556653 81f90c60409c    cmp     ecx,9C40600Ch
fa55665b 81f91060409c    cmp     ecx,9C406010h
fa556663 81f91460409c    cmp     ecx,9C406014h
fa556735 81f91c60409c    cmp     ecx,9C40601Ch
fa556741 81f92060409c    cmp     ecx,9C406020h
fa55674d 81f92460409c    cmp     ecx,9C406024h
fa556759 81f94860409c    cmp     ecx,9C406048h
fa556761 81f94c60409c    cmp     ecx,9C40604Ch
fa556769 81f95060409c    cmp     ecx,9C406050h
kd> $ control codes for ntice devioctl  IRP Tail.overlay.CurrentStackLocation->Parameters.DeviceIoControl.IoControlCode
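As an added example (not part of blabberer's post or of any SoftICE tooling), the following Python decodes the control codes that the two !grep listings above pulled out of the Siwvid and NTice dispatch routines. It applies the CTL_CODE bit layout from ntddk.h (DeviceType in bits 31..16, RequiredAccess in bits 15..14, Function in bits 13..2, Method in bits 1..0) to the immediates compared against ecx, which is what a defender does to inventory the IOCTL surface a kernel driver exposes. The sample listings embedded in the code are copied from the kd output above; the helper names and the overlap check are this example's own.

```python
"""Decode the IOCTL control codes recovered from the `cmp ecx, 9C40xxxxh`
lines in a kd/WinDbg `uf` listing of a driver's IRP_MJ_DEVICE_CONTROL handler.

CTL_CODE layout (ntddk.h):
    bits 31..16  DeviceType      bits 15..14  RequiredAccess
    bits 13..2   Function        bits  1..0   Method
"""
import re
from dataclasses import dataclass

METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

# Sample input: lines copied from the two !grep listings in the post above.
SIWVID_GREP = """\
fa659168 81f90068409c    cmp     ecx,9C406800h
fa659170 81f90468409c    cmp     ecx,9C406804h
fa659178 81f90868409c    cmp     ecx,9C406808h
fa659180 81f90c68409c    cmp     ecx,9C40680Ch
"""
NTICE_GREP = """\
fa556629 3bc8            cmp     ecx,eax
fa556637 81f90060409c    cmp     ecx,9C406000h
fa556643 81f90460409c    cmp     ecx,9C406004h
fa55664b 81f90860409c    cmp     ecx,9C406008h
fa556759 81f94860409c    cmp     ecx,9C406048h
fa556769 81f95060409c    cmp     ecx,9C406050h
"""

# Only a compare against a MASM hex immediate ("9C406800h") is an IOCTL candidate;
# register compares such as "cmp ecx,eax" are skipped on purpose.
_CMP_IMM = re.compile(r"\bcmp\s+ecx,\s*([0-9A-Fa-f]+)h\b")


@dataclass(frozen=True)
class Ioctl:
    code: int
    device_type: int
    access: int
    function: int
    method: int

    @property
    def is_vendor_device_type(self) -> bool:
        # Device type values 0x8000 and above are reserved for non-Microsoft drivers.
        return self.device_type >= 0x8000

    def describe(self) -> str:
        vendor = " (vendor-defined)" if self.is_vendor_device_type else ""
        return (f"{self.code:#010x}: DeviceType={self.device_type:#06x}{vendor} "
                f"Function={self.function:#05x} {METHOD_NAMES[self.method]} "
                f"{ACCESS_NAMES[self.access]}")


def decode_ioctl(code: int) -> Ioctl:
    """Split a 32-bit control code into its four CTL_CODE fields."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit control code: {code:#x}")
    return Ioctl(code=code,
                 device_type=(code >> 16) & 0xFFFF,
                 access=(code >> 14) & 0x3,
                 function=(code >> 2) & 0xFFF,
                 method=code & 0x3)


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Inverse of decode_ioctl: the CTL_CODE() macro from ntddk.h."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def ioctls_from_kd_listing(listing: str) -> list:
    """Every immediate compared against ecx in a kd `uf` listing, decoded."""
    return [decode_ioctl(int(m.group(1), 16))
            for line in listing.splitlines()
            if (m := _CMP_IMM.search(line))]


def function_ranges_overlap(a: list, b: list) -> bool:
    """True if two drivers share a (DeviceType, Function) pair, i.e. the same
    control code could be meant for either driver's handler."""
    def keys(ioctls):
        return {(i.device_type, i.function) for i in ioctls}
    return bool(keys(a) & keys(b))


if __name__ == "__main__":
    for name, listing in (("Siwvid", SIWVID_GREP), ("NTice", NTICE_GREP)):
        print(f"== {name} ==")
        for ioctl in ioctls_from_kd_listing(listing):
            print("  " + ioctl.describe())
    print("function ranges overlap:", function_ranges_overlap(
        ioctls_from_kd_listing(SIWVID_GREP), ioctls_from_kd_listing(NTICE_GREP)))
```

Running it shows that both drivers use the same vendor device type 0x9C40 with METHOD_BUFFERED and FILE_READ_ACCESS, Siwvid on functions 0xA00..0xA03 and NTice on functions starting at 0x800, so the two control-code ranges do not collide.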

WaxfordSqueers
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

blabberer wrote:@wax ...yes sirreee no problem sirreee
Verrrrrry interrrrrrrresting!!!

Need to absorb all this. Right now I have embarked on yet another deviation from my initial chore of tracking a file seek to the MFT on a hard drive. To get back to that I need to fix softice, fix XP SP3 on a VM, and fix the Internet connection in the VM. Either that or learn everything about windbg and/or cdb really quickly, which looks highly unlikely.

It would also be nice to get a pipe going between the VM and my desktop so I could use Windbg remotely. In the interim, I took time out to rebuild my system, having to troubleshoot an XP install disk that gave me a BSOD when I tried a repair install. With a new mother board that is apparently to be expected, but no one tells you that.

Sigh...the life of a reverser is fraught with peril.
WaxfordSqueers
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Elenil wrote:in menu it has "Patch SoftICE"
no good E., icestealth wants those symbols from Microsoft and would not consider symbols I stuck in the 'Other' directory.
WaxfordSqueers
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Elenil wrote:in menu it has "Patch SoftICE"
E.....something really weird is going on. I just downloaded icestealth 1.8 from the RCE cache and every time I use the icestealth.exe file, it gets deleted. I checked it with an old copy of AVP and it showed no viruses, but that copy's virus database is at least a year old.

The only other time I have seen that was with certain reversing tools many years ago. Some apps would delete the executable if they detected it.

I have no idea what could be on my VM system that would delete Icestealth. I have hardly anything on it.

I have a firewall running on the VM.
WaxfordSqueers
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Elenil wrote:in menu it has "Patch SoftICE"
Re the disappearing icestealth.....I figured it out. Pretty smart. :devil:
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

WaxfordSqueers wrote:I have a firewall running on the VM.
Hello? Dumb question, but have you tried BMSG without the firewall? Just a shot in the dark.
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

You're right blabs, as I wrote that I realized it should be no different from debugging any other driver if using a Windbg pipe. I didn't want to add that and perhaps VirtualKD to the mix at the moment, but what the hay..

The interfering I3here can be turned off in winice.dat, i.e.
FAULTS OFF; I3HERE OFF;

The problem now is, can you find and trace a BMSG command?

http://www.woodmann.com/forum/entry.php ... and-Tracer

Setting up IDA for analysing Softice functions
http://www.woodmann.com/forum/showthread.php?t=6529