
soft ice in a VM and Windbg growing pains

Questions concerning tools (other than OllyDbg) - IDA Pro, SoftIce, member contributions, etc.
NOTE: You must always make sure you cannot find what you are looking for in our Collaborative RCE Tool Library (/collaborative/tools) before asking for any tools that can do this or that though!
WaxfordSqueers
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

blabberer wrote: that's 3 os (one xp which is a physical machine and host for two vms running windows 98 side by side)
Win 98...AAAAAARRRRRRGH!! Dual Win98....double AAAAAARRRRRRGH!!.

Actually, my ploy in this post is to con you into using softice so much that you'll like it. :devil: I gather from your blog that you have never given it much of a shot. I have spent hundreds of hours on it and I swear by it, when it's running. :D Running on XP with SP3, it's so solid it's sickening. It never crashes no matter what routes I take through Ring 0.

Sysini files...triple AAAAAARRRRRRGH!!

I'll have a closer look at your blog when my head clears. Thanks for the link.
blabberer wrote:instead of this i think you should do
this end is client and other end is physical host in the vm (not sure i dont have vmware installed to provide you correct info)
I'll work it out. I just wondered if there was an advantage to having the host in the VM or elsewhere.
blabberer wrote:as far as usb debugging is concerned reports are that it doesn't work properly
Technically, I'm not using USB, I am using serial with the USB acting as a conduit to the serial interface. I figured as long as Windbg sees a legitimate serial interface with full RS232 handshaking it should not care what is on the other side of the serial - USB adapter.

I have to study this more but the config for Windbg seems only concerned about what Windbg sees. If it's talking to a serial port, it should be happy. That may answer the question I posed to you. Since the only serial port I have is on the desktop, Windbg will have to be on the desktop.
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

Technically, I'm not using USB
i don't know, i replied back what i read around

if you buy it and if it worked post back the details :)
my ploy in this post is to con you into using softice so much that you'll like it
i never said i disliked it

like you qualified your statement with if it ran it ran solid :) it never runned or ranned

and i didn't have the expertise / skill / time / internet connection to scavenge / download megabytes (no, not talking about dvd rip of 4.4 gb, much much smaller mbs at 28.8 kbps meant days together) to make it run while i was crawling

and i found free alternatives that were much more stable and support for them too from official channels were easily available so never used softice much
that is all
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

blabberer wrote:i never said i disliked it

i found free alternatives that were much more stable and support for them too from official channels were easily available so never used softice much
that is all
I can't help but hear that in the voice of Tom Selleck in the movie Quigley Down Under. In a final scene, the overconfident bad guy assumes the injured Quigley doesn't know how to use a Colt revolver very well, so challenges him to an unfair duel. After shooting all the bad guys before they can even draw their guns, Quigley walks over to the dying villain and drawls,

"I said I never had much use for one. Never said I didn't know how to use it."
WaxfordSqueers
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

blabberer wrote:...much much smaller mbs at 28.8 kbps meant days together )
I painfully recall the old pre-internet days on BBS's running x-modem, y-modem and z-modem. 9600 baud was the order of the day with some people actually running 300 baud. 28k was like lightning and 56k seemed impossible. Then again, in the early 80s, a removable disk drive cartridge was 18" in diameter and held all of 5 megs. You get 3 1/2" disks these days holding a third of a terabyte (1000 gigabytes), with three of them holding a terabyte. The track density was 1000 tracks per inch circa 1980. I used to repair computers in which the CPU was transistorized.

When I look at my thumb drive, which is essentially the length of my thumb, and holds 20 gigs of data, the mind boggles.

I got interested in softice reading Matt Pietrek's book on Windows 95 in which he talked openly about 'spelunking', which was his name for reverse engineering. He worked for Numega, I think on the Boundschecker program. In those days, softice was not that big in size.
Elenil
Senior Member
Posts: 140
Joined: Tue Sep 30, 2008 7:53 pm

Post by Elenil »

what is the actual state now?
like the hwnd command is working but it's still not accepting valid handles?
WaxfordSqueers
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Elenil wrote: what is the actual state now?
like the hwnd command is working but it's still not accepting valid handles?
No...hwnd only works after using 'addr explorer', then a 'hwnd' by itself lists all the window handles.

If I select any of the valid handles and use

bmsg <hwnd> <message>

I get an error message stating that the window handle is invalid.

I have confirmed the handles using SPYXX and the cdb debugger from Debugger Tools for Windows. Softice even displays all the correct handles with the HWND command but when I enter one in BMSG it claims the handle is invalid.

I have moved on from that problem for now. I am currently creating a new VM with a fresh windows install and a fresh installation of ice.
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

I am currently creating a new VM

that sounds as if it is a mammoth project :)

you can reuse the virtual hard drives

make one vhd and use it on 100's different virtual machines
one with softice
one with visual studio
one with malware
one with network
one without network
one with page file
one without page file


all you have to do is save away a copy of a fresh vm to some place

when you want to make xpsp3hotdog version

copy the saved vm to a new folder and use the option with an existing vhd instead of create new vhd

install hotdogs and you have xpsp3hotdogs vm in say 15 minutes at the max including a break to the piss room
WaxfordSqueers
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

blabberer wrote:I am currently creating a new VM

that sounds as if it is a mammoth project :)
It shouldn't be but I get right into it with hammers, saws, and whatnot and by the time I finish it is a mammoth project.
blabberer wrote:you can reuse the virtual hard drives
Yeah...I do reuse them. I even have DOS and Win 98SE setup. I may even try Linux again to see if they have advanced from the dark days of Unix, pre-1980. They were making headway with their GUIs, like KDE (I hated Gnome), but their command line setup was still a horror show for a newbie.

With my present VM install, I wanted to be absolutely sure I had a clean install of XP so I started from square one.

Right now I am getting grief from that piece of crap otherwise known as Internet Explorer. I am trying to d/l Comodo's free firewall/antivirus package and IE tells me it can't connect to a certain site. So I d/led Firefox, which I should have done right off rather than fiddle with that over-bloated monstrosity. When Firefox asked if I wanted to make it the default, I said, "yes, please".

What kind of addled brain would one need to design something like IE? I tried to download a file that is fairly large and IE insisted on saving it as a link to my desktop. When I refused the offer and guided it to another directory, it d/l'd the large file as a link. Have you ever seen a file with a .lnk extension that is 145 megs long?

I see now what the problem was, I was trying to open the aforementioned lnk file before it was fully downloaded, but IE did not know that. It kept telling me it was a lnk file.

Then I opened its brother, File Explorer. There's another joke. If you want a dual pane situation, you have to open another instance of file explorer. Why, after all these years, have they not built in functionality to have a dual pane setup? Give up...I'll tell you why. They want you to do it their way. What you want as a user means nothing to msoft. Who else would gear an OS (win 8) at touch screens? Prefer a mouse...too bad...msoft is telling you how the future will be.

When you open explorer to view files, it insists on opening in documents and settings, and as you try to click on the file you want, it goes on resizing, forcing you to chase your desired directory with the mouse.

I had to edit this post to add another whine. When you open file explorer under normal conditions, it lists the files but does not tell you the directory or path. That is pure Unix bs and that's what microsoft is trying to implement. In Unix, everything is a file, even a directory, and that's how msoft has designed the NTFS file system. I am discovering all that from my MFT project/thread which is on hold till I get softice running again.

It may be of interest to you to realize that the old DOS-style directory/file path is now merely a wrapper around the namespace base that msoft bases file explorer on. Yes...there is yet another hidden file system between the user and the MFT on an NTFS system. You might say the MFT is part of that hidden file system, and it gets processed by shell32 and shlwapi in conjunction with ole32. I haven't gotten into objects yet which have totally obfuscated the real hardware lying underneath the msoft OS.

The shell in shell32 is related to the shell the user sees. The user sees files and directories and shell32 translates them into item lists that break the path into objects.

To me, having grown up with computers in the early 80s, that kind of thinking is a major step backwards.

End of whine.

Talk about Big Brother. Microsoft knows best which directory you want to start in and how you will think in the future, which is actually the dark Unix past.
WaxfordSqueers
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

WaxfordSqueers wrote:End of whine.
Happy(er) camper, here (happier than I wuz while whining about msoft in my last post).

No more error messages on bmsg...just the sweet acceptance of handles, and the subsequent listing of bl's showing the set breakpoint.

The clean install of both XP and ice seems to have done the trick. :yay:

Speaking of :yay: 's, where's JMI these days? He used those a lot.
Elenil
Senior Member
Posts: 140
Joined: Tue Sep 30, 2008 7:53 pm

Post by Elenil »

if you want, wax, you can use the patch ntice function (i think you need ds 3.2 to work this instead of the older softice, dunno if it's possible just to replace the ntice file on the old version of ntice)
this makes the hwnd command work on every exe - so you don't need spy++

there's a rare scenario where it does not work with the addr command but usually it should be fine and it works 100 % if you were in the proper context, like after a breakpoint in the executable
JMI
Senior Member
Posts: 5329
Joined: Wed Apr 25, 2001 2:00 pm

Post by JMI »

He's still here, just very busy at the moment. :)
JMI
WaxfordSqueers
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

JMI wrote:He's still here, just very busy at the moment. :)
Glad to hear you are alive and well, JMI. :yay:
WaxfordSqueers
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

WaxfordSqueers wrote:Happy(er) camper, here
A bit premature...sigh!!

Got ice to break in the VM on a bmsg and traced till a jump came to User32!CallWindowProcA. Upon entering U32, the mouse and kbrd disappeared. There is a blinking cursor in the ice window but I cannot access it.

Even worse, can't get out of the ice window.

May have something to do with the entries in the VM config file for softice. There are two versions of them, one for older VMs and one for newer VMs. I am using

vmmouse.present = FALSE
svga.forceTraces = "TRUE"

NOT

vmmouse.present = FALSE
svga.maxFullscreenRefreshTick = 5

I don't want to shut softice down yet and was hoping someone in the know was hovering (or paddling) nearby.
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

Oh Boy, now you did it! If you're locked up in Sice I'm not sure what you could do, other than maybe suspending the VM, change to the RefreshTick config, and resume to see if that fixes it. Might be borked now though.

Interesting if you could do an exact snapshot with and without the glitch, and binary compare the snapshots. Would the "glitch" be visible as a byte difference I wonder, even if not understood as representing such?
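Kayaker's suggestion above is a byte-level comparison of two VM snapshots (one taken with the glitch, one without). The following is an added example, not code from the thread or from any VMware or SoftICE tool: a small Python script that compares two arbitrary binary files chunk by chunk and reports the differing offset ranges, so a multi-hundred-megabyte snapshot does not have to be loaded into memory at once. The file names and the sample buffers it builds are constructed for illustration; the snapshot format itself is not interpreted, which is exactly the "visible as a byte difference even if not understood" situation the post describes.

```python
"""Byte-level diff of two binary files (e.g. VM snapshot files), reported as
half-open [start, end) offset ranges. Added example; the snapshot layout is
not parsed, only compared."""
import os
import tempfile
from typing import List, Tuple

Range = Tuple[int, int]


def diff_ranges(a: bytes, b: bytes) -> List[Range]:
    """Return the half-open ranges where buffers a and b differ.

    Offsets past the end of the shorter buffer count as differences, so a
    length mismatch shows up as a trailing range."""
    total = max(len(a), len(b))
    ranges: List[Range] = []
    start = None
    for i in range(total):
        same = i < len(a) and i < len(b) and a[i] == b[i]
        if not same and start is None:
            start = i                      # a differing run begins
        elif same and start is not None:
            ranges.append((start, i))      # the run ends just before i
            start = None
    if start is not None:
        ranges.append((start, total))
    return ranges


def diff_files(path_a: str, path_b: str, chunk: int = 1 << 20) -> List[Range]:
    """Compare two files chunk by chunk, merging runs that cross a chunk edge."""
    ranges: List[Range] = []
    offset = 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            ca, cb = fa.read(chunk), fb.read(chunk)
            if not ca and not cb:
                break
            for s, e in diff_ranges(ca, cb):
                s, e = s + offset, e + offset
                if ranges and ranges[-1][1] == s:
                    ranges[-1] = (ranges[-1][0], e)   # continue previous run
                else:
                    ranges.append((s, e))
            offset += max(len(ca), len(cb))
    return ranges


def describe(path_a: str, path_b: str, ranges: List[Range], width: int = 16) -> List[str]:
    """Render each differing range as one line with the bytes from both files."""
    lines = []
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        for s, e in ranges:
            fa.seek(s); fb.seek(s)
            n = min(e - s, width)
            lines.append(f"0x{s:08x}-0x{e:08x}: {fa.read(n).hex()} -> {fb.read(n).hex()}")
    return lines


def demo() -> List[Range]:
    """Build two constructed 4 KiB 'snapshots' that differ in three places and
    diff them with a deliberately small chunk size to exercise the merge path."""
    base = bytes(range(256)) * 16                 # constructed sample data
    other = bytearray(base)
    other[0x100:0x104] = b"\xde\xad\xbe\xef"      # run inside one chunk
    other[1023] = 0x00                            # run straddling the 1024 boundary
    other[1024] = 0xFF
    other[0xFFF] = 0x00                           # single byte at the very end
    with tempfile.TemporaryDirectory() as tmp:
        pa, pb = os.path.join(tmp, "good.vmem"), os.path.join(tmp, "glitch.vmem")
        with open(pa, "wb") as f:
            f.write(base)
        with open(pb, "wb") as f:
            f.write(other)
        found = diff_files(pa, pb, chunk=1024)
        for line in describe(pa, pb, found):
            print(line)
    return found


if __name__ == "__main__":
    demo()
```

Run it on real files with `diff_files("snap_good.vmem", "snap_glitch.vmem")`; the chunk size only affects memory use, not the result, because runs that cross a chunk edge are merged.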
WaxfordSqueers
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Kayaker wrote: If you're locked up in Sice I'm not sure what you could do
Played around a bit and found that ctrl-alt-esc gets me out of ice and the vm. I can get right back to the host. However, if I re-enter the vm, I'm back in ice with a frozen mouse cursor and a blinking cursor in the command window. Weird.

I'll see if I can get a snapshot somehow.