softice loading

WaxfordSqueers
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

softice loading

Post by WaxfordSqueers »

Just out of curiosity, how did softice load during Windows boot? My understanding, which is likely wrong, is that softice loads Windows on top of it. I would think that means softice hooks key Windows modules. If that's close, what stops it hooking key W7 - x86 modules?
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Re: softice loading

Post by Kayaker »

Oh you wild and crazy guy, still trying to break things?

For one thing, you might remember that the files osinfo.dat and osinfob.dat were involved in keeping hard coded offsets for Softice hooking key kernel functions, for each Windows version.

At one point I made a rudimentary osinfo parser to try to understand its format, with the possible idea of updating for Win7/32. If you take a look at the screenshot attachments in this thread from my initial crude parser, there was apparently already support in the last osinfo.dat version for Win2K, XP, Server 2003 and early Vista with various unidentified hook offsets.

viewtopic.php?f=3&t=13162&start=17

The driver osidata.sys seems to have related info as you can also see references to function names and service pack numbers, which may function as a backup to the osinfo.dat files.

So in theory, yeah, there was a mechanism for updating Softice hooks; the last DS3.2.1 patch included updated cpthook.sys and ntice.sys files as well.

Someone over at exetools tried to run Softice under Vista with attempts at patching, but not surprisingly the idea is fraught with problems.

https://forum.exetools.com/showthread.php?t=11935

K.
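Kayaker's description above amounts to a table of per-build offsets for the kernel routines Softice hooks. The following is an added example (mine, not Softice's code, and not the real osinfo.dat layout, which the thread does not document) showing the pattern in miniature: a hypothetical record of build number, routine name, RVA and expected prologue bytes, a check that the bytes at the recorded offset still match before the offset is trusted, and a unique-signature scan as a fallback when a service pack has moved the routine. The 64-byte "kernel image" and the two routine names are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PROLOGUE_LEN 4

/* One hook target for one Windows build. Hypothetical record layout,
 * chosen for illustration; it is not the osinfo.dat format. */
struct hook_target {
    uint32_t build;                 /* NT build number the offset was recorded for */
    const char *name;               /* kernel routine the offset points at */
    uint32_t rva;                   /* offset from the kernel image base */
    uint8_t prologue[PROLOGUE_LEN]; /* bytes expected at that offset */
};

struct resolve_result {
    long rva;            /* >= 0 on success, -1 not found, -2 ambiguous */
    const char *source;  /* "table", "scan", or "none" */
};

/* Constructed 64-byte stand-in for an ntoskrnl image (not a real kernel). */
static const uint8_t g_kernel_image[64] = {
    /* RVA 0x10: mov edi,edi ; push ebp ; mov ebp,esp (one copy only) */
    [0x10] = 0x8B, 0xFF, 0x55, 0x8B, 0xEC,
    /* RVA 0x30 and 0x38: push ebp ; mov ebp,esp ; sub esp,imm8 (two copies) */
    [0x30] = 0x55, 0x8B, 0xEC, 0x83, 0xEC,
    [0x38] = 0x55, 0x8B, 0xEC, 0x83, 0xEC,
};

/* Hypothetical offset table: two routines, two builds each. */
static const struct hook_target g_table[] = {
    { 2600, "NtCreateFile", 0x10, {0x8B, 0xFF, 0x55, 0x8B} }, /* correct for this image */
    { 3790, "NtCreateFile", 0x20, {0x8B, 0xFF, 0x55, 0x8B} }, /* stale: image has zeros at 0x20 */
    { 2600, "KeBugCheck",   0x30, {0x55, 0x8B, 0xEC, 0x83} }, /* correct for this image */
    { 3790, "KeBugCheck",   0x28, {0x55, 0x8B, 0xEC, 0x83} }, /* stale, and the pattern is not unique */
};

#define TABLE_LEN (sizeof g_table / sizeof g_table[0])

static const struct hook_target *table_lookup(uint32_t build, const char *name) {
    size_t i;
    for (i = 0; i < TABLE_LEN; i++)
        if (g_table[i].build == build && strcmp(g_table[i].name, name) == 0)
            return &g_table[i];
    return NULL;
}

/* A hardcoded offset is trusted only if the bytes it points at still
 * look like the expected prologue; a service pack that moved the routine
 * fails this check instead of getting a hook written into the wrong code. */
static int target_verifies(const uint8_t *image, size_t len, const struct hook_target *t) {
    if (t->rva > len || len - t->rva < PROLOGUE_LEN)
        return 0;
    return memcmp(image + t->rva, t->prologue, PROLOGUE_LEN) == 0;
}

/* Fallback: scan the image for the prologue and accept only a unique hit. */
static long scan_unique(const uint8_t *image, size_t len, const uint8_t *pat) {
    long hit = -1;
    size_t i;
    if (len < PROLOGUE_LEN)
        return -1;
    for (i = 0; i + PROLOGUE_LEN <= len; i++) {
        if (memcmp(image + i, pat, PROLOGUE_LEN) == 0) {
            if (hit >= 0)
                return -2;          /* second match: ambiguous, refuse to guess */
            hit = (long)i;
        }
    }
    return hit;
}

struct resolve_result resolve_hook(const uint8_t *image, size_t len,
                                   uint32_t build, const char *name) {
    struct resolve_result r = { -1, "none" };
    const struct hook_target *t = table_lookup(build, name);
    const uint8_t *pat = NULL;
    size_t i;

    if (t && target_verifies(image, len, t)) {
        r.rva = t->rva;
        r.source = "table";
        return r;
    }
    /* No entry for this build, or a stale one: reuse the prologue recorded
     * for any build of the same routine as the scan pattern. */
    if (t) {
        pat = t->prologue;
    } else {
        for (i = 0; i < TABLE_LEN; i++)
            if (strcmp(g_table[i].name, name) == 0) { pat = g_table[i].prologue; break; }
    }
    if (!pat)
        return r;
    r.rva = scan_unique(image, len, pat);
    r.source = r.rva >= 0 ? "scan" : "none";
    return r;
}

int main(void) {
    const uint32_t builds[] = { 2600, 3790, 7600 };
    const char *names[] = { "NtCreateFile", "KeBugCheck" };
    size_t b, n;
    for (b = 0; b < 3; b++) {
        for (n = 0; n < 2; n++) {
            struct resolve_result r = resolve_hook(g_kernel_image, sizeof g_kernel_image,
                                                   builds[b], names[n]);
            printf("build %u %-12s rva=%ld via %s\n", builds[b], names[n], r.rva, r.source);
        }
    }
    return 0;
}
```

The KeBugCheck case for build 3790 is the one to note: the stored offset is wrong and the prologue occurs twice, so the resolver returns -2 rather than hooking the first match it finds. That is the failure mode a per-version offset file has to handle when it is carried to a build it was never generated for.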
WaxfordSqueers
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Re: softice loading

Post by WaxfordSqueers »

Kayaker wrote: Sat Oct 09, 2021 8:53 pm
Oh you wild and crazy guy, still trying to break things?

You don't know the half of it. I have delusions of grandeur that I may even be able to convert it to 64 bit. It is always in the back of my mind, awaiting times when other obligations give me the time.

Reminds me of my dreams as a kid. A friend's dad had an airplane propeller and wheels in his garage and we started making plans to build an airplane. Have not progressed much since age 8.

It's interesting that Amigo at the exetools site actually got it running on Vista. Since Vista is closer to W7 than XP it is encouraging. I noted that he added files to ntoskrnl, which is what I was working on for XP. Over at the win-raid site they have gone so far as to use W8 and W10 files on XP. They (not at win-raid) have replaced ntoskrnl with a modded version and they are using a released code version of Windows to add functions as code then re-compiling using a DDK.

I noted that deroko contributed to the thread. Wonder if he is still around, he helped me in the past with softice issues.

Kayaker wrote: Sat Oct 09, 2021 8:53 pm
For one thing, you might remember that the files osinfo.dat and osinfob.dat were involved in keeping hard coded offsets for Softice hooking key kernel functions, for each Windows version.

Remember them well but never fully understood the implication. If I am reading you correctly, the OSxxxx files could be used to hold functions required for ntoskrnl, or whatever.

The question remains as to whether something is built in to W7 security-wise to prevent hooking Windows modules. Seems unlikely if Vista allows it.