softice loading

Posted: Fri Oct 08, 2021 11:08 pm
by WaxfordSqueers
Just out of curiosity, how did softice load during Windows boot? My understanding, which is likely wrong, is that softice loads Windows on top of it. I would think that means softice hooks key windows modules. If that's close, what stops it hooking key W7 - x86 modules?

Re: softice loading

Posted: Sat Oct 09, 2021 8:53 pm
by Kayaker
Oh you wild and crazy guy, still trying to break things?

For one thing, you might remember that the files osinfo.dat and osinfob.dat were involved in keeping hard coded offsets for Softice hooking key kernel functions, for each Windows version.

At one point I made a rudimentary osinfo parser to try to understand its format, with the possible idea of updating for Win7/32. If you take a look at the screenshot attachments in this thread from my initial crude parser, there was apparently already support in the last osinfo.dat version for Win2K, XP, Server 2003 and early Vista with various unidentified hook offsets.

viewtopic.php?f=3&t=13162&start=17

The driver osidata.sys seems to have related info as you can also see references to function names and service pack numbers, which may function as a backup to the osinfo.dat files.

So in theory, yeah there was a mechanism for updating Softice hooks, the last DS3.2.1 patch included updated cpthook.sys and ntice.sys files as well.

Someone over at exetools tried to run Softice under Vista with attempts at patching, but not surprisingly the idea is fraught with problems.

https://forum.exetools.com/showthread.php?t=11935

K.

Re: softice loading

Posted: Sat Oct 09, 2021 10:24 pm
by WaxfordSqueers
Kayaker wrote: Sat Oct 09, 2021 8:53 pm
Oh you wild and crazy guy, still trying to break things?
You don't know the half of it. I have delusions of grandeur that I may even be able to convert it to 64 bit. It is always in the back of my mind, awaiting times when other obligations give me the time.

Reminds me of my dreams as a kid. A friend's dad had an airplane propeller and wheels in his garage and we started making plans to build an airplane. Have not progressed much since age 8.

It's interesting that Amigo at the exetools site actually got it running on Vista. Since Vista is closer to W7 than XP it is encouraging. I noted that he added files to ntoskrnl, which is what I was working on for XP. Over at the win-raid site they have gone so far as to use W8 and W10 files on XP. They (not at win-raid) have replaced ntoskrnl with a modded version and they are using a released code version of Windows to add functions as code then re-compiling using a DDK.

I noted that deroko contributed to the thread. Wonder if he is still around, he helped me in the past with softice issues.
Kayaker wrote: Sat Oct 09, 2021 8:53 pm
For one thing, you might remember that the files osinfo.dat and osinfob.dat were involved in keeping hard coded offsets for Softice hooking key kernel functions, for each Windows version.
Remember them well but never fully understood the implication. If I am reading you correctly, the OSxxxx files could be used to hold functions required for ntoskrnl, or whatever.

The question remains as to whether something is built in to W7 security-wise to prevent hooking windows modules. Seems unlikely if Vista allows it.