View Full Version : SoftIce - Own Data Type casting problem!


NaZAf
January 14th, 2008, 17:53
Hi,
I am running SoftICE and I found an interesting pointer; I know this pointer stores a known structure. Unfortunately, I don't have symbols (.DBG) for the binary.

Is it possible to cast the pointer to the specified structure, like this:
? (MyStruct*) 0x0012FC60

Kayaker
January 14th, 2008, 19:12
You should be able to. If it's a known structure as you say, load the NMS file for the appropriate system module where it's defined. Then use the TABLE command to load that particular symbol table (you can only use one at a time). Then use the TYPES command to get a list of known structures and the correct spelling to use.

i.e.
TABLE ntdll

TYPES LIST*
outputs
>LIST_ENTRY64
>LIST_ENTRY32

TYPES LIST_ENTRY32
outputs structure definition

Then much like you've written, cast the structure type

? (LIST_ENTRY32) address

Not too sure if you can use a * dereference pointer like you've written, you might have to dereference the address itself, if you know what I mean.


If it's a user (program) defined structure, or isn't present in any system NMS file, then you could probably use Mostek's Ida2Softice to create an NMS file for your program file where the structure is predefined by you, and follow the same procedure.

NaZAf
January 14th, 2008, 20:22
Actually the structure is available in a common COM header file oaidl.h.
It is the VARIANT structure. What should I do here?

Compile a C++ source (.cpp) file that uses this structure and use SoftIce Symbols Loader to get the .NMS file and then load it in SoftIce?

Kayaker
January 15th, 2008, 03:14
Yeah you could do that. In MS Visual C++6 I use a Custom Build setting for debug versions to produce NMS files. Under Custom Build are the following two lines:

Commands:
$(DRIVERWORKS)\bin\nmsym /trans:source,package,always $(TARGETPATH)

Outputs:
.\Debug\$(TARGETNAME).nms


In theory if you define the VARIANT structure it should be included in the TYPES listing for that symbol file and you can then make use of it.

If you can't do it that way then you might be able to read the structure into IDA (parse as a header file include) into any old test program, then create an NMS file for it using I2S as I mentioned above. Then load the NMS into Softice. It probably doesn't matter what NMS module contains the structure definition, as long as you can get Softice to recognize it through the TABLE and TYPE commands.


If you happen to have VMWare, the /system32/V2iDiskLib.dll file has the tagVARIANT structure already defined and will be recognized by IDA.
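
Added example (not part of the thread or any poster's code): when no NMS file with the VARIANT type is at hand, the 16 bytes at the pointer can be decoded by hand from the tagVARIANT layout in oaidl.h. It assumes a 32-bit little-endian process; the function name `decode_variant32` and the sample dumps are constructed for illustration.

```python
import struct

# VARTYPE values from wtypes.h (subset); flag bits are OR-ed onto the base type.
VT_NAMES = {0: "VT_EMPTY", 1: "VT_NULL", 2: "VT_I2", 3: "VT_I4", 4: "VT_R4",
            5: "VT_R8", 8: "VT_BSTR", 9: "VT_DISPATCH", 10: "VT_ERROR",
            11: "VT_BOOL", 13: "VT_UNKNOWN", 17: "VT_UI1", 19: "VT_UI4"}
VT_ARRAY, VT_BYREF, VT_TYPEMASK = 0x2000, 0x4000, 0x0FFF
SCALAR_FMT = {2: "<h", 3: "<i", 4: "<f", 5: "<d", 10: "<i", 11: "<h",
              17: "<B", 19: "<I"}
POINTER_TYPES = {8, 9, 13}  # BSTR, IDispatch*, IUnknown*


def decode_variant32(raw):
    """Decode one 16-byte VARIANT as laid out in a 32-bit process."""
    if len(raw) < 16:
        raise ValueError("a 32-bit VARIANT is 16 bytes")
    vt = struct.unpack_from("<H", raw, 0)[0]   # offset 0: VARTYPE vt
    base = vt & VT_TYPEMASK                    # offsets 2..7: wReserved1..3
    name = VT_NAMES.get(base, "VT_0x%X" % base)
    for bit, label in ((VT_ARRAY, "VT_ARRAY"), (VT_BYREF, "VT_BYREF")):
        if vt & bit:
            name += "|" + label
    if vt & (VT_ARRAY | VT_BYREF) or base in POINTER_TYPES:
        # The union at offset 8 holds a 32-bit pointer, not the value itself.
        kind, value = "pointer", struct.unpack_from("<I", raw, 8)[0]
    elif base in SCALAR_FMT:
        kind, value = "value", struct.unpack_from(SCALAR_FMT[base], raw, 8)[0]
        if base == 11:                         # VARIANT_BOOL: 0 or -1
            value = value != 0
    elif base in (0, 1):
        kind, value = "none", None
    else:
        kind, value = "raw", raw[8:16].hex()   # types this sketch does not decode
    return {"vt": vt, "type": name, "kind": kind, "value": value}


# Constructed sample dumps (not taken from the thread).
SAMPLES = [
    bytes.fromhex("0300000000000000d204000000000000"),  # VT_I4 = 1234
    bytes.fromhex("0b00000000000000ffff000000000000"),  # VT_BOOL = TRUE
    bytes.fromhex("08400000000000003c4a150000000000"),  # VT_BSTR|VT_BYREF
]

if __name__ == "__main__":
    for dump in SAMPLES:
        print(decode_variant32(dump))
```

A "pointer" result still has to be followed in the debugger: for VT_BSTR the address points at the string's first character, and VT_BYREF adds one more level of indirection.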