deciphering osinfo.dat for softice


WaxfordSqueers
December 2nd, 2008, 00:01
Does anyone know exactly how osinfo.dat and osinfob.dat work in softice?

I had softice working well on a barebones XP SP2 setup but I am considering updating to SP3 for security reasons. I have recently discovered the vulnerabilities in my wireless router and need SP3 functionality for WPA2 encryption on the wireless signal.

I tried a trial SP3 update, using system restore to remove SP3 later, and softice worked basically. With SP3, the mouse froze on exit from softice (alt-D). At the same time, I installed it on a VM with XP SP3, and it works, with no mouse freeze on ice exit, but I have apparent issues with osinfo.dat.

Both in the non-VM and VM versions, softice complains about API Hook Failures for: MiCopyOnWrite and EHCI: RemoveQueueHeadFromPeriodicList, the latter being a USB function. I have noted that I am using a USB mouse and that the freeze comes on exit from ice in non-VM XP but not in VM-based XP with SP3. I suspect the USB hook failure may be related to that.

According to Deroko (hi Deroko) the MiCopyOnWrite failure doesn't cause a problem and the other hook is USB related. I checked the USB function by loading osinfo.dat as a binary in IDA. It doesn't make a lot of sense to my inexperienced eye but I did notice some code accompanying certain functions that seems to be used as a signature. The code is preceded by a hex byte, which may be telling softice how many bytes to count in for the signature. That would make sense, possibly, if osinfo.dat is looking to compare file versions.

Also, at the beginning of osinfo.dat, there are several empty fields that may be filled in at load time. I really need a way to watch osinfo in action. Any ideas? There are also references to SP0, SP1 and SP2.

Kayaker
December 3rd, 2008, 00:16
Yeah, good luck with that

I've been taking a look at it, and not for the first time. I think it would really require live tracing of the INIT of ntice.sys to fully understand how the osinfo files are parsed. There may be a way of doing that which I'll mention in a moment.

The problem as a whole is that those files, and the code, are configured to only support XP sp0,sp1,sp2. It would be difficult to "patch in" support for sp3 even if you did figure out what all the fields are for. I believe some of them are OS specific ETHREAD and EPROCESS offsets as well.

As well, osidata.sys and siksym.sys seem to contain hardcoded copies of the osinfo.dat files (not sure if they are exact copies, a bit of hex comparing would determine that).


If you disasm DriverEntry of ntice.sys you'll see where the strings for the osinfo.dat files are pushed and a call is made which reads the files into memory (ExAllocatePool, ZwReadFile). There is also a call which uses the allocated memory block, along with the current Build, Version and Service Pack, to parse through some of the offsets. Here it gets really complicated with only a static analysis.


If you want to try live tracing DriverEntry of ntice.sys and walk through the osinfo.dat handling procs, here is a possible way of doing it. I'd actually be interested to see if someone else is able to do this, unfortunately I kept getting Fatal System Error crashes, even though by all accounts I shouldn't have.

What you can do is use WinDbg and VMWare to debug loading of ntice.sys, exactly the same as you would do with any driver for remote debugging. Here are the steps:

Set up VMWare and WinDbg following the instructions at

http://silverstr.ufies.org/lotr0/windbg-vmware.html
http://www.catch22.net/tuts/vmware


Now what you need to do is break on DriverEntry. I don't know if there is a specific, better way to do that with remote debugging, but what I do is to break on the call in IopLoadDriver which directly calls DriverEntry for any driver.

We've talked about it several times before in various threads, many people are familiar with this, there is a characteristic call in IopLoadDriver
call dword ptr [edi+2Ch]


The easiest way to find it is to set a breakpoint at the end of DriverEntry in your own driver and trace back into ntoskrnl, or just figure out the address from a disassembly.


Code:

nt!IopLoadDriver
PAGE:004CF9C9 FF B5 70 FF FF FF push [ebp+P]
PAGE:004CF9CF 57 push edi
PAGE:004CF9D0 FF 57 2C call dword ptr [edi+2Ch] ; DriverEntry




Once you've started the /debug version of VMWare, you start up the remote connection of WinDbg. Once it's ready you can set a breakpoint on the call [edi+2Ch] to catch the loading of ANY driver with (address is 805a69d0 on my system)

kd> bp 805a69d0

Now in VMWare start Softice. Softice will show the DOS box and everything will freeze. Go back to Windbg, wait a few moments and the disassembly window should show:

Code:

kd> g
Breakpoint 0 hit

805a69d0 ff572c call dword ptr [edi+2Ch]


Single step into this and you are in ntice.sys!


Now in theory you should be able to step through everything. In practice I kept getting the Fatal System Error crashes. I could explain where and why and why there *shouldn't* have been a crash, but I won't bother boring you. I'd rather someone else try it and see the results.

If the VMWare/WinDbg setup doesn't quite work with the quirky Softice, maybe a true remote debugging session with 2 computers might work better.


Maybe you can solve your specific problems in a simpler way, but I agree it would be nice to have an XP sp3 or sp4 compatible Softice.

Cheers,
Kayaker
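Kayaker's recipe pins the `call dword ptr [edi+2Ch]` site to a hard-coded address (805a69d0) that only holds for his ntoskrnl build. The following is an added example, not code from this thread or from SoftICE: a small Python byte-signature scanner that finds that call site in a flat dump of ntoskrnl's code mapped at a known base (for instance a region saved from the debugger with WinDbg's `.writemem`), wildcards the build-specific `push [ebp+P]` displacement, and refuses to emit a breakpoint unless the signature matches exactly once. The signature bytes are the ones in the disassembly above; the sample "dump", its base and the resulting address are constructed so that they line up with the 805a69d0 quoted in the post, and are not a real ntoskrnl.

```python
import re
from typing import List


def compile_signature(sig: str) -> re.Pattern:
    """Turn an IDA-style byte signature ("FF B5 ?? ?? ?? ?? 57 FF 57 2C")
    into a compiled bytes regex; "??" matches any single byte."""
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so the wildcard also matches 0x0A bytes.
    return re.compile(b"".join(parts), re.DOTALL)


def find_signature(image: bytes, base: int, sig: str, call_offset: int = 0) -> List[int]:
    """Return the virtual address of every match of `sig` in `image`, which is
    assumed to be a flat dump mapped at `base`. `call_offset` is added so the
    result points at the instruction of interest, not the start of the pattern."""
    pat = compile_signature(sig)
    return [base + m.start() + call_offset for m in pat.finditer(image)]


# Bytes around IopLoadDriver's indirect call to DriverEntry, from the listing
# in the thread:
#   FF B5 70 FF FF FF   push [ebp+P]        (P differs per build: wildcarded)
#   57                  push edi
#   FF 57 2C            call dword ptr [edi+2Ch]
IOPLOADDRIVER_CALL_SIG = "FF B5 ?? ?? ?? ?? 57 FF 57 2C"
CALL_OFFSET = 7  # the call is the 8th byte of the pattern

# Constructed sample standing in for a dump of the PAGE section (assumption:
# not a real kernel image). Base is chosen so the hit lands on 805A69D0.
SAMPLE_BASE = 0x805A6989
SAMPLE_IMAGE = (b"\x90" * 0x40
                + bytes.fromhex("FFB570FFFFFF57FF572C")
                + b"\xcc" * 0x20)


def locate_driverentry_call(image: bytes = SAMPLE_IMAGE, base: int = SAMPLE_BASE) -> int:
    """Locate the call site. A signature that matches zero or several times is
    rejected: breaking on the wrong site is worse than having no breakpoint."""
    hits = find_signature(image, base, IOPLOADDRIVER_CALL_SIG, CALL_OFFSET)
    if len(hits) != 1:
        raise ValueError(f"signature matched {len(hits)} times, expected exactly 1")
    return hits[0]


if __name__ == "__main__":
    print(f"kd> bp {locate_driverentry_call():08x}")
```

The same scanner is the check you would run before trying to "patch in" a signature for a function such as MiCopyOnWrite for a new service pack: dump the relevant section of the new ntoskrnl, confirm the candidate byte pattern is unique in it, and only then consider editing the data file.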

smoke
December 3rd, 2008, 10:51
Quote:
[Originally Posted by Kayaker;78040]
Maybe you can solve your specific problems in a simpler way, but I agree it would be nice to have an XP sp3 or sp4 compatible Softice.


It does work actually. I have a pc with Windows XP SP3 and SoftICE couldn't work better there.

deroko
December 3rd, 2008, 11:34
Quote:
[Originally Posted by WaxfordSqueers;78018]
Both in the non-VM and VM versions, softice complains about API Hook Failures for: MiCopyOnWrite and EHCI: RemoveQueueHeadFromPeriodicList, the latter being a USB function. I have noted that I am using a USB mouse and that the freeze comes on exit from ice in non-VM XP but not in VM-based XP with SP3. I suspect the USB hook failure may be related to that.


You may solve this issue by using the PAE version of the kernel. It will solve problems with MiCopyOnWrite (I've confirmed this for both sp2/sp3 as I use both of them). I use a USB mouse on my laptop and it doesn't cause any problems. I'm really not sure what RemoveQueueHeadFromPeriodicList is used for, but as long as SoftIce works, I don't care

Quote:

According to Deroko (hi Deroko) the MiCopyOnWrite failure doesn't cause a problem and the other hook is USB related.


Hi

Well, MiCopyOnWrite is related to the Windows memory manager and copy-on-write pages, a trick used by Windows to save memory when loading images unless a write occurs. For example, ntdll shares the same physical address in all processes, but when you write to it MiCopyOnWrite will copy the physical pages to a different location so you may write there without touching the "real" ntdll. Try writing a byte to ntdll from your driver with CR0 WP off, and that change will be visible in all processes, but if you do the same thing from an r0 process, that write will only reflect in your process memory space, thanks to MiCopyOnWrite, which is called in the 2nd example but not in the 1st: as you bypass OS write protection by disabling WP in CR0, MiCopyOnWrite will never be called. I assume that SoftICE uses this so it can remove breakpoints when a break is set, but due to MiCopyOnWrite the page is moved to a different physical address.

Lets take a simple example:
bpx ntdll!NtCreateFile <---- sets break in all processes
now you do some writing to ntdll near NtCreateFile which makes NtCreateFile to move to different Physical frame
bd 0 <---- to delete it in context of process in which write occured

Without MiCopyOnWrite, bd 0 (the NtCreateFile break) would be removed only from your process, but by knowing and keeping track of which physical frames are "the same", softice can remove the breakpoint from the unchanged ntdll (global for all) and from your physical frame. I assume that's the reason why they have a hook in MiCopyOnWrite, as it's the most logical explanation, at least to me

WaxfordSqueers
December 3rd, 2008, 12:01
Quote:
[Originally Posted by Kayaker;78040]Yeah, good luck with that


Hey, Kayaker...how's it going. Ready for the coalition?

Just a quick note to acknowledge receipt of your welcome and detailed report. I'll get on the VMWare - softice setup but it may take a few days. I'm still running a bare SP2 system on my non-VM side but I'd like to use WinDbg to d/l symbols for the VM, which is SP3. I want to compare the initial bytes in functions like MiCopyOnWrite between SP2 and SP3 to see if osinfo.dat is referencing those bytes.

Although your method sounds more challenging and exciting, I'm wondering if patching osinfo on an as-needed basis might work too. Right now, softice INIT is only choking on two functions. I don't know if maybe there will be other difficulties along the way.

As far as patching the whole file for SP3, do you think it might be feasible to patch the SP2 section as-needed? Say, for example, it is using bytes from the function header as a signature, could we just change the bytes? Or is it a lot more complex?

I'm bothered by the fact they did not use a method in osinfo to find the location of the missing file in SP2. I know there's a lot of naivete in what I'm saying. When they give an error code, "API Hook Failure" it seems they are saying they can't find the file at the expected address.

I came across this print out of someone's INIT on the net and here's part of it:

SoftICE (R) - DriverStudio (tm) 4.3.0 (Build 1268)
Windows NT Version 5.0 - Build 2195 SP 4

NTICE: IoConnectInterrupt found at 804CF0E3
NTICE: IoDisconnectInterrupt found at 804CF93B
NTICE: MiMapViewOfImageSection found at 8044384E
NTICE: MmUnmapViewOfSection found at 804A240A
NTICE: MiAddValidPageToWorkingSet found at 80442C25
NTICE: KeBugCheckEx found at 8042C762
NTICE: MiCopyOnWrite found at 8044F26B
NTICE: HalDisplayString found at 8006748C
NTICE: RtlAssert found at 8045A91B
NTICE: USBD_AllocateUsbAddress found at ED35331E
NTICE: USBD_ParseConfigurationDescriptorEx found at ED353D6E
NTICE: UHCD_RemoveQueueHeadFromSchedule found at ED33A02C
NTICE: UHCD_InsertQueueHeadInSchedule found at ED339ED6
NTICE: HalpBiosDisplayReset found at 800670C4
NTICE: RtlAssert end found at 8045A9CF
NTICE: NTTerminateProcess found at index 00E0.

Note that NTICE INIT is looking for MiCopyOnWrite at 8044F26B

As you say, they came along later with osinfo.dat and actually built it into the driver, but is it doing anything more than looking up pointers where the function 'should' be, then verifying it with a signature?

I'd be interested in the source of the error message, "API HOOK FAILURE". I think it might lead back to the checking routine.

I'll get back to you.

WaxfordSqueers
December 3rd, 2008, 12:12
Quote:
[Originally Posted by smoke;78047]It does work actually. I have a pc with Windows XP SP3 and SoftICE couldnt work better there.


That's good news. Any chance you could give a little more detail? For example, what's the file size of your osinfo.dat and osinfob.dat? When softice first boots, and you ctrl-d into the softice window, type wc plus enter in the bottom window to get rid of the code window. Look at the INIT log and see if you have any errors indicated, such as an API Hook Failure. You may have to scroll up. Any errors should be highlighted.

WaxfordSqueers
December 3rd, 2008, 13:36
Quote:
[Originally Posted by deroko;78049]You may solve this issue by using PAE version of kernel. It will solve problems with MiCopyOnWrite (I've confirmed this for both sp2/sp3 as I use both of them). I use USB mouse on my laptop...


Hey, Deroko...how's life? I tried the PAE directive in the VM, which uses XP with SP3. It doesn't get rid of the INIT errors but I haven't tried to use softice extensively in the VM. The USB mouse works fine both in and out of the softice window.

As far as I understand, using PAE limits the amount of accessible memory in XP. I think the CopyOnWrite function accesses paging memory, doesn't it? Maybe it operates in a different manner with the PAE memory setup.

Thanks for the CopyOnWrite tute. I looked up the EHCI function a phrase at a time and it led to this Intel spec for EHCI (Enhanced Host Controller Interface), which is a USB 2.0 spec to deal with USB 1.1 and on. The periodic table reference is one of two USB modes: periodic and asynchronous. Async is like RS-232, where the data is irregular. Periodic refers to Interrupts or what they call isochronous, which I think refers to synchronous. Anyway, there are also two other modes, at least, which is fast and slow devices. The periodic list just keeps track of the modes, whether interrupt driven or isochronous.

The queue head holds a linked list of transfer descriptors. So I guess the EHCI - RemoveQueueHeadFromPeriodicList is a lot like a message fetch in windows messaging...or it clears the message queue...or whatever. Here's the link to the EHCI spec:

http://www.intel.com/technology/usb/download/ehci-r10.pdf

Here's a link that explains USB better:

http://www.beyondlogic.org/usbnutshell/usb1.htm

deroko
December 3rd, 2008, 14:35
Quote:
[Originally Posted by WaxfordSqueers;78053]Hey, Deroko...how's life?


Quite good

Quote:

As far as I understand, using PAE limits the amount of accessible memory in XP. I think the CopyOnWrite function accesses paging memory, doesn't it? Maybe it operates in a different manner with the PAE memory setup.


Actually no, PAE enables the OS to use more than 4GB of RAM. Although you as a programmer can't go beyond a 4GB virtual address space, this allows the system to map memory with 36 bits, which allows a total of 128GB of RAM, while this is not possible without PAE as physical page size is limited to 32 bits.

smoke
December 3rd, 2008, 15:49
Quote:
[Originally Posted by WaxfordSqueers;78051]That's good news. Any chance you could give a little more detail?


sure, here's the dump :
Code:

NTICE: Using I/O Apic at linear address BA6B5000
NTICE: Hooking IOAPIC vector at 93
NTICE: Hooking IOAPIC vector at A3
NTICE: Pentium TSC calibration, processor set to 1994.0 MHZ
SoftICE (R) - DriverStudio (tm) 3.2.1 (Build 2560)
Windows NT Version 5.1 - Build 2600 (Free) SP 3
smoke
78858678632a
Copyright (c) 2004 Compuware Corporation. All rights reserved.
NTICE: Inter-processor interrupts will use vector F9
NTICE: PS/2 device input will use interrupts
NTICE: PS/2 Mouse Detected
NTICE: 524K allocated for global heap
NTICE: 512K allocated for SYM memory
NTICE: 512K allocated for HST memory
NTICE: 32K allocated for HEAP memory
NTICE: 6K allocated for NAME memory
NTICE: 12K allocated for 32 breakpoints
NTICE: Top of physical memory is 00000000_77FB0000
NTICE: EXP=\SystemRoot\system32\kernel32.dll
NTICE: EXP=\SystemRoot\system32\user32.dll
NTICE: EXP=\SystemRoot\system32\gdi32.dll
NTICE: EXP=\SystemRoot\system32\ntkrnlpa.exe
NTICE: EXP=\SystemRoot\system32\hal.dll
NTICE: EXP=C:\WINDOWS\SYSTEM32\NTOSKRNL.EXE
Error: Exports already loaded for this module
NTICE: EXP=C:\WINDOWS\SYSTEM32\HAL.DLL
Error: Exports already loaded for this module
NTICE: EXP=C:\WINDOWS\SYSTEM32\NTDLL.DLL
NTICE: EXP=C:\WINDOWS\SYSTEM32\KERNEL32.DLL
Error: Exports already loaded for this module
NTICE: EXP=C:\WINDOWS\SYSTEM32\USER32.DLL
Error: Exports already loaded for this module
NTICE: EXP=C:\WINDOWS\SYSTEM32\DRIVERS\VIDEOPRT.SYS
NTICE: 154K allocated for 32 bit exports
NTICE: Loading symbol file win32k
NTICE: Loaded symbols from
C:\SYMSERVER\WIN32K.PDB\B8354F59A2A341179030B80ACC7969972\WIN32K.NMS
NTICE: Loading symbol file videoprt
NTICE: Loaded symbols from
C:\SYMSERVER\VIDEOPRT.PDB\66CB8EA979A742EABCB14A11545D6EBE1\VIDEOPRT.NMS
NTICE: Loading symbol file user32
NTICE: Loaded symbols from
C:\SYMSERVER\USER32.PDB\D18A41B74E7F458CAAAC1847E2D8BF022\USER32.NMS
NTICE: Loading symbol file ntoskrnl
NTICE: Loaded symbols from
C:\SYMSERVER\NTKRPAMP.PDB\7D6290E03E32455BB0E035E38816124F1\NTKRPAMP.NMS
NTICE: Loading symbol file ntdll
NTICE: Loaded symbols from
C:\SYMSERVER\NTDLL.PDB\1751003260CA42598C0FB326585000ED2\NTDLL.NMS
NTICE: Loading symbol file kernel32
NTICE: Loaded symbols from
C:\SYMSERVER\KERNEL32.PDB\34560E80F5C54175B208848EF863C5BD2\KERNEL32.NMS
NTICE: Loading symbol file halmacpi
NTICE: Loaded symbols from
C:\SYMSERVER\HALMACPI.PDB\9875FD697ECA4BBB8A475825F6BF885E1\HALMACPI.NMS
Macro: Memory allocated for 32 Macro entries
NTICE: *** API Hook Failure: EHCI_RemoveQueueHeadFromPeriodicList
NTICE: RtlAssert end found at 80855E31
NTICE: KDExtensions are enabled KDHeapSize=00001FA0 and KDStackSize=00008000
NTICE: Patching Keyboard using method 0
NTICE: Keyboard driver found - i8042prt.sys
NTICE: Keyboard successfully patched using RPUC hook
NTICE: Keyboard successfully patched lookup table using RPUC hook
NTICE: Found OHCI Host Controller at Bus 00 Device 13 Function 00
NTICE: Found OHCI Host Controller at Bus 00 Device 13 Function 01
NTICE: Found OHCI Host Controller at Bus 00 Device 13 Function 02
NTICE: Found OHCI Host Controller at Bus 00 Device 13 Function 03
NTICE: Found OHCI Host Controller at Bus 00 Device 13 Function 04
NTICE: Found EHCI Host Controller at Bus 00 Device 13 Function 05
NTICE: Found 6 USB Host Controllers. USB HID support will be available.
NTICE: 6K allocated for use by USB HID devices


The only problem seems to be when it's trying to hook EHCI_RemoveQueueHeadFromPeriodicList

And the sizes of osinfo and osinfob:
Code:

osinfo filesize: 474.346 bytes
osinfob filesize: 356.884 bytes

WaxfordSqueers
December 4th, 2008, 04:30
Quote:
[Originally Posted by deroko;78055]Actually no, PAE enables to OS to use more then 4GB of RAM....


thanks for clarification. Any thoughts on USB? I note that smoke is using a PS/2 mouse yet he gets API Hook Failure on EHCI function as well. He hasn't complained about any mouse malfunctions in or out of ice. Also, I don't get that problem under SP3 in VM where mouse is emulated.

WaxfordSqueers
December 4th, 2008, 04:39
Quote:
[Originally Posted by smoke;78057]sure, here's the dump :


smoke...thanks for dump. The EHCI_RemoveQueueHeadFromPeriodicList is a strange one. You are using a PS/2 mouse and I'm using a USB mouse. Probably why mine freezes on exit from ice under SP3.

Then again, I note you are using the latest osinfo.dat files. For whatever reason, I am not. I did at one time and think I rolled them back when I went back to a barebones SP2 setup. I'll have to try your version again with SP3.

deroko
December 4th, 2008, 10:32
Did you apply the latest patches for softice? I'm using a usb mouse on my live system (hate using vmware) and it works without a problem, even if ApiHookFailure occurs on EHCI_xxx, and all symbols are up to date. Oh, and I'm using sp3 also...

WaxfordSqueers
December 4th, 2008, 11:38
Quote:
[Originally Posted by deroko;78070]did you apply latest patches for softice? I'm using usb mouse on my live system (hate using vmware) and it works without a problem, even if ApiHookFailure occurs on EHCI_xxx + all symbols are up to date oh, and I'm using sp3 also...


I'm looking at that right now. I had SP2 for a long time and I was updating it from Micro$oft. After one set of upgrades, softice stopped working, but I wasn't using it and did not know that. So, I don't know which upgrade caused the problem. I rolled back to plain SP2, with a repair install, and that fixed it.

For some reason, I reinstalled older osinfo.dat files and did not upgrade them again. They worked great with a bare SP2 install, but with a full SP3 the mouse froze on exit from ice. When smoke posted his osinfo file size, I realized I was using an older version. I will reinstall SP3 and try it with the newer osinfo files. It does work in the VM with SP3 and the latest osinfo files

I'm interested in Kayaker's idea of tracing through NTICE while it loads, however, so I want to try that too.

deroko
December 6th, 2008, 10:07
Oops, wrong calculation: 2^36 = 64 GB for PAE, not 128 GB. My bad

WaxfordSqueers
December 6th, 2008, 12:29
Quote:
[Originally Posted by deroko;78093]Oops, wrong calculation: 2^36 = 64 GB for PAE, not 128 GB. My bad

Either way, it will be a while before I turn PAE on again.

Kayaker
December 9th, 2008, 23:57
Here's a little undocumented VER command that displays all the ntice hooks present.

Just type into Softice
ver ahk

Presumably that stands for something like "all hooks"

This is the output from my xpsp2 system. EHCI_RemoveQueueHeadFromPeriodicList shows OK status. If you guys are finding that the hook has failed, it's possible it's because of the UsbEHCI.sys version. Maybe you could downgrade to an earlier version?


Code:

:ver ahk

NT API Hook function 0: IoConnectInterrupt
Hook address : 805AE6C1 Module: Ntoskrnl.exe
Handler : EC39BF90 StartSearchFn:
RetHandler : EC39C060
OSI ID : FA000001
First byte : 0
Enable * : 0 (=0)
Status : OK
NT API Hook function 1: IoDisconnectInterrupt
Hook address : 805AE124 Module: Ntoskrnl.exe
Handler : EC39C088 StartSearchFn:
RetHandler : EC39C09B
OSI ID : FA000002
First byte : 0
Enable * : 0 (=0)
Status : OK
NT API Hook function 2: MiMapViewOfImageSection
Hook address : 805877F6 Module: Ntoskrnl.exe
Handler : EC39C0C5 StartSearchFn: NtQuerySystemInformation
RetHandler : EC39C1E0
OSI ID : FA000004
First byte : 0
Enable * : 0 (=0)
Status : OK
NT API Hook function 3: MiUnmapViewOfSection
Hook address : 80580367 Module: Ntoskrnl.exe
Handler : EC39C486 StartSearchFn: FsRtlGetFileSize
RetHandler : 0
OSI ID : FA000006
First byte : 0
Enable * : 0 (=0)
Status : OK
NT API Hook function 4: MiAddValidPageToWorkingSet
Hook address : 804EAA28 Module: Ntoskrnl.exe
Handler : EC39D3FE StartSearchFn: KeReleaseSemaphore
RetHandler : EC39D3FF
OSI ID : FA000008
First byte : 0
Enable * : 0 (=0)
Status : OK
NT API Hook function 5: KeBugCheck2
Hook address : 80536CAC Module: Ntoskrnl.exe
Handler : EC39D458 StartSearchFn: KeDeregisterBugCheckReasonCallback
RetHandler : 0
OSI ID : FA000009
First byte : 0
Enable * : 0 (=0)
Status : OK
NT API Hook function 6: MiCopyOnWrite
Hook address : 804FBF5C Module: Ntoskrnl.exe
Handler : EC39C5D6 StartSearchFn: PsGetProcessSectionBaseAddress
RetHandler : EC39C5DC
OSI ID : FA00000B
First byte : 0
Enable * : 0 (=0)
Status : OK
NT API Hook function 7: HalDisplayString
Hook address : 80708916 Module: hal.dll
Handler : EC39D5CF StartSearchFn:
RetHandler : 0
OSI ID : FA00000C
First byte : 0
Enable * : 0 (=0)
Status : OK
NT API Hook function 8: RtlAssert
Hook address : 80542D48 Module: Ntoskrnl.exe
Handler : EC39D5D7 StartSearchFn:
RetHandler : EC39D62F
OSI ID : FA00000D
First byte : 0
Enable * : 0 (=0)
Status : OK
NT API Hook function 9: HidP_TranslateUsageAndPagesToI8042ScanCodes
Hook address : 0 Module: HidParse.sys
Handler : EC39CB4A StartSearchFn:
RetHandler : EC39CB74
OSI ID : FA00000E
First byte : 0
Enable * : EC3DA394 (=1)
Status : NOT FOUND
NT API Hook function 11: USBD_ParseConfigurationDescriptorEx
Hook address : 0 Module: Usbd.sys
Handler : 0 StartSearchFn:
RetHandler : 0
OSI ID : FA000011
First byte : 0
Enable * : EC3D00CC (=0)
Status : NOT FOUND
NT API Hook function 12: KbdHid_PnpComplete
Hook address : 0 Module: Kbdhid.sys
Handler : EC39D696 StartSearchFn:
RetHandler : EC39D697
OSI ID : FA000012
First byte : 0
Enable * : EC3DA394 (=1)
Status : NOT FOUND
NT API Hook function 13: MouHid_PnpComplete
Hook address : 0 Module: Mouhid.sys
Handler : EC39D6B0 StartSearchFn:
RetHandler : EC39D6B1
OSI ID : FA000013
First byte : 0
Enable * : EC3DA394 (=1)
Status : NOT FOUND
NT API Hook function 17: UhciInsertQh
Hook address : F8A895AA Module: UsbUHCI.sys
Handler : EC39CBEC StartSearchFn:
RetHandler : 0
OSI ID : FA000017
First byte : 0
Enable * : EC3DA394 (=1)
Status : OK
NT API Hook function 18: UhciUnlinkQh
Hook address : F8A89604 Module: UsbUHCI.sys
Handler : EC39CBF6 StartSearchFn:
RetHandler : 0
OSI ID : FA000018
First byte : 0
Enable * : EC3DA394 (=1)
Status : OK
NT API Hook function 19: USBPORT_AllocateUSBAddress
Hook address : F7C3562A Module: UsbPort.sys
Handler : EC39D671 StartSearchFn:
RetHandler : EC39D672
OSI ID : FA000019
First byte : 0
Enable * : EC3DA394 (=1)
Status : OK
NT API Hook function 20: OHCI_RemoveEndpointFromSchedule
Hook address : 0 Module: UsbOHCI.sys
Handler : EC39CBDF StartSearchFn:
RetHandler : 0
OSI ID : FA00001A
First byte : 0
Enable * : EC3DA394 (=1)
Status : NOT FOUND
NT API Hook function 21: HalpBiosDisplayReset
Hook address : 8070854C Module: Hal.dll
Handler : EC39C0B4 StartSearchFn: KeFlushWriteBuffer
RetHandler : 0
OSI ID : FA00001B
First byte : 0
Enable * : 0 (=0)
Status : OK
NT API Hook function 22: NtTerminateProcess
Hook address : 8058CE77 Module: Ntoskrnl.exe
Handler : EC39BD8B StartSearchFn: ExRundownCompleted
RetHandler : 0
OSI ID : FA000026
First byte : 0
Enable * : 0 (=0)
Status : OK
NT API Hook function 23: EHCI_RemoveQueueHeadFromPeriodicList
Hook address : F8A90CC4 Module: UsbEHCI.sys
Handler : EC39CC00 StartSearchFn:
RetHandler : 0
OSI ID : FA00001F
First byte : 0
Enable * : EC3DA394 (=1)
Status : OK
NT API Hook function 24: Int2dPatch
Hook address : 0 Module: Ntoskrnl.exe
Handler : 0 StartSearchFn: IoConnectInterrupt
RetHandler : 0
OSI ID : FA000023
First byte : 0
Enable * : EC4686BC (=0)
Status : NOT FOUND
NT API Hook function 25: UnhandledExceptionFilter
Hook address : 7C862B8A Module: kernel32.dll
Handler : EC39BE64 StartSearchFn:
RetHandler : 0
OSI ID : FA000024
First byte : 0
Enable * : EC3DA39C (=1)
Status : OK


Kayaker
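When comparing machines the way smoke and WaxfordSqueers do above, it helps to reduce both the INIT log and the `ver ahk` dump to one short table: which hooks failed, which module each belongs to, and whether the hook is even enabled. The following is an added example, not Kayaker's code and not SoftICE's: a Python parser for both outputs, exercised on constructed excerpts shaped like the ones posted in this thread (the zeroed hook addresses and NOT FOUND statuses in the excerpts are illustrative, not taken from a real machine).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Line shapes taken from the `ver ahk` and INIT output posted in this thread.
HEADER_RE = re.compile(r"^NT API Hook function (\d+):\s*(\S+)")
FIELD_RE = re.compile(r"^(Hook address|OSI ID|Enable \*|Status)\s*:\s*(.*)$")
ADDR_MODULE_RE = re.compile(r"^([0-9A-Fa-f]+)\s+Module:\s*(\S+)")
ENABLE_RE = re.compile(r"\(=(\d)\)")
INIT_FAIL_RE = re.compile(r"\*\*\* API Hook Failure:\s*(\S+)")


@dataclass
class Hook:
    index: int
    name: str
    module: str = ""
    hook_address: int = 0
    osi_id: str = ""
    enabled: Optional[bool] = None
    status: str = ""


def parse_ver_ahk(text: str) -> List[Hook]:
    """Parse the per-hook records printed by SoftICE's `ver ahk`.
    Fields we do not care about (Handler, RetHandler, First byte) are skipped."""
    hooks: List[Hook] = []
    cur: Optional[Hook] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = Hook(index=int(m.group(1)), name=m.group(2))
            hooks.append(cur)
            continue
        m = FIELD_RE.match(line) if cur else None
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "Hook address":
            am = ADDR_MODULE_RE.match(val)
            if am:
                cur.hook_address = int(am.group(1), 16)
                cur.module = am.group(2)
        elif key == "OSI ID":
            cur.osi_id = val
        elif key == "Enable *":
            em = ENABLE_RE.search(val)
            if em:
                cur.enabled = em.group(1) == "1"
        elif key == "Status":
            cur.status = val
    return hooks


def init_log_failures(init_text: str) -> List[str]:
    """Function names flagged '*** API Hook Failure' in the INIT log."""
    return INIT_FAIL_RE.findall(init_text)


def failures_by_module(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Group every hook whose status is not OK by owning module, so the
    driver whose version needs checking is visible at a glance."""
    out: Dict[str, List[str]] = {}
    for h in hooks:
        if h.status != "OK":
            out.setdefault(h.module, []).append(h.name)
    return out


def reconcile(init_text: str, hooks: List[Hook]) -> Dict[str, str]:
    """Map each INIT-reported failure to the module `ver ahk` attributes it
    to, or '?' when `ver ahk` has no record for that name at all."""
    by_name = {h.name: h.module for h in hooks}
    return {n: by_name.get(n, "?") for n in init_log_failures(init_text)}


# Constructed excerpts (assumption: illustrative, not from a real machine).
SAMPLE_INIT = """\
NTICE: *** API Hook Failure: MiCopyOnWrite
NTICE: *** API Hook Failure: EHCI_RemoveQueueHeadFromPeriodicList
NTICE: RtlAssert end found at 80855E31
"""

SAMPLE_VER_AHK = """\
:ver ahk
NT API Hook function 6: MiCopyOnWrite
Hook address : 0 Module: Ntoskrnl.exe
OSI ID : FA00000B
Enable * : 0 (=0)
Status : NOT FOUND
NT API Hook function 8: RtlAssert
Hook address : 80542D48 Module: Ntoskrnl.exe
OSI ID : FA00000D
Enable * : 0 (=0)
Status : OK
NT API Hook function 23: EHCI_RemoveQueueHeadFromPeriodicList
Hook address : 0 Module: UsbEHCI.sys
Handler : EC39CC00 StartSearchFn:
OSI ID : FA00001F
Enable * : EC3DA394 (=1)
Status : NOT FOUND
"""
```

Paste the INIT log and `ver ahk` dump from each machine in turn; `failures_by_module` then shows directly which driver (UsbEHCI.sys in this thread) to compare by version between a system where the hook resolves and one where it does not, and `reconcile` confirms that every failure INIT complained about is accounted for in the hook table.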

WaxfordSqueers
December 11th, 2008, 08:42
Quote:
[Originally Posted by Kayaker;78153]Here's a little undocumented VER command that displays all the ntice hooks present. Just type into Softice ver ahk


thanks Kayaker.

leosmi06
April 17th, 2009, 16:38
There was a switch "NTSyms" in WinICE.DAT.

"NTSyms = ON"

"SoftICE hooks a number of functions in the kernel. Normally it finds these functions using data from the OSINFO.DAT file. If this option is ON, SoftICE instead looks for this information in loaded symbol tables and registry entries. This can sometimes allow the debugger to run on an OS version for which it has no valid OSINFO file."

Did anybody try this with XP SP3 or after installing Windows Updates?


WaxfordSqueers
April 18th, 2009, 23:31
Quote:
[Originally Posted by smoke;78057]sure, here's the dump :....The only problem seems to be when its trying to hook EHCI_RemoveQueueHeadFromPeriodicList


I was just reading through this thread again and it seems I did not respond to you. Sorry about that, I'm not normally so rude.

I got ice going with SP3 using deroko's suggestion of dropping back the NVidia driver version (6.14.10.8198 works).

I have the same problem as you with EHCI_RemoveQueueHeadFromPeriodicList plus MiCopyOnWrite. Other than that, it seems to work.

thanks again for response.

WaxfordSqueers
April 18th, 2009, 23:36
Quote:
[Originally Posted by leosmi06;80173]There was a switch "NTSyms" in WinICE.DAT.

"NTSyms = ON"....Did anybody try this with XP SP3 or after installing Windows Updates?

I have always had NTsyms on. As I said in reply to Smoke, deroko's suggestion of cutting back the NVidia driver version seemed to solve the problem.

With regard to updates, I cleaned my system of updates back to a raw SP2 at one time to solve some problems. After deroko told me he had ice working on SP3, I loaded the entire upgrade at once, and it seemed to work. I have not loaded any updates beyond the bare SP3 install.

WaxfordSqueers
April 18th, 2009, 23:40
Quote:
[Originally Posted by Kayaker;78153]Here's a little undocumented VER command that displays all the ntice hooks present.


Kayaker....sorry I didn't get back to you after all the work you did on this. Had some health problems lately, nothing serious, but enough to take my mind off interesting things like RE.

I'm going to make a post in the 'off-topic' area regarding a current problem I'm having with a SATA setup using an optical drive.