Hope I'm not asking a dumb question. I haven't used softice for a while and I just fired it up, set 'bpx baseprocessstart' to catch an app starting up, and I got an error that the function wasn't recognized.

Part of the problem was that my nms files were out of date after installing SP3, so I updated them. Then I set 'table kernel32' and verified the k32 was in focus. But when I do the bpx baseprocessstart, it still can't find the func.

I recall this happening before when the system isn't fully initialized. i.e. maybe k32 hasn't been called yet. I just want to verify that baseprocesstart is still used in SP3.

Yup, but it's

_BaseProcessStart
_BaseProcessStartThunk

The way to check is, like you did:
TABLE KERNEL32

Then do a wildcard search for the symbol you're looking for, like:
SYM *BaseProcess*
since some syms have an underscore or two, or silly @ or ? characters as prefixes.

Thanks for quick response, Kayaker. I could swear there was no leading underscore considering the many times I've used it. However, the underscore made no difference.

I tried SYM *base* and exp *base* but no list is given at all, just a couple of headers and no list. I tried EXP by itself and I get them all listed but there is no baseprocessstart with or without an underscore. The entire EXP list goes through K32, U32, G32, ntoskrnl and hal. K32 version is 5.1.2600.5512.

Can you think of a function nearby that might work? I tried createprocessA with no luck, then again, I'm activating a 'cpl' file from control panel.

Sounds like you've got sym/nms problems. If you remember you need to d/l the symbols and convert them to NMS with Symbol Retriever (to say C:/nmsout). And you MUST use updated versions of symsrv.dll and dbghelp.dll (get them from WinDbg and replace the old Softice ones in the SymRtrvr.exe directory).

Also make sure the appropriate NMS files are loaded (through the Sice Loader or right click on the nms file and default 'Load into Softice'). The rest should work if all is OK.


Alternate Method 1: Disasm kernel32 in IDA and use the absolute address of BaseProcessStart.


Method 2: Load any exe into Olly and check the stack window where you'll find the global calling address within BaseProcessStart


Method 3: BPX NtSetInformationThread if *(esp+8)==9

NtSetInformationThread is called from BaseProcessStart, 9 is the Class ThreadQuerySetWin32StartAddress. F12 twice, F8 once and you should be back in BaseProcessStart ready to execute the PE (see address in Method 2)


Method 4: BPX _KiFastSystemCall if eax==E5

Destination of Method 3, E5 = service index NtSetInformationThread.


Method 5: Take up knitting as a hobby instead


It looks like a CPL will call rundll32 as EP, I've no idea where it goes from there.

I have to go out but I'll make a quick reply. Something hairy is happening. Symservers d/l'd a pdb file for ntoskrnl and converted it to a valid nms with all the functions names legible. It d/l's a pdb for k32 with all the files legible in a text editor. However, the nms it makes for k32 has no names in it and is only 40,000 bytes. ntoskernl nms is 837,460.

I've tried it several times and get a bad nms for k32. I'll have to convert it directly once I recall how to do it.



I knew about the symsrv.dll trick but not the dbghelp.dll. Thanks

Did that, found baseprocessstart at 7C817044. Thanks


What's Olly? Just kidding, blabberer.

Found that one last night. It leads directly to rundll32, which leads into shell32 where most of the work seems to be done in loading the cpl file. thanks.


Good one...oh great one of the reversing clan. Remember Burns...oh cheiftan o' the puddin' race? Ode to a Haggis:

Fair fa' your honest, sonsie face,
Great Chieftan o' the Puddin-race!
Aboon them a' ye tak your place,
Painch, tripe, or thairm:
Weel are ye wordy of a grace
As lang's my arm.

My dear old Scottish granny tried to teach me knitting once but I was too interested in soccer balls, which she called 'a great bag of wind'.

from cpl it goes to rundll like this



or alternatively you can ollydbg with

control.exe

ollydbg c:\windows\system32\control.exe

and put in main.cpl,"yourcpl" and start debugging from BaseProcessStart

Thanks blabberer. I have major problems right now. Even nmsym wont translate k32 or ntoskrnl to pdb's successfully.

If I look at a properly formed nms file in a text editor, I can see all the function names, and the file is quite large...> 800k for ntoskrnl. Using sym retriever or nmsym, the nms files for k32 and ntoskrnl are around 40k and none have names. However, sym retriever made an ntoskrnl last night that was the right size with all the names. I just noticed it butchered u32 as well.

hey! look what i found..
http://www.woodmann.com/forum/showthread.php?t=12497

thanks, evaluator. I did look but obviously not well enough. Notice you had to answer your own post.

That could be the problem but I am translating from a PDB file and it works sometimes in the sym retriever. I'm going to update/reload Debugging Tools for Windoze and see if that helps.

It sucks when you have to fix the tools before you do any reversing.

Making headway. Made an nms for k32 in IDA and it works in softice. Ice complains that the nms file has no datestamp, but what the heck. Now I know where Kayaker got the underscore in front of _baseprocessstart. That's an IDA quirk.

Reloaded Debugging Tools For Windows but symserver still wont make good nms files even with the latest files from there.

For anyone interested, a cpl (control panel) file starts in rundll32 which calls shell32. Rundll32 is called from baseprocessstart, in the call right after NtSetInformationThread, as Kayaker indicated. rundll32 sets up a window but doesn't show it. Shell32 calls shlapi (shell lightweight utilities) and comctl32, but I haven't traced the full route yet so you'll have to tune in for the next episode.

For anyone who hasn't the slightest idea what I'm talking about, using a bpx on baseprocessstart gets around using loader32 to load an app. If you set bpx baseprocessstart or bpx _baseprocessstart@4, using an IDA nms file, then start your app, it will break a few code steps away from the call to the app.

This is also for anyone who thinks softice wont work on XP with SP3. Working fine so far. Thanks Kayaker and deroko.

You're probably aware of this, but to skip past the rundll32 route you could always put a CC at the EP of the CPL and enable BPINT3 in Softice. Then open the cpl with Control Panel, it should break, change the original byte back with EB EIP 8B (or whatever the first byte is).

LordPE will do the same thing with Break 'n Enter if you change the cpl extension to *.dll. However it won't show the window, but might be good enough for tracing purposes.


As for the underscore in _BaseProcessStart, just to clarify, that was the default syntax for the Softice nms conversion, nothing to do with IDA.


For the record, I haven't found any apparent problems yet with a currently updated XP3 either, except for the following hooks:

NTICE: *** API Hook Failure: MiAddValidPageToWorkingSet
NTICE: *** API Hook Failure: EHCI_RemoveQueueHeadFromPeriodicList

which are also discussed in the thread

deciphering osinfo.dat for softice
http://www.woodmann.com/forum/showthread.php?t=12234

I wouldn't count on me being too aware of anything.

I managed to trace my way through rundll to the cpl app the hard way, but your way sounds a lot easier. Got hung up in u32, however, because it calls DialogBoxParamA. I tried jumping over it, hoping to see a blank window form, but the entire window comes up filled in.

I'm trying to find out where it gets the information for the window. For example, it refers to pio4 mode and I'd like to know where that comes from. Also, there is a tab for flashing the Silicon Image controller BIOS and it says the chip type is unknown.

That could come about if the cpl windows is aimed at an add-on card and not an onboard controller. However, both are on the PCI bus and should be recognized.

rundll calls 'control' in shell32 using the command line "rundll.exe" shell32.dll , Control_Rundll <path> <app.cpl>. Along the way shlwapi.dll is called as well as ole32 and comctl32. I don't see anything in there that interrogates the system parameters to get the info for the cpl window. I'm thinking it must come from a call from u32 back into the cpl app.

I found that out. I got the nmsym going to a degree using your bat file. It gave me k32 and u32 but messed up 4 other pdb to nms conversions. Don't know what's going on.

As far as underscore is concerned, I'm confused. I don't ever recall using an underscore. Then again, read line one above.
Yeah, that's my thread and that's why I thanked you and deroko for the help. He pointed out that ice works with SP3 and that I could ignore MiCopyOnWrite and the othe USB doohickey.