soft ice in a VM and Windbg growing pains


WaxfordSqueers
August 12th, 2013, 08:12
My new system with its new mobo and ATI-driven vid card doesn't like softice, so I bit the bullet and installed ice in a VM. It works fine, my symbols are all loaded, but when I follow my usual procedure for setting a bmsg command, ice claims the hwnd is invalid.

Normally, I fire up SPYXX, which lists all the handles for window processes running on my system. I used the HWND indicated by SPYXX in softice, in the VM, as follows:

BMSG 400BA 203

but when I hit 'Enter' it gives me the invalid handle message.

Under normal XP that was ALWAYS accepted and broke in a specific app on a double-click (WMSG 203).

I turned to Windbg to see if I could verify the hwnd, but wouldn't you know that Windows being about...guess what...windows, Windbg does not seem to have any commands to dump window's handles. It will give you any other kind of handle except a HWND.

OK...I know I'm likely doing something wrong. I am running windbg in local mode under an lkd> prompt.

I presume I am out of luck with softice and an advanced video card driver. In setup, it detects my display adapter OK and the Test button returns claiming my display adapter is OK (Universal Video Driver). But when I hit 'Apply' then OK, it insists on a reboot for Visual Softice which I am not using. After the reboot, it just keeps rebooting until I set it back to the last known good configuration.

I am wondering if anyone running softice under a VM has encountered a similar situation with it not recognizing HWNDs?

Could some kind soul, well-versed in Windbg, show me how to find a Windows handle for a process?

Aimless
August 12th, 2013, 09:23
A quickie --- have you checked your CONTEXT, before doing a BMSG?

Have Phun

blabberer
August 12th, 2013, 13:13
Quote:
[Originally Posted by WaxfordSqueers;95197]show me how to find a Windows handle for a process?


you can use windbg; i used cdb because it is easy to copy-paste answers directly from the console
the -c "g" will save you one key press and the app will run without breaking
( i forgot what, but there is a command line option to ignore the initial break)
win.exe is the good old Iczelion's tut03

C:\>cdb -c "g;" f:\masm32\icztutes\tute03\win.exe

xxxxxx cut off spew xxxxxxxxxxxxxxx

0:000> cdb: Reading initial command 'g;'

xxxxxxxxxxxxx win.exe is running here cut off spew xxxxxxxxxxxx

hit ctrl+break in windbg ctrl+c in cdb to break in

ntdll!DbgBreakPoint:
7c90120e cc int 3
0:001> ~0s change to main thread
eax=7c91930f ebx=7ffdf000 ecx=00162d80 edx=00160608 esi=0013ff60 edi=00000000
eip=7c90e514 esp=0013ff20 ebp=0013ff44 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!KiFastSystemCallRet:
7c90e514 c3 ret

0:000> .load sdbgext load sdbgext extension by skywing

run the command !hwnd without parameters to enumerate all the window handles of the current thread

0:000> !hwnd
Window 00100258
Name Our First Window
Class SimpleWinClass
Window 001401c2
Name M
Class MSCTFIME UI
Window 0011025a
Name Default IME
Class IME

0:000> bp user32!TranslateMessage lets confirm the handle
0:000> g


move the mouse over the Win Window

Breakpoint 0 hit
eax=0013ff60 ebx=7ffdf000 ecx=00000000 edx=7c90e514 esi=7c96e5df edi=00000000
eip=7e418bf6 esp=0013ff54 ebp=0013ffac iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
user32!TranslateMessage:
7e418bf6 8bff mov edi,edi
0:000> dd esp l4

0013ff54 00401106 0013ff60 00100258 00100258
0:000>

lets check if it is mouse move

Code:

0:000> !usermsg 13ff60
hwnd:
Window 00100258
Name Our First Window
Class SimpleWinClass
WndProc 00000000
Style WS_OVERLAPPED
ExStyle WS_EX_WINDOWEDGE WS_EX_LEFT WS_EX_LTRREADING WS_EX_RIGHTSCROLLBAR
HInstance 00400000
ParentWnd 00000000
Id 00000000
UserData 00000000
Unicode FALSE
ThreadId 00000478
ProcessId 00000d4c
Message: 0x0200
wParam: 0
lParam: 57032f
Time: 2cb53f6
pt: (929, 262) xy co-ordinates
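
The handle check shown above (breaking on user32!TranslateMessage and reading the MSG pointer off the stack) can be reproduced without sdbgext by decoding the raw dwords yourself. The following is an added Python example, not blabberer's code or part of sdbgext: the `dd 13ff60 l7` output is constructed to match the !usermsg values quoted above, and the WM_ name table is only the small subset of messages this thread mentions.

```python
import re
import struct
from typing import List, NamedTuple, Optional, Tuple

# Message ids that appear in the thread (BMSG ... 203 = WM_LBUTTONDBLCLK,
# !usermsg showed 0x0200 = WM_MOUSEMOVE). Subset only, assumed from winuser.h.
WM_NAMES = {
    0x0111: "WM_COMMAND",
    0x0200: "WM_MOUSEMOVE",
    0x0201: "WM_LBUTTONDOWN",
    0x0202: "WM_LBUTTONUP",
    0x0203: "WM_LBUTTONDBLCLK",
    0x0204: "WM_RBUTTONDOWN",
    0x0205: "WM_RBUTTONUP",
    0x0206: "WM_RBUTTONDBLCLK",
}
WM_MOUSEFIRST, WM_MOUSELAST = 0x0200, 0x020D

# Constructed `dd 13ff60 l7` output (not from the thread). The dwords are chosen to
# match the !usermsg output: hwnd 00100258, WM_MOUSEMOVE, lParam 57032f,
# time 2cb53f6, pt (929, 262) = (0x3a1, 0x106).
DD_MSG = """\
0013ff60  00100258 00000200 00000000 0057032f
0013ff70  02cb53f6 000003a1 00000106
"""

# The `dd esp l4` line from the session: [return address][lpMsg][MSG.hwnd]...
DD_ESP = "0013ff54  00401106 0013ff60 00100258 00100258"

_DD_LINE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{8}\s*)+)$")


class Msg(NamedTuple):
    """x86 (32-bit) MSG: HWND, UINT message, WPARAM, LPARAM, DWORD time, POINT pt."""
    hwnd: int
    message: int
    wParam: int
    lParam: int
    time: int
    pt_x: int
    pt_y: int


def parse_dd(text: str) -> List[int]:
    """Parse WinDbg/cdb `dd` output into a list of dwords (address column dropped)."""
    dwords: List[int] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _DD_LINE.match(line)
        if not m:
            raise ValueError(f"not a dd line: {line!r}")
        dwords.extend(int(tok, 16) for tok in m.group(2).split())
    return dwords


def unpack_msg(dwords: List[int]) -> Msg:
    """Interpret seven consecutive dwords as a 28-byte MSG structure."""
    if len(dwords) < 7:
        raise ValueError("MSG is 28 bytes: need 7 dwords")
    raw = struct.pack("<7I", *dwords[:7])
    return Msg(*struct.unpack("<IIIIIii", raw))  # pt.x / pt.y are signed LONGs


def lpmsg_from_stack(dd_esp_line: str) -> int:
    """At a breakpoint on user32!TranslateMessage, esp holds the return address and
    esp+4 the lpMsg argument, so the second dword of `dd esp l4` is the MSG address."""
    return parse_dd(dd_esp_line)[1]


def msg_name(message: int) -> str:
    return WM_NAMES.get(message, f"WM_{message:#06x}")


def mouse_client_pos(msg: Msg) -> Optional[Tuple[int, int]]:
    """For mouse messages lParam packs client-area x (low word) and y (high word) as
    signed 16-bit values, like GET_X_LPARAM/GET_Y_LPARAM; None for other messages."""
    if not (WM_MOUSEFIRST <= msg.message <= WM_MOUSELAST):
        return None
    x, y = struct.unpack("<hh", struct.pack("<I", msg.lParam & 0xFFFFFFFF))
    return (x, y)


def describe(msg: Msg) -> str:
    """Render the MSG the way one would compare it against a BMSG <hwnd> <msg> target."""
    line = (f"hwnd={msg.hwnd:08x} {msg_name(msg.message)} wParam={msg.wParam:x} "
            f"lParam={msg.lParam:x} screen pt=({msg.pt_x}, {msg.pt_y})")
    pos = mouse_client_pos(msg)
    if pos is not None:
        line += f" client=({pos[0]}, {pos[1]})"
    return line


if __name__ == "__main__":
    print(f"lpMsg = {lpmsg_from_stack(DD_ESP):08x}")
    print(describe(unpack_msg(parse_dd(DD_MSG))))
    print("BMSG <hwnd> 203 waits for", msg_name(0x203))
```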


WaxfordSqueers
August 12th, 2013, 17:49
Quote:
[Originally Posted by Aimless;95198]A quickie --- have you checked your CONTEXT, before doing a BMSG? Have Phun


Yessir!! I would never come on here without checking that first.

Did the addr command on my app and made sure it had the star beside it. Mind you, it's doing peculiar things. Did 'table' as well. When I do addr 'app', I get the blue highlighted text telling me my ole32 nms time stamp is bad and that I should use some tools to fix it. I don't think that would affect the handle being declared invalid. Normally, I get that message when I do the 'table' command.

It's probably something dumb. I read on the Net that people have experienced that intermittently.

WaxfordSqueers
August 12th, 2013, 18:02
Quote:
[Originally Posted by blabberer;95203] 0:000> .load sdbgext load sdbgext extension by skywing

run the command !hwnd without parameters to enumerate all the window handles of the current thread


Thanks for the explanation Blabs. My brain is a bit fried right now and I won't do your full post justice by trying to decipher it right now. It's good to know there is a !hwnd command, and the TranslateMessage sounds useful.

Unfortunately I am on the bad part of the Windbg learning curve right now but I had it running in the VM with softice. I have to take another look at the pipe command to see if I can get it operating between the VM and the main machine.

I have much more memory and disk space, with a dual core processor and the VM seems rock solid.

blabberer
August 13th, 2013, 05:18
put this too in your decipher queue

find explorer.exe and attach to it non-invasively to get the list of its windows in one of its threads, and compare it to the spyxx output


C:\>tlist | grep explorer
484 explorer.exe Program Manager

C:\>cdb -pv -p 484


*** wait with pending attach

WARNING: Process 484 is not attached as a debuggee
The process can be examined but debug events will not be received

0:000> ~ list all threads in explorer.exe
. 0 Id: 1e4.bd0 Suspend: 1 Teb: 7ffdf000 Unfrozen
********* cut off **************
13 Id: 1e4.964 Suspend: 1 Teb: 7ffa5000 Unfrozen
0:000> .load sdbgext
0:000> !hwnd
Window 00040046 Name Class tooltips_class32
Window 0002008a Name Class WorkerW
Window 0002009c Name Class DDEMLEvent
Window 00020104 Name Class DDEMLMom
Window 00040042 Name Class tooltips_class32
Window 00040040 Name Program Manager Class Progman
ChildWindow 0003006e Name Class SHELLDLL_DefView
ChildWindow 00040044 Name FolderView Class SysListView32
Window 00020076 Name M Class MSCTFIME UI
Window 0002007a Name Default IME Class IME
0:000> .detach
Detached
NoTarget> q
WARNING: The debugger does not have a current process or thread
WARNING: Many commands will not work
quit:

C:\>

WaxfordSqueers
August 14th, 2013, 11:28
Quote:
[Originally Posted by blabberer;95203]C:\>cdb -c "g;" f:\masm32\icztutes\tute03\win.exe


thanks again for explanation. Using one of your expressions:

xxxxxx cut off spew xxxxxxxxxxxxxxx

I have done that and here is the rest of the spew from my cdb attempt in the VM:

(574.6a0): Break instruction exception - code 80000003 (first chance)
eax=7ffd9000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c90120e esp=0359ffcc ebp=0359fff4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
ntdll!DbgBreakPoint:
7c90120e cc int 3

0:013> .load sdbgext

The call to LoadLibrary(sdbgext) failed, Win32 error 0n14001
"This application has failed to start because the application configuration
is incorrect. Reinstalling the application may fix this problem."
Please check your debugger configuration and/or network access.

0:013> I typed quit here because I was too tired and it did not like verbosity. It accepted q instead to end the cdb session.

As you can see, there is something wrong with the sdbgext load. I downloaded the file and put sdbgext.dll in my %root%\program files\debugging tools for windows (x86)\ folder.

I have not had time yet to check out the error message but thought you might know off the top of your noggin. Maybe I'm supposed to be using windbg instead of cdb. Or maybe it's an administrator thing although I am logged into XP pro as administrator.

Question: It's a hassle typing out the entire path to debugging tools. Is there any reason I could not move the debugging tools to a simple directory, like c:\dt4w\ ?

I used to have a nifty app with which I could right click on an explorer directory and get it to open a cmd prompt right at that directory. Ring a bell?

blabberer
August 14th, 2013, 15:16
put sdbgext in winext folder in windbg installation

i dont understand the statement of typing full path

have you installed windbg to default location ? if yes starting windbg is a matter of just selecting (start->programs->debug.....\windbg shortcut ) in start menu

the shortcut is automatically added to All users (common) start menu by windbg installation

Code:


C:\Documents and Settings\All Users>dir /s /b windbg*
C:\Documents and Settings\All Users\Start Menu\Programs\Debugging Tools for Wind
ows (x86)\WinDbg.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Windows Kits\Debugging T
ools for Windows (X86)\WinDbg (X86).lnk

C:\Documents and Settings\All Users>



adding cdb to this is just a matter of changing to the directory and copying an existing lnk as cdb.lnk and editing it properties to point to cdb.exe

Code:


C:\Documents and Settings\All Users>cd "Start Menu\Programs\Debugging Tools for
Windows (x86)"

C:\Documents and Settings\All Users\Start Menu\Programs\Debugging Tools for Wind
ows (x86)>copy WinDbg.lnk cdb.lnk
1 file(s) copied.

right click properties edit windbg.exe to cdb.exe



if you dont want to move your mouse

add the installation path to your environment variable

mycomputer -> properties->advanced -> environment variables->path

add ;c:\pr.......\x86\ to the existing data (notice the semicolon separator )


or create a file named cdb.bat and put it in your c:\windows folder

and in cdb.bat

write this line
"c:\prg........\x86\cdb.exe"

and to answer your question: after installation you can xcopy the whole folder from c:\pr......\x86 to wherever you fancy, even to z:\mywindbghell
and windbg will work smoothly from there (remember to copy the whole folder structure as it is )

Kayaker
August 14th, 2013, 16:28
Quote:
[Originally Posted by WaxfordSqueers;95232]I used to have a nifty app with which I could right click on an explorer directory and get it to open a cmd prompt right at that directory. Ring a bell?


Yup. Create *.reg, double click.

Code:

REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\Run In Dos]

[HKEY_CLASSES_ROOT\exefile\shell\Run In Dos\command]
@="C:\\WINDOWS\\system32\\cmd.exe /k \"%1\""

[HKEY_CLASSES_ROOT\comfile\shell\Run In DOS]

[HKEY_CLASSES_ROOT\comfile\shell\Run In DOS\command]
@="C:\\WINDOWS\\system32\\cmd.exe /k \"%1\""


Code:

REGEDIT4

[HKEY_CLASSES_ROOT\Directory\shell\DosHere]
@="DOS &Prompt Here"

[HKEY_CLASSES_ROOT\Directory\shell\DosHere\command]
@="C:\\WINDOWS\\system32\\cmd.exe /k cd \"%1\""


[HKEY_CLASSES_ROOT\Drive\shell\DosHere]
@="DOS &Prompt Here"

[HKEY_CLASSES_ROOT\Drive\shell\DosHere\command]
@="C:\\WINDOWS\\system32\\cmd.exe /k cd \"%1\""


[HKEY_CLASSES_ROOT\*\shell\Dos Here]

[HKEY_CLASSES_ROOT\*\shell\Dos Here\Command]
@="C:\\WINDOWS\\system32\\cmd.exe /k"



btw, sometimes I use Iczelion's tutorial 24 mousehook app to get a window handle, if I don't need the full blown Spy++, gives the same info.

http://www.woodmann.com/RCE-CD-SITES/Iczelion/tut24.html
http://win32assembly.programminghorizon.com/tut24.html


So this BMSG invalid handle message, does this happen with every handle of every app in your new VM/Sice setup, or is it just this one situation?

Elenil
August 14th, 2013, 19:59
this video card problem i really dont know what it is

1 example
asus 7800 gt -> bsod
msi 7800 gt -> all well

the thing is those 2 cards look almost identical in hardware, only the msi logo and asus logo seem to be different; maybe some kind of internal settings ?



however this worked on my xp computer

cpu 4 3.8 ghz
ram: 4 gb ram ddr3 800 mhz
graphic card: msi 6870 gt
ati driver version
8.0.873.0 (2012)

dunno about the newer versions but i think it works

nvidia cards have this problems more often

WaxfordSqueers
August 14th, 2013, 20:05
Quote:
[Originally Posted by blabberer;95233]put sdbgext in winext folder in windbg installation
Thanks for that.

Quote:
[Originally Posted by blabberer;95233]i dont understand the statement of typing full path


I know that windbg is a GUI, so I keep it as a link on my desktop, which I double-click to start. I presumed cdb was a DOS-based app which needed to be opened in a cmd window, hence the rigmarole of changing directories to the program files\debugging tools for windows (x86) directory.

I tried double clicking cdb but it just flickered a cmd window and went away.

I had to actually start a cmd window and start cdb from the DOS prompt.


Quote:
[Originally Posted by blabberer;95233]and in cdb.bat

write this line
"c:\prg........\x86\cdb.exe"


I may be a bit thick but I'm not getting this part at all. How does that statement "c:\prg........\x86\cdb.exe" start cdb from a bat file?

I am not up on modern bat files but in the ones I have done years ago, you had to tell it to change directories, as in:

cd C:\pro.....\....(x86)
cdb.exe

However, that's the same as going into the c:\pf\dt4w(x86) directory and double-clicking cdb.exe.

It doesn't work. As far as I can see, you have to open a command window first. If cdb is in your environment variable path, you can just type cdb <enter> and it should open in the cmd window at any prompt, otherwise you have to change to the tools directory and do a 'cdb <enter>'.

I can see an advantage using a bat file if you have a lengthy command line argument that you use repeatedly. It would work in the situation you described in another reply for opening an exe file with cdb but each time you opened another exe, you'd have to modify the bat file.

I have never gotten into scripts but I wonder if there is a way to write a script for opening cdb so you could enter a different exe each time while keeping a complex command line argument as the basis for the script.

I am obviously answering my own question since I knew how to set up path statements in the environment block but years of brain damage prevented me from cluing in to that. :-)

All starting cdb at a cmd prompt gets me is a help file on how to do it right.

Am I confusing something? It seems that cdb, being a command line app, can only be started by typing cdb at a cmd prompt.

I have read that the other command-line debugger is equivalent to cdb with the exception that it opens its own window. You have pointed out the advantage of cdb....that you can copy and paste from a cmd window.

WaxfordSqueers
August 16th, 2013, 00:52
Quote:
[Originally Posted by Kayaker;95234]Yup. Create *.reg, double click.

Thanks Kayaker. I just found the reg file on the Net but had not tested it since installing. Just tested it and the 'Command Prompt Here' command is in the context menu. Worked great, but thanks for the reg files. I will copy them and put them away in case I lose it again.

Quote:
[Originally Posted by Kayaker;95234]btw, sometimes I use Iczelion's tutorial 24 mousehook app to get a window handle, if I don't need the full blown Spy++, gives the same info.

Thanks for the tip. I normally only use SPYXX for a quick HWND lookup but sometimes I use it to track down a mouse click or WM_Command derivation. I have been meaning to do the Iczelion tutes and I'll look that one up.


Quote:
[Originally Posted by Kayaker;95234]So this BMSG invalid handle message, does this happen with every handle of every app in your new VM/Sice setup, or is it just this one situation?


I'll have to try and see then get back to you. I only have a few apps loaded in the VM and I'll need to find one where I can look up a HWND and try it on ice.

WaxfordSqueers
August 16th, 2013, 00:58
Quote:
[Originally Posted by Elenil;95235]this video card problem i really dont know what it is


Sorry. Elenil, I missed your reply...I wasn't ignoring you.

You make a good point. I found in the past that certain nVidia drivers did not work with softice.

I am using ATI driver version 8.751.0.0. I'll try finding an earlier version. The card is an Asus EAH 3450.

Alternately, I have on-board Intel video. I could switch the display to the on-board vid driver and see if that works.

WaxfordSqueers
August 16th, 2013, 01:47
Quote:
[Originally Posted by blabberer;95233]put sdbgext in winext folder in windbg installation


Followed all your instructions to a tee.

1)double-clicking on cdb.lnk brings up a cmd window briefly then it disappears.

2)put sdbgext.dll in winext directory.

3)created environment paths to winext and added environment variable for _NT_DEBUGGER_EXTENSION_PATH = c:\PF\DT4W\winext. Of course, I wrote out the full path.

4)added Visual C++ redistribution package (2005) as recommended on sdbgext site. Was not sure whether newer version would work better.

5)Tried other debugger ntsd.exe with same result.

6)keep getting following error after .load sdbgext:

The call to LoadLibrary(sdbgext.dll) failed, win32 error 0n14001.
"This application failed to start because application configuration is incorrect. Reinstalling the application may fix this problem".

Please check your debugger configuration and/or network access.

There is mention of a tools.ini and ntsd.ini file but neither exist on my system. I have searched the entire disk with no luck.

blabberer
August 16th, 2013, 05:43
i run bat files all the time and face no problems whatsoever; in fact i run several versions of cdb.exe as and when i need them and use a bat file for accessing the cdb.exe copies that are spread all over my disk partitions


a sample of my bat file is posted below. it can run two versions of cdb (the 6.6.7.5 version and the windows 8 6.9200 version of cdb.exe) and it can take the executable path as well. copy, paste, edit the path of cdb as per your system and put the bat file in a path like "c:\windows" or "c:\windows\system32" to experiment

also pasting the output of running the bat file for all possible path

Code:

@ECHO OFF

IF "%1" == "6675" GOTO 6675
IF "%1" == "6920" GOTO 6920
IF "%1" == "" GOTO ERROR
REM any other first argument is not a known version number: show usage instead of falling into :6920
GOTO ERROR

:6920
ECHO "USING WIN8 CDB.EXE"
IF "%2" == "" GOTO ERROR
"C:\Program Files\Windows Kits\8.0\Debuggers\x86\CDB.EXE" %2
GOTO END

:6675
ECHO "USING 6.6..7.5 VERSION CDB WITH SON OF STRIKE"
IF "%2" == "" GOTO ERROR
"E:\6.6.7.5Debugging Tools for Windows\CDB.EXE" %2
GOTO END

:ERROR
ECHO "USAGE VERSIONNUMBER , PATH TO EXE"

:END
PAUSE



output of running this bat file several times from without args to semi args to right args
Code:


C:\>RUNCDB no arguments passed
"USAGE VERSIONNUMBER , PATH TO EXE"
Press any key to continue . . .

C:\>RUNCDB 6675 only version number passed
"USING 6.6..7.5 VERSION CDB WITH SON OF STRIKE"
"USAGE VERSIONNUMBER , PATH TO EXE"
Press any key to continue . . .

C:\>RUNCDB 6920 only version number passed
"USING WIN8 CDB.EXE"
"USAGE VERSIONNUMBER , PATH TO EXE"
Press any key to continue . . .

C:\>RUNCDB 6675 F:\masm32\icztutes\tute03\win.exe 6.6.7.5 version and path to exe

"USING 6.6..7.5 VERSION CDB WITH SON OF STRIKE"

Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: F:\masm32\icztutes\tute03\win.exe
Symbol search path is: SRV*F:\symbols*http://msdl.microsoft.com/download/symbols

Executable search path is:

(b98.8dc): Break instruction exception - code 80000003 (first chance)
eax=00251eb4 ebx=7ffdd000 ecx=00000007 edx=00000080 esi=00251f48 edi=00251eb4
eip=7c90120e esp=0012fb20 ebp=0012fc94 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc int 3
0:000> Q
quit:
Press any key to continue . . .

C:\>RUNCDB 6920 F:\masm32\icztutes\tute03\win.exe 6.9200 version and path to exe

"USING WIN8 CDB.EXE"

Microsoft (R) Windows Debugger Version 6.2.9200.16384 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: F:\masm32\icztutes\tute03\win.exe
Symbol search path is: SRV*F:\symbols*http://msdl.microsoft.com/download/symbols


(c88.a48): Break instruction exception - code 80000003 (first chance)
eax=00251eb4 ebx=7ffdc000 ecx=00000007 edx=00000080 esi=00251f48 edi=00251eb4
eip=7c90120e esp=0012fb20 ebp=0012fc94 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc int 3
0:000> Q
quit:
Press any key to continue . . .

C:\>




Quote:
double clicking cdb flicks and disappears

yes it is a classic console app you need cmd.exe to execute it to see what it yells

Quote:
running cdb.exe alone prints help and exits

again a classic console looks if there are arguments and if it found no arguments prints help and exits
Code:

if (argc < 2)        /* no arguments on the command line */
{
    yellhelp();      /* print the usage text */
    die();           /* and exit */
}
else
{
    /* arguments present: go and debug the given target */
}


ntsd is similar to cdb but runs in its own console and can run without console too (useful for remote over network debugging )

Quote:
*.ini does not exist in my system


they do not exist in any system you need to create them
you can also create several more ini like symsrv exclusions.ini that will stop looking for unavailable symbols in ms symbol server

Quote:
created env for winext


is not needed just stuffing the sdbgext.dll into winext folder should be enough to use .load sdbgext (no extension only file name)
windbg /cdb / ntsd knows how to find it in winext folder

the error no 14001 is described as some side by side error

Code:

Query: 14001

0x000036B1 ERROR_SXS_CANT_GEN_ACTCTX
The application has failed to start because its side-by-side configuration is i
ncorrect. See the application event log for more detail.


googling gets me this

http://www.stevestechspot.com/default,month,2008-02.aspx
http://blogs.msdn.com/b/junfeng/archive/2006/04/14/576314.aspx

seems to be a vc runtime redist package issue check what run time is required and install it


edit: missed the .lnk part in first pass

Quote:
1)double-clicking on cdb.lnk brings up a cmd window briefly then it disappears.


right click the lnk -> properties and edit the target line to make cdb open in a console you would need to enter cdb again but lnk will open the cmd.exe in right path

C:\WINDOWS\system32\cmd.exe /k "<your path>\cdb.exe"

WaxfordSqueers
August 16th, 2013, 06:40
Quote:
[Originally Posted by blabberer;95241]i run bat file all the time and face no problems whatsoever in fact i run several versions of cdb.exe as and when i need it and use a bat file for accessing the cdb.exe that's spread all over my disk partitions


First of all, thanks for your help. You are going above and beyond with your detailed analysis. I hate to be such a bother. Kayaker is good that way too. Much appreciated.

Off hand, I would say the mistake I am making is not feeding cdb a command line. Then again, with a straight cmd.lnk, I'd have to change the command line each time I used the lnk. I'll need to examine your bat file more closely.

Meantime...ahooooga, ahooooga....I got it going. It was an SxS thingy. Visual C++ (2005) apparently doesn't use SxS and the required dlls cannot be found by cdb. I upgraded to the 4 meg version of the Visual C++ redistributable package and that seemed to solve the problem. Also, I reinstalled dotnet framework files up to dotnet 3.5.

I managed to use the !hwnd command in sdbgext but it's not formatted like SPYXX and one has to be careful. Both SPYXX and !hwnd agree on the handles, so now I have to work on finding why softice is not recognizing the handle from SPYXX. I have to follow up on a suggestion from Kayaker as well, to see if it's happening only with the one app.

Quote:
[Originally Posted by blabberer;95241]ntsd is similar to cdb but runs in its own console and can run without console too (useful for remote over network debugging )

I thought you said you could not copy and paste from ntsd. I was able to copy and paste but the process is slightly different in the ntsd window. With the normal cmd window used by cdb, you highlight the text to be copied by right-clicking and selecting 'mark', I think it is, then drag the mouse over the text, go to the drop-down menu at the top left side of the screen and select edit>copy. I have downloaded a reg mod for the cmd window by which I can just drag the mouse over text in a cmd window to mark it, then I go to the drop-down box at the top LH side of the window, where I select edit>copy.

With ntsd, the mark feature is in the drop down box, so you have to repeat the process to 'mark' then 'copy'.

Quote:
[Originally Posted by blabberer;95241]the srror no 14001 is described as some side by side error...seems to be a vc runtime redist package issue check what run time is required and install it

I did that earlier today. I had not noticed that there are two redistributable packages for 2008, one is ver 9.0.21022.8 and has a size of 1.73 MB. The other is 9.0.30729.17 and has a size of 4.02 Mb. I used the larger one.

One other thing. I upgraded the windows installer (I think it was to version 3) and checked to make sure Internet Explorer was at least version 6 with SP1. Mine was SP3. Both are requirements on the sdbgext site along with the Visual C++ redistributable package (4 Mb version 2008).

Net Framework may have been an issue, mine seemed to be wonky. The upgrade to dotnet 3.5 is a major upgrade that addresses all previous versions and upgrades them. It's a large package, several hundred megs.

blabberer
August 16th, 2013, 07:07
Quote:
Much appreciated.

thanks and welcome

i dont remember saying you cant copy from ntsd (you can copy from cdb . ntsd , windbg , i386kd , kd , ntkd)
in fact windbg can store a lot lot of data to copy than the plain consoles of other debuggers

if i am working in console it is easy to use cdb (dont have to juggle windows just type on the prompt and be done with it ) that is all


if you just want to select drag and copy on right click without going to any corners enable quick edit mode by going to the corner once and telling it i dont want to come back here again

right click -> properties -> options -> edit option -> check mark quick edit mode (no mark copy corners needed hence forth )
same --------------------------------------------> check mark quick insert (no edit

WaxfordSqueers
August 16th, 2013, 09:30
Quote:
[Originally Posted by Kayaker;95234]So this BMSG invalid handle message, does this happen with every handle of every app in your new VM/Sice setup, or is it just this one situation?


Seems to.

Here's the confusing part. If I do an addr explorer to get into that context, then use hwnd, I get all the windows listed. I can verify from the list of windows handles supplied by softice that the window handle is valid. SPYXX, cdb and softice all supply the same window handle for the same window. Yet when I do a 'bmsg <hwnd> <msg>' with the same handle, ice tells me the handle is invalid.

I have selected several hwnds from the softice display, including the desktop, and all of them return the invalid handle message. I have noticed that many hwnds have 6 figure values, like 1000138, whereas those I am having trouble with have only 5 figures. That's probably not significant.

I may have to reload ice, but the part worrying me is that my problem may lie with Windows itself. I have XP SP3 loaded in the VM and ice works fine with a bare bones XP SP3 on my desktop, but I may have loaded hotfixes beyond SP3 in the VM. It's too long to go into here but the best solution seems to be creating a new VM disk and loading it with a fresh SP3 version of XP.

I'm wondering, is there a way to debug softice using windbg? I am loading ice from the desktop, can I attach to it with windbg or would I be headed for BSODville?

BTW...while researching on the Net, I noticed quite a few reference to the same error message regarding an invalid window handle. No one seems to have a clue what causes it. It does not seem to be related to VMs only.

Kayaker
August 16th, 2013, 13:19
That's weird, if you get a good list with HWND while in Explorer context, Sice should at least accept the BMSG request, even if the combination of hwnd/msg wouldn't produce a break result itself.

I use XP3 without any updates (other than .NET4) and don't have any issues, using the files from the last patch

http://www.woodmann.com/collaborative/tools/Compuware_DriverStudio_Version_3.2_patch

If you really wanted to debug this, my IceProbe tool would be the one to use to trace the Softice command, not even sure if Windbg would work without conflict. There must be a simpler solution to this.

Elenil
August 16th, 2013, 16:26

wax have you tried the "patch ntice" function of icestealth ? it will patch the ntice files in "other folder" to your actual os
(then make sure you replace your ntice files from system32/drivers folder)

this makes sure softice find some of his things

also there was a kernel security upgrade (5.1.2600.6165 and above ?) (13.12.2011) that no longer lets softice work without "patch ntice"

just a suggestion maybe it does solve the problem maybe not

WaxfordSqueers
August 17th, 2013, 05:04
Quote:
[Originally Posted by Elenil;95247]

wax have you tried the "patch ntice" function of icestealth ? it will patch the ntice files in "other folder" to your actual os (then make sure you replace your ntice files from system32/drivers folder)


I am not too sure what you mean, Elenil. I don't see a "patch ntice" function specifically. Do you mean the functions checked under Load Old and Load New?

There are three under Load Old already checked. Do I just leave them checked?

OK...I tried it but icestealth wanted to call out and I don't have an Internet connection on the VM at this time, I had one a few days ago but it disappeared and I'm working on it. I don't think icestealth did anything because NTice.sys is still the same size.

I'll try to get the Net connection going and get back to you.

Elenil
August 17th, 2013, 05:31
in menu it has "Patch SoftICE"

then click (Patch SoftICE in "other" Folder)

after this the files in IceStealth\other get patched to your actual os

this fixes a lot of problems

after this copy the other folder to your system32\drivers dir and replace the old files


you also can try to spawn the keyboard set thing or not overwrite your winice.dat

WaxfordSqueers
August 17th, 2013, 05:59
Quote:
[Originally Posted by Elenil;95249]in menu it has "Patch SoftICE"


menu???...what menu????

Ah...I see the problem, I am running version 1.5 and you are up to ver 1.8.

Just downloaded 1.8...I'll get back to you.

blabberer
August 17th, 2013, 07:06
@wax
Quote:
I'm wondering, is there a way to debug softice using windbg?


yes sirreee no problem sirreee

@k

Quote:
not even sure if Windbg would work without conflict


what conflict you envisage

i have been to siwvid.entrypoint and ntice.entrypoint before (just to be sure i did it again and paste the output below)

host xpsp3
target ms vpc xp sp3 without virtual machine addons
plain si405wnt installed with 4.05 patches (3 drivers replaced both package from exelab)
i3here off
(else ctrl+break in host windbg will be trapped by sice in target and the black beauty will wake up from sleep as if some one pressed ctrl+d in target )

sxe -ibp;reboot
bp iopinitializeBuiltinDriver+ XXXX (indirect call [REG32+const])
g;r

till you see siwvid and then ntice


Code:


kd> g;r
Breakpoint 0 hit
eax=80093d40 ebx=812d3eb8 ecx=29180008 edx=29170007 esi=00000000 edi=812d3e84
eip=806a9ef9 esp=fac475f8 ebp=fac47630 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!IopInitializeBuiltinDriver+0x25d:
*** ERROR: Module load completed but symbols could not be loaded for Siwvid.sys
806a9ef9 ff532c call dword ptr [ebx+2Ch] ds:0023:812d3ee4=fa658b1c
kd> dd esp l2
fac475f8 812d3eb8 80093d40
kd> !ustr poi(esp+4)
String(116,116) at 80093d40: \Registry\Machine\System\CurrentControlSet\Services\Siwvid
kd> dt nt!_DRIVER_OBJECT poi(esp)
+0x000 Type : 0n4
+0x002 Size : 0n168
+0x004 DeviceObject : (null)
+0x008 Flags : 2
+0x00c DriverStart : 0xfa652000 Void
+0x010 DriverSize : 0x1d320
+0x014 DriverSection : 0x81329108 Void
+0x018 DriverExtension : 0x812d3f60 _DRIVER_EXTENSION
+0x01c DriverName : _UNICODE_STRING "\Driver\Siwvid"
+0x024 HardwareDatabase : 0x8068fa90 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
+0x028 FastIoDispatch : (null)
+0x02c DriverInit : 0xfa658b1c long +0
+0x030 DriverStartIo : (null)
+0x034 DriverUnload : (null)
+0x038 MajorFunction : [28] 0x804fa87e long nt!IopInvalidDeviceRequest+0
kd> gu
nt!IopInitializeBootDrivers+0x2d2:
806aa011 894618 mov dword ptr [esi+18h],eax
kd> !drvobj 812d3eb8 2
Driver object (812d3eb8) is for:
\Driver\Siwvid
DriverEntry: fa658b1c Siwvid
DriverStartIo: 00000000
DriverUnload: 00000000
AddDevice: 00000000

Dispatch routines:
[00] IRP_MJ_CREATE fa659134 Siwvid+0x7134
[02] IRP_MJ_CLOSE fa659134 Siwvid+0x7134
[0e] IRP_MJ_DEVICE_CONTROL fa659134 Siwvid+0x7134

removed all ERROR_NOT_IMPLEMENTED CALLS

kd> !grep -i -e "cmp" -c "uf fa659134"

fa659168 81f90068409c cmp ecx,9C406800h
fa659170 81f90468409c cmp ecx,9C406804h
fa659178 81f90868409c cmp ecx,9C406808h
fa659180 81f90c68409c cmp ecx,9C40680Ch
kd> $ control codes for siwvid IRP Tail.overlay.CurrentStackLocation->Parameters.DeviceIoControl.IoControlCode


kd> g;r
Breakpoint 0 hit
eax=80093a60 ebx=812d35c8 ecx=2add0008 edx=2adc0007 esi=00000000 edi=812d3592
eip=806a9ef9 esp=fac475f8 ebp=fac47630 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!IopInitializeBuiltinDriver+0x25d:
*** ERROR: Symbol file could not be found. Defaulted to export symbols for NTice.sys -
806a9ef9 ff532c call dword ptr [ebx+2Ch] ds:0023:812d35f4=fa641300
kd> dd esp l2
fac475f8 812d35c8 80093a60
kd> !ustr poi(esp+4)
String(114,114) at 80093a60: \Registry\Machine\System\CurrentControlSet\Services\NTice
kd> dt nt!_DRIVER_OBJECT poi(esp)
+0x000 Type : 0n4
+0x002 Size : 0n168
+0x004 DeviceObject : (null)
+0x008 Flags : 2
+0x00c DriverStart : 0xfa509000 Void
+0x010 DriverSize : 0x148f40
+0x014 DriverSection : 0x813290a0 Void
+0x018 DriverExtension : 0x812d3670 _DRIVER_EXTENSION
+0x01c DriverName : _UNICODE_STRING "\Driver\NTice"
+0x024 HardwareDatabase : 0x8068fa90 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
+0x028 FastIoDispatch : (null)
+0x02c DriverInit : 0xfa641300 long NTice!adjust_fdiv+0
+0x030 DriverStartIo : (null)
+0x034 DriverUnload : (null)
+0x038 MajorFunction : [28] 0x804fa87e long nt!IopInvalidDeviceRequest+0

kd> gu this int 3 was trapped by sice in target you need to set i3here off for bps to be redirected to windbg on reboot
kayaker know a permanent way to disable i3here ?

Break instruction exception - code 80000003 (first chance)
*******************************************************************************
* *
* You are seeing this message because you pressed either *
* CTRL+C (if you run kd.exe) or, *
* CTRL+BREAK (if you run WinDBG), *
* on your debugger machine's keyboard. *
* *
* THIS IS NOT A BUG OR A SYSTEM CRASH *
* *
* If you did not intend to break into the debugger, press the "g" key, then *
* press the "Enter" key now. This message might immediately reappear. If it *
* does, press "g" and "Enter" again. *
* *
*******************************************************************************
nt!RtlpBreakWithStatusInstruction:
804e3592 cc int 3

kd> !drvobj 812d35c8 2
Driver object (812d35c8) is for:
\Driver\NTice
DriverEntry: fa641300 NTice!adjust_fdiv
DriverStartIo: 00000000
DriverUnload: 00000000
AddDevice: 00000000

Dispatch routines:
[00] IRP_MJ_CREATE fa556528 NTice!chkstk+0x4fe

[02] IRP_MJ_CLOSE fa556528 NTice!chkstk+0x4fe
[0e] IRP_MJ_DEVICE_CONTROL fa556912 NTice!chkstk+0x8e8
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL fa556948 NTice!chkstk+0x91e
[10] IRP_MJ_SHUTDOWN fa556544 NTice!chkstk+0x51a

kd> !grep -i -e "cmp ecx" -c "uf fa5565ca"

fa556629 3bc8 cmp ecx,eax
fa556637 81f90060409c cmp ecx,9C406000h
fa556643 81f90460409c cmp ecx,9C406004h
fa55664b 81f90860409c cmp ecx,9C406008h
fa556653 81f90c60409c cmp ecx,9C40600Ch
fa55665b 81f91060409c cmp ecx,9C406010h
fa556663 81f91460409c cmp ecx,9C406014h
fa556735 81f91c60409c cmp ecx,9C40601Ch
fa556741 81f92060409c cmp ecx,9C406020h
fa55674d 81f92460409c cmp ecx,9C406024h
fa556759 81f94860409c cmp ecx,9C406048h
fa556761 81f94c60409c cmp ecx,9C40604Ch
fa556769 81f95060409c cmp ecx,9C406050h
kd> $ control codes for ntice devioctl IRP Tail.overlay.CurrentStackLocation->Parameters.DeviceIoControl.IoControlCode


WaxfordSqueers
August 17th, 2013, 07:33
Quote:
[Originally Posted by blabberer;95251]@wax ...yes sirreee no problem sirreee


Verrrrrry interrrrrrrresting!!!

Need to absorb all this. Right now I have embarked on yet another deviation from my initial chore of tracking a file seek to the MFT on a hard drive. To get back to that I need to fix softice, fix XP SP3 on a VM, and fix the Internet connection in the VM. Either that or learn everything about windbg and/or cdb really quickly, which looks highly unlikely.

It would also be nice to get a pipe going between the VM and my desktop so I could use Windbg remotely. In the interim, I took time out to rebuild my system, having to troubleshoot an XP install disk that gave me a BSOD when I tried a repair install. With a new mother board that is apparently to be expected, but no one tells you that.

Sigh...the life of a reverser is fraught with peril.

WaxfordSqueers
August 17th, 2013, 07:35
Quote:
[Originally Posted by Elenil;95249]in menu it has "Patch SoftICE"


no good E., icestealth wants those symbols from Microsoft and would not consider symbols I stuck in the 'Other' directory.

WaxfordSqueers
August 17th, 2013, 08:10
Quote:
[Originally Posted by Elenil;95249]in menu it has "Patch SoftICE"


E.....something really weird is going on. I just downloaded icestealth 1.8 from the RCE cache and every time I used the icestealth.exe file, it gets deleted. I checked it with an old copy of AVP and it showed no viruses but that copy's virus database is at least a year old.

The only other time I have seen that was with certain reversing tools many years ago. Some apps would delete the executable if they detected it.

I have no idea what could be on my VM system that would delete Icestealth. I have hardly anything on it.

I have a firewall running on the VM.

WaxfordSqueers
August 17th, 2013, 11:10
Quote:
[Originally Posted by Elenil;95249]in menu it has "Patch SoftICE"


Re the disappearing icestealth.....I figured it out. Pretty smart.

Kayaker
August 17th, 2013, 11:16
Quote:
[Originally Posted by WaxfordSqueers;95254]I have a firewall running on the VM.


Hello? Dumb question, but have you tried BMSG without the firewall? Just a shot in the dark.

Kayaker
August 17th, 2013, 11:19
You're right blabs, as I wrote that I realized it should be no different from debugging any other driver if using a Windbg pipe. I didn't want to add that and perhaps VirtualKD to the mix at the moment, but what the hay..

The interfering I3here can be turned off in winice.dat, i.e.
FAULTS OFF; I3HERE OFF;

The problem now is, can you find and trace a BMSG command?

http://www.woodmann.com/forum/entry.php?96-IceProbe-SoftIce-Command-Tracer

Setting up IDA for analysing Softice functions
http://www.woodmann.com/forum/showthread.php?t=6529

WaxfordSqueers
August 17th, 2013, 11:43
Quote:
[Originally Posted by Kayaker;95256]Hello? Dumb question, but have you tried BMSG without the firewall? Just a shot in the dark.


Do you mean with it disabled or completely removed?

WaxfordSqueers
August 17th, 2013, 11:45
Quote:
[Originally Posted by Kayaker;95257]The problem now is, can you find and trace a BMSG command?

http://www.woodmann.com/forum/entry.php?96-IceProbe-SoftIce-Command-Tracer

Setting up IDA for analysing Softice functions
http://www.woodmann.com/forum/showthread.php?t=6529


Excellent stuff kayaker, now I have no excuse for not exploring further. I have been under the impression that you had not released Iceprobe but that you were considering it.

Kayaker
August 17th, 2013, 11:50
Re IceStealth and the one-time internet connection required to download the pdb files. Elenil can clarify this if he likes. You can download the symbols outside of the VM by copying the files (ntoskrnl/ntkrnlpa, services, etc.) to your real system and grab the pdb's for those specific file versions. I think I used Windbg symchk one time, another time the Softice symbol retriever (which works as standalone without Sice). Then just copy them back to the VM, without ever having opened it to the net.

IceStealth is good if you need to hide Sice from something, and Elenil did a wonderful job at doing that, great work. You probably want to have a VM with a virgin Sice as well though for other work. I seem to recall not being able to use Loader32 to add modules or dump the history buffer after enabling it (yes, Sice was hidden well, even from itself

WaxfordSqueers
August 17th, 2013, 12:57
Quote:
[Originally Posted by Elenil;95249]after this the files in IceStealth\other get patched to your actual os this fix a lot of problems


I'm having all sorts of problems with icestealth that I never had before on version 1.5.

When I used the Patch Softice command, I get an error message "NTOSKRNL.PDB File Error While Patch NTICE Code 1".

I have manually loaded the pdb's for ntoskrnl and services in the 'other folder'. Halaacpi is not on my system but it is in a driver pack as halaacpi.dl_. My system uses hal.dll. I am reluctant to get the pdb for halaacpi because that hal is for a different OS.

Anyway, I now have all three of the required pdbs in the 'other' folder and I am still getting the same error as above.

I have suspected that I have hotfixes on my VM system that have changed versions of ntoskrnl. You said later versions of the OS worked OK.

My current version of ntoskrnl is 5.1.2600.5512 (xpsp.080413-2111).

Kayaker
August 17th, 2013, 13:25
Well this is funny. I tried IceProbe with the BMSG command. Easy peasy, but the problem is again context. Once you've issued the command and are tracing it in Softice, you're in the IceProbe context. BMSG won't work on any other context (notepad, explorer). However, it also won't work (Invalid window handle message) if you use the IceProbe window as the target, for example 'BMSG <iceprobe hwnd> WM_MENUSELECT'. That BMSG will be set if issued from the Sice window, but not if through IceProbe, if you get the meaning. Not sure why, but as we all know, context is a funny thing.

In this particular case, what could be done then is to use IceProbe to get the running address of the BMSG command (simply issue the command once and note the address the tracing break begins on). Then use Windbg remote and blabberer's technique and set a BP on that address. Issue your BMSG in Softice and Windbg should break and you can begin tracing from there. The context at least should be correct.

Please, do try IceProbe for fun, but I think it would be difficult to figure out from the BMSG code how Softice is parsing the handle table and why it's not working in your particular situation. You remember the issues we brought up with the related HWND command:

http://www.woodmann.com/forum/showthread.php?9643-Softice-and-breakpoints-revisited

Install a virgin Softice/XP, test BMSG on notepad and go from there.

WaxfordSqueers
August 17th, 2013, 14:17
Quote:
[Originally Posted by Kayaker;95262]Install a virgin Softice/XP, test BMSG on notepad and go from there.


Yeah, that's the next step. I just wanted to exhaust all the possibilities before they exhaust me.

I did uninstall my firewall but it did not help the softice problem. It did solve the icestealth problem. I was able to call out, get its PDB files, then patch ntice. That's one plus.

The firewall is the old Sygate, and I used it because it's a standalone firewall with no other bells and whistles. It's a good one too. There are features on there that would suit the most paranoid of users. Too bad Symantec got into the act. They seem to eat up good apps like Sygate and Partition Magic and discard them.

Anyway, I need a break. Appreciate your time K., and sorry for continually dragging you into softice issues. Thanks for iceprobe.

I am still trying to focus on the initial problem with reversing the MFT file on an NTFS system. I have diverged greatly into areas that don't seem related but are related.

I'll reload XP onto the VM fresh...same with ice. I'll let you know what happens but it'll be a few days.

WaxfordSqueers
August 17th, 2013, 14:19
Quote:
[Originally Posted by Elenil;95247]

wax have you tried the "patch ntice" function of icestealth?


See my last reply to Kayaker. I got it going but not softice. The patch did not help. Thanks anyway, it was worth the try. I am now satisfied there is something really wrong and I need to install XP and ice again.

Elenil
August 17th, 2013, 18:00
Quote:
[Originally Posted by WaxfordSqueers;95261]I'm having all sorts of problems with icestealth that I never had before on version 1.5.

When I used the Patch Softice command, I get an error message "NTOSKRNL.PDB File Error While Patch NTICE Code 1".

I have manually loaded the pdb's for ntoskrnl and services in the 'other folder'. Halaacpi is not on my system but it is in a driver pack as halaacpi.dl_. My system uses hal.dll. I am reluctant to get the pdb for halaacpi because that hal is for a different OS.

Anyway, I now have all three of the required pdbs in the 'other' folder and I am still getting the same error as above.

I have suspected that I have hotfixes on my VM system that have changed versions of ntoskrnl. You said later versions of the OS worked OK.

My current version of ntoskrnl is 5.1.2600.5512 (xpsp.080413-2111).




you may take a look at the readme file
"if you wanna place the .PDB files manual plz first create a \SYM folder
then copy your .PDB files in the \sym folder like this : ntoskrnl.pdb\1592B6763F33476B9BB560395B383FA62\ntoskrnl.pdb"

in the other folder icestealth won't find the sym files

create a \sym - folder (icestealth\sym not icestealth\other)

be sure you don't just copy without the checksum; it's the microsoft dll that searches for it this way


in the other case i think a firewall is blocking the microsoft symbol dll "symsrv.dll"; it downloads the 3 files manually

the error just indicates to me that it did not even load the ntoskrnl.pdb file (which i have set to be the first one to load)

the thing with the hal.dll is that if you request the hal.pdb file it will load the halaacpi.pdb file; microsoft has some kind of fused pdb file

ahh, and if you have replaced the files you have to reboot the computer; it's not enough to have softice not started and start it after the files were replaced

blabberer
August 18th, 2013, 06:28
Quote:
[Originally Posted by Kayaker;95257]The interfering I3here can be turned off in winice.dat, i.e. FAULTS OFF; I3HERE OFF;


thanks that should save a few keypress and round trips

Quote:
The problem now is, can you find and trace a BMSG command?


i think so yes (tell me if you notice anything amiss)

windbg waiting in host on a pipe to vm
target xp sp3 vm with siw405nt boot start running
ctrl+d
i3here off
bm hit space auto complete hit enter
sice tells Parameters Required
ctrl+d (we got our clue, lets start windbagging)

ctrl+break

windbg breaks

Code:

.reload /f
kd> lm m ntic*
start end module name
fa509000 fa651f40 NTice (export symbols) NTice.sys
kd> s -a fa509000 l?(fa651f40-fa509000) "Parameters requir"
fa5c88d3 50 61 72 61 6d 65 74 65-72 73 20 72 65 71 75 69 Parameters requi
kd> # *fa5c88d3 fa509000 l?(fa651f40-fa509000)
NTice+0x2ebea:
fa537bea bed3885cfa mov esi,offset NTice!initterm+0x36561 (fa5c88d3)
NTice+0x2ec78:
fa537c78 bed3885cfa mov esi,offset NTice!initterm+0x36561 (fa5c88d3)
NTice+0x2f5e6:
fa5385e6 bed3885cfa mov esi,offset NTice!initterm+0x36561 (fa5c88d3)
NTice+0x3125d:
fa53a25d b8d3885cfa mov eax,offset NTice!initterm+0x36561 (fa5c88d3)
NTice+0x3138b:
fa53a38b bed3885cfa mov esi,offset NTice!initterm+0x36561 (fa5c88d3)
NTice+0x317a4:
fa53a7a4 bed3885cfa mov esi,offset NTice!initterm+0x36561 (fa5c88d3)
NTice+0x31d03:
fa53ad03 bed3885cfa mov esi,offset NTice!initterm+0x36561 (fa5c88d3)
NTice+0x32117:
fa53b117 bed3885cfa mov esi,offset NTice!initterm+0x36561 (fa5c88d3)
NTice+0x32395:
fa53b395 bed3885cfa mov esi,offset NTice!initterm+0x36561 (fa5c88d3)
NTice+0x32483:
fa53b483 bed3885cfa mov esi,offset NTice!initterm+0x36561 (fa5c88d3)
NTice+0x369c7:
fa53f9c7 b8d3885cfa mov eax,offset NTice!initterm+0x36561 (fa5c88d3)
NTice+0x38417:
fa541417 b8d3885cfa mov eax,offset NTice!initterm+0x36561 (fa5c88d3)
NTice+0x3e037:
fa547037 8d05d3885cfa lea eax,[NTice!initterm+0x36561 (fa5c88d3)]
NTice+0x3f034:
fa548034 8d05d3885cfa lea eax,[NTice!initterm+0x36561 (fa5c88d3)]

kd> u fa5385e6 l2
NTice+0x2f5e6:
fa5385e6 bed3885cfa mov esi,offset NTice!initterm+0x36561 (fa5c88d3)
fa5385eb e82ab2ffff call NTice+0x2a81a (fa53381a)
kd> u fa53ad03 l2
NTice+0x31d03:
fa53ad03 bed3885cfa mov esi,offset NTice!initterm+0x36561 (fa5c88d3)
fa53ad08 e80d8bffff call NTice+0x2a81a (fa53381a)
kd> $ there is a fat chance this function is called from our bmSG lets breakdance


kd> bp fa53381a
kd> g lets do ctrl+d + bm<space><enter> in target vm
Breakpoint 0 hit
eax=00000004 ebx=00000003 ecx=00000000 edx=00001701 esi=fa5b8576 edi=fa5b88d1
eip=fa53381a esp=fa5aab00 ebp=f9e38d54 iopl=0 nv up ei ng nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000297
NTice+0x2a81a:
fa53381a 53 push ebx
kd> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
fa5aaafc fa533700 fa5b0901 00000000 00000019 NTice+0x2a81a
fa5aab18 fa52ac68 97000000 00000003 00000000 NTice+0x2a700
00000000 00000000 00000000 00000000 00000000 NTice+0x21c68


kd> ub fa533700 l2
NTice+0x2a6f6:
fa5336f6 be76855bfa mov esi,offset NTice!initterm+0x26204 (fa5b8576)
fa5336fb e81a010000 call NTice+0x2a81a (fa53381a)

kd> DB fa5b8576
fa5b8576 3a 62 6d 53 47 00 00 00-00 00 00 00 00 00 00 00 :bmSG...........
fa5b8586 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

kd> uf fa53381a
NTice+0x2a81a:
fa53381a 53 push ebx
fa53381b 8a3d15655bfa mov bh,byte ptr [NTice!initterm+0x241a3 (fa5b6515)]
fa533821 e802010000 call NTice+0x2a928 (fa533928)
fa533826 5b pop ebx
fa533827 c3 ret


kd> uf fa53381a
NTice+0x2a81a:
fa53381a 53 push ebx
fa53381b 8a3d15655bfa mov bh,byte ptr [NTice!initterm+0x241a3 (fa5b6515)]
fa533821 e802010000 call NTice+0x2a928 (fa533928)
fa533826 5b pop ebx
fa533827 c3 ret
kd> uf fa533928
NTice+0x2a928:
fa533928 833dd82663fa00 cmp dword ptr [NTice!adjust_fdiv+0x1fde8 (fa6326d8)],0
fa53392f 7401 je NTice+0x2a932 (fa533932)

NTice+0x2a931:
fa533931 c3 ret

NTice+0x2a932:
fa533932 50 push eax
fa533933 53 push ebx
fa533934 51 push ecx
fa533935 52 push edx
fa533936 56 push esi
fa533937 57 push edi
fa533938 e859000000 call NTice+0x2a996 (fa533996)
fa53393d 8a3560855bfa mov dh,byte ptr [NTice!initterm+0x261ee (fa5b8560)]
fa533943 0235435e5bfa add dh,byte ptr [NTice!initterm+0x23ad1 (fa5b5e43)]
fa533949 b200 mov dl,0
fa53394b b320 mov bl,20h
fa53394d 8b0dc4135bfa mov ecx,dword ptr [NTice!initterm+0x1f052 (fa5b13c4)]
fa533953 e85bb4ffff call NTice+0x25db3 (fa52edb3)
fa533958 e841b3ffff call NTice+0x25c9e (fa52ec9e)
fa53395d fe0560855bfa inc byte ptr [NTice!initterm+0x261ee (fa5b8560)]
fa533963 a04e5e5bfa mov al,byte ptr [NTice!initterm+0x23adc (fa5b5e4e)]
fa533968 380560855bfa cmp byte ptr [NTice!initterm+0x261ee (fa5b8560)],al
fa53396e 720b jb NTice+0x2a97b (fa53397b)

NTice+0x2a970:
fa533970 fe0d60855bfa dec byte ptr [NTice!initterm+0x261ee (fa5b8560)]
fa533976 e8e6030000 call NTice+0x2ad61 (fa533d61)

NTice+0x2a97b:
fa53397b 5f pop edi
fa53397c 5e pop esi
fa53397d 5a pop edx
fa53397e 59 pop ecx
fa53397f 5b pop ebx
fa533980 58 pop eax
fa533981 c3 ret



direct bmSG or wrapper should be nearby somewhere; it's back to tracing again

scrape the net for this driver and check with your idb etc

Code:

==================================================
Filename : ntice.sys
MD5 : e9f99bae4269c95190461036c325077a
SHA1 : 1eb378b984f9ad24afd86f414cc8ca4b83a53339
CRC32 : c85e8094
SHA-256 : 9bafdbe77306ef377a6c972acd7deca5e45ccb059843c8bc83809eb10e8eface
SHA-512 : e3caf20b6915bb76b57800994467363dc4f13ea38d291feeedb4985ced744ede053d7691afb6b0e75db3c321165019dbf4068b205fa4ed5e346ea0a10f7838c3
Full Path : C:\Documents and Settings\Admin\Desktop\New Folder (2)\nticexppatch\windows\system32\drivers\ntice.sys
Modified Time : 07/11/2001 02:09:10
Created Time : 17/08/2013 02:59:56
File Size : 1,347,462
File Version : 4.2.6 (Build 922)
Product Version : 4.2.6 (Build 922)
Identical :
Extension : sys
File Attributes : A
==================================================

Kayaker
August 18th, 2013, 22:23
Lol, I knew you'd try it. Hence the subtle challenge - social engineering

Clever using a Bad Cracker message to get inside. Yep, the "Parameters required" string is at offset 000BF8D3, so with your driver base fa509000 + BF8D3 = FA5C88D3.
You got all the cross references, the one for BMSG would be the one at NTice+0x31d03:, so I think your fat chance is correct.

For your driver version BMSG begins here:

Code:

:00031B7E c_Bmsg proc near ; DATA XREF: .data:000B10BB
:00031B7E 55 push ebp
:00031B7F 8B EC mov ebp, esp
:00031B81 83 EC 1C sub esp, 1Ch
:00031B84 E8 78 7D 01 00 call UpdateCurrentContext
:00031B89 BE 77 F5 0A 00 mov esi, offset bUserCommand
:00031B8E E8 8D 43 FF FF call VerifyString
:00031B93 E8 F3 A6 FF FF call SkipWord
:00031B98 0F 82 65 01 00 00 jb loc_31D03 // msgParametersRequired



If you want to confirm, just use IceProbe, it works with Softice 4.05 up to DS32.

btw, I forgot how glitchy the mouse was in v4.05... yikes.
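The two WinDbg steps blabberer ran above (`s -a` to find the "Parameters required" string, then `# *<va>` to list the instructions that embed its address) and Kayaker's base + offset arithmetic, redone offline in Python as an added example; this is not code from either post. The image bytes are constructed; only the load base fa509000 and the offsets quoted in the thread are taken from the page.

```python
"""Added example (not blabberer's or Kayaker's code): reproduce the WinDbg
string search and cross-reference scan on a raw driver image.
  1. `s -a <start> l?<size> "Parameters requi"`  -> virtual address of the string
  2. `# *<va> <start> l?<size>`                  -> instructions embedding that VA
The image below is constructed; the load base (fa509000), the string's file
offset (0xBF8D3) and the xref offsets come from the thread."""
import struct

IMAGE_BASE = 0xFA509000      # NTice base reported by `lm m ntic*`
STRING_OFFSET = 0x000BF8D3   # file offset of "Parameters required" (Kayaker's post)

# Opcode bytes that precede a 32-bit absolute operand in the xrefs seen above.
OPCODES = {
    b"\xbe": "mov esi, offset",       # BE imm32
    b"\xb8": "mov eax, offset",       # B8 imm32
    b"\x8d\x05": "lea eax, [disp32]", # 8D 05 disp32
}


def build_sample_image():
    """Constructed stand-in for the driver: zero-filled, with the message string
    at STRING_OFFSET and three references to it at offsets taken from the
    `#` output (NTice+0x2f5e6, +0x31d03, +0x3e037)."""
    img = bytearray(0xC0000)
    msg = b"Parameters required\x00"
    img[STRING_OFFSET:STRING_OFFSET + len(msg)] = msg
    va = struct.pack("<I", IMAGE_BASE + STRING_OFFSET)
    img[0x2F5E6:0x2F5E6 + 5] = b"\xbe" + va      # mov esi, offset msg
    img[0x31D03:0x31D03 + 5] = b"\xbe" + va      # mov esi, offset msg (the BMSG one)
    img[0x3E037:0x3E037 + 6] = b"\x8d\x05" + va  # lea eax, [msg]
    return bytes(img)


def file_offset_to_va(offset):
    """Kayaker's arithmetic: base + offset = VA.  This assumes the file offset
    equals the RVA, which holds for the thread's numbers and for this
    constructed image; for a real PE you would map through the section table."""
    return IMAGE_BASE + offset


def find_string(image, needle):
    """Equivalent of `s -a`: VAs of every occurrence of an ASCII needle."""
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append(file_offset_to_va(pos))
        pos = image.find(needle, pos + 1)
    return hits


def find_xrefs(image, target_va):
    """Equivalent of `# *<va>`: scan for the little-endian dword of target_va and
    return (instruction VA, description).  Only absolute 32-bit operands are
    found (a relative call/jmp would not show up), and the match is a heuristic:
    a dword with no recognised opcode in front is reported as 'raw dword'."""
    pat = struct.pack("<I", target_va)
    refs, pos = [], image.find(pat)
    while pos != -1:
        instr_off, desc = pos, "raw dword"
        for opc, name in OPCODES.items():
            if pos >= len(opc) and image[pos - len(opc):pos] == opc:
                instr_off, desc = pos - len(opc), name
                break
        refs.append((file_offset_to_va(instr_off), desc))
        pos = image.find(pat, pos + 1)
    return refs


if __name__ == "__main__":
    image = build_sample_image()
    for va in find_string(image, b"Parameters requi"):
        print("string at %08x" % va)
        for ref_va, desc in find_xrefs(image, va):
            print("  %08x  %s (%08x)" % (ref_va, desc, va))
```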

blabberer
August 19th, 2013, 04:23
Quote:
If you want to confirm, just use IceProbe, it works with Softice 4.05 up to DS32.


heh socimoreengi ?

well i was going to zero in on that exact function yesterday but didnt

here is how
see above i did a db esi and it was :bmSG notice colon (doubt no 1)
glancing through fa53381a it doesnt look like it handles windows (gut )
more like a printf and where the heck is the String ?? Parameters Required
string isnt anywhere near the top of stack (doubt no 2)

lets see how many times this gets hit

go (it get hits exactly two times) woot that is a jackpot without the jack

lets play casino royale put all the stakes into one poker bluff

Code:


kd> bp fa53381a
kd> g;da esi;kb;
Breakpoint 0 hit
fa5b8576 ":bmSG"
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00000000 00000000 00000000 00000000 00000000 NTice+0x2a81a
kd> g;da esi;kb;
Breakpoint 0 hit
fa5c88d3 "Parameters required"
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
fa5aaafc fa53375e fa5b0901 00000000 00000019 NTice+0x2a81a
00000000 00000000 00000000 00000000 00000000 NTice+0x2a75e

lets repeat encore twice

kd> g;da esi;kb;
Breakpoint 0 hit
fa5b8576 ":bmSG"
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00000000 00000000 00000000 00000000 00000000 NTice+0x2a81a
kd> g;da esi;kb;
Breakpoint 0 hit
fa5c88d3 "Parameters required"
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
fa5aaafc fa53375e fa5b0901 00000000 00000019 NTice+0x2a81a
00000000 00000000 00000000 00000000 00000000 NTice+0x2a75e
kd> ub fa53375e l2
NTice+0x2a755:
fa533755 c1e002 shl eax,2
fa533758 ff900f9f5bfa call dword ptr NTice!initterm+0x27b9d (fa5b9f0f)[eax]
kd> r
eax=000001ac ebx=00000006 ecx=00000000 edx=00001701 esi=fa5c88d3 edi=fa5b8aae
eip=fa53381a esp=fa5aaadc ebp=fa5aaafc iopl=0 nv up ei pl zr na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000247
NTice+0x2a81a:
fa53381a 53 push ebx
kd> bc *
kd> bl

kd> bp fa533758
kd> g
Breakpoint 0 hit
NTice+0x2a758:
fa533758 ff900f9f5bfa call dword ptr NTice!initterm+0x27b9d (fa5b9f0f)[eax]
kd> r
eax=000001ac ebx=00000006 ecx=00000000 edx=00001701 esi=fa5b8576 edi=fa5b8aae
eip=fa533758 esp=fa5aab04 ebp=00000000 iopl=0 nv up ei pl nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000216
NTice+0x2a758:
fa533758 ff900f9f5bfa call dword ptr NTice!initterm+0x27b9d (fa5b9f0f)[eax] ds:0023:fa5ba0bb=fa53ab7e
kd> $ after reading the post i am sure i broke right
kd> ? ntice+31b7e
Evaluate expression: -95179906 = fa53ab7e



ice what cone or cup

WaxfordSqueers
August 19th, 2013, 04:40
Quote:
[Originally Posted by Elenil;95265]you may take a look on the readmefile


E....look at the post before this one. I left a message for you saying that I had success getting icestealth working. I think it was a firewall issue. I forgot that the firewall I am using checks drivers and other OS functions.

I removed the firewall and got icestealth working, but softice still does not accept a valid window handle. I am going to reinstall win xp in the vm with a fresh install of ice.

First, I slept for nearly 24 hours. I was exhausted from lack of sleep trying to get this problem solved.

WaxfordSqueers
August 19th, 2013, 04:58
Quote:
[Originally Posted by blabberer;95267] i think so yes (tell me if you notice anything amiss)


Good stuff, Blabs.

In your setup, are you running softice as a target in the VM, with Windbg as the host on another machine? So, if I am setting up the VM, do I mark in serial port config that the VM end is the target?

Also, I'm looking into buying a serial port to USB adapter, with the idea of using the USB end on my laptop and the serial port end in my desktop, where the VM resides. That was before setting up the VM and before finding that ice is not working with my new ATI driver. I am still interested in whether the concept will work. Don't know as yet whether Windbg allows output to a USB port aimed at a serial port after the data is converted to serial form.

I have not bought it yet because I have a query in with the manufacturer as to whether it has full RS 232 handshaking.

blabberer
August 19th, 2013, 06:16
Quote:
that the VM end is the target?


iirc vmware asks if this end is a server or client (msvpc wouldnt want to know which end is what?)

i dont know if it asks if it is a target now

you may check my blog entry for photos

http://www.woodmann.com/forum/entry.php?234-connect-two-virtual-machines-on-one-physical-host-and-use-wdeb386-to-debug-win98-app

as the title says it was some experiment where i was running two virtual machines on one physical host

that is 3 os (one xp which is a physical machine and host for two vms running windows 98 side by side)
and i managed to connect both the vms for a kernel debugging session
that again is windows 98 kernel debugging another windows 98 on a physical host running windows xp

there i designate one vm as server (other end is vm)
and other vm as client (other end is vm)

instead of this i think you should do
this end is client and other end is physical host in the vm (not sure i dont have vmware installed to provide you correct info)

but i think you should be able to make out with the above explanation and the photos in the blog entry

as far as usb debugging is concerned reports are that it doesn't work properly
it needs a special type of usb cable and even when it has that special cable from authorized and approved by ms hardware vendor it may not work
is what i gather from the cloud (never used one so no first hand experience)

reports are that usb debugging works kinda ok only in windows 8.1 preview release few months ago

Kayaker
August 19th, 2013, 11:12
Quote:
[Originally Posted by blabberer;95271]
ice what cone or cup


With a cherry on top!

WaxfordSqueers
August 19th, 2013, 14:23
Quote:
[Originally Posted by blabberer;95274]thats is 3 os (one xp which is a physical machine and host for two vms running windows 98 side by side )


Win 98...AAAAAARRRRRRGH!! Dual Win98....double AAAAAARRRRRRGH!!.

Actually, my ploy in this post is to con you into using softice so much that you'll like it. I gather from your blog that you have never given it much of a shot. I have spent hundreds of hours on it and I swear by it, when it's running. Running on XP with SP3, it's so solid it's sickening. It never crashes no matter what routes I take through Ring 0.

Sysini files...triple AAAAAARRRRRRGH!!

I'll have a closer look at your blog when my head clears. Thanks for the link.

Quote:
[Originally Posted by blabberer;95274]instead of this i think you should do
this end is client and other end is physical host in the vm (not sure i dont have vmware installed to provide you correct info)


I'll work it out. I just wondered if there was an advantage to having the host in the VM or elsewhere.

Quote:
[Originally Posted by blabberer;95274]as far as usb debugging is concerned reports are that it doesn't work properly


Technically, I'm not using USB, I am using serial with the USB acting as a conduit to the serial interface. I figured as long as Windbg sees a legitimate serial interface with full RS232 handshaking it should not care what is on the other side of the serial - USB adapter.

I have to study this more but the config for Windbg seems only concerned about what Windbg sees. If it's talking to a serial port, it should be happy. That may answer the question I posed to you. Since the only serial port I have is on the desktop, Windbg will have to be on the desktop.

blabberer
August 19th, 2013, 15:44
Quote:

Technically, I'm not using USB


i dont know i replied back what i read around

if you buy it and if it worked post back the details

Quote:

my ploy in this post is to con you into using softice so much that you'll like it


i never said i disliked it

like you qualified your statement with if it ran it ran solid it never runned or ranned

and i didn't have the expertise / skill / time / internet connection to scavenge / download megabytes ( no not talking about dvd rip of 4.4 gb much much smaller mbs at 28.8 kbps meant days together )to make it run while i was crawling

and i found free alternatives that were much more stable and support for them too from official channels were easily available so never used softice much
that is all

Kayaker
August 19th, 2013, 16:25
Quote:
[Originally Posted by blabberer;95278]i never said i disliked it

i found free alternatives that were much more stable and support for them too from official channels were easily available so never used softice much
that is all


I can't help but hear that in the voice of Tom Selleck in the movie Quigley Down Under. In a final scene, the overconfident bad guy assumes the injured Quigley doesn't know how to use a Colt revolver very well, so challenges him to an unfair duel. After shooting all the bad guys before they can even draw their guns, Quigley walks over to the dying villain and drawls,

"I said I never had much use for one. Never said I didn't know how to use it."

WaxfordSqueers
August 19th, 2013, 17:25
Quote:
[Originally Posted by blabberer;95278]...much much smaller mbs at 28.8 kbps meant days together )


I painfully recall the old pre-internet days on BBS's running x-modem, y-modem and z-modem. 9600 baud was the order of the day with some people actually running 300 baud. 28k was like lightning and 56k seemed impossible. Then again, in the early 80s, a removable disk drive cartridge was 18" in diameter and held all of 5 megs. You get 3 1/2" disks these days holding a third of a terabyte (1000 gigabytes), with three of them holding a terabyte. The track density was 1000 tracks per inch circa 1980. I used to repair computers in which the CPU was transistorized.

When I look at my thumb drive, which is essentially the length of my thumb, and holds 20 gigs of data, the mind boggles.

I got interested in softice reading Matt Pietrek's book on Windows 95 in which he talked openly about 'spelunking', which was his name for reverse engineering. He worked for Numega, I think on the Boundschecker program. In those days, softice was not that big in size.

Elenil
August 19th, 2013, 22:42
What is the actual state now?
Like the hwnd command is working but it's still not accepting valid handles?

WaxfordSqueers
August 21st, 2013, 02:29
Quote:
[Originally Posted by Elenil;95282]What is the actual state now?
Like the hwnd command is working but it's still not accepting valid handles?


No...hwnd only works after using 'addr explorer', then a 'hwnd' by itself lists all the window handles.

If I select any of the valid handles and use

bmsg <hwnd> <message>

I get an error message stating that the window handle is invalid.

I have confirmed the handles using SPYXX and the cdb debugger from Debugger Tools for Windows. Softice even displays all the correct handles with the HWND command but when I enter one in BMSG it claims the handle is invalid.

I have moved on from that problem for now. I am currently creating a new VM with a fresh windows install and a fresh installation of ice.

blabberer
August 21st, 2013, 04:21
I am currently creating a new VM

that sounds as if it is a mammoth project

you can reuse the virtual hard drives

make one vhd and use it on 100's different virtual machines
one with softice
one with visual studio
one with malware
one with network
one without network
one with page file
one without page file


all you have to do is save away a copy of a fresh vm to some place

when you want to make xpsp3hotdog version

copy the saved vm to a new folder and use the option with an existing vhd instead of create new vhd

install hotdogs and you have xpsp3hotdogs vm in say 15 minutes at the max including a break to the piss room

WaxfordSqueers
August 21st, 2013, 15:42
Quote:
[Originally Posted by blabberer;95296]I am currently creating a new VM

that sounds as if it is a mammoth project


It shouldn't be but I get right into it with hammers, saws, and whatnot and by the time I finish it is a mammoth project.

Quote:
[Originally Posted by blabberer;95296]you can reuse the virtual hard drives


Yeah...I do reuse them. I even have DOS and Win 98SE setup. I may even try Linux again to see if they have advanced from the dark days of Unix, pre-1980. They were making headway with their GUIs, like KDE (I hated Gnome), but their command line setup was still a horror show for a newbie.

With my present VM install, I wanted to be absolutely sure I had a clean install of XP so I started from square one.

Right now I am getting grief from that piece of crap otherwise known as Internet Explorer. I am trying to d/l Comodo's free firewall/antivirus package and IE tells me it can't connect to a certain site. So I d/led Firefox, which I should have done right off rather than fiddle with that over-bloated monstrosity. When Firefox asked if I wanted to make it the default, I said, "yes, please".

What kind of addled brain would one need to design something like IE? I tried to download a file that is fairly large and IE insisted on saving it as a link to my desktop. When I refused the offer and guided it to another directory, it d/l'd the large file as a link. Have you ever seen a file with a .lnk extension that is 145 megs long?

I see now what the problem was, I was trying to open the aforementioned lnk file before it was fully downloaded, but IE did not know that. It kept telling me it was a lnk file.

Then I opened its brother, File Explorer. There's another joke. If you want a dual pane situation, you have to open another instance of file explorer. Why, after all these years, have they not built in functionality to have a dual pane setup? Give up? I'll tell you why. They want you to do it their way. What you want as a user means nothing to msoft. Who else would gear an OS (win 8) at touch screens? Prefer a mouse...too bad...msoft is telling you how the future will be.

When you open explorer to view files, it insists on opening in documents and settings, and as you try to click on the file you want, it goes on resizing, forcing you to chase your desired directory with the mouse.

I had to edit this post to add another whine. When you open file explorer under normal conditions, it lists the files but does not tell you the directory or path. That is pure Unix bs and that's what microsoft is trying to implement. In Unix, everything is a file, even a directory, and that's how msoft has designed the NTFS file system. I am discovering all that from my MFT project/thread which is on hold till I get softice running again.

It may be of interest to you to realize that the old DOS-style directory/file path is now merely a wrapper around the namespace base that msoft bases file explorer on. Yes...there is yet another hidden file system between the user and the MFT on an NTFS system. You might say the MFT is part of that hidden file system, and it gets processed by shell32 and shlwapi in conjunction with ole32. I haven't gotten into objects yet which have totally obfuscated the real hardware lying underneath the msoft OS.

The shell in shell32 is related to the shell the user sees. The user sees files and directories and shell32 translates them into item lists that break the path into objects.

To me, having grown up with computers in the early 80s, that kind of thinking is a major step backwards.

End of whine.

Talk about Big Brother. Microsoft knows best which directory you want to start in and how you will think in the future, which is actually the dark Unix past.

WaxfordSqueers
August 21st, 2013, 22:17
Quote:
[Originally Posted by WaxfordSqueers;95299]End of whine.


Happy(er) camper, here (happier than I wuz while whining about msoft in my last post).

No more error messages on bmsg...just the sweet acceptance of handles, and the subsequent listing of bl's showing the set breakpoint.

The clean install of both XP and ice seems to have done the trick.

Speaking of 's, where's JMI these days? He used those a lot.

Elenil
August 24th, 2013, 09:11
If you want, Wax, you can use the patch ntice function (I think you need DS 3.2 for this to work instead of the older SoftICE; dunno if it's possible to just replace the ntice file on the old version of ntice).
This makes the hwnd command work on every exe, so you don't need Spy++.

There's a rare scenario where it does not work with the addr command, but usually it should be fine, and it works 100% if you were in the proper context, like after a breakpoint in the executable.

JMI
August 24th, 2013, 14:30
He's still here, just very busy at the moment.

WaxfordSqueers
August 29th, 2013, 17:39
Quote:
[Originally Posted by JMI;95319]He's still here, just very busy at the moment.


Glad to hear you are alive and well, JMI.

WaxfordSqueers
August 29th, 2013, 17:47
Quote:
[Originally Posted by WaxfordSqueers;95302]Happy(er) camper, here


A bit premature...sigh!!

Got ice to break in the VM on a bmsg and traced till a jump came to User32!CallWindowProcA. Upon entering U32, the mouse and keyboard disappeared. There is a blinking cursor in the ice window but I cannot access it.

Even worse, can't get out of the ice window.

May have something to do with the entries in the VM config file for softice. There are two versions of them, one for older VMs and one for newer VMs. I am using

vmmouse.present = FALSE
svga.forceTraces = "TRUE"

NOT

vmmouse.present = FALSE
svga.maxFullscreenRefreshTick = 5

I don't want to shut softice down yet and was hoping someone in the know was hovering (or paddling) nearby.

Kayaker
August 29th, 2013, 18:10
Oh Boy, now you did it! If you're locked up in Sice I'm not sure what you could do, other than maybe suspending the VM, change to the RefreshTick config, and resume to see if that fixes it. Might be borked now though.

Interesting if you could do an exact snapshot with and without the glitch, and binary compare the snapshots. Would the "glitch" be visible as a byte difference I wonder, even if not understood as representing such?

WaxfordSqueers
August 29th, 2013, 18:15
Quote:
[Originally Posted by Kayaker;95335] If you're locked up in Sice I'm not sure what you could do


Played around a bit and found that ctrl-alt-esc gets me out of ice and the vm. I can get right back to the host. However, if I re-enter the vm, I'm back in ice with a frozen mouse cursor and a blinking cursor in the command window. Weird.

I'll see if I can get a snapshot somehow.

WaxfordSqueers
August 29th, 2013, 18:44
Quote:
[Originally Posted by Kayaker;95335]Would the "glitch" be visible as a byte difference I wonder, even if not understood as representing such?


The glitch seems to be related to either the VM config or the firewall. I changed the VM config to

vmmouse.present = FALSE
svga.maxFullscreenRefreshTick = 5

and shut down the firewall. I should have done them one at a time but I got impatient.

Anyway, stepped into U32 ok. So far, so good. Or as you folks back East say, si tant, si bon. :-)

WaxfordSqueers
August 29th, 2013, 20:15
Quote:
[Originally Posted by Kayaker;95335]Oh Boy, now you did it!


I'll say. Just ran into the problem you described where I got tangled up in VM garbage while tracing the kernel.

Did you ever find a solution to dealing with that? I backed out using the stack but went too far and activated the app I am tracing. I think you mentioned something about setting a BP as soon as you enter the kernel.

The problem with this app is that it uses a lot of win32k.sys processing windows. I ran through a waitforinputidle, or something like that, and I think that led into the VM garbage.

Kayaker
August 29th, 2013, 20:54
You mean this?

http://www.woodmann.com/forum/showthread.php?15244-synchronization-issues

It was just a thought.

WaxfordSqueers
August 30th, 2013, 05:30
Quote:
[Originally Posted by Kayaker;95339]You mean this? http://www.woodmann.com/forum/showthread.php?15244-synchronization-issues It was just a thought.


Yeah, that's the one...thanks. For some reason, other than a small interruption from the supposedly turned off firewall (I guess the driver keeps doing its thing), I had a lengthy session in the VM with no interruptions.

If I run into more crap, I'll explore the use of your TID method.

In my first venture, I tried to trace right from the mouse capture...bmsg hwnd 203 (WM_LBUTTONDBLCLK) but I got caught up in some hairy win32k stuff, and that led to the VM stuff. Getting smarter on trek #2, I set a BP in shell32, where I had traced successfully in a non-VM situation, and it was pretty clear sailing.

My mind is getting bent with object theory, stuff like SHITEMID lists and PIDLs, apparently pronounced 'piddle'. The IDL is the system's equivalent of a path, with structures beginning with the structure length and ending with a NULL entry to indicate the end of the list.

My BPX was on _ShellExecuteExA, which takes a pointer to a SHELLEXECUTEINFO structure. As you trace from there through shell32, it interacts with OLE 32, and Shlwapi to parse the path and create IDLs and objects. I am hoping it will sooner or later reveal a connection to the MFT structure in the NTFS file system via NTFS.sys.

I have already found such a connection via CreateFile to the filecache but it is too far along and the file location seems to have been located in the MFT already. I am trying to understand whether the handle retrieved by CreateFile comes after the MFT has been accessed or before. It seems that by the time CreateFile gets a handle for the file, the file is already loaded into memory.

http://msdn.microsoft.com/en-us/library/windows/desktop/bb762154%28v=vs.85%29.aspx

http://msdn.microsoft.com/en-us/library/windows/desktop/bb759784%28v=vs.85%29.aspx

If you look at the structure members you can see the file/directory parameters, etc.
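Added example (not part of the post above, and not Microsoft's code): a small walker for the SHITEMID list layout that the post describes, so the "length-prefixed structures ending in a NULL entry" idea can be checked on real bytes. It assumes only the documented layout of an ITEMIDLIST: each SHITEMID starts with a little-endian USHORT cb giving the size of the whole item including cb, followed by cb-2 opaque abID bytes, and the list ends with a terminator whose cb is 0. The sample PIDLs below are constructed by hand for illustration; a PIDL produced by the real shell has folder-specific, opaque abID contents and you would normally obtain it from SHParseDisplayName or a ShellExecuteEx call rather than build it. The walker also shows the two checks a practitioner wants when reading PIDLs out of a debugged process or a file: a truncated list with no terminator, and a cb that is smaller than its own header or runs past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of walking one ITEMIDLIST (a "PIDL"). */
typedef struct {
    size_t count;        /* number of SHITEMIDs seen before the terminator */
    size_t total_bytes;  /* bytes consumed, including the 2-byte terminator */
    int ok;              /* 1 if the list is well-formed, 0 on truncation or a bad cb */
} pidl_info;

/* Walk a PIDL held in buf[0..len). Layout per SHITEMID: USHORT cb (little-endian,
 * counts itself), then cb-2 opaque abID bytes. A cb of 0 terminates the list. */
pidl_info pidl_walk(const uint8_t *buf, size_t len) {
    pidl_info info = {0, 0, 0};
    size_t off = 0;
    for (;;) {
        if (off + 2 > len)              /* no room for a cb: truncated, no terminator */
            return info;
        uint16_t cb = (uint16_t)(buf[off] | ((uint16_t)buf[off + 1] << 8));
        if (cb == 0) {                  /* terminator reached: list is complete */
            info.total_bytes = off + 2;
            info.ok = 1;
            return info;
        }
        if (cb < 2 || off + cb > len)   /* cb must cover its own header and stay in bounds */
            return info;
        info.count++;
        off += cb;
    }
}

/* Return a pointer to the abID bytes of item `index` (0-based) and its length in
 * *abid_len, or NULL if the list is malformed or has no such item. */
const uint8_t *pidl_item(const uint8_t *buf, size_t len, size_t index, size_t *abid_len) {
    size_t off = 0, i = 0;
    while (off + 2 <= len) {
        uint16_t cb = (uint16_t)(buf[off] | ((uint16_t)buf[off + 1] << 8));
        if (cb == 0 || cb < 2 || off + cb > len)
            return NULL;
        if (i == index) {
            *abid_len = cb - 2;
            return buf + off + 2;
        }
        i++;
        off += cb;
    }
    return NULL;
}

/* Constructed sample data (hand-built, not produced by the Windows shell). */
const uint8_t sample_pidl[] = {
    0x05, 0x00, 'a', 'b', 'c',   /* item 0: cb=5, abID="abc" */
    0x04, 0x00, 'x', 'y',        /* item 1: cb=4, abID="xy"  */
    0x00, 0x00                   /* terminator */
};
const uint8_t truncated_pidl[] = {
    0x05, 0x00, 'a', 'b', 'c',
    0x04, 0x00, 'x', 'y'         /* terminator missing */
};
const uint8_t bad_cb_pidl[] = {
    0x01, 0x00, 0x00, 0x00       /* cb=1 cannot even cover its own header */
};

int main(void) {
    pidl_info a = pidl_walk(sample_pidl, sizeof sample_pidl);
    pidl_info b = pidl_walk(truncated_pidl, sizeof truncated_pidl);
    pidl_info c = pidl_walk(bad_cb_pidl, sizeof bad_cb_pidl);
    printf("sample:    ok=%d items=%zu bytes=%zu\n", a.ok, a.count, a.total_bytes);
    printf("truncated: ok=%d items=%zu\n", b.ok, b.count);
    printf("bad cb:    ok=%d items=%zu\n", c.ok, c.count);
    return 0;
}
```

Usage: dump the bytes at the PIDL pointer (for example the lpIDList member of SHELLEXECUTEINFO when fMask includes SEE_MASK_IDLIST) from the debugger and feed them to pidl_walk; count and total_bytes tell you how many SHITEMIDs the list holds and how far it extends in memory, which is what ILGetSize would report for a well-formed list.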