icedump question
^DAEMON^
February 13th, 2002, 07:29
hi ho,
I am currently busy with icedump improvements; maybe one of you could help me... I need a way to let sice pop up!
but I don't know if I should do that via int0e (like bpr works),
maybe one of you could show me another way to do that!
(please NO int1 or int3!)
^DAEMON^
thx in advance!
death
February 13th, 2002, 08:15
I might be wrong but I think you can use the BoundsChecker interface.
^DAEMON^
February 14th, 2002, 02:18
hmmmm sorry, but how does BoundsChecker let Sice pop up???
via DevIOWLDRBreak ???
^DAEMON^
Kayaker
February 14th, 2002, 03:55
Hi
The problem with the BoundsChecker BCHK interface is that it uses INT 3. I suppose you could use it with the AL=15h service - Set BPM breakpoint, if you can figure out how to fill the breakpoint table with the right info. I've used it with the AL=0Eh service - Execute a SoftICE command, successfully except that with Icedump this trick crashes on the INT 3.
nmtrans.dll DevIO_SetWLDRBreak, as demonstrated in IceLoad (and which is how Softice "tells" its vxd you want to break at the program start) will get you to break at WinMain (or DllMain as IceLoad also does), but there are other ways to do this if this is what you want. And that's the question ^DAEMON^, what is it you're trying to do? You're trying to improve Icedump. OK, let's say you want to pop up SI on access to - something - say a VMMCall that isn't supported or a read/write to some memory area. Icedump already does that pretty well with detecting accesses to the IDT, LDT and GDT by, as you said, hooking INT 0E page faults.
That's probably the way to go I guess. Hook what it is you're trying to hook, create a page fault and let SI handle it. Use VMMCall _Trace_Out_Service as Icedump does to pass info about the access attempt to the user. This doc on Softice Fault Trapping might help if you haven't seen it:
http://www.spiralspace.com/programming/UsingSoftICE/si_page_fault.asp
Just an idea anyway. Don't discount creating an INT 1 in your own code, or in a target's address space though. This is how I pop up SI in my loader with I1HERE ON, or break at WinMain, and it works quite well.
Kayaker
^DAEMON^
February 14th, 2002, 07:19
hi kaya
I've added a command to it called:
/HOOK [DLLname] [APIname] [g|i] (global or via import table)
the problem is just that I want to pop up softice when the hook
is getting reached! I don't want to use int1 or int3 as those may mess up any data (for example k.kryptor)
so I need a clean way to let it pop up!
I also took a look @ cmd_trace and cmd_breakr3 yesterday but they also use something like int3
thx for the link, I'll take a look @ this stuff
^DAEMON^
Kilby
February 14th, 2002, 07:46
Off the top of my head, the page fault indeed looks like a natural candidate.
Though so far int 3 mostly serves my needs, and my page faults are seldom deliberate.
At the mention of icedump updates, I see the /pedump command needs updated as the current version of securom causes it to lock up (well 1 115 Meg data section is a little large I suppose).
Regards,
Kilby...