DriverStudio 2.6 & IceDump
Risotto
June 14th, 2002, 22:40
Howdy!
Finally I decided to change the OS for the better, at least I guess so. With this I've got a little problem: which IceDump could be applied to SIce from DriverStudio 2.6, if it can be at all? I've already tried the latest releases from ver. 6.025 but there is nothing good. And BTW, what's the version of SIce in DS 2.6? By typing ver in SI, it says that it's just SoftIce from DriverStudio 2.6 and that's it.
Bye.
JMI
June 15th, 2002, 02:12
Risotto:
After several posts here and other places about trying to get IceDump to work with D.S. 2.6, someone named "username" clued me in to something I hadn't tried in all my years of using windows. I was also looking for "version 922" of Sice for Win2K as the "correct" version to use with IceDump 6.025, but every time that I tried to use it and installed D.S. 2.6 and typed "ver" in Softice, I got "ver 336" and couldn't understand how they got from 336 to 922 in the build numbers.
What "username" enlightened me on was to go to the ntsice.sys file and select "properties" from the menu given with a right click. That was standard, been there, done that many many times. What I had never done, however, was to then click on one of the other choices in the "item list" on the "version" tab of the properties dialog. I had just stupidly assumed that the version number listed at the top, in this case "file version 4.0.1381.1", was all it showed. WRONG! Clicking on the "Product Version" line, or any other, gives different information. In this case, clicking on the "Product Version" line showed that I had Product version "4.2.6 (Build 922)."
That stupidity confessed, I must admit I am still no closer to getting IceDump to work with this build, despite the statements of the IceDump team that it is supposed to work with this build. So far, no matter what I do in selecting the IceDump from the 922 build folder and attempting to install it, it tells me I have a mismatch or incorrect version. But at least I learned something about "Version" numbering.
If anyone else could shed light on how to get IceDump to work with Build 922 on Win2K, I would be grateful to learn where I am going wrong still.
Regards.
robber804
June 16th, 2002, 06:13
I got them working by recompiling Icedump then patching ntice. Same for getting it to work on Win2k SP3.
JMI
June 16th, 2002, 17:44
robber804:
Could you explain more about the steps you took to get IceDump working with Softice? What did you use to recompile IceDump, what did you patch, and what is the SP3 you mention? I'm only aware of a SP2 for Win2K Pro; is that for a server version or something else, or just a typo?
I'm aware of patches to make to NTice to hide it from searchers, thanks to input from +Spl/\j and Solomon, but have not seen anything on "patching" to make Icedump work, unless you are referring to putting icedump, NTice, and NTid.exe in the same folder and running NTid.exe. After I attempted to do that and substituted the new NTice for the original, Softice didn't work.
Any further information on exactly how to get it working would be appreciated.
Regards.
foxthree
June 16th, 2002, 19:24
Hi JMI:
Maybe I'm totally off track, but system component checksums are strictly verified under NT/2K. So, after patching NTICE.sys, did you recalculate the checksum and set it correctly? Also, make sure SFP is turned off in Win2K, as it silently brings back a cached copy of system32 files from the dllcache directory. This may *not* apply for NTICE.sys but still give it a try...
Signed,
-- FoxThree
JMI
June 16th, 2002, 20:00
FoxThree:
Thanks for the suggestions. I believe I reset the checksum with LordPE, but I'll recheck that I did it correctly. It was the first time I'd used the new version when I tried it. I also tried rebuilding the NTice.sys, IceDump, and NTid.exe process in a temp file, rather than in the system32/drivers directory and perhaps that had some effect on the process.
Still adapting to the Win2K OS. Sure like it generally better than Win98se, which crashed on average a couple of times per day, but still having to learn different techniques for debugging and haven't had enough time to play with all the new stuff necessary to learn it very well yet.
Not sure what the SFP is or where to find it. Time for more searching.
Regards.
p.s. O.K. I now know what SFP is, although Micro$oft can't seem to decide whether to call it "System File Protection" or "Windows File Protection (WFP)", and how to turn it off. If I understand it correctly, it can only bring back a copy of the file from the system32/dllcache directory (or ask for the file back) and, at least in my dllcache directory, there appear to be no copies of NTice or other Softice files. Seems more likely I screwed up the checksum rebuilding and/or need to run NTid.exe in the system32/drivers directory. Will try that next.
JMI
June 16th, 2002, 21:05
FoxThree:
Seems when I first attempted to correct the checksum in the NTice.sys with LordPE I truly didn't understand what I was doing. That's what happens when one doesn't RTFM and assumes they know what they are doing. What it appears that I did was run NTid.exe and then LordPE. I then clicked the "?" next to checksum and then decided that it was logical to hit the "Rebuild PE" button. Duh! Wrong. All I had to do was hit the "save" button and close the file.
Now that I have Icedump with my D.S. 2.6, I wonder why I wanted it in the first place? The only things that are available currently for that version are the memory dumper and the Bhrama activator, and it does not hide Softice from any of +Spl/\j's Detect programs, as his patches do, so I'm wondering what it's really useful for on Win2K at this time. I was sure I read reports here of people using TRACEX on Win2K, so I'll have to re-search that issue. Either I misread those threads or misunderstood what they said.
Anyway, thanks for the suggestion. Often the most obvious, and therefore most overlooked, is the answer.
Regards.
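FoxThree's point about NT/2K verifying system component checksums, and the LordPE "?" / "save" step JMI describes, both come down to the CheckSum field in the PE optional header. The following is an added example, not code from the thread or from LordPE: it recomputes that field the way ImageHlp's CheckSumMappedFile does, writes it back, and verifies a file, so a patched driver can be checked before it is installed. The minimal PE32 image it operates on is constructed inline and is not a real driver.

```python
import struct

def _checksum_offset(data: bytes) -> int:
    """Offset of OptionalHeader.CheckSum: e_lfanew + 4 (sig) + 20 (COFF) + 0x40."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 24 + 0x40

def fold_sum(data: bytes, skip_off: int) -> int:
    """ImageHlp-style sum of 32-bit words with carry folding, skipping the
    dword at skip_off, folded to 16 bits, plus the file length."""
    if skip_off % 4:
        raise ValueError("CheckSum field must be dword aligned")
    padded = data + b"\0" * (-len(data) % 4)    # zero-pad a ragged tail
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip_off:
            continue                             # the field itself is excluded
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)

def pe_checksum(data: bytes) -> int:
    return fold_sum(data, _checksum_offset(data))

def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, _checksum_offset(data))[0]

def with_checksum(data: bytes) -> bytes:
    """Copy of data with the CheckSum field rewritten (LordPE's save step)."""
    out = bytearray(data)
    struct.pack_into("<I", out, _checksum_offset(data), pe_checksum(data))
    return bytes(out)

def verify_checksum(data: bytes) -> bool:
    """True when the stored field equals the recomputed value."""
    return stored_checksum(data) == pe_checksum(data)

def build_sample_image() -> bytes:
    """Constructed minimal PE32 (not a real driver): MZ stub with e_lfanew=0x40,
    PE signature, COFF header, 224-byte optional header, odd-length payload."""
    mz = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic; CheckSum stays 0
    return mz + b"PE\0\0" + coff + bytes(opt) + b"constructed section payload"
```

On a real file, `verify_checksum(open("ntice.sys", "rb").read())` tells you whether the patched driver still carries a valid checksum; a False after patching means the LordPE save step (or its equivalent) was skipped.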
robber804
June 16th, 2002, 22:25
I just used NASM & the nticedump.bat (in the wnt directory) to recompile the icedump source; whenever I tried to patch NTice without doing this it would cause my computer to lock up. I'm not sure why this works but it does for me. Service Pack 3 is in the RC stage right now, but is very stable; I am using Service Pack 3 Release Candidate for Windows 2000 Professional (not server). Hope this helps and hope it works for you!
Solomon
June 17th, 2002, 03:18
NT IceDump for DriverStudio v2.6 often causes a BSOD when I type "PAGEIN D" to do a partial dump.