nikolatesla20
October 25th, 2002, 14:52
Of course anyone who's intimately familiar with SoftIce will probably already know this, but I finally figured it out (it seems).
Even with DriverStudio 2.7, I could not get SI to BPX on anything in XP with SP1. In fact, you would know why, if you go into SI and do a "U messageboxa". It shows you nothing. No code. So it basically doesn't even know where the code is.
If you read thru the SI release notes, it states that you can make SI load the symbols for ntoskrnl.exe. Since binaries of the exe will be different in SP1, I think this "breaks" it. (Even though compuware says 2.7 supports XP with SP1, I can't get it to work, on two different computers with SP1). To make SI load the symbols and work correctly do this:
1. Get the symbols for ntoskrnl.exe from microsoft. I just used the nice handly utility that comes with DriverStudio 2.7, It's called Symbol Retriever. You can open this up, and select the file you want symbols for (ntoskrnl.exe) and click "Get symbols". It will automatically go to m$'s site and download the current symbols for that file and convert them to *.nms format. Nice huh?
2. NOw, go to Symbol loader and "Edit -> Softice INitialization Settings".
3. Go to "Symbols", and add the ntoskrnl.nms file that you just downloaded/created with the symbol retriever.
4. Go to "Advanced" and enter "NTSYMBOLS=ON" in the text box and press "Add".
5. Reboot.
After this SoftICE should work correctly and see the correct addresses. I just tried it on XP SP1 which SI wasn't working correct, and it fixed it just fine.
Oh, and Read the SI Manual If you are newb !
-nt20
Even with DriverStudio 2.7, I could not get SI to BPX on anything in XP with SP1. In fact, you would know why, if you go into SI and do a "U messageboxa". It shows you nothing. No code. So it basically doesn't even know where the code is.
If you read thru the SI release notes, it states that you can make SI load the symbols for ntoskrnl.exe. Since binaries of the exe will be different in SP1, I think this "breaks" it. (Even though compuware says 2.7 supports XP with SP1, I can't get it to work, on two different computers with SP1). To make SI load the symbols and work correctly do this:
1. Get the symbols for ntoskrnl.exe from microsoft. I just used the nice handly utility that comes with DriverStudio 2.7, It's called Symbol Retriever. You can open this up, and select the file you want symbols for (ntoskrnl.exe) and click "Get symbols". It will automatically go to m$'s site and download the current symbols for that file and convert them to *.nms format. Nice huh?
2. NOw, go to Symbol loader and "Edit -> Softice INitialization Settings".
3. Go to "Symbols", and add the ntoskrnl.nms file that you just downloaded/created with the symbol retriever.
4. Go to "Advanced" and enter "NTSYMBOLS=ON" in the text box and press "Add".
5. Reboot.
After this SoftICE should work correctly and see the correct addresses. I just tried it on XP SP1 which SI wasn't working correct, and it fixed it just fine.
Oh, and Read the SI Manual If you are newb !
-nt20
. Softice not breaking on winmain is a completely seperate error. That is what Kayakers patch is for. I fear that people are mixing those 2 glitches up. Though I fear people are breaking at winmain too much. Yes it is a useful technique but often completely unnecessary. I rarely if ever require a break upon entry. Of course I am more of a dead code reverser but still even if you are investigating a serial check on load I am sure you can find an API that will lead you right into the code you want to look at not the entry point ie RegQueryValueEx or CreateFile, etc... Yes I realize entry point can be useful but it seems far overrated to me. If you dont have it you can probably find a way to do what you need anyway