How to know where I am


newbcrk
March 7th, 2003, 16:46
:bpx getfiletime
Break due to BPX KERNEL32!GetFileTime (ET=2.15 seconds)
:u 77E7B19A L FF
KERNEL32!GetFileTime
001B:77E7B19A 55 PUSH EBP
001B:77E7B19B 8BEC MOV EBP,ESP
001B:77E7B19D 83EC30 SUB ESP,30
001B:77E7B1A0 8B4508 MOV EAX,[EBP+08]
001B:77E7B1A3 2503000010 AND EAX,10000003
001B:77E7B1A8 83F803 CMP EAX,03
001B:77E7B1AB 0F841A3F0200 JZ 77E9F0CB
001B:77E7B1B1 6A04 PUSH 04
001B:77E7B1B3 8D45D0 LEA EAX,[EBP-30]
001B:77E7B1B6 6A28 PUSH 28
001B:77E7B1B8 50 PUSH EAX
001B:77E7B1B9 8D45F8 LEA EAX,[EBP-08]
001B:77E7B1BC 50 PUSH EAX

Hello, I haven't broken at the right place because I am under an API of the kernel.
How do I know when I am under my target, or under an API of my target?
Will it be written, for example,
Break due to BPX 'name of my target'!GetFileTime (ET=2.15 seconds)

I press F12 and I have the code. By all appearances I am not under my target either; I read call [kernel32getfiletime] and CALL [KERNEL32!CompareFileTime]



Break due to BPX KERNEL32!GetFileTime (ET=1.91 seconds
.................. call [kernel32getfiletime]
:u 77547B33 L FF
001B:77547B33 85C0 TEST EAX,EAX
001B:77547B35 7415 JZ 77547B4C
001B:77547B37 83C324 ADD EBX,24
001B:77547B3A 8D45F8 LEA EAX,[EBP-08]
001B:77547B3D 53 PUSH EBX
001B:77547B3E 50 PUSH EAX
001B:77547B3F FF152C135477 CALL [KERNEL32!CompareFileTime]
001B:77547B45 85C0 TEST EAX,EAX
001B:77547B47 7503 JNZ 77547B4C
001B:77547B49 6A01 PUSH 01
001B:77547B4B 5E POP ESI
001B:77547B4C 57 PUSH EDI
001B:77547B4D FF154C135477 CALL [KERNEL32!CloseHandle]
001B:77547B53 5B POP EBX
001B:77547B54 8BC6 MOV EAX,ESI
001B:77547B56 5F POP EDI
001B:77547B57 5E POP ESI
001B:77547B58 C9 LEAVE
001B:77547B59 C20800 RET 0008
001B:77547B5C 55 PUSH EBP
001B:77547B5D 8BEC MOV EBP,ESP
001B:77547B5F 6AFF PUSH FF
001B:77547B61 68B07B5477 PUSH 77547BB0
Thanks for any ideas

squidge
March 7th, 2003, 17:35
1) Read the FAQs

2) Search board. This has been answered many times already.

3) Download SoftIce tuts.

Winston
March 7th, 2003, 17:40
Hiya newbcrk


From the little info you gave I'm guessing you're talking about SI.

A simple search would have found the answer you're looking for.

You need to know how to use the tools, but the answer is right below the code window and in the lower right. Hope this is what you're looking for.

dELTA
March 8th, 2003, 08:36
Yes, in one of the borders of the softice screen, it usually reports "<current_modulename>!<current_area_or_address>", like you said.

But an API breakpoint will always break in the DLL where the API is located, not in the code that's calling it. By looking at the stack directly after the breakpoint hits, you can place another breakpoint that is guaranteed to get you back immediately after the call inside the caller code (ok, if no one is editing the stack manually before the return, but this should not happen too often).

It will never report like you suggest though ('name of my target'!GetFileTime), since there is no area named "GetFileTime" inside your module, it will most likely just be an address after the exclamation mark once you are back inside your module.

Solomon
March 8th, 2003, 08:52
try conditional breakpoints, such as
"BPX GetFileTime if (pid==XXX)", where XXX is the process ID of your target.

also don't forget the STACK command.

Manko
March 8th, 2003, 09:12
You can use the "addr" command to see a list of processes, and the one you're in will be lit up. And if you sometime wish to put a breakpoint and are not in the right process context, you can use addr "name of process" to get into it, to be able to set breakpoints.

And if you are in the right context, that is, if the "addr" command shows your appname lit up in the list,
you can do like Solomon says BUT put _pid in the argument. _pid signifies "THIS PROCESS". Like so:

BPX GetFileTime if pid==_pid (Remember! This will only work if you're in the right context already... see "addr".)

/Manko

LOUZEW
March 8th, 2003, 16:04
Take a look at the bottom of the disassembly window (under SI); you'll see the module name you are debugging. If it's an API, F12 to come back (maybe many F12)!

naides
March 8th, 2003, 16:56
Well, everybody is giving recipes that should have newbcrk sorta confused now. Let me add one more:

Type in Sice 'ws', which activates the stack window. You will see a series of module names and addresses, which are none other than the call stack.

Where are you? Inside the system DLL.
Who called the system DLL API? The process at the top of the stack list. How do you get back to the calling process? Simply click on your target process in the stack window and Sice will take you there. BPX there, where you want to stop in the target process, by simply double clicking the code instruction, and let Sice roll.

Simple eh?
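The advice from dELTA, Solomon, Manko and naides above boils down to two mechanical steps: map an address to the module that contains it (that is what the "MODULE!address" status line does), and read the return address off the stack at API entry to find the first frame that lies in your own module. The following Python is an added illustration of those two steps and is not code from the thread or from SoftICE; the module table, the target module's base address and the stack snapshot are constructed for the example (only the KERNEL32!GetFileTime address and the 77547B33 return address come from the posts above).

```python
"""Added example: resolve raw addresses to MODULE!offset and locate the first
return address that points back into the target module, mirroring the thread's
"look at the stack right after the BPX hits" advice.  All module ranges and
the stack contents below are constructed, not real SoftICE output."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int
    exports: Dict[str, int] = field(default_factory=dict)  # name -> absolute address

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module map.  The KERNEL32 export address matches the BPX in the
# thread; the TARGET base is an assumption chosen so that the 77547B33 return
# address seen after F12 falls inside it.
MODULES: List[Module] = [
    Module("KERNEL32", 0x77E60000, 0x000B0000, {"GetFileTime": 0x77E7B19A}),
    Module("TARGET", 0x77540000, 0x00010000),  # hypothetical target executable
]


def symbolize(addr: int, modules: List[Module] = MODULES) -> str:
    """Return 'MODULE!ExportName' when addr is exactly an export, otherwise
    'MODULE!address' (what the SoftICE status line shows for plain code in a
    module without symbols), or '<unknown>' if no module covers it."""
    for m in modules:
        if m.contains(addr):
            for name, export_addr in m.exports.items():
                if export_addr == addr:
                    return f"{m.name}!{name}"
            return f"{m.name}!{addr:08X}"
    return "<unknown>"


def first_frame_in(module_name: str, stack: List[int],
                   modules: List[Module] = MODULES) -> Optional[int]:
    """Walk a stack snapshot (dwords starting at ESP) and return the first value
    inside module_name.  At API entry [ESP] is the return address, so this is
    the address where a 'BPX <addr>' lands you back in the caller."""
    for value in stack:
        for m in modules:
            if m.name == module_name and m.contains(value):
                return value
    return None


# Constructed snapshot of [ESP..] right after the GetFileTime BPX fires:
# the return address into TARGET, then the three GetFileTime arguments.
STACK_AT_BPX: List[int] = [0x77547B33, 0x00000048, 0x0012FF40, 0x00000000]


if __name__ == "__main__":
    print("break location :", symbolize(0x77E7B19A))
    back = first_frame_in("TARGET", STACK_AT_BPX)
    print("return into    :", symbolize(back) if back is not None else "<none>")
```

The `first_frame_in` walk is deliberately naive: it treats every dword as a candidate, which is exactly why dELTA's caveat about someone editing the stack before the return matters. With frame pointers intact you would follow the EBP chain instead, but the first dword at ESP on entry to an exported API is the one the `STACK` / `ws` commands and F12 rely on.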

newbcrk
March 19th, 2003, 16:00
Thanks to all. My answer is coming late; 1/ my English is bad.
2/ As soon as I read "read the FAQ, read the tutos" I shut up.
Your answers confirm what I was not sure about. I was a little confused because there are 3 green lines which could tell me where I am.
I chose the green line between the code window and the command window, after pressing F12 of course.