Kayaker
February 18th, 2004, 04:41
Hi Guys,
I was doing a bit of exploring tonight, and it looks like ActivateHooks and DeactivateHooks will have to be re-referenced a bit. The others can be found with a new search pattern like bedrock showed. Here's what I've found so far for the record. Some of the Softice internal naming is from The Owl's pioneering work of course, and his original IDB databases are indispensable.
I found that ActivateHooks is called within the ActivateBPs function, and DeactivateHooks is called within the DeactivateBPs function. This is handy. Once they are identified, new search patterns can be devised. The DeactivateHooks function will especially need more looking into since the code pattern seems to have changed so much.
Hopefully you can make sense of the following code; each section has Sten's search pattern from softice.h, then a comparable DS3.1 pattern that might be usable for anyone wanting to make modifications.
Expression2Integer:
Code:
unsigned char PAT_Expression2Integer_DS30[] =     // code pattern
{
    0x55,                                         // push ebp
    0x8B, 0xEC,                                   // mov ebp, esp
    0x51,                                         // push ecx
    0x51,                                         // push ecx
    0x56,                                         // push esi
    0x33, 0xF6,                                   // xor esi, esi
    0x89, 0x75, 0xF8,                             // mov [ebp+var_8], esi
    0x89, 0x75, 0xFC,                             // mov [ebp+var_4], esi
    0x66, 0x89, 0x35, _XX_, _XX_, _XX_, _XX_,     // mov word ptr dword_DDCB0, si
    0xE8                                          // call pCreate_fExp2Int
};
DS 3.1:
Code:
.text:0007A5D4 55                    push    ebp
.text:0007A5D5 8B EC                 mov     ebp, esp
.text:0007A5D7 83 EC 0C              sub     esp, 0Ch
.text:0007A5DA 56                    push    esi
.text:0007A5DB 33 F6                 xor     esi, esi
.text:0007A5DD 89 75 FC              mov     [ebp+var_4], esi
.text:0007A5E0 89 75 F4              mov     [ebp+var_C], esi
.text:0007A5E3 89 75 F8              mov     [ebp+var_8], esi
.text:0007A5E6 66 89 35 7C 78 11 00  mov     word ptr dword_11787C, si
.text:0007A5ED E8 00 72 F9 FF        call    pCreate_fExp2Int
ActivateBPs:
Code:
unsigned char PAT_ActivateBPs[] =                 // code pattern
{
    0x80, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x01,     // cmp dw_IsBPActivated, 1
    0x74, _XX_,                                   // jz short locret_41BD4
    0x80, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x01,     // cmp dwNumberOfBPs?, 1
    0x74, _XX_,                                   // jz short locret_41BD4
    0x83, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x00,     // cmp dword_C28AC+1, 0
    0x74, 0x01,                                   // jz short loc_41BD5
//locret_41BD4:
    0xC3                                          // retn
//loc_41BD5:
};
DS 3.1:
Code:
.text:000A2148 pActivateBPs proc near
.text:000A2148
.text:000A2148 80 3D 9C C4 0D 00 01  cmp     dw_IsBPActivated, 1
.text:000A214F 74 12                 jz      short loc_A2163
.text:000A2151 80 3D F7 E8 11 00 01  cmp     dwNumberOfBPs, 1
.text:000A2158 74 09                 jz      short loc_A2163
.text:000A215A 83 3D 8E 8A 10 00 00  cmp     dword_108A8E, 0
.text:000A2161 74 08                 jz      short loc_A216B
.text:000A2163 loc_A2163:
.text:000A2163 60                    pusha
.text:000A2164 E8 AB 2A 00 00        call    sub_A4C14
DeactivateBPs (no change but DeactivateBPs is important to find DeActivateHooks!):
Code:
unsigned char PAT_DeactivateBPs[] =               // code pattern
{
    0x80, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x00,     // cmp dwNumberOfBPs?, 0
    0x75, 0x01,                                   // jnz short loc_418EA
    0xC3,                                         // retn
//loc_418EA:
    0x60,                                         // pusha
    0x06,                                         // push es
    0x66, 0x8E, 0x05                              // mov es, wNTICE_SS
};
DS 3.1:
Code:
.text:000A1E6A pDeactivateBPs proc near
.text:000A1E6A 80 3D F7 E8 11 00 00  cmp     dwNumberOfBPs?, 0
.text:000A1E71 75 01                 jnz     short loc_A1E74
.text:000A1E73 C3                    retn
.text:000A1E74 loc_A1E74:
.text:000A1E74 60                    pusha
.text:000A1E75 06                    push    es
.text:000A1E76 66 8E 05 D4 15 0E 00  mov     es, wNTICE_SS
ActivateHooks:
Code:
unsigned char PAT_ActivateHooks[] =
{
    0x83, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x01,                 // cmp dNumOfCPUs, 1
    0x76, 0x0F,                                               // jbe short locret_30979
    0xC7, 0x05, _XX_, _XX_, _XX_, _XX_, 0x00, 0x00, 0x00, 0x00, // mov SpinLock, 0
    0xE8, _XX_, _XX_, _XX_, _XX_,                             // call pActivateHooks
    0xC3                                                      // retn
};
DS 3.1:
The ActivateHooks call can be found in the pActivateBPs function;
the pattern closely matches pre-DS3.1 versions.
Code:
.text:000A2188 FF 35 FF 16 0F 00              push    dCurrentContext
.text:000A218E C6 05 F7 E8 11 00 01           mov     byte_11E8F7, 1
.text:000A2195 C7 05 06 5A 11 00 00 00 00 00  mov     dTSS_Base, 0
.text:000A219F C7 05 02 5A 11 00 FF FF FF FF  mov     dword_115A02, 0FFFFFFFFh
.text:000A21A9 E8 DB EA FF FF                 call    sub_A0C89
.text:000A21AE E8 21 2B 00 00                 call    pActivateHooks
...
.text:000A4CD4 pActivateHooks proc near
.text:000A4CD4 60                             pusha
.text:000A4CD5 E8 50 18 00 00                 call    sub_A652A
.text:000A4CDA E8 29 B3 FF FF                 call    sub_A0008
.text:000A4CDF E8 30 FF FF FF                 call    sub_A4C14
.text:000A4CE4 C6 05 D8 27 12 00 01           mov     byte_1227D8, 1
.text:000A4CEB 61                             popa
.text:000A4CEC C3                             retn
.text:000A4CEC pActivateHooks endp
DeActivateHooks:
Code:
unsigned char PAT_DeActivateHooks[] =
{
    0x83, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x01,            // cmp dNumOfCPUs, 1
    0x76, 0x13,                                          // jbe short loc_3095F
    0xF0, 0x0F, 0xBA, 0x2D, _XX_, _XX_, _XX_, _XX_, 0x00, // lock bts SpinLock, 0
    0x73, 0x03,                                          // jnb short loc_3095A
    0xF9,                                                // stc
    0xEB, 0x06,                                          // jmp short locret_30960
// loc_3095A:
    0xE8, _XX_, _XX_, _XX_, _XX_,                        // call pDeActivateHooks
    0xF8,                                                // clc
// locret_30960:
    0xC3                                                 // retn
};
DS 3.1:
The DeActivateHooks call can be found in the pDeactivateBPs function;
the pattern closely matches pre-DS3.1 versions.
This one is a little trickier: there are now *2* calls, where before there
was only one. One or both of them may be the new DeActivateHooks function.
Code:
.text:000A1F47 loc_A1F47:                    ; CODE XREF: pDeactivateBPs+CDj
.text:000A1F47 E8 A1 2D 00 00        call    sub_A4CED
.text:000A1F4C E8 AF 2C 00 00        call    sub_A4C00
// one of these 2 calls seems to match what should be the call
// to DeActivateHooks as seen in earlier DS versions
....
.text:000A1F51 B0 01                 mov     al, 1
.text:000A1F53 E8 3B 68 FA FF        call    sub_48793
.text:000A1F58 58                    pop     eax
.text:000A1F59 E8 D2 62 FA FF        call    pSwitchContext_InWinice
.text:000A1F5E 58                    pop     eax
.text:000A1F5F A2 B0 9E 0D 00        mov     fNOPAGE, al
.text:000A1F64 07                    pop     es
.text:000A1F65 61                    popa
.text:000A1F66 C3                    retn
.text:000A1F66 pDeactivateBPs endp
This is just a cursory look at things, I may have made some mistakes, but it should be enough as a guide to where the new functions are in DS 3.1.
As an aside, if you want to trace *into* IceExt, or any other Softice KDExtension, you can set a BPX in NTICE (yes, it seems to work!) at the call which calls the DriverEntry routine of standard KDExtensions. The DriverEntry routine is configured more like a regular DllEntry routine, except that you still need to find the PDRIVER_OBJECT to register a DriverUnload function. You can trace through IceExt live this way.
Code:
NTICE DS3.1
.text:0009A1A3 6A 00                 push    0
.text:0009A1A5 6A 01                 push    1                    ; fwdReason = "DLL_PROCESS_ATTACH"
.text:0009A1A7 FF 76 17              push    dword ptr [esi+17h]  ; MZ Header
.text:0009A1AA FF 56 1B              call    dword ptr [esi+1Bh]  ; load KDExtension
                                                                  ; DriverEntry_fdwReason_LoadKDExtension
Kayaker
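The post shows the pre-DS3.1 pattern arrays and the DS3.1 listings side by side but not the scanner that consumes them, nor why the old ActivateBPs pattern stops matching. The example below is added here; it is not Kayaker's code, not from IceExt, and not Sten's softice.h. It implements a wildcard byte scanner, runs the post's pre-DS3.1 PAT_ActivateBPs against a constructed buffer holding the DS3.1 bytes from the pActivateBPs listing (where it fails on the `74 01 C3` tail that DS3.1 replaced with `74 08 60`), then runs a candidate DS3.1 pattern derived from that listing, and finally resolves an `E8 rel32` call to its target so the listing's `call sub_A4C14` and `call pActivateHooks` addresses can be checked. The `_XX_` value, `IMAGE_BASE_VA`, the candidate DS3.1 pattern and all function names are assumptions for this example; the DS3.1 byte values are taken from the listing above.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wildcard marker meaning "any byte". softice.h defines its own _XX_;
 * this value is an assumption made so the example stands alone. */
#define _XX_ 0x100
typedef uint16_t pat_t;          /* wide enough for 0x00..0xFF plus the wildcard */

/* Sten's pre-DS3.1 ActivateBPs pattern, as transcribed in the post. */
static const pat_t PAT_ActivateBPs_pre31[] = {
    0x80, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x01,   /* cmp dw_IsBPActivated, 1   */
    0x74, _XX_,                                 /* jz short locret           */
    0x80, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x01,   /* cmp dwNumberOfBPs?, 1     */
    0x74, _XX_,                                 /* jz short locret           */
    0x83, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x00,   /* cmp dword, 0              */
    0x74, 0x01,                                 /* jz short +1 (over retn)   */
    0xC3                                        /* retn                      */
};

/* Candidate DS3.1 pattern (my derivation from the pActivateBPs listing):
 * the jz displacements changed, so they become wildcards too, and the
 * retn that followed them is replaced by the pusha at loc_A2163. */
static const pat_t PAT_ActivateBPs_DS31[] = {
    0x80, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x01,   /* cmp dw_IsBPActivated, 1   */
    0x74, _XX_,                                 /* jz short loc_A2163        */
    0x80, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x01,   /* cmp dwNumberOfBPs, 1      */
    0x74, _XX_,                                 /* jz short loc_A2163        */
    0x83, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x00,   /* cmp dword_108A8E, 0       */
    0x74, _XX_,                                 /* jz short loc_A216B        */
    0x60                                        /* pusha                     */
};

/* Constructed test image: the DS3.1 bytes from the pActivateBPs listing
 * (.text:000A2148 .. 000A2168) with four filler bytes on each side.
 * IMAGE_BASE_VA is the assumed VA of ds31_image[0]. */
#define IMAGE_BASE_VA 0x000A2144UL
static const unsigned char ds31_image[] = {
    0x90, 0x90, 0xCC, 0xCC,                         /* filler                    */
    0x80, 0x3D, 0x9C, 0xC4, 0x0D, 0x00, 0x01,       /* 000A2148 cmp ..., 1       */
    0x74, 0x12,                                     /* 000A214F jz               */
    0x80, 0x3D, 0xF7, 0xE8, 0x11, 0x00, 0x01,       /* 000A2151 cmp ..., 1       */
    0x74, 0x09,                                     /* 000A2158 jz               */
    0x83, 0x3D, 0x8E, 0x8A, 0x10, 0x00, 0x00,       /* 000A215A cmp ..., 0       */
    0x74, 0x08,                                     /* 000A2161 jz               */
    0x60,                                           /* 000A2163 pusha            */
    0xE8, 0xAB, 0x2A, 0x00, 0x00,                   /* 000A2164 call sub_A4C14   */
    0xCC, 0xCC, 0xCC, 0xCC                          /* filler                    */
};

/* Byte scan honouring the wildcard; returns the first match offset or -1. */
long find_pattern(const unsigned char *buf, size_t len, const pat_t *pat, size_t patlen)
{
    if (patlen == 0 || patlen > len) return -1;
    for (size_t i = 0; i + patlen <= len; i++) {
        size_t j = 0;
        while (j < patlen && (pat[j] == _XX_ || buf[i + j] == pat[j])) j++;
        if (j == patlen) return (long)i;
    }
    return -1;
}

/* Target of an E8 rel32 near call: VA of the next instruction plus the
 * signed displacement. Unsigned 32-bit wraparound gives the same result. */
uint32_t rel32_target(uint32_t call_va, uint32_t rel32)
{
    return call_va + 5 + rel32;
}

/* Decode the E8 call at a given image offset; returns 0 if there is none. */
uint32_t call_target_at(size_t off)
{
    if (off + 5 > sizeof ds31_image || ds31_image[off] != 0xE8) return 0;
    uint32_t rel = (uint32_t)ds31_image[off + 1]
                 | (uint32_t)ds31_image[off + 2] << 8
                 | (uint32_t)ds31_image[off + 3] << 16
                 | (uint32_t)ds31_image[off + 4] << 24;
    return rel32_target((uint32_t)(IMAGE_BASE_VA + off), rel);
}

long locate_pre31(void)
{
    return find_pattern(ds31_image, sizeof ds31_image, PAT_ActivateBPs_pre31,
                        sizeof PAT_ActivateBPs_pre31 / sizeof PAT_ActivateBPs_pre31[0]);
}

long locate_ds31(void)
{
    return find_pattern(ds31_image, sizeof ds31_image, PAT_ActivateBPs_DS31,
                        sizeof PAT_ActivateBPs_DS31 / sizeof PAT_ActivateBPs_DS31[0]);
}

int main(void)
{
    printf("pre-DS3.1 pattern: offset %ld (-1 = no match)\n", locate_pre31());
    long off = locate_ds31();
    printf("DS3.1 pattern:     offset %ld, VA %08lX\n", off, IMAGE_BASE_VA + off);
    printf("call at 000A2164 -> %08" PRIX32 "\n", call_target_at(32));
    printf("call at 000A21AE -> %08" PRIX32 "\n", rel32_target(0x000A21AEU, 0x00002B21U));
    return 0;
}
```

The two `rel32_target` checks reproduce what IDA printed in the listing: `E8 21 2B 00 00` at 000A21AE lands on 000A4CD4, the `pActivateHooks proc near` line, and the negative displacement `E8 DB EA FF FF` at 000A21A9 lands on sub_A0C89, which is why the wrap-around arithmetic needs no sign-extension special case.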