NTice.sys Patch for DriverStudio v3.x,fix problem of Symbol Loader not breaking at Wi


iceplus
May 19th, 2004, 04:18
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
I C E P L U S
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
NTice.sys Patch for DriverStudio v3.x
to fix problem of Symbol Loader not
breaking at WinMain
Only tested on Winxp, DS v3.0,3.1,(2.7??)


NTice.sys path: %SYSTEM%\drivers
for example:
"C:\windows\system32\drivers\"

iCePlUs[2004]

Web:iceplus.126.com
Email:iceplus@hotmail.com

dELTA
May 19th, 2004, 06:46
That problem is still in the latest Softice? Why don't they ever fix it, it's been there for ages now?!

crUsAdEr
May 19th, 2004, 07:23
Mine does break fine at WinMain.. using DS3.1...

ZaiRoN
May 19th, 2004, 08:51
I agree with you Crusader.
iceplus, can you tell us more about the patch? Seems like you only nopped some conditional jumps, why?

best regards,
ZaiRoN

Kayaker
May 19th, 2004, 10:32
Hmm, a patch with no source, hidden imports, altered section characteristics...

Why not an open and honest presentation of the problem and its solution?

dELTA
May 19th, 2004, 12:31
The problem I was referring to was that Softice used to refuse to breakpoint at entrypoint/winmain if the PE section it was located in didn't have certain characteristics (like the executable flag etc). Does it always break nowadays, disregarding the PE section flags, or is this what this tool supposedly fixes maybe?

naides
May 19th, 2004, 14:41
Quote:
[Originally Posted by Kayaker]Hmm, a patch with no source, hidden imports, altered section characteristics...

Why not an open and honest presentation of the problem and its solution?


I followed the web address this Iceplus fellow gives

http://iceplus.126.com

There seems to be a discussion about what this patch is all about. The only problem is that it is carried on in Chinese. Perhaps this person has good intentions but cannot communicate...

iceplus
May 19th, 2004, 20:05
.text:0003106B BreakLdrProcHandle proc near ; CODE XREF: sub_3163F+3Bp
.text:0003106B
.text:0003106B arg_0= dword ptr 8
.text:0003106B
.text:0003106B 55 push ebp
.text:0003106C 8B EC mov ebp, esp
.text:0003106E 60 pusha
.text:0003106F 8B 5D 08 mov ebx, [ebp+arg_0]
.text:00031072 0F B6 0D D2 2F 0E+ movzx ecx, LoadProcName
.text:00031079 41 inc ecx
.text:0003107A BE D3 2F 0E 00 mov esi, offset unk_E2FD3
.text:0003107F 8D 7B 0E lea edi, [ebx+0Eh]
.text:00031082 FC cld
.text:00031083 E8 24 CC 03 00 call _StringCmpareNoAa ; compare process name
.text:00031088 75 75 jnz short loc_310FF
.text:0003108A 66 A1 F3 2F 0E 00 mov ax, word_E2FF3
.text:00031090 66 83 F8 FF cmp ax, 0FFFFh
.text:00031094 74 05 jz short loc_3109B
.text:00031096 66 39 03 cmp [ebx], ax
.text:00031099 75 64 jnz short loc_310FF
.text:0003109B
.text:0003109B loc_3109B: ; CODE XREF: BreakLdrProcHandle+29j
.text:0003109B 0F B7 43 02 movzx eax, word ptr [ebx+2]
.text:0003109F 0F 02 C8 lar ecx, eax
.text:000310A2 75 5B jnz short loc_310FF ; patch here NO JUMP
.text:000310A4 66 81 E1 00 18 and cx, 1800h ; in DS V3.1, we search "66 81 e1 00 18" to get "BreakLdrProcHandle" address
.text:000310A9 66 81 F9 00 18 cmp cx, 1800h
.text:000310AE 75 4F jnz short loc_310FF ; patch here NO JUMP
.text:000310B0 66 A3 66 E2 0F 00 mov word_FE266, ax
.text:000310B6 C6 05 6C E2 0F 00+ mov byte_FE26C, 3
.text:000310BD E8 6F F3 FF FF call sub_30431
.text:000310C2 72 3B jb short loc_310FF ; patch here NO JUMP
.text:000310C4 8B 0D F9 2F 0E 00 mov ecx, dword_E2FF9
.text:000310CA 03 4B 04 add ecx, [ebx+4]
.text:000310CD 89 0D 68 E2 0F 00 mov AddressInCur, ecx
.text:000310D3 8D 3C 01 lea edi, [ecx+eax]
.text:000310D6 C7 05 6D 41 11 00+ mov BreakViewType, 10004h
.text:000310E0 8B C1 mov eax, ecx
.text:000310E2 E8 AD 71 01 00 call sub_48294
.text:000310E7 A3 01 30 0E 00 mov dword_E3001, eax
.text:000310EC 66 8B 0D 66 E2 0F+ mov cx, word_FE266
.text:000310F3 E8 44 FF 06 00 call sub_A103C
.text:000310F8 C6 05 D1 2F 0E 00+ mov byte_E2FD1, 0
.text:000310FF
.text:000310FF loc_310FF: ; CODE XREF: BreakLdrProcHandle+1Dj
.text:000310FF ; BreakLdrProcHandle+2Ej ...
.text:000310FF 61 popa
.text:00031100 5D pop ebp
.text:00031101 C2 04 00 retn 4
.text:00031101 BreakLdrProcHandle endp

iceplus
May 19th, 2004, 20:40
;================================================================================
; SiceLdrBreak Patch V0.1beta
;
;================================================================================

format PE GUI 4.0
entry start

include '%fasminc%\win32a.inc'
include 'pe.inc'
;================================================================================
; DATA
;================================================================================
section '.data' data readable writeable
  hIcon         dd 0
  hInstance     dd 0
  flags         dd ?
  pNewFileName  rb 108h             ; MAX_PATH plus room for the '.bak' suffix and terminator

  ofn OPENFILENAME

  hFile         dd ?
  FileSize      dd ?
  hMapFile      dd ?
  pMemory       dd ?
  pFileFilter   db "WDM Files",0,"*.sys",0,0

  pFileName     rb 104h             ; MAX_PATH; must match ofn.nMaxFile below

  message       db 'Patch error !', 0
  message2      db 'Good! Patch succeed !',0dh,0ah,0dh,0ah,\
                   'Please restart your computer!',0
  caption       db 'SiceLdrBreak Patch', 0

  ; "and cx,1800h / cmp cx,1800h": the byte signature of BreakLdrProcHandle in ntice.sys
  codebin       db 66h,81h,0E1h,00h,18h,66h,81h,0F9h,0,18h
  codesize      dd $-codebin

  ; the three conditional jumps that are each replaced by two NOPs
  nop1          db 75h,5bh          ; jnz short loc_310FF  (after lar ecx,eax)
  size_nop1     dd $-nop1
  nop2          db 75h,4fh          ; jnz short loc_310FF  (after cmp cx,1800h)
  size_nop2     dd $-nop2
  nop3          db 72h,3bh          ; jb  short loc_310FF  (after call sub_30431)
  size_nop3     dd $-nop3

;================================================================================
; CODE
;================================================================================
section '.code' code readable executable

start:
        invoke  GetModuleHandle,0
        mov     dword [hInstance],eax

        invoke  DialogBoxParam,eax,37,HWND_DESKTOP,DialogProc,0
exit:
        invoke  ExitProcess,0

proc DialogProc,hWnd,msg,wparam,lparam
        push    ebx esi edi
        cmp     [msg],WM_INITDIALOG
        je      WmInitdialog
        cmp     [msg],WM_COMMAND
        je      WmCommand
        cmp     [msg],WM_CLOSE
        je      WmClose
        xor     eax,eax
        jmp     finish
WmInitdialog:
        ; set icon
        invoke  LoadIcon,[hInstance],IDI_FIRST
        mov     [hIcon],eax
        invoke  SendMessage,[hWnd],WM_SETICON,1,eax

        mov     [ofn.lStructSize],sizeof.OPENFILENAME
        mov     eax,[hWnd]
        mov     [ofn.hwndOwner],eax
        mov     eax,[hInstance]
        mov     [ofn.hInstance],eax
        mov     [ofn.lpstrFilter],pFileFilter
        mov     [ofn.lpstrTitle],caption

        mov     [ofn.lpstrFile],pFileName
        mov     [ofn.nMaxFile],104h       ; size of pFileName

        jmp     processed

WmCommand:
        cmp     [wparam],BN_CLICKED shl 16 + ID_File
        je      getfilename
        cmp     [wparam],BN_CLICKED shl 16 + ID_Patch
        jne     processed
        ;---------------------------------------------------------------------------------------------
        invoke  GetDlgItemText,[hWnd],ID_FileName,pFileName,104h
        mov     [flags],MB_OK

        ; build the backup name "<file>.bak" from whatever is in the edit box
        invoke  lstrcpy,pNewFileName,pFileName
        invoke  lstrlen,pNewFileName
        mov     esi,pNewFileName
        add     esi,eax
        mov     dword [esi],'.bak'
        mov     byte [esi+4],0

        invoke  IsDlgButtonChecked,[hWnd],ID_BackUp
        cmp     eax,BST_CHECKED
        jne     not_backup
        invoke  CopyFile,pFileName,pNewFileName,FALSE
not_backup:
        invoke  CreateFile,pFileName,GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,\
                0,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,0
        cmp     eax,-1                    ; INVALID_HANDLE_VALUE
        je      failed
        mov     [hFile],eax
        invoke  GetFileSize,eax,NULL
        mov     [FileSize],eax
        invoke  CreateFileMapping,[hFile],NULL,PAGE_READWRITE,0,0,NULL
        test    eax,eax
        jz      close_file
        mov     [hMapFile],eax
        invoke  MapViewOfFile,[hMapFile],FILE_MAP_ALL_ACCESS,0,0,0
        test    eax,eax
        jz      close_map
        mov     [pMemory],eax
        ;;;;;;;;;;;;;;;;;;;;Repair NTice;;;;;;;;;;;;;;;;;;;;;;;;;;

        stdcall GetNticeCodeSize,eax       ; esi = start of code in the file, ecx = its length
        stdcall BinSearch,esi,ecx,codebin,dword [codesize]
        cmp     eax,-1                    ; BinSearch returns -1 when the pattern is absent
        jz      patch_failed
        add     esi,eax
        sub     esi,8h                    ; back up so the window covers the jnz before the "and"
        stdcall BinSearch,esi,30h,nop1,dword [size_nop1]
        cmp     eax,-1
        jz      patch_failed
        add     esi,eax
        mov     word [esi],9090h
        stdcall BinSearch,esi,30h,nop2,dword [size_nop2]
        cmp     eax,-1
        jz      patch_failed
        add     esi,eax
        mov     word [esi],9090h
        stdcall BinSearch,esi,30h,nop3,dword [size_nop3]
        cmp     eax,-1
        jz      patch_failed
        add     esi,eax
        mov     word [esi],9090h
        stdcall RepairCheckNum,[pMemory]   ; the driver loader verifies the PE checksum

        ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
        invoke  UnmapViewOfFile,[pMemory]
        invoke  CloseHandle,[hMapFile]
        invoke  CloseHandle,[hFile]
        invoke  MessageBox,[hWnd],message2,caption,MB_OK
        jmp     processed
        ;---------------------------------------------------------------------------------------------
getfilename:
        mov     [ofn.Flags],OFN_EXPLORER+OFN_FILEMUSTEXIST+OFN_HIDEREADONLY
        mov     [ofn.lpstrTitle],NULL
        invoke  GetOpenFileName,ofn
        or      eax,eax
        jz      processed                 ; dialog cancelled: nothing to report
        invoke  SetDlgItemText,[hWnd],ID_FileName,pFileName
        jmp     processed
        ;----------------------------------------------------------------------------------------------
        ; error paths: release whatever was acquired, then report
patch_failed:
        invoke  UnmapViewOfFile,[pMemory]
close_map:
        invoke  CloseHandle,[hMapFile]
close_file:
        invoke  CloseHandle,[hFile]
failed:
        invoke  MessageBox,[hWnd],message,caption,MB_OK
        jmp     processed
        ;----------------------------------------------------------------------------------------------
WmClose:
        invoke  EndDialog,[hWnd],0

processed:
        mov     eax,1
finish:
        pop     edi esi ebx
        return
endp

;--------------------------------------------------------------------------------
; Returns esi = pointer to the start of the code in the mapped file and
; ecx = BaseOfData - BaseOfCode (the size of the search window).
; Assumes the file offset of the code equals its RVA, which holds for the
; ntice.sys builds this was tested on (FileAlignment = SectionAlignment).
proc GetNticeCodeSize, pMem
        mov     esi,[pMem]
        mov     eax,dword [esi+IMAGE_DOS_HEADER.e_lfanew]
        add     eax,esi

        mov     esi,dword [eax+IMAGE_NT_HEADERS.OptionalHeader+IMAGE_OPTIONAL_HEADER32.BaseOfCode]
        mov     ecx,dword [eax+IMAGE_NT_HEADERS.OptionalHeader+IMAGE_OPTIONAL_HEADER32.BaseOfData]
        sub     ecx,esi
        add     esi,[pMem]
        return
endp

; Recomputes IMAGE_OPTIONAL_HEADER.CheckSum with the same algorithm as
; CheckSumMappedFile: ones-complement sum of all 16-bit words with the
; CheckSum field zeroed, then plus the file size.
proc RepairCheckNum, pMem
        mov     esi,[pMem]
        mov     edi,[esi+IMAGE_DOS_HEADER.e_lfanew]
        add     edi,esi
        mov     dword [edi+IMAGE_NT_HEADERS.OptionalHeader+IMAGE_OPTIONAL_HEADER32.CheckSum],0

        mov     ecx,[FileSize]
        inc     ecx
        shr     ecx,1                     ; word count, rounded up (the view is zero padded)
        xor     eax,eax
        clc
cal_checksum:
        adc     ax,word [esi]
        inc     esi                       ; inc/loop leave CF alone, so the carry survives
        inc     esi
        loop    cal_checksum
        adc     ax,0                      ; fold the carry left by the last word
        mov     ebx,[FileSize]
        add     eax,ebx
        mov     dword [edi+IMAGE_NT_HEADERS.OptionalHeader+IMAGE_OPTIONAL_HEADER32.CheckSum],eax
        return
endp

;===========================================================
; Returns eax = offset of lpPattern (pLen bytes) inside lpSource (sLen bytes),
; or -1 when the pattern does not occur. Every byte of the pattern is compared.
proc BinSearch,lpSource,sLen,lpPattern,pLen
        push    ebx
        push    esi
        push    edi
        ; ----------------
        ; setup loop code
        ; ----------------
        mov     esi,[lpSource]
        mov     edi,[lpPattern]
        mov     al,[edi]                  ; get 1st char in pattern

        mov     ecx,[sLen]
        add     esi,ecx                   ; add source length
        neg     ecx                       ; invert sign

        jmp     Scan_Loop
        ; ---------------------------
Pre_Match:
        lea     ebx,[esi+ecx]             ; put current scan address in EBX
        mov     edx,[pLen]                ; put pattern length into EDX
Test_Match:
        mov     ah,[ebx+edx-1]            ; load last byte of pattern length in main string
        cmp     ah,[edi+edx-1]            ; compare it with last byte in pattern
        jne     Pre_Scan                  ; exit loop on mismatch

        sub     edx,1
        jnz     Test_Match
        jmp     Match
Pre_Scan:
        add     ecx,1                     ; start on next byte
Scan_Loop:
        cmp     al,[esi+ecx]              ; scan for 1st byte of pattern
        je      Pre_Match                 ; test if it matches
        add     ecx,1
        js      Scan_Loop                 ; exit on sign inversion
        ;-----------------------------
No_Match:                                 ; fall through here on no match
        mov     eax,-1
        jmp     isOut
Match:
        add     ecx,[sLen]
        mov     eax,ecx
isOut:
        pop     edi
        pop     esi
        pop     ebx
        return
endp

;================================================================================
; IAT
;================================================================================
section '.idata' import data readable writeable

  library kernel,'KERNEL32.DLL',\
          user,'USER32.DLL',\
          comdlg32,'comdlg32.dll'

  import kernel,\
         GetModuleHandle,'GetModuleHandleA',\
         lstrlen,'lstrlenA',\
         lstrcpy,'lstrcpyA',\
         CopyFile,'CopyFileA',\
         CreateFile,'CreateFileA',\
         GetFileSize,'GetFileSize',\
         CreateFileMapping,'CreateFileMappingA',\
         MapViewOfFile,'MapViewOfFile',\
         UnmapViewOfFile,'UnmapViewOfFile',\
         CloseHandle,'CloseHandle',\
         ExitProcess,'ExitProcess'

  import user,\
         DialogBoxParam,'DialogBoxParamA',\
         LoadIcon,'LoadIconA',\
         SendMessage,'SendMessageA',\
         CheckRadioButton,'CheckRadioButton',\
         GetDlgItemText,'GetDlgItemTextA',\
         SetDlgItemText,'SetDlgItemTextA',\
         IsDlgButtonChecked,'IsDlgButtonChecked',\
         MessageBox,'MessageBoxA',\
         EndDialog,'EndDialog'

  import comdlg32,\
         GetOpenFileName,'GetOpenFileNameA'

;================================================================================
; RSRC
;================================================================================
section '.rsrc' resource data readable

  ID_Patch    = 101
  ID_File     = 102
  ID_FileName = 201
  ID_BackUp   = 401
  IDI_MAIN    = 501
  IDI_FIRST   = 502
  IDB_LOGO    = 601

  directory RT_DIALOG,dialogs,\
            RT_ICON,icons,\
            RT_GROUP_ICON,grpicons,\
            RT_BITMAP,image

  resource icons,\
           IDI_MAIN,LANG_NEUTRAL,icon_data
  resource grpicons,\
           IDI_FIRST,LANG_NEUTRAL,main_icon
  resource dialogs,\
           37,LANG_ENGLISH+SUBLANG_DEFAULT,demonstration
  resource image,\
           IDB_LOGO,LANG_ENGLISH,LogoBMP
  icon main_icon,icon_data,'main.ico'

  bitmap LogoBMP,'logo.bmp'

  dialog demonstration,'NTiceLdrPatch for DS v3.x',200,200,168,80,WS_CAPTION+WS_POPUP+WS_SYSMENU+DS_MODALFRAME
    dialogitem 'STATIC','NTice:',-1,5,40,70,8,WS_VISIBLE
    dialogitem 'EDIT','',ID_FileName,30,40,120,10,WS_VISIBLE+BS_FLAT+WS_TABSTOP,WS_EX_STATICEDGE
    dialogitem 'STATIC','IcePlus[2004]',-1,5,60,70,8,WS_VISIBLE+WS_DISABLED
    dialogitem 'BUTTON','&BackUp',ID_BackUp,75,60,40,10,WS_VISIBLE+WS_TABSTOP+BS_AUTOCHECKBOX+BS_FLAT
    dialogitem 'BUTTON','&Patch',ID_Patch,125,59,40,12,WS_VISIBLE+WS_TABSTOP,WS_EX_STATICEDGE
    dialogitem 'BUTTON','...',ID_File,153,40,11,11,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON,WS_EX_STATICEDGE
    dialogitem 'STATIC',601,-1,0,0,250,50,WS_VISIBLE+SS_BITMAP,WS_EX_STATICEDGE
  enddialog

section '.reloc' fixups data readable discardable
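
The checksum step of the patcher above, as an added Python example (not code from the thread): it computes the same PE header checksum that RepairCheckNum re-derives and that CheckSumMappedFile returns, over a constructed 160-byte stand-in image, so that a driver file can be verified or re-stamped after any modification. The sample image, its stale checksum value and the FFFFh padding words are all constructed here.

```python
import struct

# Constructed 160-byte stand-in for a PE image (NOT a loadable driver): only the
# fields the checksum routine touches are filled in. The stored CheckSum is
# deliberately stale, and the FFFFh words at the end exercise the carry fold.
def build_sample_image():
    img = bytearray(0xA0)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)               # e_lfanew -> 'PE\0\0' at 40h
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", img, 0x40 + 0x58, 0xDEADBEEF)  # OptionalHeader.CheckSum (stale)
    img[0x9C:0xA0] = b"\xFF\xFF\xFF\xFF"
    return bytes(img)

SAMPLE_IMAGE = build_sample_image()

def checksum_field_offset(data):
    """e_lfanew + 4 (signature) + 20 (IMAGE_FILE_HEADER) + 64 = CheckSum field."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    return e_lfanew + 0x58

def pe_checksum(data):
    """IMAGE_OPTIONAL_HEADER.CheckSum as CheckSumMappedFile computes it and as
    RepairCheckNum re-derives it: ones-complement sum of every 16-bit word with
    the CheckSum field left out (the asm zeroes it instead), plus the file size."""
    cs_off = checksum_field_offset(data)
    total = 0
    for i in range(0, len(data) - 1, 2):
        if cs_off <= i < cs_off + 4:
            continue
        total += data[i] | (data[i + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)   # the 'adc' carry fold
    if len(data) & 1:                               # odd trailing byte
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF        # fold the last carry
    return (total + len(data)) & 0xFFFFFFFF

def read_checksum(data):
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]

def checksum_is_valid(data):
    """Integrity check: does the header field match the bytes on disk? The
    kernel-mode image loader verifies this for drivers, which is why a patched
    ntice.sys has to have the field re-stamped before it will load again."""
    return read_checksum(data) == pe_checksum(data)

def with_fixed_checksum(data):
    """Return a copy with the CheckSum field recomputed (what RepairCheckNum does in place)."""
    out = bytearray(data)
    struct.pack_into("<I", out, checksum_field_offset(data), pe_checksum(data))
    return bytes(out)

if __name__ == "__main__":
    print(f"stored {read_checksum(SAMPLE_IMAGE):08X}, computed {pe_checksum(SAMPLE_IMAGE):08X}, "
          f"valid={checksum_is_valid(SAMPLE_IMAGE)}")
    fixed = with_fixed_checksum(SAMPLE_IMAGE)
    print(f"after re-stamp: {read_checksum(fixed):08X}, valid={checksum_is_valid(fixed)}")
```

Running it over a real ntice.sys copy (read the file into `bytes`) before and after the patch tool shows whether the tool's checksum repair actually produced a loadable image.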

Kayaker
May 20th, 2004, 00:30
Thank you, Iceplus.
I feel better running patch code if its purpose isn't hidden, plus it makes the post more interesting.


The key seems to be the LAR (Load Access Rights) instruction, if it fails so does the rest, hence the extra jump patches.

Description:
----------------------------------

Loads the access rights from the segment descriptor specified by the second operand (source operand) into the first operand (destination operand) and sets the ZF flag in the EFLAGS register. The source operand (which can be a register or a memory location) contains the segment selector for the segment descriptor being accessed. The destination operand is a general-purpose register.

The processor performs access checks as part of the loading process. Once loaded in the destination register, software can perform additional checks on the access rights information.

When the operand size is 32 bits, the access rights for a segment descriptor include the type and DPL fields and the S, P, AVL, D/B, and G flags, all of which are located in the second doubleword (bytes 4 through 7) of the segment descriptor. The doubleword is masked by 00FXFF00H before it is loaded into the destination operand. When the operand size is 16 bits, the access rights include the type and DPL fields. Here, the two lower-order bytes of the doubleword are masked by FF00H before being loaded into the destination operand.

This instruction performs the following checks before it loads the access rights in the destination register:

Checks that the segment selector is not null.
Checks that the segment selector points to a descriptor that is within the limits of the GDT or LDT being accessed.
Checks that the descriptor type is valid for this instruction. All code and data segment descriptors are valid for (can be accessed with) the LAR instruction. The valid system segment and gate descriptor types are given in the following table.
If the segment is not a conforming code segment, it checks that the specified segment descriptor is visible at the CPL (that is, if the CPL and the RPL of the segment selector are less than or equal to the DPL of the segment selector).

If the segment descriptor cannot be accessed or is an invalid type for the instruction, the ZF flag is cleared and no access rights are loaded in the destination operand.
----------------------------------


In this case, the Softice code can be traced live and you can follow what's happening. There *are* certain areas of ntice code where a standard BPX will break, and this appears to be one of them. The code can be found with a standard byte search and you can set a BP on the proc start, for example:

:driver ntice
Start - BEF25000 Size - 175880
:s BEF25000 L 175880 8D 7B 0E FC E8

will find the code
lea edi, [ebx+0Eh] ; pointer to "NOTEPAD"
cld

Start Loader32.exe with notepad and it should break.


What I found is that the single argument (arg_0) of the function is a pointer to this data:

Code:

01 00 1B 00 00 10 00 01 CA 65 00 00 00 00 4E 4F .........e....NO
54 45 50 41 44 TEPAD


With the valid segment selector 001B (user mode programs in Win2K), this function *should* succeed and loader32 will break at Winmain.

mov ebx, [ebp+arg_0]
...
movzx eax, word ptr [ebx+2] ; 001B
lar ecx, eax ; ecx was 0, now 00CFFB00
jnz exit
and cx, 1800h ; ecx = 00CF1800
cmp cx, 1800h
...


Why this might be failing for Iceplus in XP I couldn't say; if the segment selector is passed correctly, then there may be some other issue with access rights going on.

Btw, the call
.text:000310BD call sub_30431
is a call to the function pMapSelectorToLinAddr (The Owl's definition)


Regards,
Kayaker

iceplus
May 20th, 2004, 02:15
Hi, Kayaker! Thanks for your annotation.
When the segment selector is 001BH, the break at WinMain succeeds. When it is 0023H, it can't break at WinMain! Why??

Kayaker
May 20th, 2004, 11:17
Hi

Right you are. 23h is a DATA segment selector (DS) and obviously doesn't meet the security requirements. If I change the .code section characteristics of notepad to C0000040, MAP32 shows the section address beginning at 23:1001000 instead of 1B:1001000, and loader32 doesn't break at Winmain.

What occurs now is

mov ebx, [ebp+arg_0]
...
movzx eax, word ptr [ebx+2] ; 0023
lar ecx, eax ; ecx was 0, now 00CF1000
jnz exit ; no jump
and cx, 1800h ; ecx = 00CF1000
cmp cx, 1800h ; this compare fails!
jnz exit


Also, a packed file such as UPX normally doesn't break at Winmain with loader32, but if you change the section characteristics of the *first* section to E0000020 (executable), the segment selector becomes 001B and loader32 will break. (Interestingly it's the first section UPX0 that needs changing, even though the Entry Point is in the 2nd section UPX1).


So I guess this little security trick of changing the characteristics of the first section fools not only W32Dasm but Loader32 as well. Either change it manually, or in the case of crc checks, your ntice.sys patch would seem to be useful.

Cheers,
Kayaker
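
The selector test Kayaker traced above, as an added Python model (not code from the thread or from NuMega): it emulates LAR's visibility checks against a small constructed GDT shaped like the 32-bit Windows flat layout (08h/10h/18h/20h), applies the "and cx,1800h / cmp cx,1800h" test from the NTice listing, and decodes the section characteristics values (E0000020 vs C0000040) discussed here. The mapping from "executable first section" to selector 1Bh is an assumption taken from the observation in this thread, not Loader32's actual logic, and the 00CFF300h value for selector 23h is the textbook flat data descriptor, not the 00CF1000h quoted in the post (both fail the test the same way).

```python
# Field layout of the access-rights dword LAR returns for a 32-bit operand
# (descriptor dword 1 masked with 00FXFF00h, per the Intel text quoted above).
AR_TYPE_SHIFT, AR_S, AR_DPL_SHIFT, AR_P = 8, 1 << 12, 13, 1 << 15
AR_DB, AR_G = 1 << 22, 1 << 23
TYPE_CODE = 1 << 3            # with S=1, type bit 3 distinguishes code from data
NTICE_MASK = 0x1800           # 'and cx,1800h / cmp cx,1800h' = S set AND code bit set

# Constructed GDT: index -> access-rights dword (flat 4 GiB, G=1, D/B=1).
GDT = {
    1: 0x00CF9B00,   # 08h ring-0 code
    2: 0x00CF9300,   # 10h ring-0 data
    3: 0x00CFFB00,   # 1Bh ring-3 code (the value Kayaker saw in ecx for notepad)
    4: 0x00CFF300,   # 23h ring-3 data (textbook value; assumption, see lead-in)
}

def decode_access_rights(ar):
    """Split the LAR result into named fields."""
    return {
        "type": (ar >> AR_TYPE_SHIFT) & 0xF,
        "s": bool(ar & AR_S),
        "dpl": (ar >> AR_DPL_SHIFT) & 3,
        "present": bool(ar & AR_P),
        "db32": bool(ar & AR_DB),
        "page_granular": bool(ar & AR_G),
    }

def lar(selector, cpl=3):
    """Emulate LAR's checks; return the access rights, or None when ZF would be clear."""
    index, ti, rpl = selector >> 3, (selector >> 2) & 1, selector & 3
    if (selector & 0xFFFC) == 0 or ti:           # null selector; no LDT in this model
        return None
    ar = GDT.get(index)
    if ar is None:                               # beyond the GDT limit
        return None
    f = decode_access_rights(ar)
    if not f["s"]:                               # system descriptors: not modelled here
        return None
    conforming = (f["type"] & 0b1100) == 0b1100  # code segment with the C bit set
    if not conforming and max(cpl, rpl) > f["dpl"]:   # not visible at this CPL/RPL
        return None
    return ar

def ntice_accepts(ar):
    """The 16-bit test from the listing: (cx & 1800h) == 1800h, i.e. a code segment."""
    return (ar & 0xFFFF) & NTICE_MASK == NTICE_MASK

def loader_breaks_at_winmain(selector, cpl=3):
    """True when both the LAR check and the code-segment check in
    BreakLdrProcHandle pass for the selector Loader32 handed to NTice."""
    ar = lar(selector, cpl)
    return ar is not None and ntice_accepts(ar)

# PE section characteristics (winnt.h values) that the thread flips:
# E0000020h = CODE|EXECUTE|READ|WRITE, C0000040h = INITIALIZED_DATA|READ|WRITE.
SCN_FLAGS = [
    ("IMAGE_SCN_CNT_CODE", 0x00000020),
    ("IMAGE_SCN_CNT_INITIALIZED_DATA", 0x00000040),
    ("IMAGE_SCN_MEM_EXECUTE", 0x20000000),
    ("IMAGE_SCN_MEM_READ", 0x40000000),
    ("IMAGE_SCN_MEM_WRITE", 0x80000000),
]

def section_flags(characteristics):
    return [name for name, bit in SCN_FLAGS if characteristics & bit]

def selector_for_section(characteristics):
    """Model of Kayaker's observation (an assumption, not Loader32's real logic):
    an executable first section is mapped under the ring-3 code selector, else data."""
    return 0x1B if characteristics & 0x20000000 else 0x23

if __name__ == "__main__":
    for ch in (0xE0000020, 0xC0000040):
        sel = selector_for_section(ch)
        print(f"{ch:08X} {section_flags(ch)} -> {sel:02X}h, "
              f"breaks at WinMain: {loader_breaks_at_winmain(sel)}")
```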

pLayAr
May 20th, 2004, 13:03
Anyone who uses
bpx Kernel32!BaseProcessStart ?

dELTA
May 20th, 2004, 17:10
I guess that would work too, although it might be a bit tedious since you have to single-step to the real EP after this one breaks, right?

Navin
May 22nd, 2004, 07:41
Guys, I still can't make SoftICE (DS 3.1) break on WinMain. IcePlus's patch doesn't work for me. OS: WinXP Pro SP2. Hope you would suggest another solution...

pLayAr
May 22nd, 2004, 07:52
Quote:
[Originally Posted by dELTA]I guess that would work too, although it might be a bit tedious since you have to single-step to the real EP after this one breaks, right?


bpx Kernel32!BaseProcessStart+20
then after ONE single-step, it's the EP

Navin
May 22nd, 2004, 08:40
The problem now is

:BPX Kernel32!MainProcess
:Symbol not defined (Kernel32!MainProcess)
:BPX Kernel32!MainProcess+20
:Symbol not defined (Kernel32!MainProcess+20)
:BPX Kernel32
:Symbol not defined (Kernel32)
:BPX Kernel
:Symbol not defined (Kernel)
:BPX KERNEL
:Symbol not defined (KERNEL)

Meanwhile, BPXs on memory addresses set fine.

Do you know what this is?

Kayaker
May 22nd, 2004, 10:56
Navin, please do a board search for "Symbol not defined winice.dat" and read the Using SoftICE and SoftICE Command Reference pdf manuals. Your problem is very common and is caused by not reading/understanding the instructions provided with Softice.

Navin
May 22nd, 2004, 12:38
Yup, I've read all related topics. But the problem is more complex.

:exp kernel32! <--- Listing of all functions, but there is no 'MainProcessStart'. I've tried also different breakpoints such as 'MessageBoxA' etc. They appear in the listing (BL), but it seems like they don't work; SI doesn't break on execution of any API...

Suggestions, notes, feedback are welcome

ZaiRoN
May 22nd, 2004, 13:18
Quote:
seems like they don't work, SI doesn't breaks on execution of any API...
It could be related to the BreakInSharedMods env variable. Try to set the variable to ON (if you have not already done so).
Since we are leaving the main discussion of this thread, if your problem has never happened to anyone else, please open a new thread.

Good luck,
ZaiRoN

Timbo
May 22nd, 2004, 16:32
Did it work before the patch was applied? (I don't think so!)
You have SP2; did you download ntoskrnl.pdb (the right one!),
translate it into nms and load it in winice.dat?
If correctly loaded, EXP should be available.

Feedback welcome

Navin
May 23rd, 2004, 07:46
Patch doesn't matter, same results. I'm trying now to get ntoskrnl.pdb and other pdb's but not successfully till this moment. Symbol Loader doesn't want to download pdb's and MS policy doesn't let me download symbols (have no license, sorry Bill G., nothing personal)..... Ok, and for the topic - my SI doesn't break on WinMain.

Navin
May 23rd, 2004, 09:13
Quote:
If correctly loaded, EXP should be available

BTW, I can load kernel32.dll, user.dll etc. without nms-files. 'exp *' shows a listing of all functions (about 300) but there is no 'MainProcessStart' ...

I jumped on this thread till now
http://woodmann.com/forum/showthread.php?p=36797#post36797

pLayAr
May 23rd, 2004, 09:44
You must get the nms file, and then you will find kernel32!BaseProcessStart (not MainProcessStart).

Another method below:
use Symbol Loader to load a file that SI can break on at the Entry Point (or use LordPE's "break & enter"), then "u esp"; you will find the point, and this address will NOT change UNTIL your system's next update.


the code is like this:
_BaseProcessStart:
push 0c
push 77e71210
call __SEH_prolog
and dword ptr [ebp-4],0
push 4
lea eax,[ebp+8]
push eax
push 09
push fe
call [ __imp__NtSetInformationThread ]
call [ EBP + 8 ] // here call the new process' Entry Point !!
push eax // "u esp" at EP will get there

I hope this is helpful.

Navin
May 23rd, 2004, 10:06
Hm. Can't get even PDB-files (SymbolLoader shows - Error Download). So, there is no 'BaseProcessStart'; I see BaseProcessInit... etc. but not what you said. Ok, I'll try 'break & enter', thanks a lot.

pLayAr
May 23rd, 2004, 11:17
Just follow my steps: once it breaks on the EP (any .exe file), u esp (this can be seen when OD loads a file), and that's the point.

Navin
May 23rd, 2004, 11:31
Man, you're my saviour! God bless you

bilbo
May 24th, 2004, 08:33
Good work, IcePlus!

But where did you find NTICE symbols such as BreakLdrProcHandle, LoadProcName, StringCmpareNoAa, AddressInCur, BreakViewType ???

Regards, Bilbo.

Kayaker
May 25th, 2004, 02:02
Quote:
[Originally Posted by bilbo]Good work, IcePlus!

But where did you found NTICE symbols such as BreakLdrProcHandle, LoadProcName, StringCmpareNoAa, AddressInCur, BreakViewType ???

Regards, Bilbo.


I've noticed Iceplus online a few times but not replying, in case she? has trouble formulating an answer in English, I'd say these are made up descriptive names from good intuitive reversing, not any kind of NTICE symbols.

StringCmpareNoAa is an obvious string check routine from the disassembly.

LoadProcName is a pointer to a byte value that gives the length of the text that follows (something Sice uses elsewhere as well, i.e. 07h then the string "Notepad"). It's actually a little clearer *without* the descriptive name as to which is the pointer to the text length (unk_E2FD2), and which is the pointer to the string itself (unk_E2FD3):

.text:00031072 movzx ecx, unk_E2FD2 ; "LoadProcName"
.text:00031079 inc ecx ; used as a counter in the StringCmpareNoAa call
.text:0003107A mov esi, offset unk_E2FD3


AddressInCur - if you look at my listing of (arg_0) you see the value of this variable at [ebx+4] is 01001000, the load address of notepad.

BreakViewType - The Owl defines this same variable as dBreakReason. See Sten's IceExt source for defines of the various Break Reason values (BREAK_SYMBOL_LOADER equ 0x10004h). More good intuitive reversing here!

BreakLdrProcHandle - not sure about the handle part, but if you trace back far enough you see the function is called when a module is loaded, string ref to
NTICE: Load32 START=%x SIZE=%x KPEB=%x MOD=%s',0

etc...

iceplus
May 25th, 2004, 02:25
Quote:
[Originally Posted by Kayaker]I've noticed Iceplus online a few times but not replying, in case she? has trouble formulating an answer in English.

Yes, I am online every day, but my English is too bad!
Who is OWL?

JMI
May 26th, 2004, 02:04
Using the "Search" button at the top of the Forums and entering "owl", without the quotes, would have gotten you all the posts by him or with his name. He was one of the original authors of the "icedump" program.

You can read more here:

http://www.woodmann.net/krobar/beginner/25.htm

Regards,

bilbo
May 26th, 2004, 02:41
Thanks Kayaker for your explanations...

You know, I hoped for some "a la M$" source leak...
Bilbo

Kayaker
May 26th, 2004, 10:12
Quote:
[Originally Posted by bilbo]You know, I hoped for some "a la M$" source leak...


I Wish!! I salivate over the idea of a debug version of Softice, and would gladly give up someone else's first born child for a copy of ntice.pdb

iceplus
May 26th, 2004, 19:14
Quote:
[Originally Posted by JMI]Using the "Search" button at the top of the Forums and entering "owl", without the quotes, would have gotten you all the posts by him or with his name. He was one of the original authors of the "icedump" program."

You can read more here:

http://www.woodmann.net/krobar/beginner/25.htm

Regards,


Thank you !