
RegQueryValueExa Help (New)


mivc
July 17th, 2004, 17:27
Hi,


I've read this question in this forum but I still can't make SI pop up on this breakpoint.
The key I want to break on is called RegPass. I set my breakpoint with:

bpx RegQueryValueExa IF *(esp->8)=='RegP' DO "d esp->14;"

SI will not pop up when this value is queried. (I've looked with RegMon to see which key is
queried for the registration.)

When I just use bpx RegQueryValueExa, SI will pop up each time this function is called and
when I look with ? *esp->8 I see that the strings are in reverse order. For example,
if the key was RegPass then *esp->8 will show 4 bytes PgeR, so I tried the following:

bpx RegQueryValueExa IF *(esp->8)=='PgeR' DO "d esp->14;" but this is also not working.

Can someone help me to solve this problem?

Thanks!!!

JMI
July 17th, 2004, 17:42
Since there are a number of problems discussed in these forums relating to SoftICE and the functioning of breakpoints, you have left out some essential information, such as which OS and which version of SICE you are running, and whether you have uncommented relevant sections in the .dat file.

And your question relates to a "Tool of the Trade" and is being moved there.

Your breakpoint looks the same as the one posted in Rhayader's SoftICE Tips:

"BPX RegQueryValueExA IF *(ESP->8) == 'Regi' DO "D ESP->14;"
...

3. Now, the expression *(ESP->8) == 'Regi' means that the expression will evaluate to TRUE only if "the value stored in the address pointed to by the content of [ESP+8]" is "equal" to "Regi". Why only use four characters? Well, the * operator only returns a DWORD value (32-bit). So, we can only use the first 32 bits, which is equal to four characters. Also, SoftICE will convert 'Regi' to 0x69676552 (it's Regi in little endian format). So, it's case-sensitive. I probably should note that there are two equal signs, and it's a single quote. The use of two equal signs and single quotes is the same as in the C language.

Since the * operator returns a DWORD value, there will be a problem if we want to retrieve only a WORD (16-bit) value. We have to use the SoftICE Word() function. You can see User Guide Chapter 8, sub Forming Expressions, sub Built-in Functions, for the Word() function. But, since most programs align values/structures on a 4-byte boundary, the use of the Word() function is quite rare. The example that follows retrieves a 16-bit value, yet we can safely use it without the Word() function."

He was trying to break on:

HKEY_CURRENT_USER\Software\Microsoft\Developer\Setup\RegisteredOwner
HKEY_CURRENT_USER\Software\Microsoft\Developer\Setup\RegisteredOrganization

so he used the first four letters of "Registered." You say you are looking for "RegPass." It is, as you note, case sensitive, but not reversed. Check your HKEY listing to make sure you do not have an incorrect one. It's "little endian format" so the reversing takes place only in that process.

Provide the additional information and maybe someone can assist.

Regards,

mivc
July 18th, 2004, 10:36
I'm working with Driverstudio 4.3.1 build 1722
with the latest OSINFO.DAT

under Windows 2000 Prof. Windows NT 5.0 Build 2195 SP3

The key I'm looking for is
HKEY_CURRENT_USER\Software\JetCar\JetCar\General\RegPass so this

BPX RegQueryValueExA IF *(ESP->8) == 'RegP' DO "D ESP->14;"

should do it, but it does not.

The Winice.dat looks like:

NMI=ON
VERBOSE=ON
HST=256
PHYSMB=1024
DRAWSIZE=2048
INIT="color f a 4f 1f e;wl;code on; altscr off; lines 90;width 90; wc 35; wd 35; wr;wf; faults off;wf;set BreakInSharedMods on;X;"
SYM=4096

EXP=C:\WINNT\system32\version.dll
EXP=C:\WINNT\system32\CSRSRV.DLL
EXP=C:\WINNT\system32\NTDLL.DLL
EXP=C:\WINNT\system32\BASESRV.DLL
EXP=C:\WINNT\system32\WINSRV.DLL
EXP=C:\WINNT\system32\VB40032.DLL
EXP=C:\WINNT\system32\msvbvm60.dll
EXP=C:\WINNT\system32\COMCTL32.DLL
EXP=C:\WINNT\system32\comdlg32.DLL
EXP=C:\WINNT\system32\advapi32.DLL
EXP=C:\WINNT\system32\msvcrt.DLL
EXP=C:\WINNT\system32\shell32.DLL
EXP=C:\WINNT\system32\ole32.DLL
EXP=C:\WINNT\system32\oleaut32.DLL
DISASSEMBLYHINTS=ON
LOWERCASE=OFF
CODEMODE=ON
SELECTORS=ON
CHECKSTRINGS=ON
AUTOCONNECT=OFF
NETSUPPORT=OFF
HOSTNAME=COMPMIVC

F1="h;"
F2="^wr;"
F3="^src;"
F4="^rs;"
F5="^x;"
F6="^ec;"
F7="^here;"
F8="^t;"
F9="^bpx;"
F10="^p;"
F11="^G @SS:ESP;"
F12="^p ret;"
SF3="^format;"
AF1="^wr;"
AF2="^wd;"
AF3="^wc;"
AF4="^ww;"
AF5="CLS;"
AF11="^dd dataaddr->0;"
AF12="^dd dataaddr->4;"
CF1="color f a 4f 1f e;wl;code on; altscr off; lines 90; width 90;wc 35; wd 35; wr;wf;wf; faults off;"
CF2="^wr;^wd;^wc;"
MACROS=256
MACRO setWtxt="bpx user32!setWindowTextA do \"d esp->8;\""

MOUSE=ON
ECHOKEYS=OFF
NOLEDS=OFF
NOPAGE=OFF
PENTIUM=ON
THREADP=ON
SIWVIDRANGE=ON
NTSYMBOLS=ON

MENU=Copy , NMPD_COPY , 0
MENU=Paste , NMPD_PASTE , 0
MENU=Copy&Paste , NMPD_COPYANDPASTE , 0
MENU=Display , NMPD_DISPLAY , 0
MENU=Un-Assemble , NMPD_UNASSEMBLE , 0
MENU=What , NMPD_WHAT , 0
MENU=Prev , NMPD_PREV , 0
MENU=Reip , r eip %cp% , 0
MENU=Add Watch , watch %cp% , 0
MENU=Break On Text , bpx %cp% , 0

Can you tell me if this winice.dat file is OK?

Thanks!!

dELTA
July 18th, 2004, 13:48
Quote:
I'm working with Driverstudio 4.3.1

No you're not...

JMI
July 18th, 2004, 19:07
Actually, you might just mean you're working with "Softice 4.3.1 build 1722" from something, maybe, called "Driverstudio 3.1."

Regards,

Kayaker
July 19th, 2004, 04:22
Hi,

The conditional breakpoint
BPX RegQueryValueExA if *esp.8 == 'Regi'
seems like it should work in your case.

A few things to try; sometimes you have to mix things up.

Set the bp IN the context of the program, not before.

See if the area of code of the RegQuery call is Paged Out when you set the bp. It's *possible* the bp might not stick in this case. If so, try displaying that page containing the address in the data window, scrolling if necessary, this tends to page-in the section of code as far as Softice is concerned. Or use IceExt to page the section in, or just trace manually until the code is read in and is visible.

Try with and without Set BreakInSharedMods ON.

Try setting the bp on another registry call used immediately beforehand, such as RegOpenKey or CreateKey or QueryKey, whichever is used. You'll get fewer hits and can probably check each manually.




INT 2E Breakpoints
==================

I think a more reliable way to break on APIs in general, might be to break on the underlying Int2E call where possible, in this case NtQueryValueKey. You're using a BPINT interrupt breakpoint and the IDT vectors, instead of BPX and INT3, one may work where the other doesn't. Plus the code in ntdll is guaranteed to be paged in.

There are a couple of considerations though.

Trace the API for a while and you'll find

mov eax, 09Bh ; NtQueryValueKey
lea edx, [esp+4]
INT 2E

The breakpoint to use to break on *every* call to NtQueryValueKey/RegQueryValueExA would be:

BPINT 2E if eax==9B


Now to set a conditional break you need to "find" where your registry string, now in UNICODE format, is stored on the stack. It is still at esp.8, but is immediately after a standard UNICODE structure (word/word/dword), so actually begins at ((esp.8)+8).


Problem 1 - dealing with the unicode string. The string "Re" becomes dword 0x00520065. Softice doesn't like dwords beginning with 00 and truncates it to 0x520065. Bad things seem to happen then. So what you need to do is shift 1 byte to ((esp.8)+9) which sets the string breakpoint condition to 0x52006500.


Problem 2 - when designing a breakpoint condition referencing the stack you can use ESP or EBP. When setting a bp on the start of a function call or API, you reference with ESP. When setting a bp within a function call (after the standard 'push ebp' prologue has executed), you reference with EBP. Shockingly, this is in the SI manual...

From my testing, for INT 2E we need to use EBP in the conditional breakpoint, ESP will not break even with the "correct" conditional syntax. You will need to confirm on your own system that the UNICODE string is referenced at EBP.C, but should be consistent in ntdll.dll.


After all this you end up with a simple and effective breakpoint condition:

BPINT 2E if eax == 9B && *(ebp.c+9) == 52006500

This should be equivalent to RegQueryValueExA if word(*esp.8) == 'Re'. If you really need the extra 2 characters you can simply add on another && condition.


Cheers,
Kayaker
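An added example, not code from any post in this thread: a small C program that reads memory the way SoftICE's * operator does on little-endian x86. It shows why a four-character literal such as 'RegP' (or JMI's 'Regi' = 0x69676552) matches the DWORD at [esp+8] for the value name "RegPass" even though a byte-wise dump reads "PgeR", and, for the INT 2E variant, how the wide-character name sits behind the 8-byte UNICODE_STRING header (Length, MaximumLength, Buffer) so that the DWORD read at offset 8 has a zero high byte while the one read at offset 9 does not. The struct layout, the buffer contents and the sample name are constructed for the example; the C multi-character constant is deliberately not used because its byte order is compiler-defined and does not match SoftICE's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read a 32-bit little-endian value from an arbitrary byte offset, the way
   the x86 CPU (and SoftICE's * operator) does. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* SoftICE four-character literal: the first character is the LOWEST byte,
   so 'Regi' == 0x69676552, exactly what a DWORD read of "Regi..." returns.
   (A C multi-char constant such as 'Regi' is compiler-defined and usually
   puts the first character in the HIGHEST byte, so it is avoided here.) */
static uint32_t si_literal(const char *four) {
    return rd32((const uint8_t *)four);
}

/* The DWORD SoftICE sees at *(esp->8): lpValueName is the second argument
   of RegQueryValueExA, so [esp+8] points at the ANSI name at function entry. */
static uint32_t ansi_name_dword(const char *name) {
    return rd32((const uint8_t *)name);
}

/* Constructed stack image for the NtQueryValueKey path: a 32-bit
   UNICODE_STRING header (WORD Length, WORD MaximumLength, DWORD Buffer)
   with the UTF-16LE value name placed right after it, as the post observes. */
#pragma pack(push, 1)
struct stack_unicode {
    uint16_t Length;
    uint16_t MaximumLength;
    uint32_t Buffer;        /* pointer value; irrelevant for the byte layout */
    uint16_t chars[16];     /* wide characters follow the 8-byte header */
};
#pragma pack(pop)

static void build_unicode(struct stack_unicode *u, const char *name) {
    size_t n = strlen(name);
    memset(u, 0, sizeof *u);
    u->Length        = (uint16_t)(n * 2);
    u->MaximumLength = (uint16_t)((n + 1) * 2);
    for (size_t i = 0; i < n && i < 16; i++)
        u->chars[i] = (uint16_t)(uint8_t)name[i];   /* 'R' -> 0x0052 */
}

/* First wide character of the name, i.e. the WORD at offset 8. */
static uint16_t first_wide_char(const char *name) {
    struct stack_unicode u;
    build_unicode(&u, name);
    return u.chars[0];
}

/* DWORD at ((esp.8)+8): bytes 52 00 65 00 for "Re" -> high byte is 00. */
static uint32_t unicode_dword_at8(const char *name) {
    struct stack_unicode u;
    build_unicode(&u, name);
    return rd32((const uint8_t *)&u + 8);
}

/* DWORD at ((esp.8)+9): one byte later, bytes 00 65 00 67 -> low byte is 00,
   high byte is the next character, so the value no longer starts with 00. */
static uint32_t unicode_dword_at9(const char *name) {
    struct stack_unicode u;
    build_unicode(&u, name);
    return rd32((const uint8_t *)&u + 9);
}

int main(void) {
    printf("SoftICE 'RegP'           = %08X\n", si_literal("RegP"));
    printf("*(esp->8) for RegPass    = %08X\n", ansi_name_dword("RegPass"));
    printf("SoftICE 'PgeR'           = %08X  (does not match)\n", si_literal("PgeR"));
    printf("first wide char          = %04X\n", first_wide_char("RegPass"));
    printf("*((esp.8)+8) UNICODE     = %08X\n", unicode_dword_at8("RegPass"));
    printf("*((esp.8)+9) UNICODE     = %08X\n", unicode_dword_at9("RegPass"));
    return 0;
}
```

The ANSI case is the one mivc is fighting: the literal 'RegP' and the memory at [esp+8] are read with the same byte order, so it is the literal that should match, not the "reversed" 'PgeR' seen in a byte dump. The UNICODE functions only model the layout; the exact offset on a given system still has to be confirmed in the debugger as the post says.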

bilbo
July 19th, 2004, 06:53
Hi, Kayaker,
a very exhaustive answer, as usual!

Be only warned that, starting from Windows XP and where supported (e.g. not on AMD CPUs), M$ has implemented a new kernel entering procedure which seems to be faster.
No more INT 2E but SYSENTER.
See for example from Elicz site:
http://www.anticracking.sk/elicz/infos/FastNTCALL.txt

So BPINT 2E will not work anymore.

Best regards, bilbo

Kayaker
July 19th, 2004, 21:26
Thanks for pointing that out, Bilbo. I try to happily ignore the details of XP. In this case it's an interesting change. I wonder if an opcode breakpoint on SYSENTER would be of much use?

BPX eip if word(*eip == 0F34) && eax == NTCallNumber && (check stack for defining string/value)

Regards,
Kayaker

bilbo
July 20th, 2004, 02:27
Yup, I didn't think of it!
Unfortunately it does not work!

It looks like BPX EIP does not work on Windows NT derived operating systems (tried SI ver 4.0.5 on Windows NT and SI ver 4.3.1 on Windows XP). It immediately resolves EIP with the current address!

Could anyone confirm this?

Regards, bilbo

dELTA
July 20th, 2004, 05:41
Doesn't Softice always evaluate all expressions in breakpoints immediately? Otherwise, each such breakpoint would be the equivalent of tracing the program, with all the time penalties that this brings with it and such, right?

mivc
July 20th, 2004, 12:45
Hello Kayaker / Bilbo,


First of all, thanks for your replies to this problem!

I'm a newbie on Softice and Assembly, but believe me, I'm a quick learner
and I am dedicated.
I'm reading about PE headers and some protection schemes and I'm looking up anything which I do not understand yet. To solve my first problem, the conditional breakpoint question, you stated 2 things which I do not grasp.

First, what do you mean by 'Set the bp IN the context of the program, not before'?

Second, you said 'See if the area of code of the RegQuery call is Paged Out'
and 'use IceExt to page the section in'.

Could you explain what you mean by these?

If this is going too deep to explain and is beyond our goal, it would be fine if you could suggest some articles concerning the above for me to study.

Thanks anyway!!

Kayaker
July 20th, 2004, 12:47
Doh! You're right of course, the <address> component of an expression is always resolved to an address immediately. I think an opcode breakpoint like this may have worked with the BPR command where you could specify a range of addresses. Sten needs to develop his BPR equivalent further.


Just surmising, what about a break on (KiFastCallEntry + offset)?

Code:

KiFastCallEntry:
MOV ESP, SS:[0xFFDFF040]
MOV ESP, [ESP+4] ;this is ring-0 stack for FastCall
PUSH 0x23 ;imitate ring-3_SS
PUSH EDX ;ring-3_ESP + 4 (see LEA EDX, [ESP+4] above)
SUB DWORD PTR [ESP], 4 ;ring-3_ESP + 4 - 4 (-> ring-3_ESP)

...BREAK and test ring 3 esp here, or...

PUSHFD

OR DWORD PTR [ESP], 0x200 ;imitate ring-3_EFlags, IRQs enabled
PUSH 0x1B ;imitate ring-3_CS
PUSH ECX ;this should be ring-3_EIP ?
;..fill in KeTrapFrame

... OR BREAK and test saved registers in KeTrapFrame
(is this _KTRAP_FRAME?)


;..go to common NTCALL dispatch code




I'd be interested in seeing the SYSENTER code and how the MSR registers themselves are written to. What is the ntdll.dll equivalent counterpart in XP?

K.

Kayaker
July 20th, 2004, 13:06
Quote:
[Originally Posted by mivc]First, what do you mean by 'Set the bp IN the context of the program, not before'?

Second, you said 'See if the area of code of the RegQuery call is Paged Out'
and 'use IceExt to page the section in'.

Hi

1. "IN the context" meaning set the breakpoint while you are IN Softice and stopped at the start, or elsewhere, in the "context" of the target program.

2. You can recognize Paged Out as Softice displaying in the data window all question marks ????????. If the code address you are trying to break on is paged out, Softice may not break sometimes. This is more likely with BPX breakpoints, BPM(x/r/w) breakpoints tend to be more reliable.

IF this is the case, you can page in the memory as I described and see if the breakpoint now sticks.

Good luck,
Kayaker

JMI
July 20th, 2004, 13:08
mivc:

You have forgotten one of the general concepts in operation here, which is that you are supposed to SEARCH the Forums BEFORE you ask a question. This is illustrated by your questions about "context", "paged out" and "IceExt." These questions have already been asked several times and the answers can be found by a simple search of the Forums, including how to change and/or set the "context" and use IceExt to PageIn.

Go to the main search button and use "softice and context" (without the quote marks) and check out what you find there.

For the second question try both "breakpoint and paged out" and "breakpoint and pages" (again without the quotes) and check out what you find and then come back if you still do not understand and ask a more pointed question. This should also turn up some information about IceExt, which you could search separately.

Regards,

bilbo
July 21st, 2004, 03:36
Kayaker:
Quote:
What is the ntdll.dll equivalent counterpart in XP?

instead of
Code:

mov eax, <syscall>
lea edx, [esp+arg_0]
int 2Eh

on XP platforms you will find:
Code:

mov eax, <syscall>
mov edx, 7FFE0300h
call edx

and, in case SYSENTER is supported,
Code:

7FFE0300:
mov edx, esp
sysenter
ret

with the following MSR settings:
Code:

MSR 174 (ring 0 CS): 8
MSR 175 (ring 0 ESP): 0
MSR 176 (EIP): KiFastCallEntry


mivc:

From SoftIce Command Reference

Quote:
Any breakpoint set on an address below 80000000h (2 GB) is address context sensitive. That is, they are only triggered when the context in which they were set is active. This includes WIN32, WIN16, and DOS V86 applications. Take care to ensure you are in the correct context before setting a breakpoint.

and
Quote:
Use the ADDR command to both display and change address contexts within SoftICE so that process-specific data and code can be viewed.


JMI:

You're right.
Quote:
"The next best thing to knowing something is to know where to find it."
Samuel Johnson

But please don't be too angry!

Regards, bilbo

JMI
July 21st, 2004, 04:57
bilbo:

Why should I be angry? After all, you did find "the Precious."

Regards,

MarQueze
August 19th, 2004, 17:18
MIVC,

I've been struggling with the same thing using driverstudio 4.3.1 build 1722 on win2k SP4.

Rhayader's syntax doesn't seem to work.

I've taken a step by step approach to tackle this problem.
After a break on RegQueryValueExA on a key named 'Driver' I used the SoftIce expression evaluation function:
?*(ESP->8)=='Driv'
This evaluates to FALSE!!
Although ?*(ESP->8) results in 'virD'

I played around a bit with some different notations and discovered that
?DWORD(*(ESP->8))=='Driv'
evaluated to TRUE

This means the conditional breakpoint should be:
BPX RegQueryValueExA IF DWORD(*(ESP->8))=='Driv' DO "something useful"

Please let me know if this works for you too!!



Cheers,

MarQueze