
The Softice-Won't-Work-In-XP/API-Hook-Failed!!! FAQ


grimani
August 4th, 2005, 21:50
a quick little FAQ for those like me who can't seem to get softice to work and are too scared of mods to ask for help.

disclaimer: i tried a million things to get softice to work. it works now on XP SP2 with all the latest updates (i think), and i think the following steps are why...but accuracy is NOT guaranteed.

(i) what's this API hook failed thing?

softice needs to insert itself in between all system level API calls in order to work. hence it needs to know where in memory critical functions (ntterminateprocess, reside. i guess this is typically stored in the osinfo.dat and osinfob.dat files. unfortunately, yours are out of date.

(ii) why is it out of date?

in my case, i installed security update KB890859 which includes a new version of the kernel, presumably to close holes in the old one.

whenever a new version of the kernel (which lives at c:\windows\system32\ntoskrnl.exe) is released, addresses get all shuffled and new versions of osinfo.dat/osinfob.dat need to be used. since compuware is lazy, you're out of luck.

thankfully, i found a compuware document via google that describes another solution.

(iii) symbols

function names and the like are usually stripped from executables during the compiling process, if they are meant for public consumption. if code is still in development, debug executables are compiled which keep all this information intact.

to debug retail (public) executables, one can generate "symbols" that debuggers then load. symbols are needed by the debugger to figure out what function is what, what parameters it takes, where it is, etc.

so softice, being a debugger, has functionality to load symbols - it's necessary in debugging.

and why isn't softice working? it doesn't know where important functions live...!

clearly the solution is to load symbols for all the important API calls. these reside in a variety of files, including:

hal.dll
ntoskrnl.exe
ntdll.dll
kernel32.dll
user32.dll
csrsrv.dll
basesrv.dll
winsrv.dll

we want to get symbols for them. but microsoft developed/compiled these files, not us.

(iv) downloading symbols with symbol retriever

so we need to get symbols from microsoft. microsoft provides a DDK that apparently contains a pretty comprehensive set of symbols for their code. however, my suspicion is that the DDK is out of date or applies only for vanilla installs of the operating system. so that's out of the question.

alternately, microsoft runs a symbol server (never knew they did that!) thru which 'authorized' programs can download symbols. authorized in this case i think means the symbol retriever that comes with windbg, microsoft's debugging tool.

softice also has a symbol retriever. you can try to run it on the above files. it doesn't work. why? because, as with all things softice, it's out of date and symbol server doesn't want to play ball.

a very helpful post somewhere (here? exetools? i forget) notes though that one can copy the symsrv.dll file from the windbg distribution into the symbolretriever directory in softice and overwrite the old symsrv.dll that softice has.

voila! symbol retriever works.

(v) generating nms files

microsoft debugging information is stored in .dbg or .pdb files. softice, for reasons unknown, uses .nms files. i assume that stands for numega symbols.

but symbol retriever can convert .dbg to .nms. have it do that.

(vi) loading symbols

almost done. we still gotta tell softice to load those damn symbols. edit c:\windows\system32\drivers\winice.dat

that file contains most of the settings that softice looks at while loading. add a new line at the top:
NTSYMBOLS=ON

this will tell softice to use symbol files instead of osinfo.dat.

look to the INIT= line. remove the X;

INIT contains the commands that softice will run after starting up. X means stop debugging and let everything run. if softice doesn't work you want to see the errors, which means staying in softice. you can put the X; back in later if you'd like.

save the file, now go into the settings program and click on symbols. add all the nms files you generated.

save everything, close all unnecessary programs. now try running softice:

start|run|cmd.exe

net start ntice

cross your fingers and hope for the best. remember that, if even scrushy can be innocent, perhaps there is a god, however blind He may be, after all......



other stuff

(vii) firewalls? antivirus?

firewalls and antivirus programs frequently also hook into the API. certain spying programs that people install to covertly monitor computer usage may also do the same thing.

these things may conflict with softice. i uninstalled norton systemworks (it's a slow piece of shit anyway that takes over the computer) in the middle of my quest to get softice working.

was that necessary? dunno...but softice works now and i'm not about to jeopardize that.

speaking of norton, systemworks has tentacles everywhere, and the uninstaller is a little too ill conceived to kill all of them. search on the norton website for some utilities (they have 4!) that can remove all traces of the beast. i think i had to run all 4...which is a pain, but much better than trouncing through the registry on my own.

(viii) usb, mice, keyboards, and other random woes.

just to make things easy on yourself, disable the mouse just to keep things simple. i have a laptop with an internal usb wifi card. i turned that off too.

if you get softice to work without usb support then you can look into getting usb devices working.

lotta people have keyboard issues, but thankfully i have had none.

finally, i installed softice on my laptop. the touchpad doesn't work. probably a driver issue. it probably won't work on yours either. synaptics has some document somewhere that mentions softice specifically.

(ix) video issues

had none, so won't comment. just try the universal video driver.
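Added example (not from the original post): a small Python script that applies the two winice.dat edits from step (vi) above, NTSYMBOLS=ON on the first line and X; dropped from the INIT= command list, to a constructed sample file. The sample contents and the INIT command list are assumptions for the example, not a real winice.dat.

```python
"""Apply the two winice.dat edits from the FAQ above to a config text:
NTSYMBOLS=ON at the top (symbols instead of osinfo.dat) and the X
command removed from INIT= (so SoftICE stays up and shows load errors).
SAMPLE_WINICE_DAT is constructed for this example and is not a real file."""
import re

SAMPLE_WINICE_DAT = """\
PENTIUM=ON
NMI=ON
ECHOKEYS=OFF
INIT="LINES 60;WC 32;WL;X;"
EXP=c:\\windows\\system32\\ntoskrnl.exe
"""

NTSYMBOLS_RE = re.compile(r"^\s*NTSYMBOLS\s*=", re.IGNORECASE)
# INIT=<value> with optional double quotes; group 1 is the quote (or empty)
INIT_RE = re.compile(r'^INIT=("?)([^"\r\n]*)\1[ \t]*$', re.IGNORECASE | re.MULTILINE)


def enable_nt_symbols(text):
    """Put NTSYMBOLS=ON on the first line; if the key already exists
    anywhere, force it to ON in place instead of adding a duplicate."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if NTSYMBOLS_RE.match(line):
            lines[i] = "NTSYMBOLS=ON"
            return "\n".join(lines) + "\n"
    return "NTSYMBOLS=ON\n" + text


def init_commands(text):
    """Return the INIT= command list (without the quotes), [] if absent."""
    m = INIT_RE.search(text)
    if m is None:
        return []
    return [c.strip() for c in m.group(2).split(";") if c.strip()]


def strip_x_from_init(text):
    """Drop the X command from INIT= and keep every other command, the
    trailing semicolon and the original quoting; untouched if no INIT= line."""
    def rebuild(m):
        quote = m.group(1)
        kept = [c for c in (c.strip() for c in m.group(2).split(";"))
                if c and c.upper() != "X"]
        body = ";".join(kept) + (";" if kept else "")
        return f"INIT={quote}{body}{quote}"
    return INIT_RE.sub(rebuild, text)


def harden_for_troubleshooting(text):
    """Both edits together; safe to run twice (idempotent)."""
    return strip_x_from_init(enable_nt_symbols(text))


if __name__ == "__main__":
    print(harden_for_troubleshooting(SAMPLE_WINICE_DAT))
```

Once SoftICE loads cleanly, the same INIT= line can be given its X; back by hand, as the FAQ says.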

Woodmann
August 4th, 2005, 22:21
BRAVO........

You did an excellent job of troubleshooting.
How about making us an essay/paper ??

Regards, woodmann

JohnWho
August 5th, 2005, 14:34
Is it okay to copy your post and post it elsewhere? It will of course be credited to you.

Bu3no
August 24th, 2005, 02:54
What a great troubleshooting guide you wrote there, grimani, was all I needed to get Softice to work on Win XP! I had problems with the symbol retriever too.... well, looks like you solved that.

Now if I knew that before making that multi-[ass]boot with win98, I wouldn't even have formatted my HD like 4 times before getting the multi-boot to work :P.

Well thnx again!,

csin
September 5th, 2005, 01:52
Compuware has a fix for this issue... You can get it from them or you can dl it from my site... h&&p://w&w.csin.host.sk/DS3.2.1.WinXP Patch.zip

Note, this is for driver studio 3.2.1 ONLY!!!

LOUZEW
September 10th, 2005, 15:34
Well, csin !
How to use this patch? And where did you find it on the compuware site? Searched on compuware.com and on the frontline site, never found it, let us know please!

Uridium
September 17th, 2005, 22:05
Nice work but doesn't help here... the symbols get imported but the error still remains. Maybe i have to change something to retrieve localized versions? I don't know...

I tried compuware's two OS files as well.. but no luck with them either.

Very strange.. MS kernel update is out for weeks (months) and still no update from compuware yet...

What's 3.2.1? The beta version?

WinXP-SP2 .de
hal.dll - 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ntoskrnl.exe - 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
ntdll.dll - 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
kernel32.dll - 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
user32.dll - 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
csrsrv.dll - 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
basesrv.dll - 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
winsrv.dll - 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)

Edit: h**p://w*w.microsoft.com/whdc/devtools/debugging/symbolpkg.mspx
There are no localized versions...
Quote:
Windows XP and Windows Server™ 2003 do not require localized symbols in order to debug localized versions of the product. Each Windows XP and Windows Server 2003 symbol download package works for debugging all localized versions.

laola
September 20th, 2005, 01:52
Uridium, the symbol packages available for download from the MS website are always outdated. Use the dedicated symbol server to retrieve the proper, current symbol files. To make the symbol retriever work, you will have to download the latest windbg package (free download from MS, just google) and copy the symsrv.dll over to the softice folder. Note that there are at least two instances of symsrv.dll in the softice folder, make sure to replace all of them with the newer version. This way will also deal with localized file versions where needed.
Which particular error do you get? I noticed that SI works better if I set it to manual start and then run it with the net start command. Loading at boot time seems to be a bit unstable, if you need boot time support, you'll probably have to look for another set of tools.
That reminds me of my own wishlist: an ICE for vmware and the like

Uridium
September 20th, 2005, 13:19
Yep, noticed it already.. the ms package symbols cannot be translated with symbol loader. Symbol retriever downloads instead are working but don't help with the problem. Here's a log. Maybe i miss something... 'NTSYMBOLS=ON' is set. Startup mode is 'manual'.

laola
September 20th, 2005, 15:03
While looking at the log I saw this:

NTICE: KDExtensions are disabled KDHeapSize=00000000 and KDStackSize=00000000

Is that intentional?

The rest seems okay until the 0E exception occurs. Doh! Smells a bit fishy indeed. I have no remedy at hand for you, but I'll see if I can get this error, too

Uridium
September 20th, 2005, 15:58
Bt
Quote:
[Originally Posted by laola]Is that intentional?
I don't even know what KDExtensions are... But i didn't change anything beside disabling remote debugging and the initial commands already listed in the log.

<ctrl-d> works every time but sistart.exe or net start hangs at 99% cpu and the log/console continuously fills up with output like listed in the log above.

'Set BreakInSharedMods ON' doesn't work (->unknown).

Thx for taking care... But don't spend too much time on this. I think (hope) it will be officially fixed soon...

Int03h
October 13th, 2005, 23:35
Was anyone able to download the "WinXP Fix" for DriverStudio 3.2.1? The link csin gave is not working.

Uridium
October 14th, 2005, 03:13
I tried it but it didn't help/work. Don't have it anymore though. I couldn't find anything related to such a patch at compuware's support site. Maybe it was just an internal beta patch fixing something else... Until now softice doesn't run for me. Wondering why the forum doesn't get spammed by 'Help!!!!!! Softice doesn't work!!!!!' threads.

Kayaker
October 14th, 2005, 18:08
Quote:

<ctrl-d> works everytime but sistart.exe or net start hangs at 99% cpu and the log/console continuously fills up with output like listed in the log above.

wondering why the forum doesn't get spammed by 'Help!!!!!! Softice doesn't work!!!!!" threads

Who says we don't?

I compared your output to my logfile and it looks perfect up until the error message. I can tell you don't have hyperthreading technology, or don't have it enabled, because there is only 1
NTICE: Hooking IOAPIC vector at 93
line, with HT you'd have 2. If you do have HT you should enable it.
As for the KDExtension settings, you can search for that on this board if interested but they're not critical here.

However, Softice poured out its little heart to try to give you useful debugging information, can you not make use of it?


*001
*Int0E Fault in SoftICE at address B05EDECB offset 00096C43
*Fault Code=00000001

If you disassemble Sice and search for the string 'Fault Code=' you can see how it and the previous error messages are created. Since they're part of a larger error handling routine they can't really be traced back to the error very well.

What you should do though is type 'driver ntice' in Softice and get the base address of Sice, then add the offset 00096C43 to it and check the faulting instruction. Also check the address B05EDECB. Also check the value in EDI given in the RawStackDump. Out of curiosity, what *is* your Softice starting address, relative to this output?

I don't know if this is a precise match, but on my XP system, offset 00096C43 happens to match a string parsing routine of system driver names. It's a buffer access instruction which could perfectly cause such a page fault (Int0E) error. You should check this address to see if it accesses such a string buffer. Fault Code=00000001 may mean ACCESS_VIOLATION_WRITE, which is consistent with an EXCEPTION_ACCESS_VIOLATION error.


*FrameEBP RetEIP Syms Symbol
*B09D8CD0 F776F7AC N NTice!.text+00098B4B

You should also check this offset (relative to Sice), as well as the RetEIP disassembly to see if there is any indication where your fault came from.


*NTICE: NTRaiseHardError found at index 00B6. Delta=0000038A

A strange location for this one, it should have occurred earlier in the preload.


*0008:B05580B6 EBFE JMP B05580B6 (JUMP )

I've seen this before in internal Sice crashes. I think it's how Sice (or the system perhaps at this point) handles such an error. The fact that the last 2 messages are interspersed with other NTICE: loading messages (after the preload) indicates the error handling routine is running in a separate system thread while Sice continues to load properly. The EBFE seems to put the thread in an eternal spin lock, this may be an effective way to just halt the thread while allowing the rest of the system to function properly.


*NTICE: Load32 START=00FB0000 SIZE=13000 KPEB=85856590 MOD=browselc
*NTICE: Unload32 MOD=browselc

This occurs 3 times immediately after the error msg. It may mean nothing, but you might actually check to see what is trying to load this and completely disable the program. There is something I saw in the string parsing routine I mentioned (when I used your faulting offset on my system), that leads me to think it might be a driver conflict with another program. It's worth a shot at least.

You might also check this thread and make sure your video settings are OK
http://www.woodmann.com/forum/showthread.php?t=7199

Good luck with it.

Kayaker
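An added example, not Kayaker's code: Python that takes the log lines quoted above, derives the Sice base that "fault address minus offset" implies (to compare with what 'driver ntice' reports), expresses the other logged address as an offset from that base, and decodes the EB FE bytes as a jump to itself. It assumes, as the post's arithmetic does, that the printed offset is relative to the image base.

```python
"""Address arithmetic for the SoftICE Int0E crash log discussed above.
Assumption (as in the post): 'offset' is relative to the ntice image base,
so base = fault address - offset; compare the result with 'driver ntice'.
The log lines below are copied from the thread, not captured here."""
import re

CRASH_LOG = """\
*001
*Int0E Fault in SoftICE at address B05EDECB offset 00096C43
*Fault Code=00000001
*0008:B05580B6 EBFE JMP B05580B6 (JUMP )
"""

INT0E_RE = re.compile(
    r"Int0E Fault in SoftICE at address ([0-9A-Fa-f]{8}) offset ([0-9A-Fa-f]{8})")
# selector:address  bytes  mnemonic ...   (the disassembly lines in the log)
DISASM_RE = re.compile(
    r"^\*?([0-9A-Fa-f]{4}):([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(\w+)", re.MULTILINE)


def parse_int0e(log):
    """Return (fault_address, offset) from the Int0E line, or raise."""
    m = INT0E_RE.search(log)
    if m is None:
        raise ValueError("no Int0E line in log")
    return int(m.group(1), 16), int(m.group(2), 16)


def implied_base(fault_addr, offset):
    """Image base that makes base + offset == fault address."""
    return (fault_addr - offset) & 0xFFFFFFFF


def decode_short_jmp(code, addr):
    """Decode x86 'EB rel8' at addr; target is addr + 2 + sign-extended rel8."""
    if len(code) != 2 or code[0] != 0xEB:
        raise ValueError("not a two-byte short jump")
    rel = code[1] - 0x100 if code[1] >= 0x80 else code[1]
    return (addr + 2 + rel) & 0xFFFFFFFF


def analyse(log):
    """Summarise the log: implied base and any 'jump to self' spin loops,
    each reported with its offset from the implied base."""
    fault, offset = parse_int0e(log)
    base = implied_base(fault, offset)
    spins = []
    for m in DISASM_RE.finditer(log):
        addr = int(m.group(2), 16)
        code = bytes.fromhex(m.group(3))
        if len(code) == 2 and code[0] == 0xEB and decode_short_jmp(code, addr) == addr:
            spins.append({"address": addr,
                          "offset_from_base": (addr - base) & 0xFFFFFFFF})
    return {"fault_address": fault, "offset": offset,
            "implied_base": base, "spins": spins}


if __name__ == "__main__":
    r = analyse(CRASH_LOG)
    print(f"implied ntice base: {r['implied_base']:08X}  (compare with 'driver ntice')")
    for s in r["spins"]:
        print(f"spin loop at {s['address']:08X} = base+{s['offset_from_base']:X}")
```

If the base 'driver ntice' shows differs from the implied one, the offset is not image-relative and the arithmetic has to be redone against the real base.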

dELTA
October 15th, 2005, 05:39
All hail our own Softice god. Damn I'm jealous.

Kayaker
October 15th, 2005, 20:17
Hehe, I'm just trying to assure the doubters that Softice doesn't necessarily suck to the max big time. Maybe I've been lucky but I've never had any major problems with it.

WaxfordSqueers
October 18th, 2005, 03:33
Kayaker...how do you know all this stuff...it just ain't natural? There aren't a lot of people who can reverse softice let alone understand what's going on in the inside. You're an amazing dude.

About driver conflicts...there are at least two threads, including one of my own (http://www.woodmann.com/forum/showthread.php?t=6751&highlight=sygate), which delve into this. The other is (http://www.woodmann.com/forum/showthread.php?t=5335&page=1&pp=15&highlight=wireless+mouse), and you might want to read that since you were involved in the thread somewhere. It would make more sense to you. Talks about netmsg.dll as related to Sygate firewall.

One thread talked about a wireless USB mouse and we both had problems with Sygate firewall. DS 3.2 seems to have addressed the USB mouse issue. When I first loaded DS 3.1, I had all sorts of grief. I'd get the DOS box, and SI would load, but the DOS box would stay on the screen and everything would run super slow. It turned out to be the Sygate Personal firewall (the free one). Since I updated it to version 5.6 build 2808, I've had no problems. I used DS 3.1 extensively after that without a problem.

I loaded DS 3.2 with XP and SP2 and everything worked fine right away. I haven't tested it yet but symbol retriever seems to work ok. The message seems to be that DS 3.1 upward will work fine on XP with SP2 provided there are no driver conflicts and/or the correct drivers are used (osinfo.dat and ntice.sys). DS 3.2 seems to have fixed a lot of problems related to SP2. Reminds me of the good old IRQ conflicts of days gone by.

I realize many people are probably put off with problems that can occur when trying to load softice on XP. But I have worked in electronics and computers for years and I'm aware that very complex problems can be traced back to very simple causes. With all the drivers and crap that get loaded nowadays in Windows, that would be the first place I'd look for XP/softice issues.

BTW...there's a new version of IceExt out (ver 0.67), which has been updated for DS 3.2. This is an excellent little proggy for hiding Ice and has other useful features, like dumping.

naides
October 18th, 2005, 09:14
One loose thought:
Compuware products are intended for Driver Developers and System Programmers (not to mention reversers), who probably would have a dedicated computer or computer lab just for writing and testing their code, so I doubt Compuware developers go out of their way to ensure Sice compatibility with all the drivers, hardware, and other crap an end user would put in his or her machine. Sice is not a consumer product.

WaxfordSqueers
October 18th, 2005, 14:15
Quote:
[Originally Posted by naides]One loose thought:
I doubt Compuware developers go out of their way to ensure Sice compatibility with all the drivers, hardware, and other crap an enduser would put in his or her machine.


That's a real good point. I have visited a few forums in my searches for problems with Windows XP bugs. There is a good free app called Hijack This and another called Autoruns, from Sysinternals. These apps give you a quick glance at what is loaded at boot time.

It blows me away how much crap people have on their machines as indicated by their postings of logs from Hijack This. I make a conscious effort to make sure nothing loads, including Trojans, except for the bare minimum I need. Just about every app you load these days sneaks an autorun in there somewhere.

I'm sure most people in this forum are aware of the other free helpful apps like Adaware and Spybot Search and Destroy. There's also RegCleaner, a freeware app that reveals a lot of crap left over from apps in the registry.

It's not just Softice that has problems with extraneous drivers and apps. I run audio software that is very sensitive to the number of machine cycles available to it. Real time audio depends on the amount of delay that can be afforded before an echo-like effect is heard...or a jerking/tearing of the audio. Obviously, with a time-slicing OS like XP, the more drivers competing for processor cycles the more likelihood there is of having problems. Firewalls, in particular, and virus monitors, are a big problem when it comes to recording/reproducing good audio.

If you run another free app from good, old Sysinternals, our buddy Filemon, it's amazing to see that the firewall monitors just about every activity happening. Not only that, XP monitors activity as well. It would appear then, that the observation by Naides has great merit. Although it's a pain in the butt, it may be a good idea to dedicate a computer to reversing only.

Kayaker
October 18th, 2005, 19:26
Hi,

I fully agree with naides' synopsis, Softice wasn't developed for the "I can't crack winzip while listening to mp3's and playing Quake tournament on my overclocked hot new gfx card!" type of scenario.

Worst comes to worst, the best solution is to run it on VMware on a compatible OS version dedicated for development/reversing. Clean, efficient and BSODs don't hurt.


A small digression, Re reversing Sice, I've been playing with that on and off for almost 5 years. Of course I've learnt from the works of Spath, TheOwl, Sten. It started with the writing of the backtrace disassembler TraceDump I released with Clandestiny. The KDextension stuff came from study of IceExt.

The thing that's helped the most is being able to define a lot of the ntice variables and procedures, the IDA script by TheOwl being the starting point. I was able to develop a driver which allows me to live trace any of the Sice commands themselves, so having that running in VMWare in conjunction with IDA on the real system is invaluable for at least making an educated guess as to what the procedures are doing.


The only "trick" to the driver and being able to execute a Softice command from GUI mode, is that you must replace the default command window text buffer with one of your own. The reason for this is that the very act of tracing in Softice overwrites this buffer, so immediately screws up the input string going to the command. It's *user* input that fills and modifies this buffer, and even single step tracing overwrites it with "t" for example, and the command fails miserably.

Schrodinger's cat..


The most basic of commands is structured as follows. bUserCommand is the default text buffer address you must replace.

/////////////////////////////////////////////////////////////////
// Each command uses a global command window buffer
// Find where the buffer address is used and replace it.
//////////////////////////////////////////////////////////////////
/* EXAMPLE:
.text:000A2D5E c_Be proc near
.text:000A2D5E
.text:000A2D5E BE A2 F7 10 00 mov esi, offset bUserCommand
.text:000A2D63 E8 E1 71 FC FF call pSkipWord
...
*/

However, the location of bUserCommand is different in every command (around 150 at last count), and there may be more than 1 occurrence or no occurrences of bUserCommand. What you have to do then is do a multilevel disassembly on the command in question, tracing into calls until the main ret is reached again, searching for offsets to patch. The easiest way to do this is to use the internal Disasm function of Sice available through WINDBG_EXTENSION_APIS (detailed elsewhere).

Then it's just a matter of parsing the command index/name table (detailed elsewhere), passing this back to user mode and calling the command with a new modified string buffer. Of course I'd be willing to help anyone who is truly interested in such a line of study.

Softice is an amazingly involved program that includes its interaction with cpthook.sys and other files. Sometimes I'm amazed it works at all, let alone on every system configuration.

Cheers,
Kayaker

countryman
October 18th, 2005, 20:02
I got it and installed it
but failed at break point settings
for example) bpx getdlgitemtexta....
i think that in softice v4.05 the winice.dat file in win98 is modified with notepad,
but in compuware driverstudio the ntice.dat file in winxp is not modified with notepad.
How can I use Compuware driverstudio v3.2?
Teach me!!!
Please~~~~
have a nice day...
thanx to everyone.

WaxfordSqueers
October 18th, 2005, 20:32
Quote:
[Originally Posted by Kayaker]Of course I'd be willing to help anyone who is truly interested in such a line of study.
Kayaker


Kayaker...I appreciate the offer. I classify myself as an advanced newbie and as such would be wasting your time. I am interested in what you say about VMWare, however. I've used it on games that need to run in an older environment like Win 95, but I found it a little sluggish at times on a 2 gig Celeron with 512 Meg RAM.

Are you referring to the Microsoft VM (2004) or VMWare itself? Also, are you running an XP emulation or running an older version of softice on an emulation of Win 98? I know there's a network available with the VM's, but how good is it? Can you communicate between the VM and the actual machine via the network, or do you hop in and out of the VM?

My problem with respect to learning the deeper stuff is the mammoth amount of time it can take. I know a lot of you guys who do the deeper stuff are accomplished programmers in assembler and C, and some of you have taken it down to Ring 0, VxD's etc. Even though I've read a lot of theory on the Windows and Intel structure, I'm still struggling with concrete examples of how it should be applied.

I started a few years ago, with my first big project being Quine's reversal of an original IDA dll. Because I had the time, I spent weeks at times doing nothing but reversing. As I said earlier, it's a mammoth task wading through superfluous material to get at what you want. There's so much to learn, and trying to learn it all seems to be a mistake. It spreads you too thin and you can become a jack of all trades, so to speak, and a master of none. At the same time, if you don't make it a full time job, you don't get far.

I'd like to hear from other people and how they get around the time constraints and the learning curve. My biggest problem is perhaps trying to do too much at once, then giving up in the frustration of the magnitude of it all. Also, there's the issue of constantly changing software technology. I finally got comfortable with Win 98 and the older softice with K32, U32, etc., then along comes XP with KD Extensions and everything. Then again, I had to make the jump from 16 bit to 32 bit apps and survived.

Uridium
October 24th, 2005, 15:47
Reinstalled windows and it's working again.. But 'set breakinsharedmods on' is an unknown variable now? Still working for someone? I know about the involved context/paging problem (thus CW doesn't recommend its use) but I'm wondering why it is disabled now (I'm sure it worked before with 3.2). Does the change come with the latest osinfo.dat?

WaxfordSqueers
October 25th, 2005, 00:04
Quote:
[Originally Posted by Uridium]Reinstalled windows and it's working again.. But 'set breakinsharedmods on' is an unknown variable now? Still working for someone? I know about the involved context/paging problem (thus CW doesn't recommend its use) but I'm wondering why it is disabled now (I'm sure it worked before with 3.2). Does the change come with the latest osinfo.dat?


Who's CW? I can't vouch for 3.2 because I haven't worked on it enough. But it loaded easily and it found the symbols from 3.1. I have downloaded the entire Microsoft symbol package, and I know if you play with it long enough, you can load all the symbols. Kayaker put out a blurb a while back on how to do it methodically.

With respect to the context question, I don't know why people are making such a fuss over it. I may be all wet, but if you go back into the app you're working on (i.e. its name will show up in the softice window) and set your BP's there, there won't be a problem. If you're in a common export like Kernel32.dll you should be able to set a BP as well.

I'm thinking of everything else as a sub-routine and my app as the main thread. For example, if my app calls K32, I see K32 as the sub-routine and it will in most cases return control to my app at some point. I realize C++ types would look down their noses at that, but till someone gives me a good reason for thinking otherwise, I'm going to use the good old main program with sub-routines. If people want to conceptualize everything into objects and containers, let 'em. Some people aren't happy until they have developed jargon that makes no sense.

I imagine there may be situations where you need to change the context from another thread in order to set a BP. I have had success by simply returning to my main app and setting the BP there. Maybe someone with more expertise could explain what would happen with re-entrant situations. If I'm in a thread other than my own app, T1, and I set a BP in a third thread,T3, while my app is in the middle of the action, then I'd have to be very careful. I don't encounter that at all.

I reversed an Asprotected app using 3.1 and had no context problems whatsoever. I don't see why 3.2 would be any different. In fact, 3.2 should address problems that were encountered when moving up to XP SP2.

It bothers me to see people giving up on softice because they can't get it going in XP. If it was an issue, do you think Compuware would be keeping quiet about it? There are no problems with softice and XP SP2. Look through this thread and you'll find the answer.

The only thing I can say about the 'set breakinsharedmods' command, is read what the command says. It says to break in shared mods. We all know what shared mods are, like K32, U32, etc. Like I said, in 3.1, I had no problems breaking in shared mods even without the command set.

Finally, I have nothing bad to say about Ollydebug, but it works in user mode and I can't see how it can do things softice must be able to do working at Ring 0. That's why softice must be harder to setup because it digs under the operating system itself. How they accomplished that at Compuware, especially with XP, makes them look like rocket-scientists to me. It's an excellent debugger and well worth the time to get it going.

WaxfordSqueers
October 25th, 2005, 02:15
Quote:
[Originally Posted by Uridium]But 'set breakinsharedmods on' is an unknown variable now? ---snip--- I know about the involved context/paging problem (thus CW doesn't recommend its use)


Did some digging around and found this morsel about softice:

******

Operating behavior of breakpoints in shared ring 3 modules.

In versions of SoftICE prior to 3.0, breakpoints set in shared ring3 modules would hit according to the description as defined in the Using SoftICE book, Chapter 7, "Understanding Breakpoint Contexts." In 3.0, we changed this so that breakpoints would only hit within the context in which the breakpoints were set. For Version 3.1, we have now added a SoftICE environment variable to toggle the behavior of shared ring3 breakpoints. By default, breakpoints only trigger in the context in which they were set. To change to the pre-3.0 behavior, from the SoftICE command line, issue the command set BreakInSharedMods on. Note that all breakpoints will have to be cleared with a bc * and then reset after changing this value. For shared ring 3 module breakpoints, it is possible for your application (or another application that is sharing the module) to end up crashing. This is due to copies of the physical pages that the code pages reside on being present and SoftICE not tracking these copies. Any such ring 3's left around in memory will cause crashes. There is currently no easy workaround. One possible solution would be to issue the set i3here on command to allow for user mode int3's to trigger SoftICE, and then modify the byte in memory, replacing it with the original code byte.

***********

The first part of that about BreakInSharedMods is pretty straightforward to me. In fact, I read on another board that it's better left alone. That is, don't set it. The second part is a bit baffling. It's saying to me that if I'm debugging an app that is using a module shared by another app, that the other app or the module 'might' crash. It also seems to be saying that the other app could change the code pages, and when softice goes looking for them, they're not there. How often does that situation exist, where two different apps are sharing the same mod?

That doesn't seem a humongous issue to me...certainly not enough to stop using softice. Kayaker...if you're paddling around out there, what do you make of this? Need your expertise.

I think this faulting/BreakInSharedMods is a red herring. I'd be willing to bet those people having trouble setting up 3.1/3.2 just haven't bothered to read all the information required to set it up. Between the docs that come with SI and what's available in this forum and others, I think there's now plenty of info to set up 3.1 or 3.2.

That's my story, and I'm sticking to it.

Uridium
October 25th, 2005, 13:26
You don't need to tell me what breakinsharedmods is doing, I know already. I'm just curious why it's gone all of a sudden and what's responsible for that. In some cases it's very useful to have.

M4yH3M3d
October 25th, 2005, 15:31
I know this is my first post and please forgive me if I am a bit flaky, I have been up 36 hours working on something and I didn't want to go to sleep a few hours ago for fear of not waking up to pick my daughter up at school.

As far as SI goes, for RE tools even to this day I don't see its power equaled among the other tools out there. A lot of people know the risks they take when they use a kernel level debugger, but I can only speak for myself: I am willing to take that risk because even though I could wind up formatting my HD because I did something haphazardly, the time it saves me over switching between IDA, OllyDbg and a dynamic mem tool is well worth it. (And believe me, I have had to format 4-5 times when I first started using SI because I didn't know about nice little sites like this and the old Fravia site, which I actually read a lot of the 300 essays over there before coming here.)

SI is not an easy program to get knowledgeable about without making mistakes; that is the process of learning some of these things. I started using SI with no knowledge of ASM, barely able to do accounting sheets in VB, but I seemed to be good or have a knack of guessing correctly more than incorrectly while I educated myself on what exactly all of the 0's and 1's were for in the computer. I'm still a nublet in many respects; I read the author of the topic's post and some of the responses probably 2-3 times before some of it sunk in. I have actually never had a problem getting the program to work on XP. I just recently started using it again after smashing my head up against the wall trying to use 3 tools at once with only 1.5 gigs of RAM and not getting what I wanted out of my search. I suppose I could have tried to read more articles but I don't know an easier way and have not been successful using any other tool to get past an exe that has been Obfs! And believe me, I have about 40 ways of how not to do it with the other tools.

Anyway, hopefully at some point after I read and attempt some of the things being done on this forum I will have more to contribute than just my opinion. Also probably would help if I would keep nodding off while I'm typing.

Kayaker
October 25th, 2005, 17:14
Oh what strange twists and turns these threads sometimes take..
Nope, DS3.2 no longer supports the SET BREAKINSHAREDMODS command. A look at the SET command in the Sice manual will tell you which commands it does support, and this isn't one of them. Not being thoroughly convinced, I traced the SET command with IceProbe and Sice does a string comparison on an ascii table which doesn't have the word BREAKINSHAREDMODS in it, so of course it fails and you get the error message.

You can't fight it if the code ain't there, but only the CW guys know why they reverted to the old method of context sensitive breakpoints.

WaxfordSqueers
October 25th, 2005, 17:27
Quote:
[Originally Posted by Uridium]You don't need to tell me what breakinsharedmods is doing, I know already. I'm just curious why it's gone all of a sudden and what's responsible for that. In some cases it's very useful to have.


Didn't mean to imply you didn't understand BreakinSharedMods. I couldn't get the drift of your post...what you were on about.

Looking at your winice.log, it seems that ice can't understand the 'set' command. I would guess you have included that in Winice.dat as:
'set BreakinSharedMods=ON'

If you have, take out the 'set' and leave only:
BreakinSharedMods=ON

I think you would only use the 'set' command at the prompt in the softice
window.

Also...you have this line in your winice.log.txt:

NTICE: KDExtensions are disabled KDHeapSize=00000000 and KDStackSize=00000000

When I used IceExt, it prompted me to change those values in the registry at:

HKLM/System/ControlSet001/Services/NTice

If you highlight the NTice key, you'll see about 20 entries. Both KDHeapSize and KDStackSize are listed with zero values hopefully. If so, and they are Dwords, just change the 0x00000000 to 0x00008000 in both of them.

If they are not even listed, you'll have to add them. Here's how they're listed in my reg:

KDExtensions REG_SZ
KDHeapSize REG_DWORD 0x00008000 (32768)
KDStackSize REG_DWORD 0x00008000 (32768)

I don't know what significance the KDExtensions entry has, but it's in mine as above.

After that, I got an indication that KDExtensions are enabled. Voila!! Don't know what it means, but I like it.

Also, I increased my EXP memory allocation in Symbol Loader to 1024K. I don't know what an optimum size is nowadays but I have run into problems in the past by not having enough memory allocated to exports.
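The registry check described above, as an added example that is not from the thread: it reads the NTice key at the path the post gives (HKLM/System/ControlSet001/Services/NTice, written here in PowerShell syntax with backslashes), creates KDHeapSize and KDStackSize as REG_DWORD if they are missing, and sets them to 0x00008000 if they are zero. It assumes the script runs from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: check/set the NTice KDHeapSize and KDStackSize
# values the post describes. Path and value (0x00008000) are taken from the post.
$key    = 'HKLM:\SYSTEM\ControlSet001\Services\NTice'
$wanted = 0x8000   # 0x00008000 (32768), as listed in the post

if (-not (Test-Path $key)) {
    throw "NTice service key not found at $key (is SoftICE installed?)"
}

foreach ($name in 'KDHeapSize', 'KDStackSize') {
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Value not listed at all: add it as a DWORD, as the post says to do
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $wanted | Out-Null
        Write-Host ("{0} was missing; created as REG_DWORD 0x{1:X8}" -f $name, $wanted)
        continue
    }

    $kind = (Get-Item $key).GetValueKind($name)
    if ($kind -ne 'DWord') {
        # Present but not a DWORD: recreate it with the expected type
        Remove-ItemProperty -Path $key -Name $name
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $wanted | Out-Null
        Write-Host ("{0} was {1}; recreated as REG_DWORD 0x{2:X8}" -f $name, $kind, $wanted)
        continue
    }

    if ($item.$name -eq 0) {
        # The zero values that make NTICE report "KDExtensions are disabled"
        Set-ItemProperty -Path $key -Name $name -Value $wanted
        Write-Host ("{0} was 0; set to 0x{1:X8}" -f $name, $wanted)
    } else {
        Write-Host ("{0} already 0x{1:X8}; left alone" -f $name, $item.$name)
    }
}
```

A reboot is needed afterwards for NTICE to pick up the new values, as with any change to that service key.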

WaxfordSqueers
October 25th, 2005, 17:34
Quote:
[Originally Posted by M4yH3M3d]Anyway hopefully at some point after I read and attempt some of the things being done on this forum I will have more to contribute then just my opinion. Also probably would help if I would keep nodding off while I'm typing.


You sound like a typical reverser...sleep-challenged.

If you have anything to contribute, the more the merrier.

WaxfordSqueers
October 25th, 2005, 17:43
Quote:
[Originally Posted by grimani]a quick little FAQ for those like me who can't seem to get softice to work and are too scared of mods to ask for help---snip---
(i) what's this API hook failed thing?


Just getting back to comment on your FAQ and compliment you on a job well done. At first, I didn't get a lot about what you were saying, but you have come up with a recipe that should get softice working on XP for anyone.

I hadn't noticed that I had the API hook error as well. It was about osinfo.dat and/or osinfob.dat. I changed them, it went away.

WaxfordSqueers
October 25th, 2005, 18:54
Quote:
[Originally Posted by Kayaker]Not being thoroughly convinced, I traced the SET command and Sice does a string comparison on an ascii table which doesn't have the word BREAKINSHAREDMODS in it, so of course it fails and you get the error message.


I was testing your hippopotamus...er...I mean your hypothesis. I set breakinsharedmods presumably ON in winice.dat and rebooted. I manually started softice and tried 'set breakinsharedmods=off'. I got the error about the variable not being recognized. So I entered 'set' by itself, and up came all the variables the set command affects. You're right, there's no mention of breakinsharedmods, but there sure are a lot of interesting variables in there.

BTW, Kayaker, how did you trace the SET command?

Kayaker
October 25th, 2005, 20:17
Quote:
BTW, Kayaker, how did you trace the SET command?

Hi Wax

The same way I mentioned in an earlier post, with a driver I made, IceProbe to give it a name. You can also trace the SET command in IDA and see it accessing the alphabetical ascii table of supported functions and their corresponding code.

To embark on such a zoo tour one should set up the Name/Index table as I described in

Setting up IDA for analysing Softice functions
http://woodmann.net/forum/showthread.php?t=6529

When I finish an unrelated current project I may try to release IceProbe as a testing util. Right now it's a mass/mess of unfinished KDExtensions and attempts at hooking the cpthook interface (yes, FGJM still exists..) where some interesting bits reside. The real IDT values for the system interrupts that Softice hooks for example are accessed through cpthook.sys (and tracing the command IDT will get you there). This raises the possibilities of overwriting these hooks with detours of your own, consequences as yet unknown..


To answer a couple of your earlier questions on VMWare, well, try it and you'll appreciate it. It's really the optimal reversing environment. It's a perfect match, a mirage made in heaven - run a target in Softice (even Softice itself) under the VM (any OS except 9x), stop at any time and use Ctrl-Alt to get back to your main system. Here you've got the disassembly in IDA open which you can update with things like memory contents of variables, stack values, system symbol names,...

Then you start playing with the jigsaw pieces to put the puzzle together.

Cheers,
Kayaker

WaxfordSqueers
October 25th, 2005, 20:49
Quote:
[Originally Posted by Kayaker]When I finish an unrelated current project I may try to release IceProbe as a testing util.


would be interesting to see that.
Quote:
[Originally Posted by Kayaker]To answer a couple of your earlier questions on VMWare---snip--- run a target in Softice (even Softice itself) under the VM (any OS except 9x),


You say any OS but 9x. Does that mean you run XP, 2000, etc. instead on the VM? I'm a bit leery of loading XP under a VM because it uses at least a gig and a half of space. Do you pare it down to a skeleton for VMWare?

Another thought, how about Visual Softice using VMWare? I'm not up on the networking aspects of VMWare and I know VSI needs two monitors and two os's. Can VMWare emulate that condition?

Uridium
October 26th, 2005, 12:53
Quote:
[Originally Posted by Uridium]Reinstalled windows and its working again..
Yep.. and not 24h later it's broken again... But I got 'em. Kaspersky 5.0.390. SI will not start correctly (startsi.exe@99%). I'll not try going into that since K-labs announced a new major release for 11-2005. Just deinstalled and everything's fine again... Btw, IceExt's UnhandledException Protection isn't working any longer (unable to patch)?

WaxfordSqueers
October 26th, 2005, 18:45
Quote:
[Originally Posted by Uridium]But I got 'em. Kaspersky 5.0.390. SI will not start correctly (startsi.exe@99%). ---snip---... Btw, IceExt's UnhandledException Protection isn't working any longer (unable to patch)?


Was it the Kaspersky virus monitor? If so, why not just turn it off, or stop it loading, either in Windoze Services, if it's there, or wherever it loads. I never use the monitor anyway. Everything...and I mean everything...I download, except maybe txt files, goes through the virus scanner before I use it. Even jpeg files can be infected now.

Are you using the very latest IceExt, which is 0.67?

Uridium
October 26th, 2005, 18:58
I use KAV just as an on-demand scanner (like you said). By shutting down the systray symbol the service shuts down as well, but it doesn't help. There's something else installed/present in the system that corrupts SI. I looked in Windows device manager with 'show non-present hardware' but nothing suspicious/KAV related there as well.

Latest IceExt here v0.67. Still missing the promised ring0 mp3 player mentioned in the readme..

Btw, why are you asking? What system do you have? I mean, if you would use xpsp2 and iceext67 you would notice yourself...

WaxfordSqueers
October 26th, 2005, 22:45
Quote:
[Originally Posted by Uridium]I use KAV just as an on-demand scanner (like you said). By shutting down the systray symbol the service shuts down as well, but it doesn't help. There's something else installed/present in the system that corrupts SI. I looked in Windows device manager with 'show non-present hardware' but nothing suspicious/KAV related there as well.


In XP, look under Control Panel/Administrative Tools/Services. Scan the list for AVP or Kaspersky. I have a listing for AVP Control Centre. Right click the listing, if it's there, and hit the 'Stop' button if it's running. Then set it to Disabled in the appropriate window. Don't forget to hit 'Apply' before exiting the window.

Quote:
[Originally Posted by Uridium]Btw, why are you asking? What system do you have? I mean, if you would use xpsp2 and iceext67 you would notice yourself...
As I said in an earlier post, I have just loaded 3.2 and IceExt on XP w/SP2. I've done a few BPX's etc to confirm it was running, but that's about all. I asked because I just happened to be on Sten's site and noticed the new IceExt for 3.2. Thought maybe your problem could have been fixed by an upgrade, but apparently not.

I have used IceExt extensively on 3.1, to hide Ice and to dump processes from memory.

Uridium
October 26th, 2005, 23:41
I'm sure the service is disabled; it's something else resident.
You have to type '!protect on' to see if iceext works.

WaxfordSqueers
October 27th, 2005, 04:03
Quote:
[Originally Posted by Uridium]I'm sure the service is disabled; it's something else resident.
You have to type '!protect on' to see if iceext works.


Yes...but did you try what I said anyway?? If not, please smack yourself up the side of the head with some wet noodles.

Turning the monitor off at the desktop does not get it out of memory. It's running as a service and will keep running till you turn the service off. Same as Windows firewall. You have to go into the path I mentioned and turn it off to get rid of it.

You're right about IceExt, but I recall something I have to check out. When you first boot into Ice, you have to manually reset a hex bit. I think that might get the UnhandledExceptionFilter going. I'll get back to you. It's something about patching a CC in UnhandledExceptionFilter when you start out.

***newsflash ---just remembered. Oh, alright, I admit I looked it up in the archives. You do a 'd unhandledexceptionfilter' and that will bring unhandledexceptionfilter up in the Ice data window. You'll see a CC in the first byte. NOP it. i.e. change the CC to 90, and hit 'Enter'. Now try your
'!protect on' and you'll see a yes beside unhandledexceptionfilter.

I'm so happy. It's the simple little things that make the world go round. Now, if I could just get a life.

Uridium
December 16th, 2005, 12:43
If I do a 'd unhandledexceptionfilter' the data window is just filled with '??' so there's nothing to NOP there...

Kayaker
December 16th, 2005, 16:47
Hi, try a PAGEIN <address> in the correct context to see if it gets rid of the '??'