
Softice and breakpoints revisited


WaxfordSqueers
November 12th, 2006, 13:46
As Yogi Berra once said, it's deja vu all over again.

OK...I've done my duty and searched the archives. There are some quirks using Softice in XP w/SP2, and I was hoping my friend in the kayak would drop by, or another Ice guru.

The issues arising most are:

1)the 'could not find desktop window' when using HWND by itself
2)the 'no LDT' message when BPXing on a proc listed by the PROC command
3)Ice not breaking on a bmsg hwnd wm_command when the addr context has been verified

Ice works 90% of the time for me as it should. I can very seldom get a full listing of current windows, using just 'hwnd' as it used to do. I have to get the proc name using PROC, then apply HWND 'procname'. The other day, they all magically appeared with a straight HWND as they used to in older versions of softice. I have no idea what I did or what the conditions were to have that happen. It's not an addr context thing.

I use SPYXXX occasionally to find the HWND of a window, or to find its parent. When Ice complains about not being able to find the desktop windows, SPYXXX shows them all. If it can see them, why can't softice?

I set a BMSG on a hwnd the other day, and it failed to go off. I brought up SPYXXX, and when I began to use the little window finder button you can slide over windows, Ice popped up with a HWND I had not asked for. It was for WM_COMMAND. I reset it with ctrl-D, and started to move the SPYXXX button over the open windows, when ICE popped up with my correct HWND and the WM_COMMAND. Of course, it was in the wrong context.

I have verified the addr context many times, all to no avail. I have Sygate personal firewall running in the background, and I have shut it down without removing the driver. I hate to do that at this time, but it might be the only recourse. An older version of Sygate would not allow Ice to load from the desktop (DS32).

What I'm reading in the archives is not all that informative. Can we perhaps go into this a little deeper, or does someone have softice working completely normally on XP with SP2? As I said, mine is 90% normal, and it's functional. I'm just wondering why it won't operate at 100%.

Kayaker
November 13th, 2006, 02:25
Hi Waxford,

He also said "If you don't know where you are going, you will wind up somewhere else."

Since it's getting a bit cold for kayaking I guess I can try to answer these..

1)the 'could not find desktop window' when using HWND by itself

It turns out that this appears to be a difference in how the active TEB (or TIB) is defined in Win2K and XP. Here's the behaviour I noticed:

In Win2K, HWND by itself *will* list all the current window handles, but only if you're in the context of some user app. So if you type 'ADDR Explorer' then 'HWND' you'll get every system window handle.

In XP however you must *break* into the context of a user app before HWND will work. For example using Loader32 to break at the start of notepad. Then you can type either 'HWND' to get all the window handles, or 'HWND notepad' to get just those from notepad. If you Ctrl-D into Sice from the desktop and try changing the ADDR context to notepad it won't work.

Why?

First off, check these differences: Start notepad and in Win2K type 'QUERY notepad', scroll to the very end and check the address given for the TIB. It should be 0x7ffdE000. Now do the same in XP, it will probably be 0x7ffdF000.

Maybe if you use a dll injection loader which creates its own thread, you'll notice notepad now has 2 entries for the TIB, one at 0x7ffdF000 and one at 0x7ffdE000, one for each thread. Type 'ADDR notepad' and 'HWND' and now it should work.

In the same vein, if you were to Ctrl-D into Sice and type 'ADDR explorer' then type 'HWND' it should also work. Why? Because explorer already has several active threads and the TIB entry for 0x7ffdE000 is valid.


What's so special about the TIB entry at 0x7ffdE000? The ugly explanation..

I broke out IceProbe which as I mentioned before I wrote to manually trace into Softice commands. I selected 'HWND' and began to trace and it led me to the TEB->Win32ClientInfo structure. Surprisingly I could find no information on the definitions of TEB->Win32ClientInfo, a list of long pointers beginning at TEB offset 0x6cc.

Code:

kd> dt _TEB
+0x000 NtTib : _NT_TIB
...
+0x6cc Win32ClientInfo : [62] Uint4B
+0x7c4 glDispatchTable : [233] Ptr32 Void


In Win2K at least, the TEB/TIB has the static address 0x7ffdE000, so Win32ClientInfo is always at offset 0x7ffde6cc. In XP you'll notice this isn't always the case if you try the 'QUERY' experiment I mentioned above.

Now onto how Sice uses it.. Within the HWND command is the following code snippet which tries to find one of the Win32ClientInfo fields at the absolute address of 0x7ffde6e4. If it can't find it, the code leads to the 'could not find desktop window' error message. If for any reason the TIB is not valid, either because you're in a system context and it doesn't exist/is paged out, or because it's not currently located at address 0x7ffdE000, the code won't find Win32ClientInfo and will fail.

Code:

:0004EC5C call GetOSMajorVersion
:0004EC61 cmp eax, 4 ; Win2K and above = 5
:0004EC64 push edi
:0004EC65 jnz short loc_4EC6E
:0004EC67 push 7FFDE05Ch ; TEB.Win32ClientInfo field for Win9x/Me
:0004EC6C jmp short loc_4EC73
:0004EC6E ; ---------------------------------------------------------------------------
:0004EC6E
:0004EC6E loc_4EC6E: ; CODE XREF: _c_Hwnd_Sub1+F5
:0004EC6E push 7FFDE6E4h ; TEB.Win32ClientInfo field for Win2K and above
:0004EC73
:0004EC73 loc_4EC73: ; CODE XREF: _c_Hwnd_Sub1+FC
:0004EC73 call RetrieveWin32ClientInfoValue


As to exactly what the Win32ClientInfo field at offset 0x7ffde6e4 is I'm not sure. It seems to be an address such as 530650h. Sice then gets another value/address from it at offset +8 and uses it in outputting all the window handles. I assume it's accessing a kernel handle table at some point.

I'd like to know more about the Win32ClientInfo fields, they may point to an interesting kernel structure or two..

In any case, if you play around a bit you should be able to confirm that when you are in a user context, AND there is a valid TIB situated at 7FFDE000h, then 'HWND' should work. Probably the best way to ensure this is just to switch the context to the always present Explorer and use the command from there.


I'm not sure about the other problems. The 'No LDT' msg isn't new but I'm not exactly sure what you're doing to get it. As for the bmsg problems, a simple 'BMSG <hwnd> 111' seems to work OK for notepad wm_command at least. Perhaps your problem was related to the HWND problem in some manner.

Cheers,
Kayaker

WaxfordSqueers
November 13th, 2006, 17:53
Hey Kayaker...thanks for your in-depth response.

This little problem is beginning to drive me daft.

Quote:
[Originally Posted by Kayaker;62332]In XP however you must *break* into the context of a user app before HWND will work....snip...Start notepad and in Win2K type 'QUERY notepad'...snip...in XP, it will probably be 0x7ffdF000.


Tried what you suggested. A 'query notepad' returned 7FFDF000 with TIB (E0). Tried a 'hwnd explorer' and all the windows appeared. Then I began to monkey around with the DEX command to set up a couple of data windows for ds:esi and es:edi. Thinking I'd had enough of manually entering them each time, I set up a persistent macro, which didn't work. So I rebooted to see if that would help.

After reboot, nothing worked. I tried 'hwnd explorer', making sure it was in the right context with an 'addr explorer', and got the old 'can't find a desktop window'. Tried 'addr notepad' + 'hwnd notepad'...same thing. Monkeyed around some more...don't know what I did...and suddenly 'hwnd explorer' worked, but not 'hwnd notepad'. Tried a couple of other processes with hwnd, and even hwnd by itself...same problem.

The other day, I was fiddling with Silver's DX crackme, when hwnd started working by itself. All windows appeared. I am using IceExt, and I don't know if that's an issue, but I've tried loading Ice with it and without it, and used both !protect on and off. Same problem.

That's when I noted the 'no LDT' error message last. I was trying an addr on dinput8, a directx module. If I use the exp command in Ice, I get about 5 exports listed under Dinput8. In fact, I am using NMS files to load the exports, including one recently made from a pdb file directly from Micro$oft.

I can't recall exactly the command I was applying to dinput8, it was either a hwnd or an addr. It only returned 'no LDT'. Here's what the manual says:

***Win32 applications and drivers do not use LDT selectors. When a Win32
process is active, the Intel CPU’s LDT register is NULL. In this case, the
SoftICE LDT command gives you a No LDT error message. When a VDM or 16-bit WOW process is active, a valid LDT selector is set, and it comes from this GDT selector. During a process context switch, LDT selector information within the kernel process environment block (KPEB) is poked into this selector to set the appropriate base address and limit.***

so, if I type in LDT with a 32 bit app loaded, it returns the error 'no LDT'. Why is softice returning that error message in relation to a command involving Dinput8? That question is more rhetorical than anything, I don't expect you to have the answer.

With regard to the BMSG command, I can get it and the BPX command working 90% of the time. In fact, I usually break into an app using the loader and use the 'G address' command a lot. It never fails.

The app I was working with the other day uses an installation setup from Inno. I think it's OK to use that name in this context. The installation comprises one setup file, setup.exe, and a huge bin file which is compressed with the same compression as 7.zip. Everything goes swimmingly till one data file is being decompressed, when the installer pops up an error message that an access violation has occurred at such and such an address with a READ of such and such.

When I try to BMSG hwnd WM_COMMAND on the message box, Ice does not pop up. If I bring up SPYXX and apply its window finder button, Ice pops up immediately, but the hwnd is wrong. If I move the SPYXX button around, then Ice pops up with the right hwnd, before I've had a chance to hit the OK button. That strikes me as being weird, but it may be related to a conflict between Ice and SPYXX.

I am checking another possibility. The setup.exe file seems to create an image of itself in a temp directory. Maybe that's the file I need to BMSG on.

Kaolin
November 13th, 2006, 22:22
Quote:
[Originally Posted by Kayaker]I'd like to know more about the Win32ClientInfo fields, they may point to an interesting kernel structure or two..


Does that help?

Code:
typedef struct _CLIENTINFO {
DWORD CI_flags;
DWORD cSpins;
DWORD dwExpWinVer;
DWORD dwCompatFlags;
DWORD dwTIFlags;
PDESKTOPINFO pDeskInfo;
ULONG ulClientDelta;
struct tagHOOK *phkCurrent;
DWORD fsHooks;
CALLBACKWND CallbackWnd;
DWORD dwHookCurrent;
int InDDEMLCallback;
HANDLE hDdemlCallbackInst;
PCLIENTTHREADINFO pClientThreadInfo;
DWORD dwHookData;
DWORD dwKeyCache;
BYTE afKeyState[CBKEYCACHE];
DWORD dwAsyncKeyCache;
BYTE afAsyncKeyState[CBASYNCKEYCACHE];
BYTE afAsyncKeyStateRecentDown[CBASYNCKEYCACHE];
WORD CodePage;
HKL hKL;
BYTE achDbcsCF[2];
MSG msgDbcsCB;
} CLIENTINFO, *PCLIENTINFO;

WaxfordSqueers
November 14th, 2006, 02:42
Quote:
[Originally Posted by Kayaker;62332]In XP however you must *break* into the context of a user app before HWND will work. For example using Loader32 to break at the start of notepad.......
Kayaker...I skimmed over this part, but went back and checked it. M$oft seems to have diddled Notepad. I got a EULA when I tried to load it from Ice loader and it won't break at the entry point. Tried modding PE header with Lord PE and bpx'ed on getmodulehandle, etc., but it wouldn't break. Have little patience for Bill's games, so I used an app I know will break.

My app broke at the entry point, but there's no way. No matter what I do, the hwnd alone gives me the annoying message about not being able to find a desktop window. The addr context makes no difference. I can bpx on exports or addresses all over the place no problem. At one point, I tried the 'task' command alone and got the 'no LDT'.

I dumped the softice driver and found the message to do with not being able to find the desktop window. They are pushing a value a little before the message that is pretty close to the value you mentioned for the tib using query notepad. Is there a chance this version of the driver may be pointing to the wrong address?

4EC6E push 7FFDE6E4h <---close to tib you gave for XP
4EC73 call sub_749DE
4EC78 cmp eax, edi
4EC7A jz short loc_4EC8F <---- jmp
4EC7C push edi
4EC7D push 8
4EC7F push eax


4EC8F push 0Bh
4EC91 lea eax, [ebp+arg_0]
4EC94 push eax
4EC95 lea eax, [ebp+var_10]
4EC98 push eax
4EC99 mov [ebp+arg_0], edi
4EC9C call sub_4599E
4ECA1 test eax, eax
4ECA3 jz short loc_4ED09 <-----jmp to message
4ECA5 cmp [ebp+var_10], edi
4ECA8 jz short loc_4ED09 <-----jmp to message
4ECAA push edi
4ECAB push 40h
4ECAD push [ebp+var_10]
4ECB0 call sub_74A0E
4ECB5 mov esi, eax
4ECB7 cmp esi, edi
4ECB9 jz short loc_4ED09 <-----jmp to message
4ECBB test byte ptr [ebp+arg_4], 2
4ECBF jnz short loc_4ECC6
4ECC1 call sub_4E17D


4ED09 ; sub_4EB70+138 ...
4ED09 push offset aUnableToFindAD ; "Unable to find a desktop window"
4ED0E call sub_11ACB
4ED13 jmp short loc_4ED2F

Kayaker
November 14th, 2006, 10:55
Quote:
[Originally Posted by WaxfordSqueers;62368]4EC6E push 7FFDE6E4h <---close to tib you gave for XP


That was sort of the point of my post - since Softice uses a static hardcoded address of 0x7ffde6e4, if the current TIB isn't situated at 0x7ffdE000 then the function will fail.

I don't know why in XP the TIB is sometimes at 0x7ffdE000 and sometimes it's at 0x7ffdF000. It seems to depend on the context, maybe it's even a bit variable.

As you've indicated and I noticed too, sometimes HWND would work, and then under what you think are the same conditions, it doesn't work. At that point in time, check the TIB address, that should indicate whether it will work or not. In fact, you can simply display the address 0x7ffde000, if it's paged out HWND will fail, guaranteed.

WaxfordSqueers
November 14th, 2006, 11:56
Quote:
[Originally Posted by Kayaker;62382]I don't know why in XP the TIB is sometimes at 0x7ffdE000 and sometimes it's at 0x7ffdF000. It seems to depend on the context, maybe it's even a bit variable.


Thanks for the reply, Kayaker. I didn't see what you made obvious. The 0x7ffde6e4 is based at 7ffde000. If I change that address in the driver to 7ffdf6e4, would that fix it? I'm a bit leery about altering drivers, and to do it, I'd probably have to rename the driver, and replace it from my Win 98 partition. Of course, I could find the module in memory and try a tweak there.

I also noticed there's a range in the tib listing under 'query', and it's always a range of 0 for notepad.

Quote:
[Originally Posted by Kayaker;62382]In fact, you can simply display the address 0x7ffde000, if it's paged out HWND will fail, guaranteed.
That is a problem. It was paged out once and I tried to pagein, only to get a crash. Is there another way to page it in? Or is there a reason it's paged out? I'm thinking I might have been using an app that uses the tib base at 7ffde000, if that's possible, when the hwnd worked. I'll keep an eye on it.

There's another possibility that maybe my ice driver is a Win 2k version. As you know, to get DS32 working, you have to change some files, and I don't recall if I changed the driver. I have two versions in my driver directory: 4.3.2.2485 and 5.1.2601.0. The 4.3.2.2485 is active while the other is renamed.

Another thing that just occurred to me. I reloaded XP recently (a repair install) and it may have overwritten my osinfo files. I'll check.

Kayaker
November 14th, 2006, 12:19
I wouldn't alter the driver to change that hardcoded address, it would serve no purpose. The problem is the variability of the TIB base address. I can't explain the variability, just that it seems to exist and affects whether HWND will work or not. And you won't be able to pagein what doesn't exist..

>> I'm thinking I might have been using an app that uses the tib base at 7ffde000,

Exactly

WaxfordSqueers
November 14th, 2006, 13:08
Quote:
[Originally Posted by Kayaker;62384]I wouldn't alter the driver to change that hardcoded address, it would serve no purpose.
Here's something that might tickle ya. I found the app that allows me to have every hwnd I need. It was Silver's DirectX crackme.

I don't want to give any secrets away that might affect the outcome of Silver's crackme, but I'm sure he'd forgive a few indiscretions aimed at furthering the cause of Ice research.

Anyway, if you d/l the crackme, and fire it up, it's kinda neat in itself. Getting Ice to break is a bit tricky, however. You have to be sure any graphic accelerators are turned off, or in my case (NVidia 6200) down to the first notch in Display settings/Advanced/Troubleshooting. Then you can control-D in to Ice.

Right away, a hwnd gives me all the windows. What gives? A query on the handle of Silver's crackme doesn't list a TIB, rather a Stack(8c) in the range 30000 - 12f000. Hmmmm...could Silver be up to some evil-alley tricks? We'll have to hold him down and force it out of him.

You might also notice that the softice video display is now altered. I'm sure that has something to do with the competition between the Ice video driver and the DX rendering. Does that maybe have something to do with the hwnds suddenly appearing? It's above my head. It's over to you, good guru of the North.

blabberer
November 14th, 2006, 14:24
Quote:

I don't know why in XP the TIB is sometimes at 0x7ffdE000 and sometimes it's at 0x7ffdF000. It seems to depend on the context, maybe it's even a bit variable.


All TIB, TEB and PEB addresses are variable in XP; they're not mapped to the same address. It is some random address and it almost always maps from 7ffda000 to 7ffdf000.

It was constant in W2K.

A blog entry on OpenRCE which talks about it:
https://www.openrce.org/blog/view/44

Silver
November 14th, 2006, 15:04
Quote:
I found the app that allows me to have every hwnd I need. It was Silver's DirectX crackme


Um, yup, I just forgot to add a note about that in the readme - "This crackme also fixes sice problems"

Well hey if you can't claim credit for totally unintentional side-effects, what's the point in doing anything! I have absolutely no idea why my crackme would affect sice in this way...

Great to hear someone's attacking my crackme, I haven't heard much activity on it yet. Indiscretions ahoy:

Quote:
You have to be sure any graphic accelerators are turned off,


Just one note about this. I totally forgot this would be a side-effect of how I coded the crackme. My original intention was to really force people to figure out how to get (for example) Olly to break and work correctly with a fullscreen DX app. I've discussed this before so rather than spoil the crackme the search feature is at your disposal. Anyway after I coded the first version I realised that I needed to add at least some caps checking to the code otherwise it probably wouldn't load on a significant percentage of machines.

So by doing this you're actually forcing the code to fall back to a backup mechanism (for the technically minded, it switches between HAL, SW and REF rasterisers and HW or SW vertex processing).

Anyway, fair dues, you figured a way round the first issue and for reversers that's just as good a solution as any, but if you'd like to specifically expand on your DX cracking experience (doing the sightseeing, as I put it, rather than just beating it) you can always go back and attempt to patch your way around the problem without altering your driver settings.

I'll stop hijacking your thread now

WaxfordSqueers
November 14th, 2006, 15:36
Quote:
[Originally Posted by Silver;62390]I'll stop hijacking your thread now


No problem...hijack away. There are a lot of issues I've stumbled across in Ice trying your crackme. For example, I'm having trouble getting DirectX functions to list, or other functions that might help me trap the mouse and keyboard input.

I find function names listed due to my nms files that softice doesn't seem to know about, even though it lists them as exports. I could give you a specific function if you like but it might compromise your crackme.

BTW...I spoke too soon with regard to your crackme being different. It is in many ways, but I'm back to the same old, same old. At first, on initially breaking into the crackme, I got all hwnd results on everything. After playing a while, it was back to the no desktop window bit.

WaxfordSqueers
November 14th, 2006, 15:44
Quote:
[Originally Posted by blabberer;62389]a blog entry in opnrce which talks about it
https://www.openrce.org/blog/view/44


Thanks for the info, Blabs. There's one url at your posted URL with an article by Matt Pietrek, who once worked for Noo Mega. I'm wondering if I should ask him to fix the Ice driver now that Compu-where?? is defunct. I've communicated with Matt before, he's a pretty nice guy. He was also a pioneer in the modern Windows reversing era, calling it spelunking.

Kayaker
November 15th, 2006, 00:33
Quote:
[Originally Posted by Kaolin;62363]Does that help?

Code:
typedef struct _CLIENTINFO {
DWORD CI_flags;
DWORD cSpins;
DWORD dwExpWinVer;
DWORD dwCompatFlags;
DWORD dwTIFlags;
PDESKTOPINFO pDeskInfo;


Thanks Kaolin,

Yes that does help. Though it does raise just as many questions.
Most of those substructures and variables are not particularly defined either, whether you check ReactOS, Wine, various header files or even "leaked" code. It's not surprising though since any of these structures can change at a moment's notice, so it doesn't really matter. The only define that is important is the one of the OS you happen to be working on at the moment.

For example, I'm quite happy that the Win32ClientInfo(CLIENTINFO) pointer that Softice retrieves at TEB+0x6e4 is called PDESKTOPINFO. I can find no clear define for a "DESKTOPINFO" structure, but Sice checks a second pointer at offset +8 of this structure, and this points directly to another structure which visibly lists the primary "Desktop" window, showing its Class, Handle and Name, and matches the 'HWND' command output. With enough effort one could probably figure out at least some of the relationships and linkages between these various structures. Good enough!

However, just to make the point, in the CLIENTINFO structure you showed, which would be at TEB+0x6cc, PDESKTOPINFO is the 6th DWORD, (or at offset TEB+0x6e0), but according to how Softice defines it, it should be the 7th DWORD (at offset TEB+0x6e4). Again, it doesn't matter if it doesn't match up exactly, the information is still helpful.

Regards,
Kayaker

Kaolin
November 15th, 2006, 01:57
Quote:
[Originally Posted by Kayaker;62395]Thanks Kaolin,

Yes that does help. Though it does raise just as many questions.

Most of those substructures and variables are not particularly defined either, whether you check ReactOS, Wine, various header files or even "leaked" code. It's not surprising though since any of these structures can change at a moment's notice, so it doesn't really matter. The only define that is important is the one of the OS you happen to be working on at the moment.

For example, I'm quite happy that the Win32ClientInfo(CLIENTINFO) pointer that Softice retrieves at TEB+0x6e4 is called PDESKTOPINFO. I can find no clear define for a "DESKTOPINFO" structure, but Sice checks a second pointer at offset +8 of this structure, and this points directly to another structure which visibly lists the primary "Desktop" window, showing its Class, Handle and Name, and matches the 'HWND' command output.

No problem. You seem very helpful to others so I'm just returning the compliment if I can.

Of course you're correct regarding the consistency of these low-level structures between Windows OSes; however, we must also be aware that, though these structures change, their change is usually more evolutionary than revolutionary.

Code:
typedef struct _DESKTOPINFO {
    PVOID            pvDesktopBase;
    PVOID            pvDesktopLimit;
    struct WND       *spwnd;
    DWORD            fsHooks;
    struct HOOK      *aphkStart[CWINHOOKS];
    struct WND       *spwndShell;
    PPROCESSINFO     ppiShellProcess;
    struct WND       *spwndBkGnd;
    struct WND       *spwndTaskman;
    struct WND       *spwndProgman;
    int              nShellHookPwnd;
    struct WND       **papwndShellHook;
    int              cntMBox;
} DESKTOPINFO, *PDESKTOPINFO;


Kayaker
November 16th, 2006, 00:51
Quote:
though these structures change, their change is usually more evolutionary than revolutionary


Very true. Or as my Developmental Biology prof used to love quoting, "Ontogeny recapitulates phylogeny", the new develops from the old.

That's a nice cache of structure defines you've got there. The DESKTOPINFO puts it all into perspective, it's apparent now that what the Softice HWND command is accessing at offset 8 is the pointer to 'struct WND *spwnd;'
I found the following definition of the WND structure and all fields match up nicely in Softice. If you search between pvDesktopBase and pvDesktopLimit you can find the WND structure for each window listed by 'HWND'.
It wouldn't be difficult now to create a replacement HWND Softice debugger extension command to replace the one that is defective under XP.

The Windows NT internal WND structure
http://www.winterdom.com/dev/ui/wnd.html
The author includes a small app for dumping the WND structure, which I will attach for reference.

Code:

typedef struct WND {
HWND hWnd;
ULONG unk1;
ULONG unk2;
ULONG unk3;
WND* pSelf; // pointer to self
DWORD dwFlags;
ULONG unk6;
DWORD dwStyleEx;
DWORD dwStyle;
HINSTANCE hInstance;
ULONG unk10;
WND* pNextWnd; // pointer to "next" window
WND* pParentWnd; // pointer to parent wnd. For top-level, this points to the desktop
WND* pFirstChild; // pointer to first child window
WND* pOwnerWnd; // pointer to owner window
RECT rcWnd; // in screen coordinates
RECT rcClient; // in screen coordinates
WNDPROC* pWndProc; // for system classes, this can be > 2GB
CLASSINFO* pWndClass; // pointer to internal window class ???
ULONG unk25;
ULONG unk26;
ULONG unk27;
ULONG unk28;
union {
DWORD dwWndID; // control ID (lower 16-bits)
WNDMENU* pMenu; // pointer to internal menu representation
} id;
ULONG unk30;
ULONG unk31;
ULONG unk32;
WCHAR* pText; // pointer to window caption
DWORD dwWndBytes; // number of window bytes reserved in wlWndExtra
ULONG unk35; // for top level windows, this is pSelf again....???
ULONG unk36;
ULONG wlUserData;
ULONG wlWndExtra[1];
} WND, *PWND;


I can update at least one of those WND fields now.
ULONG unk2;
'unk2' is actually a pointer to a pointer to the ETHREAD/KTHREAD/KTEB structure for the window in question.

Thanks again for the info Kaolin

Cheers,
Kayaker
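
The lookup chain Kayaker traced in his first reply (the hardcoded 0x7ffde6e4 read inside the HWND command) and in the post above (TEB+0x6e4 as PDESKTOPINFO, +8 as spwnd, then the WND list), as an added C example that is not part of this thread, of SoftICE or of the winterdom tool. It replays the walk over a constructed 32-bit address space made of a few 4 KB pages and shows the failure mode discussed here: with the TEB at 0x7ffdf000 the hardcoded 0x7ffde000 lookup lands on an unmapped page and yields "Unable to find a desktop window", while the same walk taken relative to the real TEB base succeeds. The simulated memory, the sample addresses (a heap page at 0x530000 with DESKTOPINFO at 0x530650, as the thread's "530650h" suggests) and the window handles are constructed; the WND offsets 0x2c (pNextWnd) and 0x34 (pFirstChild) are counted from the WND definition quoted above, and walking the desktop's pFirstChild/pNextWnd chain for top-level windows is my assumption based on that definition's comments.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 0x1000u
#define MAX_PAGES 4
#define MAX_WALK  64   /* guard against a corrupted or cyclic pNextWnd chain */

/* Offsets from the thread: SoftICE reads a pointer at TEB+0x6e4 (the
 * Win32ClientInfo field it treats as PDESKTOPINFO), then the pointer at
 * DESKTOPINFO+8 (spwnd, the desktop's WND). The TEB base is hardcoded. */
#define SOFTICE_TEB_BASE   0x7ffde000u
#define TEB_DESKINFO_OFF   0x6e4u
#define DESKINFO_SPWND_OFF 0x8u

/* WND field offsets counted from the winterdom WND definition quoted above
 * (32-bit slots; each RECT takes four). */
#define WND_HWND_OFF       0x00u
#define WND_NEXT_OFF       0x2cu  /* pNextWnd    */
#define WND_FIRSTCHILD_OFF 0x34u  /* pFirstChild */

/* A constructed 32-bit address space made of a few 4 KB pages. */
typedef struct { uint32_t base; uint8_t data[PAGE_SIZE]; } vm_page_t;
typedef struct { vm_page_t pages[MAX_PAGES]; int npages; } vm_t;

static void vm_map(vm_t *vm, uint32_t base) {
    if (vm->npages < MAX_PAGES)
        vm->pages[vm->npages++].base = base & ~(PAGE_SIZE - 1);
}

/* NULL when the page is not mapped: the "paged out" case Kayaker describes. */
static uint8_t *vm_ptr(vm_t *vm, uint32_t va) {
    for (int i = 0; i < vm->npages; i++)
        if (va - vm->pages[i].base < PAGE_SIZE)   /* unsigned wrap covers va < base */
            return vm->pages[i].data + (va - vm->pages[i].base);
    return NULL;
}

static int vm_read32(vm_t *vm, uint32_t va, uint32_t *out) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {                 /* little-endian, byte by byte */
        const uint8_t *p = vm_ptr(vm, va + (uint32_t)i);
        if (!p) return 0;
        v |= (uint32_t)*p << (8 * i);
    }
    *out = v;
    return 1;
}

static void vm_write32(vm_t *vm, uint32_t va, uint32_t v) {
    for (int i = 0; i < 4; i++) {
        uint8_t *p = vm_ptr(vm, va + (uint32_t)i);
        if (p) *p = (uint8_t)(v >> (8 * i));
    }
}

/* Replay the HWND command's lookup chain starting at teb_base. Returns the
 * number of top-level handles (the first `max` are written to out), or -1
 * when the chain breaks, i.e. SoftICE's "Unable to find a desktop window". */
int list_hwnds(vm_t *vm, uint32_t teb_base, uint32_t *out, int max) {
    uint32_t deskinfo, desktop, wnd, h;
    int n = 0;
    if (!vm_read32(vm, teb_base + TEB_DESKINFO_OFF, &deskinfo) || !deskinfo) return -1;
    if (!vm_read32(vm, deskinfo + DESKINFO_SPWND_OFF, &desktop) || !desktop) return -1;
    /* Assumption: top-level windows are the desktop WND's children, chained
     * through pNextWnd (the WND comments say a top-level parent is the desktop). */
    if (!vm_read32(vm, desktop + WND_FIRSTCHILD_OFF, &wnd)) return -1;
    while (wnd && n < MAX_WALK) {
        if (!vm_read32(vm, wnd + WND_HWND_OFF, &h)) return -1;
        if (n < max) out[n] = h;
        n++;
        if (!vm_read32(vm, wnd + WND_NEXT_OFF, &wnd)) return -1;
    }
    return n;
}

/* Constructed sample: a TEB page at teb_base and one heap page at 0x00530000
 * (chosen because the thread saw a value like 530650h in the TEB slot).
 * DESKTOPINFO sits at 0x530650, the desktop WND at 0x530100, and two
 * top-level windows at 0x530200 and 0x530300. Handles are made up. */
void build_sample(vm_t *vm, uint32_t teb_base) {
    memset(vm, 0, sizeof *vm);
    vm_map(vm, teb_base);
    vm_map(vm, 0x00530000u);
    vm_write32(vm, teb_base + TEB_DESKINFO_OFF, 0x00530650u);
    vm_write32(vm, 0x00530650u + DESKINFO_SPWND_OFF, 0x00530100u);
    vm_write32(vm, 0x00530100u + WND_HWND_OFF, 0x00010014u);       /* desktop */
    vm_write32(vm, 0x00530100u + WND_FIRSTCHILD_OFF, 0x00530200u);
    vm_write32(vm, 0x00530200u + WND_HWND_OFF, 0x00010010u);       /* window 1 */
    vm_write32(vm, 0x00530200u + WND_NEXT_OFF, 0x00530300u);
    vm_write32(vm, 0x00530300u + WND_HWND_OFF, 0x00020020u);       /* window 2, last */
}

int main(void) {
    static const uint32_t teb_bases[] = { 0x7ffde000u, 0x7ffdf000u }; /* Win2K-like, then XP-like */
    for (int i = 0; i < 2; i++) {
        vm_t vm;
        uint32_t hwnds[8];
        build_sample(&vm, teb_bases[i]);
        int n = list_hwnds(&vm, SOFTICE_TEB_BASE, hwnds, 8);   /* the hardcoded lookup */
        printf("TEB at %08x: hardcoded lookup -> %s\n", teb_bases[i],
               n < 0 ? "Unable to find a desktop window" : "ok");
        n = list_hwnds(&vm, teb_bases[i], hwnds, 8);           /* lookup from the real TEB */
        for (int k = 0; k < n && k < 8; k++)
            printf("  hwnd %08x\n", hwnds[k]);
    }
    return 0;
}
```

The design point is the one Kayaker makes: the walk itself is sound, only its starting address is fixed. A replacement !HWND extension would take the TEB base from the current thread (fs:[0x18] in 32-bit user mode, or KTHREAD->Teb from the kernel side) instead of assuming 0x7ffde000, and would bound the pNextWnd walk as MAX_WALK does here, since a half-torn-down window list is exactly what a debugger sees when it breaks at an awkward moment.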

WaxfordSqueers
November 16th, 2006, 21:57
Quote:
[Originally Posted by Kayaker;62421]Very true. Or as my Developmental Biology prof used to love quoting, "Ontogeny recapitulates phylogeny", the new develops from the old.
One of the major problems I encountered with university profs was that I tended to listen to them. One math prof actually claimed you could take the square root of -1, under certain circumstances. When I called his claim bs, and to give an example, he got mad at me. I mean, what number times itself equals -1? Now we have quantum mechanics, which tries to define the world as a mathematical probability. They even argue over the probability of whether a cat is alive, dead, or partly alive and dead. There comes a time when you have to say to these profs, "Shaddup, will ya"?


Quote:
[Originally Posted by Kayaker;62421]It wouldn't be difficult now to create a replacement HWND Softice debugger extension command to replace the one that is defective under XP.
That's easy for you to say. I hope what you mean is that you'll create one and make it available to us more challenged types. When you say debugger extension, are you talking about the kind used in IceExt that begin with an '!'?


BTW...is your Iceprobe available, or do you keep it under lock and key?

Kayaker
November 16th, 2006, 22:52
Lol, Yes, the cat who may or may not be partly alive, once you stick it in an isolated box and do nasty things to it, but you can't watch.. that sounds familiar

IceProbe - yeah, after digging it out recently I thought I should clean it up and release it, so I got it compiling and running under XP, want to rewrite the GUI in C++, it was originally in MASM but I just can't bear to program in assembly any more (never thought I'd say that). After that I might do a new !HWND extension, since it's handy if working with BMSG. Mind you, Spyxx, Winfrog(Frogsice Winshow) or Icz's mousehook is probably a good substitute for HWND.

WaxfordSqueers
November 19th, 2006, 05:25
Quote:
[Originally Posted by Kayaker;62465]After that I might do a new !HWND extension, since it's handy if working with BMSG. Mind you, Spyxx, Winfrog(Frogsice Winshow) or Icz's mousehook is probably a good substitute for HWND.

I had an older version of SPYXX that wasn't too stable under XP. Have a newer one now (ver 6) that is better. Problem is, you have to get out of softice to use it. It was handy having all the windows and their hwnds under softice.

I'm wondering if you have tried any conditional statements in softice under XP? I can't get any to break. I told you my app has an iteration loop that counts from 0 to 0x200000. It uses EDI to keep count, incrementing it once per iteration. I tried to set a BPX on it as follows:

BPX (address) IF EDI>xxxxxxxx

What I'm trying to do is find out where in the iteration loop the error message occurs. The parameter (address) is the conditional jump at the end of the iteration loop. The parameter xxxxxxxx is a value between 0x0 and 0x200000. I was hoping to keep increasing that value till the error message broke, then playing with it to close in on exactly where the error occurs.

The conditional BPX is completely ignored. I haven't checked to see if it's being cleared, but my normal BPX's are never cleared. I'm wondering if it's something in my system, or whether Ice has another bug under XP with conditional statements?