View Full Version : IceExt solution


WaxfordSqueers
December 13th, 2006, 19:18
I was trying to find a reference in the archives to an error I began receiving while trying to load IceExt 0.67. I came across this thread which seems to have been unresolved:

http://www.woodmann.com/forum/showthread.php?t=7303&highlight=iceext

I downloaded the latest version of IceExt (ver 0.7) and tried that. It gave the same 'Extension command not found' in softice. I tried IceExt from the command line, right from the directory I installed to. It gave me an error message that softice was not configured correctly, referring to the KdExtension settings in HKLM\System\CurrentControlSet1\Services\NtIce. There is another thread covering that, but an old IceExt blurb suggested setting the settings to:

KDHeapSize REG_DWORD 0x00008000 (32768)
KDStackSize REG_DWORD 0x00008000 (32768)

I checked that and found my settings were correct in CurrentControlSet1. On a hunch, I looked in CurrentControlSet, CurrentControlSet2 and CurrentControlSet3, under the NTICE subkey. Two of those keys had the KDHeapSize set to 0x1afo (8096). I changed them all to 0x8000 and, wouldn't you know it, IceExt fired up as usual. Hope that works for everybody.

Wish I could report myself a happy camper. Not so. I was playing with the other problem that can occur when IceExt is loaded, the one where:

d UnhandledExceptionFilter

reveals a data window of ????'s. I'm aware of Kayaker's suggestion to do a pagein, but I have gotten around it by waiting till I'm a ways into the app. It usually shows up eventually, probably when kernel32 loads. This time, I wondered what would happen if I put softice into the context for Kernel32. I was flabbergasted to see an error message when I used 'addr kernel32'. It said: 'Context not found'.

Are you kidding me? Kernel32 gets loaded every time by loader32. Why would it be unloaded? So, I tried addr user32...same error. I checked the mods list and saw loader32 sitting there, so I did an addr on it. It worked fine. Neither k32 nor U32 were in the mods list.

Am I missing something here? Is there a way to force kernel32 to load through softice?
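
The registry fix described in this post, as an added example that is not part of the original thread: HKLM\SYSTEM\CurrentControlSet is only an alias for one of the ControlSet00N keys (the one named by the DWORD HKLM\SYSTEM\Select\Current), so a value that looks right under CurrentControlSet can still be wrong in a sibling control set. The script below audits KDHeapSize and KDStackSize under every ControlSet00N\Services\NtIce key and reports any that differ from 0x8000. It assumes the real key names are ControlSet001, ControlSet002 and so on (the post writes them as CurrentControlSet1, CurrentControlSet2, CurrentControlSet3); the live registry read uses Python's standard winreg module and only runs on Windows, and the SAMPLE table is constructed data for running the check anywhere.

```python
r"""Audit KDHeapSize/KDStackSize across every ControlSet00N\Services\NtIce key.

Added example, not code from the thread. Assumes the NtIce service key lives
under each ControlSet00N\Services (the post names it CurrentControlSet1 etc.)
and that HKLM\SYSTEM\Select\Current identifies the control set aliased by
CurrentControlSet.
"""
import re
import sys

EXPECTED = {"KDHeapSize": 0x8000, "KDStackSize": 0x8000}
CONTROL_SET = re.compile(r"^ControlSet\d{3}$")


def audit_control_sets(control_sets, current):
    """Return (control_set, value_name, found, expected, is_current) findings.

    control_sets maps a ControlSet00N name to {value_name: dword}; keys that
    are not ControlSet00N (such as the CurrentControlSet alias) are skipped.
    A missing value is reported with found=None.
    """
    findings = []
    for name in sorted(control_sets):
        if not CONTROL_SET.match(name):
            continue
        values = control_sets[name]
        for vname, want in EXPECTED.items():
            got = values.get(vname)
            if got != want:
                findings.append((name, vname, got, want, name == current))
    return findings


def read_from_registry():
    """Read the live registry (Windows only). Returns (control_sets, current)."""
    import winreg  # standard library, present only on Windows
    sets = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\Select") as sel:
        cur_num, _ = winreg.QueryValueEx(sel, "Current")
    current = f"ControlSet{cur_num:03d}"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "SYSTEM") as system:
        i = 0
        while True:
            try:
                sub = winreg.EnumKey(system, i)
            except OSError:
                break  # no more subkeys
            i += 1
            if not CONTROL_SET.match(sub):
                continue
            vals = {}
            try:
                with winreg.OpenKey(system, sub + r"\Services\NtIce") as ntice:
                    for vname in EXPECTED:
                        try:
                            vals[vname], _ = winreg.QueryValueEx(ntice, vname)
                        except FileNotFoundError:
                            pass  # value absent: reported as None by the audit
            except FileNotFoundError:
                continue  # this control set has no NtIce service key at all
            sets[sub] = vals
    return sets, current


def format_findings(findings):
    """One human-readable line per finding, marking the live control set."""
    lines = []
    for cs, vname, got, want, is_cur in findings:
        shown = "missing" if got is None else f"0x{got:04x} ({got})"
        tag = " <- live CurrentControlSet" if is_cur else ""
        lines.append(f"{cs}\\Services\\NtIce {vname} = {shown}, expected 0x{want:04x}{tag}")
    return lines


# Constructed sample mirroring the post: the live set is correct, two siblings are not.
SAMPLE = {
    "ControlSet001": {"KDHeapSize": 0x8000, "KDStackSize": 0x8000},
    "ControlSet002": {"KDHeapSize": 0x1FA0, "KDStackSize": 0x8000},
    "ControlSet003": {"KDHeapSize": 0x1FA0},
}

if __name__ == "__main__":
    if sys.platform == "win32":
        sets, current = read_from_registry()
    else:
        sets, current = SAMPLE, "ControlSet001"
    report = format_findings(audit_control_sets(sets, current))
    for line in report or ["all NtIce control sets have the expected KD sizes"]:
        print(line)
```

On Windows the script only reads the registry; fixing a reported key is still a manual edit, and a control set that is not the live one is the one a "Last Known Good" boot would select, which is why checking all of them matters.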

deroko
December 14th, 2006, 07:55
Quote:

Are you kidding me? Kernel32 gets loaded every time by loader32. Why would it be unloaded? So, I tried addr user32...same error. I checked the mods list and saw loader32 sitting there, so I did an addr on it. It worked fine. Neither k32 nor U32 were in the mods list.

Am I missing something here? Is there a way to force kernel32 to load through softice?


you get that message "Ctx not found" because k32 doesn't have its context.
switching context with addr applies only for running processes and involves changing the cr3 value of the current process with the cr3 value of another process so you may look in the memory of another process. Very useful when it comes to Armadillo unpacking or any other 2-process protection.

If you really want to debug kernel32.dll I suggest to load it via helper application located here: http://deroko.phearless.org/dllbande.zip (it's break 'n' enter for .dll), but all you need for nice debugging is exports loaded through loader32.

hope this helps

WaxfordSqueers
December 14th, 2006, 15:04
Quote:
[Originally Posted by deroko;63139]you get that message "Ctx not found" because k32 doesn't have its context
I was tired when I wrote this and probably not thinking all that clearly. Still, I used the addr command by itself and found a process that was running. When I typed 'addr process' it still showed 'context not found'. I went back a little while later and it was found again.

Quote:
[Originally Posted by deroko;63139]If you really want to debug kernel32.dll I suggest to load it via helper application located here: http://deroko.phearless.org/dllbande.zip (it's break 'n' enter for .dll), but all you need for nice debugging is exports loaded through loader32.
I wasn't trying to debug k32. There's a protection feature in IceExt that requires finding UnhandledExceptionFilter and changing the CC inserted at its first byte by softice to NOP. When you do that, and invoke !protect on, IceExt can apply the protection there. It can't till you remove the CC. Problem is, UnhandledExceptionFilter is often paged out and all you get are ??'s.

Quote:
[Originally Posted by deroko;63139]hope this helps
yes...it does. Thanks for your help, and for your URL. I'll check it out. You're not related to Phearless Phreddy Pharkas, the Phrontier Pharmacist, are you?

deroko
December 14th, 2006, 16:34
Quote:
[Originally Posted by WaxfordSqueers;63146]
I wasn't trying to debug k32. There's a protection feature in IceExt that requires finding UnhandledExceptionFilter and changing the CC inserted at its first byte by softice to NOP. When you do that, and invoke !protect on, IceExt can apply the protection there. It can't till you remove the CC. Problem is, UnhandledExceptionFilter is often paged out and all you get are ??'s.


There is a trick posted somewhere on this board by yates to hook the export table of k32 so that UnhandledExceptionFilter will point to jmp __old_UnhandledExceptionFilter. I use that stuff to hide sice from uef detection.

Quote:

You're not related to Phearless Phreddy Pharkas, the Phrontier Pharmacist, are you?


nope, phearless is a Serbian/Croatian ezine

WaxfordSqueers
December 14th, 2006, 18:40
Quote:
[Originally Posted by deroko;63139]If you really want to debug kernel32.dll I suggest to load it via helper application located here: http://deroko.phearless.org/dllbande.zip (it's break 'n' enter for .dll), but all you need for nice debugging is exports loaded through loader32.
I was looking at the source for your dllbande. It looks pretty cool.

You're way ahead of me with your knowledge of these kinds of things. When you talk about loading a dll like that, and finding its entry point in memory, what then? If you start tracing through it with softice, aren't you afraid it might do something wild? User apps are predictable, if you know what the app does, but kernel32 could initiate all kinds of weird things.

deroko
December 14th, 2006, 19:56
Quote:
[Originally Posted by WaxfordSqueers;63152]
When you talk about loading a dll like that, and finding its entry point in memory, what then?


Then you trace the packer/protector, but when it comes to .dll unpacking the task is much easier than the one present in .exe files. All protected .dlls, before the entry point is called, must store at the entry of the packer a jmp to DllEntryPoint; if they don't do that then the whole task of unpacking will be performed when dllentrypoint is called with thread_attach/thread_detach/process_detach, so in most cases it is easy to find the oep of a .dll.
bpm.p entry_of_packed_dll x and you wait for the 2nd break (thread_attach) and trace a little bit till it jumps to DllEntry
dllbande is just a tool that might be useful sometimes, it's like -> better have one when you don't need it, than need it when you don't have it

Quote:

If you start tracing through it with softice, aren't you afraid it might do something wild.


Well no, whenever I'm tired of tracing I just type "r eip exitprocess" and terminate the app. Also, before tracing system .dlls my advice is to retrieve .pdb files and load them into IDA. dword_xxx always becomes some nice variable; if you use Symbol retriever or Mostek plugin i2s or mapsym or idasym then debugging in sice becomes much easier. Anyway, system .dlls don't have anything interesting in their DllEntry. More fun is to trace some exports of k32 and ntdll.

WaxfordSqueers
December 16th, 2006, 00:58
Quote:
[Originally Posted by deroko;63154]Then you trace the packer/protector, but when it comes to .dll unpacking the task is much easier than the one present in .exe files.

I haven't tried an unpack with an app that uses a dll. I traced an Asprotected app from the beginning of code right through to the process OEP, so I know about the call to the OEP. I'll have to try one with a dll.

Your method is interesting though. I liked your source code for dllbande. It is very orderly and well commented, making it easy to follow.

I noticed at one point you did a call to OpenFile. Is that all the code you need to do that? A couple of times I thought of adding code to an app that had the Save function crippled, just to see if I could do it. I thought there might be problems with the transition from the old code to the patch, but yours seems to go right from one into the other. I know I'd have to add the GetSaveFilename code.

I want to get into that Ring 0 stuff as well. Thanks for posting your source. It makes it all seem less intimidating.


Quote:
[Originally Posted by deroko;63154]Well no, whenever I'm tired of tracing I just type "r eip exitprocess" and terminate the app
that's interesting too. I always thought of r eip as pertaining to the code you're in. Are you saying you can call any eip with that command? I mean, if you type "r eip exitprocess", does that change the EIP to the entry point of exitprocess?

Quote:
[Originally Posted by deroko;63154]Also before tracing system .dlls my advice is to retrieve .pdb files and load them into IDA.
I loaded some NMS files into IDA as binaries, and compiled all the strings using the 'a' command. Then I copied them to a text editor, set up a macro to get rid of the junk, and printed out those that interested me for reference when I was setting BPX's.

I'll have to try that with the PDB file itself. Thanks for the tip. Also, I'll check out your advice on the IDA/Ice connection.

deroko
December 16th, 2006, 16:18
Quote:
[Originally Posted by WaxfordSqueers;63194]
that's interesting too. I always thought of r eip as pertaining to the code you're in. Are you saying you can call any eip with that command? I mean, if you type "r eip exitprocess", does that change the EIP to the entry point of exitprocess?


Yep, but don't do that while softice is in ring0, only when you are in the context of a ring3 application.

Quote:

I loaded some NMS files into IDA as binaries, and compiled all the strings using the 'a' command. Then I copied them to a text editor, set up a macro to get rid of the junk, and printed out those that interested me for reference when I was setting BPX's.


No, no, use NMS with symbol loader and load them directly into softice. When you don't have .pdb then you should use i2s/mapsym/idasym to make your debugging much easier in softice.

WaxfordSqueers
December 17th, 2006, 03:57
Quote:
[Originally Posted by deroko;63198]No, no, use NMS with symbol loader and load them directly into softice. When you don't have .pdb then you should use i2s/mapsym/idasym to make your debugging much easier in softice.
Yes...I understand that. I have NMS files loaded, and thanks to Kayaker, I have learned to use the 'table' command properly to see which NMS files are in focus. The reason I print out the names of certain functions is for convenience. It's easier to see them on a printed sheet than scrolling by on the screen. I know Mostek has a utility for that, which I tried, but it seems to print a lot of information I don't need for each function. I just need the proper name for use in a 'bpx' command.

That's not normally an issue for me with ordinary API names, but with some functions the names are pretty wild, and not easily available by Google or in an API function reference. The 'wild' names are self-explanatory much of the time.

I'm wondering if you have found a way to get the 'hwnd' command working properly? On my system, softice can't find a 'desktop window' for most applications. That's on an XP SP2 system with the latest updates. I have another thread going about that, and Kayaker has been helpful, but I'm wondering if you had encountered the problem.

deroko
December 17th, 2006, 09:07
about hwnd, yep I have the same problem. I updated XP from sp0 (no-sp) to sp2 and hwnd stopped working, and because I never used that command in softice for any debugging it didn't bother me a lot.

WaxfordSqueers
December 17th, 2006, 15:22
Quote:
[Originally Posted by deroko;63220]about hwnd, yep I have the same problem. I updated XP from sp0 (no-sp) to sp2 and hwnd stopped working, and because I never used that command in softice for any debugging it didn't bother me a lot.
I don't really need it either but it was handy to see which window was the parent for bmsg commands. I can use spyxx, but it means getting out of softice.

deroko
December 20th, 2006, 12:01
Only boring thing is to assemble jmp $ before you exit sice, but you will get used to it.