
SoftICE + SPTD


ramon
March 2nd, 2007, 14:37
Hi ppl,

I managed to hide Softice, so I can boot up my XP SP2 with sptd loaded and then start sice without a glitch, but then some keys on my keyboard just don't work or are totally swapped!!??
The weirdest thing is that the keyboard works fine when inside sice.

Any ideas on this?
Does SPTD hook the keyboard too?


thanks

Kayaker
March 2nd, 2007, 19:44
Hi

Good job. You may have read the previous thread on this:

http://www.woodmann.com/forum/showthread.php?t=9201

SPTD hooks the i8042prt.sys IAT address for the hal.dll READ_PORT_UCHAR export. This is pretty much what Softice does itself. Since you've already got Softice + SPTD running, it's pretty easy to fix.

Start by running Softice without SPTD enabled (another VM image or set your system up to boot with the /DEBUG option which will disable SPTD). Start Softice and find the IAT for i8042prt.sys:

> map32 i8042prt
- display the .rdata section
- play the "which one doesn't belong?" game and find the import address which is outside of ntoskrnl/hal code address range. (this should be at offset .rdata+160 for Win2K)
- this will be the address of the Softice READ_PORT_UCHAR hook
- u(nassemble) the address and make note of the offset at which the function begins (i.e. ntice!.text+9816B)


Now, repeat the first 3 steps with the SPTD-enabled system. Again you'll notice the IAT of i8042prt.sys is hooked, but now the IAT hook will be that of the SPTD READ_PORT_UCHAR function.

Now you need to replace the SPTD hook address with the NTICE one.

Find the exact image address corresponding to ntice!.text+9816B (or whatever offset you determined was the correct relative offset of the Softice READ_PORT_UCHAR function):
> map32 ntice
- assume start of .text section is BD8BA380
> u BD8BA380+9816B
- change the IAT hook to this address from within Softice itself and you should have Windows keyboard control back

I'm curious how you got Softice+SPTD running. Did you use the strategy from that earlier thread or did you come up with another way of doing it?

Cheers,
Kayaker
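The "which one doesn't belong?" step in Kayaker's post (an IAT slot in i8042prt.sys whose target lies outside the ntoskrnl/hal address range) is the same check rootkit detectors apply to kernel-driver import tables. The following is an added Python example, not code from this thread or from Softice, SPTD or Rootkit Unhooker: it parses a constructed Softice-style `dd` dump of a driver's .rdata section, resolves each slot against a table of module ranges, and reports slots that point anywhere other than the expected exporting modules, together with the hook's offset from its module base (the same quantity as Kayaker's ntice!.text+9816B). The module ranges, the dump contents and the names MODULES, RDATA_DUMP, parse_dump and find_iat_hooks are all assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample module ranges (start, end): stand-ins for what 'map32'
# would list on a real system. All addresses are hypothetical, not from the thread.
MODULES: Dict[str, Tuple[int, int]] = {
    "ntoskrnl": (0x804D7000, 0x806CD000),
    "hal":      (0x806CD000, 0x806E6000),
    "ntice":    (0xBD8BA380, 0xBD970000),   # assumed Softice image range
    "sptd":     (0xF7A00000, 0xF7A80000),   # assumed SPTD image range
}

# Modules a keyboard-class driver such as i8042prt.sys legitimately imports
# from; an IAT slot resolving anywhere else is a hook candidate.
EXPECTED = ("ntoskrnl", "hal")

# Constructed .rdata dump in Softice 'dd' style (slot address + four dwords).
# The fourth slot on the first line resolves into the assumed SPTD range.
RDATA_DUMP = """\
BF9E2160 80507A2C 806D1D4E 806D1E68 F7A1234C
BF9E2170 80525F10 806D1D66 00000000 00000000
"""

LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})((?:\s+[0-9A-Fa-f]{8})+)\s*$")


def parse_dump(text: str) -> List[Tuple[int, int]]:
    """Turn a 'dd'-style dump into (slot_address, dword_value) pairs."""
    entries: List[Tuple[int, int]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised dump line: {line!r}")
        base = int(m.group(1), 16)
        for i, word in enumerate(m.group(2).split()):
            entries.append((base + 4 * i, int(word, 16)))
    return entries


def module_of(addr: int, modules: Dict[str, Tuple[int, int]] = MODULES) -> Optional[str]:
    """Name of the module whose [start, end) range contains addr, or None."""
    for name, (start, end) in modules.items():
        if start <= addr < end:
            return name
    return None


def find_iat_hooks(entries: List[Tuple[int, int]],
                   modules: Dict[str, Tuple[int, int]] = MODULES,
                   expected: Tuple[str, ...] = EXPECTED) -> List[dict]:
    """Report IAT slots whose target is not inside one of the expected modules.

    Each hit carries the slot address, the target, the module the target falls
    in (None if unmapped) and the target's offset from that module's base.
    """
    hooks: List[dict] = []
    for slot, target in entries:
        if target == 0:          # unused or terminator slot, not an import
            continue
        owner = module_of(target, modules)
        if owner in expected:
            continue
        base = modules[owner][0] if owner else None
        hooks.append({
            "slot": slot,
            "target": target,
            "module": owner,
            "offset": target - base if base is not None else None,
        })
    return hooks


if __name__ == "__main__":
    for h in find_iat_hooks(parse_dump(RDATA_DUMP)):
        where = f"{h['module']}+{h['offset']:X}" if h["module"] else "unmapped"
        print(f"IAT slot {h['slot']:08X} -> {h['target']:08X} ({where})")
```

On the constructed dump the check flags the single slot at BF9E216C as pointing into the assumed SPTD range; a slot whose target falls outside every known module is reported with module None, which is itself worth investigating since a legitimate import always resolves into a loaded image.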

DillerInc
March 10th, 2007, 08:58
Quote:
I managed to hide Softice, so I can boot up my XP SP2 with sptd loaded

...could you explain here how you managed to do it??

DillerInc
June 2nd, 2007, 13:51
Kayaker
Your stuff concerning i8042prt works great!! Thank you for that information!
Quote:
I'm curious how you got Softice+SPTD running.

...there is a way to get them both running using Rootkit Unhooker.
Tools->Notify Routines
We will probably see two routines, LoadImage among them. We delete this one and now SICE should start without problems.