Hi
Good job. You may have read the previous thread on this:
http://www.woodmann.com/forum/showthread.php?t=9201
SPTD hooks the i8042prt.sys IAT address for the hal.dll READ_PORT_UCHAR export. This is pretty much what Softice does itself. Since you've already got Softice + SPTD running, it's pretty easy to fix.
Start by running Softice without SPTD enabled (another VM image or set your system up to boot with the /DEBUG option which will disable SPTD). Start Softice and find the IAT for i8042prt.sys:
> map32 i8042prt
- display the .rdata section
- play the "which one doesn't belong?" game and find the import address which is outside of ntoskrnl/hal code address range. (this should be at offset .rdata+160 for Win2K)
- this will be the address of the Softice READ_PORT_UCHAR hook
- u(nassemble) the address and make note of the offset at which the function begins (i.e. ntice!.text+9816B)
Now, repeat the first 3 steps with the SPTD-enabled system. Again you'll notice the IAT of i8042prt.sys is hooked, but now the IAT hook will be that of the SPTD READ_PORT_UCHAR function.
Now you need to replace the SPTD hook address with the NTICE one.
Find the exact image address corresponding to ntice!.text+9816B (or whatever offset you determined was the correct relative offset of the Softice READ_PORT_UCHAR function):
> map32 ntice
- assume start of .text section is BD8BA380
> u BD8BA380+9816B
- change the IAT hook to this address from within Softice itself and you should have Windows keyboard control back
I'm curious how you got Softice+SPTD running. Did you use the strategy from that earlier thread or did you come up with another way of doing it?
Cheers,
Kayaker
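As an added illustration of the "which one doesn't belong?" step and of the offset arithmetic in the post (example code written for this edit, not Kayaker's or any tool from the thread): a small C program that runs the check over a constructed snapshot of the i8042prt.sys IAT. Every module range, slot address and target below is made up for illustration; the one hooked slot reuses the post's BD8BA380+9816B value so the relocation step can be shown end to end. In practice the table would be filled by reading the driver's .rdata from Softice or by walking its PE import directory in kernel memory, which is what `map32` and the manual "find the odd address" pass do for you.

```c
/*
 * Added example, not code from the original post. Detects IAT slots in a
 * driver whose target does not lie inside the module the import descriptor
 * names (here ntoskrnl / hal), and shows how a hook address found on one boot
 * is carried to another boot as an offset from the hooking module's .text.
 * All addresses are constructed for this illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *name;
    uint32_t base;   /* load address of the module's code */
    uint32_t size;   /* length of that code range */
} module_range;

typedef struct {
    const char *import;   /* imported symbol, e.g. READ_PORT_UCHAR */
    const char *from;     /* module the import descriptor says exports it */
    uint32_t slot_va;     /* address of the IAT slot inside .rdata */
    uint32_t target;      /* pointer currently stored in that slot */
} iat_entry;

/* Hypothetical ranges for the only modules i8042prt.sys should import from. */
static const module_range legit[] = {
    { "ntoskrnl", 0x80400000u, 0x001A0000u },
    { "hal",      0x80062000u, 0x00010000u },
};

/* Constructed IAT snapshot of i8042prt.sys with .rdata assumed at 0xBFF33000,
 * so the hal READ_PORT_UCHAR slot sits at .rdata+160 as in the post. Its
 * target has been redirected to 0xBD8BA380 + 0x9816B, outside both modules. */
static const iat_entry snapshot[] = {
    { "KeInitializeDpc",    "ntoskrnl", 0xBFF33000u, 0x8041C2D0u },
    { "IoConnectInterrupt", "ntoskrnl", 0xBFF33004u, 0x80437B10u },
    { "READ_PORT_UCHAR",    "hal",      0xBFF33160u, 0xBD9524EBu },
    { "WRITE_PORT_UCHAR",   "hal",      0xBFF33164u, 0x80065C34u },
};

static int in_range(const module_range *m, uint32_t addr)
{
    return addr >= m->base && addr - m->base < m->size;
}

static const module_range *find_module(const module_range *mods, size_t nmods,
                                       const char *name)
{
    for (size_t j = 0; j < nmods; j++)
        if (strcmp(mods[j].name, name) == 0)
            return &mods[j];
    return NULL;
}

/* Returns the number of slots whose target is not inside the module that the
 * import descriptor names; stores the indices of those slots in out (up to max). */
size_t find_iat_hooks(const iat_entry *iat, size_t n,
                      const module_range *mods, size_t nmods,
                      size_t *out, size_t max)
{
    size_t hooked = 0;
    for (size_t i = 0; i < n; i++) {
        const module_range *m = find_module(mods, nmods, iat[i].from);
        if (m == NULL || !in_range(m, iat[i].target)) {
            if (hooked < max)
                out[hooked] = i;
            hooked++;
        }
    }
    return hooked;
}

/* Offset of a hook target from the hooking module's .text start, e.g. the
 * post's ntice!.text+9816B, so it survives the module loading elsewhere. */
uint32_t hook_text_offset(uint32_t target, uint32_t text_base)
{
    return target - text_base;
}

/* Absolute address to write back into the slot once the module's .text base
 * on the current boot is known (the post's "u BD8BA380+9816B" step). */
uint32_t relocate_hook(uint32_t text_offset, uint32_t new_text_base)
{
    return new_text_base + text_offset;
}

int main(void)
{
    size_t idx[8];
    size_t n = find_iat_hooks(snapshot, sizeof snapshot / sizeof snapshot[0],
                              legit, sizeof legit / sizeof legit[0], idx, 8);
    for (size_t k = 0; k < n; k++) {
        const iat_entry *e = &snapshot[idx[k]];
        printf("hooked: %s (from %s) slot %08X -> %08X\n",
               e->import, e->from, e->slot_va, e->target);
        /* Assumed .text base of the hooking module on this boot. */
        uint32_t off = hook_text_offset(e->target, 0xBD8BA380u);
        printf("  = .text+%X\n", off);
    }
    return 0;
}
```

The strict per-module check (target must be inside the module named by the import descriptor, not merely inside any trusted module) also catches a hal import that has been pointed into ntoskrnl; the post's looser "outside ntoskrnl/hal" rule is what `find_iat_hooks` reduces to when both ranges are treated as one. Nothing here writes to the IAT: replacing the SPTD address with the relocated NTICE one is still the manual edit from within Softice that the post describes.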