IceExt 0.51 - With Installer
 

Hey everyone, if you haven't seen it yet then Sten has new version of excellent IceExt plugin available here:

hxxp://stenri.pisem.net/

It now has installer, but my big question to Sten is where does installer put the SRC, i looked everywhere but couldn't find it :(, the text displays GNU license and says IceExt comes with full source but i dont see the source on my system!

ps. Keep up the great work.

--
bedrock

Is it unworthy for real RE specialist to use custom installation? :D

Sources are not needed for 90% persent IceExt users, so I decided do not include them by default.

I guess so :o

Thanks Sten, i have now found the source :)

--
bedrock

BSOD when starting IceExt on one of my machine.

I've install IceExt on three machines. two of them worked fine. but on this one, BSOD occured when starting.

All of the machines is:

OS: Windows Server 2003 3790
DS: DS3.0 Build 1268
Software installed: VS6 & VS2003 both.

Machine A is IBM ThinkPad i1200 Notebook with a PIII500 CPU.
Machine B is a desktop PC with I815EP chipset & PIII933 CPU.
Machine C is a desktop PC with VT693 chipset & PIII733 CPU.

IceExt works fine on Machine A&B. BSOD on Machine C.

When BSOD occured, the screen of S-ICE look like this:

Registers:

EAX=C0201C00 EBX=00000000 ECX=FAFBBBA0 EDX=804EB28A
ESI=8056D400 EDI=8056D3C0 EBP=FAFBBB30 ESP=FAFBBB18
EIP=8053E5C2 o d I S z A P C

Display Window:

----------------------------------------------------------------------
- IceExt Version 0.51
- (C) Sten, 2002-2003
----------------------------------------------------------------------
Break due to KeBugCheckEx(unhandled kernal mode exception)
Error=50(PAGE_FAULT_IN_NONPAGED_AREA)
P1=807280CC P2=0 P3=FAFBBBA0 P4=0


I've rebuilt the IceExt.sys with 3790 DDK. Problem exists still.
Version 0.50,0.4x has this problem on Machine C all.

Maybe it's something wrong on my machine.
I give you this message is ONLY inform you.

Thanks for your software.
Best regards.

Sten,
Really, when start IceExt, It is S-ICE popup with the error message I mentioned above. After I "x" from the S-ICE popup, BSOD occured .

Thanks, very useful information.
First of all, ensure your machine C supports APIC. (look at the beginning of the SoftICE log. The first line shoud be something like:

NTICE: using IOAPIC at linear addesss FFD04000

Then, you should check what the addresses in parameters P1 and P3 are. (i.e. P1=807280CC P2=0 P3=FAFBBBA0 P4=0). So type in SoftICE

>what 807280����
>what FAFBBBA0

and send me the results.
Also, it a good ice to use STACK command when BSOD occurs.

>stack

(send me results).

The idea is to determine the exact line in IceExt code, where
the fault occurs. If you see in SoftICE something similar to

FAxxxxBC IceExt!.text+10c3

then it is easy to inspect this address (I've included debug symbols in IceExt 0.50 to help in debugging such cases).

I'm having a problem getting this to work as well... Installation goes smoothly, but when I try to start the service, I get the following:

My setup is nothing unusual, WinXPPro+SP1, DS3.0, VS2003. I assure you that there is plenty of memory available; to test, I wrote a quick service of my own that simply allocated a bunch of memory, and it started fine, so I know it's not lack of general resources.

Have you seen this error before, or do you have any ideas about what might be wrong?

IceExt driver returns this terrible :) error when it's loaded incorrectly (not by NTICE but as ordinary driver). Check, if your SoftICE is configured to start at boot mode (change it to manual) and IceExt service Start parameter in registry should be 3 (however IceExt installer should set IceExt service Start parameter correctly).

Yea, I always have SoftICE's start mode as Manual (doesn't really work well any other way under XP), and as per the readme, I already checked the IceExt reg entry, and it is 3.

I have tried starting ntice manually, then starting IceExt, and got that error. So then I tried starting IceExt without first starting ntice, IceExt started Ntice fine (service dependancy, I'm assuming), but IceExt still gave the error.

Do I need to do something in the SoftICE settings to get it to acknowledge/recognize IceExt, or vice-versa?

Hello,

The IceExt 's !dump and !dumpscreen cmd seem not work on my PC ( an XP (SP1) os with Soft-Ice 2.7).

If I type the cmd like:
!dump \??\c:\dump.dat 400000 1000
nothing happen ! ( no dump.dat create) why ?

The exe-file I try to unpack is an Arma-packed one.

The others cmd work fine like
!bpr,
!tetris ...

Thanks for any kind of help and thanks a lot for IceExt's develppers.

Regards !

Sten,

after IceExt startting, I cannot find ANY information about IOAPIC.

other information:

A.
Loaded kernel debugger extention IceExt.SYS at F838F000
B.
>what p1
807280CC HAL!HalInitializeProcessor
>what p3
FAFA3BA0 was not identified as any known type.
C.
>Stack
FrameEBP RetEIP Symbol
FAFA3B38 8052FE9C ntolskrnl!KeDeregisterBugCheckReasonCallBack+0171
FAFA3B88 804EA8A5 ntolskrnl!KeSetAffinityThread+D2F6
FAFA3BA0 00000000 ntolskrnl!Kei386EoiHelper+258E

Not found.

thanks

I've sent the log to you.

Thanks a lot!

something addition.

the iceext.sys i used now is the orginal from you setup.

the mail for the log has failed to send.:confused:

================ Fri Sep 12 13:14:23 2003
NTICE: Pentium TSC calibration, processor set to 731.0 MHZ
SoftICE (R) - DriverStudio (tm) 4.3.0 (Build 1268)
Windows NT Version 5.2 - Build 3790 (Free) SP 0
Cobra
Cobra Soft
784887686F72
Copyright (c) 2003 Compuware Corporation. All rights reserved.
NTICE: LPT1 = Port: 0378
NTICE: PS/2 Mouse Detected
NTICE: 512K allocated for SYM memory
NTICE: 256K allocated for HST memory
NTICE: 32K allocated for HEAP memory
NTICE: 2048 bytes allocated for NAME memory
NTICE: EXP=\SystemRoot\system32\kernel32.dll
NTICE: EXP=\SystemRoot\system32\user32.dll
NTICE: EXP=\SystemRoot\system32\gdi32.dll
NTICE: EXP=\SystemRoot\system32\ntoskrnl.exe
NTICE: EXP=\SystemRoot\system32\hal.dll
NTICE: 111K allocated for 32 bit exports
Macro: Memory allocated for 32 Macro entries
NTICE: IoConnectInterrupt found at 805EA94D
NTICE: IoDisconnectInterrupt found at 805EAE2B
NTICE: MiMapViewOfImageSection found at 80589EDE
NTICE: MiUnmapViewOfSection found at 80589CD8
NTICE: MiAddValidPageToWorkingSet found at 804F2B13
NTICE: KeBugCheck2 found at 8053E5C1
NTICE: MiCopyOnWrite found at 804FE966
NTICE: HalDisplayString found at 80718FAE
NTICE: RtlAssert found at 8054952D
NTICE: USBD_ParseConfigurationDescriptorEx found at FB0868A8
NTICE: UhciInsertQh found at FAE7650E
NTICE: UhciUnlinkQh found at FAE76560
NTICE: USBPORT_AllocateUSBAddress found at FA281788
NTICE: HalpBiosDisplayReset found at 80719C08
NTICE: RtlAssert end found at 805495E2
NTICE: NtTerminateProcess Found at 80590CBA
NTICE: KDExtensions are enabled KDHeapSize=00008000 and KDStackSize=00008000
NTICE: Patching Keyboard using method 0
NTICE: Keyboard driver found - i8042prt.sys
NTICE: Keyboard successfully patched using RPUC hook
NTICE: Keyboard successfully patched lookup table using RPUC hook
NTICE: Found UHCI Host Controller at Bus 00 Device 07 Function 02
NTICE: Found 1 USB Host Controllers. USB HID support will be available.
NTICE: 6688 bytes allocated for use by USB HID devices
:LINES 60
:WD 8
:WC 32
:X
NTICE: Load32 START=5F9E0000 SIZE=2F000 KPEB=FF5934D8 MOD=netmsg
NTICE: Exit32 PID=294 MOD=net1
NTICE: Unload32 MOD=netmsg
NTICE: Exit32 PID=CF4 MOD=net
NTICE: Load32 START=73C80000 SIZE=17000 KPEB=FF8D1888 MOD=wbemcons
NTICE: Load32 START=9D0000 SIZE=15000 KPEB=80ECBD88 MOD=appsrvcs
NTICE: Load32 START=76F90000 SIZE=7E000 KPEB=80D9F7D8 MOD=clbcatq
NTICE: Load32 START=77010000 SIZE=C6000 KPEB=80D9F7D8 MOD=comres
NTICE: Load32 START=76540000 SIZE=50000 KPEB=80D9F7D8 MOD=cscui
NTICE: Load32 START=76520000 SIZE=1D000 KPEB=80D9F7D8 MOD=cscdll
NTICE: Load32 START=75EB0000 SIZE=106000 KPEB=80D9F7D8 MOD=browseui
NTICE: Load32 START=765A0000 SIZE=100000 KPEB=80D9F7D8 MOD=setupapi
NTICE: Load32 START=75970000 SIZE=BA000 KPEB=80D9F7D8 MOD=userenv
NTICE: Load32 START=768F0000 SIZE=24000 KPEB=80D9F7D8 MOD=ntshrui
NTICE: Load32 START=71B70000 SIZE=33000 KPEB=80D9F7D8 MOD=uxtheme
NTICE: Load32 START=76920000 SIZE=157000 KPEB=80D9F7D8 MOD=shdocvw
NTICE: Load32 START=71BD0000 SIZE=11000 KPEB=80D9F7D8 MOD=mpr
NTICE: Load32 START=75E90000 SIZE=7000 KPEB=80D9F7D8 MOD=drprov
NTICE: Load32 START=5F120000 SIZE=E000 KPEB=80D9F7D8 MOD=ntlanman
NTICE: Load32 START=5F8A0000 SIZE=16000 KPEB=80D9F7D8 MOD=netui0
NTICE: Load32 START=5F860000 SIZE=31000 KPEB=80D9F7D8 MOD=netui1
NTICE: Load32 START=5CCF0000 SIZE=10000 KPEB=80D9F7D8 MOD=samlib
NTICE: Load32 START=75EA0000 SIZE=9000 KPEB=80D9F7D8 MOD=davclnt
NTICE: Load32 START=768E0000 SIZE=8000 KPEB=80D9F7D8 MOD=linkinfo

2Satyric0n: I was informed there is a bug in my new installer. It does not set registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTice]
"KDExtensions"="IceExt.SYS"

So you may want to check it.

2wps8848:
Well, it's up to you now to determine why memory reference to HalInitializeProcessor leads to BSOD.. There is routine inside multicpu.cpp that counts number of CPUs (mp_GetNumberOfCPUs()). And this routine references to HalInitializeProcessor. You can insert breakpoint at the begining
and trace though it..
Do you have a non-standard HAL?

Yeah, it seems your chipset does not support APIC but that should not be the problem. I've just revised IceExt code. Currently, it does not use any APIC specific things.

2donneraza:

It's CopyMemII I think. It's unlikely nothing happens at all. There should be some errors the memory is inaccessible or like that.

I think so. :)

cause, version 0.3x is worked fine on this machine.

to Sten:
What dose this means?

On this machine, I pluged a PCI 2 USB2.0 Card. Which can not work. The card is manufactured by a small company and is very cheap. Maybe some bugs exists with it. I've try it on two machines. It cannot work on both of them.

:o
I'm sorry for the mistakes in the reply above.
It should like this one. :)
What dose this means?

On this machine, I pluged a PCI 2 USB2.0 Card. Which can not work. The card is manufactured by a small company and is very cheap. Maybe some bugs exists with it. I've try it on two machines. It cannot work on both of them.

Sten, adding that registry entry worked great. Runs perfectly now. Thanks very much!

I mean, do you have a hal.dll from manufacturer other than Microsoft?

I've checked the hal.dll file.
I's from MS.

in the property of it, i can get some information like this.
5.2.3790.0
Hardware Abstraction Layer DLL
� Microsoft Corporation. All rights reserved.
5.2.3790.0 (srv03_rtm.030324-2048)

I've try to bpx on HalInitializeProcessor. cannot break at there.
error & BSOD ocurred.

I have no the ability to debug drivers.

HalInitializeProcessor executes only at system startup for each processor in the system. It's useless to set breakpoint there.

What I asked you was to insert INT 3 instruction in IceExt source code (at the beginning of mp_GetNumberOfCPUs). Then recompile IceExt and run it. (ensure you have i3here ON or DRV). Then just trace through this routine.

You can also use

!PTE HalInitializeProteccor

command. Send me the results. (but beware! there is bug in !PTE implementation in IceExt 0.51 so some PTE bits are decoded incorrectly - this will be fixed soon).

You have SoftICE installed. So you DO have the ability to debug drivers. :D
The only thing you need is some patience. :cool:

to Sten:
OK. I'll try it the next week. Today is friday. I'll go home a few min later.
:)

I'm looking for a new job.
all cmd of IceExt cannot be used now. :)

I'll insert int 3 and trace it.

I've modified the source code and traced into it.

error occured at here in the file multicpu.cpp

DWORD __declspec(naked) mp_GetNumberOfCPUs()
{
__asm
{
pushad
int 3
mov ecx, 128
mov edi, offset HalInitializeProcessor
mov edi, [edi]
cld

search_some_bytes:
mov al, 89h
repne scasb <====!!!! error ocurred here
jnz short return_default
..........
retn
}
}

cause my PC has only one CPU. so, i modified this function like this

DWORD __declspec(naked) mp_GetNumberOfCPUs()
{
__asm{
xor eax,eax
inc eax
retn
}
}

after rebuild, IceExt works fine.

Hi All!

First of all IceExt 0.53 has been released.

wps8848:
Well, mp_GetNumberOfCPUs() is not very good name for this routine. It has a side effect - on multicpu platforms it sets mp_PCR_VA_array variable. For one-cpu computer mp_PCR_VA_array has default value so you patch works quite well.
I dediced to rename this routine to the mp_AnalyzeHalInitProcessor.

Now you have a choice - to patch this routine in the every next build :-) or to dig a little deeper in order to determine why 89h byte can not be found in your HalInitializeProcessor or why read access to HalInitiailzeProcessor routine lead to BSOD..

As I described earlier you can do something like this:

db HalInitializeProcessor

If you seen some question marks - that's bad..
And more poverfull command:

!PTE HalInitializeProcessor

should tell you everything about the memory page where the HalInitializeProcessor is located.

Sten,
I have done as your sugests.

I use db & !pte on two of my machines.
the result is different.
the dumped file is in the attachment.
two files included.

err.bin the screen i dumped using !dumpscreen on the machine BSOD occurs there
ok.bin the screen i dumped using !dumpscreen on the machine worked fine

use SiwRender.exe translate them to BMP yourself.

best regards.

Ok. So HalInitializeProcessor is inaccessible on you system where IceExt fails. Quite strange..
I'll code simple workaroung in the next IceExt version.

why ?when is rebuild the ICeExt.sys is error on the build lib kosxxxx.lib
 

please send your iceext.sys to my [email protected]
thk

Re: why ?when is rebuild the ICeExt.sys is error on the build lib kosxxxx.lib
 

I am sorry for so much latency. I read your post just now.

to rebuild it with w2k3 DDK, do like this.

1. modify the file "sources" in the SRC.
in the file , something like this
# *********************************************************************
# remove ntoskrnlnt4.lib if you don't have it
# I'm using old library for NT4 compability
# *********************************************************************
TARGETLIBS=$(BASEDIR)\LIB\W2K\i386\ntoskrnlnt4.lib $(BASEDIR)\LIB\W2K\i386\hal.lib ntice.lib

I modified it as this
TARGETLIBS=$(BASEDIR)\LIB\Wnet\i386\ntoskrnl.lib $(BASEDIR)\LIB\Wnet\i386\hal.lib ntice.lib

2. modify the file "make.bat" (maybe not needed)

et SAVEDDIR=%CD%

call %BASEDIR%\bin\setenv.bat %BASEDIR% fre wnet
cd /d %SAVEDDIR%

set SAVEDDIR=

del .\objfre_wnet_x86\i386\*.res

prefast build
prefast list