Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   SoftICE crashing on Windows 2003 (https://forum.exetools.com/showthread.php?t=9469)

MarkusO 04-14-2006 22:51

SoftICE crashing on Windows 2003
 
I wanted to debug some program which only runs on a "Windows Server" OS. So I installed Windows 2003 on my PC, installed chipset and graphic drivers and used Windows Update to get the latest patches. Then I disabled the "NX-Bit" which is set to "all applications" as default on Windows 2003.

Then I installed SoftICE from DriverStudio 3.2, replaced the OSINFO(B).DAT included with the latest versions (dated 08/13/05 and 10/20/05) and rebooted my PC.

But my PC crashed with a BSOD in "CptHook.sys". I tried several times without success. When telling the SoftICE boot-loader not to start the hooking engine, Windows boots normally, but I can't load SoftICE.

I checked the system requirements and it says:
Quote:

System Requirements for DriverStudio & SoftICE Driver Suite

Operating systems compatibility

For x86 processors and compatibles, DriverStudio 3.2 and SoftICE Driver Suite 3.2 support the following operating system platforms:

* Windows XP Release, SP1, SP2
* Windows 2000 Release, SP1, SP2, SP3, SP4
* Windows Server 2003 Release, SP1 Beta

For Intel's Itanium and Itanium2 processors:

* Windows XP Release
* Windows Server 2003 Release

For AMD's Opteron/Athlon64 family of processors:

* Windows Server 2003 SP1 Beta 1 (1184)
* Longhorn (Build 4074)

Side Note: DriverStudio 3.2 does not support the following platforms:

* Windows 95 and 98
* Windows NT 4.0

However, the DriverStudio 2.7, which supports Windows 95, Windows 98 and Windows NT, is available on the DriverStudio 3.2 CD-ROM.
I have installed "Windows 2003 SP1 final", so it is not really supported officially, but I guess nothing important has changed between "SP1 beta" and "SP1 final".

Does anybody have any idea what the reason for the crashes might be?

ntwizard 04-15-2006 00:26

Yes.. Treat Windows 2003 Server SP1 like Windows XP SP2. This is one reason soft-ice is dead.

I would suggest you do your debugging with no service pack installed. That way you can debug with very few issues. Otherwise you will need to use M$ tools for debugging.

I just had another thought.. M$ has a debug version of Windows 2003 Server SP1.. I wonder if this would help you??

MarkusO 04-15-2006 19:56

If Windows 2003 SP1 ran the same way as Windows XP SP2, then SoftICE would run, since it runs well on WinXP SP2 for me.

I don't have Windows 2003 SP0, since the CD I copied was the official Windows 2003 CD with SP1 already integrated. (no homemade "all-in-one" crap from the internet)

I'm no MSDN subscriber, so I don't have access to the debug version of Windows 2003 SP1.

I checked where the code is crashing, but even though it's totally clear what the code does (no unknown variables), I don't understand why it works on Windows XP but not on Windows 2003.

Code:

xor        eax,eax
add        eax,[000130C7]    ; hard coded value: 120h
add        eax,[000130CB]    ; hard coded value: 4h
mov        eax,fs:[eax]
add        eax,[000130CF]    ; hard coded value: 34h
add        eax,[000130D3]    ; hard coded value: 10h
mov        eax,[eax]
add        eax,[000130D7]    ; hard coded value: 18h
mov        eax,[eax]          ; <-- crash location
mov        [edi][1C],eax
retn

So, in short one could write it as:
Code:

mov    eax, fs:[124h]    ; 120h + 4h
mov    eax, [eax+44h]    ; 34h + 10h
mov    eax, [eax+18h]    ; <-- crash location

Even if I'm not aware what value "fs" has at this time, I don't expect it to be the reason for the crash.

MarkusO 04-28-2006 02:38

I still had no luck running SoftICE on Windows 2003 SP1. I was finally able to get Windows 2003 SP0. But SoftICE again crashes at the same location.

Is it possible that SoftICE has problems when too much memory is installed in the computer? (like the "vcache" problem on Win9x with 512 MB RAM)

deroko 04-28-2006 04:08

Quote:

Originally Posted by MarkusO
Code:

mov    eax, fs:[124h]
mov    eax, [eax+44h]
mov    eax, [eax+18h]    ; <-- crash location

Even if I'm not aware what value "fs" has at this time, I don't expect it to be the reason for the crash.

fs points to kpcr
kpcr+124h = current thread
current thread + 44h = KPROCESS
KPROCESS+18h = DirectoryTableBase (value of cr3 for current process)

Maybe in win2k3 kthread is changed so kthread+44 returns something else.
If you can, install livekd from www.sysinternals.com and tell us what is located at offset 44 of kthread.
I would really love to know :)

MarkusO 04-28-2006 07:35

I'm not used to the built-in debugger of Windows or to LiveKD. But as far as I understood it, you must configure the debugger in the "boot.ini". After that, Windows waits in an infinite loop until somebody attaches to the built-in debugger over a COM port or over Firewire.

But I don't have any serial or 1394 cable available to try this and I also currently don't have a second PC available.

Can you tell me how I should use LiveKD to debug the SoftICE hooking engine?

deroko 04-28-2006 08:19

It is for exploring the system, not for debugging :) but you can see anything in ring0 with it, hooks for example, if you load it after the hooks are performed. Very useful tool and doesn't require two computers to work :)

MarkusO 04-29-2006 19:01

It seems like I'm a bit too stupid to use LiveKD. I did the following:
  • Download and install the Windows 32-bit debugging tools
  • Download LiveKD and copy it into the debugging tools folder.
  • Configure the symbol path in WinDBG.
  • Start LiveKD by running File->Kernel Debug->Local
  • Open register, memory and disassembly windows from the menu
Then I had a command line (prefix: "lkd>") where I could enter my commands. I called "?" to list the available commands.

First I tried to show what's located at "fs:[124]" by entering "d fs:124", but I only got the message "GetContextState failed, 0x80004001" three times followed by "bad segment error at '124'".

Next I only entered "d 124" and got a memory dump, but only filled with "??" as data.

After that I read the help file entry for the "d" command to learn all possible "dump" commands and their correct syntax, but none of them worked, even the dump commands for physical memory failed.

So how should I read "fs:[124]" from Ring-0 with WinDBG?

deroko 04-30-2006 06:05

gdt from softice
Code:

:gdt
...
0030  Data32    FFDFF000  00001FFF  0    P  RW <--- KPCR
003B  Data32    7FFDE000  00000FFF  3    P  RW <--- TEB

so to read address of fs:[124h] you should type

dd FFDFF000+124 :)

when you get the address you might wanna play with it a little bit with:

dt nt!_ETHREAD <address> and so on, to explore the state of some interesting structures of the system. I don't know if something changed on win2k3 but you can always use wARK to get the gdt and you will get the address of fs without a problem :) As I said maybe they have changed something in internal structures, so maybe fs:[124] doesn't point to CurrentThread; to be sure you should explore the structures with:

dt nt!_structure (eg. dt nt!_KPCR, dt nt!_KPRCB etc...)

Regards

MarkusO 05-01-2006 15:46

Now I'm completely confused. I installed WinXP and Win2003 on a different PC. I also installed SoftICE on both PCs. The interesting point is that SoftICE loads on WinXP and Win2003.

Then I checked the part where SoftICE on Win2003 crashes on the other PC from Ring-0. (the code from above)

On WinXP, [EAX+44] points to some other memory location, so [EAX+18] can be read normally.

On Win2003, [EAX+44] has a value of NULL, so reading [EAX+18] will crash the computer.

The code crashing my computer crashes it always on Windows 2003, but for some reason it is not executed on one of the PCs.

Both computers have a totally different hardware configuration (chipset, count and manufacturer of CPUs, installed RAM), but the software is the same (except for the hardware drivers).

Does anybody have any other idea what the source of the problem might be?

taos 05-01-2006 16:41

Quote:

Originally Posted by MarkusO
Has anybody some other idea what the source of the problem might be?

Syd (stripper author) has the same problem. He thinks that maybe because win2k3sp1 has anti-kernel-patching and his processor has EMT64 and (as I understand) supports this feature, so he has BSOD during kernel patching.

Maybe a patch for win2003...

Kerlingen 05-02-2006 03:34

As far as I know "Patch Guard" is only available in the x64 editions. MarkusO also wrote that it even crashes with SP0 installed, which 100% sure had no support for "Patch Guard" and "NX-Bit".

@MarkusO:
Can you post your hardware details so we might get behind the problem?

deroko 05-02-2006 05:58

crash spot = softice tries to get the cr3 value from the EPROCESS struct.
The only thing that comes to my mind is that internal structures might have changed.
Can you at least provide us with the disassembly of ntoskrnl.exe!PsGetCurrentProcess? I just wanna be sure that the internal structs haven't changed.

MarkusO 05-02-2006 16:44

WinXP: ntoskrnl.exe!PsGetCurrentProcess
Code:

mov eax, fs:[124]
mov eax, [eax+44]
ret

Win2003: ntoskrnl.exe!PsGetCurrentProcess
Code:

mov eax, fs:[124]
mov eax, [eax+38]
ret

So the internal structures have changed, but it is still interesting that SoftICE loads on one PC running Win2003 without executing the code at all while the other PC crashes because of the changed structure.
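The thread's finding is that the SoftICE hook hard-codes the KTHREAD->KPROCESS offset (44h) that Windows XP's own ntoskrnl!PsGetCurrentProcess uses, while Windows 2003's kernel uses 38h, so the hook reads a zero pointer and then faults on [eax+18h]. The C program below is an added example, not SoftICE's code or anything posted in the thread. It does two things: it derives the offset from the byte pattern of PsGetCurrentProcess (encoding the two disassemblies posted above in standard x86-32 machine code, which is an assumption of the example), and it replays deroko's chain (KPCR+124h -> KTHREAD, +44h/+38h -> KPROCESS, +18h -> DirectoryTableBase) over a constructed 1 KiB memory window placed at the KPCR address from the gdt dump, with every dereference checked so the NULL case returns a failure instead of faulting. The window contents, the cr3 value and the layout of the fake structures are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ---- 1. Derive the KTHREAD->KPROCESS offset from PsGetCurrentProcess ----
 * Shape of the function as posted in the thread (x86-32 encoding assumed):
 *   64 A1 24 01 00 00   mov eax, fs:[124h]   ; KPCR+124h = CurrentThread
 *   8B 40 xx            mov eax, [eax+xx]    ; xx = 44h (XP) or 38h (2003)
 *   C3                  ret
 * The two byte arrays are constructed from those disassemblies, not dumped. */
const uint8_t PSGCP_XP[]   = {0x64,0xA1,0x24,0x01,0x00,0x00, 0x8B,0x40,0x44, 0xC3};
const uint8_t PSGCP_2003[] = {0x64,0xA1,0x24,0x01,0x00,0x00, 0x8B,0x40,0x38, 0xC3};
static const uint8_t PSGCP_HEAD[] = {0x64,0xA1,0x24,0x01,0x00,0x00,0x8B,0x40};

/* Returns the disp8 encoded in the second instruction, or -1 when the bytes
 * do not have the expected shape, so a caller never falls back to guessing. */
int thread_to_process_offset(const uint8_t *code, size_t len)
{
    if (len < sizeof PSGCP_HEAD + 2) return -1;
    if (memcmp(code, PSGCP_HEAD, sizeof PSGCP_HEAD) != 0) return -1;
    if (code[sizeof PSGCP_HEAD + 1] != 0xC3) return -1;   /* must be followed by ret */
    return code[sizeof PSGCP_HEAD];
}

/* ---- 2. A constructed kernel memory window ----
 * A 1 KiB window starts at the KPCR address shown in the gdt dump (FFDFF000).
 * Any read outside it "faults", which is what a read through a NULL KPROCESS
 * pointer ([0+18h]) does on the real machine. */
#define KPCR_ADDR          0xFFDFF000u
#define WINDOW_SIZE        0x400u
#define KTHREAD_ADDR       (KPCR_ADDR + 0x200u)   /* constructed placement */
#define KPROCESS_ADDR      (KPCR_ADDR + 0x300u)   /* constructed placement */
#define OFF_CURRENT_THREAD 0x124u   /* KPCR -> current KTHREAD              */
#define OFF_PROCESS_XP     0x44u    /* KTHREAD -> KPROCESS on Windows XP    */
#define OFF_PROCESS_2003   0x38u    /* KTHREAD -> KPROCESS on Windows 2003  */
#define OFF_DIRBASE        0x18u    /* KPROCESS -> DirectoryTableBase (cr3) */
#define FAKE_CR3           0x00039000u  /* constructed sample value */

static uint8_t window[WINDOW_SIZE];

static int read32(uint32_t addr, uint32_t *out)
{
    if (addr < KPCR_ADDR || addr > KPCR_ADDR + WINDOW_SIZE - 4) return 0; /* unmapped */
    memcpy(out, window + (addr - KPCR_ADDR), 4);
    return 1;
}

static void write32(uint32_t addr, uint32_t val)
{
    memcpy(window + (addr - KPCR_ADDR), &val, 4);
}

/* Lay out the window for one OS: the process pointer sits at the offset that
 * OS really uses; the other slot stays zero, which is the NULL MarkusO saw. */
void build_window(int layout_2003)
{
    memset(window, 0, sizeof window);
    write32(KPCR_ADDR + OFF_CURRENT_THREAD, KTHREAD_ADDR);
    write32(KTHREAD_ADDR + (layout_2003 ? OFF_PROCESS_2003 : OFF_PROCESS_XP), KPROCESS_ADDR);
    write32(KPROCESS_ADDR + OFF_DIRBASE, FAKE_CR3);
}

/* The walk the crashing routine performs, with each dereference checked.
 * Returns 1 and the cr3 value on success, 0 where the real code BSODs. */
int read_cr3_via_chain(uint32_t thread_to_process, uint32_t *cr3)
{
    uint32_t thread, process;
    if (!read32(KPCR_ADDR + OFF_CURRENT_THREAD, &thread)) return 0;
    if (!read32(thread + thread_to_process, &process)) return 0;
    if (process == 0) return 0;                   /* NULL KPROCESS: [0+18h] would fault */
    return read32(process + OFF_DIRBASE, cr3);
}

/* Builds the window for one layout and returns the cr3 the walk produced,
 * or 0 when the walk would have faulted. */
uint32_t cr3_for(int layout_2003, uint32_t thread_to_process)
{
    uint32_t cr3 = 0;
    build_window(layout_2003);
    return read_cr3_via_chain(thread_to_process, &cr3) ? cr3 : 0;
}

int main(void)
{
    int off_xp   = thread_to_process_offset(PSGCP_XP, sizeof PSGCP_XP);
    int off_2003 = thread_to_process_offset(PSGCP_2003, sizeof PSGCP_2003);
    printf("PsGetCurrentProcess offset: XP %02Xh, 2003 %02Xh\n", off_xp, off_2003);
    printf("2003 layout, hard-coded 44h : cr3=%08X (0 = would fault)\n", cr3_for(1, OFF_PROCESS_XP));
    printf("2003 layout, derived    %02Xh: cr3=%08X\n", off_2003, cr3_for(1, (uint32_t)off_2003));
    return 0;
}
```

The point of the example is the contrast between the two last lines of output: with the XP constant the 2003 layout yields a zero process pointer and the walk stops where SoftICE crashed, while the offset read from the kernel's own accessor reaches DirectoryTableBase. A driver or debugger that must walk undocumented structures is safer taking the offset from the kernel (or from the matching symbols) than from a table keyed on the OS version, and it should still null-check every pointer along the way.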

All times are GMT +8.