  #1  
Old 04-22-2004, 17:44
auroras
Quote:
Originally Posted by _kin_
SoftICE has at least two components; all components load as standard
drivers:
1. siwvid.sys - mostly UI code, loaded as a SERVICE_BOOT_START driver

2. ntice.sys - the SoftICE heart; can load as SERVICE_BOOT_START but also
can load as a SERVICE_SYSTEM_START or SERVICE_DEMAND_START driver

Most frequently ntice.sys is configured as a SERVICE_SYSTEM_START driver

3. Sometimes, if ntice.sys loads as SERVICE_BOOT_START, it uses a third part:
siwsym.sys - a SERVICE_BOOT_START driver where symbolic and config
info is packed. This module is used because at the time SERVICE_BOOT_START drivers are loaded, no file I/O services are available (these drivers are loaded by NTLDR).

P.S. Sorry for my poor English
Thank you for your reply.

Sorry if this is a dumb question, but if that is the case, what's stopping another driver from loading and debugging SoftICE? Or is there nothing stopping that?
  #2  
Old 04-22-2004, 21:50
_kin_
Quote:
Originally Posted by auroras
Thank you for your reply.

Sorry if this is a dumb question, but if that is the case, what's stopping another driver from loading and debugging SoftICE? Or is there nothing stopping that?
SoftICE has a check to prevent debugging itself.

When it is loaded (started), it patches some system parts (kernel, keyboard driver and so on) to get control over the system. Also, as far as I know, SoftICE changes the
system IDT and "virtualizes" it: in the debugger you see the system IDT, but the real IDT is hidden by SoftICE.
  #3  
Old 04-23-2004, 18:35
auroras
Quote:
Originally Posted by _kin_
SoftICE has a check to prevent debugging itself.

Also, as far as I know, SoftICE changes the system IDT and "virtualizes" it: in the debugger you see the system IDT, but the real IDT is hidden by SoftICE.
Ahh...now I see

So is virtualising the IDT a function provided within the kernel API, or is it some hack that SoftICE comes up with? I haven't come across any documentation on that.

In fact, when I posted a similar question on the Microsoft MSDN list about trying to directly handle certain interrupts in a driver, I was told that it couldn't be done, and that it had to go through IoConnectInterrupt().

Thanks
  #4  
Old 08-07-2004, 02:27
omega_red
Sample IDT dump from Softice (w2k sp4)
Code:
0000  IntG32   0008:80466B36  DPL=0  P   ntoskrnl!Kei386EoiHelper+0590
0001  IntG32   0008:80466C86  DPL=3  P   ntoskrnl!Kei386EoiHelper+06E0
0002  IntG32   0008:0000145E  DPL=0  P
0003  IntG32   0008:80466F5E  DPL=3  P   ntoskrnl!Kei386EoiHelper+09B8
0004  IntG32   0008:804670C2  DPL=3  P   ntoskrnl!Kei386EoiHelper+0B1C
0005  IntG32   0008:80467206  DPL=0  P   ntoskrnl!Kei386EoiHelper+0C60
0006  IntG32   0008:8046736A  DPL=0  P   ntoskrnl!Kei386EoiHelper+0DC4
0007  IntG32   0008:80467903  DPL=0  P   ntoskrnl!Kei386EoiHelper+135D
0008  TaskG    0050:000014B8  DPL=0  P
0009  IntG32   0008:80467CBF  DPL=0  P   ntoskrnl!Kei386EoiHelper+1719
000A  IntG32   0008:80467DC7  DPL=0  P   ntoskrnl!Kei386EoiHelper+1821
000B  IntG32   0008:80467EF3  DPL=0  P   ntoskrnl!Kei386EoiHelper+194D
000C  IntG32   0008:804681F8  DPL=0  P   ntoskrnl!Kei386EoiHelper+1C52
000D  IntG32   0008:80468404  DPL=0  P   ntoskrnl!Kei386EoiHelper+1E5E
000E  IntG32   0008:80468E78  DPL=0  P   ntoskrnl!Kei386EoiHelper+28D2
000F  IntG32   0008:80469213  DPL=0  P   ntoskrnl!Kei386EoiHelper+2C6D
...and from my own descriptor table dumper:
Code:
#0000: 0000 [00000008:80466b36] * 32bit=1, gran=0, present=1, dpl=0, type=[S] 32-bit Interrupt Gate      
#0001: 000b [00000008:b3fcd769] * 32bit=1, gran=1, present=1, dpl=3, type=[S] 32-bit Interrupt Gate      
#0002: 0010 [00000008:b3fcd778] * 32bit=1, gran=1, present=1, dpl=0, type=[S] 32-bit Interrupt Gate      
#0003: 001b [00000008:b3fcd787] * 32bit=1, gran=1, present=1, dpl=3, type=[S] 32-bit Interrupt Gate      
#0004: 0023 [00000008:804670c2] * 32bit=1, gran=0, present=1, dpl=3, type=[S] 32-bit Interrupt Gate      
#0005: 0028 [00000008:80467206] * 32bit=1, gran=0, present=1, dpl=0, type=[S] 32-bit Interrupt Gate      
#0006: 0030 [00000008:b3fcd796] * 32bit=1, gran=1, present=1, dpl=0, type=[S] 32-bit Interrupt Gate      
#0007: 0038 [00000008:80467903] * 32bit=1, gran=0, present=1, dpl=0, type=[S] 32-bit Interrupt Gate      
#0008: 0040 [00000050:000014b8] * 32bit=0, gran=0, present=1, dpl=0, type=[S] Task Gate                  
#0009: 0048 [00000008:80467cbf] * 32bit=1, gran=0, present=1, dpl=0, type=[S] 32-bit Interrupt Gate      
#000a: 0050 [00000008:80467dc7] * 32bit=1, gran=0, present=1, dpl=0, type=[S] 32-bit Interrupt Gate      
#000b: 0058 [00000008:b3fcd7a5] * 32bit=1, gran=1, present=1, dpl=0, type=[S] 32-bit Interrupt Gate      
#000c: 0060 [00000008:b3fcd7b4] * 32bit=1, gran=1, present=1, dpl=0, type=[S] 32-bit Interrupt Gate      
#000d: 0068 [00000008:b3fcd7c3] * 32bit=1, gran=1, present=1, dpl=0, type=[S] 32-bit Interrupt Gate      
#000e: 0070 [00000008:b3fcd7d2] * 32bit=1, gran=1, present=1, dpl=0, type=[S] 32-bit Interrupt Gate      
#000f: 0078 [00000008:80469213] * 32bit=1, gran=0, present=1, dpl=0, type=[S] 32-bit Interrupt Gate
As you can clearly see, the real values are NOT the ones SoftICE shows you
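The two dumps above are only useful if you can decode what an IDT entry actually contains and then diff the table you read yourself against the one the debugger reports. The following C program is an added example, not code from this thread or from omega_red's dumper: it decodes raw 8-byte x86 gate descriptors (offset, selector, DPL, present bit, gate type), then compares a "shown" table against a "real" table and lists the vectors that differ. Both tables are constructed in the code from the offsets, selectors and DPLs printed in the two dumps (vectors 00-0F, Windows 2000 SP4); the dumps themselves are not raw bytes, so the encoding step is an assumption made here purely to build the sample. On a live system a defender would read the real table with SIDT and compare it to a known-good snapshot the same way; this example runs entirely offline.

```c
/* Decode x86 32-bit IDT gate descriptors and flag vectors whose real entry
 * differs from what a debugger reports.  Added example; sample tables are
 * constructed from the two dumps quoted in the post above. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NVEC 16

typedef struct {
    uint16_t selector;
    uint32_t offset;
    uint8_t  type;     /* low nibble of access byte: 5=task, E=int32, F=trap32 */
    uint8_t  dpl;
    uint8_t  present;
} idt_gate_t;

/* Gate descriptor byte layout (little-endian):
 * [0-1] offset 15:0, [2-3] selector, [4] reserved, [5] P|DPL|0|type,
 * [6-7] offset 31:16.  A task gate carries a TSS selector and no offset. */
idt_gate_t decode_gate(const uint8_t raw[8]) {
    idt_gate_t g;
    g.offset   = (uint32_t)raw[0] | ((uint32_t)raw[1] << 8)
               | ((uint32_t)raw[6] << 16) | ((uint32_t)raw[7] << 24);
    g.selector = (uint16_t)(raw[2] | (raw[3] << 8));
    g.type     = raw[5] & 0x0F;
    g.dpl      = (raw[5] >> 5) & 0x03;
    g.present  = (raw[5] >> 7) & 0x01;
    return g;
}

/* Inverse of decode_gate; used here only to build the constructed tables. */
void encode_gate(uint8_t raw[8], uint16_t sel, uint32_t off,
                 uint8_t type, uint8_t dpl, uint8_t present) {
    raw[0] = (uint8_t)(off & 0xFF);         raw[1] = (uint8_t)((off >> 8) & 0xFF);
    raw[2] = (uint8_t)(sel & 0xFF);         raw[3] = (uint8_t)(sel >> 8);
    raw[4] = 0;
    raw[5] = (uint8_t)((present << 7) | ((dpl & 3) << 5) | (type & 0x0F));
    raw[6] = (uint8_t)((off >> 16) & 0xFF); raw[7] = (uint8_t)(off >> 24);
}

const char *gate_type_name(uint8_t type) {
    switch (type) {
    case 0x5: return "Task Gate";
    case 0x6: return "16-bit Interrupt Gate";
    case 0x7: return "16-bit Trap Gate";
    case 0xE: return "32-bit Interrupt Gate";
    case 0xF: return "32-bit Trap Gate";
    default:  return "unknown";
    }
}

/* Compare n raw 8-byte entries of two tables (flat arrays, n*8 bytes each).
 * Returns the number of differing vectors; writes up to max_out of them to out. */
int find_hooked_vectors(const uint8_t *shown, const uint8_t *real,
                        int n, int *out, int max_out) {
    int count = 0;
    for (int v = 0; v < n; v++) {
        if (memcmp(shown + v * 8, real + v * 8, 8) != 0) {
            if (count < max_out) out[count] = v;
            count++;
        }
    }
    return count;
}

/* Constructed sample: offsets as printed by SoftICE and by the standalone
 * dumper for vectors 00-0F.  Selector 0008 everywhere except vector 8,
 * which is a task gate through TSS selector 0050.  DPLs as shown. */
static const uint32_t k_shown[NVEC] = {
    0x80466B36, 0x80466C86, 0x0000145E, 0x80466F5E, 0x804670C2, 0x80467206,
    0x8046736A, 0x80467903, 0x000014B8, 0x80467CBF, 0x80467DC7, 0x80467EF3,
    0x804681F8, 0x80468404, 0x80468E78, 0x80469213 };
static const uint32_t k_real[NVEC] = {
    0x80466B36, 0xB3FCD769, 0xB3FCD778, 0xB3FCD787, 0x804670C2, 0x80467206,
    0xB3FCD796, 0x80467903, 0x000014B8, 0x80467CBF, 0x80467DC7, 0xB3FCD7A5,
    0xB3FCD7B4, 0xB3FCD7C3, 0xB3FCD7D2, 0x80469213 };
static const uint8_t k_dpl[NVEC] = { 0,3,0,3,3,0,0,0,0,0,0,0,0,0,0,0 };

void build_sample_tables(uint8_t shown[NVEC][8], uint8_t real[NVEC][8]) {
    for (int v = 0; v < NVEC; v++) {
        uint16_t sel  = (v == 8) ? 0x0050 : 0x0008;
        uint8_t  type = (v == 8) ? 0x5 : 0xE;
        encode_gate(shown[v], sel, k_shown[v], type, k_dpl[v], 1);
        encode_gate(real[v],  sel, k_real[v],  type, k_dpl[v], 1);
    }
}

/* Wrappers over the constructed sample so results can be checked by value. */
int sample_hooked_count(void) {
    uint8_t shown[NVEC][8], real[NVEC][8]; int out[NVEC];
    build_sample_tables(shown, real);
    return find_hooked_vectors(&shown[0][0], &real[0][0], NVEC, out, NVEC);
}
int sample_hooked_vector(int k) {   /* k-th differing vector, or -1 */
    uint8_t shown[NVEC][8], real[NVEC][8]; int out[NVEC];
    build_sample_tables(shown, real);
    int n = find_hooked_vectors(&shown[0][0], &real[0][0], NVEC, out, NVEC);
    return (k >= 0 && k < n) ? out[k] : -1;
}
idt_gate_t sample_real_gate(int v) {
    uint8_t shown[NVEC][8], real[NVEC][8];
    build_sample_tables(shown, real);
    return decode_gate(real[v]);
}

int main(void) {
    uint8_t shown[NVEC][8], real[NVEC][8];
    build_sample_tables(shown, real);
    for (int v = 0; v < NVEC; v++) {
        idt_gate_t s = decode_gate(shown[v]), r = decode_gate(real[v]);
        printf("%04X %04X:%08X -> %04X:%08X dpl=%u %-22s %s\n", v,
               s.selector, s.offset, r.selector, r.offset, r.dpl,
               gate_type_name(r.type),
               memcmp(shown[v], real[v], 8) ? "DIFFERS" : "");
    }
    return 0;
}
```

Run as-is it prints one line per vector and marks the eight vectors (01, 02, 03, 06, 0B, 0C, 0D, 0E) whose handler offsets in the dumper output fall in the b3fcxxxx range rather than in ntoskrnl. The same byte-level comparison is what an IDT integrity check does in practice: snapshot the table at a trusted point, then diff raw entries rather than trusting any tool that runs under the debugger's own view.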