Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 04-14-2006, 22:51
MarkusO
 
Posts: n/a
SoftICE crashing on Windows 2003

I wanted to debug some program which only runs on a "Windows Server" OS. So I installed Windows 2003 on my PC, installed chipset and graphic drivers and used Windows Update to get the latest patches. Then I disabled the "NX-Bit" which is set to "all applications" as default on Windows 2003.

Then I installed SoftICE from DriverStudio 3.2, replaced the OSINFO(B).DAT included with the latest versions (dated 08/13/05 and 10/20/05) and rebooted my PC.

But my PC crashed with a BSOD in "CptHook.sys". I tried several times without success. When telling the SoftICE boot-loader not to start the hooking engine, Windows boots normally, but I can't load SoftICE.

I checked the system requirements and it says:
Quote:
System Requirements for DriverStudio & SoftICE Driver Suite

Operating systems compatibility

For x86 processors and compatibles, DriverStudio 3.2 and SoftICE Driver Suite 3.2 support the following operating system platforms:

* Windows XP Release, SP1, SP2
* Windows 2000 Release, SP1, SP2, SP3, SP4
* Windows Server 2003 Release, SP1 Beta

For Intel's Itanium and Itanium2 processors:

* Windows XP Release
* Windows Server 2003 Release

For AMD's Opteron/Athlon64 family of processors:

* Windows Server 2003 SP1 Beta 1 (1184)
* Longhorn (Build 4074)

Side Note: DriverStudio 3.2 does not support the following platforms:

* Windows 95 and 98
* Windows NT 4.0

However, the DriverStudio 2.7, which supports Windows 95, Windows 98 and Windows NT, is available on the DriverStudio 3.2 CD-ROM.
I have installed "Windows 2003 SP1 final", so it is not really supported officially, but I guess nothing important has changed between "SP1 beta" and "SP1 final".

Has anybody some idea what the reason for the crashes might be?
Reply With Quote
  #2  
Old 04-15-2006, 00:26
ntwizard
 
Posts: n/a
Yes.. Treat Windows 2003 Server SP1 like Windows XP SP2. This is one reason soft-ice is dead.

I would suggest you do your debugging with no service pack installed. That way you can debug with very few issues. Otherwise you will need to use M$ tools for debugging.

I just had another thought.. M$ has a debug vesion of Windows 2003 server SP1.. I wonder if this help you??
Reply With Quote
  #3  
Old 04-15-2006, 19:56
MarkusO
 
Posts: n/a
If Windows 2003 SP1 would run the same way as Windows XP SP2, then SoftICE would run, since it runs well on WinXP SP2 for me.

I don't have Windows 2003 SP0, since the CD I copied was the official Windows 2003 CD with SP1 already integrated. (no homemade "all-in-one" crap from the internet)

I'm no MSDN subscriber, so I don't have access to the debug version of Windows 2003 SP1.

I checked at what place the code is crashing, but even if it's totally clear what the code does (no unknown variables), I don't understand why it works on Windows XP but not on Windows 2003.

Code:
xor         eax,eax
add         eax,[000130C7]     ; hard coded value: 120h
add         eax,[000130CB]     ; hard coded value: 4h
mov         eax,fs:[eax]
add         eax,[000130CF]     ; hard coded value: 34h
add         eax,[000130D3]     ; hard coded value: 10h
mov         eax,[eax]
add         eax,[000130D7]     ; hard coded value: 18h
mov         eax,[eax]          ; <-- crash location
mov         [edi][1C],eax
retn
So, in short one could write is as:
Code:
mov     eax, fs:[124h]
mov     eax, [eax+44h]
mov     eax, [eax+18]     ; <-- crash location
Even if I'm not aware what value "fs" has a this time, I don't expect it to be the reason for the crash.
Reply With Quote
  #4  
Old 04-28-2006, 02:38
MarkusO
 
Posts: n/a
I still had no luck running SoftICE on Windows 2003 SP1. I finally was able to get Windows 2003 SP0. But SoftICE again crashes at the same location.

Is it possible that SoftICE has problems when too much memory is installed in the computer? (like the "vcache" problem on Win9x with 512 MB RAM)
Reply With Quote
  #5  
Old 04-28-2006, 04:08
deroko's Avatar
deroko deroko is offline
cr4zyserb
 
Join Date: Nov 2005
Posts: 217
Rept. Given: 13
Rept. Rcvd 30 Times in 14 Posts
Thanks Given: 7
Thanks Rcvd at 32 Times in 15 Posts
deroko Reputation: 30
Quote:
Originally Posted by MarkusO
Code:
mov     eax, fs:[124h]
mov     eax, [eax+44h]
mov     eax, [eax+18]     ; <-- crash location
Even if I'm not aware what value "fs" has a this time, I don't expect it to be the reason for the crash.
fs points to kpcr
kpcr+124h = current thread
curretn thread + 44h = KPROCESS
KPROCESS+18 = DirectoryTableBase (value of cr3 for current process)

Maybe in win2k3 kthread is changed so kthread+44 returns something else.
If you can, install livekd from www.sysinternals.com and tell us what is located at offset 44 of kthread.
I would really love to know
__________________
http://accessroot.com
Reply With Quote
  #6  
Old 04-28-2006, 07:35
MarkusO
 
Posts: n/a
I'm not used to the build-in debugger of Windows or to LiveKD. But as far as I understood it, you must configure the debugger in the "boot.ini". After that, Windows waits in an infinite loop until somebody attaches to the build-in debugger over a COM port or over Firewire.

But I don't have any serial or 1394 cable available to try this and I also currently don't have a second PC available.

Can you tell me how I should use LiveKD to debug the SoftICE hooking engine?
Reply With Quote
  #7  
Old 04-28-2006, 08:19
deroko's Avatar
deroko deroko is offline
cr4zyserb
 
Join Date: Nov 2005
Posts: 217
Rept. Given: 13
Rept. Rcvd 30 Times in 14 Posts
Thanks Given: 7
Thanks Rcvd at 32 Times in 15 Posts
deroko Reputation: 30
It is for exploring system, not for debugging but you can see anything in ring0 with it, hooks for example if you load it after hooks are performed. Very useful tool and doesn't require two computers to work
__________________
http://accessroot.com
Reply With Quote
  #8  
Old 04-29-2006, 19:01
MarkusO
 
Posts: n/a
It seems like I'm a bit too stupid to use LiveKD. I did the following:
  • Download and install the Windows 32-bit debugging tools
  • Download LiveKD and copy it into the debugging tools folder.
  • Configure the symbol path in WinDBG.
  • Start LiveKD by running File->Kernel Debug->Local
  • Open register, memory and disassembly windows from the menu
Then I had a command line (perfix: "lkd>") where I could enter my commands. I called "?" to list me the available commands

First I tried to show what's located at "fs:[124]" by entering "d fs:124", but I only got the message "GetContextState failed, 0x80004001" three times followed by "bad segment error at '124'.

Next I only entered "d 124" and got a memory dump, but only filled with "??" as data.

After that I read the help file entry for the "d" command to learn all possible "dump" commands and their correct syntax, but none of them worked, even the dump commands for psysical memory failed.

So how should I read "fs:[124]" from Ring-0 with WinDBG?
Reply With Quote
  #9  
Old 04-30-2006, 06:05
deroko's Avatar
deroko deroko is offline
cr4zyserb
 
Join Date: Nov 2005
Posts: 217
Rept. Given: 13
Rept. Rcvd 30 Times in 14 Posts
Thanks Given: 7
Thanks Rcvd at 32 Times in 15 Posts
deroko Reputation: 30
gdt from softice
Code:
:gdt
...
0030  Data32    FFDFF000  00001FFF  0    P   RW <--- KPCR
003B  Data32    7FFDE000  00000FFF  3    P   RW <--- TEB
so to read address of fs:[124h] you should type

dd FFDFF000+124

when you get address you might wanna play with it a little bit with:

dt nt!_ETHREAD <address> and so on, to explore state of some interesting structures of system. I don't know if something changed on win2k3 but you can always use wARK to get gdt and you will get address of fs without a problem As I said maybe they have changed something in internal structures so maybe fs:[124] doesn't point to CurentThread, to be sure you should explore strucutres with:

dt nt!_structure (eg. dt nt!_KPCR, dt nt!_KPRCB etc...)

Regards
__________________
http://accessroot.com

Last edited by deroko; 04-30-2006 at 06:22.
Reply With Quote
  #10  
Old 05-01-2006, 15:46
MarkusO
 
Posts: n/a
Now I'm completely confused. I installed WinXP and Win2003 on a different PC. I also installed SoftICE on both PCs. The interesing point is that SoftICE loads on WinXP and Win2003.

Then I checked the part where SoftICE on Win2003 crashes on the other PC from Ring-0. (the code from above)

On WinXP, [EAX+44] points to some other memory location, so [EAX+18] can be read normally.

On Win2003, [EAX+44] has a value of NULL, so reading [EAX+18] will crash the computer.

The code crashing my computer crashes it always on Windows 2003, but for some reason it is not executed on one of the PCs.

Both computers have a totally different hardware configuration (chipset, count and manufracturer of CPUs, installed RAM), but the software is the same (expect for the hardware drivers).

Has anybody some other idea what the source of the problem might be?
Reply With Quote
  #11  
Old 05-01-2006, 16:41
taos's Avatar
taos taos is offline
The Art Of Silence
 
Join Date: Aug 2004
Location: In front of my screen
Posts: 574
Rept. Given: 65
Rept. Rcvd 44 Times in 18 Posts
Thanks Given: 64
Thanks Rcvd at 78 Times in 33 Posts
taos Reputation: 44
Quote:
Originally Posted by MarkusO
Has anybody some other idea what the source of the problem might be?
Syd (stripper author) has the same problem. He thinks that maybe because win2k3sp1 has anti-kernel-patching and his processor has EMT64 and (as I understand) supports this feature, so he has BSOD during kernel patching.

Maybe a patch for win2003...
Reply With Quote
  #12  
Old 05-02-2006, 03:34
Kerlingen
 
Posts: n/a
As far as I know "Patch Guard" is only available in the x64 editions. MarkusO also wrote that it even crashes with SP0 installed, which 100% sure had no support for "Patch Guard" and "NX-Bit".

@MarkusO:
Can you post your hardware details so we might get behind the problem?
Reply With Quote
  #13  
Old 05-02-2006, 05:58
deroko's Avatar
deroko deroko is offline
cr4zyserb
 
Join Date: Nov 2005
Posts: 217
Rept. Given: 13
Rept. Rcvd 30 Times in 14 Posts
Thanks Given: 7
Thanks Rcvd at 32 Times in 15 Posts
deroko Reputation: 30
crash spot = softice tries to get cr3 value from EPROCESS struct.
Only thing that comes to my mind is that internal structures might be changed.
Can you at least provide us with disassembly of ntoskrnl.exe!PsGetCurrentProcess , I just wanna be sure that internal structs haven't changed.
__________________
http://accessroot.com
Reply With Quote
  #14  
Old 05-02-2006, 16:44
MarkusO
 
Posts: n/a
WinXP: ntoskrnl.exe!PsGetCurrentProcess
Code:
mov eax, fs:[124]
mov eax, [eax+44]
ret
Win2003: ntoskrnl.exe!PsGetCurrentProcess
Code:
mov eax, fs:[124]
mov eax, [eax+38]
ret
So the internals structures have changed, but it is still interesting that SoftICE loads on one PC running Win2003 without executing the code at all while the other PC crashes becuase of the changed structure.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



All times are GMT +8. The time now is 14:39.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2022 )