Exetools  

amigo, 01-06-2009, 13:36
Softice under Vista

Hi
I couldn't find a lot about Softice working under Vista, so I decided to start this thread. Softice WORKS under Vista (Vista 6.0.6000.16386 vista_rtm.061101-2205). I used the installer of sice (DS) 3.2.1 version 2480 and applied the last patch from Numega, version 2560. Vista is launched via F8 -> disable digital signature check. Sice can be launched only in Automatic or Manual mode. But IT WORKS!! I have had problems with some sice API hooks. These problems were resolved after I added some exports to ntoskrnl.exe (KeBugCheck2, MiMapViewOfImageSection, MiUnMapViewOfSection, MiCopyOnWrite) and hal.dll (HalpBiosDisplayReset). Then patching of the Vista OS loader (grldr) was necessary to boot from the modified kernel (omitting the checksum and digital signature check). Now you can trace, place bpx, mod, map32 etc. There are still some big problems, of course. The biggest are:
1) 'Proc' and 'thread' don't work. I will work on them; 'proc' depends on PsActiveProcessHead and PsIdleProcess etc.
2) The loader doesn't stop at WinMain, in both Vista and XP executables, so you have to place CC at the EP manually.
3) The easiest way to BSOD: trace the ring3 code, when not nested deep inside the r3 code, and press ret. Return to ring0 is deadly...
I tried to decipher osidata.sys too. Patching osidata.sys (or osinfo.dat) seems to be the best solution to adjust sice to Vista and other OSes in the future. This is what I found: there are 2 kinds of entries in osidata.sys:
1) "sp-entry" -
+0 - dw: length of the structure, either 19h or 1Bh
+2 - 3b: 1,0,0
+5 - 4b: OS number, e.g. 2,5,0CEh,0Eh = 5.2.3790 = W2K3 SP0 / 1,5,28h,0Ah = 5.1.2600 = XP SP2 / 0,6,D2h,0Fh = 6.0.4050 = Longhorn, etc. (NtBuildNumber). The last Windows release which appears in osidata / osinfo is Longhorn 6.0.5213.
+9 - 4b: "sp0" / "sp1" / "sp2",0 [I don't know what this is for - we already have the SP number from the previously known OS number]
+13 - ??? - to discover - maybe a detailed "build number" of the OS, something like "vista_rtm.061101-2205"

2) "api-hook-entry" -
+0 - dw: length of the structure, always 114h
+2 - 3b: 1,0,0
+5 - 4b: OS number
+11h - "OSI ID" - osidata identifier for the function
+21h - module name (where the API to hook exists), mainly ntoskrnl
+49h - function to hook
+85h - start search function (big thx to Kayaker for revealing the "ver ahk" command)
+C1h - db: length of the following "start code of API"
+C2h - piece of start code of the API which we are looking for - should be unique
+EAh - 1,55h,28 dup (0) - ?? - maybe the signature of the "api-hook-entry" itself /like 55AA in MBR/

When the API is a public export (e.g. ntoskrnl!IoConnectInterrupt), there are nulls in [+85h] and [+C2h]. Otherwise (e.g. MiMapViewOfImageSection, which is not a public export, but can only be located using the PDB), there is a prescription for ntice for a specific OS/SP/build? on how to find this function. It looks like this: "to find MiMapViewOfImageSection in XPSP2, go to the ntoskrnl export CcCopyRead ("start search function") and then look in the following code for the 9-byte piece of code: 55,8B,EC....". The "sp-entry"s and "api-hook-entry"s are grouped in big blocks, one entry after another. The whole osinfo.dat is inserted into osidata.sys, but this is not the case with the beta-OS data (osinfob.dat). Longhorn's 6.0.4050 and 4074 data from osinfob.dat exist, but 6.0.5112, 5219 and 5231 do not exist in osidata.sys. What the "api-hook-entry"s are for is, I think, self-explanatory, but I'm not sure what the purpose of the "sp-entry"s is.

I started this thread in the hope of interesting some of you in this subject, and getting your help, of course.
Greetings, happy New Year
amigo
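As an added example (not code from amigo's post, nor SoftICE's own), a parser for the two entry layouts described in the post, assuming the offsets exactly as listed there; the sample block is constructed for the example and is not bytes from a real osidata.sys.

```python
import struct
# Offsets follow the two layouts amigo describes in the post; they are an
# assumption about osidata.sys, not a documented format.
SP_ENTRY_LENS = {0x19, 0x1B}
HOOK_ENTRY_LEN = 0x114

def _cstr(buf):  # NUL-padded ASCII field
    return buf.split(b"\0", 1)[0].decode("ascii", "replace")
def _os_version(b):  # 4-byte OS number: minor, major, build as LE word
    minor, major, build = struct.unpack("<BBH", b)
    return f"{major}.{minor}.{build}"

def parse_entry(blob, off):
    """Parse one entry at `off`; the length word at +0 selects the kind."""
    (length,) = struct.unpack_from("<H", blob, off)
    e = blob[off:off + length]
    if len(e) != length or e[2:5] != b"\1\0\0":
        raise ValueError(f"bad entry header at {off:#x}")
    rec = {"length": length, "os": _os_version(e[5:9])}
    if length == HOOK_ENTRY_LEN:
        code_len = e[0xC1]
        rec.update(kind="api-hook-entry", osi_id=_cstr(e[0x11:0x21]),
                   module=_cstr(e[0x21:0x49]), function=_cstr(e[0x49:0x85]),
                   search_from=_cstr(e[0x85:0xC1]),
                   start_code=e[0xC2:0xC2 + code_len], trailer=e[0xEA:])
        # a public export carries no search function and no start code
        rec["public_export"] = not rec["search_from"] and code_len == 0
    elif length in SP_ENTRY_LENS:
        rec.update(kind="sp-entry", sp=_cstr(e[9:13]), extra=e[13:])
    else:
        raise ValueError(f"unknown entry length {length:#x} at {off:#x}")
    return rec

def parse_entries(blob):  # walk a block of back-to-back entries
    out, off = [], 0
    while off + 2 <= len(blob):
        out.append(parse_entry(blob, off))
        off += out[-1]["length"]
    return out

# Constructed sample (not bytes from a real osidata.sys): an sp-entry for
# XP SP2, then an api-hook-entry for a non-exported Mi routine.
_field = lambda s, size: s.encode().ljust(size, b"\0")  # NUL-pad a field
XP_SP2 = bytes([1, 5, 0x28, 0x0A])
SAMPLE = (struct.pack("<H", 0x19) + b"\1\0\0" + XP_SP2 + b"sp2\0" + b"\0" * 12
          + struct.pack("<H", HOOK_ENTRY_LEN) + b"\1\0\0" + XP_SP2 + b"\0" * 8
          + _field("MIMAPVIEW", 0x10) + _field("ntoskrnl", 0x28)
          + _field("MiMapViewOfImageSection", 0x3C) + _field("CcCopyRead", 0x3C)
          + bytes([9]) + bytes.fromhex("558bec83ec1c8b450c").ljust(0x28, b"\0")
          + b"\x01\x55" + b"\0" * 0x28)
```

The start-code bytes and the "MIMAPVIEW" identifier in the sample are made up; only the field offsets come from the post.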