#1
Softice under Vista
Hi
I couldn't find a lot about SoftICE working under Vista, so I decided to start this thread. SoftICE WORKS under Vista (Vista 6.0.6000.16386 vista_rtm.061101-2205). I used the installer of sice (DS) 3.2.1 version 2480 and applied the last patch from NuMega, version 2560. Vista is launched via F8 -> disable digital signature check. Sice can be launched only in Automatic or Manual mode. But IT WORKS !!

I had problems with some sice API hooks. These problems were resolved after I added some exports in ntoskrnl.exe (KeBugCheck2, MiMapViewOfImageSection, MiUnMapViewOfSection, MiCopyOnWrite) and hal.dll (HalpBiosDisplayReset). Then patching the Vista OS loader (grldr) was necessary to boot from the modified kernel (omitting the checksum and digital signature check). Now you can trace, place bpx, mod, map32 etc.

There are still some big problems, of course. The biggest are:
1) 'proc' and 'thread' don't work. I will work on them; 'proc' depends on PsActiveProcessHead and PsIdleProcess etc.
2) The loader doesn't stop at WinMain, in both Vista and XP executables, so you have to place CC at the EP manually.
3) The easiest way to BSOD: trace the ring3 code, while not nestled deep inside the r3 code, and press ret. Return to ring0 is deadly...

I tried to decipher osidata.sys too. Patching osidata.sys (or osinfo.dat) seems to be the best solution to adjust sice to Vista and other OSes in future. Here is what I found: there are 2 kinds of entries in osidata.sys.

1) "sp-entry"
   +0   - dw: length of the structure, they are 19h or 1Bh
   +2   - 3b: 1,0,0
   +5   - 4b: OS number, e.g. 2,5,0CEh,0Eh = 5.2.3790 = W2K3 SP0 / 1,5,28h,0Ah = 5.1.2600 = XP SP2 / 0,6,D2h,0Fh = 6.0.4050 = Longhorn, etc. (NtBuildNumber). The last Windows release which appears in osidata / osinfo is Longhorn 6.0.5213.
   +9   - 4b: "sp0" / "sp1" / "sp2",0 [I don't know what this is for - we already have the SP number from the previously known OS number]
   +13  - ??? - to discover - may be the detailed "build number" of the OS, something like "vista_rtm.061101-2205"

2) "api-hook-entry"
   +0   - dw: length of the structure, always 114h
   +2   - 3b: 1,0,0
   +5   - 4b: OS number
   +11h - "OSI ID" - osidata identifier for the function
   +21h - module name (where the API to hook exists), mainly ntoskrnl
   +49h - function to hook
   +85h - start search function (big thx to Kayaker for revealing the "ver ahk" command)
   +C1h - db: length of the following "start code of API"
   +C2h - piece of start code of the API which we are looking for - should be unique
   +EAh - 1,55h,28 dup (0) - ?? - maybe the signature of the "api-hook-entry" itself /like 55AA in MBR/

When the API is a public export (e.g. ntoskrnl!IoConnectInterrupt) there are nulls in [+85h] and [+C2h]. Else (e.g. MiMapViewOfImageSection, which is not a public export but can only be located using the PDB), there is a prescription for ntice for the specific OS/SP/build? on how to find this function. It looks like this: "to find MiMapViewOfImageSection in XPSP2, go to ntoskrnl export CcCopyRead ("start search function") and then look in the following code for the 9-byte piece of code: 55,8B,EC....".

The "sp-entry"s and "api-hook-entry"s are grouped in big blocks, one entry after another. The whole osinfo.dat is inserted into osidata.sys, but this is not the case with the beta-OS data (osinfob.dat). Longhorn's 6.0.4050 and 4074 data from osinfob.dat exist, but 6.0.5112, 5219, 5231 do not exist in osidata.sys. What "api-hook-entry"s are for is, I think, self-explanatory, but I'm not sure what the purpose of "sp-entry"s is.

I start this thread with the hope of interesting some of you in this subject, and getting your help, of course ) Greetings, happy New Year amigo
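An added example, not code from the post or from the SoftICE/DriverStudio product: a small Python parser for the two osidata.sys entry layouts described above, run over a constructed byte blob built with the same offsets. The field widths between the named offsets, the 8 zero bytes between +9 and +11h in the hook entry, and treating the OSI ID as raw bytes are assumptions.

```python
import struct
SP_LEN, HOOK_LEN = 0x19, 0x114   # entry sizes given in the post

def cstr(buf, off, size):
    """NUL-terminated ASCII string in a fixed-width field (widths are assumed)."""
    return buf[off:off + size].split(b"\0", 1)[0].decode("ascii", "replace")
def os_number(buf, off):
    """4-byte OS number: minor, major, little-endian build (2,5,0CEh,0Eh -> 5.2.3790)."""
    return f"{buf[off + 1]}.{buf[off]}.{struct.unpack_from('<H', buf, off + 2)[0]}"

def parse_entries(blob):
    """Walk consecutive entries; the leading length word tells the two kinds apart."""
    entries, pos = [], 0
    while pos + 2 <= len(blob):
        length = struct.unpack_from("<H", blob, pos)[0]
        e = blob[pos:pos + length]
        if len(e) < length or e[2:5] != b"\x01\x00\x00":
            raise ValueError(f"bad entry at {pos:#x}")
        if length == HOOK_LEN:
            code_len = e[0xC1]                       # db: length of the start-code pattern
            entries.append({"kind": "api-hook", "os": os_number(e, 5), "osi_id": e[0x11:0x21],
                "module": cstr(e, 0x21, 0x28), "function": cstr(e, 0x49, 0x3C),
                "search_from": cstr(e, 0x85, 0x3C), "pattern": e[0xC2:0xC2 + code_len],
                "sig_ok": e[0xEA:0xEC] == b"\x01\x55"})   # the 1,55h marker at +EAh
        else:
            entries.append({"kind": "sp", "os": os_number(e, 5), "sp": cstr(e, 9, 4)})
        pos += length
    return entries

def field(s, size):
    """Constructed helper: ASCII string zero-padded to a fixed-width field."""
    return s.encode().ljust(size, b"\0")

def build_hook(os4, osi_id, module, func, search, pattern):
    """Constructed api-hook-entry laid out at the offsets from the post (gaps zeroed)."""
    e = struct.pack("<H", HOOK_LEN) + b"\x01\x00\x00" + os4 + bytes(8)
    e += field(osi_id, 0x10) + field(module, 0x28) + field(func, 0x3C) + field(search, 0x3C)
    e += bytes([len(pattern)]) + pattern.ljust(0x28, b"\0") + b"\x01\x55" + bytes(28)
    return e.ljust(HOOK_LEN, b"\0")

def build_sp(os4, sp):
    """Constructed sp-entry: header, OS number, "spN" string, unknown tail zeroed."""
    return (struct.pack("<H", SP_LEN) + b"\x01\x00\x00" + os4 + field(sp, 4)).ljust(SP_LEN, b"\0")

# Constructed sample blob (not a real osidata.sys): sp-entry, public-export hook, pattern hook.
XP_SP2 = bytes([1, 5, 0x28, 0x0A])
SAMPLE = (build_sp(XP_SP2, "sp2")
          + build_hook(XP_SP2, "IOCI", "ntoskrnl", "IoConnectInterrupt", "", b"")
          + build_hook(XP_SP2, "MMVI", "ntoskrnl", "MiMapViewOfImageSection", "CcCopyRead", b"\x55\x8B\xEC"))
```

`parse_entries(SAMPLE)` yields the sp-entry followed by the two hook entries, with empty search fields for the exported API and the search function plus byte pattern for the non-exported one.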
#2
Awesome work, but it's easier to use VMware.
#3
purpose
My purpose is to launch sice under a live system, not to use OllyDbg / Syser / another OS / VMware etc. = not to av0id the problem )
#4
Pls forget SoftICE, use the Syser debugger!!!
#5
It will be nice for those who use Syser to give their input regarding its use on Vista. I really did not see good interest in using this debugger; I am just wondering what is wrong with it. (Sorry to hijack the post.) Regards.
Last edited by britedream; 03-01-2009 at 12:00.
#6
I used Syser a couple of times, and it did some job, but not that great, as after a few seconds the computer would freeze or become way too slow. Still, sometimes it's much faster to use Syser on Vista to find the answer instead of using WinDbg + VMware. It helped me a couple of times to find the right answers in Vista.
__________________
http://accessroot.com
Last edited by deroko; 03-02-2009 at 20:13.
#7
#8
For me, Syser is unusable under Vista, both on real hardware and within a VM; it will always crash after some minutes.
#9
I never tested Syser under Vista, but with my WinXP SP3 it works very well. Please consider that Syser is "young", so we need to wait for further improvements.
#10
We should give SYSER a fair chance.
Hello,
I also use SYSER under XP and it gets better from version to version. Still no comparison to SOFTICE; however, SOFTICE also had many problems at the beginning. I hope that the SYSER team continues, and we should give them a fair chance.
#11
SICE is one of the best debuggers ever. It's ridiculous, but after SICE died, I quit daily RE; I never had the time/enthusiasm to learn new techniques with alternative tools.
I think Syser is a good replacement for SICE, but we need to wait a little more. Amigo is doing good work. Keep it up.
#12
I used to be active here under a different handle. And then one fine day I lost my encrypted volume, which contained the login credentials of various forums and email IDs. I had to make a new one in 2004 and it was all a downward spiral for me from there. Looking forward to learning the new tools and techniques of this good old trade, which I've been a part of since 1998. Hope to get acquainted with my fellow reversers as well. Have a good day!
#13
Well, I wouldn't put it on a development machine yet. I used it for approx. 5 min without a problem on Vista and then it would start acting weird. It did a great job, and I don't regret any second of using it for those 5 min.
__________________
http://accessroot.com
#14
RAMON, you are absolutely right
Hello RAMON,
you are absolutely right. I have used SOFTICE for more than 20 years and have tried for a long time to put off a change - GeForce driver 94 no longer updated - no new graphics card beyond the GeForce 7500 - built a PC only for debugging etc. But now, in version 1.99, SYSER is an alternative. I hope the team continues. Regards
#15
Windows 7 is coming soon...