#1
SoftICE crashing on Windows 2003
I wanted to debug some program which only runs on a "Windows Server" OS. So I installed Windows 2003 on my PC, installed chipset and graphics drivers and used Windows Update to get the latest patches. Then I disabled the "NX-Bit", which is set to "all applications" by default on Windows 2003.
Then I installed SoftICE from DriverStudio 3.2, replaced the OSINFO(B).DAT included with the latest versions (dated 08/13/05 and 10/20/05) and rebooted my PC. But my PC crashed with a BSOD in "CptHook.sys". I tried several times without success. When telling the SoftICE boot-loader not to start the hooking engine, Windows boots normally, but I can't load SoftICE. I checked the system requirements and it says:
Quote:
Does anybody have any idea what the reason for the crashes might be?
#2
Yes.. Treat Windows 2003 Server SP1 like Windows XP SP2. This is one reason SoftICE is dead.
I would suggest you do your debugging with no service pack installed. That way you can debug with very few issues. Otherwise you will need to use M$ tools for debugging. I just had another thought.. M$ has a debug version of Windows 2003 Server SP1.. I wonder if this helps you?
#3
If Windows 2003 SP1 ran the same way as Windows XP SP2, then SoftICE would run, since it runs well on WinXP SP2 for me.
I don't have Windows 2003 SP0, since the CD I copied was the official Windows 2003 CD with SP1 already integrated (no homemade "all-in-one" crap from the internet). I'm no MSDN subscriber, so I don't have access to the debug version of Windows 2003 SP1. I checked at what place the code is crashing, but even though it's totally clear what the code does (no unknown variables), I don't understand why it works on Windows XP but not on Windows 2003.
Code:
xor eax,eax
add eax,[000130C7]   ; hard-coded value: 120h
add eax,[000130CB]   ; hard-coded value: 4h
mov eax,fs:[eax]     ; fs:[124h]
add eax,[000130CF]   ; hard-coded value: 34h
add eax,[000130D3]   ; hard-coded value: 10h
mov eax,[eax]        ; [eax+44h]
add eax,[000130D7]   ; hard-coded value: 18h
mov eax,[eax]        ; <-- crash location
mov [edi][1C],eax
retn
Code:
mov eax, fs:[124h]
mov eax, [eax+44h]
mov eax, [eax+18h]   ; <-- crash location
#4
I still had no luck running SoftICE on Windows 2003 SP1. I finally was able to get Windows 2003 SP0. But SoftICE again crashes at the same location.
Is it possible that SoftICE has problems when too much memory is installed in the computer? (like the "vcache" problem on Win9x with 512 MB RAM)
#5
Quote:
Code:
kpcr+124h     = current thread
kthread+44h   = KPROCESS
KPROCESS+18h  = DirectoryTableBase (value of cr3 for the current process)
Maybe in win2k3 kthread is changed, so kthread+44 returns something else. If you can, install livekd from www.sysinternals.com and tell us what is located at offset 44 of kthread. I would really love to know.
__________________
http://accessroot.com
#6
I'm not used to the built-in debugger of Windows or to LiveKD. But as far as I understood it, you must configure the debugger in the "boot.ini". After that, Windows waits in an infinite loop until somebody attaches to the built-in debugger over a COM port or over FireWire.
But I don't have any serial or 1394 cable available to try this and I also currently don't have a second PC available. Can you tell me how I should use LiveKD to debug the SoftICE hooking engine?
#7
It is for exploring the system, not for debugging, but you can see anything in ring 0 with it (hooks, for example, if you load it after the hooks are performed). Very useful tool, and it doesn't require two computers to work.
__________________
http://accessroot.com
#8
It seems like I'm a bit too stupid to use LiveKD. I did the following:
First I tried to show what's located at "fs:[124]" by entering "d fs:124", but I only got the message "GetContextState failed, 0x80004001" three times, followed by "bad segment error at '124'". Next I only entered "d 124" and got a memory dump, but only filled with "??" as data. After that I read the help file entry for the "d" command to learn all possible "dump" commands and their correct syntax, but none of them worked; even the dump commands for physical memory failed. So how should I read "fs:[124]" from Ring-0 with WinDbg?
#9
gdt from SoftICE
Code:
:gdt
...
0030 Data32 FFDFF000 00001FFF 0 P RW   <--- KPCR
003B Data32 7FFDE000 00000FFF 3 P RW   <--- TEB
dd FFDFF000+124
When you get the address you might wanna play with it a little bit with:
Code:
dt nt!_ETHREAD <address>
and so on, to explore the state of some interesting structures of the system. I don't know if something changed on win2k3, but you can always use wARK to get the gdt and you will get the address of fs without a problem. As I said, maybe they have changed something in internal structures, so maybe fs:[124] doesn't point to CurrentThread; to be sure you should explore structures with:
Code:
dt nt!_structure   (e.g. dt nt!_KPCR, dt nt!_KPRCB etc...)
Regards
__________________
http://accessroot.com
Last edited by deroko; 04-30-2006 at 06:22.
#10
Now I'm completely confused. I installed WinXP and Win2003 on a different PC. I also installed SoftICE on both PCs. The interesting point is that SoftICE loads on WinXP and Win2003.
Then I checked the part where SoftICE on Win2003 crashes on the other PC from Ring-0 (the code from above). On WinXP, [EAX+44] points to some other memory location, so [EAX+18] can be read normally. On Win2003, [EAX+44] has a value of NULL, so reading [EAX+18] will crash the computer. The code crashing my computer always crashes it on Windows 2003, but for some reason it is not executed on one of the PCs. Both computers have a totally different hardware configuration (chipset, count and manufacturer of CPUs, installed RAM), but the software is the same (except for the hardware drivers). Does anybody have any other idea what the source of the problem might be?
#11
Quote:
Maybe a patch for win2003...
#12
As far as I know "Patch Guard" is only available in the x64 editions. MarkusO also wrote that it even crashes with SP0 installed, which for sure had no support for "Patch Guard" and the "NX-Bit".
@MarkusO: Can you post your hardware details so we might get to the bottom of the problem?
#13
crash spot = SoftICE tries to get the cr3 value from the EPROCESS struct.
The only thing that comes to my mind is that internal structures might be changed. Can you at least provide us with a disassembly of ntoskrnl.exe!PsGetCurrentProcess? I just wanna be sure that internal structs haven't changed.
__________________
http://accessroot.com
#14
WinXP: ntoskrnl.exe!PsGetCurrentProcess
Code:
mov eax, fs:[124]    ; KPCR+124h -> current KTHREAD
mov eax, [eax+44]    ; KTHREAD+44h -> KPROCESS
ret
Win2003: ntoskrnl.exe!PsGetCurrentProcess
Code:
mov eax, fs:[124]    ; KPCR+124h -> current KTHREAD
mov eax, [eax+38]    ; KTHREAD+38h -> KPROCESS (was +44h on XP)
ret
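As an added example (not code from the thread, from SoftICE or from Windows): the two disassemblies above explain the crash from post #3. SoftICE walks KPCR+124h -> KTHREAD, then uses the XP offset +44h to reach KPROCESS and +18h for DirectoryTableBase, but on Windows 2003 the KPROCESS pointer moved to +38h and +44h happened to hold zero, which is exactly the NULL post #10 saw. The user-mode C program below models that mismatch with constructed stand-in structures: the build numbers, the padding, the sample CR3 value and the fake thread/process blocks are all assumptions made for the illustration, and only the two offsets the thread reports are taken from the posts. It contrasts the hard-coded XP-offset walk with a build-keyed, NULL-checked variant.

```c
/*
 * Added example, not part of the original thread or of SoftICE.
 * Models why hard-coded KTHREAD offsets break across Windows versions.
 * Only the offsets below come from the thread's disassemblies; the
 * structures, build numbers and CR3 value are constructed stand-ins.
 * Runs entirely in user mode and touches no real kernel memory.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KPROCESS_DIRBASE_OFF 0x18u        /* KPROCESS.DirectoryTableBase (post #5) */
#define KTHREAD_PROCESS_OFF_XP   0x44u    /* PsGetCurrentProcess on XP   (post #14) */
#define KTHREAD_PROCESS_OFF_2003 0x38u    /* PsGetCurrentProcess on 2003 (post #14) */

/* Assumed build numbers used as the lookup key. */
enum os_build { BUILD_XP = 2600, BUILD_2003 = 3790 };

/* Constructed stand-in for KPROCESS: everything before +0x18 is padding. */
struct fake_kprocess { uint8_t pad[KPROCESS_DIRBASE_OFF]; uint32_t DirectoryTableBase; };

struct cr3_result { int status; uint32_t cr3; };  /* status 0 = ok, <0 = refused */

/* Where the KPROCESS pointer sits inside KTHREAD for a given build; 0 = unknown. */
static size_t kthread_process_offset(int build)
{
    switch (build) {
    case BUILD_XP:   return KTHREAD_PROCESS_OFF_XP;
    case BUILD_2003: return KTHREAD_PROCESS_OFF_2003;
    default:         return 0;            /* unknown layout: refuse to guess */
    }
}

/* Mirrors the crashing SoftICE snippet: XP offsets, no version check. */
static struct cr3_result get_cr3_hardcoded(const uint8_t *kthread)
{
    struct cr3_result r = { 0, 0 };
    const uint8_t *kprocess;
    memcpy(&kprocess, kthread + KTHREAD_PROCESS_OFF_XP, sizeof kprocess);
    if (kprocess == NULL) {               /* in ring 0 the next read is the BSOD */
        r.status = -1;
        return r;
    }
    memcpy(&r.cr3, kprocess + KPROCESS_DIRBASE_OFF, sizeof r.cr3);
    return r;
}

/* Build-keyed variant with a NULL check before dereferencing. */
static struct cr3_result get_cr3_checked(const uint8_t *kthread, int build)
{
    struct cr3_result r = { 0, 0 };
    size_t off = kthread_process_offset(build);
    const uint8_t *kprocess;
    if (off == 0) { r.status = -2; return r; }
    memcpy(&kprocess, kthread + off, sizeof kprocess);
    if (kprocess == NULL) { r.status = -1; return r; }
    memcpy(&r.cr3, kprocess + KPROCESS_DIRBASE_OFF, sizeof r.cr3);
    return r;
}

/* Constructed KTHREAD image: process pointer at the build's offset, zero
 * everywhere else, which is what post #10 observed at +0x44 on 2003. */
static void make_fake_kthread(uint8_t *kthread, size_t len, int build, const void *kprocess)
{
    memset(kthread, 0, len);
    memcpy(kthread + kthread_process_offset(build), &kprocess, sizeof kprocess);
}

/* Runs one lookup against a constructed thread/process pair for `build`. */
struct cr3_result lookup_cr3(int build, int hardcoded)
{
    struct fake_kprocess proc;
    uint8_t kthread[0x100];
    memset(&proc, 0, sizeof proc);
    proc.DirectoryTableBase = 0x00039000u; /* constructed sample CR3 value */
    make_fake_kthread(kthread, sizeof kthread, build, &proc);
    return hardcoded ? get_cr3_hardcoded(kthread) : get_cr3_checked(kthread, build);
}

int main(void)
{
    static const int builds[] = { BUILD_XP, BUILD_2003 };
    for (size_t i = 0; i < 2; i++) {
        struct cr3_result h = lookup_cr3(builds[i], 1);
        struct cr3_result c = lookup_cr3(builds[i], 0);
        printf("build %d: hardcoded status=%d cr3=%08x | checked status=%d cr3=%08x\n",
               builds[i], h.status, h.cr3, c.status, c.cr3);
    }
    return 0;
}
```

On the XP model both routines return the sample CR3; on the 2003 model the hard-coded walk finds NULL at +44h and stops where SoftICE would have blue-screened, while the build-keyed walk reads +38h and succeeds. The point for anyone maintaining a ring-0 tool is the same as the thread's conclusion: offsets into undocumented kernel structures must be keyed by build (OSINFO-style tables) and every pointer taken from them checked before use.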