IceExt 0.51 - With Installer

[bedrock]

Hey everyone, if you haven't seen it yet then Sten has new version of excellent IceExt plugin available here:

hxxp://stenri.pisem.net/

It now has installer, but my big question to Sten is where does installer put the SRC, i looked everywhere but couldn't find it , the text displays GNU license and says IceExt comes with full source but i dont see the source on my system!

ps. Keep up the great work.

--
bedrock

[Sten]

Quote:

but my big question to Sten is where does installer put the SRC, looked everywhere but couldn't find it.

Is it unworthy for real RE specialist to use custom installation?

Sources are not needed for 90% persent IceExt users, so I decided do not include them by default.

[bedrock]

Quote:

Is it unworthy for real RE specialist to use custom installation?

I guess so

Thanks Sten, i have now found the source

--
bedrock

BSOD when starting IceExt on one of my machine.

I've install IceExt on three machines. two of them worked fine. but on this one, BSOD occured when starting.

All of the machines is:

OS: Windows Server 2003 3790
DS: DS3.0 Build 1268
Software installed: VS6 & VS2003 both.

Machine A is IBM ThinkPad i1200 Notebook with a PIII500 CPU.
Machine B is a desktop PC with I815EP chipset & PIII933 CPU.
Machine C is a desktop PC with VT693 chipset & PIII733 CPU.

IceExt works fine on Machine A&B. BSOD on Machine C.

When BSOD occured, the screen of S-ICE look like this:

Registers:

EAX=C0201C00 EBX=00000000 ECX=FAFBBBA0 EDX=804EB28A
ESI=8056D400 EDI=8056D3C0 EBP=FAFBBB30 ESP=FAFBBB18
EIP=8053E5C2 o d I S z A P C

Display Window:

----------------------------------------------------------------------
- IceExt Version 0.51
- (C) Sten, 2002-2003
----------------------------------------------------------------------
Break due to KeBugCheckEx(unhandled kernal mode exception)
Error=50(PAGE_FAULT_IN_NONPAGED_AREA)
P1=807280CC P2=0 P3=FAFBBBA0 P4=0


I've rebuilt the IceExt.sys with 3790 DDK. Problem exists still.
Version 0.50,0.4x has this problem on Machine C all.

Maybe it's something wrong on my machine.
I give you this message is ONLY inform you.

Thanks for your software.
Best regards.

Sten,
Really, when start IceExt, It is S-ICE popup with the error message I mentioned above. After I "x" from the S-ICE popup, BSOD occured .

[Sten]

Quote:

I've install IceExt on three machines. two of them worked fine. but on this one, BSOD occured when starting.

Thanks, very useful information.
First of all, ensure your machine C supports APIC. (look at the beginning of the SoftICE log. The first line shoud be something like:

NTICE: using IOAPIC at linear addesss FFD04000

Then, you should check what the addresses in parameters P1 and P3 are. (i.e. P1=807280CC P2=0 P3=FAFBBBA0 P4=0). So type in SoftICE

>what 807280§³§³
>what FAFBBBA0

and send me the results.
Also, it a good ice to use STACK command when BSOD occurs.

>stack

(send me results).

The idea is to determine the exact line in IceExt code, where
the fault occurs. If you see in SoftICE something similar to

FAxxxxBC IceExt!.text+10c3

then it is easy to inspect this address (I've included debug symbols in IceExt 0.50 to help in debugging such cases).

I'm having a problem getting this to work as well... Installation goes smoothly, but when I try to start the service, I get the following:

Quote:

System error 1450 has occurred.

Insufficient system resources exist to complete the requested service.

My setup is nothing unusual, WinXPPro+SP1, DS3.0, VS2003. I assure you that there is plenty of memory available; to test, I wrote a quick service of my own that simply allocated a bunch of memory, and it started fine, so I know it's not lack of general resources.

Have you seen this error before, or do you have any ideas about what might be wrong?

[Sten]

Quote:

Insufficient system resources exist to complete the requested service.

IceExt driver returns this terrible error when it's loaded incorrectly (not by NTICE but as ordinary driver). Check, if your SoftICE is configured to start at boot mode (change it to manual) and IceExt service Start parameter in registry should be 3 (however IceExt installer should set IceExt service Start parameter correctly).

Yea, I always have SoftICE's start mode as Manual (doesn't really work well any other way under XP), and as per the readme, I already checked the IceExt reg entry, and it is 3.

I have tried starting ntice manually, then starting IceExt, and got that error. So then I tried starting IceExt without first starting ntice, IceExt started Ntice fine (service dependancy, I'm assuming), but IceExt still gave the error.

Do I need to do something in the SoftICE settings to get it to acknowledge/recognize IceExt, or vice-versa?

Hello,

The IceExt 's !dump and !dumpscreen cmd seem not work on my PC ( an XP (SP1) os with Soft-Ice 2.7).

If I type the cmd like:
!dump \??\c:\dump.dat 400000 1000
nothing happen ! ( no dump.dat create) why ?

The exe-file I try to unpack is an Arma-packed one.

The others cmd work fine like
!bpr,
!tetris ...

Thanks for any kind of help and thanks a lot for IceExt's develppers.

Regards !

Quote:

First of all, ensure your machine C supports APIC. (look at the beginning of the SoftICE log. The first line shoud be something like:

Sten,

after IceExt startting, I cannot find ANY information about IOAPIC.

other information:

A.
Loaded kernel debugger extention IceExt.SYS at F838F000
B.
>what p1
807280CC HAL!HalInitializeProcessor
>what p3
FAFA3BA0 was not identified as any known type.
C.
>Stack
FrameEBP RetEIP Symbol
FAFA3B38 8052FE9C ntolskrnl!KeDeregisterBugCheckReasonCallBack+0171
FAFA3B88 804EA8A5 ntolskrnl!KeSetAffinityThread+D2F6
FAFA3BA0 00000000 ntolskrnl!Kei386EoiHelper+258E

Quote:

The idea is to determine the exact line in IceExt code, where

Not found.

thanks

I've sent the log to you.

Thanks a lot!

something addition.

the iceext.sys i used now is the orginal from you setup.

the mail for the log has failed to send.

================ Fri Sep 12 13:14:23 2003
NTICE: Pentium TSC calibration, processor set to 731.0 MHZ
SoftICE (R) - DriverStudio (tm) 4.3.0 (Build 1268)
Windows NT Version 5.2 - Build 3790 (Free) SP 0
Cobra
Cobra Soft
784887686F72
Copyright (c) 2003 Compuware Corporation. All rights reserved.
NTICE: LPT1 = Port: 0378
NTICE: PS/2 Mouse Detected
NTICE: 512K allocated for SYM memory
NTICE: 256K allocated for HST memory
NTICE: 32K allocated for HEAP memory
NTICE: 2048 bytes allocated for NAME memory
NTICE: EXP=\SystemRoot\system32\kernel32.dll
NTICE: EXP=\SystemRoot\system32\user32.dll
NTICE: EXP=\SystemRoot\system32\gdi32.dll
NTICE: EXP=\SystemRoot\system32\ntoskrnl.exe
NTICE: EXP=\SystemRoot\system32\hal.dll
NTICE: 111K allocated for 32 bit exports
Macro: Memory allocated for 32 Macro entries
NTICE: IoConnectInterrupt found at 805EA94D
NTICE: IoDisconnectInterrupt found at 805EAE2B
NTICE: MiMapViewOfImageSection found at 80589EDE
NTICE: MiUnmapViewOfSection found at 80589CD8
NTICE: MiAddValidPageToWorkingSet found at 804F2B13
NTICE: KeBugCheck2 found at 8053E5C1
NTICE: MiCopyOnWrite found at 804FE966
NTICE: HalDisplayString found at 80718FAE
NTICE: RtlAssert found at 8054952D
NTICE: USBD_ParseConfigurationDescriptorEx found at FB0868A8
NTICE: UhciInsertQh found at FAE7650E
NTICE: UhciUnlinkQh found at FAE76560
NTICE: USBPORT_AllocateUSBAddress found at FA281788
NTICE: HalpBiosDisplayReset found at 80719C08
NTICE: RtlAssert end found at 805495E2
NTICE: NtTerminateProcess Found at 80590CBA
NTICE: KDExtensions are enabled KDHeapSize=00008000 and KDStackSize=00008000
NTICE: Patching Keyboard using method 0
NTICE: Keyboard driver found - i8042prt.sys
NTICE: Keyboard successfully patched using RPUC hook
NTICE: Keyboard successfully patched lookup table using RPUC hook
NTICE: Found UHCI Host Controller at Bus 00 Device 07 Function 02
NTICE: Found 1 USB Host Controllers. USB HID support will be available.
NTICE: 6688 bytes allocated for use by USB HID devices
:LINES 60
:WD 8
:WC 32
:X
NTICE: Load32 START=5F9E0000 SIZE=2F000 KPEB=FF5934D8 MOD=netmsg
NTICE: Exit32 PID=294 MOD=net1
NTICE: Unload32 MOD=netmsg
NTICE: Exit32 PID=CF4 MOD=net
NTICE: Load32 START=73C80000 SIZE=17000 KPEB=FF8D1888 MOD=wbemcons
NTICE: Load32 START=9D0000 SIZE=15000 KPEB=80ECBD88 MOD=appsrvcs
NTICE: Load32 START=76F90000 SIZE=7E000 KPEB=80D9F7D8 MOD=clbcatq
NTICE: Load32 START=77010000 SIZE=C6000 KPEB=80D9F7D8 MOD=comres
NTICE: Load32 START=76540000 SIZE=50000 KPEB=80D9F7D8 MOD=cscui
NTICE: Load32 START=76520000 SIZE=1D000 KPEB=80D9F7D8 MOD=cscdll
NTICE: Load32 START=75EB0000 SIZE=106000 KPEB=80D9F7D8 MOD=browseui
NTICE: Load32 START=765A0000 SIZE=100000 KPEB=80D9F7D8 MOD=setupapi
NTICE: Load32 START=75970000 SIZE=BA000 KPEB=80D9F7D8 MOD=userenv
NTICE: Load32 START=768F0000 SIZE=24000 KPEB=80D9F7D8 MOD=ntshrui
NTICE: Load32 START=71B70000 SIZE=33000 KPEB=80D9F7D8 MOD=uxtheme
NTICE: Load32 START=76920000 SIZE=157000 KPEB=80D9F7D8 MOD=shdocvw
NTICE: Load32 START=71BD0000 SIZE=11000 KPEB=80D9F7D8 MOD=mpr
NTICE: Load32 START=75E90000 SIZE=7000 KPEB=80D9F7D8 MOD=drprov
NTICE: Load32 START=5F120000 SIZE=E000 KPEB=80D9F7D8 MOD=ntlanman
NTICE: Load32 START=5F8A0000 SIZE=16000 KPEB=80D9F7D8 MOD=netui0
NTICE: Load32 START=5F860000 SIZE=31000 KPEB=80D9F7D8 MOD=netui1
NTICE: Load32 START=5CCF0000 SIZE=10000 KPEB=80D9F7D8 MOD=samlib
NTICE: Load32 START=75EA0000 SIZE=9000 KPEB=80D9F7D8 MOD=davclnt
NTICE: Load32 START=768E0000 SIZE=8000 KPEB=80D9F7D8 MOD=linkinfo

[Sten]

2Satyric0n: I was informed there is a bug in my new installer. It does not set registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTice]
"KDExtensions"="IceExt.SYS"

So you may want to check it.

2wps8848:

Quote:

>what p1
807280CC HAL!HalInitializeProcessor

Well, it's up to you now to determine why memory reference to HalInitializeProcessor leads to BSOD.. There is routine inside multicpu.cpp that counts number of CPUs (mp_GetNumberOfCPUs()). And this routine references to HalInitializeProcessor. You can insert breakpoint at the begining
and trace though it..
Do you have a non-standard HAL?

Yeah, it seems your chipset does not support APIC but that should not be the problem. I've just revised IceExt code. Currently, it does not use any APIC specific things.

[Sten]

2donneraza:

Quote:

The exe-file I try to unpack is an Arma-packed one

It's CopyMemII I think. It's unlikely nothing happens at all. There should be some errors the memory is inaccessible or like that.

Quote:

Yeah, it seems your chipset does not support APIC and IceExt from v0.40 uses it.. I'll add some checks into IceExt code.

I think so.

cause, version 0.3x is worked fine on this machine.