Exetools - General Discussion
#1 - amigo - 01-06-2009, 13:36
Softice under Vista

Hi
I couldn't find a lot about Softice working under Vista, so I decided to start this thread. Softice WORKS under Vista (Vista 6.0.6000.16386 vista_rtm.061101-2205). I used the installer of sice (DS) 3.2.1 version 2480 and applied the last patch from Numega, version 2560. Vista is launched via F8 -> disable digital signature check. Sice can be launched only in Automatic or Manual mode. But IT WORKS!! I have had problems with some sice API hooks. These problems were resolved after I added some exports in ntoskrnl.exe (KeBugCheck2, MiMapViewOfImageSection, MiUnMapViewOfSection, MiCopyOnWrite) and hal.dll (HalpBiosDisplayReset). Then patching of the Vista OS loader (grldr) was necessary to boot from the modified kernel (omitting the checksum and digital signature control). Now you can trace, place bpx, mod, map32 etc. There are still some big problems, of course. The biggest are:
1) 'Proc' and 'thread' don't work. I will work on them; 'proc' depends on PsActiveProcessHead, PsIdleProcess etc.
2) The loader doesn't stop at WinMain, both in Vista and XP executables, so you have to place CC at the EP manually.
3) The easiest way to BSOD: trace the ring3 code, being not nestled deep inside the r3 code, and press ret. Return to ring0 is deadly...
I tried to decipher osidata.sys too. Patching osidata.sys (or osinfo.dat) seems to be the best solution to adjust sice to Vista and other OSes in future. Here is what I found: there are 2 kinds of entries in osidata.sys.
1) "sp-entry"
0 - dw: length of the structure, they are 19h or 1Bh
+2 - 3b: 1,0,0
+5 - 4b: OS number, f.e. 2,5,0CEh,0Eh = 5.2.3790 = W2K3 SP0 / 1,5,28h,0Ah = 5.1.2600 = XP SP2 / 0,6,D2h,0Fh = 6.0.4050 = Longhorn, etc. (NtBuildNumber). The last Windows release which appears in osidata / osinfo is Longhorn 6.0.5213.
+9 - 4b: "sp0" / "sp1" / "sp2",0 [I don't know what this is for - we already have the SP number from the previously known OS number]
+13 - ??? - to discover - maybe the detailed "build number" of the OS, something like "vista_rtm.061101-2205"

2) "api-hook-entry"
0 - dw: length of the structure, always 114h
+2 - 3b: 1,0,0
+5 - 4b: OS number
+11h - "OSI ID" - osidata identifier for the function
+21h - module name (where the API to hook exists), mainly ntoskrnl
+49h - function to hook
+85h - start search function (big thx to Kayaker for revealing the "ver ahk" command)
+C1h - db: length of the following "start code of API"
+C2h - piece of start code of the API which we are looking for - should be unique
+EAh - 1,55h,28 dup (0) - ?? - maybe the signature of the "api-hook-entry" itself /like 55AA in MBR/

When the API is a public export (f.e. ntoskrnl!IoConnectInterrupt) there are nulls in [+85h] and [+C2h]. Else (f.e. MiMapViewOfImageSection, which is not a public export but can only be localised using the PDB), there is a prescription for ntice for a specific OS/SP/build?, how to find this function. It looks like this: "to find MiMapViewOfImageSection in XPSP2, go to the ntoskrnl export CcCopyRead ("start search function") and then look in the following code for the 9-byte piece of code: 55,8B,EC....". The "sp-entry"s and "api-hook-entry"s are grouped in big blocks, one entry after another. The whole osinfo.dat is inserted into osidata.sys, but this is not the case with the beta-OS data (osinfob.dat). Longhorn's 6.0.4050 and 4074 data from osinfob.dat exist, but 6.0.5112, 5219, 5231 do not exist in osidata.sys. What the "api-hook-entry"s are for is, I think, self-explanatory, but I'm not sure what the purpose of the "sp-entry"s is.

I start this thread in the hope of interesting some of you in this subject, and getting your help, of course.
Greetings, happy New Year
amigo
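The two entry layouts amigo describes above, written out as a small parser (added example, not code from the post or from the NuMega/Compuware product). It walks a blob of back-to-back entries using the u16 length at +0, decodes the 4-byte OS number the way the post's examples imply (minor, major, then a little-endian build word), and splits an api-hook-entry at the offsets given. The sample blob, the OSI ID string and the 9 start-code bytes are constructed for the demo; the bytes the post marks as unknown are kept raw.

```python
import struct

# Offsets and lengths as described in the post; bytes it marks as unknown are kept raw.
SP_ENTRY_LENGTHS = {0x19, 0x1B}
API_HOOK_LENGTH = 0x114

def decode_os_number(raw):
    # The post's examples (2,5,CEh,0Eh -> 5.2.3790) give [minor, major, build u16 LE].
    minor, major, build = struct.unpack("<BBH", raw[:4])
    return f"{major}.{minor}.{build}"

def cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_entry(chunk):
    if chunk[2:5] != b"\x01\x00\x00":
        raise ValueError("unexpected bytes at +2 (expected 1,0,0)")
    entry = {"os": decode_os_number(chunk[5:9])}
    if len(chunk) in SP_ENTRY_LENGTHS:
        entry.update(kind="sp-entry", sp=cstr(chunk[9:13]), unknown=chunk[13:])
    elif len(chunk) == API_HOOK_LENGTH:
        code_len = chunk[0xC1]
        entry.update(kind="api-hook-entry", osi_id=cstr(chunk[0x11:0x21]),
                     module=cstr(chunk[0x21:0x49]), function=cstr(chunk[0x49:0x85]),
                     search_from=cstr(chunk[0x85:0xC1]),
                     start_code=chunk[0xC2:0xC2 + code_len], trailer=chunk[0xEA:])
    else:
        raise ValueError(f"unknown entry length {len(chunk):#x}")
    return entry

def parse_osidata(blob):
    # Entries are packed back to back; the u16 at +0 is each entry's total length.
    entries, off = [], 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated length field")
        length = struct.unpack_from("<H", blob, off)[0]
        if length < 9 or off + length > len(blob):
            raise ValueError(f"bad entry length {length:#x} at offset {off:#x}")
        entries.append(parse_entry(blob[off:off + length]))
        off += length
    return entries

def field(text, size):
    return text.encode("ascii").ljust(size, b"\0")

# Constructed sample (not a real osidata.sys): an XP SP2 sp-entry followed by an
# api-hook-entry for a non-exported function; OSI ID and the 9 start-code bytes are invented.
SAMPLE = struct.pack("<HBBBBBH", 0x19, 1, 0, 0, 1, 5, 2600) + field("sp2", 4) + b"\0" * 12
SAMPLE += (struct.pack("<HBBBBBH", 0x114, 1, 0, 0, 1, 5, 2600) + b"\0" * 8
           + field("OSI_ID_0001", 0x10) + field("ntoskrnl", 0x28) + field("MiMapViewOfImageSection", 0x3C)
           + field("CcCopyRead", 0x3C) + bytes([9]) + bytes.fromhex("558BEC83EC10535657").ljust(0x28, b"\0")
           + b"\x01\x55" + b"\0" * 0x28)
```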
#2 - Av0id - 01-07-2009, 14:17
Awesome work, but it's easy to use VMware.
#3 - amigo - 01-13-2009, 20:51
purpose

My purpose is to launch sice on a live system, not to use ollydbg / syser / another OS / vmware etc = not to av0id the problem )
#4 - arlequim - 02-08-2009, 21:11
Pls forget SoftIce, use Syser debugger!!!
#5 - britedream - 03-01-2009, 11:58
Quote, originally posted by arlequim:
Pls forget SoftIce, use Syser debugger!!!

It will be nice for those who use Syser to give their input regarding its use on Vista. I really did not see much interest in using this debugger; I am just wondering what is wrong with it. (Sorry to hijack the post.)

Regards.

#6 - deroko - 03-02-2009, 09:02
I used Syser a couple of times, and it did some job, but not that great, as after a few seconds the computer would freeze or become way too slow. Still, sometimes it's much faster to use Syser on Vista to find an answer instead of using windbg + vmware. It helped me a couple of times to find the right answers in Vista.
__________________
http://accessroot.com
#7 - dubya - 03-06-2009, 21:48
Quote, originally posted by deroko:
I used Syser a couple of times, and it did some job, but not that great, as after a few seconds the computer would freeze or become way too slow. Still, sometimes it's much faster to use Syser on Vista to find an answer instead of using windbg + vmware. It helped me a couple of times to find the right answers in Vista.
How stable is it under XP and inside a virtual machine? Is it safe enough to put it on a development/production machine running Vista SP1?
#8 - nuemga2000 - 03-07-2009, 00:47
For me, Syser is unusable under Vista, both on real hardware and within a VM; it will always crash after some minutes.
#9 - arlequim - 03-07-2009, 01:23
I never tested Syser under Vista, but on my WinXP SP3 it works very well. Please consider that Syser is "young", so we need to wait for further improvements.
#10 - ripred - 03-07-2009, 02:57
We should give SYSER a fair chance.

Hello,
I also use SYSER under XP, and it gets better from version to version. Still no comparison to SOFTICE; however, SOFTICE also had many problems at the beginning. I hope that the SYSER team continues, and we should give them a fair chance.
#11 - Ramon - 03-07-2009, 10:49
SICE is one of the best debuggers ever. It's ridiculous, but after SICE died, I quit daily RE; I never had the time/enthusiasm to learn new techniques with alternative tools.

I think Syser is a good replacement for SICE, but we need to wait a little more.

Amigo is doing good work. Keep it up.
#12 - dubya - 03-07-2009, 16:25
Quote, originally posted by Ramon:
SICE is one of the best debuggers ever. It's ridiculous, but after SICE died, I quit daily RE; I never had the time/enthusiasm to learn new techniques with alternative tools.
Almost the same here as well. When Compuware took over SICE development and marketing, it marked the end of an era. Because of the numerous patches and driver issues, it was not really very intuitive or productive to use SICE on development machines later on.

I used to be active here under a different handle. And then one fine day I lost my encrypted volume, which contained the login credentials of various forums and email IDs. I had to make a new one in 2004, and it was all a downward spiral for me from there.

Looking forward to learning new tools and techniques of this good old trade, which I've been a part of since 1998. Hope to get acquainted with my fellow reversers as well.

Have a good day!
#13 - deroko - 03-07-2009, 19:32
Quote, originally posted by dubya:
How stable is it under XP and inside a virtual machine? Is it safe enough to put it on a development/production machine running Vista SP1?
Well, I wouldn't put it on a development machine yet. I used it for approx. 5 min without a problem on Vista, and then it would start acting weird. It did a great job, and I don't regret any second of using it for those 5 mins.
__________________
http://accessroot.com
#14 - ripred - 03-07-2009, 23:49
RAMON, you are absolutely right

Hello RAMON,

you are absolutely right. I have used SOFTICE for more than 20 years and tried for a long time to put off a change - Gforce driver from '94 no longer updated - no new graphics card beyond the Gforce 7500 - made a PC only for debugging, etc.

But now, in version 1.99, SYSER is an alternative. I hope the team continues.

Regards
#15 - mood561 - 03-09-2009, 15:20
Windows 7 is coming soon...