|
Low level WinNT debugger
Clarification
Sorry, I wasn't being clear before. But what I really want to know is how SoftICE gets to load so early on in the Windows boot process. Original Post: Hi I was wondering whether anyone knows how low level debuggers like SoftICE work? I am trying to do something similar but the lowest level I can get to is to write a software device driver, which can still be debugged by SoftICE. |
i think that everything is about RING mode, even SICE has your own sys driever in %SystemRoot%\system32\drivers
and my friend show me, somotime, that SICE loads up before windows and on Hercules monitor we see loading every windows modules but inside magic of SICE is (i think) very difficult |
Quote:
Good start point iz learnig how icedump or iceext work from his source code .. ;) Sorry for my bad english iam only human ;o)) |
1. read one books..<Debugging Applications>
2. read win2k souce code in windows/windbg/*/... 3. learn some driver dev.... ok.u can design one debugger named.....XSoftice?? |
I also suggest one good book.
"How debuggers Work",Wiley. It tell you how the debugger works on windows and Unix . |
I don't think Ring 0 code will help. It did back in Win9x, and that's how TRW2000 works. However, I still cannot find any alternatives to SoftICE for WinNT. The problem I see is that the people at NuMega/Compuware seems to know something about WindowsNT that is not published. I can write a low level driver that loads. However, it is not low enough because it can still be debugged by SoftICE! What I want is something that is in the same level at SoftICE, so I can see and maybe alter the loading process of Windows programmatically.
I also suggest one good book. "How debuggers Work",Wiley. It tell you how the debugger works on windows and Unix . Who is the author? And more importantly, do you have a soft copy? And does it tell you about low level debuggers, or just the application level ones (ie the ones written using the Windows Debugging API) "Good start point iz learnig how icedump or iceext work from his source code .. " I am unaware where you can get icedump or iceext's source code.... |
Quote:
Sorry iam only human ;o)) |
auroras:
I don't think "contributing" a certain number of posts means dividing your response into 3 posts and posting part of it every two minutes. That is called padding your post count. I've made one post out of your comments and deleted the other two. Regards, |
Look for "Debugging Applications" by John Robbins. "Inside MS Windows 2000" by David A. Solomon and Mark E. Russinovich may help you.
|
SICE's core is a driver
|
so then if SICE core is kernel driver i think that it can run under ring0 privileges
by u can find some useful thing about Ring mode in very useful virus ezines from 29A labs :) http://29a.host.sk/ |
Look for mamaich's BlindStudio debugger with sources on Elicz's site
|
Quote:
I don't think it is about whether it is a kernel driver, but rather about when SoftICE loads. SoftICE seems to always start first, and can actually debug other kernel drivers when they load. Just wondering how they manage to do that.... Re: BlindStudio Thanks a lot! |
Intel manuals will be useful as well
|
SoftICE have at least two components ALL components load as standard
drivers: 1. siwvid.sys - mostly UI code load as SERVICE_BOOT_START driver 2. ntice.sys - SoftICE heart can load as SERVICE_BOOT_START but also can load as SERVICE_SYSTEM_START or SERVICE_DEMAND_START drver Most frequently ntice.sys configured as SERVICE_SYSTEM_START driver 3. Sometimes if ntice.sys load as SERVICE_BOOT_START it use third part: siwsym.sys - SERVICE_BOOT_START driver where packed symbolic and config info. This module used because in time when loaded SERVICE_BOOT_START drivers no file I/O services available (this drivers load by NTLDR). P.S. Sorry for my poor english |
| All times are GMT +8. The time now is 20:19. |
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX