Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Softice under Vista (https://forum.exetools.com/showthread.php?t=11935)

amigo 01-06-2009 13:36

Softice under Vista
 
Hi
I couldn't find a lot about Softice working under Vista, so I decided to start this thread. Softice WORKS under Vista (Vista 6.0.6000.16386 vista_rtm.061101-2205). I used the installer of sice (DS) 3.2.1 version 2480 and applied the last patch from Numega, version 2560. Vista is launched via F8 -> disable digital sign check. Sice can be launched only in Automatic or Manual mode. But IT WORKS !! :). I have had problems with some sice api hooks. These problems were resolved after I added some exports in ntoskrnl.exe (KeBugCheck2, MiMapViewOfImageSection, MiUnMapViewOfSection, MiCopyOnWrite) and hal.dll (HalpBiosDisplayReset). Then patching of the vista OS loader (grldr) was necessary to boot from the modified kernel (omitting checksum and digital sign control). Now you can trace, place bpx, mod, map32 etc :)). There are still some big problems, of course :) The biggest are:
1) 'Proc' and 'thread' don't work. I will work on them; 'proc' depends on PsActiveProcessHead and PsIdleProcess etc.
2) Loader doesn't stop at WinMain, both in Vista and XP executables, so you have to place CC at EP manually
3) The easiest way to BSOD: trace the ring3 code, being not nestled deep inside the r3 code, and press ret :). Return to ring0 is deadly...

I tried to decipher osidata.sys too. Patching osidata.sys (or osinfo.dat) seems to be the best solution to adjust sice to vista and other OS in future. This is what I found: there are 2 kinds of entries in osidata.sys
1) "sp-entry" -
0 - dw: length of the structure, they are 19h or 1Bh
+2 - 3b:1,0,0
+5 - 4b: OS number f.e. 2,5,0CEh,0Eh = 5.2.3790 = W2K3 SP0 / 1,5,28h,0Ah = 5.1.2600 = XP SP2 / 0,6,D2h,0Fh = 6.0.4050 = Longhorn , etc. (NtBuildNumber). The last Windows release which appears in osidata / osinfo is Longhorn 6.0.5213.
+9 - 4b: "sp0"/ "sp1"/ "sp2",0 [I don't know what is this for - we already have SP number from the previously known OS number]
+13 - ??? - to discover - may be detailed "build number" of OS, something like "vista_rtm.061101-2205"

2) "api-hook-entry"
0 - dw: length of the structure, always 114h
+2 - 3b:1,0,0
+5 - 4b: OS number
+11h - "OSI ID" - osidata identifier for function
+21h - module name (where API to hook exist), mainly ntoskrnl
+49h - function to hook
+85h - start search function (big thx for Kayaker for revealing "ver ahk" command)
+C1h - db: length of following "start code of API"
+C2h - piece of start code of API, which we are looking for - should be unique
+EAh - 1,55h,28 dup (0) - ?? - maybe the signature of "api-hook-entry" itself /like 55AA in MBR/

When the API is a public export (e.g. ntoskrnl!IoConnectInterrupt) there are nulls in [+85h] and [+C2h]. Otherwise (f.e. MiMapViewOfImageSection - which is not a public export, but can only be localised using the PDB), there is a prescription for ntice for a specific OS/SP/build?, how to find this function. It looks like this: "to find MiMapViewOfImageSection in XPSP2, go to ntoskrnl export CcopyRead ("start search function") and then look in the following code for the 9-byte piece of code: 55,8B,EC....". The "sp-entry"s and "api-hook-entry"s are grouped in big blocks, one entry after another. The whole osinfo.dat is inserted into osidata.sys, but this is not the case with beta-OS data (osinfob.dat). The Longhorn 6.0.4050 and 4074 data from osinfob.dat exist, but 6.0.5112, 5219, 5231 do not exist in osidata.sys. What "api-hook-entry"s are for is, I think, self-explanatory :), but I'm not sure what the purpose of "sp-entry"s is.

I started this thread in the hope of interesting some of you in this subject, and getting your help, of course :))
Greetings, happy New Year :)
amigo
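Added example (my own code, not amigo's and not anything from the NuMega/DriverStudio package): a small Python parser for the two osidata.sys entry layouts described in the post, exercised on a constructed sample blob. It uses only what the post states: the little-endian length word at +0 (19h/1Bh for an "sp-entry", 114h for an "api-hook-entry"), the 1,0,0 marker at +2, the 4-byte OS number at +5 decoded the way the post's own examples decode it (1,5,28h,0Ah = 5.1.2600, so minor, major, build-low, build-high), the string fields at the listed offsets, the code-length byte at +C1h, and the 01 55 bytes at +EAh. The width of each string field is assumed to run to the next listed offset; the OSI ID strings, the 9 start-code bytes and the 12 trailing bytes of the sp-entry are constructed sample values. The "public export" test mirrors the post's observation that such entries carry nulls at +85h and +C2h.

```python
import struct
from dataclasses import dataclass

# Entry lengths stated in the post (little-endian word at +0 of each entry).
SP_ENTRY_LENGTHS = {0x19, 0x1B}
API_HOOK_LENGTH = 0x114
ENTRY_MARKER = b"\x01\x00\x00"          # the 3 bytes at +2 of both entry kinds
TAIL_MARKER = b"\x01\x55"               # the 1,55h at +EAh of an api-hook-entry
MAX_START_CODE = 0xEA - 0xC2            # room between +C2h and the tail marker (40 bytes)


@dataclass
class SpEntry:
    os_version: str        # "major.minor.build" decoded from the 4 bytes at +5
    sp_tag: str            # "sp0"/"sp1"/"sp2" at +9
    unknown_tail: bytes    # everything from +0Dh to the end (undocumented in the post)


@dataclass
class ApiHookEntry:
    os_version: str
    osi_id: str            # +11h
    module: str            # +21h, module where the API to hook lives
    function: str          # +49h, function to hook
    start_search: str      # +85h, exported function to start searching from
    start_code: bytes      # +C2h, unique start bytes of the target function
    is_public_export: bool # nulls at +85h and +C2h => the API is an export
    tail_marker_ok: bool   # 01 55 present at +EAh


def _cstr(buf: bytes) -> str:
    """NUL-terminated ASCII string out of a fixed-width field."""
    return buf.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def decode_os_number(b: bytes) -> str:
    """4 bytes: minor, major, build-low, build-high (e.g. 1,5,28h,0Ah -> 5.1.2600)."""
    minor, major, build_lo, build_hi = b[:4]
    return f"{major}.{minor}.{build_lo | (build_hi << 8)}"


def parse_entry(blob: bytes, off: int):
    """Parse one entry at `off`; returns (entry, offset_of_next_entry)."""
    if off + 2 > len(blob):
        raise ValueError(f"truncated length word at {off:#x}")
    length = struct.unpack_from("<H", blob, off)[0]
    if length < 5 or off + length > len(blob):
        raise ValueError(f"entry at {off:#x} claims {length:#x} bytes, blob too short")
    e = blob[off:off + length]
    if e[2:5] != ENTRY_MARKER:
        raise ValueError(f"bad 1,0,0 marker at {off + 2:#x}")
    if length in SP_ENTRY_LENGTHS:
        return SpEntry(decode_os_number(e[5:9]), _cstr(e[9:13]), e[13:]), off + length
    if length == API_HOOK_LENGTH:
        code_len = e[0xC1]
        if code_len > MAX_START_CODE:
            raise ValueError(f"start-code length {code_len} overruns tail marker")
        start_search = _cstr(e[0x85:0xC1])
        return ApiHookEntry(
            os_version=decode_os_number(e[5:9]),
            osi_id=_cstr(e[0x11:0x21]),
            module=_cstr(e[0x21:0x49]),
            function=_cstr(e[0x49:0x85]),
            start_search=start_search,
            start_code=e[0xC2:0xC2 + code_len],
            is_public_export=(start_search == "" and code_len == 0),
            tail_marker_ok=(e[0xEA:0xEC] == TAIL_MARKER),
        ), off + length
    raise ValueError(f"unknown entry length {length:#x} at {off:#x}")


def parse_osidata(blob: bytes):
    """Walk a block of back-to-back entries until the blob is exhausted."""
    entries, off = [], 0
    while off < len(blob):
        entry, off = parse_entry(blob, off)
        entries.append(entry)
    return entries


# --- constructed sample data (not a real osidata.sys) -----------------------
def _field(s: str, size: int) -> bytes:
    b = s.encode("ascii")
    if len(b) >= size:
        raise ValueError(f"{s!r} does not fit in {size}-byte field")
    return b.ljust(size, b"\x00")


def build_sp_entry(os_bytes: bytes, sp_tag: str, tail: bytes = b"\x00" * 12) -> bytes:
    body = ENTRY_MARKER + os_bytes + _field(sp_tag, 4) + tail
    return struct.pack("<H", 2 + len(body)) + body     # 2+3+4+4+12 = 19h


def build_api_hook_entry(os_bytes, osi_id, module, function, start_search="", code=b""):
    e = bytearray(API_HOOK_LENGTH)
    struct.pack_into("<H", e, 0, API_HOOK_LENGTH)
    e[2:5] = ENTRY_MARKER
    e[5:9] = os_bytes
    e[0x11:0x21] = _field(osi_id, 0x10)
    e[0x21:0x49] = _field(module, 0x28)
    e[0x49:0x85] = _field(function, 0x3C)
    e[0x85:0xC1] = _field(start_search, 0x3C)
    e[0xC1] = len(code)
    e[0xC2:0xC2 + len(code)] = code
    e[0xEA:0xEC] = TAIL_MARKER
    return bytes(e)


XP_SP2 = bytes([1, 5, 0x28, 0x0A])                     # 5.1.2600, from the post
SAMPLE_OSIDATA = (
    build_sp_entry(XP_SP2, "sp2")
    + build_api_hook_entry(XP_SP2, "OSI_0001", "ntoskrnl.exe", "IoConnectInterrupt")
    + build_api_hook_entry(XP_SP2, "OSI_0002", "ntoskrnl.exe", "MiMapViewOfImageSection",
                           start_search="CcCopyRead",   # the export the post calls "CcopyRead"
                           code=bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56, 0x57]))
)

if __name__ == "__main__":
    for entry in parse_osidata(SAMPLE_OSIDATA):
        print(entry)
```

The walk stops with an error on any length it does not recognise rather than guessing, which is what you want when probing a real file: an unexpected length usually means the block boundary or a third entry kind the post does not describe.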

Av0id 01-07-2009 14:17

awesome work, but it's easy to use vmware

amigo 01-13-2009 20:51

purpose
 
my purpose is to launch sice on a live system, not to use ollydbg / syser / another OS / vmware etc = not to av0id the problem :))

arlequim 02-08-2009 21:11

Pls forget SoftIce, use Syser debugger!!! ;)

britedream 03-01-2009 11:58

Quote:

Originally Posted by arlequim (Post 61750)
Pls forget SoftIce, use Syser debugger!!! ;)


It would be nice for those who use syser to give their input regarding its use on vista. I really did not see much interest in using this debugger; I am just wondering what is wrong with it. (sorry to hijack the post)

Regards.

deroko 03-02-2009 09:02

I used syser a couple of times, and it did some job, but not that great, as after a few seconds the computer would freeze, or become way too slow. Still, sometimes it's much faster to use syser on Vista to find the answer instead of using windbg + vmware. It helped me a couple of times to find the right answers in Vista :)

dubya 03-06-2009 21:48

Quote:

Originally Posted by deroko (Post 62171)
I used syser a couple of times, and it did some job, but not that great, as after a few seconds the computer would freeze, or become way too slow. Still, sometimes it's much faster to use syser on Vista to find the answer instead of using windbg + vmware. It helped me a couple of times to find the right answers in Vista :)

How stable is it under XP and inside a virtual machine? Is it safe enough to put it on a development/production machine running Vista SP1?

nuemga2000 03-07-2009 00:47

For me, syser is unusable under Vista, both on real hardware and within a VM; it will always crash after some minutes.

arlequim 03-07-2009 01:23

I never tested Syser under Vista, but on my WinXpSp3 it works very well. Please consider that Syser is "young", so we need to wait for further improvements.

ripred 03-07-2009 02:57

we should give SYSER a fair chance.
 
Hello,
I also use SYSER under XP, and it gets better from version to version. Still no comparison to SOFTICE; however, SOFTICE also had many problems at the beginning. I hope that the SYSER team continues, and we should give them a fair chance.

Ramon 03-07-2009 10:49

SICE is one of the best debuggers ever. It's ridiculous, but after SICE died, I quit daily RE; I never had the time/enthusiasm to learn new techniques with alternative tools.

I think Syser is a good replacement for SICE, but we need to await a little more.

Amigo is doing a good work. Keep it up.

dubya 03-07-2009 16:25

Quote:

Originally Posted by Ramon (Post 62425)
SICE is one of the best debuggers ever. It's ridiculous, but after SICE died, I quit daily RE; I never had the time/enthusiasm to learn new techniques with alternative tools.

Almost the same here as well. When Compuware took over SICE development and marketing, it marked the end of an era. Because of the numerous patches and driver issues it was not really very intuitive and productive using SICE on development machines later on.

I used to be active here by a different handle. And then one fine day, I lost my encrypted volume which contained login credentials of various forums and email IDs. Had to make a new one in 2004 and it was all an egg on downwards spiral for me.

Looking forward to learning new tools and techniques of this good old trade which I've been a part of since 1998. Hope to get acquainted with my fellow reversers as well.

Have a good day! ;)

deroko 03-07-2009 19:32

Quote:

Originally Posted by dubya (Post 62398)
How stable is it under XP and inside a virtual machine? Is it safe enough to put it on a development/production machine running Vista SP1?

Well, I wouldn't put it on a development machine yet. I used it for approx. 5 min without a problem on Vista and then it would start acting weird. It did a great job, and I don't regret any second of using it for those 5 mins.

ripred 03-07-2009 23:49

RAMON, you are absolutely right
 
Hello RAMON,

you are absolutely right. I have used SOFTICE for more than 20 years and have tried for a long time to put off a change - Gforce driver from '94 no longer updated - no newer graphics card than Gforce 7500 - made a PC only for debugging etc.

But now in version 1.99 SYSER is an alternative. I hope the team continues.

Regards

mood561 03-09-2009 15:20

Windows 7 is coming soon...
