Debugging a driver under SoftIce

Hi !

I'm a complete newbye on softice and after quite some times of searching I still can't get to work well for me. I'm using SoftIce from DriverStudio 3.1

I'm developping a kernel mode driver and I want to put a break point at DriverEntry.
From what I understood of the manual I have to use the symbol loader, open my driver check in Translation settings 'Symbols and source code" and load.
(I would have thought that I'd have to check Stop at WinMain, Main, DllMain, etc ... but it's grayed out so I can't)
I then hit ctrl - D, type "file fsdInit.c", press F3 to show the source code, choose the right ligne and press F9 to set the break point and then it should break when I get out of Soft Ice and I type "net start mydriver.sys" but it doesn't. What did I do wrong ?

As I parsed this forum and the woodman forum, I found something about having to type ADDR or ATTACH before so that the breakpoint would work and that it was a change compared to the older softice but I didn't understand anything.

So please help a poor newbye...

Regards,

[JMI]

In Softice 3.0 and 3.1 breakpoints are context sensitive. That means that they work only within the "context" of the process within which they are set. While D.S. 3.0 had no option, D.S. 3.1 has an option to have breakpoints operate like they did in former versions of Softice. Those threads you say you reviewed should have made this clear.

Softice also comes with a manual. You should have reviewed the ADDR and ATTACH instructions in that manual. Again those threads explained how these worked. ADDR in on page 8 and ATTACH on page 22.

Reading these threads:
http://66.98.132.48/forum/showthread.php?t=5470

http://www.exetools.com/forum/showthread.php?s=&threadid=2548&highlight=sice

should have explained it to you.

You set ADDR you type ADDR (process name/id), then you should be able to bpx <whatever...>

You can use ATTACH instead of ADDR if you want. "ATTACH <process name/id>" causes an automatic "ADDR <process name/id>" every time you Ctrl+D.

Another good idea reported in those threads is to let the SYMBOL LOADER load the application, stop at the ENTRYPOINT (it does all this automatically) and then put in your breakpoints.

another reported solution was to:

Put a breakpoint at entrypoint (be sure to type first bpint3 in sice), start the program and when it breaks start puting breakpoints for the apis u'r interested to spy. After that replace the CC byte with the original one and press F5. Each time a function u'r bp sice will popup.

Regards,

As suggested in JMI's post, a perfectly working method would be to put:

__asm { int 3 };

on the very first line of DriverEntry, and typing "I3HERE ON" in the softice window. typing "net start drivername" will open the softice window (when it reaches the line with int 3), and you will be able to debug the DriverEntry.

when you don't have the source, you patch the first byte of DriverEntry to CCh, remember the old byte. use 'bpint 3' in softice, and when it breaks, you put back the old byte.

remember that if your driver starts automatically at boot-time, and you forget to patch back the byte before rebooting/shutting down, your computer could enter an infinite reboot cycle (unless you have a debugger loader).

[xobor]

a time ago I did the trick with bpx function for putting debug infos to stream

KdDebug??? (I guess, didn't remember exactly)

maybe this can help

regards

Thanks for your answers but I still don't really get it,

When I try putting __asm { int 3 }; at the beggining of DriverEntry and I start the driver, I get a page fault even through I did put I3HERE ON in the softice initalisation. (I tryed doing bpint3 to before loading the driver but to no avail)
When I get the page fault, I don't get any readable code (not even asm) in the code windows of softice, is it normal ?
So have you guys any idea on what I could do to be able to trace my driver with the softice displaying my source code of it ?

JMI, what I dind't understand of ATTACH and ADDR was that you had to have the process allready running when you use them under softice which is not the case since I want to trace the driver at the beggining.

As for using the Symbol Loader, it works perfectly when trying to debug an application but you can't tell it to stop at the entrypoint for a driver.

Well anyway thanks again for having all been quick to answer and please if you have any idea about what I'm doing wrong.

Regards

Tried to put the driver in an infinited loop at the entrypoint?
And then attached SI?

[xobor]

via symbol loader make sym file for your driver, set all paths to your sources and add sym file for your driver to files loaded after sice starts then use as first line in your code some function eg kddebugprint and set breakpoint

regards

I finally got it to work but it's weird. For some unknown reasons, since I installed DriverStudio, when I start my driver I get a page fault before even entering DriverEntry. I guess that while testing i did something wrong with the registry settings telling windows about my driver or somethign like this.

Anyway as I found this out (blame me I should have tried before to load the driver when softice wasn't loaded and see that there was a problem),
I tried it on a older windows installation I had on vmware and it worked without any problem whatsoever... (using exactly the same steps I described at the top of this thread)

I guess I should try to understand what went wrong with my windows but I'm too lazy

Well anyway, thanks a lot to all of you for helping me !

Regards,

What you have done in your first message sounds correct to me. You may have missed somthing simple in the line of doing that but principally that is the only way to debug a KMD. It is possible, as you have suggested, there is something wrong in the way your driver is being loaded so you actually never reach the entry point so you'd better put some trace messages in your driver and check the debug window (Hey, did you know that you can see the debug outputs of the KMDs in SoftIce too?) just to be sure that your driver is actually being loaded correctly and the entry point functions. Sometimes using the debug output is enough to debug many types of driver routines. For example, it is not a very good idea to debug an interrupt routing using SoftIce while debug messages can help a lot in that case.
JMI, while what you have written is perfect for normal applications, it does not help at all when you need to debug a Kernel Mode Driver. A driver has no process by itself and you can not ATTACH to it.

[xobor]

what was your previous windows installation on which your driver works ok ? Time ago i had to ported my own driver rfom NT4 to win2000 and i had the similar problem , in driver entry when I used some function it ended with pf
i had no time so i landed with windriver



regards