SoftICE crashing on Windows 2003

Yes.. Treat Windows 2003 Server SP1 like Windows XP SP2. This is one reason soft-ice is dead.

I would suggest you do your debugging with no service pack installed. That way you can debug with very few issues. Otherwise you will need to use M$ tools for debugging.

I just had another thought.. M$ has a debug vesion of Windows 2003 server SP1.. I wonder if this help you??

If Windows 2003 SP1 would run the same way as Windows XP SP2, then SoftICE would run, since it runs well on WinXP SP2 for me.

I don't have Windows 2003 SP0, since the CD I copied was the official Windows 2003 CD with SP1 already integrated. (no homemade "all-in-one" crap from the internet)

I'm no MSDN subscriber, so I don't have access to the debug version of Windows 2003 SP1.

I checked at what place the code is crashing, but even if it's totally clear what the code does (no unknown variables), I don't understand why it works on Windows XP but not on Windows 2003.

Code:

xor         eax,eax
add         eax,[000130C7]     ; hard coded value: 120h
add         eax,[000130CB]     ; hard coded value: 4h
mov         eax,fs:[eax]
add         eax,[000130CF]     ; hard coded value: 34h
add         eax,[000130D3]     ; hard coded value: 10h
mov         eax,[eax]
add         eax,[000130D7]     ; hard coded value: 18h
mov         eax,[eax]          ; <-- crash location
mov         [edi][1C],eax
retn

So, in short one could write is as:

Code:

mov     eax, fs:[124h]
mov     eax, [eax+44h]
mov     eax, [eax+18]     ; <-- crash location

Even if I'm not aware what value "fs" has a this time, I don't expect it to be the reason for the crash.

I still had no luck running SoftICE on Windows 2003 SP1. I finally was able to get Windows 2003 SP0. But SoftICE again crashes at the same location.

Is it possible that SoftICE has problems when too much memory is installed in the computer? (like the "vcache" problem on Win9x with 512 MB RAM)

[deroko]

Quote:

Originally Posted by MarkusO

Code:

mov     eax, fs:[124h]
mov     eax, [eax+44h]
mov     eax, [eax+18]     ; <-- crash location

Even if I'm not aware what value "fs" has a this time, I don't expect it to be the reason for the crash.

fs points to kpcr
kpcr+124h = current thread
curretn thread + 44h = KPROCESS
KPROCESS+18 = DirectoryTableBase (value of cr3 for current process)

Maybe in win2k3 kthread is changed so kthread+44 returns something else.
If you can, install livekd from www.sysinternals.com and tell us what is located at offset 44 of kthread.
I would really love to know

I'm not used to the build-in debugger of Windows or to LiveKD. But as far as I understood it, you must configure the debugger in the "boot.ini". After that, Windows waits in an infinite loop until somebody attaches to the build-in debugger over a COM port or over Firewire.

But I don't have any serial or 1394 cable available to try this and I also currently don't have a second PC available.

Can you tell me how I should use LiveKD to debug the SoftICE hooking engine?