Extending SoftICE -- 2
B. Registered dot commands
Fire up SoftICE again and type: .my (this command should be available even if you don't have the debug version of W95). You are in the reverse engineering business and still using a retail build of your OS? Believe me, you miss a LOT of cool things. Get a debug build for at least vmm.vxd, vwin386.vxd, vxdldr.vxd, and the ring 3 kernel components.

What you see now on your screen is the list of valid ranges of physical memory. At this point what matters to us is how the debugger called this code, not how to obtain the valid boundaries of physical memory. Things are a little more complicated now. Implementing a dot command of this type imposes a certain architecture on the server VxD. Be careful: here the dot command is .M and not .MY. The Y following .M is merely a parameter passed to the handler for this command.

When the server VxD is initializing its debug interface, usually but not necessarily inside the procedure that handles the Device_Init message broadcast by the virtual machine manager, it must call a function called RegisterDotCommand (INT 41h, AX=70h) to register the command in question with the system debugger (see chapter 3 for details). Basically, registering a dot command provides the system debugger with an entry point which will be called when that command is issued. To see which dot commands are registered in your system simply type .? This will show you all the dot commands available, in the order in which they were registered.

Chapter 3: INT 41h - protected mode debugger interface.
-------------------------------------------------------
The Protected Mode Debugger Interface API is implemented via INT 41h. This interrupt calls into the system debugger through a 32-bit interrupt gate, directing it to perform various actions. The called function is identified by the value contained in the AX register.
This interface is partially undocumented; you can find some useful things by reading the debugsys.inc file that comes with the Windows 95 DDK. In this file the API is documented at the bare minimum, but it's better than nothing. Anyway, for those of you who don't possess the DDK, I will list below some of the most useful functions.

AX=00h -- Display character on debug terminal
    entry:   AL = character to display

AX=01h -- Read character from debug terminal
    returns: AL = character read

AX=02h -- Display a string on debug terminal
    entry:   DS:ESI = pointer to null-terminated string to display

AX=12h -- Display a string on debug terminal (called by 16-bit code)
    entry:   DS:SI = pointer to null-terminated string to display

AX=40h -- Run debuggee until specified CS:IP is reached
    entry:   CX = desired CS
             BX = desired IP

AX=70h -- Register dot command (32-bit code)
    entry:   BL  = dot command to register
             ESI = linear address of the handler routine
             EDI = linear address of the help text
    returns: AX == 0 if successful
             AX != 0 if registration failed

AX=71h -- Register dot command (called by 16-bit code)
    entry:   BL    = dot command to register
             CX:SI = linear address of the handler routine
             DX:DI = linear address of the help text
    returns: AX == 0 if successful
             AX != 0 if registration failed

AX=72h -- Unregister dot command (unregisters dot commands registered by both 70h and 71h)
    entry:   BL = dot command to de-register

AX=73h -- Debug printf (C-like printf function, output on debugger terminal), 32-bit
    entry:   DS:ESI = address of format string
             DS:EDI = address of first parameter passed (all parameters are DWORDs)
    returns: EAX = number of characters printed on debug terminal

AX=74h -- Debug printf (C-like printf function, output on debugger terminal), 16-bit
    entry:   DS:SI = address of format string
             ES:DI = address of the start of the word or dword arguments
    returns: AX = number of characters output

AX=75h -- Get Register Set
    entry:   DS:ESI = address of a SaveRegs_Struc type structure

AX=76h -- Set Alternate Register Set
    entry:   CX = thread ID (0 for current thread)
             DS:ESI = address of a SaveRegs_Struc type structure

AX=77h -- Get Command Line Character
    entry:   BL = 0 -> get char, text pointer not incremented, leading space not ignored
                = 1 -> get char, increment text pointer, leading blank is skipped
                = 2 -> get char, text pointer not incremented, leading blank is skipped
    exit:    AL = command line character retrieved
             AH = 0 if EOL encountered, != 0 if more characters await parsing

AX=78h -- Evaluate Expression
    entry:   DS:ESI = expression to evaluate
    returns: AX  -> 0, returns a data value
                 -> != 0, returns a linear address
             CX  = TID
             EBX = evaluated value

AX=79h -- Verify Memory
    entry:   ECX = length of memory region
             DS:ESI = starting address of memory to verify
    returns: AX -> 0 OK
                -> != 0 memory range is invalid

AX=7Ah -- Directs debugger to dump current registers

AX=7Bh -- Directs debugger to perform a stack dump
    entry:   BX -> 01h - verbose stack dump
                -> 02h - 16-bit stack dump
                -> 04h - 32-bit stack dump

AX=7Dh -- Execute Debugger Command
    entry:   DS:ESI = pointer to the command script
             CX = size in bytes of script

Some structures:

    SaveRegs_Struc struc
        Debug_EAX        dd ?
        Debug_EBX        dd ?
        Debug_ECX        dd ?
        Debug_EDX        dd ?
        Debug_ESP        dd ?
        Debug_EBP        dd ?
        Debug_ESI        dd ?
        Debug_EDI        dd ?
        Debug_ES         dw ?
        Debug_SS         dw ?
        Debug_DS         dw ?
        Debug_FS         dw ?
        Debug_GS         dw ?
        Debug_EIP        dd ?
        Debug_CS         dw ?
                         dd ?
        Debug_EFlags     dd ?
        Debug_CR0        dd ?
        Debug_GDT        dq ?
        Debug_IDT        dq ?
        Debug_LDT        dw ?
        Debug_TR         dw ?
        Debug_CR2        dd ?
        Debug_CR3        dd ?
        Debug_DR0        dd ?
        Debug_DR1        dd ?
        Debug_DR2        dd ?
        Debug_DR3        dd ?
        Debug_DR6        dd ?
        Debug_DR7        dd ?
        Debug_DR7_2      dd ?
        Debug_TR6        dd ?
        Debug_TR7        dd ?
        Debug_TrapNumber dw -1
        Debug_ErrorCode  dw 0
    SaveRegs_Struc ends

There are more functions implemented through INT 41h. There is no point in listing them here because those are advanced things and are beyond the purpose of this paper, which is meant to be introductory and didactic material. If someone really wants them I suggest browsing the DDK or e-mailing me directly and I will try to help.
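As an added example (not from the original article, SoftICE or the DDK), here is the server-VxD skeleton described in section B written out in MASM VxD form: a hypothetical VxD named MyVxD registers a .Q command at Device_Init with INT 41h AX=70h, and its handler reads the single parameter character that follows .Q (the same role Y plays in .MY) with AX=77h, prints it with AX=73h, or reports a missing parameter with AX=02h. MyVxD, My_DotQ_Handler and the strings are invented names; the function numbers and register conventions are the ones listed in chapter 3.

```asm
.386p
include vmm.inc
Declare_Virtual_Device MyVxD, 1, 0, MyVxD_Control, Undefined_Device_ID, Undefined_Init_Order
Begin_Control_Dispatch MyVxD
    Control_Dispatch Device_Init, MyVxD_Device_Init
End_Control_Dispatch MyVxD
VxD_LOCKED_DATA_SEG
szHelp  db 'Q c    Echo the parameter character c (example command)', 0
szFmt   db 'MyVxD: parameter character %02X', 0Dh, 0Ah, 0
szNone  db 'MyVxD: no parameter given', 0Dh, 0Ah, 0
dwArg   dd 0                          ; single DWORD argument for the AX=73h printf
VxD_LOCKED_DATA_ENDS
VxD_ICODE_SEG
BeginProc MyVxD_Device_Init
    ; INT 41h, AX=70h: BL = command letter, ESI = handler, EDI = help text
    mov     ax, 70h
    mov     bl, 'Q'
    mov     esi, OFFSET32 My_DotQ_Handler
    mov     edi, OFFSET32 szHelp
    int     41h
    clc                               ; AX == 0 means registered; on failure the VxD still loads, just without .Q
    ret
EndProc MyVxD_Device_Init
VxD_ICODE_ENDS
VxD_LOCKED_CODE_SEG
BeginProc My_DotQ_Handler
    ; Entered by the debugger when ".Q<c>" is typed; c is the parameter.
    pushad                            ; preserve registers (conservative assumption about the convention)
    mov     ax, 77h                   ; INT 41h, AX=77h: get command-line character
    mov     bl, 1                     ; BL = 1: advance text pointer, skip leading blank
    int     41h
    test    ah, ah                    ; AH == 0: end of line reached, no parameter
    jz      short no_param
    movzx   eax, al
    mov     dwArg, eax
    mov     ax, 73h                   ; INT 41h, AX=73h: debugger printf (32-bit)
    mov     esi, OFFSET32 szFmt       ; DS:ESI = format string
    mov     edi, OFFSET32 dwArg       ; DS:EDI = first DWORD parameter
    int     41h
    jmp     short done
no_param:
    mov     ax, 02h                   ; INT 41h, AX=02h: display string at DS:ESI
    mov     esi, OFFSET32 szNone
    int     41h
done:
    popad
    ret
EndProc My_DotQ_Handler
VxD_LOCKED_CODE_ENDS
END
```

Once the VxD is loaded, .? should list Q with the help text above, and .QA should print the hex code of A on the debug terminal.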