Extending SoftICE -- 1
Extending NuMega's SoftICE for Windows 95 using the Protected Mode Debugger services API
---------------------------------------------------------------------------------------
by Iceman

As you all know very well, Soft-Ice is the best debugger available on the market: a powerful tool which, combined with IDA 3.7+, gives you the power to reverse just about anything in this world. The idea of extending Soft-Ice is not new; I've seen many implementations of new commands (not so many, in fact), but no one used the mechanism of dot commands which I describe below.

This paper is accompanied by a sample skeleton VxD which implements an extension to Soft-Ice for Windows 95. It provides no real functionality at this time; it is designed to illustrate how dot commands are implemented. The source code is available, too. You will need at least the Windows 95 DDK and MASM 6 to build the example VxD, and Soft-Ice to see with your own eyes that it works; IDA 3.7 comes in handy to follow chapter 7. No more tools are required, but a basic knowledge of VxD programming is still required. Chapters 6 and 7 are not directly related to dot commands; they are more an introduction to basic reverse engineering techniques for VxDs. Still, they are linked with the general subject: they show you how you can talk to SoftICE from ring 3 user code.

The document is structured as below:

Chapter 1: VxD introduction.
Chapter 2: What are dot commands?
Chapter 3: INT 41h - protected mode debugger interface.
Chapter 4: Extending Soft-Ice
Chapter 5: The sample: icecmd.vxd
Chapter 6: Moving to ring 3
Chapter 7: How Numega's Loader works?
Chapter 8: Notes for Windows NT users.
Appendix A: Some useful equates for VxD reverse engineering
Appendix B: INT 22h - Win32 Protected mode interface requests API

Chapter 1: VxD introduction
---------------------------

Virtual device drivers, referred to further as VxDs, are basically 32-bit executables that run at the highest privilege level (ring 0). They are used to manage critical system resources. The executable type is not PE but the older LE (linear executable) type. Their importance grew once Microsoft added to Windows 95 the ability to dynamically load VxDs. In the past, VxDs were used almost only for virtualizing hardware devices or for controlling hardware peripherals. These days you can see lots of code which relies heavily on VxDs to improve execution speed or to gain access to critical system resources.

Now, since the purpose of this material is not to be a VxD programming introductory material, I will jump directly to Chapter 2. If you want me to write an introductory material on VxD programming, mail me directly, and if I find the number of requests high enough I will write one (over 30 requests will do the job).

Chapter 2: What are dot commands?
---------------------------------

The protected mode debugger interface API under Windows 95 class OSes provides a very convenient way for 32-bit system DLLs and VxDs to talk to a system debugger. In Windows 95 this interface is accessed via INT 41h. Among other things, the INT 41h interface allows a VxD to provide debug-specific routines which can be called from the system-level debugger's console. In theory, any system-level debugger can be extended in this way. Care must be taken because not all the functions provided by the INT 41h API are necessarily implemented by your debugger. SoftICE, as well as Microsoft's Wdeb386, supports them.

Issuing a dot command is as simple as breathing. In the debugger's console type:

.Command

where Command is the command that you want to be executed. From a more technical point of view, two types of dot commands are available. Let's see them:

A. Debug Query dot commands

Now fire up SoftICE and type:

.vmm

Instantly the command window shows you a menu with several debug options which are not part of SoftICE but are implemented through vmm.vxd (the Virtual Machine Manager). What happened behind our back? When you issue a .VxDname command, a Debug_Query message is sent to the specified virtual device. If the ControlDispatch procedure of the target VxD has a handler for this message, control is passed to it. The handler procedure for the Debug_Query message must reside in a locked code segment; if it is in a pageable code segment, your system may hang when the handler procedure is paged out to disk. If the target VxD does not handle the Debug_Query message nothing bad happens, so you can experiment with this freely.
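As an added example (this is not the paper's icecmd.vxd source and not the author's code), the following minimal MASM VxD is wired exactly the way the paragraph above describes: its control procedure routes the Debug_Query message to a handler that lives in a locked code segment, so that typing .ICECMD in the SoftICE command window reaches that handler. The procedure names ICECMD_Control and ICECMD_Debug_Query and the message text are assumptions; Declare_Virtual_Device, Begin_Control_Dispatch, Control_Dispatch, VxD_LOCKED_CODE_SEG and Trace_Out are Windows 95 DDK macros from VMM.INC and DEBUG.INC.

```asm
; Added example, not the page's icecmd.vxd: a skeleton VxD whose ControlDispatch
; handles Debug_Query. Procedure names and the message text are assumptions.
.386p
.xlist
include vmm.inc
include debug.inc
.list

; Device name, major/minor version, control procedure, no fixed device ID,
; no fixed init order (the VxD is meant to be loaded dynamically).
Declare_Virtual_Device ICECMD, 1, 0, ICECMD_Control, UNDEFINED_DEVICE_ID, UNDEFINED_INIT_ORDER

; Begin_Control_Dispatch generates ICECMD_Control in VxD_LOCKED_CODE_SEG.
; Only Debug_Query is routed; every other system control message falls
; through and returns with the carry flag clear (message ignored, no error).
Begin_Control_Dispatch ICECMD
    Control_Dispatch Debug_Query, ICECMD_Debug_Query
End_Control_Dispatch ICECMD

; The handler itself is placed in locked code as well: if it sat in a
; pageable segment and had been paged out when the debugger delivers
; Debug_Query, the system could hang instead of showing a menu.
VxD_LOCKED_CODE_SEG

BeginProc ICECMD_Debug_Query
    ; Trace_Out sends the string to the system debugger console. It expands
    ; to code only when the VxD is assembled with DEBUG defined; in a retail
    ; build this handler would simply return without printing anything.
    Trace_Out "ICECMD: Debug_Query received - menu would be printed here"
    clc                 ; carry clear: message handled successfully
    ret
EndProc ICECMD_Debug_Query

VxD_LOCKED_CODE_ENDS

end
```

Build it with the Windows 95 DDK and MASM 6 as described above (with DEBUG defined so Trace_Out is not compiled out), load the resulting VxD, and type .ICECMD in SoftICE: the line is printed by the handler, not by SoftICE. Typing the dot command before the VxD is loaded, or after removing the Control_Dispatch line, produces no output and no harm, which is the "nothing bad happens" case the text mentions.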