Views: 1444  Replies: 3
On the implementation of SoftICE
After SoftICE's hook on the 8042 driver reads the scan code from port 60h following the interrupt and determines that the user has pressed Ctrl+D, how does it then bring up that black-screen command-input interface and take control of the system? Also, while it is waiting for the user to type a command, what instruction loop is the CPU executing in the background?
Reply #1
Posted: 2004-12-07 08:38
Researching SoftICE's implementation mechanism?
Reply #2
Posted: 2004-12-07 09:51
INTRODUCTION

This document contains various information about SoftICE, NuMega's system debugger for Microsoft operating systems; unless specified, this information refers to Windows 95/98/ME SoftICE versions, not the NT/2K ones. My goal here is both to explain how this debugger works and to document some of its hidden features. The ideal target audience is made of advanced SoftICE users and/or curious system coders, thus I will assume you have a good knowledge of x86 processors and Microsoft operating systems. Contributions and corrections are welcome, interesting questions will be considered (but no video/mouse complaint, please!), silly requests will be ignored.

I] HOW SOFTICE WORKS
=====================

I.1 DOS startup
----------------

Winice.exe is a MZ/LE file, it therefore contains parts of code to be executed in real mode (DOS) and parts to be executed in protected mode (VxD). When executed from DOS (on command line, or from autoexec.bat), winice.exe performs the following steps:

1. change video mode to mode 3 (80x25, text mode, 16 colors) and display SoftICE intro message (SoftICE version, OS, ...)
2. test if Windows is already running in enhanced mode, and quit if so.
3. test if an XMS driver is installed, and quit if not. If installed, SoftICE stores the XMS driver entry point.
4. test if CPU is 386+ by trying to write higher part of eflags, quit if not.
5. parse command line; documented switches are:
     /?                  display help text about these switches
     /load filename      load symbol information from file
     /sym number         amount of symbol table memory in decimal K
     /hst number         amount of additional display memory in decimal K
     /tra number         amount of backtrace history memory in decimal K
   some more undocumented switches are supported:
     /x                  break on SoftICE startup
     /m                  monochrome video
     /nmi [on|off]       trap Non-Maskable Interrupt
     /nol [on|off]       no capslock/numlock programming
     /vdd                use virtual display device
     /kbd [on|off]       patch keyboard driver [caps/numlock]
     /pen [on|off]       enable pentium support
     /com[123]           use COM port 1-3 for serial debugging
     /exp filename       load exports from file name
     /l filename         load symbol information from file name
     /l% filename        load symbol information from file name
     /load filename      load symbol information from file name
     /load% filename     load symbol information from file name
     /loadx filename     load symbol information from file name
     /loadx% filename    load symbol information from file name
     /load32 filename    load symbol information from file name
     /load32% filename   load symbol information from file name
6. hook the following vectors in the IVT:
   2Fh - Microsoft Windows
     SoftICE handles service 1605h (Windows Init Broadcast) and returns its own ES:BX values for startup infos structure pointer (chained to the previous structure). Previous vector is chained.
   68h - Real Mode Debugger services
     SoftICE handles the following services (previous vector is chained):
       43h: D386_Identify, SoftICE returns AX=0F386h.
       44h: D386_Prepare_PMode, SoftICE returns a pointer to its protected mode initialisation callback function (PMINIT). This function implements services PMINIT_INIT_IDT, PMINIT_INIT_PAGING, PMINIT_INIT_SPARE_PTE and PMINIT_GET_SIZE_PHYS.
       5080h and 5081h: D386_Load_Segment (device driver code/data segment).
       9000h: SoftICE specific (SIWVID).
   23h - Ctrl-C handler
     This keyboard sequence can be used to cancel SoftICE loading; when called SoftICE restores INT 2Fh and INT 68h original handlers, then INT 0Bh or INT 0Ch original handler (the COM ports interrupt, depending on what has been previously hooked according to the /COM command line value). Then SoftICE calls XMS driver services 0Dh and 0Ah and exits. Previous vector is ignored.
7. open video driver (default SIWVID.386) and read parameters.
8. read and parse WINICE.DAT (max size is 16K).
9. read and parse WINICE.BRK (breakpoint history, see 18). This file can contain at most 32 breakpoints, each one described in plaintext (e.g. "BPX GetProcAddress").
10. read WINICE.VID for video configuration.
11. check for a VGA driver and get ROM Font pointer 8x14 character, 8x16 VGA or 8x8 double dot (see the FONT internal variable).
12. get DOS version and pointer to DOS List of Lists.
13. check that it can find WIN.COM.
14. open KRNL386.EXE, USER.EXE, GDI.EXE, WIN386.EXE, DOS386.EXE.
15. allocate extended memory through XMS driver for symbols, backtrace, exports and history and display the corresponding information.
16. if required, display more info and "Press any key to continue".
17. load and execute WIN.COM

Here Windows is loading and takes control...

25. If BootGUI=0 in msdos.sys, SoftICE DOS part takes control back when Windows is shut down. Then, it saves a new WINICE.BRK, frees allocated memory, restores hooked interrupts 2Fh, 68h, 0Bh/0Ch and exits to DOS.

I.2 Protected mode setup
-------------------------

Unlike other debuggers, SoftICE is active before any process starts or before any (non-system) static driver is loaded, and this unique feature requires a quite complex protected mode setup. Since usual WIN.COM is executed at step 17, SoftICE can only get control back through hooks (INT2Fh and INT68h in the IVT) and OS callbacks (PMINIT). So at step 17 we are still in real mode, WINICE.EXE executes WIN.COM:

18. To get information about the real mode situation, Windows issues an Init Broadcast call; this service (INT2Fh/1605h) is hooked by SoftICE (see step 6), which returns its own Startup Infos structure, where it declares itself as a DOS device driver.
19. Since SoftICE is now registered as a DOS device driver, Windows will allocate new selectors for it and call INT68h/5080h and 5081h for symbolic debugging support. When SoftICE detects that these calls are used for itself, it will use the selector values to calculate the linear address of the start of its protected mode code (which actually is its PMINIT function).
20. Just before switching to protected mode, Windows will issue a D386_Prepare_PMode call, where SoftICE returns the previously calculated PMINIT address.
21. Windows switches to protected mode. During its initialisation, VMM calls the PMINIT routines. Here are the ones SoftICE will react on (in that order):
   - PMINIT_INIT_IDT: here SoftICE completes its code for BPINTs and hooks IDT vectors 1,2,3,6,0Bh,0Ch,0Dh,0Eh,41h.
   - PMINIT_GET_SIZE_PHYS: here SoftICE ignores the service (returns debugger address = debugger size = 0) to force VMM to call the two following ones:
   - PMINIT_INIT_PAGING: there happens most of SoftICE initialization, which includes PICs setup, TSC calibration, WINICE.DAT parsing (options, macros), video setup, printer setup, keyboard patching, symbols loading, etc. When this service is completed, SoftICE is active and can be used.
   - PMINIT_INIT_SPARE_PTE: SoftICE maps the complete physical memory (as indicated in WINICE.DAT) into linear address space.

Since SoftICE is registered as driver, winice.exe will receive all VxD system messages (SoftICE only handles SYS_CRITICAL_INIT, DEVICE_INIT, INIT_COMPLETE, SYS_CRITICAL_EXIT, W32_DEVICEIOCONTROL, SET_DEVICE_FOCUS, DESTROY_VM). During Windows startup (when static VxDs are loaded), SoftICE will receive the three following messages:

22. SYS_CRITICAL_INIT, where SoftICE
   - calls Win386_Alive service (INT22h/AX=0) to check that WIN386 is loaded.
   - gets system VMM version and according to the value, enables (or not) some commands (DEVICE,DRIVER,FOBJ,IRP,OBJDIR).
   - gets machine info (MSDOS version numbers, processor type, etc).
   - hooks PM faults 06, 0Ch, 0Dh, 0Eh
           VMM faults 06, 0Dh, 0Eh
           V86 faults 06, 0Ch, 0Dh, 0Eh
   - hooks the following VMM services (replacing previous ones): Out_Debug_String, In_Debug_Chr, Out_Debug_Chr, Get_Profile_Hex_Int and if VMM version is at least 400h, Trace_Out_Service and Debug_Printf_Service.
   - hooks port 84h, redirects it to a retn, and completely disables Windows handling of this port.
   - hooks the following VMM services (chained to previous ones): Enable_Local_Trapping, Disable_Local_Trapping, Enable_Global_Trapping, Disable_Global_Trapping.
   - installs its Task Switch Callback function (called at each task switch).
   - hooks the following VMM services (chained to previous ones): _AllocateThreadDataSlot, _FreeThreadDataSlot.
   - hooks the following VMM services (chained to previous ones): _ContextDestroy, _Debug_Flags_Service.
   - completes the SIWDEBUG DDB and adds it to the device list.
   - hooks VXDLDR _PELDR_AddExportTable (chained to previous one).
   - creates 3 new descriptors in GDT, one to access SoftICE's own code, one for INT 41h hooking and one to access first Meg of memory.
23. DEVICE_INIT, where SoftICE
   - calls services 0 and 1 of SIWVID.
   - sets the hot key.
   - installs its page fault handler.
24. INIT_COMPLETE, where SoftICE just clears the carry flag.

At this point SoftICE setup is complete and Windows continues loading freely.
Reply #3
Posted: 2004-12-07 11:19
Many thanks, expert. It would be great if there were material for 2K/XP as well :)
I have been disassembling ntice.sys and analysing it for several days, but there are really too many calls and conditional jumps in it. Often dozens of bytes of code do nothing useful and just keep testing, jumping and calling; the calls frequently do nothing much inside, just flag-setting instructions like stc and clc, plus any number of comparisons against variables, especially inside the new hooked interrupt handler routines (I mainly traced the new 8042 interrupt handler and the new INT 3 handler). They call here and jmp there, and yet not a single kernel function is called; apart from a read of port 60h when checking keyboard input and sending the keyboard EOI to port 20h of the first 8259, I saw no I/O instructions at all... so the analysis has been extremely frustrating. In the end I wrote the flow chart down on paper, several pages of it, and still found nothing crucial. With WinDbg, while it waits for the user to enter a command, the debuggee's CPU is actually looping in KdpSendWaitContinue waiting for messages from the serial port, so I assume SoftICE must use a similar mechanism, e.g. looping in the new 8042 driver waiting for user input. [Edited - 12/7/04 by Sephiroth]