📄 softice.cpp
字号:
SI_FIND_CODE_PATTERN(tmp, PAT_CodeFlags, ULONG_PTR, 0);
si_CodeFlags = *(PUCHAR*)(tmp+OFS_CodeFlags);
DbgPrint("dwCodeFlags: %d\n", *si_CodeFlags);
IF_SI_CODE_PATTERN_FOUND(tmp, PAT_ReverseCharColor_DS32, ULONG_PTR, 0)
{
si_ReverseCharColor = *(PUCHAR*)(tmp+OFS_ReverseCharColor_DS32);
}
else
IF_SI_CODE_PATTERN_FOUND(tmp, PAT_ReverseCharColor, ULONG_PTR, 0)
{
si_ReverseCharColor = *(PUCHAR*)(tmp+OFS_ReverseCharColor);
}
else
{
SI_REPORT_NOT_FOUND(PAT_ReverseCharColor);
return FALSE;
}
DbgPrint("bReverseCharColor: %d\n", *si_ReverseCharColor);
SI_FIND_CODE_PATTERN(tmp, PAT_CurrentContext, ULONG_PTR, 0);
si_PopupContext = *(PULONG*)(tmp+OFS_PopupContext);
si_CurrentContext = *(PULONG*)(tmp+OFS_CurrentContext);
DbgPrint("dCurrentContext: %08X\n", si_CurrentContext);
DbgPrint("dPopupContext: %08X\n", si_PopupContext);
SI_FIND_CODE_PATTERN(tmp, PAT_PageinTempRegz, ULONG_PTR, 0);
si_PageinTempRegz = *(SiRegs**)(tmp+OFS_PageinTempRegz);
DbgPrint("dPageinTempRegz: %08X\n", si_PageinTempRegz);
SI_FIND_CODE_PATTERN(tmp, PAT_PageinINT3, ULONG_PTR, 0);
si_oPageinINT3 = *(PULONG*)(tmp+OFS_PageinINT3);
DbgPrint("si_oPageinINT3: %08X\n", si_oPageinINT3);
SI_FIND_CODE_PATTERN(tmp, PAT_Pagein_InProgress, ULONG_PTR, 0);
si_Pagein_InProgress = *(PULONG*)(tmp+OFS_Pagein_InProgress);
DbgPrint("si_Pagein_InProgress: %08X\n", si_Pagein_InProgress);
SI_FIND_CODE_PATTERN(tmp, PAT_OldIntTable, ULONG_PTR, 0);
si_OldIntTable = *(PULONG*)(tmp+OFS_OldIntTable);
DbgPrint("si_OldIntTable: %08X\n", si_OldIntTable);
SI_FIND_CODE_PATTERN(tmp, PAT_LoadKDE, ULONG_PTR, 0);
SI_EXTRACT_CALL_OPERAND(tmp+OFS_LoadKDE, si_LoadKDE, TYPE_LoadKDE);
SI_FIND_CODE_PATTERN(si_EnableIRQ, PAT_EnableIRQ, TYPE_EnableIRQ, OFS_EnableIRQ);
SI_FIND_CODE_PATTERN(si_IRQ2INT, PAT_IRQ2INT, TYPE_IRQ2INT, OFS_IRQ2INT);
SI_FIND_CODE_PATTERN(tmp, PAT_IceIsActive, ULONG_PTR, 0);
si_IceIsActive = *(PUCHAR*)((ULONG_PTR)tmp + OFS_IceIsActive);
DbgPrint("si_IceIsActive: %08X\n", si_IceIsActive);
SI_FIND_CODE_PATTERN(si_SendSpecificEOI, PAT_SendSpecificEOI, TYPE_SendSpecificEOI, OFS_SendSpecificEOI);
SI_FIND_CODE_PATTERN(si_INT_0E_Handler, PAT_INT_0E, TYPE_INT_0E, OFS_INT_0E);
IF_SI_CODE_PATTERN_FOUND(tmp, PAT_BangFuncsArray_DS32, ULONG_PTR, 0)
{
si_KDEFuncNum=*(PULONG *)(((PUCHAR)tmp)+OFS_KDEFuncNum_DS32);
si_BangFuncsArray=*(PUCHAR *)(((PUCHAR)tmp)+OFS_BangFuncsArray_DS32);
si_BangFuncsArray -= 4;
}
else
IF_SI_CODE_PATTERN_FOUND(tmp, PAT_BangFuncsArray, ULONG_PTR, 0)
{
si_KDEFuncNum=*(PULONG *)(((PUCHAR)tmp)+OFS_KDEFuncNum);
si_BangFuncsArray=*(PUCHAR *)(((PUCHAR)tmp)+OFS_BangFuncsArray);
si_BangFuncsArray -= 4;
}
else
{
SI_REPORT_NOT_FOUND(PAT_BangFuncsArray);
return FALSE;
}
DbgPrint("si_BangFuncsArray: %08X\n", si_BangFuncsArray);
DbgPrint("si_KDEFuncNum: %08X\n", si_KDEFuncNum);
//-------------------------------------------------------------------------
// si_SetFont
//-------------------------------------------------------------------------
IF_SI_CODE_PATTERN_FOUND(si_SetFont, PAT_SetFont_DS30, TYPE_SetFont, 0)
{
si_Fonts = *(SI_FONT***)((ULONG_PTR)si_SetFont+OFS_FONTS);
si_CurFontIdx = *(PULONG*)((ULONG_PTR)si_SetFont+OFS_CurFontIdx_DS30);
}
else
IF_SI_CODE_PATTERN_FOUND(si_SetFont, PAT_SetFont, TYPE_SetFont, 0)
{
si_Fonts = *(SI_FONT***)((ULONG_PTR)si_SetFont+OFS_FONTS);
si_CurFontIdx = *(PULONG*)((ULONG_PTR)si_SetFont+OFS_CurFontIdx);
}
else
{
SI_REPORT_NOT_FOUND(PAT_SetFont);
return FALSE;
}
DbgPrint("SetFont code: %08X\n", si_SetFont);
SI_EXTRACT_CALL_OPERAND((ULONG_PTR)si_SetFont + OFS_SetFont, si_SetFont, TYPE_SetFont);
DbgPrint("si_Fonts: %08X\n", si_Fonts);
DbgPrint("si_CurFontIdx: %08X\n", si_CurFontIdx);
DbgPrint("si_SetFont: %08X\n", si_SetFont);
//-------------------------------------------------------------------------
// si_ActivateHooks
//-------------------------------------------------------------------------
SI_FIND_CODE_PATTERN(tmp, PAT_ActivateHooks, ULONG_PTR, 0);
SI_EXTRACT_CALL_OPERAND(tmp+OFS_ActivateHooks, si_ActivateHooks, TYPE_ActivateHooks);
DbgPrint("si_ActivateHooks: %08X\n", si_ActivateHooks);
//-------------------------------------------------------------------------
// si_RecordLastBranchInfo
// si_MSR_LAST_BRANCH_0
// si_MSR_LAST_BRANCH_1
//-------------------------------------------------------------------------
SI_FIND_CODE_PATTERN(si_RecordLastBranchInfo, PAT_RecordLastBranchInfo, TYPE_RecordLastBranchInfo, 0);
si_MSR_LAST_BRANCH_0 = *(PULONG*)((ULONG_PTR)si_RecordLastBranchInfo + OFS_MSR_LAST_BRANCH_0);
si_MSR_LAST_BRANCH_1 = (PULONG)((ULONG_PTR)si_MSR_LAST_BRANCH_0 + 4);
DbgPrint("si_MSR_LAST_BRANCH_0: %08X\n", si_MSR_LAST_BRANCH_0);
DbgPrint("si_MSR_LAST_BRANCH_1: %08X\n", si_MSR_LAST_BRANCH_1);
DbgPrint("si_RecordLastBranchInfo: %08X\n", si_RecordLastBranchInfo);
//-------------------------------------------------------------------------
// si_DeActivateHooks
//-------------------------------------------------------------------------
IF_SI_CODE_PATTERN_FOUND(tmp, PAT_DeActivateHooks_DS32, ULONG_PTR, 0)
{
SI_EXTRACT_CALL_OPERAND(tmp+OFS_DeActivateHooks_DS32, si_DeActivateHooks, TYPE_DeActivateHooks);
}
else
IF_SI_CODE_PATTERN_FOUND(tmp, PAT_DeActivateHooks, ULONG_PTR, 0)
{
SI_EXTRACT_CALL_OPERAND(tmp+OFS_DeActivateHooks, si_DeActivateHooks, TYPE_DeActivateHooks);
}
else
{
SI_REPORT_NOT_FOUND(PAT_DeActivateHooks);
return FALSE;
}
DbgPrint("si_DeActivateHooks: %08X\n", si_DeActivateHooks);
//-------------------------------------------------------------------------
// SoftICE internal functions table
//-------------------------------------------------------------------------
unsigned char FT[]="A General Protection Violation has occurred";
si_IceCall= (SoftIceFunc*)(RabSearch(FT, sizeof(FT), si_DataBase, si_DataSize)
+ si_DataBase + strlen((char*)FT)+1);
if ((ULONG_PTR)si_IceCall < (ULONG_PTR)si_DataBase)
{
DbgPrint("ERROR: Can't find SoftICE function table in memory.\n");
return FALSE;
}
DbgPrint("Internal SoftIce function table found at %08X\n", si_IceCall);
unsigned char FN[]="ADDR";
si_IceFuncNames=(char*)(RabSearch(FN, sizeof(FN), si_DataBase, si_DataSize)
+ si_DataBase-12); // to allow "!" commands
if ((ULONG_PTR)si_IceFuncNames < (ULONG_PTR)si_DataBase)
{
DbgPrint("ERROR: Can't find SoftICE function names in memory.\n");
return FALSE;
}
DbgPrint("Internal SoftIce function names found at %08X\n", si_IceFuncNames);
si_CommandLine=*(char**)(((char*)si_IceCall[1])+2);
DbgPrint("Internal SoftIce command line found at %08X\n", si_CommandLine);
si_InitCompleted = TRUE;
return TRUE;
}
/////////////////////////////////////////////////////////////////////////////
//
// si_InstallDumpFilter
//
// Installs my own dump window character filter. So that SoftICE will
// display russian symbols in dump.
/////////////////////////////////////////////////////////////////////////////
static BYTE Patch[] = "\xE8\x00\x00\x00\x00\x90\x90\x90\x90\x90";
// ^^^^ = call MyDumpFilter
static BYTE SavedDumpFilterBytes[10];
void si_InstallDumpFilter(void *MyDumpFilter)
{
if (!si_CodeBase || !si_CodeSize) return;
si_DumpFilter = (BYTE *)(RabSearch(PAT_DumpFilter, sizeof(PAT_DumpFilter),
si_CodeBase, si_CodeSize) + si_CodeBase);
if ((ULONG_PTR)si_DumpFilter < (ULONG_PTR)si_CodeBase)
{
DbgPrint("ERROR: Can't find si_DumpFilter address in memory.\n");
return;
}
// Save old bytes
RtlCopyMemory(SavedDumpFilterBytes, si_DumpFilter, 10);
// Calculate relative offset for the JUMP instruction
*(PULONG)((ULONG_PTR)Patch + 1) = ((ULONG_PTR)MyDumpFilter - (ULONG_PTR)si_DumpFilter - 5);
// Install my patch
__asm cli;
RtlCopyMemory(si_DumpFilter, Patch, 10);
__asm sti;
}
/////////////////////////////////////////////////////////////////////////////
//
// si_RemoveDumpFilter
//
// Removes my own dump window character filter.
/////////////////////////////////////////////////////////////////////////////
void si_RemoveDumpFilter(void)
{
if (si_DumpFilter)
{
__asm cli;
RtlCopyMemory(si_DumpFilter, SavedDumpFilterBytes, 10);
__asm sti;
}
}
/////////////////////////////////////////////////////////////////////////////
//
// si_PutToKbdBufferChar
//
// C-like interface to si_WriteToKbdBufferChar
// Puts one byte to keyboard buffer
/////////////////////////////////////////////////////////////////////////////
void si_PutToKbdBufferChar(const char chr)
{
__asm
{
mov al, chr
call si_WriteToKbdBuffer_char
}
}
/////////////////////////////////////////////////////////////////////////////
//
// si_Exec
//
// Exec SoftIce command
// Returns true==Ok, false - something wrong
//
/////////////////////////////////////////////////////////////////////////////
BOOLEAN si_Exec(PCHAR Cmd, OPTIONAL BOOLEAN bHideInput /* = TRUE */)
{
if (!Cmd)
{
ASSERT(FALSE);
return FALSE;
}
if (bHideInput)
{
si_PutToKbdBufferChar(1); // small trick to prevent SoftICE from
// displaying what we are typing here.
}
while (*Cmd)
{
si_PutToKbdBufferChar(*Cmd);
Cmd++;
}
si_PutToKbdBufferChar(KBD_ENTER);
return TRUE;
}
/////////////////////////////////////////////////////////////////////////////
//
// si_ClearBangFuncsArray
//
// Deletes all entries in the BangFuncArray pointing into IceExt driver
// Should be called prior to unloading IceExt.
//
/////////////////////////////////////////////////////////////////////////////
VOID si_ClearBangFuncsArray( VOID )
{
ULONG si_IceExtBase = 0;
ULONG si_IceExtCodeBase = 0;
ULONG si_IceExtCodeSize = 0;
if (!si_BangFuncsArray || !si_KDEFuncNum) return;
// Find IceExt start in memory
si_IceExtBase = UtGetModuleBaseByAddr((ULONG)&si_Init);
if (si_IceExtBase == 0)
{
DbgPrint("ERROR: Can't find IceExt MZ header in memory.\n");
return;
}
IMAGE_DOS_HEADER *MZ=(IMAGE_DOS_HEADER*)si_IceExtBase;
#include <pshpack1.h>
const struct HDR
{
DWORD signature;
IMAGE_FILE_HEADER hdr;
IMAGE_OPTIONAL_HEADER opt_head;
IMAGE_SECTION_HEADER section_header[2];
} *PE;
#include <poppack.h>
PE=(HDR*)(MZ->e_lfanew+si_IceExtBase);
DbgPrint("Section %4s at %08X\n",PE->section_header[0].Name, PE->section_header[0].VirtualAddress+si_IceExtBase);
si_IceExtCodeBase = si_IceExtBase + PE->opt_head.BaseOfCode;
si_IceExtCodeSize = PE->opt_head.SizeOfCode;
PUCHAR ptr = si_BangFuncsArray;
for (ULONG i = 0; i < *si_KDEFuncNum; i++)
{
// check if this entry points inside IceExt code segment
if (
(*(PULONG)ptr >= si_IceExtCodeBase) &&
(*(PULONG)ptr <= si_IceExtCodeBase+si_IceExtCodeSize)
)
{
// yes it point to IceExt, delete the entry
(*si_KDEFuncNum)--;
RtlMoveMemory(ptr, ptr+ulBangFuncsArrayEntrySize, (*si_KDEFuncNum - i)*ulBangFuncsArrayEntrySize);
i--;
}
else
{
// move to the next entry
ptr += ulBangFuncsArrayEntrySize;
}
}
}⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -