Using softice to debug early loaded drivers
Is there a way for SoftICE to debug the entry of a driver that loads early in the boot sequence?
The steps are as follows.
1. Using regedt32 go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder
2. After 'system reserved' and before 'boot bus extender' add 'Ntice'.
3. If this is version 3.1 or higher you need to go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cpthook and change the value for group from 'boot bus extender' to Ntice. If this is version 3.0 or lower then go to step 4.
4. Run the settings dialog and go to softice initialization settings. Remove the 'x;' from the init string.
6. When softice stops during boot, type 'mod'. If a list of loaded modules is NOT returned, do the steps under 'Obtaining a mod list'; if the module list is present, you can proceed with step 6. Either way, continue booting (hit F5 or type go).
7. Go into the settings dialog under softice, then symbols. Here is where you need to add all the symbols you will need for this debug session.
8. Run the icepack.exe utility from the softice directory. This will package up debug symbols, settings and OS info for early use. Run Icepack after any changes.
9. Go to regedit and add the following items (or verify them if they exist).
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\siwsym (Add the key if it does not exist).
DWORD named 'Type' set to 1.
STRING named 'Group' set to 'NTICE'.
DWORD named 'ErrorControl' set to 1.
DWORD named 'Start' set to 0.
DWORD named 'Tag' set to 1.
10. Verify that siwsym.sys is in the system32\drivers directory; if not, move it there.
11. Reboot and you will stop with an early loaded softice and be able to set a break on your driver's entry points, etc.
NOTE: If you change anything in the settings, recompile, etc., you must rerun the icepack utility.
OBTAINING A MODULE LIST.
1. This step is only needed if the mod command does not work when loading softice early.
2. If it exists remove Ntice from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder using regedt32.
3. Check that the 'x;' is removed from softice's init string (running icepack if it is presently being used).
4. In the settings dialog under softice symbols add the symbols for ntoskrnl. Steps for this are located below under 'Translating system files'.
5. Reboot the machine.
6. When it stops at boot, type 'sym _PsLoadedModuleList'. Note the address of the list.
7. Continue booting as normal.
8. Once booted then use regedit and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\siwvid and add a DWORD value called 'modPtrLocation' and set its value to the address of the module list obtained in the previous step. NOTE: you may need this under the ntice registry key also depending on the version of softice.
9. Using regedt32 go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder.
10. After 'system reserved' and before 'boot bus extender' add 'Ntice'.
11. Go to step 7 above.
TRANSLATING NTOSKRNL TO GET SYMBOLS
1. Find the correct ntoskrnl.exe for your machine. To do this, right click on ntoskrnl.exe and select properties. Then select the version tab and then the original file name view.
2. If the original file name was something other than ntoskrnl.exe then copy and rename the copy of ntoskrnl back to its original name.
3. Copy the ntoskrnl.dbg (or pdb) that matches the original ntoskrnl.exe into the same directory as the exe.
4. Open SoftICE symbol loader.
5. Open the ntoskrnl.exe and translate the executable.
6. If the exe was renamed due to the original file name, then rename the resulting nms file back to ntoskrnl.nms.
7. Add ntoskrnl.nms to your list of symbol files to load at start using the SoftICE init settings dialog.
To do this:
1. Open symbol loader.
2. From the edit menu choose 'SoftICE initialization settings'.
3. Go to 'symbols' in the left side tree.
4. Use the add button and navigate to the nms file that you made and add it to the list.
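The registry edits from steps 1-3 and 9-10 of the main procedure, as an added PowerShell script that is not part of the original answer. It assumes the standard Windows layout in which ServiceGroupOrder keeps its ordering in the REG_MULTI_SZ value 'List', and that it is run from an elevated prompt after HKLM\SYSTEM has been backed up.

```powershell
# Added example (not from the original answer): applies the registry edits from
# steps 1-3 and 9-10 on the local machine. Assumes the standard layout in which
# ServiceGroupOrder stores its order in the REG_MULTI_SZ value 'List', and must be
# run from an elevated PowerShell after backing up HKLM\SYSTEM.
$sgo     = 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder'
$cpthook = 'HKLM:\SYSTEM\CurrentControlSet\Services\cpthook'
$siwsym  = 'HKLM:\SYSTEM\CurrentControlSet\Services\siwsym'
$driver  = Join-Path $env:SystemRoot 'system32\drivers\siwsym.sys'

# Steps 1-2: insert 'Ntice' directly after 'System Reserved' (and so before
# 'Boot Bus Extender', which normally follows it). Idempotent: -contains and
# -eq are case-insensitive in PowerShell, matching how the registry treats names.
$list = [string[]](Get-ItemProperty -Path $sgo -Name 'List').List
if ($list -notcontains 'Ntice') {
    $idx = -1
    for ($i = 0; $i -lt $list.Length; $i++) {
        if ($list[$i] -eq 'System Reserved') { $idx = $i; break }
    }
    if ($idx -lt 0) { throw "'System Reserved' not found in ServiceGroupOrder\List" }
    $new = @($list[0..$idx]) + @('Ntice')
    # Guard the tail slice: a descending range would silently reverse the list.
    if ($idx + 1 -lt $list.Length) { $new += $list[($idx + 1)..($list.Length - 1)] }
    Set-ItemProperty -Path $sgo -Name 'List' -Value $new -Type MultiString
}

# Step 3 (SoftICE 3.1 or higher only): move cpthook from 'Boot Bus Extender' to Ntice.
if (Test-Path $cpthook) {
    Set-ItemProperty -Path $cpthook -Name 'Group' -Value 'Ntice'
}

# Step 9: create the siwsym service entry (Type 1 = kernel driver, Start 0 = boot
# start, ErrorControl 1 = normal, Tag = load-order tag within the group).
if (-not (Test-Path $siwsym)) { New-Item -Path $siwsym -Force | Out-Null }
$dwords = @{ Type = 1; ErrorControl = 1; Start = 0; Tag = 1 }
foreach ($entry in $dwords.GetEnumerator()) {
    New-ItemProperty -Path $siwsym -Name $entry.Key -Value $entry.Value `
        -PropertyType DWord -Force | Out-Null
}
New-ItemProperty -Path $siwsym -Name 'Group' -Value 'NTICE' -PropertyType String -Force | Out-Null

# Step 10: a boot-start driver that is not in system32\drivers will fail to load.
if (-not (Test-Path $driver)) {
    Write-Warning "siwsym.sys not found at $driver; copy it there from the SoftICE directory"
}

# Print the resulting load order so the change can be checked before rebooting.
(Get-ItemProperty -Path $sgo -Name 'List').List
```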