For you SoftIce users, there is a great plugin made for it from this site:
http://stenri.pisem.net/
Also, they have the how-to in Russian, so if there are any Russians out there who can translate it to English, please do..
Also, they have a screen dump option, and I made a program to convert the RAW dump to text. They also have a RAW dump to BMP converter..
Here is my RAW2TXT converter's link.. includes source.
If you make any improvements, please send me a copy..
ScreenDump Convertor
Also, since Microsoft does not support or sell the Win 98 DDK, can I post a link here..
Haven't tested it myself, but seems like it's a nice project - opensource icedump for NT, right?
basically yes..
IceDump was actually a patch created with nmake, which was then patched with another program... this program creates another service that attaches itself to the SoftIce service..
Thanks Bit, didn't know that..
The later icedump (for win9x anyway) was a self-loading vxd - icedump for NT isn't really worth talking about, they didn't have the time (motivation?) to evolve it very far.
Yeah, I remember that... but I was talking about the NT IceDump... this guy with the IceExt has the Tetris and a few of the other things that were in IceDump for win9x, so either he used their source and figured it out or might be having some help from the people who helped and made IceDump... the only thing that I sort of miss that's not in there is the MP3 player...
heh, the mp3 player is a bit useless imo - get yourself a decent amp ;). Besides it only worked on a very limited set of hardware, and even on supposedly supported hardware I couldn't get it working. The thought of a kernelmode mp3 player is a bit fun, but... wasted time.
yeah i know lol.. but as you said it was fun.. and i got it working :P
The link below contains all the new and modded source files to make the new command work.
It also contains the pre-compiled version for those that don't want to compile it.
The new command is: !dumptext
Note: some of the files were modded so that compiling will work on XP, and this will cause it not to compile on Win 2000 anymore. Be sure to compare and correct it if you're running 2000..
The files changed to make it run on XP:
source ;changed to point to the XP libs and to the correct lib name, also included my new source file..
make.bat ;changed to delete from the right location
inst.bat ;changed to point to the right copy location.
New IceExt Command - dumptext
Example Dump:
EAX=FFDFFCD4 EBX=FFDFF000 ECX=000021AB EDX=00000000 ESI=80541DA0
EDI=80542000 EBP=FFDFF980 ESP=80539558 EIP=8053170E o d I s z a P c
CS=0008 DS=0023 SS=0010 ES=0023 FS=0030 GS=0000
--------------------------------------------------byte--------------PROT---(0)-
0010:00000000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:00000010 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:00000020 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:00000030 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:00000040 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:00000050 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:00000060 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:00000070 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:00000080 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:00000090 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:000000A0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:000000B0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:000000C0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:000000D0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:000000E0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:000000F0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:00000100 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:00000110 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:00000120 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:00000130 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:00000140 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:00000150 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:00000160 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:00000170 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:00000180 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:00000190 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:000001A0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:000001B0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:000001C0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0010:000001D0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
-----ntoskrnl!KiDispatchInterrupt+02BD-----------------------------------PROT32-
0008:8053170D 90 NOP
0008:8053170E 90 NOP
0008:8053170F FA CLI
0008:80531710 3B6D00 CMP EBP,[EBP+00]
0008:80531713 740D JZ 80531722
0008:80531715 B102 MOV CL,02
0008:80531717 FF1528464D80 CALL [HAL!HalClearSoftwareInterrupt]
0008:8053171D E841000000 CALL 80531763
0008:80531722 83BB2801000000 CMP DWORD PTR [EBX+00000128],00
0008:80531729 74D9 JZ 80531704
0008:8053172B FB STI
0008:8053172C 8BB328010000 MOV ESI,[EBX+00000128]
0008:80531732 8BBB24010000 MOV EDI,[EBX+00000124]
0008:80531738 83C901 OR ECX,01
0008:8053173B 89B324010000 MOV [EBX+00000124],ESI
0008:80531741 26C6462D02 MOV BYTE PTR ES:[ESI+2D],02
0008:80531746 C7832801000000000000MOV DWORD PTR [EBX+00000128],AL!HalClea
0008:80531750 685B175380 PUSH 8053175B
0008:80531755 9C PUSHFD
0008:80531756 E9ADFDFFFF JMP 80531508
0008:8053175B 8DAB80090000 LEA EBP,[EBX+00000980]
0008:80531761 EBA9 JMP 8053170C
0008:80531763 6A00 PUSH 00
0008:80531765 83EC0C SUB ESP,0C
0008:80531768 833DEC62548000 CMP DWORD PTR [805462EC],00
0008:8053176F 7562 JNZ 805317D3
0008:80531771 892594F9DFFF MOV [FFDFF994],ESP
0008:80531777 8B5500 MOV EDX,[EBP+00]
0008:8053177A 8B0A MOV ECX,[EDX]
0008:8053177C 894D00 MOV [EBP+00],ECX
(DISPATCH)-KTEB(80541DA0)-TID(0000)-ntoskrnl!.text+0005D18D---------------------
mp_PCR_VA_array: F35C3A34
mp_NumOfCPUs: 00000001
ntoskrnl image: 804D4000
ntdll: 77F50000
NTOSKRNL Section .text at: 804D4580
NTOS_TEXT_ADDR: 804D4580
NTOS_TEXT_SIZE: 0005E280
KeServiceDescriptorTable: 805425C0
KeAddSystemServiceTable: 8057CEB8
KeServiceDescriptorTableShadow: 80542580
OLD int 0E handler: F3792FD2
SwapContextPtr: 80531502
ZwCreatFile: 804F86F4
NtCreateFileServiceNum: 00000025
ZwQuerySystemInformation: 804F9194
NtQuerySystemInfoServiceNum: 000000AD
OldINT3: F3792F87
OldINT1: F3792F69
------------------------------------------------------
THD: Worker thread created
:!dumpscreen \??\c:\w.txt
DUMPSCR: \??\c:\w.txt
DumpFile: Duming file '\??\c:\w.txt'
:!dumpscreen \??\c:\w.txt
DUMPSCR: \??\c:\w.txt
dumpscreen. Idle
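As an added example (not part of the thread or of IceExt's source): a small Python parser for the text layout in the example dump above, pulling out the registers, flags and code rows. It assumes SoftICE's convention that an upper-case flag letter means the flag is set, and that the instruction-bytes column is 10 bytes wide, inferred from the one row above where the bytes run into `MOV`; the function and field names are made up for the example.

```python
import re

# Sample rows excerpted from the example dump above (whitespace as on the page).
SAMPLE = """\
EAX=FFDFFCD4 EBX=FFDFF000 ECX=000021AB EDX=00000000 ESI=80541DA0
EDI=80542000 EBP=FFDFF980 ESP=80539558 EIP=8053170E o d I s z a P c
CS=0008 DS=0023 SS=0010 ES=0023 FS=0030 GS=0000
0010:00000000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ................
0008:8053170F FA CLI
0008:80531717 FF1528464D80 CALL [HAL!HalClearSoftwareInterrupt]
0008:80531746 C7832801000000000000MOV DWORD PTR [EBX+00000128],AL!HalClea
"""

REG = re.compile(r"\b([A-Z]{2,3})=([0-9A-F]{4,8})\b")
ADDR = re.compile(r"^([0-9A-F]{4}):([0-9A-F]{8})\s+(\S+)\s*(.*)$")
# Data-window row: 16 byte cells ("??" when unreadable) split by ' ' or '-'.
DATA_ROW = re.compile(r"^[0-9A-F]{4}:[0-9A-F]{8}\s+(?:[0-9A-F?]{2}[ -]){15}")
# Up to 10 opcode bytes (assumed column width), then any spilled mnemonic.
BYTES = re.compile(r"((?:[0-9A-F]{2}){1,10})(.*)")

def parse_dump(text):
    """Return (registers, flags, code_rows) from a SoftICE-style text dump."""
    regs, flags, code = {}, {}, []
    for line in text.splitlines():
        line = line.rstrip()
        m = ADDR.match(line)
        if m is None:
            for name, value in REG.findall(line):
                regs[name] = int(value, 16)
            if "EIP=" in line:
                # Single letters after the EIP value are flags; upper-case = set.
                tail = line.split("EIP=", 1)[1].split()[1:]
                flags = {t.lower(): t.isupper() for t in tail if len(t) == 1}
            continue
        if DATA_ROW.match(line):
            continue  # memory window, not disassembly
        sel, off, token, rest = m.groups()
        b = BYTES.fullmatch(token)
        if b is None or (b.group(2) and len(b.group(1)) != 20):
            continue  # not a code row we can split safely
        raw, spill = b.groups()
        code.append({
            "addr": (int(sel, 16), int(off, 16)),
            "bytes": bytes.fromhex(raw),
            "text": (spill + " " + rest).strip(),  # operand text kept as dumped
            "fused": bool(spill),  # byte column was full, mnemonic ran into it
        })
    return regs, flags, code

if __name__ == "__main__":
    for row in parse_dump(SAMPLE)[2]:
        print("%04X:%08X" % row["addr"], row["bytes"].hex(), row["text"])
```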
I corrected a problem in the dumper.. I used to only support width 80 since I had that hard-coded.. it now grabs the right info... the link above has been updated with the new files..
IceDump was actually a patch created with nmake, which was then patched with another program... this program creates another service that attaches itself to the SoftIce service..
..and patches ntice.sys in memory hardly :-)