Since the TRW2000 command set is fully compatible with SoftICE's, everything in this article also applies to TRW2000. All SoftICE operations take place in a debug window that can be activated at any time; from it you can monitor the running Windows applications and the system itself.

I. Introduction to the debug window

We assume that your SoftICE is running normally. Press Ctrl+D in Windows to bring up the SoftICE debug window. To return to Windows, press Ctrl+D again; you can also use the x command or press F5. The activated debug window is shown in Figure 2.14 and is divided into a register window, a data window, a code window, a floating-point window and a command window. Under TRW2000 the activation key is Ctrl+N, and TRW2000 differs from SoftICE in that it has no floating-point window but has a stack window instead. (Figure 1: SoftICE / TRW2000 debug screenshot)

1. The register window shows the current values of the registers: the data registers EAX, EBX, ECX, EDX, the control registers (EIP and PSW) and so on. One point deserves attention: since we are on the Windows platform, what we see is the 80386 register set, whose names carry one more letter "E" than the 16-bit registers, meaning the extended form of the 16-bit register.

2. The data window displays the data in the specified memory region, shown simultaneously as hexadecimal and ASCII. It can be called our eyes, so it is necessary to understand the meaning of each of its parts. (Figure 2)

No. 1, 0030: this is a segment selector. In Windows protected mode, CS, DS, ES, SS, FS and GS are no longer called segment registers but segment selectors. In protected mode, memory is divided into many segments; with the GDT command in TRW2000 you can see each segment's number, type, starting physical address, size and attributes.
Let's take a look at selector 0030: (Figure 3) this segment is a 32-bit data segment with a length of 4 GB. We can also see many segments that may point to the same physical address but differ in type and attributes. Where one segment pointing at an address is unreadable, another segment pointing at the same physical address may be readable! If we load the number of a non-writable segment into a segment selector and then perform a read/write operation, the program will certainly die, yet reading and writing the very same place through the other selector causes no problem! Protected-mode memory management is very interesting; those who are interested can refer to the book on the subject, while a beginner of course need only know a little.

No. 2, 00000000: the virtual address of the memory is shown here. No. 3: the current contents of memory, expressed in hexadecimal. No. 4: another representation of the value at No. 3, as ASCII.

3. The code window shows the code of the current program. Whatever language a program is written in, the CPU ultimately executes machine language, and assembly language corresponds one-to-one with machine language, so to make things easier for us SoftICE displays the monitored code as assembly instructions. For example: (Figure 4) 1. segment selector; 2. virtual address; 3. machine code: the machine code executed by the CPU, expressed in hexadecimal; you can turn this display on or off with CODE ON / CODE OFF; 4. assembly instruction: the program code corresponding to the machine code.

4. The stack window: this is unique to TRW2000 and is convenient for monitoring the state of the stack.
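To make the selector and segment discussion above concrete, here is an added example (not code from the article) that decodes a 16-bit selector such as 0030 into its index/table/RPL fields and parses an 8-byte GDT descriptor into base, limit and attributes, following the standard x86 descriptor layout. The two descriptors are constructed: a flat 4 GB 32-bit data segment and a flat 4 GB code segment that share the same physical range but differ in attributes, which is exactly why a write through one selector succeeds while the same write through the other faults.

```python
"""Decode an x86 segment selector and GDT descriptor (added example, not from the article)."""
from dataclasses import dataclass


@dataclass
class Descriptor:
    base: int
    limit: int            # highest valid offset, in bytes
    present: bool
    dpl: int
    is_code: bool
    writable: bool        # data segments only
    readable: bool        # code segments: readable bit; data segments: always True
    default_32bit: bool   # D/B flag, the "32-bit" type shown by the GDT command
    granularity_4k: bool  # G flag: limit counted in 4 KB pages


def decode_selector(sel: int) -> dict:
    """Split a 16-bit selector such as 0030h into index, table indicator and RPL."""
    return {"index": sel >> 3, "table": "LDT" if sel & 4 else "GDT", "rpl": sel & 3}


def decode_descriptor(raw: bytes) -> Descriptor:
    """Parse the 8-byte code/data descriptor layout as stored in the GDT."""
    if len(raw) != 8:
        raise ValueError("descriptor must be 8 bytes")
    limit_low = raw[0] | (raw[1] << 8)
    base_low = raw[2] | (raw[3] << 8) | (raw[4] << 16)
    access, flags, base_high = raw[5], raw[6], raw[7]
    if not (access & 0x10):
        raise ValueError("system descriptor, not a code/data segment")
    limit = limit_low | ((flags & 0x0F) << 16)
    gran = bool(flags & 0x80)
    if gran:
        limit = (limit << 12) | 0xFFF   # page granularity: 0xFFFFF pages -> 4 GB
    is_code = bool(access & 0x08)
    return Descriptor(
        base=base_low | (base_high << 24),
        limit=limit,
        present=bool(access & 0x80),
        dpl=(access >> 5) & 3,
        is_code=is_code,
        writable=(not is_code) and bool(access & 0x02),
        readable=bool(access & 0x02) if is_code else True,
        default_32bit=bool(flags & 0x40),
        granularity_4k=gran,
    )


def access_allowed(desc: Descriptor, op: str) -> bool:
    """Would a read/write/execute through this segment pass the descriptor checks?"""
    if not desc.present:
        return False
    if op == "read":
        return desc.readable
    if op == "write":
        return desc.writable
    if op == "exec":
        return desc.is_code
    raise ValueError(op)


# Constructed descriptors, bytes in GDT storage order (both map base 0, 4 GB, 32-bit):
FLAT_DATA = bytes.fromhex("FFFF00000093CF00")   # data, read/write
FLAT_CODE = bytes.fromhex("FFFF0000009BCF00")   # code, execute/read, never writable

if __name__ == "__main__":
    print(decode_selector(0x0030))
    d, c = decode_descriptor(FLAT_DATA), decode_descriptor(FLAT_CODE)
    print(f"data: base={d.base:#x} limit={d.limit:#x} write ok={access_allowed(d, 'write')}")
    print(f"code: base={c.base:#x} limit={c.limit:#x} write ok={access_allowed(c, 'write')}")
```

Both descriptors decode to base 0 and limit 0xFFFFFFFF, so they cover the same 4 GB, yet only the data descriptor permits writes; a program that loads the code selector into DS and writes through it dies, as the text says, while the same address through the data selector is fine.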
5. The command window: this is where the various commands are executed; the prompts for the command being executed are displayed at the bottom of the screen, where syntax help for the command is also provided.

6. The program's "airspace", the so-called foothold: at a given moment, the owner of the piece of code that the CPU's CS:IP (EIP) points to. For example, if the code SoftICE is currently showing belongs to kernel32.dll, we say we are in kernel32.dll's airspace; in Figure 2.14 the name shown is KERNEL32!.text. So how do I know that it is the kernel32.dll file? Mainly by experience: kernel32.dll is a Windows system file, and SoftICE does not display a file's extension, only the part before it.

II. Introduction to common SoftICE commands

Because SoftICE has a large number of commands, only several commonly used ones are introduced here; for detailed descriptions of the others please refer to the "SoftICE Manual" in the appendix.

1. g command
Syntax: g [=start-address] [break-address]
Function: run the program; if a break address is given, execution runs to that address and stops.
Note: the g command in TRW2000 is slightly different from SoftICE's. In SoftICE the break address must lie in the current segment, and execution is interrupted when IP (EIP) reaches the specified value; TRW2000 has no such restriction on the address and stops as soon as IP (EIP) reaches the specified value, which makes TRW2000 very convenient for our work.

2. p command
Syntax: p [ret]
Function: single-step execution, equivalent to pressing F10. In assembly mode, when a call, int, loop or rep instruction is encountered, p does not trace into it; control returns to SoftICE only after the instruction has completed. In other words, the p command "steps over" these instructions. The p ret command is equivalent to the shortcut key F12.
With p ret, SoftICE keeps single-stepping until it reaches a return instruction (RET, RETF); that is, it executes code until a RET (xxxx) appears and then stops. At that point the current IP (EIP) will be on the statement following the RET (xxxx), which is usually right after a CALL xxxxxxxx. Since we usually use SoftICE to set breakpoints on underlying Windows functions, F12 is used often. Program authors write in high-level languages, and Windows advocates "transparency": it does not want the programmer to know about the underlying operations and only provides the high-level interface, so a given high-level function calls some underlying function. When you break on that underlying function and press F12, you find out which function called it.

3. t command
Syntax: t [=start-address] [count]
start-address: the address at which execution starts; count: how many single steps to execute before stopping.
Function: single-step tracing. The t command is equivalent to function key F8. If no start address is given, execution begins at the instruction pointed to by CS:IP (EIP). When t encounters a call, loop and so on, it traces into it.
Note: the main difference between the F8 and F10 function keys lies here: on encountering a CALL or LOOP, F10 steps over it and F8 steps into it.
4. bpx command
Syntax: bpx address [if expression] [do "command1; command2; ..."]
address: the linear address at which the breakpoint is set;
if expression: a conditional expression; SoftICE pops up at the breakpoint only when the condition is "true";
do command: commands executed automatically when SoftICE pops up.
Function: set (or clear) a breakpoint on an executable statement. bpx breaks on an instruction; SoftICE pops up as soon as the program executes it. When the cursor is in the code window, typing bpx by itself sets a breakpoint at the cursor's location, and typing bpx there again cancels it. The shortcut for bpx is F9: with the cursor in the code window, press F9 to set (or cancel) a breakpoint. bpx also accepts a function name as its address parameter, in the form "bpx function-name". The function name can be any API function, virtual-machine (VxD) service, DLL export function and so on.
Examples:
:bpx MessageBoxA (not case-sensitive) // break whenever MessageBoxA is called;
:bpx GetWindowTextA if EAX==8 // break on a call to GetWindowTextA only when EAX = 8;
:bpx GetWindowTextA do "d EAX" // when GetWindowTextA breaks, automatically display the memory at the address in EAX.
Note: TRW2000's condition syntax differs slightly from SoftICE's. Where SoftICE writes bpx LoadLibraryA do "dd esp->4", the same thing in TRW2000 is bpx LoadLibraryA do "dd *(esp+4)". In addition, in SoftICE double-clicking an instruction line toggles a breakpoint, whereas TRW2000 does not support this; only F9 works.

5. bpm command
Syntax: bpm [size] address [verb] [if conditional-expression] [do commands]
size: the size of the memory unit: B byte (default), W word, D double word;
verb: the operation: R read, W write, RW read and write (default), X execute.
Function: set a memory access breakpoint.
Note: bpm uses the DR0-DR3 debug registers, so at most four such breakpoints can be set.
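The note above contrasts SoftICE's "dd esp->4" with TRW2000's "dd *(esp+4)"; both read the dword at esp+4, which at the entry of a stdcall function such as LoadLibraryA is its first argument, because the CALL has just pushed the return address at [esp]. The following added example (not the article's code) models that reading over a constructed, sparse memory image; the addresses 0x0012FF70, 0x00401234 and 0x00403000 are constructed values, and describe_loadlibrary_call is a hypothetical helper that plays the role of the "do" action.

```python
"""Why 'dd esp->4' / 'dd *(esp+4)' shows LoadLibraryA's argument.
Added example, not from the article; memory image and addresses are constructed."""
import struct
from typing import Dict

# Constructed flat 32-bit memory: {base address: bytes}, sparse like the
# pages a debugger can actually touch.
MEMORY: Dict[int, bytes] = {
    0x00403000: b"user32.dll\x00",                         # string the caller passes
    # Stack at the instant the bpx on LoadLibraryA fires: CALL has pushed the
    # return address, and the single stdcall argument sits just above it.
    0x0012FF70: struct.pack("<II", 0x00401234, 0x00403000),
}
ESP_AT_BREAK = 0x0012FF70   # constructed ESP value at the breakpoint


def read_bytes(addr: int, n: int) -> bytes:
    """Fetch n bytes, failing for unmapped addresses as a real dump would."""
    for base, blob in MEMORY.items():
        if base <= addr and addr + n <= base + len(blob):
            return blob[addr - base: addr - base + n]
    raise ValueError(f"address {addr:#010x} not mapped")


def dd(addr: int) -> int:
    """Read one little-endian dword, as the 'dd' command displays it."""
    return struct.unpack("<I", read_bytes(addr, 4))[0]


def stack_arg(esp: int, n: int) -> int:
    """n-th (1-based) stdcall/cdecl argument at function entry.
    [esp] is the return address pushed by CALL, so argument 1 is at esp+4."""
    return dd(esp + 4 * n)


def read_cstring(addr: int, limit: int = 260) -> str:
    """Follow the argument pointer to its NUL-terminated ANSI string."""
    out = bytearray()
    while len(out) < limit:
        b = read_bytes(addr + len(out), 1)
        if b == b"\x00":
            break
        out += b
    return out.decode("latin-1")


def describe_loadlibrary_call(esp: int) -> dict:
    """What a 'do' action on bpx LoadLibraryA could collect (hypothetical helper)."""
    name_ptr = stack_arg(esp, 1)                 # the same dword as esp->4 / *(esp+4)
    return {"return_to": dd(esp), "lpLibFileName": name_ptr, "name": read_cstring(name_ptr)}


if __name__ == "__main__":
    info = describe_loadlibrary_call(ESP_AT_BREAK)
    print(f"returns to {info['return_to']:#010x}, loads {info['name']!r}")
```

The return address recovered from [esp] is what p ret / F12 would run back to, and the argument pointer is what "d" on the dumped dword would show as ASCII in the data window.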
6. bmsg command
Syntax: bmsg window-handle [message] [if conditional-expression] [do commands]
window-handle: the handle of the window that receives the messages; message: the name of the Windows message.
Function: set a breakpoint on a Windows message. Windows itself is message-driven, so tracing a message gives a fairly low-level answer. For example: run the Notepad program, press Ctrl+D to activate SoftICE and enter:
:bmsg WM_CHAR
:g
Then return to Notepad and press any key: SoftICE is activated, because we set a breakpoint on the keystroke message. (Before leaving SoftICE, don't forget to clear the breakpoint you just set with "bc *".)
7. bl command
Syntax: bl
Function: display the current breakpoints.
Note: SoftICE numbers the listed breakpoints starting from 0, TRW2000 starting from 1.

8. bc command
Syntax: bc list | *
list: the numbers of the breakpoints to clear, separated by spaces or commas; *: clear all breakpoints.
Function: clear one or more breakpoints.

9. bd command
Syntax: bd list | *
list: a single breakpoint number or a series of them, separated by spaces or commas; *: all breakpoints.
Function: disable one or more breakpoints.

10. be command
Syntax: be list | *
Function: enable one or more breakpoints, restoring those disabled by a previous bd command. (Whenever a breakpoint is newly defined or edited, the system automatically makes it enabled.)

11. bpe command
Syntax: bpe index-number
Function: edit an existing breakpoint.

12. r command
Syntax: r register-name
Function: display or change the contents of a register. It can change the value of any register. One frequently used function of this command is to change the value of the status register (PSW), in the form r fl flag. For example, if the Z flag (zero flag) is currently set, it is cleared after executing "r fl z"; if the C flag is clear, "r fl c" sets it.
Note: this command makes it easy to change the direction taken at a jump instruction.

13. a command
Syntax: a [address]
Function: enter the mini-assembler and write assembly code directly. If no address is given, assembly starts at the current CS:IP (EIP). The code is written into memory with SoftICE's built-in assembler, which supports the standard 80x86 instruction set, including 386, 486, Pentium, Pentium Pro, MMX and coprocessor instructions; newer versions of SoftICE also support AMD's 3DNow! and the instructions unique to the PII and PIII.
14. d command
Syntax: d [size] [address [l length]]
size: B byte; W word; D double word; S short real; L long real; T 10-byte real.
Function: display the contents of a memory region.

15. s command
Syntax: s [-cu] address l length data-list
address: the starting address of the search; length: the length to search (in bytes); data-list: a series of bytes or a string; strings may be enclosed in single or double quotes. -c: ignore case; -u: search for Unicode-encoded strings.
Function: search memory for specific data. If the data is found, it is shown in the data window; to continue searching for the next occurrence, use the s command without parameters. Because the s command skips pages that are not present in memory, you can search the entire 4 GB (0 ~ ffffffffh) space through the 32-bit flat data segment descriptor 30h. For example: s 30:0 l ffffffff "78787878" // finds where the string "78787878" is located in memory.
Note: strings for the s command in TRW2000 must be in single quotes (SoftICE accepts either).
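To show what the d and s commands actually do with the bytes, here is an added example (not the article's code) that renders a buffer the way the data window does (selector:address, hex, ASCII) and searches it with the -c and -u options. The MEMORY buffer is constructed; it contains the ASCII string "78787878" from the example above and a "Registered" string stored as Windows stores Unicode text (UTF-16LE), so a plain search misses it and only -u finds it.

```python
"""Model of the SoftICE d (dump) and s (search) commands over a byte buffer.
Added example, not code from the article; MEMORY below is constructed."""
from typing import Iterator, List, Optional

# Constructed memory image: a header, an ASCII prompt, a UTF-16LE ("Unicode")
# string as Windows stores it, and the ASCII string the article searches for.
MEMORY = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"Enter serial: \x00"
    + "Registered".encode("utf-16-le") + b"\x00\x00"
    + b"78787878\x00"
)


def dump(memory: bytes, offset: int, length: int = 32, selector: int = 0x30,
         width: int = 16) -> List[str]:
    """Render memory like the data window: selector:address, hex bytes, ASCII."""
    lines = []
    end = min(offset + length, len(memory))
    for start in range(offset, end, width):
        chunk = memory[start:min(start + width, end)]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{selector:04X}:{start:08X}  {hexpart}  {asc}")
    return lines


def encode_pattern(text: str, unicode: bool) -> bytes:
    """-u: a Windows 'Unicode' string is UTF-16LE, two bytes per character."""
    return text.encode("utf-16-le") if unicode else text.encode("latin-1")


def search(memory: bytes, text: str, start: int = 0, length: Optional[int] = None,
           case_insensitive: bool = False, unicode: bool = False) -> Iterator[int]:
    """Yield each offset of `text` within memory[start:start+length].
    Pulling the next value is the equivalent of re-issuing 's' with no
    arguments to continue the previous search."""
    needle = encode_pattern(text, unicode)
    end = len(memory) if length is None else min(len(memory), start + length)
    haystack = memory[start:end]
    if case_insensitive:            # -c: bytes.lower() folds ASCII letters only
        needle, haystack = needle.lower(), haystack.lower()
    pos = haystack.find(needle)
    while pos != -1:
        yield start + pos
        pos = haystack.find(needle, pos + 1)


def find_all(memory: bytes, text: str, **kw) -> List[int]:
    """All hits at once, for callers that do not want the resumable form."""
    return list(search(memory, text, **kw))


if __name__ == "__main__":
    print("\n".join(dump(MEMORY, 0, len(MEMORY))))
    print("ASCII search:", find_all(MEMORY, "Registered"))
    print("-u search:   ", find_all(MEMORY, "Registered", unicode=True))
    print("-cu search:  ", find_all(MEMORY, "REGISTERED", unicode=True, case_insensitive=True))
    print("78787878 at: ", find_all(MEMORY, "78787878"))
```

The lesson a search over a real process carries is the same: strings that Windows API functions handle in their W variants are UTF-16LE in memory, so searching for them without -u returns nothing even though the dump shows the letters with a dot between each pair.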