TheOwl's winice dumper (version 4)
Source code, program, everything you need...
this is beta release 4 of my winice dumper.
download it here
news.
- commented source code included, although putting it into winice.exe is
an art in itself... anyway, you can get a general idea of how it works.
suggested order of reading: init, parser, dumper.
- emulation of PAGEIN when invoked with old syntax: "PAGEIN <address>"
this works in all modes now (V86, ring-3/16, ring-3/32, ring-0/32).
- parser and dumper are more fool-proof (e.g. dumping non-committed memory
won't result in a system crash).
- ring transitions from both PM and V86 mode have been enhanced by directly
hacking the client CS:(E)IP registers. this also means that the dumper is
less intrusive and less detectable.
- support for paged out memory in V86 mode (previous versions would crash
when one tried to dump paged out memory in V86 mode).
- patcher included for both v3.22 and v3.23 of winice.
usage.
the syntax is as follows:
PAGEIN <address> [<length> <file name>]
if only <address> is specified, the old behaviour will be emulated, but this
time 16 bit modes (V86 and PM) will be supported as well. in fact, ring-3/32
support is somewhat better as well, since the client's stack no longer has
to be present (unlike for the old PAGEIN).
both <address> and <length> can be any valid expressions. <address> has to
evaluate to a flat address, e.g. CS:IP will NOT evaluate to a flat address in
16 bit modes; you have to use the flat() operator there.
<file name> can be any valid name with drive/path. the file will be created,
or overwritten if it already exists.
notes.
of course, the entire memory block you're about to dump should have been
previously allocated and committed. nonetheless, trying to dump non-committed
memory pages won't crash the system, but will instead write garbage into
the dump file... well, if you don't know what you dump, you will get it ;-).
the size of the dump file will be smaller than that of the block you
specified if at the end of the block there are non-committed pages. if the
entire block is not committed, you will end up with an empty file.
trying to dump from an address context other than the one you popped up in
won't work (this may be supported in the distant future, but you would have
to come up with strong arguments to convince me to invest my time into it).
interrupts must be enabled. you can try to change IF manually, but chances
are that you will only lock up your machine.
IFSMgr mustn't be reentered when dumping from ring-0 mode. this normally
means that you won't have a chance to dump while inside file system driver
code. not that many of you would ever debug FSDs... ;-). generally, be
very careful when dumping from ring-0 mode, there are many circumstances in
which it just won't work. one rule of thumb: if you see the client calling
other VxD services, then it's probably safe to invoke the dumper as well
(since it does nothing but invoke VxD services, namely those of IFSMgr).
PAGEIN should only be invoked AFTER the DEVICE_INIT phase of the static VxD
initialization procedure. if you're in ring-0 mode, then you can use it
earlier as well, but only with the OLD syntax (i.e. no file dumping while
VxDs are being initialized). hmmm, does it make any sense to page in anything
before DEVICE_INIT at all? ;-)
"ver ice" (v3.22) and "ver sio" (v3.23) had to be killed... oh well
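as an added illustration (not part of the dumper's source), here is a small model of two rules from the usage and notes sections above: flat() shows why a seg:off pair like CS:IP is not a flat address in V86 or 16 bit PM mode, and dump() models the documented dump-file behaviour for non-committed pages. the page size, the descriptor bases and the memory contents are constructed for the example.

```python
# Added example, not code from TheOwl's winice dumper. Models two rules from
# the readme: (1) <address> must be a flat address, so seg:off has to go
# through flat() in 16 bit modes; (2) interior non-committed pages end up as
# garbage in the dump, trailing non-committed pages are cut off, and a block
# with no committed pages at all yields an empty file.

PAGE_SIZE = 0x1000  # 4 KiB pages, as on x86

# Constructed 16 bit PM descriptor table: selector -> segment base address.
PM_BASES = {0x0117: 0x00410000, 0x011F: 0x00430000}

def flat(mode, seg, off, bases=PM_BASES):
    """Flat (linear) address of seg:off. mode is 'v86', 'pm16' or 'flat32'."""
    if mode == "v86":
        return (seg << 4) + off            # real-mode style: segment * 16 + offset
    if mode == "pm16":
        return bases[seg] + (off & 0xFFFF)  # base taken from the descriptor
    if mode == "flat32":
        return off                          # flat selectors have base 0
    raise ValueError("unknown mode: %s" % mode)

def dump(address, length, committed, mem):
    """Bytes that 'PAGEIN address length file' would write, per the readme.
    committed: set of committed page numbers; mem: page number -> page bytes."""
    first = address // PAGE_SIZE
    last = (address + length - 1) // PAGE_SIZE
    pages = list(range(first, last + 1))
    # trailing non-committed pages shrink the file; none committed -> empty file
    while pages and pages[-1] not in committed:
        pages.pop()
    if not pages:
        return b""
    out = bytearray()
    for p in pages:
        if p in committed:
            out += mem.get(p, bytes(PAGE_SIZE))
        else:
            out += b"\xCC" * PAGE_SIZE  # constructed stand-in for "garbage"
    end = min(address + length, (pages[-1] + 1) * PAGE_SIZE)
    start = address - first * PAGE_SIZE
    return bytes(out[start:start + (end - address)])

if __name__ == "__main__":
    print(hex(flat("v86", 0x1234, 0x0010)), hex(flat("pm16", 0x0117, 0x0010)))
    mem = {0x401: b"\x41" * PAGE_SIZE, 0x403: b"\x43" * PAGE_SIZE}
    print(len(dump(0x401010, 0x3000, {0x401, 0x403}, mem)))
```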
greets and thanks.
Acp,Animadei,Domnar,Fossil,Gij,G-Rom,Groo,Ice-Man,LiuTaoTao,Lordbyte,MadMax,
Marquis,Mave,Pain,tHeRaiN,Randall Flagg,Razzi,Regor,Slava,Xoanon,Zenix