Our Tools

TheOwl's winice dumper (version 4)
Source code, program, everything you need...

by TheOwl

(16 September 1998)

Well, once more an Outstanding (and generous) wizard sends us a tool that will improve your work tremendously... I wonder if the smartasses at Numega are already using it (they are... :-) and wish you all GOOD WORK, or as our (disappeared ?) +Master would say: "work well" with this incredible tool... Long live TheOwl, a Master cracker that should deserve much more recognition...
   this is beta release 4 of my winice dumper.
   download it here


   - commented source code included, although putting it into winice.exe is
     another art itself... anyway, you can get a general idea on how it works.
     suggested order of reading: init, parser, dumper.

   - emulation of PAGEIN when invoked with old syntax: "PAGEIN <address>"
     this works in all modes now (V86, ring-3/16, ring-3/32, ring-0/32).

   - parser and dumper are more fool-proof (e.g. dumping not committed memory
     won't result in a system crash).

   - ring transitions from both PM and V86 mode have been enhanced by directly
     hacking the client CS:(E)IP registers. this also means that the dumper is 
     less intrusive and detectable.

   - support for paged out memory in V86 mode (previous versions would crash
     when one tried to dump paged out memory in V86 mode).

   - patcher included for both v3.22 and v3.23 of winice.


   the syntax is as follows:

        PAGEIN <address> [<length> <file name>]

   if only <address> is specified, the old behaviour will be emulated, but this
   time 16 bit modes (V86 and PM) will be supported as well. in fact, ring-3/32
   support is somewhat better as well since the client's stack no longer has
   to be present (unlike for the old PAGEIN).

   both <address> and <length> can be any valid expression. <address> has to
   evaluate to a flat address. e.g. CS:IP will NOT result in a flat address if
   used in 16 bit modes; you have to use the flat() operator.
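   to make the "flat address" requirement concrete, here is an added example
   (not part of TheOwl's dumper or its source) showing how a segment:offset
   pair becomes a linear address in each 16 bit mode, why the raw CS:IP bit
   pattern is not that address, and how many 4 KiB pages a dump range touches
   (the granularity at which commit state, and therefore dump truncation, is
   decided). the descriptor base passed to flat_pm() is a constructed sample
   value; in a real PM context it would be read from the GDT/LDT entry that
   the selector names.

```c
#include <stdint.h>
#include <stdio.h>

/* V86 mode: the segment register is a real-mode paragraph number, so the
 * linear address is segment * 16 + offset (A20 masking is not modelled). */
uint32_t flat_v86(uint16_t seg, uint16_t off)
{
    return ((uint32_t)seg << 4) + (uint32_t)off;
}

/* Protected mode: the segment register is a selector; the linear address is
 * the descriptor's base plus the offset. desc_base is supplied by the caller
 * (constructed here; a debugger would fetch it from the GDT/LDT). */
uint32_t flat_pm(uint32_t desc_base, uint32_t off)
{
    return desc_base + off;
}

/* The value you get by gluing segment and offset together as one 32-bit
 * number. This is what "CS:IP" looks like as a bit pattern and it is NOT a
 * flat address in 16 bit modes. */
uint32_t naive_segoff(uint16_t seg, uint16_t off)
{
    return ((uint32_t)seg << 16) | off;
}

/* Number of 4 KiB pages a [addr, addr+len) range overlaps. Commit state is
 * tracked per page, so this is the unit in which trailing non-committed
 * memory shortens a dump file. */
uint32_t page_span(uint32_t addr, uint32_t len)
{
    if (len == 0)
        return 0;
    uint32_t first = addr >> 12;
    uint32_t last = (addr + len - 1) >> 12;
    return last - first + 1;
}

int main(void)
{
    uint16_t cs = 0x1234, ip = 0x0010;          /* constructed sample CS:IP */
    uint32_t pm_base = 0x00400000u;             /* constructed descriptor base */

    printf("V86  %04X:%04X -> flat %05X (naive %08X)\n",
           cs, ip, flat_v86(cs, ip), naive_segoff(cs, ip));
    printf("PM   base %08X + %04X -> flat %08X\n",
           pm_base, ip, flat_pm(pm_base, ip));
    printf("dump of 0x20 bytes at %05X spans %u page(s)\n",
           0x12FF0u, page_span(0x12FF0u, 0x20));
    return 0;
}
```

   the V86 case is the one that bites most often: 1234:0010 is linear 12350h,
   not 12340010h, so passing the raw CS:IP to the dumper would point it a few
   hundred megabytes away from the code you are looking at.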

   <file name> can be any valid name with drive/path. file will be created or
   overwritten if it already exists.


   of course, the entire memory block you're about to dump should have been
   previously allocated and committed. nonetheless, trying to dump non-committed
   memory pages won't crash the system, but will instead write garbage into
   the dump file... well, if you don't know what you dump, you will get it ;-).
   the size of the dump file will be smaller than that of the block you
   specified if at the end of the block there are non-committed pages. if the
   entire block is not committed, you will end up with an empty file.

   trying to dump from an address context other than the one you popped up in
   won't work (this may be supported in the distant future, but you would have
   to come up with strong arguments to convince me to invest my time into it).

   interrupts must be enabled. you can try to change IF manually, but chances
   are that you will lock up your machine only.

   IFSMgr mustn't be reentered when dumping from ring-0 mode. this normally
   means that you won't have a chance to dump while inside file system driver
   code. not that many of you would ever debug FSDs... ;-). generally, be
   very careful when dumping from ring-0 mode, there are many circumstances in
   which it just won't work. one rule of thumb is that if you see the client
   call other VxD services, then it's probably safe to invoke the dumper as well
   (since it does nothing else but invoke VxD services, those of IFSMgr).

   PAGEIN should only be invoked AFTER the DEVICE_INIT phase of the static VxD
   initialization procedure. if you're in ring-0 mode, then you can use it
   earlier as well, but only with the OLD syntax (i.e. no file dumping while
   VxDs are being initialized). hmmm, does it make any sense to page in anything
   before DEVICE_INIT at all? ;-)

   "ver ice" (v3.22) and "ver sio" (v3.23) had to be killed... oh well

   greets and thanks.

   Marquis,Mave,Pain,tHeRaiN,Randall Flagg,Razzi,Regor,Slava,Xoanon,Zenix
