Note: this text covers IceDump 6.015; the command syntax of later IceDump versions changed considerably, see their own Readme for details.
Translation: IceWorld http://iceworld.126.com/
Date: 18 May 2000
Format: Chinese/English parallel text

this is release 6 of the winice dumper.

-----
news.
-----

- source code included as usual, it's a dynamic VxD now, no need to patch
  winice itself (the patching happens at runtime). stuff in static code and
  data segments (_STEXT and _SDATA) can be changed, but you must reboot
  before loading the new version.

- the new PAGEIN command has a new syntax which eventually will let it do
  stuff it was never meant to ;-), see the details somewhere below...

- certain subcommands need to call win32 API functions whose addresses are
  looked up by using winice's internal symbol tables. for this to work you
  need to have kernel32 and user32 exports loaded into winice (winice.dat
  or loader32/file/load exports).

- and you thought it was impossible... so we're proud to present the first
  mp3 decoder/player that runs in kernel mode (of win9x in our case) and
  keeps working even if you enter winice. since all this requires direct
  hardware programming, we support non-PCI based SB compatible cards 'only'
  for now.

  anyway, a BIG thank you goes to fossil, who coded this stuff. and no,
  he's NOT gonna do the vcd player ;-)

- even though the Procdump32 project has officially been declared dead,
  its achievements won't go down the tube: from now on icedump features
  G-RoM's Phoenix v2.0+ engine, along with a new subcommand which lets
  you dump a full PE file directly from icedump, no external tools are
  needed anymore. i think there's not much else to explain what all this
  means... thanks G-RoM ;-)

------
usage.
------

first of all, you have to run icedump.exe from the directory corresponding
to your winice version to load the dynamic VxD (it's a self-loading VxD,
so don't go looking for a separate *.vxd file ;-). if the VxD cannot
find winice or recognize its version, it will simply not load, no harm
will be done. if for any reason you simply want to unload the VxD, you
should execute 'icedump u' and that's it. note that icedump cannot be
loaded as a static VxD since it does not act on DEVICE_INIT and the like,
but you can add support for that if you really need it.
--------------------------
mp3 playing support requires you to run YogaPlay, the GUI for the VxDs that
are in mp3\vxd and which should be copied into windows\system or YogaPlay's
own directory. YogaPlay lets you choose the mp3 files (which are eventually
uploaded to the VxDs as a playlist, icedump itself doesn't let you do that)
to be played, and gives you a basic control over playing them. if you need
anything fancier, go code it yourself, source code for YogaPlay is included
(courtesy of fossil). inside winice you have to use the 'M' subcommand, see
the description somewhere below.

------------------
command reference.
------------------

PAGEIN D <address> [<length> <filename>]
----------------------------------------

the good old one, which you should be familiar with. in short, both
<address> and <length> can be any expression that winice can evaluate,
<filename> can specify any drive/path. using <address> alone will
simulate the old PAGEIN behaviour (i.e. bring in a page). attempting
to dump non-committed memory won't cause a crash, however no other sanity
checks are made, so be careful, especially when dumping from ring-0 (i.e.
when the current CS is a ring-0 selector; dumping memory belonging to
a ring-0 data selector has nothing to do with this). for win32 processes
you will probably want to use the 'B' or 'T' subcommands since they will
rebuild a working PE image. have a look at the 'O' subcommand as well.

PAGEIN L <address> <length> <filename>
--------------------------------------

load the first <length> bytes from <filename> at <address>. sort of the
opposite of 'D', the same rules apply.

PAGEIN B <Bhrama dumper server window name>
-------------------------------------------

notify Procdump/Bhrama (yeah, the one by G-RoM ;-) to initiate dumping.
you have to supply the window name only as you can see it in the caption
bar. now, to make your own life easier, you should assign this to an F key
in winice.dat:

F3="PAGEIN B ProcDump32 - Dumper Server;"

some parameters/flags can be set by 'O B', look at them somewhere below.

keep in mind the following when using Procdump/Bhrama:

1. the Bhrama server's window name can be changed in v1.5.0+ only, this
   raises detectability issues with older versions...

2. the various Procdump options can be changed in v1.5.0+ only (and in
   Procdump/Bhrama itself, still not on the PAGEIN command line).
   for older versions you have to change and then reassemble the source
   code, or you can try to change it in memory (advanced users will find
   their way there, i'm not going to explain it here).

3. EIP (and the entry point in the dumped PE image) cannot be specified
   anywhere, instead the current one is used. however only v1.5.0+ will
   properly calculate the entry point from the EIP, for older versions
   you have to subtract the image base from the entry point written by
   Procdump and manually update the PE header.
   this is because v1.4.x expects an RVA and i can supply a VA only.
   v1.5.0+ will try to detect this situation and automagically recompute
   the entry point. note that the current solution will fail if the
   original entry point falls above 0x800000 or so (i.e. for PE images
   over 4 MBytes this may be a problem).

4. when you issue a PAGEIN B command, winice will temporarily resume
   execution of the entire system (so that you can specify the file
   name for Bhrama), however you are not supposed to (ab)use this fact
   and do anything else besides what you are asked to do (namely, select
   the file name ;-). not observing this simple rule will very easily
   end in a system crash... also, try to avoid setting breakpoints
   which may trigger during this period (e.g. those set for APIs, window
   handlers or messages and the like).

5. the client's stack will be modified since Bhrama is called in the
   client's context, this can potentially be detected by the client...

PAGEIN X <TID>|<PID>
--------------------

suspend the specified thread/process AND exit winice. this subcommand is
able to suspend the current thread (or the process owning it). note that no
breakpoint is inserted at the current EIP, so when you resume such a thread
winice will NOT break in. if you want it to (and probably you do ;-) then
you have to manually insert a breakpoint somewhere.

TID/PID must be valid ring-3 handles, either obfuscated or not (will be
automagically taken care of). use THREAD/PROC to get them.

PAGEIN S <TID>|<PID>
--------------------

suspend the specified thread/process. attempting to suspend the current
thread or the process owning it will result in an error message but will do
no harm to the system/winice (in case of a process the other threads will
be suspended though). note that no breakpoint is inserted at the current
EIP, so when you resume such a thread winice will NOT break in. if you want
it to (and probably you do ;-) then you have to manually insert a breakpoint
somewhere.

TID/PID must be valid ring-3 handles, either obfuscated or not (will be
automagically taken care of). use THREAD/PROC to get them.

PAGEIN R <TID>|<PID>
--------------------

resume the specified thread/process.

TID/PID must be valid ring-3 handles, either obfuscated or not (will be
automagically taken care of). use THREAD/PROC to get them.

PAGEIN K <PID>
--------------

kill the specified process. attempting to kill the current process will
result in an error message but will do no harm to the system/winice.

PID must be a valid ring-3 handle, either obfuscated or not (will be
automagically taken care of). use PROC to get it.

PAGEIN N [<filename>]
---------------------

dump the winice console to a file. note that only the Universal Video Driver
mode is supported (i.e. in text mode you will get the DOS window's content
and not that of winice). generally the same rules apply as for the 'D'
subcommand. when no <filename> is specified icedump will toggle the
screendumper between mode 0, mode 1 and mode 2 operation.

in mode 1, the default mode, the attribute byte will be stripped, giving
an ASCII output.

in mode 0, raw mode, the attribute bytes will also be dumped.

mode 2 dumps the screen to an HTML file. a utility, ScreenDump clean, is
provided to convert a raw dump into an ASCII or HTML dump. notes on mode 2:
- the lines and arrows are replaced with text equivalents.
- the standalone RAW->HTML converter is in the HTML directory.
- the Opera browser does not display the dump properly as the table
  elements are too long.

mode 3 has now been implemented which dumps the screen into a LaTeX
formatted file. to include the dump in your LaTeX document, include the
line "\usepackage{icedump}", then either copy and paste the dump contents
or include it via an \input command. Note that icedump requires you to
have the packages 'amssymb' and 'color' (dvips). If these are already in
your LaTeX path, then the icedump package will use them automatically. You
should also put icedump.sty in your LaTeX path. An example file can be
found in the w9x/latex directory. A standalone converter will be available
once somebody can be bothered to rip out the code from icedump :)

NOTE: mode 3 is limited to softice console screens with a maximum of 255
columns.

PAGEIN P <addr> pPrWsUcC
------------------------

change the page table entry flags for the page specified by <addr>.
pP: not present/present
rW: read only/read-write
sU: supervisor/user
cC: not committed/committed

this command directly modifies the PTEs in the page tables, so for the
virtual address range 0x00000000-0x7FFFFFFF you have to be careful since
on a context switch the PTEs describing this range will be overwritten and
won't be restored when the scheduler switches the context back. other PTEs
describing non-pagelocked pages will suffer the same fate after a page-out
page-in cycle (or so i think at least). if there's demand for more
intelligent behaviour, do it yourself ;-).

PAGEIN E tT
-----------

change bits in EFLAGS that winice normally doesn't let you. right now only
T (trap) is supported (and it doesn't work since it's under winice control
and would require a bit more hacking ;-).

PAGEIN F <FPU register number> <value>
--------------------------------------

change the content of the specified <FPU register> to <value>.
<FPU register number> must be in the range of 0...7 (for ST0...ST7).
<value> will be parsed as an extended real (80 bits). if there's demand to
be able to modify other parts of the FPU state (eg. the MMX or SSE part),
let us know (or do it yourself ;-).

PAGEIN O
--------

icedump options menu. allows you to change various icedump parameters.

PAGEIN O N - toggle screendump expert mode on/off
PAGEIN O N F <filename> - alter base filename
PAGEIN O N D <number> - alter current dump number
PAGEIN O N V - show current screendump options

currently only the screendump options have been implemented. a new feature
is the expert mode, which when turned on will allow you to perform
screendumps with the command "PAGEIN N". icedump will automatically name
the file for you incrementally. by default, it will save them to
c:\default.000, c:\default.001 etc.

you can alter the base filename/path using the "O N F" command, the current
dump number using the "O N D" command, view the current screendump options
with "O N V" and toggle expert mode on and off using "O N".

by default, the expert mode allows up to 40 characters for the path and
filename. if you need more, you can easily modify one of the EQUates in the
source code. you probably want to modify the default name too. make all the
modifications you need (they are in one place) and recompile with nasm.

i (Ghiri) will possibly implement an auto-mode for normal dumps.

PAGEIN O D - toggle memdump expert mode on/off
PAGEIN O D F <filename> - alter base filename
PAGEIN O D D <number> - alter current dump number
PAGEIN O D V - show current memdump options

the above four commands have now been implemented for auto-memdump. to use
it, turn on the expert mode and issue the command:
PAGEIN D <address> <length>

notes: when altering the filename, you can specify a path and a mask. for
example, if you set the base filename to 'c:\temp\dump-*.dmp', icedump
will auto-generate filenames like 'c:\temp\dump-001.dmp'. the number of
positions can be changed by altering an EQUate in the code. make sure
you have a valid filename.

PAGEIN O B R - Recompute PE Object size on/off
PAGEIN O B S - PE structure Reorganize on/off
PAGEIN O B H - Restore PE header on/off
PAGEIN O B I [0..3] - Import mode [0..3]

These are the options you may wish to set for a ProcDump rebuild. These
options won't apply in ProcDump if the checkbox 'User conf.' is set.

PAGEIN O T V - Update PE Virtual Object size on/off
PAGEIN O T P - Update PE Physical Object size on/off
PAGEIN O T R - PE structure Reorganize on/off
PAGEIN O T B - Rebuild PE header on/off
PAGEIN O T I [0..3] - Import mode [0..3]
PAGEIN O T C - Import caving attempt on/off

These are the Phoenix v2.0 internal options. The rebuild PE header option
only recomputes the RVA offsets, nothing more.

Import rebuilder method (Bhrama/Phoenix):
* 0 : No rebuild
      Doesn't try at all to locate the import section, leaves the related
      import information untouched.
* 1 : Use import information
      Reads the actual import information and uses it to recreate a valid
      import table.
* 2 : Rebuild import table.
      Detects the import table and fixes it up if found.
* 3 : Full import rebuild (DEFAULT).
      Detects the import table, generates a new import section, generates
      import function names & ordinals.

PAGEIN C [<track>]
------------------

control your cd-rom, without parameters it will stop playing the CD,
otherwise it will attempt to play the specified track. this subcommand
can be invoked from all execution modes (like 'D') but be careful when
you use it from a ring-0 client (you will most likely crash your system
if you just blindly break into winice and attempt to use this command).

volume has to be set outside winice, but you know who to bug for support,
don't you ;-)

PAGEIN M <0,n,+,->
------------------

control the mp3 VxDs (you should have started YogaPlay first and loaded
a tracklist). '0' stops playing, 'n' (a playlist index, counted from 1)
will play the specified track, '+' and '-' will skip to the next and
previous track respectively.
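Note 3 under PAGEIN B says that older Procdump versions write the VA (the current EIP) where the PE header expects an RVA, that the fix is to subtract the image base and update the header, and that guessing between the two readings breaks down for images above roughly 4 MB. The following is an added example, not Procdump's or icedump's own detection code, that performs that fix-up in Python on a constructed minimal PE32 header: it reads ImageBase and SizeOfImage, decides whether AddressOfEntryPoint holds an RVA or a VA, refuses when both readings are plausible, and patches the field. The field offsets are the standard PE32 optional-header offsets; the sample header is built inline and is not a loadable image.

```python
import struct

PE32_MAGIC = 0x10B
# Standard PE32 optional-header field offsets (from the PE file format spec).
OPT_ENTRY_POINT = 16
OPT_IMAGE_BASE = 28
OPT_SIZE_OF_IMAGE = 56


def optional_header_offset(pe):
    """Locate the optional header via e_lfanew; validate the MZ/PE signatures."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                    # skip signature and COFF header
    if struct.unpack_from("<H", pe, opt)[0] != PE32_MAGIC:
        raise ValueError("not a PE32 optional header")
    return opt


def read_entry_fields(pe):
    """Return (AddressOfEntryPoint, ImageBase, SizeOfImage)."""
    opt = optional_header_offset(pe)
    return (struct.unpack_from("<I", pe, opt + OPT_ENTRY_POINT)[0],
            struct.unpack_from("<I", pe, opt + OPT_IMAGE_BASE)[0],
            struct.unpack_from("<I", pe, opt + OPT_SIZE_OF_IMAGE)[0])


def entry_point_rva(value, image_base, size_of_image):
    """Decide whether `value` is already an RVA or a VA (EIP) and return the RVA.

    A VA inside the image is converted by subtracting the image base. When the
    value is plausible under both readings (the image is larger than its base,
    i.e. for the usual 0x400000 base the over-4 MB case the readme warns about)
    we refuse rather than guess.
    """
    looks_like_rva = value < size_of_image
    looks_like_va = image_base <= value < image_base + size_of_image
    if looks_like_rva and looks_like_va:
        raise ValueError("ambiguous: 0x%X is plausible both as RVA and as VA" % value)
    if looks_like_va:
        return value - image_base
    if looks_like_rva:
        return value
    raise ValueError("0x%X lies outside the image" % value)


def fix_entry_point(pe):
    """Return a copy of `pe` whose AddressOfEntryPoint is an RVA (unchanged if it already was)."""
    entry, image_base, size_of_image = read_entry_fields(pe)
    rva = entry_point_rva(entry, image_base, size_of_image)
    if rva == entry:
        return pe
    patched = bytearray(pe)
    struct.pack_into("<I", patched, optional_header_offset(pe) + OPT_ENTRY_POINT, rva)
    return bytes(patched)


def build_sample_header(entry_field, image_base=0x400000, size_of_image=0x6000):
    """Constructed minimal PE32 header (DOS header, PE signature, COFF header, optional header).

    Only the fields this example reads are filled in; it is not a loadable image.
    """
    hdr = bytearray(0x40 + 4 + 20 + 0xE0)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                        # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    # COFF: Machine=i386, 1 section, timestamp, symtab ptr, nsyms, opt hdr size, characteristics
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = 0x44 + 20
    struct.pack_into("<H", hdr, opt, PE32_MAGIC)
    struct.pack_into("<I", hdr, opt + OPT_ENTRY_POINT, entry_field)
    struct.pack_into("<I", hdr, opt + OPT_IMAGE_BASE, image_base)
    struct.pack_into("<I", hdr, opt + OPT_SIZE_OF_IMAGE, size_of_image)
    return bytes(hdr)


if __name__ == "__main__":
    # Constructed case: the dumper wrote the VA 0x401000 (EIP) into the entry-point field.
    broken = build_sample_header(0x401000)
    fixed = fix_entry_point(broken)
    print("entry point: 0x%X -> 0x%X" % (read_entry_fields(broken)[0], read_entry_fields(fixed)[0]))
```

The ambiguity check is the point: with the common 0x400000 image base, any image larger than 4 MB has RVAs and VAs that overlap, so a converter must either know which the dumper wrote or stop and ask, rather than silently produce a wrong entry point.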
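The PAGEIN N modes above describe the raw (mode 0) dump as the console cells with their attribute bytes, mode 1 as the same with the attribute bytes stripped, and mode 2 as HTML with lines and arrows replaced by text equivalents. The following is an added example, not icedump's or ScreenDump clean's own code, of such a converter in Python. It assumes the raw dump is laid out like a VGA text-mode buffer (one character byte followed by one attribute byte per cell, rows of 80 columns unless told otherwise), uses the standard 16-colour CGA palette for the two attribute nibbles, and uses its own cp437 box-drawing/arrow substitutions; the sample dump is constructed inline, not a real capture.

```python
from html import escape

# ASSUMPTIONS (mine, not icedump's): 2 bytes per cell (char, attribute),
# rows of COLUMNS cells, attribute = background nibble << 4 | foreground nibble.
COLUMNS = 80

# Standard 16-colour CGA/VGA text palette, indexed by an attribute nibble.
CGA_PALETTE = [
    "#000000", "#0000AA", "#00AA00", "#00AAAA", "#AA0000", "#AA00AA", "#AA5500", "#AAAAAA",
    "#555555", "#5555FF", "#55FF55", "#55FFFF", "#FF5555", "#FF55FF", "#FFFF55", "#FFFFFF",
]

# cp437 line/box and arrow glyphs and the text equivalents used here (my choice).
GLYPH_TO_TEXT = {
    0xB3: "|", 0xBA: "|", 0xC4: "-", 0xCD: "=",
    0xDA: "+", 0xBF: "+", 0xC0: "+", 0xD9: "+", 0xC3: "+", 0xB4: "+",
    0xC2: "+", 0xC1: "+", 0xC5: "+",
    0x18: "^", 0x19: "v", 0x1A: ">", 0x1B: "<", 0x10: ">", 0x11: "<",
}


def split_cells(raw, columns=COLUMNS):
    """Split a mode-0 (raw) dump into rows of (char, attribute) pairs."""
    if len(raw) == 0 or len(raw) % (2 * columns):
        raise ValueError("raw dump is not a whole number of %d-column rows" % columns)
    rows = []
    for start in range(0, len(raw), 2 * columns):
        row = raw[start:start + 2 * columns]
        rows.append([(row[i], row[i + 1]) for i in range(0, len(row), 2)])
    return rows


def strip_attributes(raw):
    """Mode 1 from mode 0: keep every character byte, drop every attribute byte."""
    return raw[0::2]


def cell_text(ch):
    """Printable ASCII stays, line/arrow glyphs become text equivalents, the rest '.'."""
    if ch in GLYPH_TO_TEXT:
        return GLYPH_TO_TEXT[ch]
    if 0x20 <= ch < 0x7F:
        return chr(ch)
    return "."


def raw_to_ascii(raw, columns=COLUMNS):
    """Mode-1 style ASCII text, one line per console row."""
    lines = ["".join(cell_text(ch) for ch, _attr in row) for row in split_cells(raw, columns)]
    return "\n".join(lines) + "\n"


def raw_to_html(raw, columns=COLUMNS):
    """Mode-2 style HTML: runs of cells sharing an attribute become one coloured <span>."""
    out = ["<pre>"]
    for row in split_cells(raw, columns):
        spans = []
        i = 0
        while i < len(row):
            attr = row[i][1]
            j = i
            while j < len(row) and row[j][1] == attr:
                j += 1
            text = "".join(cell_text(ch) for ch, _attr in row[i:j])
            fg = CGA_PALETTE[attr & 0x0F]
            bg = CGA_PALETTE[(attr >> 4) & 0x07]   # bit 7 (blink) ignored
            spans.append('<span style="color:%s;background:%s">%s</span>' % (fg, bg, escape(text)))
            i = j
        out.append("".join(spans))
    out.append("</pre>")
    return "\n".join(out) + "\n"


def sample_raw_dump():
    """Constructed 2-row, 12-column raw dump (not a real icedump capture)."""
    cells = []
    for ch in b":D 00401000 ":                 # row 1: white on blue
        cells += [ch, 0x1F]
    for ch in b"\xc4\xc4\x1a CODE    ":         # row 2: line, arrow, text; grey on black
        cells += [ch, 0x07]
    return bytes(cells)


if __name__ == "__main__":
    dump = sample_raw_dump()
    print(raw_to_ascii(dump, columns=12))
    print(raw_to_html(dump, columns=12))
```

Run with `columns=12` for the constructed sample; a real 80x25 or 80x50 raw dump needs the default width. The HTML path escapes the substituted text, which matters because the arrow substitutions produce `<` and `>`.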
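For PAGEIN P, each flag letter pair (pP, rW, sU, cC) sets or clears one bit of the page table entry, and the text warns that the change is made straight in the PTE. The following is an added example, not icedump's code, that models a 32-bit x86 page-table entry and applies such a flag string to it, so you can predict what a PAGEIN P command leaves behind. Present, read/write and user/supervisor are the architectural bits 0, 1 and 2; the readme does not say which bit win9x uses for "committed", so the example uses bit 9 (one of the OS-available bits) as a labelled placeholder.

```python
# Architectural bits of a 32-bit x86 page-table entry.
PTE_PRESENT = 1 << 0
PTE_WRITABLE = 1 << 1
PTE_USER = 1 << 2
# ASSUMPTION: the readme does not say which bit win9x's VMM uses for "committed";
# bit 9 (one of the three OS-available bits, 9..11) stands in for it here.
PTE_COMMITTED = 1 << 9
PTE_FRAME_MASK = 0xFFFFF000

# Flag letters from the PAGEIN P syntax "pPrWsUcC": lower case clears, upper case sets.
FLAG_LETTERS = {
    "p": (PTE_PRESENT, False),   "P": (PTE_PRESENT, True),
    "r": (PTE_WRITABLE, False),  "W": (PTE_WRITABLE, True),
    "s": (PTE_USER, False),      "U": (PTE_USER, True),
    "c": (PTE_COMMITTED, False), "C": (PTE_COMMITTED, True),
}


def parse_flag_string(flags):
    """Turn e.g. "PW" into (set_mask, clear_mask); reject unknown or contradictory letters."""
    set_mask = clear_mask = 0
    for letter in flags:
        if letter not in FLAG_LETTERS:
            raise ValueError("unknown flag letter %r (expected one of pPrWsUcC)" % letter)
        bit, turn_on = FLAG_LETTERS[letter]
        if (set_mask | clear_mask) & bit:
            raise ValueError("flag %r given twice or contradicted" % letter)
        if turn_on:
            set_mask |= bit
        else:
            clear_mask |= bit
    return set_mask, clear_mask


def apply_flags(pte, flags):
    """Return the PTE value after a PAGEIN P-style flag string has been applied."""
    set_mask, clear_mask = parse_flag_string(flags)
    return (pte & ~clear_mask & 0xFFFFFFFF) | set_mask


def describe_pte(pte):
    """Decode the bits this example models, plus the physical frame address."""
    return {
        "present": bool(pte & PTE_PRESENT),
        "writable": bool(pte & PTE_WRITABLE),
        "user": bool(pte & PTE_USER),
        "committed": bool(pte & PTE_COMMITTED),
        "frame": pte & PTE_FRAME_MASK,
    }


if __name__ == "__main__":
    # Constructed PTE: frame 0x00123000, present, read-only, user-accessible.
    pte = 0x00123005
    print(describe_pte(pte))
    print(describe_pte(apply_flags(pte, "W")))    # make it writable
    print(describe_pte(apply_flags(pte, "ps")))   # not present, supervisor-only
```

Rejecting a contradictory string such as "pP" is deliberate: when the edit goes straight into a live page table there is no undo, so the parser should fail before touching anything.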
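PAGEIN F parses <value> as an 80-bit extended real. The following is an added example, not icedump's parser, that encodes a Python float into the x87 extended format (sign bit, 15-bit exponent biased by 16383, 64-bit significand with an explicit integer bit, stored as 10 little-endian bytes) and decodes it again; this is what you need when checking an ST register value against the bytes of an FPU save area found in a memory dump.

```python
import math
import struct

EXT_BIAS = 16383          # exponent bias of the x87 80-bit format
INTEGER_BIT = 1 << 63     # the explicit integer bit of the 64-bit significand


def encode_extended(x):
    """Encode a Python float as the 10 little-endian bytes of an x87 extended real."""
    sign = 0x8000 if math.copysign(1.0, x) < 0 else 0
    if math.isnan(x):
        exp, mant = 0x7FFF, INTEGER_BIT | (1 << 62)      # quiet NaN
    elif math.isinf(x):
        exp, mant = 0x7FFF, INTEGER_BIT                  # infinity
    elif x == 0.0:
        exp, mant = 0, 0
    else:
        m, e = math.frexp(abs(x))        # abs(x) == m * 2**e with 0.5 <= m < 1
        exp = e - 1 + EXT_BIAS           # x == (2m) * 2**(e-1), 1 <= 2m < 2
        mant = int(m * (1 << 64))        # (2m) * 2**63: the integer bit lands in bit 63
    return struct.pack("<QH", mant, exp | sign)


def decode_extended(data):
    """Inverse of encode_extended for the values a Python float can hold."""
    if len(data) != 10:
        raise ValueError("an extended real is exactly 10 bytes")
    mant, sign_exp = struct.unpack("<QH", data)
    sign = -1.0 if sign_exp & 0x8000 else 1.0
    exp = sign_exp & 0x7FFF
    if exp == 0x7FFF:                    # infinity or NaN
        return math.nan if (mant & ~INTEGER_BIT & 0xFFFFFFFFFFFFFFFF) else sign * math.inf
    if mant == 0:
        return sign * 0.0
    return sign * math.ldexp(mant, exp - EXT_BIAS - 63)


def round_trips(x):
    """True when encoding and decoding reproduces the float exactly."""
    return decode_extended(encode_extended(x)) == x


if __name__ == "__main__":
    for v in (1.0, -2.5, 3.141592653589793):
        print("%r -> %s" % (v, encode_extended(v).hex()))
```

Because a double has 53 significant bits and the extended format has 64, every finite double round-trips exactly; the reverse is not true, so a value read back from an FSAVE area may carry bits a double cannot hold.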
PAGEIN I <imports-address> <imagebase> <EIP>
--------------------------------------------