Debugging 16-bit MBR code in windbg

Hi,

Is there a way in windbg to trace execution right from the point the first
instruction in the MBR executes?

If not windbg, is there any other way? I am looking for a way of doing this
on a Windows NT platform.

Thanks
Chandra

chandra97 97 wrote:

> Hi,
>
> Is there a way in windbg to trace execution right from the point the first
> instruction in the MBR executes?
>
> If not windbg, is there any other way? I am looking for a way of doing
> this on a Windows NT platform.

No. This should be obvious. The MBR is executed from the BIOS during
reset processing. No operating system has been loaded yet. Indeed,
nothing at all has been loaded yet.

You can certainly use the Bochs simulator to step through the MBR
process. It is a virtual PC simulator that can actually boot Windows.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

AMD also makes a simulator, but it only works on amd64 platforms, and I
don’t recall whether it only simulates that platform as well. If you
can live with these constraints, whatever they actually are, then you
might wish to check it out as well (also free). I can’t speak to much
else about it, but I found it to be quite a bit faster than Bochs, based
on limited usage only, however. Also, supposedly it can be connected to
WinDbg, but I guess that wouldn’t really apply here anyway, given when
you’re connecting. If they would both work for you, I would personally
choose first based on the debugging capabilities provided. I really
can’t recommend it (or not recommend it), but I just thought I would
mention it.

For the sake of completeness, you can do this and more with a JTAG emulator
(like an Arium ECM-50 or ECM-XDP) and either a motherboard with an XDP
socket or an interposer. While there are a number of advantages to
this, this setup will set you back about $15,000 - $20,000, so I
seriously doubt that this would be a good first step, and it wouldn’t ever
be worth it in the majority of cases, even at this low (bare metal) of a
level. The definite advantages are that it would be much faster than
emulation, and more importantly that if you need to debug/disassemble
the BIOS itself, simulators are not generally useful, because in
practice you would be concerned with something too specific for a
simulator, which generally has one “BIOS,” and both the Ariums provide
some additional capabilities like rudimentary bus analyzer capabilities.
After that, it depends greatly on what the Bochs/AMD simulators
support in the way of debugging capabilities. My vague recollection of
the AMD case is that it supported reasonable ways to utilize most of the
architectural features that the Arium supported - like setting a
breakpoint on SMI, for example - but it had essentially nothing in the
way of script support, etc., not that the Arium is exactly stellar in
this area either. The major disadvantage is clearly price, and the
trick is getting a motherboard that supports the features you want that
can be made to work with/satisfy one of: having an XDP port (this is
essentially in the miracle category), having access to and being able to budget
for engineering to attach a socket (very doable, if you have the
resources), or getting an interposer that happens to work at all, and if
you’re really lucky, reliably.

Good luck,

mm


Hello,

* On Fri, Mar 21, 2008 at 03:02:33PM -0400 chandra97 97 wrote:

> Is there a way in windbg to trace execution right from the point the first
> instruction in the MBR executes?

If you “only” want to disassemble, the article “Disassemble the MBR” at
http://blogs.msdn.com/ntdebugging/archive/2008/03/06/disassemble-the-mbr.aspx
might be of help.

But: If you really want to execute step by step, that article won’t help
you.

Regards,
Spiro.


Spiro R. Trikaliotis http://opencbm.sf.net/
http://www.trikaliotis.net/ http://www.viceteam.org/

I’ve always used the old SoftIce for DOS.

“Martin O’Brien” wrote in message
news:xxxxx@windbg…

Well, you don't need all that diskwhatever as suggested in the link if
you are interested in just disassembling MBR code.

All you need is windbg; there are many files in the OS that carry MBR
code embedded in them.

For example:

windbg -c "ur dmadmin!x86bootcode l100" c:\windows\system32\dmadmin.exe

will get a disassembly of an XP MBR:

0:000> ur dmadmin!x86bootcode l100
dmadmin!x86BootCode:
010319f8 33c0 xor ax,ax
010319fa 8ed0 mov ss,ax
010319fc bc007c mov sp,7C00h
010319ff fb sti
01031a00 50 push ax
01031a01 07 pop es
01031a02 50 push ax
01031a03 1f pop ds
01031a04 fc cld
01031a05 be1b7c mov si,7C1Bh
01031a08 bf1b06 mov di,61Bh

regards

On 3/24/08, Spiro Trikaliotis wrote:

Disassembly was never a problem! There are several ways (as suggested). I
personally used IDA.

I really wanted to step through the code on a real machine.

I tried to see the Soft-Ice help. No help there.

Can Soft-Ice really debug MBR code on NT, as Alan H suggested?

Thanks
Chandra

On Mon, Mar 24, 2008 at 2:51 PM, raj_r wrote:


Chandra,

The version of SoftIce for DOS that I use is 2.80. I think this is the last version released for DOS. It is from 1990, so it’s from the Nu-Mega era.
To use it, you need to be able to boot from a floppy disk, though I’ve had some limited success using CDs. A USB floppy will work if your BIOS can boot from it.

It helps if you are generating and installing your own MBR, because you can insert an int3 as an initial breakpoint, but if you are debugging the standard MBR a hacky workaround is to edit the first byte on disk, making it an int3, which you then restore to its original value in the debugger.

BTW this also works in a VM, where you don’t need the physical floppy, just an image.

Hope this helps,
Alan
“chandra97 97” wrote in message news:xxxxx@windbg…

You are currently subscribed to windbg as: xxxxx@gmail.com

To unsubscribe send a blank email to xxxxx@lists.osr.com
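As an added example (not code from the thread), a small Python checker that ties together raj_r's windbg disassembly and Alan's int3 workaround: it validates a 512-byte MBR image (boot signature, partition table), recognises the XP bootstrap prologue whose opcode bytes appear in the windbg output above, and flags a first byte patched to int3 so the patch is not left behind after a debugging session. The sample image is constructed inline and the function names are my own.

```python
"""Check a 512-byte MBR image: boot signature, partition table, the XP
bootstrap prologue seen in the windbg output, and the int3 debug patch."""
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510-511 of a valid MBR
INT3 = 0xCC                      # one-byte int3 opcode used as the initial breakpoint
PARTITION_TABLE_OFFSET = 0x1BE   # four 16-byte entries, then the signature

# Opcode bytes of the XP MBR prologue as disassembled by raj_r above:
# xor ax,ax / mov ss,ax / mov sp,7C00h / sti / push ax / pop es /
# push ax / pop ds / cld / mov si,7C1Bh / mov di,61Bh
XP_MBR_PROLOGUE = bytes.fromhex("33c08ed0bc007cfb5007501ffcbe1b7cbf1b06")


def parse_partition_table(mbr):
    """Return the four partition entries (status, type, start LBA, length)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr):
    """Inspect one sector and report what a boot-code reviewer wants to know."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR image must be exactly %d bytes" % SECTOR_SIZE)
    report = {
        "valid_signature": mbr[510:512] == BOOT_SIGNATURE,
        "int3_patched": mbr[0] == INT3,
        "partitions": parse_partition_table(mbr),
        "issues": [],
    }
    # Compare the prologue, ignoring byte 0 while the int3 patch is in place.
    skip = 1 if report["int3_patched"] else 0
    head = mbr[:len(XP_MBR_PROLOGUE)]
    report["xp_prologue"] = head[skip:] == XP_MBR_PROLOGUE[skip:]

    if not report["valid_signature"]:
        report["issues"].append("missing 0x55AA boot signature at offset 510")
    if report["int3_patched"]:
        report["issues"].append(
            "byte 0 is int3 (0xCC): debug patch present, restore it before booting without a debugger")
    if not report["xp_prologue"]:
        report["issues"].append("bootstrap code does not start with the XP MBR prologue")

    bootable = [e["index"] for e in report["partitions"] if e["status"] == 0x80]
    if len(bootable) > 1:
        report["issues"].append("more than one partition is flagged bootable: %s" % bootable)
    for e in report["partitions"]:
        if e["status"] not in (0x00, 0x80):
            report["issues"].append(
                "partition %d has invalid status byte 0x%02x" % (e["index"], e["status"]))
        if e["type"] != 0 and e["sectors"] == 0:
            report["issues"].append(
                "partition %d has type 0x%02x but zero length" % (e["index"], e["type"]))
    return report


def apply_int3_patch(mbr):
    """The workaround from the thread: replace byte 0 with int3 so the very first
    instruction traps into the debugger. Returns (patched image, original byte)."""
    return bytes([INT3]) + mbr[1:], mbr[0]


def restore_first_byte(mbr, original):
    """Undo apply_int3_patch once the debugger has taken the breakpoint."""
    return bytes([original]) + mbr[1:]


def build_sample_mbr():
    """Constructed sample: XP prologue, zero-filled code, one bootable NTFS
    partition (type 0x07) at LBA 63, and the boot signature."""
    image = bytearray(SECTOR_SIZE)
    image[:len(XP_MBR_PROLOGUE)] = XP_MBR_PROLOGUE
    struct.pack_into("<B3sB3sII", image, PARTITION_TABLE_OFFSET,
                     0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2000000)
    image[510:512] = BOOT_SIGNATURE
    return bytes(image)


if __name__ == "__main__":
    clean = build_sample_mbr()
    print("clean image:", check_mbr(clean)["issues"] or "no issues")
    patched, saved = apply_int3_patch(clean)
    print("patched image:", check_mbr(patched)["issues"])
    assert restore_first_byte(patched, saved) == clean
```

To run it against a real disk image, read the first 512 bytes of the image file and pass them to check_mbr.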

Hi Alan,

I’m still not clear if you meant you could debug “NT” MBR from soft-ice.
When you say

“The version of SoftIce for DOS that I use is 2.80. I think this is the last
version released for DOS”

Does this also apply to debugging NT 5.x MBR?

Thanks
Chandra

On Tue, Mar 25, 2008 at 5:47 AM, Alan Hodges wrote:


Although I used SoftICE for years, SoftICE for DOS is before my time.
What follows is a guess. I would imagine that the way it works is that
you first boot normally into DOS, which loads SoftICE, then you set a
breakpoint in your MBR on the floppy, perhaps load some symbols or
source files, and finally, there is probably some command that you issue
that causes the machine to reboot, but allows SI to persist in memory
and retain state information, like breakpoints, for example. Assuming
that SoftICE doesn’t require the use of DOS services (which seems like a
given), or BIOS services (which seems likely) at least for its core
services, and that it simulates a handful of services that mess with
this delicate setup, then you probably could use this to step through
other (real mode) operating systems, assuming that they could be loaded
this way, or the BIOS. Or something like that. Maybe. I never tried.

The bottom line is that unless you happen to have a DOS version of
SoftICE (which I believe is included with any version of DriverStudio)
lying around, then this is a dead end, as SoftICE is no longer a product.

Good luck,

mm

7C0:0H


This type of debugging was done frequently on MS-DOS machines in the 1980s
and early 1990s. I used Periscope with the board that permitted the
software to be loaded into the card, and it configured itself as a BIOS
extension that was executed by the system BIOS before any attempt to load
from a bootable drive. You can just load an MBR into memory at the correct
address using your DOS debugger of choice and step through it. There will
be no source code in most implementations since most boot code was written
in assembler.

“Martin O’Brien” wrote in message
news:xxxxx@windbg…

NO, you cannot debug NT, at all, since NT does not exist at that point in time. It’s still out on the HDD waiting for the NtLdr to be loaded to bootstrap things into place. What you have been told is that you can boot to DOS from a floppy, maybe a CD, run SoftIce and step through and into any MBR you can get into memory. But … you can do a lot of that by simply using a command line window in WinXp 32 and using the debug command. Trapping the reset vector (0xF000:FFF0) to do some real live stepping into real live code will require you to use SoftIce or boot to something that can intercept the reset vector such as Periscope with a board.


The personal opinion of
Gary G. Little

“chandra97 97” wrote in message news:xxxxx@windbg…

I created a virtual floppy drive (A:) on a VM. Then I copied over the binaries for
debugging win16 that ship with SoftICE 2.8 onto the floppy drive. I set up
SoftICE in the A:\CONFIG.SYS file with

device=c:\SoftICE\S-ICE.exe /SYM 50

I rebooted the machine and it booted OK with a message saying SoftICE is
active.

Then I copied my custom MBR over the default MBR on the A: drive, leaving
the partition table the same as before. I had edited my custom MBR by putting a
breakpoint at the very first instruction. I rebooted the VM to boot
from the A: drive, thinking the MBR would break into SoftICE. The machine just sat
there hung. I tried several changes in this setting but no help.

Is there a step that I’m missing?

Thanks in advance.
Chandra

On Tue, Mar 25, 2008 at 4:14 PM, Gary G. Little wrote:

> >
> > Thanks
> > Chandra
> >
> >
> >
> > On Mon, Mar 24, 2008 at 2:51 PM, raj_r wrote:
> >
> > > well you dont need all that diskwhatever as suggested in the link if
> > > you are interested in just disassembling mbr code
> > >
> > > all you need is windbg only there are many files in os that carry mbr
> > > code embedded in them
> > >
> > > for example
> > >
> > > windbg -c “ur dmadmin!x86bootcode l100”
> > > c:\windows\system32\dmadmin.exe
> > >
> > > will get a disassembly of an xp mbr
> > >
> > > 0:000> ur dmadmin!x86bootcode l100
> > > dmadmin!x86BootCode:
> > > 010319f8 33c0 xor ax,ax
> > > 010319fa 8ed0 mov ss,ax
> > > 010319fc bc007c mov sp,7C00h
> > > 010319ff fb sti
> > > 01031a00 50 push ax
> > > 01031a01 07 pop es
> > > 01031a02 50 push ax
> > > 01031a03 1f pop ds
> > > 01031a04 fc cld
> > > 01031a05 be1b7c mov si,7C1Bh
> > > 01031a08 bf1b06 mov di,61Bh
> > >
> > > regards
> > >
> > >
> > > On 3/24/08, Spiro Trikaliotis wrote:
> > > > Hello,
> > > >
> > > > * On Fri, Mar 21, 2008 at 03:02:33PM -0400 chandra97 97 wrote:
> > > > > Is there a way in windbg to trace execution right from the
> > > point first
> > > > > instruction in MBR executes?
> > > >
> > > > If you “only” want to disassemble, the article “Disassemble the MBR”
> > > at
> > > >
> > > http://blogs.msdn.com/ntdebugging/archive/2008/03/06/disassemble-the-mbr.aspx
> > > > might be of help.
> > > >
> > > > But: If you really want to execute step by step, that article won’t
> > > help
> > > > you.
> > > >
> > > > Regards,
> > > > Spiro.
> > > >
> > > > –
> > > > Spiro R. Trikaliotis
> > > http://opencbm.sf.net/
> > > > http://www.trikaliotis.net/
> > > http://www.viceteam.org/
> > > >
> > > > —
> > > > You are currently subscribed to windbg as: xxxxx@gmail.com
> > > > To unsubscribe send a blank email to
> > > xxxxx@lists.osr.com
> > > >
> > >
> > > —
> > > You are currently subscribed to windbg as: xxxxx@gmail.com
> > > To unsubscribe send a blank email to xxxxx@lists.osr.com
> > >
> >
> >
> > —
> > You are currently subscribed to windbg as: unknown lmsubst tag argument:
> > ‘’
> > To unsubscribe send a blank email to xxxxx@lists.osr.com
> >
>
>
> —
> You are currently subscribed to windbg as: unknown lmsubst tag argument:
> ‘’
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

Chandra,

You will need to do a warm reboot if you want to keep SoftIce in memory.
IIRC you can use the SoftIce hotkey to break into the debugger and then let
SoftIce do a warm reboot for you. I believe the SoftIce command is
something like INT19. If all else fails, you can use DEBUG to create a 2-byte
int19.com executable containing a single int 19h instruction and then run
the program from the DOS prompt to force the warm reboot.

I seem to recall that SoftIce had some trouble staying loaded through a warm
reboot on some machines depending upon what gets done by the ROMBIOS int 19h
handler so your mileage may vary.

John Hensley
www.resqware.com


Hi Chandra,

After you have booted from the virtual floppy and copied over your custom MBR, you will need to disconnect the virtual floppy, or change the VM boot device order, to avoid booting from the floppy again before the next step.
Then you need to break into SoftIce with Ctrl+D and then issue the “boot” command. This should cause the VM to do a warm reboot from the hard disk with your MBR.

Alan


When I try to warm boot SoftICE using the “BOOT” command, the VM hangs. I
am using DOS 6.22 and SoftICE 2.8. I have no entry in config.sys for any
driver except SoftICE. I tried creating the INT19.COM batch as JohnH suggested.
No mileage using INT19.COM either!

Is there a specific DOS version that is compatible with SoftICE 2.8 where this
works?

Thanks
Chandra


Chandra,

I created an MS-DOS 6.22 VMware VM with SoftICE 2.8 and did a bit of
testing to see if I could get the debugger to remain across a warm boot.
Putting a breakpoint on int 19h and then tracing through the ROMBIOS warm
boot code reveals that the VMware ROMBIOS emulation reloads the
global descriptor table, causing SoftICE to fault.

I was however able to get SoftICE to remain loaded across a warm boot by
manually bypassing the ROMBIOS int 19h handler, using a tiny bit of code to
simulate a warm boot after DOS has restored the interrupt vectors. This is
how I did it:

First you will need to use DEBUG to create a binary executable named
loadboot.bin containing these instructions, or you can download
the file from www.resqware.com/public/loadboot.bin and copy it into your VM.

MOV AX,5000
MOV ES,AX
MOV SI,0111
MOV DI,0000
MOV CX,0020
REPZ
MOVSB
INT 3
XOR AX,AX
CLI
MOV SS,AX
MOV SP,7C00

STI
MOV DS,AX
MOV ES,AX

MOV AX,0201
MOV BX,7C00
MOV CX,0001
MOV DX,0080
INT 13
JB 0111
PUSH ES
PUSH BX
RETF

From the DOS prompt use the SoftICE loader tool to load the executable file
into memory:

LDR LOADBOOT.BIN

Now issue these commands:

i3here on
bpint 19
bpm 0:7c00 x
g
boot
g
rcs 5000
rip 0
g
bc *

At this point the debugger should be stopped on the first instruction in the
MBR that was loaded from the hard drive.

Regards,
…John
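
John's loadboot.bin listing above is given in DEBUG's input notation, without the bytes DEBUG would emit. The following Python is an added example (the editor's, not John's code and not anything shipped with SoftICE): it assembles that exact listing with a small encoder for the handful of 8086 instruction forms the listing uses, reads back the three operands that define the copy to 5000:0000 (AX, SI, CX), extracts the 32-byte stub, and decodes the INT 13h call the stub makes so a reader can confirm it reads cylinder 0, head 0, sector 1 of drive 80h, i.e. the MBR, into 0:7C00 before it jumps there. It also checks that the stub's only branch is a short relative jump landing inside the copied bytes, which is what lets the code run at a different segment from the one it was assembled at, and it produces the 2-byte int19.com from John's earlier note. The origin of 0100h (a .COM-style load for LDR) and the offsets 0111h and 0020h come from the listing; the opcode table is standard 8086 encoding.

```python
ORIGIN = 0x100  # assumption: LDR loads the flat binary at CS:0100h, like a .COM file

REG16 = {"AX": 0, "CX": 1, "DX": 2, "BX": 3, "SP": 4, "BP": 5, "SI": 6, "DI": 7}
SREG = {"ES": 0, "CS": 1, "SS": 2, "DS": 3}
SINGLE_BYTE = {"CLI": b"\xFA", "STI": b"\xFB", "REPZ": b"\xF3", "MOVSB": b"\xA4", "RETF": b"\xCB"}

# John's loadboot.bin listing, instruction for instruction, in DEBUG syntax
# (hex operands without an 'h' suffix, REPZ and MOVSB as separate lines).
LOADBOOT = ["MOV AX,5000", "MOV ES,AX", "MOV SI,0111", "MOV DI,0000", "MOV CX,0020",
            "REPZ", "MOVSB", "INT 3",
            "XOR AX,AX", "CLI", "MOV SS,AX", "MOV SP,7C00", "STI", "MOV DS,AX", "MOV ES,AX",
            "MOV AX,0201", "MOV BX,7C00", "MOV CX,0001", "MOV DX,0080", "INT 13", "JB 0111",
            "PUSH ES", "PUSH BX", "RETF"]

def encode(text, here):
    """8086 encoding for the few instruction forms the stub uses.  `here` is the
    instruction's own offset, which the rel8 conditional jump needs."""
    parts = text.upper().split(None, 1)
    m = parts[0]
    ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
    if m == "MOV":
        dst, src = ops
        if dst in SREG and src in REG16:                        # MOV Sreg,r16: 8E /r, mod=11
            return bytes([0x8E, 0xC0 | (SREG[dst] << 3) | REG16[src]])
        if dst in REG16 and src not in REG16 and src not in SREG:   # MOV r16,imm16: B8+r iw
            return bytes([0xB8 + REG16[dst]]) + int(src, 16).to_bytes(2, "little")
    elif m == "XOR" and ops == ["AX", "AX"]:
        return b"\x33\xC0"
    elif m == "INT":
        n = int(ops[0], 16)
        return b"\xCC" if n == 3 else bytes([0xCD, n])         # INT 3 has a 1-byte opcode
    elif m == "JB":
        rel = int(ops[0], 16) - (here + 2)                     # displacement from the next IP
        if not -128 <= rel <= 127:
            raise ValueError("JB target out of rel8 range")
        return bytes([0x72, rel & 0xFF])
    elif m == "PUSH":
        r = ops[0]
        return bytes([0x06 | (SREG[r] << 3)]) if r in SREG else bytes([0x50 + REG16[r]])
    elif m in SINGLE_BYTE:
        return SINGLE_BYTE[m]
    raise ValueError(f"unsupported instruction: {text}")

def assemble(listing, origin=ORIGIN):
    """Return (offset, text, bytes) records, one per instruction."""
    records, pos = [], origin
    for text in listing:
        enc = encode(text, pos)
        records.append((pos, text.upper(), enc))
        pos += len(enc)
    return records

def image(records):
    return b"".join(enc for _, _, enc in records)

def immediates(records, stop_at):
    """16-bit values loaded by MOV r16,imm16 before the instruction `stop_at`
    (a later load overrides an earlier one, as it would at run time)."""
    regs = {}
    for _, text, enc in records:
        if text == stop_at:
            break
        if text.startswith("MOV ") and 0xB8 <= enc[0] <= 0xBF:
            regs[text[4:6]] = int.from_bytes(enc[1:3], "little")
    return regs

def relocated_stub(records):
    """The loader REP MOVSBs CX bytes from DS:SI to ES:DI with ES=AX; read those
    operands back out of the code and return (segment, source_offset, stub_bytes)."""
    r = immediates(records, "INT 3")
    start = r["SI"] - records[0][0]
    return r["AX"], r["SI"], image(records)[start:start + r["CX"]]

def int13_request(records):
    """Decode the INT 13h call the stub makes: AH=function, AL=sector count,
    CH/CL=cylinder and sector, DH=head, DL=drive, ES:BX=buffer."""
    r = immediates(records, "INT 13")
    ax, cx, dx = r["AX"], r["CX"], r["DX"]
    return {"function": ax >> 8, "count": ax & 0xFF,
            "cylinder": ((cx & 0xC0) << 2) | (cx >> 8), "sector": cx & 0x3F,
            "head": dx >> 8, "drive": dx & 0xFF, "buffer": r["BX"]}

def stub_is_relocatable(records, start, length):
    """The stub runs at 5000:0000, not where it was assembled, so every jump in
    it must be a short relative one that also lands inside the copied range."""
    for off, _, enc in records:
        if start <= off < start + length and enc[0] == 0x72:
            rel = enc[1] - 256 if enc[1] > 127 else enc[1]
            if not start <= off + 2 + rel < start + length:
                return False
    return True

if __name__ == "__main__":
    recs = assemble(LOADBOOT)
    seg, src, stub = relocated_stub(recs)
    print("loadboot.bin:", image(recs).hex())
    print(f"stub: {len(stub)} bytes copied from {src:04X}h to {seg:04X}:0000, "
          f"relocatable={stub_is_relocatable(recs, src, len(stub))}")
    print("INT 13h request:", int13_request(recs))
    print("int19.com:", encode("INT 19", ORIGIN).hex())
```

Running it prints the 49 bytes DEBUG would write for loadboot.bin, which you can compare against a downloaded copy before loading it with LDR. The decoded INT 13h request shows why the bpm 0:7c00 x breakpoint in John's command sequence fires: the stub reads exactly one sector from CHS 0/0/1 of drive 80h into 0:7C00 and then far-returns to it. The relocatability check explains the JB 0111 line: once the 32 bytes are running at 5000:0000 the jump still works, because a rel8 jump is position-independent and its target (the stub's own XOR AX,AX) was copied along with it.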


That seems to work!! I appreciate the help.

Thanks
Chandra

On Fri, Mar 28, 2008 at 9:06 PM, John Hensley wrote:

> Chandra,
>
> I created an MS-DOS 6.22 VM-Ware VM with SoftICE 2.8 and did a bit of
> testing to see if I could get the debugger to remain across a warm boot.
> Putting a break point on int 19h and then tracing through the ROMBIOS warm
> boot code reveals the VM-Ware ROMBIOS emulation is doing a reload of the
> global descriptor table causing SoftICE to fault.
>
> I was however able to get SoftICE to remain loaded across a warm boot by
> manually bypassing the ROMBIOS int 19h handler using a tiny bit of code to
> simulate a warm boot after DOS has restored the interrupted vectors. This is
> how I did it:
>
> First you will need to use debug to create a binary executable named
> loadboot.bin containing these executable instructions. Or you can
> download the file from www.resqware.com/public/loadboot.bin and copy it
> into your VM.
>
> MOV AX,5000
> MOV ES,AX
> MOV SI,0111
> MOV DI,0000
> MOV CX,0020
> REPZ
> MOVSB
> INT 3
> XOR AX,AX
> CLI
> MOV SS,AX
> MOV SP,7C00
>
> STI
> MOV DS,AX
> MOV ES,AX
>
> MOV AX,0201
> MOV BX,7C00
> MOV CX,0001
> MOV DX,0080
> INT 13
> JB 0111
> PUSH ES
> PUSH BX
> RETF
>
> From the DOS prompt use the SoftICE loader tool to load the executable
> file into memory:
>
> LDR LOADBOOT.BIN
>
> Now issue these commands:
>
> i3here on
> bpint 19
> bpm 0:7c00 x
> g
> boot
> g
> rcs 5000
> rip 0
> g
> bc *
>
> At this point the debugger should be stopped on the first instruction in
> the MBR that was loaded from the hard drive.
>
> Regards,
> ?.John
>
> From: xxxxx@lists.osr.com [mailto:
> xxxxx@lists.osr.com] *On Behalf Of *chandra97 97
> Sent: Friday, March 28, 2008 4:25 PM
> To: Kernel Debugging Interest List
> Subject: Re: [windbg] Debugging 16-bit MBR code in windbg
>
>
>
> When I try to warm boot softICE using the “BOOT” command the VM gets hung.
> I am using DOS 6.22 and SoftICE 2.8. I have no entry in config.sys for any
> driver except softICE. I tried creating INT19.COM batch as JohnH
> suggested. No mileage using INT19.COM either!
>
> Is there a specific DOS version that is compatible to SoftICE 2.8 where
> this works?
>
> Thanks
> Chandra
>
> On Thu, Mar 27, 2008 at 5:56 PM, Alan Hodges
> wrote:
>
> Hi Chandra,
>
>
>
> After you have booted from the virtual floppy, and copied over your custom
> MBR, you will need disconnect the virtual floppy, or change the VM boot
> device order to avoid booting from floppy again before the next step.
>
> Then you need to break into SoftIce with Ctrl+D and then issue the “boot”
> command. This should cause the VM to do a warm reboot from the hard disk
> with your MBR.
>
>
>
> Alan
>
>
>
> “chandra97 97” wrote in message news:xxxxx@windbg…
>
> I created a virtual floppy drive (A:) on a VM. Then copied over binaries
> for debugging win16 that ship with SoftICE 2.8 into the floppy drive. I
> set up the softICE in A:\CONFIG.SYS file with
>
> device=c:\SoftICE\S-ICE.exe /SYM 50
>
> I rebooted the machine and it booted ok with a message saying SoftICE is
> active.
>
> Then I copied my custom MBR over the default MBR in the A: drive, leaving
> the partition table the same as before. I had edited my custom MBR by putting
> a breakpoint at the very first instruction. I rebooted the VM to boot
> into the A: drive, thinking the MBR would break into SoftICE. The machine just
> sat there hung. I tried several changes in this setting but no help.
>
> Is there a step that I’m missing?
>
> Thanks in advance.
>
> Chandra
>
>
>
> On Tue, Mar 25, 2008 at 4:14 PM, Gary G. Little <xxxxx@seagate.com> wrote:
>
> NO, you cannot debug NT, at all, since NT does not exist at that point in
> time. It’s still out on the HDD waiting for the NtLdr to be loaded to
> bootstrap things into place. What you have been told is that you can boot to
> DOS from a floppy, maybe a CD, run SoftIce and step through and into any MBR
> you can get into memory. But … you can do a lot of that by simply using a
> command line window in WinXp 32 and using the debug command. Trapping the
> reset vector (0xF000:FFF0) to do some real live stepping into real live code
> will require you to use SoftIce or boot to something that can intercept the
> reset vector such as Periscope with a board.
>
>
>
> –
> The personal opinion of
> Gary G. Little
>
> “chandra97 97” wrote in message news:xxxxx@windbg…
>
> Hi Allan,
>
> I’m still not clear if you meant you could debug “NT” MBR from soft-ice.
> When you say
>
> “The version of SoftIce for DOS that I use is 2.80. I think this is the
> last version released for DOS”
>
>
> Does this also apply to debugging NT 5.x MBR?
>
> Thanks
> Chandra
>
>
>
> On Tue, Mar 25, 2008 at 5:47 AM, Alan Hodges wrote:
>
> Chandra,
>
>
>
> The version of SoftIce for DOS that I use is 2.80. I think this is the
> last version released for DOS. It is from 1990, so it’s from the Nu-Mega
> era.
>
> To use it, you need to be able to boot from a floppy disk, though I’ve had
> some limited success using CDs. A USB floppy will work if your BIOS can boot
> from it.
>
>
>
> It helps if you are generating and installing your own MBR, because you
> can insert an int3 as an initial breakpoint, but if you are debugging the
> standard MBR a hacky workaround is to edit the first byte on disk, making it
> an int3, which you then restore to its original value in the debugger.
>
>
>
> BTW this also works in a VM, where you don’t need the physical floppy,
> just an image.
>
>
>
> Hope this helps,
>
> Alan
>
> “chandra97 97” wrote in message news:xxxxx@windbg…
>
> Disassembly was never a problem! There are several ways (as suggested).
> I personally used IDA.
>
> I really wanted to step through the code on a real machine.
>
> I tried to see Soft-Ice help. No help there.
>
> Can Soft-Ice really debug MBR code on NT, as Alan H suggested?
>
> Thanks
> Chandra
>
>
> On Mon, Mar 24, 2008 at 2:51 PM, raj_r wrote:
>
> well you don't need all that diskwhatever as suggested in the link if
> you are interested in just disassembling mbr code
>
> all you need is windbg only; there are many files in the os that carry mbr
> code embedded in them
>
> for example
>
> windbg -c “ur dmadmin!x86bootcode l100” c:\windows\system32\dmadmin.exe
>
> will get a disassembly of an xp mbr
>
> 0:000> ur dmadmin!x86bootcode l100
> dmadmin!x86BootCode:
> 010319f8 33c0 xor ax,ax
> 010319fa 8ed0 mov ss,ax
> 010319fc bc007c mov sp,7C00h
> 010319ff fb sti
> 01031a00 50 push ax
> 01031a01 07 pop es
> 01031a02 50 push ax
> 01031a03 1f pop ds
> 01031a04 fc cld
> 01031a05 be1b7c mov si,7C1Bh
> 01031a08 bf1b06 mov di,61Bh
>
> regards
>
>
>
> On 3/24/08, Spiro Trikaliotis wrote:
> > Hello,
> >
> > * On Fri, Mar 21, 2008 at 03:02:33PM -0400 chandra97 97 wrote:
> > > Is there a way in windbg to trace execution right from the point first
> > > instruction in MBR executes?
> >
> > If you “only” want to disassemble, the article “Disassemble the MBR” at
> >
> http://blogs.msdn.com/ntdebugging/archive/2008/03/06/disassemble-the-mbr.aspx
> > might be of help.
> >
> > But: If you really want to execute step by step, that article won’t help
> > you.
> >
> > Regards,
> > Spiro.
> >
> > –
> > Spiro R. Trikaliotis http://opencbm.sf.net/
> > http://www.trikaliotis.net/ http://www.viceteam.org/
> >
> > —
>
> > You are currently subscribed to windbg as: xxxxx@gmail.com
> > To unsubscribe send a blank email to xxxxx@lists.osr.com

Thanks for that John - I tried the latest VmWare after Chandra reported his situation and came across the same problem, but I hadn’t yet had time to investigate.
I think the VmWare BIOS must have been modified sometime in the last few releases, because I know this was working about a year ago without the LGDT trap.

Alan
“John Hensley” wrote in message news:xxxxx@windbg…
Chandra,

I created an MS-DOS 6.22 VM-Ware VM with SoftICE 2.8 and did a bit of testing to see if I could get the debugger to remain across a warm boot. Putting a break point on int 19h and then tracing through the ROMBIOS warm boot code reveals the VM-Ware ROMBIOS emulation is doing a reload of the global descriptor table causing SoftICE to fault.

I was however able to get SoftICE to remain loaded across a warm boot by manually bypassing the ROMBIOS int 19h handler using a tiny bit of code to simulate a warm boot after DOS has restored the interrupted vectors. This is how I did it:

First you will need to use debug to create a binary executable named loadboot.bin containing these executable instructions. Or you can download the file from www.resqware.com/public/loadboot.bin and copy it into your VM.

MOV AX,5000
MOV ES,AX
MOV SI,0111
MOV DI,0000
MOV CX,0020
REPZ
MOVSB
INT 3
XOR AX,AX
CLI
MOV SS,AX
MOV SP,7C00

STI
MOV DS,AX
MOV ES,AX

MOV AX,0201
MOV BX,7C00
MOV CX,0001
MOV DX,0080
INT 13
JB 0111
PUSH ES
PUSH BX
RETF

From the DOS prompt use the SoftICE loader tool to load the executable file into memory:

LDR LOADBOOT.BIN

Now issue these commands:

i3here on
bpint 19
bpm 0:7c00 x
g
boot
g
rcs 5000
rip 0
g
bc *

At this point the debugger should be stopped on the first instruction in the MBR that was loaded from the hard drive.

Regards,
…John

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of chandra97 97
Sent: Friday, March 28, 2008 4:25 PM
To: Kernel Debugging Interest List
Subject: Re: [windbg] Debugging 16-bit MBR code in windbg

When I try to warm boot softICE using the “BOOT” command the VM hangs. I am using DOS 6.22 and SoftICE 2.8. I have no entry in config.sys for any driver except softICE. I tried creating INT19.COM batch as JohnH suggested. No mileage using INT19.COM either!

Is there a specific DOS version that is compatible with SoftICE 2.8 where this works?

Thanks
Chandra

On Thu, Mar 27, 2008 at 5:56 PM, Alan Hodges wrote:

Hi Chandra,

After you have booted from the virtual floppy, and copied over your custom MBR, you will need to disconnect the virtual floppy, or change the VM boot device order to avoid booting from floppy again before the next step.

Then you need to break into SoftIce with Ctrl+D and then issue the “boot” command. This should cause the VM to do a warm reboot from the hard disk with your MBR.

Alan

“chandra97 97” wrote in message news:xxxxx@windbg…

I created a virtual floppy drive (A:) on a VM. Then copied over binaries for debugging win16 that ship with SoftICE 2.8 into the floppy drive. I set up the softICE in A:\CONFIG.SYS file with

device=c:\SoftICE\S-ICE.exe /SYM 50

I rebooted the machine and it booted ok with a message saying SoftICE is active.

Then I copied my custom MBR over the default MBR in the A: drive, leaving the partition table the same as before. I had edited my custom MBR by putting a breakpoint at the very first instruction. I rebooted the VM to boot into the A: drive, thinking the MBR would break into SoftICE. The machine just sat there hung. I tried several changes in this setting but no help.

Is there a step that I’m missing?

Thanks in advance.

Chandra

On Tue, Mar 25, 2008 at 4:14 PM, Gary G. Little wrote:

NO, you cannot debug NT, at all, since NT does not exist at that point in time. It’s still out on the HDD waiting for the NtLdr to be loaded to bootstrap things into place. What you have been told is that you can boot to DOS from a floppy, maybe a CD, run SoftIce and step through and into any MBR you can get into memory. But … you can do a lot of that by simply using a command line window in WinXp 32 and using the debug command. Trapping the reset vector (0xF000:FFF0) to do some real live stepping into real live code will require you to use SoftIce or boot to something that can intercept the reset vector such as Periscope with a board.


The personal opinion of
Gary G. Little

“chandra97 97” wrote in message news:xxxxx@windbg…

Hi Allan,

I’m still not clear if you meant you could debug “NT” MBR from soft-ice. When you say

“The version of SoftIce for DOS that I use is 2.80. I think this is the last version released for DOS”

Does this also apply to debugging NT 5.x MBR?

Thanks
Chandra

On Tue, Mar 25, 2008 at 5:47 AM, Alan Hodges wrote:

Chandra,

The version of SoftIce for DOS that I use is 2.80. I think this is the last version released for DOS. It is from 1990, so it’s from the Nu-Mega era.

To use it, you need to be able to boot from a floppy disk, though I’ve had some limited success using CDs. A USB floppy will work if your BIOS can boot from it.

It helps if you are generating and installing your own MBR, because you can insert an int3 as an initial breakpoint, but if you are debugging the standard MBR a hacky workaround is to edit the first byte on disk, making it an int3, which you then restore to its original value in the debugger.

BTW this also works in a VM, where you don’t need the physical floppy, just an image.

Hope this helps,

Alan

“chandra97 97” wrote in message news:xxxxx@windbg…

Disassembly was never a problem! There are several ways (as suggested). I personally used IDA.

I really wanted to step through the code on a real machine.

I tried to see Soft-Ice help. No help there.

Can Soft-Ice really debug MBR code on NT, as Alan H suggested?

Thanks
Chandra

On Mon, Mar 24, 2008 at 2:51 PM, raj_r wrote:

well you don't need all that diskwhatever as suggested in the link if
you are interested in just disassembling mbr code

all you need is windbg only; there are many files in the os that carry mbr
code embedded in them

for example

windbg -c “ur dmadmin!x86bootcode l100” c:\windows\system32\dmadmin.exe

will get a disassembly of an xp mbr

0:000> ur dmadmin!x86bootcode l100
dmadmin!x86BootCode:
010319f8 33c0 xor ax,ax
010319fa 8ed0 mov ss,ax
010319fc bc007c mov sp,7C00h
010319ff fb sti
01031a00 50 push ax
01031a01 07 pop es
01031a02 50 push ax
01031a03 1f pop ds
01031a04 fc cld
01031a05 be1b7c mov si,7C1Bh
01031a08 bf1b06 mov di,61Bh

regards

On 3/24/08, Spiro Trikaliotis wrote:
> Hello,
>
> * On Fri, Mar 21, 2008 at 03:02:33PM -0400 chandra97 97 wrote:
> > Is there a way in windbg to trace execution right from the point first
> > instruction in MBR executes?
>
> If you “only” want to disassemble, the article “Disassemble the MBR” at
> http://blogs.msdn.com/ntdebugging/archive/2008/03/06/disassemble-the-mbr.aspx
> might be of help.
>
> But: If you really want to execute step by step, that article won’t help
> you.
>
> Regards,
> Spiro.
>
> –
> Spiro R. Trikaliotis http://opencbm.sf.net/
> http://www.trikaliotis.net/ http://www.viceteam.org/
>

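Before handing a custom MBR to the SoftICE setup described above, it helps to sanity-check the 512-byte image: the 55 AA signature the BIOS requires, the partition table that Chandra's copy had to leave untouched, and Alan's int3-on-the-first-byte workaround together with the restore step it needs. This Python script is an added example, not code from the thread; the sample MBR it builds is constructed, using only the opcode bytes from raj_r's windbg disassembly of the XP boot code.

```python
"""Check a 512-byte MBR image before debugging it under SoftICE (added example).

Assumes the classic MBR layout: 446 bytes of boot code, four 16-byte partition
entries at offset 446, and the 55 AA signature at offset 510. The sample image
built below is constructed for this example."""
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
SIGNATURE_OFFSET = 510
INT3_OPCODE = 0xCC  # one-byte breakpoint instruction


def check_signature(mbr: bytes) -> bool:
    """The BIOS only transfers control to 0:7C00 if the sector ends in 55 AA."""
    return len(mbr) == MBR_SIZE and mbr[SIGNATURE_OFFSET:] == b"\x55\xaa"


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four entries: status, type, LBA start and sector count
    (the two 3-byte CHS fields are skipped with 3x)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def partition_table_preserved(original: bytes, custom: bytes) -> bool:
    """Chandra copied a custom MBR over the stock one 'leaving the partition
    table the same as before'; this confirms bytes 446..511 are identical."""
    return original[PARTITION_TABLE_OFFSET:] == custom[PARTITION_TABLE_OFFSET:]


def patch_first_byte_to_int3(mbr: bytes) -> tuple:
    """Alan's workaround for a stock MBR: overwrite byte 0 with int3 so the
    debugger stops on the very first instruction. Returns the patched image
    and the original opcode byte, which has to be written back in the
    debugger before the boot code is allowed to run."""
    return bytes([INT3_OPCODE]) + mbr[1:], mbr[0]


def restore_first_byte(patched: bytes, original_byte: int) -> bytes:
    """Undo patch_first_byte_to_int3 once the breakpoint has fired."""
    return bytes([original_byte]) + patched[1:]


def build_sample_mbr() -> bytes:
    """Constructed sample: opens with the opcode bytes from raj_r's windbg
    listing of the XP boot code (33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC),
    zero-padded to 446 bytes, then one bootable type 0x07 partition at
    LBA 63 spanning 1000 sectors, three empty entries, and 55 AA.
    The CHS fields are filler values, not real geometry."""
    code = bytes.fromhex("33c08ed0bc007cfb5007501ffc").ljust(
        PARTITION_TABLE_OFFSET, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 1000)
    return code + entry + b"\x00" * 48 + b"\x55\xaa"


if __name__ == "__main__":
    mbr = build_sample_mbr()
    print("signature ok:", check_signature(mbr))
    for n, e in enumerate(parse_partition_table(mbr)):
        print(f"entry {n}: {e}")
    patched, saved = patch_first_byte_to_int3(mbr)
    print(f"patched byte 0 -> {patched[0]:02X}, saved original {saved:02X}")
    print("table preserved:", partition_table_preserved(mbr, patched))
    print("restore ok:", restore_first_byte(patched, saved) == mbr)
```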
I’m glad you were able to get it working. You can also cut out all of the
typing by creating a macro in the s-ice.dat file like this:

F1= “i3here on;bpint 19;bpm 0:7c00 x;g;boot;g;rcs 5000;rip 0;g;bc *;”

Then you will be able to use LDR to load the code into SoftICE and then hit
the F1 key to start debugging at the first instruction in the MBR code.

.John

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of chandra97 97
Sent: Saturday, March 29, 2008 6:53 AM
To: Kernel Debugging Interest List
Subject: Re: [windbg] Debugging 16-bit MBR code in windbg

That seems to work!! I appreciate the help.

Thanks
Chandra

On Fri, Mar 28, 2008 at 9:06 PM, John Hensley wrote:
