mifki Posted February 13, 2007

Ok, so to kickstart the forum again: I've been needing help with this for a while, and the best answer I have got is to use SoftICE. But first the question.

Q: I am trying to trace an InstallShield installation. I have to be able to break into iKernel.exe (InstallShield Engine) and trace the functions it calls. I cannot just attach a debugger, as it is not able to break into the process and show me a trace. I know this can be done with IDA Pro and many other debuggers, but I do not know how to do it. One way we had done it before was to attach the debugger to the Setup.exe (which loads the InstallShield Engine) and have it automatically break into the Engine process just after it started, thus allowing us to trace its functions. But to put it simply, we have forgotten how we did it and we lost the documentation on how we did it. So I am asking for any ideas on how to be able to trace the iKernel.exe process.

Thanks
Kiko

n0oNE Posted March 19, 2007

Why do you need that?

sbeehre Posted March 22, 2007

Because he wants to find out how Intel's firmware updates set boot options in the EFI firmware on their boards from within Windows.

mifki Posted March 22, 2007 (Author)

Simon is correct. Btw, off-topic: I was just looking through old archives of win2osx. Man, I miss that site.

n0oNE Posted March 23, 2007

But why do you need to trace InstallShield's executables? Those executables are like a template; they are static executables. Everything that you need is in the CAB archives; there are scripts about how InstallShield should work. Or maybe I didn't understand what you are trying to do. For extracting those CAB files there are some tools (i6comp is the latest), or if there is only an executable, I saw a tool somewhere to extract from that. So if you could tell me what exactly you are looking for, maybe I could try to find out.

mifki Posted March 24, 2007 (Author)

I decompiled the script, but it's really cryptic. We can either trace the setup or the startupdisk.cpl (from an Apple running Windows) to be able to find out how it writes to the EFI NVRAM (to set boot from CSM or EFI).

n0oNE Posted March 24, 2007

> I decompiled the script, but it's really cryptic. We can either trace the setup or the startupdisk.cpl (from an Apple running Windows) to be able to find out how it writes to the EFI NVRAM (to set boot from CSM or EFI).

Hm, how it writes to NVRAM, I think you can find the answer in Intel's northbridge specifications. What it writes and exactly where, that should be the question. Could you send me those files? I mean that setup file and startupdisk.cpl. I know ASM a little bit; I could try to find what you are looking for.

sjoer Posted April 5, 2007

Doesn't it spawn a temp file and run calls from that? (Might sound like a dumb answer, but I use Windows only on my brother's PC; I use Linux and OSX mainly.) I can remember a lot of Microsoft {censored} (installers etc.) calling from temp files (for example, if I wanted an x86 package only to install on x64, I had to move the installer pack quickly enough to find my new file and not throw an error about x86 OS) ..... (my 2 grams)

mifki Posted April 6, 2007 (Author)

It's a temp NVRAM file on the floppy, so it writes and saves your settings, but only on the floppy.

Mildred Posted July 3, 2007

Why don't you look at efibootmgr? http://linux.dell.com/efibootmgr/ It is supposed to be able to change the EFI settings from a GNU/Linux system. And of course it's open source. But I have never used it yet.

mifki Posted July 6, 2007 (Author)

That is for systems booting with elilo (EFI-LILO), so it is only for systems that already have EFI booting enabled, iirc.

rogabean Posted July 7, 2007

Been there. Tried that. Kiko is right... it wasn't of much use to us.