SoftICE

SoftICE
Original author(s): NuMega
Developer(s): Compuware
Initial release: 1987 (DOS)
Final release: v4.05 / 2000 [1]
Operating system: Microsoft Windows
Type: Debugger
License: Proprietary

SoftICE is a kernel-mode debugger for DOS and Windows up to Windows XP. It is designed to run underneath Windows, so that the operating system is unaware of its presence. Unlike an application debugger, SoftICE is capable of suspending all operations in Windows when instructed. Because of its low-level capabilities, SoftICE is also popular as a software cracking tool.

Microsoft offers two kernel-mode debuggers, WinDbg and KD, free of charge. However, the full capabilities of WinDbg and KD are available only when two interlinked computers are used. SoftICE is therefore an exceptionally useful tool for difficult driver-related development. The last released version was for Windows XP.

Older versions exist for DOS and compatible operating systems. SoftICE was originally produced by the company NuMega, and was subsequently acquired by Compuware in 1997, which in turn sold the property to Micro Focus in 2009. Currently, Micro Focus owns the source code and patents, but is not actively maintaining SoftICE.

Naming

"Soft" refers to software, and "ICE" is an allusion to in-circuit emulator.

History

The original SoftICE for DOS was written in 1987 by NuMega founders Frank Grossman and Jim Moskun. The program, written in 80386 assembly language, played the role of an operating system and ran software in virtual 8086 mode. It sold for $386.

SoftICE/W (for Windows) was developed in the 1990s, and was instrumental in the writing of "Undocumented Windows", by Andrew Schulman, David Maxey and Matt Pietrek. SoftICE/W was derived from an earlier, lesser-known product, SoftICE for NetWare (32-bit protected mode). One of the key advantages it had over Microsoft's debuggers is that it enabled single-machine debugging, rather than requiring a second machine to be connected over a serial port.

The principal developers of SoftICE were Dom Basile ('Mr. SoftICE'), Tom Guinther (Kitchen Sink, Symbol Engine), Gerald Ryckman (Video drivers and Kitchen Sink), Ray Hsu (Video drivers for Windows 95), and Dan Babcock (SoftICE/NT 3.1/3.5: Universal video driver, symbol engine), with contributions by a variety of NuMega developers including Frank Grossman, Jim Moskun and Matt Pietrek.

In 1998, the codebase for SoftICE/95 was ported to run on the Windows NT platform.

Newer versions of SoftICE patch deep into Microsoft Windows. As such, old versions of SoftICE are rarely compatible with new versions of Windows. Compuware therefore offered SoftICE as a subscription so that it could be kept up to date and in sync with the latest Microsoft Windows version.

SoftICE was previously offered as part of Compuware's DriverStudio package, but was discontinued in April 2006.

Termination

As of April 3, 2006, the DriverStudio product family has been discontinued because of "a variety of technical and business issues as well as general market conditions". Maintenance support was offered until March 31, 2007.

Anti-SoftICE measures

Software vendors have put in place a wide range of countermeasures to protect themselves from people employing SoftICE as a tool to analyse software.

For example, here is code some vendors used to detect the presence of SoftICE running in the same machine as an early countermeasure:

    mov eax, dword ptr [pIDT+2] ; eax -> IDT
    add eax, 8                  ; eax -> int 1 vector
    mov ebx, [eax]              ; ebx == int 1 vector
    add eax, 16                 ; eax -> int 3 vector
    mov eax, [eax]              ; eax == int 3 vector
    and eax, 0FFFFh             ; strip the selector
    and ebx, 0FFFFh             ; part of it
    sub eax, ebx                ; find displacement
    cmp eax, 10h
    jne HackedVector            ; not equal, then chances are
                                ; SoftICE had tampered with these vectors
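As an added illustration (not code from the article or from any vendor), the following C program models the gate layout the assembly above walks: it builds a constructed 32-bit IDT image, re-implements the check on the low 16 bits of the int 1 and int 3 handler offsets exactly as the assembly does, and contrasts it with the same test on the full 32-bit offsets. The selector and gate-type values in the constructed gates are assumptions; in the original, `pIDT+2` is the IDT base because `sidt` stores a 2-byte limit followed by the 4-byte base.

```c
#include <stdint.h>
#include <string.h>

/* 32-bit IDT gate descriptor (8 bytes) as the x86 architecture lays it out. The page's
   "and eax,0FFFFh" keeps offset_low from the gate's first dword and drops the selector. */
typedef struct {
    uint16_t offset_low;   /* handler offset bits 0..15 */
    uint16_t selector;     /* code segment selector */
    uint8_t  zero;
    uint8_t  type_attr;    /* gate type, DPL and present bit */
    uint16_t offset_high;  /* handler offset bits 16..31 */
} idt_gate32_t;

enum { IDT_BYTES = 256 * 8 };

/* Constructed IDT image (not any real system's): gates for int 1 and int 3 at the given
   handlers, rest zeroed. Selector 0x0008 and type 0x8E are assumed sample values. */
static void build_idt(uint8_t *idt, uint32_t int1_handler, uint32_t int3_handler) {
    idt_gate32_t g = {0, 0x0008, 0, 0x8E, 0};
    memset(idt, 0, IDT_BYTES);
    g.offset_low = (uint16_t)int1_handler; g.offset_high = (uint16_t)(int1_handler >> 16);
    memcpy(idt + 8 * 1, &g, sizeof g);
    g.offset_low = (uint16_t)int3_handler; g.offset_high = (uint16_t)(int3_handler >> 16);
    memcpy(idt + 8 * 3, &g, sizeof g);
}

/* Reassemble the 32-bit handler offset of a vector from its gate. */
static uint32_t full_offset(const uint8_t *idt, unsigned vector) {
    idt_gate32_t g;
    memcpy(&g, idt + 8u * vector, sizeof g);
    return ((uint32_t)g.offset_high << 16) | g.offset_low;
}

/* The page's check: low 16 bits of each offset, 32-bit subtract, compare with 10h.
   Returns 1 where the assembly would jump to HackedVector. */
int page_check(uint32_t int1_handler, uint32_t int3_handler) {
    uint8_t idt[IDT_BYTES];
    build_idt(idt, int1_handler, int3_handler);
    uint32_t lo1 = full_offset(idt, 1) & 0xFFFFu;   /* and ebx,0FFFFh */
    uint32_t lo3 = full_offset(idt, 3) & 0xFFFFu;   /* and eax,0FFFFh */
    return (lo3 - lo1) != 0x10u;                    /* sub eax,ebx ; cmp eax,10h */
}

/* Same test on the full 32-bit offsets: no false positive when the two handlers
   straddle a 64 KiB boundary, which the 16-bit version misreports as tampering. */
int full_check(uint32_t int1_handler, uint32_t int3_handler) {
    uint8_t idt[IDT_BYTES];
    build_idt(idt, int1_handler, int3_handler);
    return (full_offset(idt, 3) - full_offset(idt, 1)) != 0x10u;
}
```

The third case in the test below shows the practical caveat: two handlers 0x10 bytes apart but on either side of a 64 KiB boundary pass the full-offset test yet trip the page's 16-bit check, so a protector relying on it would flag a machine with no debugger present.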

More and better such measures have evolved since. While most of them can only deter the less experienced and determined hackers, SoftICE is no longer a tool of choice for someone new to analysing software.

Modern software anti-analysis methods are based on more sophisticated packers/protectors, e.g. Themida, Armadillo or ASProtect, which pack the program code and tamper with entry point addresses so that it is hard to find the program's original entry point (OEP). The same is true for the program's import address table (IAT). However, tools for hiding SoftICE are also available, such as IceStealth and IceExt for Windows NT, or Icedump and IcePatch for Windows 9x. [2]

Reception

In 1989, BYTE listed Soft-ICE among the "Distinction" winners of the BYTE Awards, stating that, "If you're developing 8086-based applications on an 80386 machine, this is an essential and affordable tool". [3]

Alternatives

A commercial kernel-level debugger called Syser claims to continue where SoftICE left off.

OllyDbg, a shareware debugger that is free to use, is a 32-bit assembler-level debugger by Oleh Yuschuk. However, it can only be used for user-mode debugging.

An open source kernel debugger similar to SoftICE named Rasta Ring 0 Debugger (RR0D) is available. [4] [5] It provides low-level debugging for Microsoft Windows, Linux, OpenBSD, NetBSD, and FreeBSD. This project does not seem to be actively maintained. As of June 2016, the last change in its GitHub source code repository occurred in December 2008. [6]

A debugger called BugChecker is a 32-bit single-host kernel debugger for Windows 2000 and XP, developed and made available as open source for educational purposes. BugChecker allows users to trace into both user and kernel code, both on uniprocessor and multiprocessor versions of Windows 2000 and XP. [7]

Many hypervisors allow debugging the kernel running in the virtual machine through exposing some kind of debugger interface that can control the virtualized processor directly. This allows debugging even if the kernel does not have native debugging facilities.


References

  1. "NuMega SoftICE 4.05 Release Notes". Archived from the original on 2018-01-01. Retrieved 2012-06-04.
  2. "Category:SoftICE Extensions - Collaborative RCE Tool Library". Woodmann.com. Archived from the original on 2014-07-31. Retrieved 2014-04-24.
  3. "The BYTE Awards". BYTE. January 1989. p. 327.
  4. "RR0D/Presentation". Wiki.droids-corp.org. Archived from the original on 2014-04-24. Retrieved 2014-04-24.
  5. "Rasta Ring 0 Debugger (RR0D) - Collaborative RCE Tool Library". Woodmann.com. 2007-10-18. Archived from the original on 2016-03-04. Retrieved 2014-04-24.
  6. joe. "ice799/rr0d". Github.com. Archived from the original on 2018-12-22. Retrieved 2016-06-05.
  7. "BugChecker". BugChecker. Archived from the original on 2011-10-29. Retrieved 2014-04-24.