Original author(s) | NuMega
Developer(s) | Compuware
Initial release | 1987 (DOS)
Final release | v4.05 / 2000[1]
Operating system | Microsoft Windows
Type | Debugger
License | Proprietary
SoftICE is a kernel mode debugger for DOS and Windows up to Windows XP. It is designed to run underneath Windows, so that the operating system is unaware of its presence. Unlike an application debugger, SoftICE can suspend all activity in Windows when instructed. Because of these low-level capabilities, SoftICE was also popular as a software cracking tool.
Microsoft offers two kernel-mode debuggers, WinDbg and KD, free of charge, but their full capabilities (kernel breakpoints, single-stepping) are available only when two machines are linked by a debug cable; local kernel debugging on a single machine is limited to inspecting memory. SoftICE, which ran on the very machine it was debugging, was therefore an exceptionally useful tool for difficult driver-related development. The last released version was for Windows XP.
Older versions exist for DOS and compatible operating systems. SoftICE was originally produced by the company NuMega, and was subsequently acquired by Compuware in 1997, which in turn sold the property to Micro Focus in 2009. Currently, Micro Focus owns the source code and patents, but is not actively maintaining SoftICE.
"Soft" refers to software, and "ICE" is an allusion to in-circuit emulator.
The original SoftICE for DOS was written in 1987 by NuMega founders Frank Grossman and Jim Moskun. The program, written in 80386 assembly language, played the role of an operating system and ran software in virtual 8086 mode. It sold for $386.
SoftICE/W (for Windows) was developed in the 1990s, and was instrumental in the writing of "Undocumented Windows", by Andrew Schulman, David Maxey and Matt Pietrek. SoftICE/W was derived from an earlier, lesser-known product, SoftICE for NetWare (32-bit protected mode). One of its key advantages over Microsoft's debuggers was single-machine debugging, rather than requiring a second machine connected over a serial port.
The principal developers of SoftICE were Dom Basile ('Mr. SoftICE'), Tom Guinther (Kitchen Sink, Symbol Engine), Gerald Ryckman (Video drivers and Kitchen Sink), Ray Hsu (Video drivers for Windows 95), and Dan Babcock (SoftICE/NT 3.1/3.5: Universal video driver, symbol engine), with contributions by a variety of NuMega developers including Frank Grossman, Jim Moskun and Matt Pietrek.
In 1998, the codebase for SoftICE/95 was ported to run on the Windows NT platform.
Newer versions of SoftICE patch deep into the Windows kernel. As a result, old versions of SoftICE are rarely compatible with new versions of Windows, and Compuware therefore offered SoftICE as a subscription so that it could be kept up to date with the latest Windows release.
SoftICE was previously offered as part of Compuware's DriverStudio package. On April 3, 2006, Compuware discontinued the DriverStudio product family, citing "a variety of technical and business issues as well as general market conditions"; maintenance support was offered until March 31, 2007.
Software vendors have put in place a wide range of countermeasures to protect themselves from people employing SoftICE as a tool to analyse software.
An early countermeasure used by some vendors was to check whether the interrupt 1 (single-step) and interrupt 3 (breakpoint) entries of the IDT still sat at their expected distance from each other, since SoftICE hooks both vectors. The fragment below assumes pIDT is a 6-byte buffer that has just been filled by SIDT (the declaration and the SIDT line are assumed setup, not part of the original fragment); the IDT base is read from offset 2 of that buffer, each gate descriptor is 8 bytes, and the low word of a gate's first dword holds the low 16 bits of the handler offset:

    pIDT    db 6 dup(0)             ; (assumed) IDTR image: 2-byte limit, 4-byte base
            ...
            sidt    fword ptr [pIDT]        ; (assumed) store IDTR into pIDT
            mov     eax, dword ptr [pIDT+2] ; eax -> IDT
            add     eax, 8                  ; eax -> int 1 vector
            mov     ebx, [eax]              ; ebx == int 1 vector
            add     eax, 16                 ; eax -> int 3 vector
            mov     eax, [eax]              ; eax == int 3 vector
            and     eax, 0FFFFh             ; strip the selector
            and     ebx, 0FFFFh             ; part of it
            sub     eax, ebx                ; find displacement
            cmp     eax, 10h
            jne     HackedVector            ; not equal, then chances are
                                            ; SoftICE had tampered with these vectors
The check is fragile: it compares only a relative displacement of the low 16 bits, any other software that hooks INT 1 or INT 3 trips it, and reading the IDT directly succeeds from user mode only on the Windows 9x family, where kernel pages were mapped readable; on Windows NT the same read faults unless performed from a driver. More and better such measures have evolved since. While most of them only deter the less experienced and determined, SoftICE is no longer the tool of choice for someone new to analysing software.
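The IDT-spacing check above, re-expressed in C so that it can be run against a constructed IDT image rather than one read with SIDT, as an added example that is not code from SoftICE, NuMega or any protection vendor. The 32-bit gate layout and the 0x10 displacement are what the assembly relies on; the 8-byte handler stubs, the sample addresses and the `build_sample_idt`/`hook_vector` helpers are assumptions made for the demonstration. The Windows-only probe at the end uses the `\\.\NTICE`, `\\.\SICE` and `\\.\SIWVID` device names registered by SoftICE's drivers, a later and simpler detection than the IDT check, and is compiled only on Windows.

```c
/* Added example: the article's IDT-spacing check rewritten in C over a
 * 32-bit interrupt gate layout, run on a constructed IDT image rather than
 * one read with SIDT, so it compiles and runs on any little-endian host.
 * Not code from SoftICE, NuMega or any protection vendor. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* 32-bit protected-mode interrupt gate descriptor, 8 bytes per vector. */
typedef struct {
    uint16_t offset_lo;   /* handler address bits 15:0   */
    uint16_t selector;    /* code segment selector       */
    uint8_t  reserved;
    uint8_t  type_attr;   /* present bit, DPL, gate type */
    uint16_t offset_hi;   /* handler address bits 31:16  */
} idt_gate32;

#define IDT_ENTRIES 32
#define STUB_SIZE   8u          /* assumed: 8-byte handler stubs, so INT 1 and
                                   INT 3 sit 0x10 apart, as the check expects */
#define EXPECTED_DISPLACEMENT 0x10u

/* First dword of gate n masked with 0FFFFh: the low 16 bits of the handler
 * offset, which is exactly what the assembly compares. */
static uint32_t gate_offset_lo(const uint8_t *idt, unsigned n) {
    uint32_t first_dword;
    memcpy(&first_dword, idt + 8u * n, sizeof first_dword);
    return first_dword & 0xFFFFu;
}

/* Full 32-bit handler address; the original check never looks at the upper half. */
static uint32_t gate_offset(const uint8_t *idt, unsigned n) {
    idt_gate32 g;
    memcpy(&g, idt + 8u * n, sizeof g);
    return ((uint32_t)g.offset_hi << 16) | g.offset_lo;
}

/* (INT 3 low offset) - (INT 1 low offset), wrapping like the 32-bit SUB. */
static uint32_t int1_int3_displacement(const uint8_t *idt) {
    return gate_offset_lo(idt, 3) - gate_offset_lo(idt, 1);
}

/* Returns 1 when the vectors look untouched, 0 for the HackedVector branch. */
int softice_vector_check(const uint8_t *idt) {
    return int1_int3_displacement(idt) == EXPECTED_DISPLACEMENT;
}

/* Constructed sample IDT (not a dump of a real system): vector n points at
 * base + n*STUB_SIZE, a plain stub table in the kernel code segment. */
void build_sample_idt(uint8_t *idt, uint32_t base) {
    for (unsigned n = 0; n < IDT_ENTRIES; n++) {
        uint32_t addr = base + n * STUB_SIZE;
        idt_gate32 g = { (uint16_t)(addr & 0xFFFFu), 0x0008, 0, 0x8E,
                         (uint16_t)(addr >> 16) };
        memcpy(idt + 8u * n, &g, sizeof g);
    }
}

/* Redirect one vector, as a debugger that takes over INT 1 and INT 3 does. */
void hook_vector(uint8_t *idt, unsigned n, uint32_t handler) {
    idt_gate32 g;
    memcpy(&g, idt + 8u * n, sizeof g);
    g.offset_lo = (uint16_t)(handler & 0xFFFFu);
    g.offset_hi = (uint16_t)(handler >> 16);
    memcpy(idt + 8u * n, &g, sizeof g);
}

#ifdef _WIN32
#include <windows.h>
/* Later, simpler probe: SoftICE's drivers registered these device names, so a
 * successful CreateFile on any of them means the debugger is loaded. */
int softice_device_present(void) {
    static const char *names[] = { "\\\\.\\NTICE", "\\\\.\\SICE", "\\\\.\\SIWVID" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        HANDLE h = CreateFileA(names[i], GENERIC_READ, FILE_SHARE_READ, NULL,
                               OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (h != INVALID_HANDLE_VALUE) { CloseHandle(h); return 1; }
    }
    return 0;
}
#endif

int main(void) {
    uint8_t idt[8 * IDT_ENTRIES];

    build_sample_idt(idt, 0x80010000u);
    printf("clean IDT passes: %d\n", softice_vector_check(idt));

    hook_vector(idt, 3, 0xC0004000u);            /* only INT 3 redirected */
    printf("single hooked vector caught: %d\n", !softice_vector_check(idt));

    /* Weakness: the test is purely relative.  A debugger that hooks both
     * vectors with its own stubs 0x10 apart moves the handlers out of the
     * kernel entirely and still passes. */
    build_sample_idt(idt, 0x80010000u);
    hook_vector(idt, 1, 0xC0010008u);
    hook_vector(idt, 3, 0xC0010018u);
    printf("both hooked, spacing kept: passes = %d (INT 1 now at %08X)\n",
           softice_vector_check(idt), gate_offset(idt, 1));
    return 0;
}
```

The third case in `main` is the practical lesson: a relative check like this is defeated by any debugger whose own INT 1 and INT 3 stubs happen to preserve the spacing, which is one reason later protections moved to absolute checks and to probing for the debugger's device names instead.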
Modern software anti-analysis methods rely instead on more sophisticated packers/protectors such as Themida, Armadillo or ASProtect, which compress or encrypt the program code and obscure the entry point so that the original entry point (OEP) is hard to find; the same is done to the program's import address table (IAT). Tools for hiding SoftICE from such detection checks were also available: IceStealth and IceExt for Windows NT, and Icedump and IcePatch for Windows 9x. [2]
In 1989, BYTE listed Soft-ICE among the "Distinction" winners of the BYTE Awards, stating that, "If you're developing 8086-based applications on an 80386 machine, this is an essential and affordable tool". [3]
A commercial kernel-level debugger called Syser claims to continue where SoftICE left off.
OllyDbg, a free-to-use shareware 32-bit assembler-level debugger by Oleh Yuschuk, covers much of the same ground but can only be used for user-mode debugging.
An open source kernel debugger similar to SoftICE, Rasta Ring 0 Debugger (RR0D), is available. [4] [5] It provides low-level debugging for Microsoft Windows, Linux, OpenBSD, NetBSD, and FreeBSD. The project does not appear to be actively maintained: as of June 2016, the last change in its GitHub source code repository occurred in December 2008. [6]
A debugger called BugChecker is a 32-bit single-host kernel debugger for Windows 2000 and XP, developed and made available as open source for educational purposes. BugChecker allows users to trace into both user and kernel code, both on uniprocessor and multiprocessor versions of Windows 2000 and XP. [7]
A modern successor to SoftICE, also named BugChecker (unrelated to the one mentioned above), was released by Vito Plantamura in 2023. Unlike the other local kernel debuggers, it supports Windows XP through Windows 11, both 32-bit and 64-bit. To achieve this, it makes the kernel believe it is being debugged by a second machine, intercepting the serial-cable debug communication itself, and draws its display directly to the framebuffer. This method significantly improves stability and compatibility compared to previous approaches, including that of SoftICE itself. [8]
Many hypervisors allow debugging the kernel running in the virtual machine through exposing some kind of debugger interface that can control the virtualized processor directly. This allows debugging even if the kernel does not have native debugging facilities.