SoftICE

SoftICE is a kernel mode debugger for DOS and Windows up to Windows XP. Crucially, it is designed to run underneath Windows such that the operating system is unaware of its presence. Unlike an application debugger, SoftICE is capable of suspending all operations in Windows when instructed. For driver debugging this is critical due to how hardware is accessed and the kernel of the operating system functions. Because of its low-level capabilities, SoftICE is also popular as a software cracking tool.

SoftICE
Original author(s)NuMega
Developer(s)Compuware
Initial release1987 (1987) (DOS)
Final release
v4.05 / 2000 (2000)[1]
Operating systemMicrosoft Windows
TypeDebugger
LicenseProprietary

Microsoft offers two kernel-mode debuggers, WinDbg and KD, for no charge. However, the full capabilities of WinDbg and KD are available only when two interlinked computers are used. SoftICE therefore is an exceptionally useful tool for difficult driver related development. The last released version was for Windows XP.

Older versions exist for DOS and compatible operating systems. SoftICE was originally produced by a company called NuMega, and was subsequently acquired by Compuware in 1997, which in turn sold the property to Micro Focus in 2009. Currently, Micro Focus owns the source code and patents, but is not actively maintaining SoftICE.

Naming

"Soft" refers to software, and the "ICE" part of the name is an allusion to in-circuit emulator.

History

The original SoftICE for DOS was written in 1987 by NuMega founders Frank Grossman and Jim Moskun. The program, written in 80386 assembly language, played the role of an operating system and ran software in virtual 8086 mode. It sold for $386.

SoftICE/W (for Windows) was developed in the 1990s, and was instrumental in the Writing of "Undocumented Windows", by Andrew Schulman, David Maxey and Matt Pietrek. SoftICE/W was derived from an earlier, lesser known product, SoftICE for NetWare (32-bit protected mode). One of the key advantages it had over Microsoft's debuggers is that it enabled single machine debugging, rather than requiring a second machine to be connected over a serial port.

The principal developers of SoftICE were Dom Basile ('Mr. SoftICE'), Tom Guinther (Kitchen Sink, Symbol Engine), Gerald Ryckman (Video drivers and Kitchen Sink), Ray Hsu (Video drivers for Windows 95), and Dan Babcock (SoftICE/NT 3.1/3.5: Universal video driver, symbol engine), with contributions by a variety of NuMega developers including Frank Grossman, Jim Moskun and Matt Pietrek.

In 1998 the codebase for SoftICE/95 was ported to run on the Windows NT platform.

Newer versions of SoftICE patch deep into Microsoft Windows. As such, old versions of SoftICE are rarely compatible with new versions of Windows. Compuware therefore offered SoftICE as a subscription so that it could be kept up to date and in sync with the latest Microsoft Windows version.

It used to be offered as part of Compuware's DriverStudio package but was discontinued in April 2006.

Termination

As of April 3, 2006 the DriverStudio product family has been discontinued because of "a variety of technical and business issues as well as general market conditions". Maintenance support was offered until March 31, 2007.

Anti-SoftICE measures

Software vendors have put in place a wide range of countermeasures to protect themselves from people employing SoftICE as a tool to analyse software.

For example, here is code some vendors used to detect the presence of SoftICE running in the same machine as an early countermeasure:

 mov eax, dword ptr [pIDT+2]; eax -> IDT
 add eax, 8                 ; eax -> int 1 vector
 mov ebx, [eax]             ; ebx == int 1 vector
 add eax, 16                ; eax -> int 3 vector
 mov eax, [eax]             ; eax == int 3 vector
 and eax, 0FFFFh            ; strip the selector
 and ebx, 0FFFFh            ; part of it
 sub eax, ebx               ; find displacement
 cmp eax, 10h
jne  HackedVector           ; not equal, then chances are
                            ; SoftICE had tampered with these vectors

More and better such measures have evolved since. While most of them can only deter the less experienced and determined hackers, SoftICE is no longer a tool of choice for someone new to analysing software.

Today vendor's defenses are based on more sophisticated packers/protectors, e.g. Themida, Armadillo or ASProtect which pack the program code and tamper with entry point addresses so it is hard to find the program's original entry point (OEP). That is also true for the program's import address table (IAT). However tools for hiding SoftICE are also available, such as IceStealth and IceExt for Windows NT, or Icedump and IcePatch for Windows 9x.[2]

Reception

BYTE in 1989 listed Soft-ICE as among the "Distinction" winners of the BYTE Awards, stating that "If you're developing 8086-based applications on an 80386 machine, this is an essential and affordable tool".[3]

Alternatives

A commercial kernel-level debugger called Syser claims to continue where SoftICE left off.

A shareware debugger, but free to use, OllyDbg is a 32-bit assembler-level debugger from Oleh Yuschuk. However, it can only be used for user-mode debugging.

An open source kernel debugger similar to SoftICE named Rasta Ring 0 Debugger (RR0D) is available.[4][5] It provides low-level debugging for Microsoft Windows, Linux, OpenBSD, NetBSD, and FreeBSD. This project does not seem to be actively maintained. As of June 2016, the last change in its GitHub source code repository occurred in December 2008.[6]

LinICE is another kernel-level debugger with a SoftICE look and feel. As of 2015, it also has not been updated for several years.[7]

HyperDBG is a kernel-level debugger leveraging hardware-assisted virtualization. As of 2011, it was last updated in May 2010.[8]

A debugger called BugChecker is a 32-bit single-host kernel debugger for Windows 2000 and XP, developed and made available as open source for educational purposes. BugChecker allows users to trace into both user and kernel code, both on uniprocessor and multiprocessor versions of Windows 2000 and XP.[9]

Many hypervisors allow debugging the kernel running in the virtual machine through exposing some kind of debugger interface that can control the virtualized processor directly. This allows debugging even if a kernel does not have native debugging facilities.

gollark: I feel like this is excessively object-oriented and thus apioidal.
gollark: ææææææÆÆÆÆÆÆÆÆÆÆÆÆÆæÆÆÆÆÆæææææÆÆÆÆææææææææÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆææææææææÆÆæææææÆÆææææÆÆÆÆÆÆæ
gollark: HOW UNEXPECTED.
gollark: I mean, apiobeing, you could use a garbage collected language, or a horrible mess of pointers, but frankly it would be hard to manage properly in *any* language.
gollark: Just... don't stick all the mutation stuff onto `Level` itself?

References

  1. NuMega SoftICE 4.05 Release Notes
  2. "Category:SoftICE Extensions - Collaborative RCE Tool Library". Woodmann.com. Retrieved 2014-04-24.
  3. "The BYTE Awards". BYTE. January 1989. p. 327.
  4. "RR0D/Presentation". Wiki.droids-corp.org. Retrieved 2014-04-24.
  5. "Rasta Ring 0 Debugger (RR0D) - Collaborative RCE Tool Library". Woodmann.com. 2007-10-18. Retrieved 2014-04-24.
  6. joe. "ice799/rr0d". Github.com. Retrieved 2016-06-05.
  7. "LinICE Debugger". sites.google.com. Retrieved 2015-07-31.
  8. "hyperdbg - A kernel debugger that leverages hardware-assisted virtualization". Code.google.com. Retrieved 2014-04-24.
  9. "BugChecker". BugChecker. Retrieved 2014-04-24.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.