Jump to content

SoftICE: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
Line 44: Line 44:
</pre>
</pre>


These measures have evolved since, not only in quantity but in quality. While most of them can only deter the less experienced and determined hackers, it has become true that '''SoftICE''' is no longer a newbie tool of choice. That is certainly a relief for software vendors.
These measures have evolved since, not only in quantity but in quality. While most of them can only deter the less experienced and determined hackers, it has become true that '''SoftICE''' is no longer a newbie tool of choice. That is certainly a relief for software vendors, who saw in '''SoftICE''' their [[Nemesis]].


Today vendor's defenses are based on more sophisticated tools, like [[ASProtect]] or [[PECompact]] which packs the program code and tampers with entry point addresses so it is hard to find the real program entry point. That is also true for the program [[DLL]]'s [[Import Adress Table | IAT]] as well, wich is messed up so hacking isn't anymore the field day it used to be.
Today vendor's defenses are based on more sophisticated tools, like [[ASProtect]] or [[PECompact]] which packs the program code and tampers with entry point addresses so it is hard to find the real program entry point. That is also true for the program [[DLL]]'s [[Import Adress Table | IAT]] as well, wich is messed up so hacking isn't anymore the field day it used to be.

Revision as of 20:59, 4 January 2009

SoftICE is a kernel mode debugger for Microsoft Windows. Crucially, it is designed to run underneath Windows such that the operating system is unaware of its presence. Unlike an application debugger, SoftICE is capable of suspending all operations in Windows when instructed. For driver debugging this is critical due to how hardware is accessed and the kernel of the operating system functions. Since its low-level capabilities, SoftICE is also popular as a software cracking tool.

Microsoft offers two kernel-mode debuggers, WinDbg and KD, for no charge. However, the full capabilities of WinDbg and KD are available only when two interlinked computers are used. SoftICE therefore is an exceptionally useful tool for difficult driver related development and continues to function well even with Microsoft's latest operating system versions.

Older versions exist for DOS and compatible operating systems. SoftICE was originally produced by a company called NuMega, and was subsequently acquired by Compuware.

Naming

"Soft" refers to software, and the "ICE" part of the name is an allusion to in-circuit emulator.

History

The original SoftICE for DOS was written in 1987 by NuMega founders Frank Grossman and Jim Moskun. The program, written in 80386 assembly language, played the role of an operating system and ran software in virtual 8086 mode. It sold for $386.

SoftICE/W (for Windows) was developed in the 1990 time frame, and was instrumental in the Writing of "Undocumented Windows", by Andrew Schulman, David Maxey and Matt Pietrek. SoftIce/W was derived from an earlier, lesser known product, SoftICE for Netware (32-bit protected mode). One of the key advantages it had over Microsoft's debuggers is that it enabled single machine debugging, rather than requiring a second machine to be connected over a serial port.

The principal developers of SoftICE were Dom Basile ('Mr. SoftICE'), Tom Guinther (Kitchen Sink, Symbol Engine), Gerald Ryckman (Video Drivers and Kitchen Sink), Ray Hsu (Video Drivers W95), and Dan Babcock (SoftICE/NT 3.1/3.5: Universal Video Driver, Symbol Engine), with contributions by a variety of NuMega developers including Frank Grossman, Jim Moskun and Matt Pietrek.

In 1995 the codebase for SoftICE/95 was ported to run on the Windows NT platform.

Newer versions of SoftICE patch deep into Microsoft Windows. As such, old versions of SoftICE are rarely compatible with new versions of Windows. Compuware therefore offers SoftICE as a subscription so that it can be kept up to date and in sync with the latest Microsoft Windows version.

It used to be offered as part of Compuware's DriverStudio package but was discontinued in April 2006.

Termination

As of April 3, 2006 the DriverStudio product family has been discontinued because of "a variety of technical and business issues as well as general market conditions". Maintenance support was offered until March 31, 2007.

Anti - SoftICE measures

Probably most of those "technical and business issues" leading to the abandonment of SoftICE have to do with lots of countermeasures software vendors have put in place in order to fend themselves from hackers employing SoftICE as tool.

These counter measures vary in a wide range. For example here we have a code some vendors used to detect the presence of SoftICE running in the same machine in the early stages of the counter measures tactics:

    mov eax, dword ptr [pIDT+2] ; eax -> IDT
    add eax,8                   ; eax -> int 1 vector
    mov ebx, [eax]              ; ebx == int 1 vector
    add eax, 16                 ; eax -> int 3 vector
    mov eax, [eax]              ; eax == int 3 vector
    and eax, 0ffffh             ; strip the selector
    and ebx, 0ffffh             ; part of it
    sub eax, ebx                ; find displacement
    cmp eax, 10h                ; 
    jne HackedVector            ; if it isn't equal then chances are
                                ; SoftICE had tampered these vectors

These measures have evolved since, not only in quantity but in quality. While most of them can only deter the less experienced and determined hackers, it has become true that SoftICE is no longer a newbie tool of choice. That is certainly a relief for software vendors, who saw in SoftICE their Nemesis.

Today vendor's defenses are based on more sophisticated tools, like ASProtect or PECompact which packs the program code and tampers with entry point addresses so it is hard to find the real program entry point. That is also true for the program DLL's IAT as well, wich is messed up so hacking isn't anymore the field day it used to be.

Of course SoftICE isn't dead yet, but it is more difficult to be used, and that may have led to it's discontinuation.

Alternatives

Both commercial and opensource alternatives exist for the SoftICE.

Commercial Alternatives

Syser Debugger aims to be a comprehensive replacement for SoftICE, running on 32-bit versions of Windows Vista/XP/2003/2000, including SMP, HyperThreading and multi-core CPUs.

Open Source Alternatives

An open source kernel debugger similar to SoftICE named Rasta Ring 0 Debugger is available on the project page. It provides low level debugging for Microsoft Windows, Linux, OpenBSD, NetBSD, and FreeBSD.

Eulogy for SoftIce