A debugger or debugging tool is a computer program that is used to test and debug other programs . The code to be examined might alternatively be running on an instruction set simulator , a technique that allows great power in its ability to halt when specific conditions are encountered but which...
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
. Crucially, it is designed to run underneath Windows such that the operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
is unaware of its presence. Unlike an application debugger, SoftICE is capable of suspending all operations in Windows when instructed. For driver debugging this is critical due to how hardware is accessed and the kernel of the operating system functions. Because of its low-level capabilities, SoftICE is also popular as a software cracking
Software cracking
Software cracking is the modification of software to remove or disable features which are considered undesirable by the person cracking the software, usually related to protection methods: copy protection, trial/demo version, serial number, hardware key, date checks, CD check or software annoyances...
tool.
Microsoft offers two kernel-mode debuggers, WinDbg
WinDbg
WinDbg is a multipurposed debugger for Microsoft Windows, distributed on the web by Microsoft. It can be used to debug user mode applications, drivers, and the operating system itself in kernel mode...
and KD, for no charge. However, the full capabilities of WinDbg and KD are available only when two interlinked computers are used. SoftICE therefore is an exceptionally useful tool for difficult driver related development. The last released version was for Windows XP. Newer versions of Windows are seemingly unsupported as the tool is no longer listed on Compuware's website.
DOS, short for "Disk Operating System", is an acronym for several closely related operating systems that dominated the IBM PC compatible market between 1981 and 1995, or until about 2000 if one includes the partially DOS-based Microsoft Windows versions 95, 98, and Millennium Edition.Related...
and compatible operating systems. SoftICE was originally produced by a company called NuMega, and was subsequently acquired by Compuware
Compuware
Compuware Corporation is a software company with products aimed at the information technology departments of large businesses. The company's services also include testing, development, professional services automation, project and portfolio management, cloud-based collaboration and performance...
in 1997, which in turn sold the property to Micro Focus in 2009. Currently, Micro Focus owns the source code and patents, but is not actively maintaining SoftICE.
Naming
"Soft" refers to software, and the "ICE" part of the name is an allusion
Allusion
An allusion is a figure of speech that makes a reference to, or representation of, people, places, events, literary work, myths, or works of art, either directly or by implication. M. H...
An in-circuit emulator is a hardware device used to debug the software of an embedded system. It was historically in the form of bond-out processor which has many internal signals brought out for the purpose of debugging...
.
History
The original SoftICE for DOS was written in 1987 by NuMega founders Frank Grossman and Jim Moskun. The program, written in 80386 assembly language
Assembly language
An assembly language is a low-level programming language for computers, microprocessors, microcontrollers, and other programmable devices. It implements a symbolic representation of the machine codes and other constants needed to program a given CPU architecture...
, played the role of an operating system and ran software in virtual 8086 mode
Virtual 8086 mode
In the 80386 microprocessor and later, virtual 8086 mode allows the execution of real mode applications that are incapable of running directly in protected mode while the processor is running a protected mode operating system.VM86 mode uses a segmentation scheme identical to that of real mode In...
. It sold for $386.
SoftICE/W (for Windows) was developed in the 1990s, and was instrumental in the Writing of "Undocumented Windows", by Andrew Schulman, David Maxey and Matt Pietrek
Matt Pietrek
Matt Pietrek is a computer specialist and author specializing in MS Windows.Pietrek has written several books on the subject and, for eight years, wrote the column "Under the Hood" in MSJ MSDN Magazine...
. SoftICE/W was derived from an earlier, lesser known product, SoftICE for Netware (32-bit protected mode). One of the key advantages it had over Microsoft's debuggers is that it enabled single machine debugging, rather than requiring a second machine to be connected over a serial port.
The principal developers of SoftICE were Dom Basile ('Mr. SoftICE'), Tom Guinther (Kitchen Sink
Kitchen sink
Kitchen sink is a term often used in the phrase everything but the kitchen sinkKitchen sink may also refer to:* A sink in a kitchen for washing dishes, vegetables, etc* Kitchen Sink, a 1989 short film by Alison Maclean...
, Symbol Engine), Gerald Ryckman (Video Drivers and Kitchen Sink
Kitchen sink
Kitchen sink is a term often used in the phrase everything but the kitchen sinkKitchen sink may also refer to:* A sink in a kitchen for washing dishes, vegetables, etc* Kitchen Sink, a 1989 short film by Alison Maclean...
), Ray Hsu (Video Drivers W95), and Dan Babcock (SoftICE/NT 3.1/3.5: Universal Video Driver, Symbol Engine), with contributions by a variety of NuMega developers including Frank Grossman, Jim Moskun and Matt Pietrek.
In 1995 the codebase for SoftICE/95 was ported to run on the Windows NT platform.
Newer versions of SoftICE patch deep into Microsoft Windows. As such, old versions of SoftICE are rarely compatible with new versions of Windows. Compuware therefore offered SoftICE as a subscription so that it could be kept up to date and in sync with the latest Microsoft Windows version.
It used to be offered as part of Compuware's DriverStudio package but was discontinued in April 2006.
Termination
As of April 3, 2006 the DriverStudio product family has been discontinued because of "a variety of technical and business issues as well as general market conditions". Maintenance support was offered until March 31, 2007.
Anti-SoftICE measures
Software vendors have put in place a wide range of countermeasures to protect themselves from people employing SoftICE as a tool to analyse software.
For example, here is code some vendors used to detect the presence of SoftICE running in the same machine as an early countermeasures:
int 1 vector
add eax, 16 ; eax -> int 3 vector
mov eax, [eax] ; eax
int 3 vector
and eax, 0ffffh ; strip the selector
and ebx, 0ffffh ; part of it
sub eax, ebx ; find displacement
cmp eax, 10h ;
jne HackedVector ; if it isn't equal, then chances are
; SoftICE had tampered with these vectors
More and better such measures have evolved since. While most of them can only deter the less experienced and determined hackers, SoftICE is no longer a tool of choice for someone new to analysing software.
Today vendor's defenses are based on more sophisticated packers/protectors, e.g. Themida, Armadillo or ASProtect which pack the program code and tamper with entry point addresses so it is hard to find the program's original entry point (OEP). That is also true for the program's import address table (IAT). However tools for hiding SoftICE are also available, such as IceStealth and IceExt for Windows NT, or Icedump and IcePatch for Windows 9x.http://www.woodmann.com/collaborative/tools/index.php/Category:SoftICE_Extensions
Alternatives
A commercial kernel-level debugger called Syser claims to continue where SoftICE left off.
An open source kernel debugger similar to SoftICE named Rasta Ring 0 Debugger is available on the project page. It provides low level debugging for Microsoft Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
Linux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...
OpenBSD is a Unix-like computer operating system descended from Berkeley Software Distribution , a Unix derivative developed at the University of California, Berkeley. It was forked from NetBSD by project leader Theo de Raadt in late 1995...
NetBSD is a freely available open source version of the Berkeley Software Distribution Unix operating system. It was the second open source BSD descendant to be formally released, after 386BSD, and continues to be actively developed. The NetBSD project is primarily focused on high quality design,...
FreeBSD is a free Unix-like operating system descended from AT&T UNIX via BSD UNIX. Although for legal reasons FreeBSD cannot be called “UNIX”, as the direct descendant of BSD UNIX , FreeBSD’s internals and system APIs are UNIX-compliant...
. This project does not seem to be actively maintained: the last change in CVS occurred in July, 2006. LinICE http://www.linice.com/ is another kernel level debugger with SoftICE look and feel, also not updated for several years.
HyperDBG http://code.google.com/p/hyperdbg/ is a kernel-level debugger leveraging hardware-assisted virtualization, last uploaded in May 2010.
A debugger called BugChecker is a 32-bit single-host kernel debugger for Windows 2000 and XP developed and made available as open-source for educational purposes. BugChecker allows users to trace into both user and kernel code, both on uniprocessor and multiprocessor versions of Windows 2000 and XP.
