Debugging applications or drivers are part of every programmer’s day. Nearly every IDE I know has its own debugger. Most of them suck in several ways and often don’t fulfil all the needs the coder has. Especially when developing a ring0 application, such as a driver for a video or audio device. Without a powerful kernel debugger it’s very hard for the coding artist to fix problems, because as you know bigger programming faults lead to bluescreens, followed by a reboot. Referring to the security or antivirus scene a debugger is often used when reversing a binary for vulnerabilities or discovering the functionality of malware. The best disassembler IDA Pro from Datarescue also supports debugging for some time now and improves the reversers work when analyzing an application, particularly when the binary is compressed with an executable packer. Microsoft ships their Visual Studio with a nice debugger which has also the capability of kernel debugging. But almost all debuggers have still some disadvantages. In my opinion currently there’s only one debugger that is nearly perfect, the world famous SoftICE. Formerly created by NuMega, sold to Compuware in 1997 and now implemented in Driverstudio, SoftICE is a fully featured debugger with dozens of commands I’ll try to bring you closer in this essay. Have you ever wondered what the ICE stands for in SoftICE? Quite easy, it means “In Circuit Emulator”. If you don’t know what an ICE is, just google for it ;) This paper will give you a step by step introduction to SoftICE. First we’ll discuss the most important things while installation and configuration as well as covering several problems that can happen. Subsequent to this I will discuss hotkeys, the most important basic and many advanced commands SoftICE has. Furthermore I will give examples how to use them as well as alluding stumbling blocks with some instructions. In the end of the document I prepared a list of useful API calls, which may help when searching for the right breakpoint in future debugging sessions. To reproduce all the things best, discussed here in the following, you should be armed with WinXP or Win2003, Driverstudio v3.2, IceExt v0.67, Spy & Capture v2.70 as well as VMWare Workstation v5.5. Watch the link list at the bottom where to get the tools needed. The reader of this document should have a basic understanding of x86 assembly and the fundamentals of debugging. Ok, let’s getting started now.  

Download file đính kèm theo bài viết!

Đang dự tính viết 1 article về remote debug ring0/ring3 qua Syser/WinDbg/IDA/VS cho anh em REA nhưng chưa viết được. Remote debug có lợi khi debug malware, drivers.