The Big Softice Howto: A Step by Step Guide
www.reconstructer.org
Page 1 of 24 04/04/2006
Table of Contents

Abstract ... 3
Installation & Basic Configuration ... 4
Configuring the winice.dat ... 6
SoftICE Commands & Hotkeys ... 10
IceExt: A Useful SoftICE Extension ... 20
Setting the Right Breakpoint: Useful APIs ... 22
Conclusion ... 24
References ... 24
Abstract
Debugging applications or drivers is part of every programmer's day. Nearly every IDE I know has its own debugger. Most of them suck in several ways and often don't fulfil all the needs a coder has, especially when developing a ring 0 component such as a driver for a video or audio device. Without a powerful kernel debugger it is very hard for the coding artist to fix problems there, because, as you know, bigger programming faults lead to bluescreens followed by a reboot. In the security or antivirus scene a debugger is often used when reversing a binary for vulnerabilities or discovering the functionality of malware. The best disassembler, IDA Pro from Datarescue, has also supported debugging for some time now and eases the reverser's work when analyzing an application, particularly when the binary is compressed with an executable packer. Microsoft ships Visual Studio with a nice debugger which is also capable of kernel debugging. But almost all debuggers still have some disadvantages. In my opinion there is currently only one debugger that is nearly perfect, the world famous SoftICE. Originally created by NuMega, sold to Compuware in 1997 and now part of DriverStudio, SoftICE is a fully featured debugger with dozens of commands that I'll try to bring you closer to in this essay. Have you ever wondered what the ICE in SoftICE stands for? Quite easy: it means In-Circuit Emulator. If you don't know what an ICE is, just google for it ;) This paper will give you a step by step introduction to SoftICE. First we'll discuss the most important things during installation and configuration and cover several problems that can occur. After that I will discuss hotkeys, the most important basic commands and many of the advanced commands SoftICE has. I will also give examples of how to use them and point out stumbling blocks with some instructions.
At the end of the document I have prepared a list of useful API calls, which may help when searching for the right breakpoint in future debugging sessions. To reproduce everything discussed here you should be armed with WinXP or Win2003, DriverStudio v3.2, IceExt v0.67, Spy & Capture v2.70 and VMware Workstation v5.5. See the link list at the bottom for where to get the tools. The reader of this document should have a basic understanding of x86 assembly and the fundamentals of debugging. OK, let's get started now.
After all files have been copied to the system, the setup confronts us with several configuration settings. For the setup process only one section matters at the moment, the Video section. By default the radio button Universal Video Driver is selected, which is good. Now click Detect to let the setup detect your display adapter, then click Test to check whether your video driver was properly detected. If everything is fine a message box appears telling us that the detection completed successfully, as seen in the screenshot below.
When this operation fails it's a fairly sure sign that your video driver is not supported. You can try Full screen VGA mode now, or contact Compuware support for a hotfix if you're a registered customer. If you plan to install SoftICE under VMware, e.g. for debugging malware, it is mandatory that the VMware Tools are installed as well, otherwise the detection fails. That's it for the moment, pals! Now finish the installation and reboot to activate SoftICE properly. If you wonder why we left the other configuration options alone: we'll discuss most of them separately when we look at SoftICE's configuration file after the reboot.
Note that these values are only initial values used when SoftICE starts. You can always adjust every parameter at run time, e.g. if the code window should have 40 lines instead of 50, just type wc 40 in the debugger, and so on.
CODEMODE=ON
I personally like seeing the raw instruction bytes next to the disassembly while debugging, so I've set CODEMODE=ON. If you want to turn them off temporarily, type code off in the debugger.
The last thing important to me is that SoftICE shows me exported API names instead of a bare call to a memory address while debugging. It can improve reversing speed drastically if you immediately know which function sits behind a call to an address ;) Note that by default some DLLs are already listed at the bottom of the winice.dat, just commented out with a semicolon. Delete the semicolon to activate these exports. So here we go with the list:

EXP=\SystemRoot\System32\hal.dll
EXP=\SystemRoot\System32\ntoskrnl.exe
EXP=\SystemRoot\System32\ntdll.dll
EXP=\SystemRoot\System32\kernel32.dll
EXP=\SystemRoot\System32\user32.dll
EXP=\SystemRoot\System32\csrsrv.dll
EXP=\SystemRoot\System32\basesrv.dll
EXP=\SystemRoot\System32\winsrv.dll
EXP=\SystemRoot\System32\gdi32.dll
EXP=\SystemRoot\System32\advapi32.dll
EXP=\SystemRoot\System32\ws2_32.dll
EXP=\SystemRoot\System32\msvbvm60.dll
EXP=\SystemRoot\System32\msvcrt.dll
EXP=\SystemRoot\System32\netapi32.dll
EXP=\SystemRoot\System32\rpcrt4.dll
EXP=\SystemRoot\System32\dnsapi.dll
EXP=\SystemRoot\System32\comctl32.dll
EXP=\SystemRoot\System32\comdlg32.dll
EXP=\SystemRoot\System32\ole32.dll
EXP=\SystemRoot\System32\oleaut32.dll
EXP=\SystemRoot\System32\shell32.dll

OK, now save the winice.dat and let's get ready to rumble. ;)
Important note: if you have installed SoftICE in VMware, I advise you to first add two parameters to your VMware configuration file, e.g. W2K3SRV.vmx, otherwise you won't see the debugging screen after breaking in. This is because the Universal Video Driver does not draw the SoftICE screen properly inside VMware without them. Here are the needed values:

vmmouse.present = FALSE
svga.maxFullscreenRefreshTick = 5

To activate these settings, shut down any running VMware session and reboot the guest OS of your choice. Everything should be fine now, and right after SoftICE starts the hotkey CTRL+D brings up the debugging screen, which should look like the screenshot on the next page.
Outputs:

breakpoint on execution
bpx[.t.|.p| ] address [IF expression] [DO bp-action]
ex: BPX 282FE0
And so forth. Just type help followed by a command name and you get more info. Even for assembly instructions SoftICE has a small help, called opinfo:
opinfo xor
But let's stay with processes first. After typing proc we see several processes, their process IDs (PID), threads, etc.
If we now want to enter the address space of a running process, we have to tell SoftICE by typing:
addr <processname> or <pid>
For example:
addr explorer
or
addr 11c
This is because the CPU knows nothing about processes; it only knows page tables, and the operating system has to handle the rest. So strictly keep in mind that you always have to use addr before SoftICE is able to display the memory of a given process! Sometimes addressing by PID makes more sense, e.g. when a program is started more than once and you need to debug a specific instance. Now that we have switched to explorer.exe, let's have a look at the 32 bit section map of the process.
map32 explorer
This shows us the owner, the object (section) names like .text, .data, .rsrc, .reloc and so forth, their start addresses, lengths and types. In case this is all Greek to you, I strongly suggest reading up on the PE file format. Every newbie in the field of reverse engineering should know file formats like PE, ELF or COFF, especially when trying to reverse malware, because it is very often crunched and/or crypted with an executable packer/crypter, and without an understanding of the file format it is nearly impossible to rebuild the binary after unpacking.

OK, now some commands you'll need all the time.

d  Display virtual or physical memory
Example:

d ss:esp

or

d 401000

This shows the contents at ss:esp, respectively at 401000, in the data window.
By the way, keep in mind that SoftICE always interprets numbers as hexadecimal, which means 401000 here is 4198400 in decimal. Also note that all commands in SoftICE are case-insensitive.

e  Edit memory
Example:
e ss:esp or e 401000
Now you can edit the values in memory at ss:esp in the data window. When you have finished editing, press ESC to return to the command window. And now some code window actions.

u  Unassemble instructions
Example:
u cs:eip or u 401000
The example displays the assembly at cs:eip in the code window.

a  Assemble code
Example:
a cs:eip
or
a 401000
Sometimes it's useful to add or edit code in a debugging session to directly see what happens after the change, e.g. if a driver causes trouble and you want to check whether a hotfix makes things better. ;) Right after entering a <address> you can type assembly instructions; when you're done, just hit Enter once more on an empty line.

r  Display or change the contents of a register
Example:
r eip
Switches to the register window with EIP selected so it can be edited. Pressing ESC switches back to the command window.

r eax=deadbeef

Sets EAX to DEADBEEF directly from the command line, without entering the register window.
The next command searches for data in memory.

s  Search for data
Example:
S 0 L ffff windows
Searches from offset 0 through offset ffff for the string windows.
S u 0 L ffff windows
Same search as above, but for the Unicode form of the string, with one zero byte after each letter.
S 0 L ffff 77 69 6e 64 6f 77 73
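The three searches above look for the same text in three different encodings. The following is an added example (not part of the original howto) that builds those three byte patterns the way the S command would compare them against memory and runs them over a constructed buffer. It also shows the range semantics of "start L length": a hit must lie completely inside the range, so a string that straddles offset ffff is not reported by S 0 L ffff. The buffer contents and offsets are made up for the demonstration.

```python
# Added example, not from the original howto: the three forms of the S command
# (plain string, Unicode string, hex byte list) as byte patterns, run over a
# constructed memory buffer so the equivalence of the searches and the meaning of
# the "start L length" range can be checked offline.

def search_patterns(text):
    """Return the byte pattern for 'S start L len text', for 'S u ...' and the hex form."""
    ascii_pat = text.encode("ascii")
    unicode_pat = text.encode("utf-16-le")             # one zero byte after each letter
    hex_pat = " ".join(f"{b:02x}" for b in ascii_pat)  # 'windows' -> '77 69 6e 64 6f 77 73'
    return ascii_pat, unicode_pat, hex_pat


def parse_hex_pattern(hex_text):
    """Turn '77 69 6e 64 6f 77 73' back into the bytes compared against memory."""
    return bytes(int(tok, 16) for tok in hex_text.split())


def search(memory, start, length, pattern):
    """Offsets in [start, start+length) where pattern begins, byte for byte (like S start L length)."""
    end = min(start + length, len(memory))
    hits = []
    pos = memory.find(pattern, start, end)  # find() only reports matches fully inside [start, end)
    while pos >= 0:
        hits.append(pos)
        pos = memory.find(pattern, pos + 1, end)
    return hits


# Constructed address space standing in for the range 0..ffff used in the examples.
MEMORY = bytearray(0x10008)
MEMORY[0x0100:0x0107] = b"windows"                       # ASCII copy
MEMORY[0x0200:0x020E] = "windows".encode("utf-16-le")    # Unicode copy
MEMORY[0x8000:0x8007] = b"WINDOWS"                       # different case: not a byte match
MEMORY[0xFFFA:0x10001] = b"windows"                      # straddles the end of 'S 0 L ffff'

if __name__ == "__main__":
    a, u, h = search_patterns("windows")
    print("S 0 L ffff windows       ->", [hex(o) for o in search(MEMORY, 0, 0xFFFF, a)])
    print("S u 0 L ffff windows     ->", [hex(o) for o in search(MEMORY, 0, 0xFFFF, u)])
    print(f"S 0 L ffff {h} ->", [hex(o) for o in search(MEMORY, 0, 0xFFFF, parse_hex_pattern(h))])
    print("whole buffer             ->", [hex(o) for o in search(MEMORY, 0, len(MEMORY), a)])
```

The ASCII search and the hex search return the same offset because they are the same byte pattern; the Unicode search finds only the UTF-16 copy; and the copy at fffa only shows up once the range is widened past ffff.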
Likewise the same search as in our first example, but this time given as hex bytes. Now that we know how to handle the basic stuff in SoftICE, it's time for another very important field every debugger supports: breakpoints. SoftICE has dozens of possibilities to halt a process and even react dynamically, but let's take this step by step. The most often used breakpoint command in SoftICE is certainly BPX.

bpx  Breakpoint on execution
Example:
bpx 401000
This simple command halts execution when address 401000 is reached. Quite easy, so let's get a bit trickier ;)

bpx setfocus if(pid==0x6a4)

Breaks on SetFocus, but only when the calling process has PID 6a4.
What about some macro magic? Start Notepad.exe and break into SoftICE using CTRL+D. Now look up the PID of Notepad.exe using proc and enter the following:

addr notepad
macro shregkey = "d *(esp+8)"
bpx regopenkeyexa if (pid==0x42c) do "shregkey"

Got it? OK, some explanation. ;) With addr notepad we set the address context to notepad, as you know. The command macro shregkey defines a macro which, when invoked, shows the contents of the address that esp+8 points to in the data window. The last command, bpx regopenkeyexa if ... do ..., tells SoftICE to break when RegOpenKeyExA() is called by notepad.exe (PID 0x42c in my case) and to run the shregkey macro, which displays the second parameter of RegOpenKeyExA(), lpSubKey. Cool, eh? In addition it's also possible to use parameters in a macro definition:

macro shregkey = "d %1"
bpx regopenkeyexa if (pid==0x42c) do "shregkey *(esp+8)"

These are really easy examples of what's feasible. In real-life situations macros can help, for example, when debugging crypted malware where manual tracing would take too long.

bl  List current breakpoints
There's nothing more to say here. ;)
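The regopenkeyexa macro above works because of the x86 stdcall convention: when the breakpoint fires at the first instruction of the API, [esp] holds the return address and the arguments follow as dwords, so *(esp+4) is hKey and *(esp+8) is lpSubKey. The following added example (not part of the original howto) models exactly that: a constructed stack snapshot and a constructed string in the debuggee's memory, plus the small readers needed to turn *(esp+8) into the key path the way "d *(esp+8)" shows it. All addresses, the key path and the stack values are made up; the HKEY and KEY_READ constants are the real Win32 values.

```python
import struct

# Added example, not from the original howto. It models what
#   macro shregkey = "d *(esp+8)"  /  bpx regopenkeyexa ... do "shregkey"
# relies on: at the entry of a stdcall API the return address is at [esp] and the
# arguments follow as dwords, so *(esp+8) is the second argument (lpSubKey).
# Stack contents, addresses and the key path below are constructed sample data.

ESP = 0x0012F9A0                 # constructed value of ESP when the bpx fires
SUBKEY_ADDR = 0x00403010         # constructed address of the string in notepad's .data
STACK = struct.pack(
    "<IIIIII",
    0x01003B2D,                  # [esp]      return address into notepad.exe (constructed)
    0x80000001,                  # [esp+4]    hKey        = HKEY_CURRENT_USER
    SUBKEY_ADDR,                 # [esp+8]    lpSubKey    -> "Software\Microsoft\Notepad"
    0x00000000,                  # [esp+0xC]  ulOptions
    0x00020019,                  # [esp+0x10] samDesired  = KEY_READ
    0x0012F9F8,                  # [esp+0x14] phkResult   -> a slot further up the stack
)
MEMORY = {ESP: STACK, SUBKEY_ADDR: b"Software\\Microsoft\\Notepad\x00"}

HKEY_NAMES = {
    0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
    0x80000004: "HKEY_PERFORMANCE_DATA", 0x80000005: "HKEY_CURRENT_CONFIG",
}
# RegOpenKeyExA's stdcall parameter list, left to right.
REGOPENKEYEXA_PARAMS = ("hKey", "lpSubKey", "ulOptions", "samDesired", "phkResult")


def read(addr, size):
    """Fetch bytes from the constructed address space (what 'd addr' would display)."""
    for base, blob in MEMORY.items():
        if base <= addr and addr + size <= base + len(blob):
            return blob[addr - base:addr - base + size]
    raise ValueError(f"no memory mapped at {addr:08x}")


def dword(addr):
    """SoftICE's *(addr): the little-endian dword stored at addr."""
    return struct.unpack("<I", read(addr, 4))[0]


def stdcall_arg(esp, n):
    """n-th stdcall argument at function entry; n=0 is the return address, args start at esp+4."""
    return dword(esp + 4 * n)


def cstring(addr, limit=260):
    """Read a NUL-terminated ANSI string, as 'd' shows it on the right-hand side."""
    out = bytearray()
    while len(out) < limit:
        b = read(addr + len(out), 1)[0]
        if b == 0:
            break
        out.append(b)
    return out.decode("latin-1")


def shregkey(esp):
    """The effect of  macro shregkey = "d *(esp+8)":  the lpSubKey string being opened."""
    return cstring(stdcall_arg(esp, 2))


def decode_regopenkeyexa(esp):
    """Name every argument of RegOpenKeyExA from the stack, as a DO action could print them."""
    args = {name: stdcall_arg(esp, i + 1) for i, name in enumerate(REGOPENKEYEXA_PARAMS)}
    return {
        "return_to": stdcall_arg(esp, 0),
        "hKey": HKEY_NAMES.get(args["hKey"], f"{args['hKey']:#010x}"),
        "lpSubKey": cstring(args["lpSubKey"]),
        "samDesired": args["samDesired"],
        "phkResult": args["phkResult"],
    }


if __name__ == "__main__":
    for key, value in decode_regopenkeyexa(ESP).items():
        print(f"{key:10} {value:#010x}" if isinstance(value, int) else f"{key:10} {value}")
```

The same offsets hold for every stdcall API in the list at the end of this document: the n-th parameter is always at esp+4*n at function entry, which is why "d *(esp+8)" is a reusable macro body and not something specific to RegOpenKeyExA.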
This one clears breakpoint 0 from the breakpoint list. Sometimes a breakpoint just needs to be inactive rather than cleared.

bd  Disable breakpoint
Example:
bd 0
This disables breakpoint 0 until it gets reactivated using:

be  Enable breakpoint
Example:
be 0
SoftICE breaks when a process reads from or writes to memory address 401000 + eax.

bpint  Breakpoint on interrupt
Example:
bpint 2e if (eax==95)
Break on interrupt 2e if eax has the value 95 hex (on Windows NT/2000/XP int 2e is the system call entry and eax holds the service number). A nice list of software interrupts can be found here:

http://www.ctyme.com/rbrown.htm

or

http://www.cs.cmu.edu/~ralf/files.html
Breaks when port 1f7 is read. A very complete list of I/O ports can be found here:

http://mudlist.eorbit.net/~adam/pickey/ports.html

or here:

http://www.i-clique.com/dalhousie/cs4122/docs/ioports.pdf
The last breakpoint I am introducing here is called bmsg, which is a little more complicated to use and needs some explanation first.

bmsg  Breakpoint on Windows message
Everyone familiar with Windows programming knows what window messages do. SoftICE has a short command that lists all the messages Windows supports:

wmsg  Display window messages
Windows programming further works with handles to address the right window when sending or receiving messages. And again SoftICE has a command, hwnd, that shows us all the window handles a process owns:

hwnd  Display window handle information
Now start explorer.exe, break into SoftICE and enter:
wmsg wm_destroy
Now we see the information hwnd gives for each window of this class, e.g. handle, TID, module, etc.
Armed with a window message number and a window handle belonging to explorer.exe, we can now enter the following command.

bmsg 2c032e 2

The first parameter is the handle we got from hwnd explorewclass, the second is the value of wm_destroy, 0002. If explorer.exe is closed now, our breakpoint triggers. As hunting for handles inside processes is always a pain for me, I use a small tool to identify a specific window handle, e.g. the edit box in Notepad. The tool is called Spy & Capture and is freeware; for a link scroll down to the references. Below is a screenshot of how to use it. In my opinion it's fairly idiot proof. ;)

Note: when using SoftICE in VMware, don't be surprised if you don't get a list of handles with hwnd. Even the handles grabbed with Spy & Capture are rejected as illegal by bmsg. Don't ask me why. :(
This executes 4 single instructions. The command t can also be used without a parameter; its default hotkey is F8.

p  Step, skipping over calls, interrupts and so forth
The command p is usually used without a parameter. If p is given the parameter ret, SoftICE runs the program until the next ret instruction is reached. The default hotkey for p is F10; the hotkey for p ret is F12, which is useful after SoftICE halted the program because of a breakpoint inside an external function.
Example:
1. Start Notepad.exe and enter SoftICE using CTRL+D
2. addr notepad
3. bpx dialogboxparamw
4. Leave SoftICE with x or F5
5. In Notepad click Help --> About Notepad and SoftICE should break

As you see now, the function DialogBoxParamW() lives in user32.dll. To find out who the caller of this function is, press F12. The About Notepad dialog box should appear; press OK and you're back in SoftICE, now in shell32.dll, another Windows library, which was the caller of DialogBoxParamW(). Pressing F12 again we see that the call came from the function ShellAboutW(), and hitting F12 one last time we are back in Notepad.exe, the original caller of the whole chain. The last hotkey mentioned here is F6, which switches between the code and the command window. For all other hotkeys and their meaning consult the winice.dat.
rs  Restore program screen
I use this command when the SoftICE screen temporarily needs to be hidden, e.g. to look at what appeared on the program screen after tracing some code. Press any key to return to SoftICE.

faults  Enable/disable SoftICE fault trapping
Example:
faults off
As SoftICE always reports every unhandled exception, it is sometimes necessary to turn off fault trapping for a while to avoid an endless loop of breaks. To reactivate fault trapping use faults on.

i3here  Direct interrupt 3 to SoftICE
Example:
i3here on
Every time an interrupt 3 occurs (opcode 0xCC), SoftICE halts. Other parameters are off, or drv to trap only drivers.

exp  Display export symbols
Example:
exp dialogbox*
Shows all export symbols matching the wildcard pattern dialogbox*; exp without a parameter shows all known exports.

cls  Clear window
This one clears the command window. Finally, let's do some maths with SoftICE.

? eax+1a            Addition
? 10-7              Subtraction
? -100/2            Division
? esi*eax           Multiplication
? 10%3              Modulo
? 10>>2 or ? eax<<4 Logical shift right/left
To see what commands IceExt has. Otherwise there might be a small problem that I and some friends had with version 0.67.
To fix this problem, paste the three-liner below into a file called Fix_KDHeapSize.reg, save it and execute it. To activate the change, reboot the system and start IceExt again.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTice]
"KDHeapSize"=dword:00008000
Here are some of the features IceExt adds to SoftICE.

!dump  Dump memory to disk
Example:
!dump \??\c:\unpackedmalware.bin 400000 fc00
Very useful, for example, if a piece of malware was compressed with an unknown packer. The first parameter is the file to write, the second the start address and the third the length.

!dumpscreen  Dump SoftICE screen to disk in RAW format
Example:
!dumpscreen \??\c:\SoftICEScreen.raw
If the debugger is not running under VMware it is not possible to take a snapshot of the current SoftICE screen. The !dumpscreen feature removes this obstacle. To convert the saved .raw file into a .bmp file use the tool SiwRender, a command line tool found in the directory %ProgramFiles%\IceExt\SiwRender. Before using it, make sure the settings in SiwRender.ini match your current SoftICE window settings, e.g. font, width and height; otherwise adjust them as in the example below. SiwRender.ini:

[Main]
FontName = 8x8std.fnt
FontWidth = 8
FontHeight = 8
ScreenWidth = 80
ScreenHeight = 90
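A file written with !dump from 400000 is the process image as the loader mapped it: every section lies at its VirtualAddress, but the section table still carries the PointerToRawData and SizeOfRawData of the original file on disk, so a PE parser or the loader reading the dump by file offset lands on the wrong bytes. This is the "understanding of the file format" needed to rebuild the binary after unpacking that the map32 section mentioned. The following added example (not part of the original howto or of IceExt) builds a constructed two-section PE32 image in memory layout, lists its sections as map32 would, and realigns the section table so the dump loads again. The image, its section names and contents are made up for the demonstration; the header offsets are those of the PE32 format.

```python
import struct

# Added example, not from the original howto. A !dump of a mapped image keeps
# the on-disk PointerToRawData/SizeOfRawData in its section table while the
# section bytes sit at their VirtualAddress. This builds such a (constructed)
# dump, parses its section table like map32 and realigns it so it loads again.

PE_OFFSET = 0x40              # e_lfanew of the constructed image
SECTION_ALIGN = 0x1000
FILE_ALIGN = 0x200
IMAGE_BASE = 0x400000         # same base as the !dump example above
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)


def build_dumped_image():
    """Constructed sample: a two-section PE32 exactly as it sits in memory at IMAGE_BASE."""
    text = b"\x33\xc0\xc3"    # xor eax,eax ; ret  (all the 'code' there is)
    data = b"windows\x00"
    # name, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics, content
    sections = [(b".text", 0x1000, 0x200, 0x400, 0x60000020, text),
                (b".data", 0x2000, 0x200, 0x600, 0xC0000040, data)]
    img = bytearray(0x3000)                                   # SizeOfImage
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, PE_OFFSET)              # e_lfanew
    img[PE_OFFSET:PE_OFFSET + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, PE_OFFSET + 4,          # IMAGE_FILE_HEADER
                     0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = PE_OFFSET + 24                                      # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", img, opt, 0x10B)                   # Magic: PE32
    struct.pack_into("<I", img, opt + 0x10, 0x1000)           # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 0x1C, IMAGE_BASE)
    struct.pack_into("<II", img, opt + 0x20, SECTION_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", img, opt + 0x38, len(img), 0x400)  # SizeOfImage, SizeOfHeaders
    for i, (name, va, raw_size, raw_ptr, chars, content) in enumerate(sections):
        struct.pack_into(SECTION_HDR, img, opt + 0xE0 + 40 * i,
                         name, len(content), va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        img[va:va + len(content)] = content                   # the loader put the bytes at the VA
    return bytes(img)


def parse_sections(image):
    """Section table as map32 shows it (name, start address, length) plus the raw-file fields."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    image_base = struct.unpack_from("<I", image, opt + 0x1C)[0]
    section_align, file_align = struct.unpack_from("<II", image, opt + 0x20)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, rva, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_HDR, image, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "address": image_base + rva,
                         "rva": rva, "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "hdr_off": off})
    return {"section_align": section_align, "file_align": file_align, "sections": sections}


def section_bytes(image, sec):
    """What a file-offset based reader (loader, disassembler) takes as the section's content."""
    return image[sec["raw_ptr"]:sec["raw_ptr"] + sec["raw_size"]]


def realign_dump(image):
    """Make a memory dump loadable: raw offset := RVA, raw size := VirtualSize rounded up."""
    info = parse_sections(image)
    out = bytearray(image)
    e_lfanew = struct.unpack_from("<I", out, 0x3C)[0]
    align = info["section_align"]
    struct.pack_into("<I", out, e_lfanew + 24 + 0x24, align)   # FileAlignment := SectionAlignment
    for sec in info["sections"]:
        raw_size = min(align_up(sec["vsize"], align), len(out) - sec["rva"])  # stay inside the dump
        struct.pack_into("<II", out, sec["hdr_off"] + 16, raw_size, sec["rva"])  # SizeOfRawData, PointerToRawData
    return bytes(out)


if __name__ == "__main__":
    dump = build_dumped_image()
    for sec in parse_sections(dump)["sections"]:
        print(f"{sec['name']:8} {sec['address']:08X} len {sec['vsize']:04X} raw@{sec['raw_ptr']:04X}")
    fixed = realign_dump(dump)
    for sec in parse_sections(fixed)["sections"]:
        print(f"{sec['name']:8} raw@{sec['raw_ptr']:04X} size {sec['raw_size']:04X} ->",
              bytes(section_bytes(fixed, sec)[:8]))
```

Before the fix, reading .text by its raw pointer (0x400) returns header padding instead of the code; after the fix the raw pointers equal the RVAs and the content is found where a file parser looks for it. Fixing the import table and the entry point of a real unpacked dump is a separate step not shown here.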
Some applications and malware use several techniques to protect themselves from being debugged. This nice feature works as a bypass for some of the common anti-SoftICE tricks. It protects against MeltICE, UEF tricks, NtQuerySystemInformation and the CR4 debug extensions bit check.
File:
INI-File:
GetPrivateProfileStringA / GetPrivateProfileStringW
GetPrivateProfileIntA / GetPrivateProfileIntW
GetPrivateProfileSectionA / GetPrivateProfileSectionW
GetPrivateProfileStructA / GetPrivateProfileStructW
WritePrivateProfileStringA / WritePrivateProfileStringW
WritePrivateProfileSectionA / WritePrivateProfileSectionW
WritePrivateProfileStructA / WritePrivateProfileStructW
Registry:
RegCreateKeyA / RegCreateKeyW
RegCreateKeyExA / RegCreateKeyExW
RegDeleteKeyA / RegDeleteKeyW
RegQueryValue / RegQueryValueEx
RegEnumKeyA / RegEnumKeyW
RegEnumKeyExA / RegEnumKeyExW
RegEnumValueA / RegEnumValueW
RegSetValueA / RegSetValueW
RegSetValueExA / RegSetValueExW
RegOpenKeyA / RegOpenKeyW
RegOpenKeyExA / RegOpenKeyExW
RegCloseKey
Directory:
CreateDirectoryA / CreateDirectoryW
CreateDirectoryExA / CreateDirectoryExW
GetCurrentDirectoryA / GetCurrentDirectoryW
GetSystemDirectoryA / GetSystemDirectoryW
GetWindowsDirectoryA / GetWindowsDirectoryW
RemoveDirectoryA / RemoveDirectoryW
Message boxes:
MessageBoxA / MessageBoxW
MessageBoxExA / MessageBoxExW
MessageBoxIndirectA / MessageBoxIndirectW
MessageBoxTimeoutA / MessageBoxTimeoutW
SoftModalMessageBox
MessageBeep
Dialog boxes:
CreateWindowExA / CreateWindowExW
CreateDialogIndirectParamA / CreateDialogIndirectParamW
CreateDialogParamA / CreateDialogParamW
DialogBoxIndirectParamA / DialogBoxIndirectParamW
DialogBoxParamA / DialogBoxParamW
ShowWindow
EndDialog
Edit boxes:
GetWindowTextA / GetWindowTextW
GetDlgItemTextA / GetDlgItemTextW
GetDlgItemInt
SetWindowTextA / SetWindowTextW
SetDlgItemTextA / SetDlgItemTextW
SetDlgItemInt
Time:
CDROM:
For further information on these API calls consult Microsoft's MSDN library. Note that programming languages other than C/C++ may use different API calls than those listed above; Visual Basic, for instance, uses RtcMsgBox() instead of MessageBox().
Conclusion
After studying this paper the reader should now have a better understanding of how to use the most powerful debugger ever created. Of course this essay hasn't covered all the commands SoftICE offers, but with the information given it should be no problem to expand your knowledge from here. I hope you found this document useful. If you have questions, comments or a constructive review, just drop me a mail. Happy reversing!
References
DriverStudio v3.2: http://www.compuware.com/products/driverstudio/782_ENG_HTML.htm
IceExt v0.67: http://stenri.pisem.net
VMware Workstation: http://www.vmware.com/products/ws/
http://programmerstools.org/node/348

Big thanks go to Sten, Trapflag and Marc Schönefeld for reviewing this essay.