Low level WinNT debugger

Clarification

Sorry, I wasn't being clear before. But what I really want to know is how SoftICE gets to load so early on in the Windows boot process.


Original Post:

Hi

I was wondering whether anyone knows how low level debuggers
like SoftICE work? I am trying to do something similar but
the lowest level I can get to is to write a software device
driver, which can still be debugged by SoftICE.

[zEr0]

i think that everything is about RING mode, even SICE has your own sys driever in %SystemRoot%\system32\drivers

and my friend show me, somotime, that SICE loads up before windows and on Hercules monitor we see loading every windows modules

but inside magic of SICE is (i think) very difficult

[N0P]

Quote:

Originally Posted by zEr0

i think that everything is about RING mode, even SICE has your own sys driever in %SystemRoot%\system32\drivers

and some API hooking ,modifiyng registry,IDT,GDT and other...
Good start point iz learnig how icedump or iceext work from his source code ..


Sorry for my bad english iam only human ;o))

1. read one books..<Debugging Applications>

2. read win2k souce code in windows/windbg/*/...

3. learn some driver dev....

ok.u can design one debugger named.....XSoftice??

[wenij]

I also suggest one good book.
"How debuggers Work",Wiley.
It tell you how the debugger works on windows and Unix .

I don't think Ring 0 code will help. It did back in Win9x, and that's how TRW2000 works. However, I still cannot find any alternatives to SoftICE for WinNT. The problem I see is that the people at NuMega/Compuware seems to know something about WindowsNT that is not published. I can write a low level driver that loads. However, it is not low enough because it can still be debugged by SoftICE! What I want is something that is in the same level at SoftICE, so I can see and maybe alter the loading process of Windows programmatically.

I also suggest one good book.
"How debuggers Work",Wiley.
It tell you how the debugger works on windows and Unix .

Who is the author? And more importantly, do you have a soft copy?

And does it tell you about low level debuggers, or just the application level ones (ie the ones written using the Windows Debugging API)

"Good start point iz learnig how icedump or iceext work from his source code .. "

I am unaware where you can get icedump or iceext's source code....

[N0P]

Quote:

Originally Posted by auroras

Quote:
"Good start point iz learnig how icedump or iceext work from his source code .. "

I am unaware where you can get icedump or iceext's source code....

.. source code is included with exe file try search google for thiz ... or try search CrudeICE it iz free clone of softICe ... EDITED > it have source code included too < sorry thiz iz not true - big mistake, sorry

Sorry iam only human ;o))

Intel manuals will be useful as well

SoftICE have at least two components ALL components load as standard
drivers:
1. siwvid.sys - mostly UI code load as SERVICE_BOOT_START driver

2. ntice.sys - SoftICE heart can load as SERVICE_BOOT_START but also
can load as SERVICE_SYSTEM_START or SERVICE_DEMAND_START drver

Most frequently ntice.sys configured as SERVICE_SYSTEM_START driver

3. Sometimes if ntice.sys load as SERVICE_BOOT_START it use third part:
siwsym.sys - SERVICE_BOOT_START driver where packed symbolic and config
info. This module used because in time when loaded SERVICE_BOOT_START drivers no file I/O services available (this drivers load by NTLDR).

P.S. Sorry for my poor english

http://www.sysinternals.com/ntw2k/freeware/debugview.shtml
http://www.sysinternals.com/files/dbgvnt.zip

DebugView is an application that lets you monitor debug output on your local system, or any computer on the network that you can reach via TCP/IP. It is capable of displaying both kernel-mode and Win32 debug output, so you don抰 need a debugger to catch the debug output your applications or device drivers generate, nor do you need to modify your applications or drivers to use non-standard debug output APIs.

DebugView works on Windows 95, 98, Me, NT 4, 2000, XP and .NET Server.
DebugView Capture


Under Windows 95, 98, and Me DebugView will capture output from the following sources:
Win32 OutputDebugString
Win16 OutputDebugString
Kernel-mode Out_Debug_String
Kernel-mode _Debug_Printf_Service
Under Windows NT, 2000, XP and .NET Server DebugView will capture:
Win32 OutputDebugString
Kernel-mode DbgPrint
All kernel-mode variants of DbgPrint implemented in Windows XP and .NET Server
DebugView also extracts kernel-mode debug output generated before a crash from Window NT/2000/XP crash dump files if DebugView was capturing at the time of the crash.