From Collaborative RCE Tool Library


SoftICE Extensions


Tool name: IceStealth
Rating: 5.0 (1 vote)
Author:                         
Website: http://www.woodmann.com/forum/showthread.php?t=12131
Current version: 1.81
Last updated: April 10, 2015
Direct D/L link: Locally archived copy
License type: Free
Description: IceStealth is a SoftICE hiding tool that should protect from:

CreateFileA, CreateFileW, NtCreateFile (nmtrans.dll also won't find SoftICE with these methods)
NtQueryDirectoryObject
NtQueryObject
OpenServiceA, OpenServiceW, EnumServicesStatusA, EnumServicesStatusW, EnumServicesStatusExA, EnumServicesStatusExW
UnhandledExceptionFilter (2 Options)
SEH BPM Protection
BPM Protection
NtQuerySystemInformation
int 41 killed + DPL 0
int 1 DPL 0
Basic Registry Protection (if ever needed)
(RegOpenKeyExA, RegOpenKeyExW, RegOpenKeyA, RegOpenKeyW)
SaveDisk Protection

Also Improvements To NTICE
Also listed in: Tool Hiding Tools



Tool name: Antisptd
Rating: 0.0 (0 votes)
Author: smoke                        
Website: http://www.woodmann.com/forum/showthread.php?t=11870
Current version:
Last updated: July 1, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Antisptd is a driver that makes it possible for SoftICE to load when sptd.sys is present. It uses the method described by Kayaker (see related URLs below), that is, removing the notify routine sptd sets to prevent ntice.sys from loading. After ntice.sys gets loaded, it restores the notify routine and the keyboard hooks in i8042prt.sys that have been screwed up by sptd.sys.


How to use it:

Just put the startsi.exe in a directory with antisptd.sys and execute startsi.exe.


Compatibility issues

The driver should work on XP SP2/SP3 with the latest SoftICE installed. I have no idea if it'll work on XP SP1 (because I have used hard-coded values to locate the patches). If it doesn't work, feel free to modify the sources and recompile the driver yourself. ;)
Also listed in: (Not listed in any other category)



Tool name: IDA2SICE
Rating: 0.0 (0 votes)
Author: Mostek                        
Website: http://mostek.subcultural.com
Current version: 4.09
Last updated: October 30, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: IDA to SoftIce is an IDA plugin which loads IDA symbols into SoftIce. It can export them as an nms file too.
To get the last version go to News page.

I started the project in May 2000 and it took me almost 9 months to reverse everything needed to make the plugin (well, around 4 months of real work).
The main reason for the plugin was that at that time, you could only see global procedures and variables.
And because there were no local variables in SIce, reversing was really a pain in the .... So this plugin solves that. :)

Some info:
Currently PE and LE file types are supported.
Use the map2sice utility for all other types (included in the package).

One of the nicest features of the plugin is that you can see structures in SIce.
e.g.: In IDA you set a local/global structure, and in SIce you can use the command '? myStructure' or '? myStructure.element.element', .....
The plugin supports structures (unions) within structures (unions).
Also listed in: IDA Extensions



Tool name: IceExt
Rating: 0.0 (0 votes)
Author: Sten                        
Website: http://sourceforge.net/projects/iceext
Current version: 0.70
Last updated: May 11, 2006
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Very famous SoftICE extension.

Extends the functionality of the world's most famous debugger SoftICE to an unprecedented degree of power and usability.
Also listed in: (Not listed in any other category)



Tool name: IceProbe
Rating: 0.0 (0 votes)
Author: Kayaker                        
Website: http://www.woodmann.com/forum/showthread.php?t=11857
Current version:
Last updated: June 28, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: IceProbe is a utility that allows live tracing and analysis of SoftIce commands using the full capability of SoftIce itself. It is a tool strictly for code exploration, designed to be able to trace running Softice code in order to augment IDA analysis. It is debugging a debugger, in order to answer the question "How does Softice work?"

There is much that can be learned about system internals by studying Softice code. This utility will give a live hands-on method of tracing and exploring the code for the first time. It can also act as a GUI front-end for Softice, as bizarre as that might sound.


Concept:

Any SoftIce command typed into the command line window is stored in a global string buffer. The command string consists of the command name and any arguments. The buffer is passed to the individual function where it is parsed, and the command is executed.

We can selectively replace instances of this global buffer pointer with one of our own and call Softice commands directly from a GUI interface. An (optional) embedded breakpoint which will pop-up Softice is written into our driver code immediately before calling the command, which allows us to start tracing the Softice command.

While live tracing you have full use of all other Softice commands at your disposal, including the ability to set breakpoints in Softice code itself. There is an additional modification which will force the "Idt" command to expose the addresses of the Softice IDT hooks so you can also locate and analyse those various handlers as well.


Usage:

Iceprobe is simple to use, select Initialize/Reinitialize from the menu and the driver will return a listview listing of all the Softice commands and their addresses. A log window will monitor the driver. Double click on one of the entries and you will be presented with a dialog box to add any usual arguments to the command. When you select OK, Softice will popup at the start of the command, and you're ready to start tracing with F8.


Options:

Disable Manual Tracing Mode
We embed an INT 3 in our code and programmatically enable "I3HERE DRV" in order to make Softice pop up at the start of each command. Set this option if you don't want Softice to pop up. The command will still be executed and output to the Softice window as normal.


Make "Idt" show real addresses
Expose the addresses of the Softice IDT hooks in the listing from the "Idt" command.


Disable extra Softice self address space checks
These are somewhat experimental patches of locations where Softice tests whether an offset is within its own address space. Specifically, they occur in the "Search" command, in a portion of breakpoint handling code where MSR LastBranch and MSR LastException information is printed, and in the Int0D handler. You may or may not see any effect.


Include Undocumented Commands
There is only one command here, BPTE - Breakpoint on Thread Execution was its probable purpose. Code exists to be traced, but the command appears non-functional and was never documented. If selected, the BPTE command will be added to the listview where you can run it with test arguments.


Increase Recursive Disassembly Level (Calls nested 4 deep)
We must find every occurrence of the Softice global command buffer used in each command, in order to replace them with a pointer to our own buffer. A recursive disassembly is therefore needed in order to trace through all nested subcalls within a command.

A simple recursive method is used - trace each call until a RET/RETN is reached. It was found that this was sufficient with a default value of 3 nested levels of disassembly to find all instances of the global buffer for each command. A value of 4 will find further instances, but most seem to be false positives and not part of the command execution path. This is due to how Softice code is laid out (code chunks, use of jmps, etc), and the simplified method of recursive disassembly.


Output Recursive Call Pattern for Xref with IDA (DbgPrint) - Shows the nested recursive disassembly of all Calls and SubCalls for a command, as determined by the Increase Recursive Disassembly Level option. The pattern can be matched to what you find during the IDA analysis. It makes it easier to keep track of where you are while jumping back and forth between IDA and the Softice/Softice tracing of a command.


Output Developmental Notes (DbgPrint)
Prints a bunch of output about the Softice driver and internal offsets, mostly used during development.


All these options can be "toggled" on or off by setting them and selecting Initialize/Reinitialize from the menu again.



IDA Analysis:

This tool is meant to work side by side with an IDA analysis of the ntice.sys driver. Iceprobe should run without problem with Driver Studio 2.7, 3.1 or 3.2. It is designed to work with the final official DS3.2.1 patch version of the Softice driver which was publicly available on their ftp site. This official patch is available here:

http://www.woodmann.com/collaborative/tools/index.php/Compuware_DriverStudio_Version_3.2_patch


This would be incomplete without an explanation of how to set up IDA properly, which fortunately I discussed previously:

Setting up IDA for analysing Softice functions
http://www.woodmann.com/forum/showthread.php?t=6529


Briefly, Softice keeps its command names and offsets in indexed tables. The very first step is to run the following idc script. The CmdTable offsets are for the DS3.2.1 patch version. If you happen to be using a different version change the offsets accordingly, the above thread describes how to find them.

Your IDA disassembly will now identify all of the Softice commands by name. I would then strongly suggest to look at the IDB analysis and Softice headers produced by The Owl while developing Icedump, and use them to start naming some of the internal variables already defined. The article by +Spath is old but indispensable as well.

NTICE and WINICE IDB Files by the_owl (IDB)
http://woodmann.net/yates/ida/softice_idb.zip

SOFTICE INTERNALS revision 2 by +Spath
http://www.woodmann.com/crackz/Tutorials/Siceints.txt


Now you can start filling in the blanks in your IDA analysis with live tracing of any command using Iceprobe. The ideal situation is to have Softice running under VMWare and have IDA on your desktop. Iceprobe is stable, but you ARE live tracing Softice, so running under VMWare, etc. is desirable.

To further enhance the experience, you can create progressive NMS symbol files of your IDA analysis and have Softice load its own symbol file into itself using its Symbol Loader. Produce the symbol file with Mostek's Ida2Sice

http://www.woodmann.com/collaborative/tools/index.php/IDA2SICE


Any command can be traced, while at the same time being able to issue any other Softice command. However, if you execute the same command as you are tracing it will only rerun it with the same parameters that were initially set in the GUI, since we've overwritten the global buffer for that command with our own pointer.

For tracing the BPX command, you can set a breakpoint with a double click, or use BPM. You can even trace the HBOOT command and watch your VM reboot! (I put a protection in the GUI so you can't inadvertently click the HBOOT command).



WTF is this?:

I wrote this a few years back, partly as a way of tracing Softice code, but mostly as a way of exploring system internals and how Softice made use of various system structures, variables, hardware and registers. Sort of kernel spelunking through the eyes of a ring 0 debugger.

IceProbe was first integrated as a KDExtension driver to take advantage of the internal Softice disassembly engine available through the WINDBG_EXTENSION_APIS interface. Further Softice internal details can be found in the thread

Guide to creating a Softice Kernel Debugger Extension (KDExtension)
http://www.woodmann.com/forum/showthread.php?t=7097


This version uses a standalone driver and the disassembler is an integration of a module I created from the Ndisasm NASM disassembler for use in drivers. The disasm module is also available separately here:

Sysdasm: Full-Text Disassembler DLL Export Module for Kernel Mode
http://www.woodmann.com/collaborative/tools/index.php/SysDasm


Full VC6++ source is included for those interested in looking at an old friend with new eyes. ;)
Also listed in: (Not listed in any other category)
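Editor's note: the two mechanisms the IceProbe description relies on (a command's references to one global command-line buffer that the driver swaps for its own, and the simple "trace each call until a RET is reached" recursive disassembly used to find every such reference within N nesting levels) are easy to lose in the prose. The C model below is an added example written for this entry; it is not IceProbe's code and contains no Softice bytes. The load address 0x10000, the "global buffer" at 0x20000, the replacement buffer at 0x30000, the fake command handler with its chain of subcalls, and the handful of x86-32 opcodes the decoder understands are all constructed here. A real scan of ntice.sys needs a full decoder (IceProbe uses a module derived from ndisasm); treating unknown opcodes as one byte is the same kind of simplification the description blames for its false positives.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_REFS 32

/* A loaded code image: bytes plus the virtual address of bytes[0]. */
typedef struct { uint8_t *bytes; size_t len; uint32_t base; } image_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Length of the instruction at p for the tiny x86-32 subset this model decodes:
   mov r32,imm32 / push imm32 / mov eax,[moffs32] (has_imm), call rel32 (is_call),
   ret / ret imm16 (is_ret). Any other opcode counts as one byte (simplification). */
static size_t decode(const uint8_t *p, int *has_imm, int *is_call, int *is_ret) {
    *has_imm = (p[0] >= 0xB8 && p[0] <= 0xBF) || p[0] == 0x68 || p[0] == 0xA1 || p[0] == 0xA3;
    *is_call = p[0] == 0xE8;
    *is_ret  = p[0] == 0xC3 || p[0] == 0xC2;
    return (*has_imm || *is_call) ? 5 : (p[0] == 0xC2 ? 3 : 1);
}

typedef struct {
    const image_t *img;
    uint32_t target;                        /* operand value being hunted */
    uint32_t refs[MAX_REFS]; size_t nrefs;  /* VAs of instructions whose operand == target */
    uint32_t seen[MAX_REFS]; size_t nseen;  /* functions already scanned (cycle guard) */
} scan_t;

/* Scan one function linearly from va until its first RET, recursing into CALL targets
   while depth < max_depth. The printf mirrors the nested call pattern IceProbe can log. */
static void scan_func(scan_t *s, uint32_t va, int depth, int max_depth) {
    if (va < s->img->base || va - s->img->base >= s->img->len) return;
    for (size_t i = 0; i < s->nseen; i++) if (s->seen[i] == va) return;
    if (s->nseen == MAX_REFS) return;
    s->seen[s->nseen++] = va;
    printf("%*scall %08X (level %d)\n", depth * 2, "", va, depth);
    size_t off = va - s->img->base;
    while (off + 5 <= s->img->len) {               /* longest decoded form is 5 bytes */
        const uint8_t *p = s->img->bytes + off;
        int has_imm, is_call, is_ret;
        size_t len = decode(p, &has_imm, &is_call, &is_ret);
        uint32_t insn_va = s->img->base + (uint32_t)off;
        if (has_imm && rd32(p + 1) == s->target && s->nrefs < MAX_REFS)
            s->refs[s->nrefs++] = insn_va;
        if (is_call && depth < max_depth)           /* rel32 is relative to the next instruction */
            scan_func(s, insn_va + 5 + rd32(p + 1), depth + 1, max_depth);
        if (is_ret) return;                         /* stop at the function's first RET */
        off += len;
    }
}

/* VAs of instructions reachable from cmd_va within max_depth call levels whose
   32-bit operand equals target; returns how many were stored in out. */
size_t find_refs(const image_t *img, uint32_t cmd_va, uint32_t target, int max_depth,
                 uint32_t *out, size_t max_out) {
    scan_t s; memset(&s, 0, sizeof s);
    s.img = img; s.target = target;
    scan_func(&s, cmd_va, 0, max_depth);
    size_t n = s.nrefs < max_out ? s.nrefs : max_out;
    memcpy(out, s.refs, n * sizeof out[0]);
    return n;
}

/* Point every found reference at new_buf instead of old_buf (the pointer swap IceProbe
   performs). In every form decode() accepts, the operand sits at insn+1. */
size_t redirect_refs(image_t *img, uint32_t cmd_va, uint32_t old_buf, uint32_t new_buf, int max_depth) {
    uint32_t refs[MAX_REFS];
    size_t n = find_refs(img, cmd_va, old_buf, max_depth, refs, MAX_REFS);
    for (size_t i = 0; i < n; i++)
        for (int b = 0; b < 4; b++) img->bytes[refs[i] - img->base + 1 + b] = (uint8_t)(new_buf >> (8 * b));
    return n;
}

/* ---- constructed sample image: a fake command handler, not Softice bytes ---- */
#define IMG_BASE   0x00010000u   /* assumed load address */
#define GLOBAL_BUF 0x00020000u   /* stand-in for the global command buffer */
#define OUR_BUF    0x00030000u   /* the driver's replacement buffer */
static uint8_t sample_code[0x60] = {
    [0x00] = 0xBE,0x00,0x00,0x02,0x00, 0xE8,0x16,0x00,0x00,0x00, 0xC3,  /* cmd:  mov esi,GLOBAL_BUF; call sub1; ret */
    [0x20] = 0xE8,0x0B,0x00,0x00,0x00, 0xC3, 0x00,0x00,0x02,0x00,       /* sub1: call sub2; ret; dd GLOBAL_BUF (data past RET) */
    [0x30] = 0xB8,0x00,0x00,0x02,0x00, 0xE8,0x06,0x00,0x00,0x00, 0xC3,  /* sub2: mov eax,GLOBAL_BUF; call sub3; ret */
    [0x40] = 0xE8,0x0B,0x00,0x00,0x00, 0xC3,                            /* sub3: call sub4; ret */
    [0x50] = 0xBF,0x00,0x00,0x02,0x00, 0xC3,                            /* sub4: mov edi,GLOBAL_BUF; ret (level 4 only) */
};
static image_t sample_image(void) { image_t i = { sample_code, sizeof sample_code, IMG_BASE }; return i; }

size_t sample_count(uint32_t target, int max_depth) {          /* references from cmd to target */
    uint32_t r[MAX_REFS]; image_t img = sample_image();
    return find_refs(&img, IMG_BASE, target, max_depth, r, MAX_REFS);
}
size_t sample_redirect(int max_depth) {                        /* patch the sample in place */
    image_t img = sample_image();
    return redirect_refs(&img, IMG_BASE, GLOBAL_BUF, OUR_BUF, max_depth);
}

int main(void) {
    for (int d = 3; d <= 4; d++)
        printf("depth %d: %zu reference(s) to %08X\n", d, sample_count(GLOBAL_BUF, d), GLOBAL_BUF);
    size_t patched = sample_redirect(4);
    printf("redirected %zu; %zu old reference(s) remain\n", patched, sample_count(GLOBAL_BUF, 4));
    return 0;
}
```

With the default of three nesting levels the scan reports the references in the handler and in sub2; raising the level to four reaches sub4 and reports a third, which matches the description's observation that a deeper level finds further instances. The dword placed after sub1's RET is never reported, because the scan stops at the return rather than searching raw bytes, and after redirect_refs() a fresh scan finds no remaining references to the old buffer.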



Tool name: pdepte softice plugin
Rating: 0.0 (0 votes)
Author: deroko of ARTeam                        
Website: http://deroko.phearless.org
Current version:
Last updated:
Direct D/L link: Locally archived copy
License type: Open source, use it as you like
Description: This plugin allows users to list PDE/PTE fields on PAE systems from SoftICE. There is no support for non-PAE systems.

Howto install:

1. use kd2sysxlat.exe to convert pdepte.dll to pdepte.sys
2. use loader1.exe to load extension

commands:
!pte - displays information about pte
!pde - displays information about pde
!help - help
Also listed in: (Not listed in any other category)

