I thought I'd continue a new thread for the Softice related discussions that seem to be happening here and there. There was some talk about trying to debug through the early loading of Softice in a VM, perhaps to identify graphic issues or other reasons. Just for fun I decided to try it.

Here is virtual Windbg on Win10 host with XP target with Softice installed. Break is at loading of siwvid.sys

VMWare Workstation, install VirtualKD on host and guest.
https://sysprogs.com/legacy/virtualkd/

After installation, XP will break at new boot.ini with debug OS. Start VirtualKD and wait for connect (might have to fiddle around with order of starting).

Code:
Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64

Opened \\.\pipe\kd_XP_SOFTICE
Waiting to reconnect...
Connected to Windows XP 2600 x86 compatible target
Kernel Debugger connection established.

*NOTE XP SYMBOLS in shared VM folder
************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*D:\Programming\Symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       SRV*Z:\Symbols*http://msdl.microsoft.com/download/symbols

*AT THIS POINT ONLY NT LOADED
kd> lm
start    end        module name
804d7000 806eb780   nt         (pdb symbols)          d:\programming\symbols\ntoskrnl.pdb\8592B6763F34476B9BB560395A383F962\ntoskrnl.pdb


*SET BREAKPOINT on siwvid
kd> sxe -c ".echo siwvid Loaded;" ld:siwvid.sys

*CONFIRM EVENT FILTER is set in Windbg

kd> g

siwvid Loaded

nt!DebugService2+0x10:
8050b897 cc              int     3


*NOTICE CPTHOOK and other modules LOADED BEFORE SIWVID
kd> lm
start    end        module name
804d7000 806eb780   nt         (pdb symbols)          d:\programming\symbols\ntoskrnl.pdb\8592B6763F34476B9BB560395A383F962\ntoskrnl.pdb
806ec000 8070c380   hal        (deferred)             
8070d000 80737000   KDBAZIS    (deferred)    *VIRTUALKD DRIVER         
f75af000 f75d5e80   siwvid     (deferred)             
f75d6000 f7602a80   NDIS       (deferred)             
f7603000 f768f480   Ntfs       (deferred)             
f7690000 f76a6780   KSecDD     (deferred)             
f76a7000 f76b8f00   sr         (deferred)             
f76b9000 f76d7780   fltMgr     (deferred)             
f76d8000 f76ef800   SCSIPORT   (deferred)             
f76f0000 f7707480   atapi      (deferred)             
f7708000 f7726880   ftdisk     (deferred)             
f7727000 f77d5d60   OsiData    (deferred)             
f77d6000 f77e6a80   pci        (deferred)             
f77e7000 f7814d80   ACPI       (deferred)             
f7836000 f783ec00   isapnp     (deferred)             
f7846000 f7850500   MountMgr   (deferred)             
f7856000 f7865c80   vmci       (deferred)             
f7866000 f7872c80   VolSnap    (deferred)             
f7876000 f7883d00   vsock      (deferred)             
f7886000 f788ee00   disk       (deferred)             
f7896000 f78a2200   CLASSPNP   (deferred)             
f7ab6000 f7aba800   cpthook    (deferred)             
f7abe000 f7ac4200   PCIIDEX    (deferred)             
f7ac6000 f7aca900   PartMgr    (deferred)             
f7c46000 f7c49000   BOOTVID    (deferred)             
f7c4a000 f7c4c980   bootcfg    (deferred)             
f7c4e000 f7c50480   compbatt   (deferred)             
f7c52000 f7c55700   BATTC      (deferred)             
f7d36000 f7d37100   WMILIB     (deferred)             
f7d38000 f7d39580   intelide   (deferred)             
f7d3a000 f7d3bd00   vmscsi     (deferred)

That's as far as I've gotten, I haven't traced anything I just wanted to confirm if it was possible to break on Softice loading under VMware. I'm not sure at exactly what point in loading the PE driver file Windbg sxe breaks, presumably before DriverEntry.

If it's difficult to trace into the driver code from there or find the right breakpoints, there's always the old-fashioned way

Break on the call in IopLoadDriver which directly calls DriverEntry for any driver.

Code:
kd> x nt!IopLoadDriver
805a65cf          nt!IopLoadDriver

nt!IopLoadDriver+0x662:
805a69c9 ffb570ffffff    push    dword ptr [ebp-90h]
805a69cf 57              push    edi
805a69d0 ff572c          call    dword ptr [edi+2Ch] ; Call to DriverEntry


kd> bp 805a69d0
kd> g
Breakpoint 0 hit

805a69d0 ff572c          call    dword ptr [edi+2Ch]
Kayaker