Hi, All!
How does a system debugger like SoftICE or WinDbg work?
Thanks for your help!
Crasher
guodongzi@163.net
2001-12-28
SoftICE - by adding hacks, patches and breakpoints to the kernel.
WinDbg uses native KD which was embedded in the kernel by Microsoft.
Max
----- Original Message -----
From: “Crasher”
To: “NT Developers Interest List”
Sent: Friday, December 28, 2001 5:27 PM
Subject: [ntdev] How system debuger works?
—
You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com
Actually, we don’t really add our stuff to the kernel - we rather interpose
ourselves between the kernel and the hardware. We do much of our stuff at
hardware level, most of the time we talk directly to the iron. When you type
ctrl-D, we ARE the kernel, give or take a few.
And not much that we do deserves that “hack” title! SoftICE is rather a
high-quality machine that works with clockwork precision. That level of
precision and quality is necessary to reliably run single-machine debugging.
Also remember that SoftICE works in real mode too, and also in Win9x, and it
can easily and routinely cross the real/protected mode boundary: that’s one
more reason for us to be as independent of the OS kernel as possible.
SoftICE occupies more or less the same structural level as VMWare does, it
sits between the hardware and the OS. In fact, it shouldn’t be that hard to
turn it into a virtual memory operating system! We already handle most of
the hardware on our own anyway.
Doing breakpoints is relatively simple: one replaces the target machine
instruction with an int 1 or int 3, and redirects the ISR to the debugger.
Upon exit from the debugger, one executes the frigged instruction. Actually,
one could use just about any interrupt vector, but both int 1 and int 3 are
one-instruction interrupts, which makes the hooking simpler. One could also
use the debug registers, but then you’d be limited in the number of
breakpoints you could handle.
Alberto.
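The breakpoint mechanics Alberto describes (save the original byte, plant an INT 3, on the trap put the original instruction back, single-step it under INT 1, then re-arm) and the four-slot limit of the debug registers, written out as an added example. This is not SoftICE code and not from the original thread: the debuggee's memory is a constructed byte array, and the INT 3 / INT 1 entry points are called by hand instead of from real interrupt handlers, so it runs on any host. The 0xCC opcode, the "rip points past the INT 3" behaviour and the DR7 bit layout are real x86; the struct, function names and sample bytes are illustrative.

```c
/* Added example, not from the original thread or from SoftICE. Models the
 * bookkeeping a single-machine debugger does for software (INT 3) and
 * hardware (DR0-DR3) breakpoints. Target memory is a plain byte array. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define INT3_OPCODE 0xCC
#define MAX_SW_BP   64   /* arbitrary: software breakpoints are bounded only by memory */
#define NUM_DR      4    /* x86 has exactly DR0..DR3 */

/* DR7 R/W condition and LEN encodings (Intel SDM). */
enum bp_rw  { BP_EXEC = 0, BP_WRITE = 1, BP_IO = 2, BP_RDWR = 3 };
enum bp_len { LEN_1 = 0, LEN_2 = 1, LEN_8 = 2, LEN_4 = 3 };

struct sw_bp { uint32_t addr; uint8_t saved; bool armed; };

struct debugger {
    uint8_t *mem;            /* constructed: stands in for the debuggee's memory */
    size_t   mem_len;
    struct sw_bp sw[MAX_SW_BP];
    int      sw_count;
    int      step_rearm;     /* sw bp index to re-insert after the single-step, or -1 */
    bool     trap_flag;      /* EFLAGS.TF we asked the CPU to set for the single-step */
    uint32_t dr[NUM_DR];     /* DR0..DR3 linear addresses */
    uint32_t dr7;
    int      hw_count;
};

void dbg_init(struct debugger *d, uint8_t *mem, size_t len) {
    memset(d, 0, sizeof *d);
    d->mem = mem; d->mem_len = len; d->step_rearm = -1;
}

/* Software breakpoint: save the original byte, overwrite it with INT 3. */
int sw_bp_set(struct debugger *d, uint32_t addr) {
    if (addr >= d->mem_len || d->sw_count == MAX_SW_BP) return -1;
    struct sw_bp *b = &d->sw[d->sw_count];
    b->addr = addr; b->saved = d->mem[addr]; b->armed = true;
    d->mem[addr] = INT3_OPCODE;
    return d->sw_count++;
}

/* INT 3 handler. The CPU pushed the address *after* the 1-byte INT 3, so our
 * breakpoint is at rip-1. Restore the byte, rewind rip, and request a
 * single-step so the original instruction executes before we re-arm.
 * Returns the rip to resume at, or -1 if this INT 3 is not one of ours. */
int64_t on_int3(struct debugger *d, uint32_t rip) {
    uint32_t addr = rip - 1;
    for (int i = 0; i < d->sw_count; i++) {
        struct sw_bp *b = &d->sw[i];
        if (b->armed && b->addr == addr) {
            d->mem[addr] = b->saved;   /* put the "frigged" instruction back */
            b->armed = false;
            d->step_rearm = i;
            d->trap_flag = true;       /* INT 1 fires after one instruction */
            return addr;
        }
    }
    return -1;
}

/* INT 1 (single-step) handler: re-insert the INT 3 and clear TF. */
void on_int1(struct debugger *d) {
    if (d->step_rearm >= 0) {
        struct sw_bp *b = &d->sw[d->step_rearm];
        d->mem[b->addr] = INT3_OPCODE;
        b->armed = true;
        d->step_rearm = -1;
    }
    d->trap_flag = false;
}

/* Hardware breakpoint: program DRn and its DR7 fields. Local-enable for slot
 * n is bit 2n, R/W is bits 16+4n..17+4n, LEN is bits 18+4n..19+4n. Only four
 * slots exist, which is the limit the thread mentions; data (write or
 * read/write) breakpoints need these, since INT 3 only catches execution. */
int hw_bp_set(struct debugger *d, uint32_t addr, enum bp_rw rw, enum bp_len len) {
    if (d->hw_count == NUM_DR) return -1;
    int n = d->hw_count++;
    d->dr[n] = addr;
    d->dr7 &= ~((3u << (16 + 4 * n)) | (3u << (18 + 4 * n)));
    d->dr7 |= (1u << (2 * n)) | ((uint32_t)rw << (16 + 4 * n)) | ((uint32_t)len << (18 + 4 * n));
    return n;
}

int main(void) {
    uint8_t code[16] = { 0x55, 0x89, 0xE5, 0xC3 }; /* constructed: push ebp; mov ebp,esp; ret */
    struct debugger d; dbg_init(&d, code, sizeof code);
    sw_bp_set(&d, 1);
    printf("planted: byte[1]=%02X\n", code[1]);
    int64_t rip = on_int3(&d, 2);                  /* CPU trapped with rip = 2 */
    printf("resume at %lld, byte[1]=%02X, TF=%d\n", (long long)rip, code[1], d.trap_flag);
    on_int1(&d);
    printf("re-armed: byte[1]=%02X\n", code[1]);
    hw_bp_set(&d, 0x1000, BP_WRITE, LEN_4);
    printf("DR7=%08X\n", d.dr7);
    return 0;
}
```

The int64_t return from on_int3 lets the handler distinguish "not our breakpoint" (the debuggee's own INT 3, which must be passed on) from a resume address of 0; a real handler would also have to cope with the debuggee reading its own code and seeing 0xCC, which is why SoftICE-style debuggers keep the saved-byte table and hide the patch on reads.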
-----Original Message-----
From: Maxim S. Shatskih [mailto:xxxxx@storagecraft.com]
Sent: Friday, December 28, 2001 1:42 PM
To: NT Developers Interest List
Subject: [ntdev] Re: How system debuger works?
> Also remember that SoftICE works in real mode too, and also in Win9x, and it
Surely, I used it for DOS/Win3.1 as early as '92. The ability to step from DOS in the VM box into the Windows VMM 32-bit trap handler was amazing!
Can SI do the same for NTVDM?
I have some friends on the web who are very interested in NTVDM hacking (nothing illegal, just patching old DOS games to be compatible with NT - sometimes patching the DOS EXE, sometimes writing a VDD), and WinDbg is not so suitable for such a task.
For instance, they want to install a #GP handler for a VM - NTVDM has no documented way for this, contrary to the Windows VMM.
Surely the NT kernel gets control in case of #GP in the VM - but then it will return to 32-bit flat mode code in NTVDM, and then NTVDM must have some way of switching back to V86 mode, which is impossible without the help of the NT kernel.
> SoftICE occupies more or less the same structural level as VMWare does, it
> sits between the hardware and the OS.
Does VMWare use the native CPU to execute the opcodes, or is it pure emulation?
If it uses the native CPU - how do they deal with paged virtual memory then?
Can the VMWare app itself ask for physical pages from the OS? No OS except DOS+VCPI will provide physical pages to user apps.
If it cannot - then how do they set up the page tables for the OS running under them?
> use the debug registers, but then you’d be limited in the number of
> breakpoints you could handle.
Yes, but it looks like they are necessary for data breakpoints.
In the early 90s, I heard of a team in Moscow who were breaking copy protections.
They used the Periscope debugger with a card, till the 386 appeared with data breakpoints.
Max
Strange — how things change. When I started in this industry “to hack” was
an honored title … it meant the ability to do things with light panes and
card chaff not many others could. It was an honor “to hack”.
Gary
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Moreira, Alberto
Sent: Friday, December 28, 2001 11:54 AM
To: NT Developers Interest List
Subject: [ntdev] Re: How system debuger works?
> Strange — how things change. When I started in this industry “to hack” was
> an honored title … it meant the ability to do things with light panes and
> card chaff not many others could. It was an honor “to hack”.
Maybe this is due to the DOS legacy. DOS provided no way to do many tasks except hacking and patching.
From what I know of UNIXen, that world does not like such patching, like replacing code bytes with a JMP.
Max