stepping inside sysenter int2e

I agree. This is definitely possible and quite easy.

>>> xxxxx@acm.org 2006-09-12 12:37 >>>

“Jimosr” wrote in message news:xxxxx@windbg…
> Yes, it can but not over the kernel link (not to be confused with remote
> debugging over a tcp connection - which is only good for user mode) where
> you are doing the kernel debugging, meaning you can’t step from user mode
> to kernel mode on the kernel connection.
>
Sorry, you are incorrect, I have done this for years debugging a service and
the driver for the service. It absolutely has worked with no problems,
though I normally just step to the Win32 call then have a breakpoint on the
driver in question.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply


You are currently subscribed to windbg as: xxxxx@evitechnology.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
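The procedure Don describes (stop at the Win32/native call in the service, then break in the driver, instead of trying to single-step across sysenter) can be written down as a kd command sequence. The following is an added illustration, not commands posted in this thread: it assumes an x86 XP-era target over a kernel connection, and the process name `myservice.exe`, the EPROCESS address `8a1b2c30`, the driver `mydrv` with a dispatch routine `mydrv!DispatchDeviceControl`, and the syscall number 0x42 for NtDeviceIoControlFile are all placeholders to be replaced with what `!process` and `u` show on the real target.

```windbg
$$ kd session on the kernel link, target broken in (Ctrl+Break). All names are placeholders.
$$ 1. Find the service process and put the debugger into its context.
!process 0 0 myservice.exe
$$    sample output (constructed): PROCESS 8a1b2c30  SessionId: 0  Cid: 0318 ... Image: myservice.exe
.process /i 8a1b2c30
g
$$ Breaks back in with myservice.exe as the current context, so user-mode symbols now resolve.
.reload /user

$$ 2. Stop in user mode at the native call that will cross into the kernel.
$$    /p limits the breakpoint to this process (other processes calling the same stub are ignored).
bp /p 8a1b2c30 ntdll!NtDeviceIoControlFile
g
$$ The stub loads the syscall number into eax and calls through SharedUserData into
$$ ntdll!KiFastSystemCall (sysenter) or ntdll!KiIntSystemCall (int 2e on older CPUs).
u @eip L4

$$ 3. Rather than stepping the sysenter/int 2e instruction itself, break at the kernel entry
$$    and filter on the syscall number in eax (0x42 is an assumption, read it off the stub above).
bp nt!KiFastCallEntry ".if (@eax == 0x42) { .echo syscall entry } .else { gc }"
bp nt!KiSystemService ".if (@eax == 0x42) { .echo syscall entry } .else { gc }"
g

$$ 4. The breakpoint that does the real work: the driver's IOCTL dispatch routine.
bp mydrv!DispatchDeviceControl
g
kb
$$    The stack now runs from mydrv!DispatchDeviceControl through nt!IofCallDriver and
$$    nt!NtDeviceIoControlFile down to nt!KiFastCallEntry, i.e. the crossing is visible.

$$ 5. Back out to user mode: leave the driver, then catch the return into the stub.
gu
bp /p 8a1b2c30 ntdll!KiFastSystemCallRet
g

$$ Relevant to the anti-debugging discussion in this thread: attaching only a kernel debugger
$$ does not set the PEB flag that IsDebuggerPresent reads (a user-mode debugger attach does).
dt nt!_PEB BeingDebugged @$peb
```

The conditional breakpoints in step 3 are optional; `bp nt!KiFastCallEntry` without the filter fires on every system call on the machine and is only usable when you want exactly that.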

DON:

It had a very large number of problems, and I agree that SoftICE’s
heyday most definitely came to an abrupt end when it was purchased by the
pirates at CA. Nevertheless, it does allow one to do some stuff that
WinDbg makes either unreasonably inconvenient or totally impossible, and
they almost all, in my opinion, center around the user/kernel boundary.
For those of us that spend most of their time reverse
engineering/exploring, WinDbg is totally useless when there is any form
of anti-debugging technology applied (even just use of the Win32 API
checks for debuggers in some cases). Having had the serious displeasure
of having to do some RE on a certain vendor’s firewall and IDS products that
all use the same licensing engine, I can say that this is important.
That being said, this is the only time I use it, now that WinDbg supports
1394 (has for a while, I guess). Having to use a COM link in the past
was what was terminal for me.

MM

>>> xxxxx@acm.org 2006-09-12 12:40 >>>

“Tim Roberts” wrote in message news:xxxxx@windbg…
> That’s true, but it’s not nearly as clean and seamless as it was in
> SoftIce, may it rest in peace. Crossing the UM/KM boundary in SoftIce
> was just as smooth and painless as stepping into a function call.

Tim,

It may have been smooth but the number of BSODs caused by SoftIce that
I filed bugs on makes me take strong exception that it was painless. Sorry,
but back in the early days when SoftIce was worked on by good people, and
WinDbg was an unwanted child, the praise for SoftIce may have been warranted.
But in the last 4 years or more, SoftIce was a bigger piece of crap than any
other debugger I have ever encountered. GOOD RIDDANCE!!


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply



Technically, SoftICE is no more on March 1 2007, when Compuware (not sure what
you mean by CA) officially drops support.

There are patches for the current version that support hyper-threading and
current processors, though it appears that a USB mouse will crash it.

Their driver wizard and integration for VC 2005 is really nice, and DriverWorks
is fully supported on VC 2005.

I don’t think that it’s so much that Compuware did a bad job, it’s that for
SoftICE to work the way it does it has to support lots of hardware without the
benefit of manufacturer-supplied drivers, and no one (meaning us) was willing to
pay the price. The type of developers required to do this ain’t cheap. I only
have it because a device driver consultant insisted that we buy it, at 3500
per seat. With WinDbg usable and free, it’s pretty hard to compete. Also,
newly trained devs don’t care for the non-GUI interface of SI. (These comments
are not meant to be critical, just the way it is.)

The support folks I worked with there seemed to know what they were doing.
According to Compuware, what really put the nail in the coffin of DriverWorks
was the delay in Vista - they invested significant amounts of money into
supporting it only to have it changed and delayed.

On Wed, 13 Sep 2006 18:17:27 -0400, Martin O’Brien wrote

Jim Donelson

On 9/13/06, Martin O’Brien wrote:
>
> but, if you have the means and can actually still get your hands on a
> copy of SoftICE (either local or remote), you will easily be able to do
> this.

Yes, but that’s not what I wanted to do. I was looking to see if WinDbg could do
what SoftICE did or was able to do.
(Maybe some more command lines, some extra typing, a few more x blah!foo
wouldn’t have mattered to me as long as it delivered.)

Anyway, there is no point talking about something that’s almost dead and that
even while alive and kicking wasn’t performing optimally with newer-generation
OSes. The only OS it worked great on was 9x with bpx hmemcpy :) and it almost
limped along in W2K with numerous amounts of information strewn all over the
net, but come XP and it seemed more like it was working because of the whims
of hardcore fans of SICE and not because it was inherently good.
(The amount of non-official patches, tips and tricks, and gotchas that show up
if you try SICE and XP in Google leads me to say so.)

And since there seems to be nothing that’s rising on the debugger horizon
apart from WinDbg, I was wanting to get my feet and hands wet with WinDbg
(yeah, it was, like Don Burn quoted, an unwanted child so far with those who
primarily rely on debuggers for reverse-engineering).

I was wanting to understand and maybe remove that veil of the “WinDbg sucks”
chorus that emanates pretty loud if you drop some coins in the Trevi Fountains
of the underground.

Since it looks like its design goal was primarily for driver developers with
source, I think I can’t ask for anything more, and that too at the unbeatable
price that it comes for.
If it inherently supported those who muck around without source and symbols
then that would have been pretty excellent, but I guess one can’t have the
cake and eat it too.

May this thread rest in peace.

And thanks to all of you who spent time to participate in this thread.

Regards

raj_r

“Martin O’Brien” wrote in message news:xxxxx@windbg…
> For those of us that spend most of their time reverse
> engineering/exploring, WinDbg is totally useless when there is any form
> of anti-debugging technology applied (even just use of the Win32 API
> checks for debuggers in some cases). Having had the serious displeasure
> of having to some RE on a certain vendors firewall and IDS products that
> all use the same licensing engine, I can say that this is important.

Ok, when SoftICE does not help, there is a HARD ICE
http://www.arium.com/products/ecmxdpice.html

By the way, are you sure that your “RE” isn’t illegal?
The license to the software you’re using may prohibit disassembly.

–PA

PA:

Agreed. I haven’t looked at the link you sent, but I use an ECM-50
these days instead of SoftICE. There is however, just a slight
difference in price.

As far as the licensing goes, why do you think that what I am doing is
illegal?

MM

>>> xxxxx@writeme.com 2006-09-16 20:41 >>>

“Martin O’Brien” wrote in message news:xxxxx@windbg…
> As far as the licensing goes, why do you think that what I am doing is
> illegal?

Why, many software license agreements put this straight -
decompilation or disassembly prohibited.

I don’t know whether this clause applies if one doesn’t agree with the
licence and does not use the software - just decompiles it :)

Regards,
–PA

I would agree that most specify this. Actually, I would say that almost
all do. For the most part, (U.S.) courts have ruled that this means
nothing/isn’t enforceable. What I really meant, however, is that, given
there is no clear decision, why are you commenting on it, given you have
no idea of what it is I might be working on presently.

MM

>>> xxxxx@writeme.com 2006-09-23 00:10 >>>