4.2. Brief SoftIce Reference

Previous page
Table of content
Next page

4.2. Brief SoftIce Reference

This brief SoftIce reference contains most SoftIce commands. These commands are more than enough for investigating executable code.

4.2.1. Hotkeys

Controlling the Screen

  • <Ctrl>+<D> — Open or close the main SoftIce window.

  • <Ctrl>+<Alt> + arrow keys — Move the SoftIce main window over the screen with the increment equal to the character size.

  • <Ctrl>+<Alt>+<Home>— Move the main SoftIce window to the top left corner of the screen.

  • <Ctrl>+<Alt>+<End> — Move the main SoftIce window to the bottom left corner of the screen.

  • <Ctrl>+<Alt>+<PageUp> — Move the main SoftIce window to the top right corner of the screen.

  • <Ctrl>+<Alt>+<PageDn> — Move the main SoftIce window to the bottom right corner of the screen.

  • <Ctrl>+<L> — Refresh the main SoftIce window.

  • <Ctrl>+<Alt>+<C>— Place the main SoftIce window at the center of the screen.

Navigating the Main Window

  • <Alt>+<C> — Switch to the code window from the command window, and vice versa.

  • <Alt>+<D> — Switch to the data window from the command window, and vice versa.

  • <Alt>+<L> — Switch to the local variables window from the command window, and vice versa.

  • <Alt>+<R> — Switch to the registers window from the command window, and vice versa.

  • <Alt>+<W> — Switch to the watch window from the command window, and vice versa.

  • <Alt>+<S> — Switch to the stack window from the command window, and vice versa.

It is also possible to switch to any window (except for the FPU window) by clicking the required window with the left mouse button.

Navigating within Windows

  • <> — Move one line back.

  • <> — Move one line forward.

  • <> — Move one character left.

  • <> — Move one character right.

  • <PageUp> — Move one page back.

  • <PageDn> — Move one page forward.

  • <Home> — Go to the first line of code.

  • <End> — Go to the last line of code.

Controlling the Command Window

  • <Enter> — Terminate the command line and execute the command.

SoftIce remembers 32 recently-entered commands. To navigate the list of commands stored in the buffer, use the <> and <> keys. The prefix that you have already entered into the command line is taken into account. For example, if you have entered the B character, only the commands starting from that character will be displayed. If you are currently in the code window, then to view the commands buffer, use the following shortcuts: <Shift>+<> and <Shift>+<>.

When editing the command line, use the following commands:

  • <Home> — Go to the start of the command line.

  • <End> — Go to the end of the command line.

  • <Insert> — Toggle the insert/replace modes.

  • <Delete> — Delete the character to the right of the cursor and move the line fragment to the left.

  • <Bkspc> — Delete the character to the left of the cursor and move the line fragment to the left.

  • <> and <> — Move the cursor over the line.

The SoftIce debugger has the command window protocol buffer. This buffer contains all information previously output into the window. To view the content of this buffer, use <PageDn> and <PageUp>.

Functional Keys

  • <F1> — Display help (equivalent to the H command).

  • <F2> — Open/close the registers window.

  • <F3> — Toggle the source code modes.

  • <F4> — Display the screen of the application being debugged.

  • <F5> — Return to the program being debugged.

  • <F6> — Move the cursor to or from the code window.

  • <F7> — Execute the application being debugged up to the command pointed to by the cursor.

  • <F8> — Execute the current command of the application being debugged, stepping into the functions.

  • <F9> — Set a breakpoint to the current command.

  • <F10> — Execute the current command, stepping over functions.

  • <F11> — Go to the calling function of the program being debugged.

  • <F12> — Execute the function up to the exit to the calling program.

  • <Shift>+<F3> — Change the output format in the data window.

  • <Alt>+<F1> — Open/close the registers window.

  • <Alt>+<F2> — Open/close the data window.

  • <Alt>+<F3> — Open/close the code window.

  • <Alt>+<F4> — Open/close the watch window.

  • <Alt>+<F5> — Clear the content of the command window.

  • <Alt>+<F11>— Display the data located at the address stored in the first double word of the data window.

  • <Alt>+<F12> — Display the data located at the address stored in the second double word of the data window.

Note 

The complete list of debugger commands that can be obtained by pressing <F1> or by issuing the H command is large; however, it doesn't contain all available commands. The complete list of commands can be found in the Softlce Command Reference document, which can be downloaded from http://www.compuware.com and other Internet sites dedicated to the Softlce debugger. In this book, I mainly use the list displayed by the debugger when the H command is issued. These commands are more than enough for debugging code and investigating application programs.

4.2.2. SoftIce Commands

SoftIce Macrocommands

The commands described in this section can be combined into macrocommands, or macros. There are two types of macrocommands that can be used in Softlce. First, consider run-time macros. These commands can exist only within the current debugger session. After you restart the debugger, these commands will disappear. The list of commands that can be used to control these macros is as follows:

  • MACRO macro_name = "command1; command2;..." — Create or change a macro. For example, : MACRO _ap "bc *;bpx MessageBox" creates a macro named _ap.

  • MACRO macro_name * — Delete the macro with the specified name. For example, : MACRO _ap * deletes the _ap macro from the list of macros.

  • MACRO * — Delete all macros from the list.

  • MACRO macro_name — Edit the macro with the specified name.

  • MACRO — Display the list of macros.

Macros can be defined with parameters. To achieve this, the % character is used. After this character, the parameter number must be specified. The parameter number must belong to the range from one to eight. For example, the MACRO_bpx = "bpx %1;b1" command creates a macro named _bpx that accepts a single parameter. This macro sets a breakpoint to the command specified as a parameter and outputs the list of existing breakpoints. To insert characters such as " or % into the macro name, use the backslash character (\). To insert a backslash, use the (\\) sequence.

To create persistent macrocommands, use the loader32.exe program. To achieve this, use the Edit | SoftIce Initialization Settings... menu. After you choose this menu, the SoftIce settings window will appear. In this window, go to the Macro Definitions tab (see Fig. 4.4). All further actions should be intuitive. The Add and Edit buttons are used for adding and editing macros, respectively. To remove an existing macro, use the Remove button. Bear in mind that all changes introduced in the SoftIce settings window come into force only after you reload the SoftIce debugger.

image from book
Figure 4.4: The settings window for creating persistent macros

Commands for Controlling SoftIce Windows

  • Lines n — This command sets the number of lines in the debugger main window. The value of n can range from 25 to 60.

  • Width m— This command sets the width of the main window in characters. The value of m can range from 80 to 160.

  • Set font n — This command sets the size of the font used by the debugger. The n variable can take the values 1, 2, or 3.

  • Set origin x y — Using this command, it is possible to specify the values of the screen coordinates of the top left window corner.

  • Set forcepalette [on | off] — If the value of this parameter is set to on, then all changes to the system color palette are blocked.

  • Color [c1 c2 c3 c4 c5] | [reset] — This command specifies the color palette of the debugger's main window. The color reset command resets the color palette of the debugger's main window to its default state. The cl, c2, c3, c4, and c5 1-byte parameters specify the foreground and background colors for appropriate elements of the debugger's main window. The first half-byte specifies the background color, and the second half-byte sets the foreground color:

    • c1 — Main background and foreground colors

    • c2 — Background and foreground colors for output of the changed flags (in the registers window)

    • c3 — Background and foreground colors for highlighting the current command in the code window

    • c4 — Background and foreground colors in the help pane

    • c5 — Background and foreground colors for the dividing lines between windows

  • Commands for opening and closing windows:

    • WC — Code window.

    • WD— Data window. Several data windows can exist simultaneously. The number of each window can be specified after the separating dot, for example: wd.3.

    • WF — FPU window.

    • WL — Local variables window.

    • WR — Registers window.

    • WW — Watch window.

    • WS — Stack window.

    • WX — MMX registers window.

Each of the preceding commands opens the window of the corresponding type or closes the appropriate window (provided that it has already been opened). The size of the main window doesn't change, so opening a new window or closing an existing one changes the sizes of the existing windows. You can also specify the window size (the number of lines) by putting this parameter in the command. For example, the wd 30 command allocates 30 lines in the data window.

  • EC — This command switches between the command window and the code window (equivalent to the <F6> shortcut).

  • CLS — This command clears the command window (equivalent to the <Ctrl>+<F5> shortcut).

  • RS — Using this command, it is possible to temporarily hide the SoftIce window. When you press any key, the SoftIce window will be restored. The RS command is equivalent to the <F4> shortcut.

  • ALTSCR — This command is intended for redirecting the SoftIce window to an additional monitor. The command format is as follows: ALTSCR [mono|vga|off]. Parameters of this command are as follows:

    • Mono — Monochrome monitor

    • Vga — Monitor supporting video graphics array modes

    • off — Switch off the alternative monitor (default)

  • FLASH — This command is intended for restoring the screen after the T and P commands. The command format is as follows: FLASH on switches the restore mode on, and FLASH off switches the restore mode off. When executing this command without parameters, the current output mode is used.

Obtaining and Changing Information in SoftIce Windows

  • R— This command is intended for retrieving and modifying information stored in registers. The format is as follows: R[-d|reg_name|reg_name [=] value].

    • The R -d variant outputs the list of registers and their contents into the command window.

    • The R reg_name variant moves the cursor of the registers window to the register specified in the command. You can edit the register content and save the change by pressing <Enter>. It is also possible to switch to the registers window using another method, such as using the mouse, and then proceed in the same way to edit the register content.

    • The R reg_name = value variant (the = character can be omitted) loads the specified value into the specified register.

  • U — This command outputs the disassembled listing into the command window. The format of the command is as follows: U [address [L length]]. Command parameters are as follows:

    • Address — The address, from which to start the listing output. It is possible to specify the register, from which this address should be retrieved.

    • Length — The number of bytes in the listing.

When the listing length is specified, the listing will be output into the command window. If the address is specified but the length is missing, then the listing in the code window will start from the specified address. If the command is issued without parameters, the contents in the code window will be scrolled starting from the current address (the one, at which the previous listing was terminated). If the code window is missing, information output will be directed into the command window.

  • D — This command outputs the memory dump of a specific memory area. The format of this command is as follows: D[size] [address [L length]]. Command parameters are as follows:

    • Size — This parameter can take the following values: B to output information in bytes, W to output information in words, D to output information in double words, S to output information in short floating-point numbers (32-bit numbers), L to output information in long floating-point numbers (64-bit numbers), and T to output information in 10-byte blocks.

    • address — This parameter specifies the address, from which to start the dump output. It is possible to specify the register, from which this address should be retrieved.

    • Length — This parameter specifies the number of bytes for output (the listing length). By default, this value is 128.

The output is directed to the data window. If this window is missing, the dump is output into the command window.

  • E — This command is intended for editing the memory. The command format is as follows: E[size] [address [data_list]]. Command parameters are as follows:

    • Size — The meaning and value of this parameter are the same as for the D command.

    • Address — This parameter defines the address of the area to be edited.

    • Data_list — If this parameter is missing, the cursor moves to the data window, where you can directly edit a memory cell. Data passed in this parameter are placed into the memory cells starting from the specified address. The data format must correspond to the size parameter. If there are several values, they must be separated by commas.

An example of using this command is as follows: EB EBx 33, 34, 35. This command will place the values 33, 34, and 35, respectively, into three memory cells starting from the address stored in the EBX register.

  • PEEK — This command reads data directly from the physical memory. The command format is as follows: PEEK[size] address. Command parameters are listed below:

    • Size — This parameter specifies the size of the memory cell. It can take the following values: B for byte, W for word, and D for double word.

    • Address — This is the address, from which the information is read.

  • POKE — This command writes the data directly into the physical memory. The command format is as follows: POKE[size] address value. Command parameters are as follows:

    • Size — This parameter has the same meaning as the similar parameter for the PEEK command.

    • Address — This is the physical address, to which the data must be written.

    • Value — This is the value to be written to the physical memory.

  • PAGEIN — This command loads the missing page into the physical memory. The command format is as follows: PAGEIN address. The command parameter is the virtual page address.

  • WATCH — This command specifies the expression that will be traced in the watch window, for example: WATCH ds:eax. Thus, the data whose address is stored in the EAX register will be traced.

  • FORMAT — Using this command, it is possible to change the output format in the data window. This command doesn't accept any parameters. It simply changes the data window format cyclically.

  • DATA — Using this command, it is possible to create additional windows for viewing data. This command accepts a window number ranging from zero to three as a parameter.

  • A — This command allows you to enter an Assembly command at the specified address. The command format is as follows: A [address]. The address to which the Assembly command being entered will be placed, is the only parameter of this command. If the address is not specified, the current address from the code segment is used. When executing this command, the help window displays the prompt (address), after which it is possible to enter the required command.

  • S — This command allows data search. The command format is as follows:

    S [-acu] [address L length data-list]. Command parameters are as follows:

    • c — Case-insensitive search

    • u — Search in the Unicode format

    • a — Search in the ASCII format

    • Address — Starting address for the search range

    • Length — Length of the search area

    • Data_list — List of data for searching, delimited by commas or blank characters

This command is intended for searching for the required data. If the required data items are found, they will be displayed in the data window, and the command window will display an appropriate message specifying the address, at which they are located. To continue searching, enter this command without parameters. An example of data usage is as follows: S ds:eax L 2000 20. This will search for the 20h byte in the area that has the length 2000h, starting from the address stored in the EAX register.

  • F — This command is intended for filling the memory area. The command format is as follows:

    F address L length data_list. Command parameters are as follows:

    • Address — Starting address

    • Length — Length of the data area to be filled

    • Data_list — Data that will be placed starting from the required address (data items must be separated by commas or blank characters)

This command places the data specified by the data_list parameter, starting from the specified address. If the length value is greater than the data length, the data items will be repeated cyclically until they reach the length size. An example of command use is as follows: F ds:eax L 100 "W". Thus, the memory area starting at the DS:EAX address, which has the length of 100H, will be filled with w characters.

  • M — The command for moving data. The command format is as follows: M addressl L length address2. Parameter values are as follows:

    • Addressl — Address, from which the data will be moved

    • Length — Length of the data to be moved

    • Address2 — Address, to which the data will be moved

An example using this command is as follows: M ds: eax L 1000 ds:ebx. With this command, l000h bytes will be moved from the address pointed at by the EAX register to the area with the address stored in the EBX register.

  • C — This command is intended for comparing two data blocks. The command format is as follows: C addressl L length address2.

    • Addressl — Address of the first data block to be compared

    • Length — Length of the data to be compared

    • Address2 — Address of the second data block

Using this command, it is possible to compare two data blocks. If two data blocks are not equal, then the command window will display the complete addresses of these bytes and their values. An example of command use is as follows: Cds:100L10ds:200. Here, l0h bytes are compared.

  • HS — This command can be used for searching in the command buffer. The command format is as follows: HS [+|-] string. The + or - signs stand for descending (from top to bottom) and ascending (from bottom to top) search orders, respectively. After the sign, the search string is specified. To continue searching, use the command without parameters.

  • .(dot) — If the code window is visible, then this command makes the instruction specified by the CS:EIP visible and highlights it.

Commands for Controlling Breakpoints

Breakpoints are the most important mechanisms for application debugging. SoftIce assigns each breakpoint a number ranging from 0 to 255. Thus, 256 breakpoints can exist simultaneously. Breakpoint numbers can be used for controlling breakpoints: You can remove an existing breakpoint, enable it, or disable it. The total number of breakpoints for accessing memory and input/output ports must not exceed four.

Breakpoint Types

The main types of breakpoints supported by the SoftIce debugger are as follows:

  • Execution breakpoints — In this case, you can specify the command name, which SoftIce replaces with the INT 3 interrupt. If the name of this command appears in the executable code, code execution is interrupted. In particular, you can set a breakpoint to API calls.

  • Memory breakpoints — With this breakpoint, the debugger traces access to specific memory addresses.

  • Interrupt breakpoints — The debugger will trace breakpoints that take place in the operating system by modifying the interrupt descriptor table (IDT) (see Section 1.2.1).

  • Input/output breakpoints — The debugger traces all instructions for INPUT and OUTPUT.

  • Windows message breakpoints — To set such a breakpoint, it is necessary to know the descriptor of the window, to which a message must arrive.

Capabilities of Breakpoints

When working with breakpoints, it is possible to use conditional constructs. In such cases, the breakpoint will be activated only if the specified condition has been observed. In particular, using conditional constructs it is possible to specify, for which process the given breakpoint would be activated. A typical example of such a condition is as follows: if (pid == 0x058). This condition specifies that the PID must be equal to 0x058. This condition will be used constantly, because you are going to debug specific applications that are running in your operating system.

Using the do operator, it is possible to specify the commands that must be executed if a breakpoint is activated. In general, the format of this command appears as follows: do "command 1; command 2;...". As a command, it is possible to use both normal commands and macros.

When describing the commands intended for controlling breakpoints, the following designations will be used:

  • size — This parameter defines the size of the cell, to which the breakpoint will be set. The list of valid values is as follows: B for byte, W for word, and D for double word.

  • [R|W|RW|X] — This parameter specifies the type of access to the memory cell or input/output port that will be traced. Here, R designates reading from the cell (port), W is for writing to the cell (port), RW is for reading and writing to and from the cell (port), and x is for executing the command that occupies the given memory cell.

  • Reg_deb — Here, it is possible to specify, which debug register should be used (D0-D3). As a rule, this parameter is skipped, because the debugger chooses the required register on its own.

  • [IF cond] — Here, it is possible to specify, the condition that must be observed to enable the interrupt at the given breakpoint.

  • [DO comm] — Using this command, it is possible to specify a command or group of commands that will be executed in case of an interrupt at the given breakpoint.

Commands for Setting Breakpoints

  • BPM — Using this command, it is possible to set a breakpoint to a specific memory cell. The command format is as follows: BPM[size] addr [R|W|RW|X] [reg_deb] [IF cond] [DO comm]. The addr parameter specifies the cell address. The address can be specified either explicitly or using registers, for example, as follows: ds: eax.

  • BPIO — This command sets a breakpoint to the input and output to and from a specific port. The command format is as follows: BPIO [R|W|RW] [deb_reg] [IF cond] [DO comm]. The debugger will trace all commands for input and output to and from the specified port.

  • BPINT — This command is used for setting an interrupt breakpoint. The breakpoint is activated only if the interrupt is activated through the IDT. The command format is as follows: BPINT int_number [IF cond] [DO comm]. Here, int_number is the number of the interrupt being traced. When the breakpoint is activated, the first command will be the first instruction of the interrupt handler.

  • BPX — This command sets an execution breakpoint, for example, a breakpoint for execution of a specific API function. The command format is as follows: BPX name [IF cond] [DO comm]. Here, name specifies some name, for example, MessageBoxW. The BPX command without parameters sets a breakpoint to the current command. However, to set a breakpoint for the current command, it is necessary to switch to the code window of the debugger.

  • BMSG — This command is intended for setting a breakpoint to the messages arriving for the specific window in the specific range. The command format is as follows: BMSG hWnd [L] [beg_mes [end_mes]] [IF con] [DO comm]. Parameters of this commands are as follows:

    • hWnd — The window handle.

    • [L] — When this parameter is set, the message will simply be displayed in the command buffer (the command window); however, the debugger will not be activated.

    • [beg_mes] — The first message from the message range. This might be either a numeric or a symbolic designation of the required message.

    • [end_mes] — The last message from the message range (when dealing with the message range instead of a single message). If this parameter is missing, only the message specified by the beg_mes parameter will be traced.

If no messages are specified in the command, then the breakpoint is applied to all messages of the given window. The example illustrating the use of this command is as follows: BMSG 01001F WM_PAINT. This command traps the WM_PAINT message for the window with the 01001F handle.

  • BSTAT — This command outputs statistics on the given breakpoint. As a parameter for this command, specify the breakpoint number. In particular, this command will output the Popups value (the number of times this breakpoint caused the SoftIce window to pop up) and the Breaks value (the number of times the given breakpoint was activated}, among others.

Commands for Manipulating Breakpoints

  • BPE — This command is intended for editing a given breakpoint. The command accepts the breakpoint number as a parameter.

  • BPT — This command calls the template for creating a breakpoint with the specified number into the command line. The difference of this command from the previous one is that this command creates a new breakpoint instead of editing the existing one.

  • BL — This command generates the list of breakpoints, specifying the breakpoint number and the template used for creating the given breakpoint.

  • BC — This command deletes the specified breakpoint. The parameter of this command is the breakpoint number of the list of breakpoint numbers (separated by commas or blank characters). If the * character is specified as a parameter, then all breakpoints will be deleted.

  • BD — This command disables all breakpoints specified as parameters. The parameter of this command is a list of all breakpoints to be disabled (breakpoint numbers separated by commas or blank characters). To disable all breakpoints, use the * wildcard character.

  • BE — This command enables breakpoints. As a parameter, it accepts the list of breakpoints (breakpoint numbers separated by commas or blank characters) or the * wildcard character.

  • BH — This command outputs the list of breakpoints used in the current and previous debugging sessions. You can navigate this list and can choose the breakpoint that you need by pressing <Insert>. The <Enter> key is used for setting all selected breakpoints. The debugger remembers the last 32 breakpoints.

Tracing Commands

  • X — This command exits the SoftIce window and returns control to the program whose execution was interrupted by SoftIce. This command is equivalent to the <F5> hotkey or the <Ctrl>+<D> shortcut.

  • G — This command informs the debugger that it is necessary to execute the application being debugged. The command format is as follows: G [=addressl] [address2]. The command accepts the following parameters:

    • Addressl — This is the address, from which the execution must start. If this address has not been specified, then execution will start from the current address (CS:EIP).

    • Address2 — This is the terminating address for execution. If this address has not been specified, execution will continue until a breakpoint is encountered or until the SoftIce window is called.

The G command without parameters is equivalent to the X command. The G @SS:EBP command is equivalent to pressing <F11> (go to the calling function).

  • T — This command is intended for step-by-step execution of the code being debugged. The command format is as follows: T [=address] [count]. Command parameters are as follows:

    • Address — This is the starting address, from which the tracing must start. If this parameter has not been specified, then execution will start from the current command.

    • Count — This parameter specifies the number of instructions to be executed. If this parameter is missing, then only one instruction will be executed.

This command without parameters is equivalent to pressing <F8>. An example of command use is as follows: T CS:EIP - 20 10. Thus, ten instructions will be executed starting from the CS:EIP - 20 address.

  • P — This command corresponds to execution of the instruction bypassing procedures, interrupts, string commands, and loops. Without parameters, it is equivalent to pressing <F10>. If the RET (P RET) option is present, SoftIce will execute the program until the RETN/RETF instructions are encountered. Execution will stop at the point, to which the jump using these commands is carried out. Thus, this command with a parameter is equivalent to pressing <F12>.

  • HERE — This command is equivalent to pressing the <F7> hotkey. It instructs the debugger to execute the program starting from the CS:EIP address to the current location of the cursor in the code window.

  • EXIT — This command is considered obsolete. It is equivalent to the x command. It is recommended that you avoid using this command.

  • GENINT — This command passes control to the specified interrupt. The command format is as follows: GENINT [nmi | intl | int3| number]. The following parameters are accepted by this command:

    • nmi — The call to the nonmaskable interrupt

    • Intl — The call to interrupt number 1

    • Int3 — The call to interrupt number 3

    • Number — The call to the interrupt with a number ranging from 0 to 5F

This command must be used carefully. When using it, you must be sure that the handler for the specified interrupt exists; otherwise, the command would freeze the entire system.

  • HBOOT — This command resets (reboots) the entire computer system.

  • I1HERE — There are two variants of this command. I1HERE on enables the mode. In this case, the SoftIce window will be called every time the interrupt with the number 1 takes place. I1HERE off disables the mode.

  • I3HERE — This command has two variants: I3HERE on enables the mode. The SoftIce window will be called every time the interrupt with the number 3 takes place. The I3HERE off command disables the mode.

  • ZAP — This command replaces the calls to interrupts 1 and 3 with NOP instructions.

Main Informational Commands

  • GDT — This command displays the global descriptor table (GDT). The command format is as follows: GDT [selector|address]. The list of the command parameters is as follows:

    • Selector — Selector in GDT

    • Address — Segment address

If parameters are not specified, the command would display the entire GDT content.

  • IDT — This command displays the local descriptor table (LDT). The command format is as follows: IDT [selector|table_selector]. Command parameters are as follows:

    • Selector — Selector in LDT

    • Table_selector — LDT selector in GDT

If the command is issued without parameters, the entire LDT will be displayed.

  • IDT — This command displays the contents of the IDT. The command format is as follows: IDT [number|address]. Command parameters are as follows:

    • Number — Number of the interrupt, about which it is necessary to display information

    • Address — Address of the interrupt handler (selector:offset), about which it is necessary to display information

If the command is issued without parameters, the command would display the current content of the entire IDT.

  • TSS — Using this command, the debugger outputs the contents of the task state segment (TSS) into the command window. The parameter of this command is the selector in GDT, pointing to TSS. If the command is issued without a parameter, then the command will display the contents of the current TSS, whose selector is located in the task register.

  • CPU — This command displays the complete list of processor registers and their contents.

  • PCI — This command outputs the information about all PCI devices present in the system into the command window.

  • MOD — This command outputs the list of all loaded Windows modules. In the command line, it is possible to specify the first characters of the module name, in which case the command will output the list of all modules whose names start with the specified prefix.

  • HEAP32 — This command outputs the list of memory heaps created by the operating system and applications. The command format is as follows: HEAP32 [hheap|name]. The list of command parameters is as follows:

    • hheap — Handle of the heap returned by the CreateHeap function

    • Name — Task name

This command outputs the following information: the base address of the heap, the maximum size, the amount of used memory (in kilobytes), the number of segments in the heap, the heap type, and the heap owner. If command parameters are missing, the list of all heaps is displayed.

  • TASK — When this command is issued, the debugger displays the entire task list and additional information about tasks in the command window. The active heap will be marked by the * character. This command might be useful in a system malfunction, when it is necessary to determine, which task was the cause.

  • NTCALL — This command lists all system services operating at the kernel level (ring 0).

  • WMSG — This command displays the list of Windows messages and their numbers in the command window. The command format is as follows: WMSG [partial_name] [number]. Command parameters are as follows:

    • Partial_name — Full or partial name of the Windows message

    • Number — Number of the Windows message

The command without parameters outputs the list of all Windows messages known to the debugger. If the partial_name parameter is present, the debugger outputs all messages corresponding to the given fragment of the message name. If the message number is specified, then the message number and its name will be displayed.

  • PAGE — Using this command, the debugger outputs information about memory pages starting from the given virtual address. The displayed information includes virtual and physical addresses, attribute, type, and virtual size. The command format is as follows: PAGE [address] [L length]. Command parameters are as follows:

    • Address — Virtual page address

    • Length — Number of pages for output

If the command is issued without parameters, the debugger displays the list of all pages.

  • PHYS — This command displays the list of all virtual addresses corresponding to the given physical address. This command can be used only with the parameter specifying the physical address.

  • STACK — This command outputs information about the stack structure. The command format is as follows: STACK [thread | frame]. Command parameters are as follows:

    • Thread — Either the thread descriptor or the thread identifier

    • Frame — Address of the stack frame

If this command is specified without parameters, the debugger outputs information about the current stack on the basis of the SS:EBP address.

  • XFRAME — This command outputs information about the exception written into the stack (see Section 3.2.5). The command parameter is either the thread identifier or the pointer to the stack frame. If the parameter is missing, the debugger uses the current thread.

  • HWND — This command outputs information about the windows created in the system. The command format is as follows: HWND [-x] [-c] [hwnd|desktop|process|thread|modul|class]. Command parameters are as follows:

    • -x — Extended information

    • -c — Windows hierarchy

    • Hwnd — Window handle or the pointer to the window structure

    • Desktop — Desktop descriptor

    • Process — PID

    • Thread — Thread identifier

    • Module — Module name

    • Class — Name of the registered window class

If the command is issued without parameters, the debugger outputs information about all windows currently in the system.

  • class — This command outputs information about window classes. The command format is as follows: CLASS [-x] [process] [thread] [module] [class]. Command parameters are as follows:

    • -x — Extended information about window classes

    • Process — PID

    • Thread — Thread identifier

    • Module — Module identifier or name

    • Class — Name of the registered window class

If the command is issued without parameters, the debugger will output the list of all registered window classes for the current process.

  • THREAD - This command is used for obtaining information about threads. The command format is as follows: THREAD [-r|-x-u] [thread] [process]. Command parameters are as follows:

    • -r — Information about the thread registers

    • -x — Extended information about threads

    • -u — Information about user-level thread components

    • Thread — Thread identifier

    • Process — PID

  • ADDR- This command is used to output information about existing address contexts (processes) and to establish the current context. To set the current context, it is necessary to supply the command parameter representing the PID, name, or address. Also, it is possible to specify the address of the process environment block (PEB), or kernel process environment block (KPEB). If the command is issued without parameters, the debugger outputs information about all existing address contexts.

  • MAP32 — This command outputs the list of loaded 32-bit modules and additional information about these modules. The command format is as follows: MAP32 [-u|-s] [name|handle|address]. Command parameters are as follows:

    • -u — Display only modules loaded into the user-mode part of available memory

    • -s — Display only modules loaded into the part of the memory allocated for the operating system and the tools that it requires

    • Name — Module name

    • Handle — Base address of a module image

    • Address — Address that falls within the module image

If the command is issued without parameters, the debugger will output the list of all loaded 32-bit modules and additional information about those modules.

  • proc — This command is intended for obtaining information about the process. The command format is as follows: PROC [-xom] [name]. Command parameters are as follows:

    • -x — Extended information about each branch

    • -o — Extended information about each object

    • -m — Information about the object's memory use

    • Name — Name of the tasks or process, process descriptor, PID, thread name or identifier, or thread descriptor

If the object name has not been specified, then information about all processes will be displayed.

  • QUERY - This command is intended for output of the virtual memory map of the processes. The command format is as follows: QUERY [-x] [address] [name]. Command parameters are as follows:

    • -x — Names of processes (along with information about them) that occupy the specified virtual address

    • address — Virtual address

    • Name — Process name

If the command is issued without parameters, it displays the virtual memory map of the current process.

  • WHAT — This command tries to interpret the parameter specified to it. For example, if the supplied parameter is the PID, the command informs you about this. In other words, you can check the authenticity of the identifier or descriptor on your own.

  • OBJTAB — This command allows you to obtain information about the USER object table.

  • FOBJ — This command outputs information about existing file objects. Such objects are created for each opened file.

  • IRP — This command outputs information about input/output request packets.

  • FIBER — This command outputs the information about the fiber data structure. In particular, this data structure is returned by the CreateFiber() function.

Other Commands

  • PAUSE — This command sets two modes for viewing information in the command window. The PAUSE on mode is the default one, in which the information is displayed in portions, and the next portion of data appears only after the user presses any key. The PAUSE off mode corresponds to continuous information output.

  • ? — This command computes the expression value, for example, ? 34 + 90*2. The debugger simultaneously outputs the result in hex and decimal formats, as well as in the ASCII format.

  • OPTNFO — This command allows you to obtain information about a specific processor instruction. For example, if you issue the OPINFO add command, the main information about the ADD processor instruction will be displayed on the screen (Listing 4.2).

    Listing 4.2: Information about the ADD processor instruction displayed by the OPINFO command

    image from book 

     ADD      Integer addition: DEST <- DEST + SRC      EFLAGS | OF DF IF SF ZF AF PF CF TF NT RF |             | M        M  M  M  M  M           |

    image from book

  • ALTKEY — This command replaces the keyboard combination used for activating the SoftIce debugger. By default, the <Ctrl>+<D> shortcut is used. If this command is issued without parameters, then SoftIce will display the current combination in the command window, for example, ALTKEY Alt P or ALTKEY ctrl z. In this case, the SoftIce window will be activated by <Alt>+<P> or <Ctrl>+<Z>, respectively.

Operators

The SoftIce debugger environment allows you to use expressions in commands and breakpoint definitions. Expressions are built using operators. Consider the list of operators used by the debugger.

Addressing Operators

  • . — If the code window is visible, this command makes the instruction located at CS:EIP visible, and highlights it. The dot operator can be used in expressions.

  • * — This operator is used for specifying the address, to which the given expression points. For example, *(EAX) designates the contents of the memory pointed to by the EAX register.

  • -> — Using this operator, as well as using the asterisk operator, it is possible to obtain the memory contents located at the address pointed to by the given expression. For example, if you know the address of the window procedure, which can be obtained using the HWND command, then it is possible to set the following breakpoint at the WM PAINT message: BPX 65DFE003 IF (ESP -> 8) == WM PAINT.

  • @ - This operator is equivalent to the asterisk operator.

Arithmetic Operators

  • Unary and binary plus (+) operators, for example, +100 or EBx + EST

  • Unary and binary minus (-) operators, for example, -100 or EAx - 8

  • Binary multiplication (*) operator, for example, EBx*4

  • Binary division (/) operator, for example, (EAX + EBx) /2

  • Binary modulo (%) operator, for example, EBx % 3

  • Logical left shift operator (<<)

  • Logical right shift operator (>>)

Bitwise Operators

  • Bitwise AND operator (&)

  • Bitwise or operator (|)

  • Bitwise exclusive OR operator (^)

  • Bitwise negation or NOT operator (~)

Logical Operators

  • Logical NOT (!), for example, ! EBx

  • Logical AND (&&), for example, EAX && EBX

  • Logical OR (||), for example, EAX || FF

  • Equality condition (==)

  • Inequality condition (!=)

  • Less than (<)

  • Greater than (>)

  • Less than or equal to (<=)

  • Greater than or equal to (>=)

Built-in SoftIce Functions

The disassembler provides a range of built-in functions. The main built-in functions are briefly outlined here:

  • Byte — Return the least significant byte of the expression.

  • Word — Return the least significant word of the expression.

  • Dword — Return a double word (extend a byte or a word to a double word).

  • HiByte — Return the most significant byte (or a word or a double word).

  • Hiword — Return the most significant word.

  • Sword — Convert a byte into a signed word.

  • Long — Convert a byte or a word into a long integer.

  • wstr — Display the string in the Unicode format.

  • Flat — Convert the address with a selector (logical address) into the linear address of the flat memory model.

The current contents of the registers can be found using the functions with names corresponding to the names of appropriate registers, for example, EAX, EBX, and EDX.

  • CFL — Return the carry flag's value.

  • PFL— Return the parity flag's value.

  • AEL — Return the auxiliary flag's value.

  • ZEL — Return the zero flag's value.

  • SEL — Return the sign flag's value.

  • OEL — Return the overflow flag's value.

  • RFL — Return the resume flag's value.

  • TEL — Return the trace flag's value.

  • DFL — Return the direction flag's value.

  • TEL — Return the interrupt flag's value.

  • NTFL — Return the nested task flag's value.

  • IOPL — Return the input/output privilege level flag's value.

  • VMFL — Return the virtual machine flag's value.

  • IRQL — Return the interrupt request level flag's value.

  • DataAddr — Return the initial address of the data block displayed in the data window.

  • CodeAddr —Return the address of the first instruction displayed in the code window.

  • Eaddr — Return the effective address of the current instruction, if one is present.

  • Evalue — Return the value located at the current effective address.

  • Process — Return the kernel-mode PEB of the currently active process.

  • Thread — Return the kernel-mode thread environment block of the currently active thread.

  • PID — Return the identifier of the currently active process.

  • TID — Return the identifier of the currently active thread.

  • BPCount — Return the number of times that the breakpoint has been activated, for which the value of the conditional expression was TRUE.

  • BPTotal — Return the total number of times the breakpoint has been evaluated.

  • BPMiss — Return the number of times the breakpoint has been triggered, for which the conditional expression hasn't been satisfied (and the Softlce window hasn't been activated).

  • BPLog — Silently save into the buffer information about the number of times the breakpoint has been evaluated.

  • BPIndex — Return the number of the current breakpoint in the list of breakpoints.

If the number of any function is preceded by the underscore character, then the disassembler computes the current function value and uses it in further computations: _ PID,_TID,_EAX, etc.



Previous page
Table of content
Next page
Disassembling Code. IDA Pro and SoftICE
Disassembling Code: IDA Pro and SoftICE
ISBN: 1931769516
EAN: 2147483647
Year: 2006
Pages: 63
Authors: Vlad Pirogov
BUY ON AMAZON
MySQL Stored Procedure Programming
GO! with Microsoft Office 2003 Brief (2nd Edition)
Microsoft VBScript Professional Projects
Oracle SQL*Plus: The Definitive Guide (Definitive Guides)
Telecommunications Essentials, Second Edition: The Complete Global Source (2nd Edition)
Comparing, Designing, and Deploying VPNs
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy