IceExt documentation is not available at the moment because of the recent project
redesign. Below is the ring-0 tracer documentation from Godness.
Sten
------------------------ e X T r e m e - t R a C e r ------------------------
-= version 0.04 beta =-
-= tutorial =-
The eXTreme tRaCer engine is an additional set of commands for the IceExt plugin under
SoftIce. These are "!trace", "!trcinit" and "!trccode", with which you can execute
step-by-step code tracing while checking the conditions you specify.
So, how to use this stuff:
!TRCINIT
First, initialize the tracer with the "!trcinit" command. As a parameter, this
command takes the condition at which the tracer will stop. Currently, a condition
can use:
- all register names (eax, bx, dl, etc.);
- comparison signs (<, >, >=, etc.);
- the logic operators || and &&;
- brackets, which set the evaluation order;
- pointers: *(dword *), *(word *), *(byte *);
- strings on the right side of a condition: 'some_string';
- symbol names loaded in SoftIce.
For example,
!trcinit (eax == 5 && (ebx >= 0x6 || ecx != edx)) || al < ah && ecx == 7
The condition parser is case-insensitive. You can also save space on the short
SoftIce command line by not using spaces.
For example,
!trcinit (EaX==5&&(eBx>=0x6||ECX!=edx))||al<AH&&ecx==7
Though you can use brackets to set the evaluation order, remember that when no
brackets are used, operator priority is the same as in C, i.e. the "&&" operation
has higher priority than the "||" operation.
For example,
!trcinit eax != ebx && *ecx == 'MZ' || dl == 5 && esi >= MessageBoxA
is equivalent to
!trcinit (eax != ebx && *ecx == 'MZ') || (dl == 5 && esi >= MessageBoxA)
The condition parser treats all numbers as hexadecimal.
Pointers work as in the C language. Here are some possible examples:
*eax == 'some_string'
*esi == 0CD,2E
*eax == 1,2,'some_string',0D,0A,'some_other_string',0,20,20
*eax == *eax
**(byte **)eax == al
**(word **)eax != *(word *)ebx
dl != ***ecx
*00401000 == *edx
*00402000 == MessageBoxA
In the condition !trcinit *eax == dl the right part of the expression is expanded
to type dword. If you want to compare directly with the dl register you need to
cast the types, like this:
*(byte *)eax == dl
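As an added illustration (not IceExt's own code, which compiles the condition into native code called from the int1 handler), here is a Python model of the condition language described above: a tokenizer and a recursive-descent compiler that turns a !trcinit condition into a closure evaluated against a constructed machine snapshot. It follows the documented rules: case-insensitive names, every number hexadecimal, "&&" binding tighter than "||", brackets overriding that, C-style pointer casts where only a fully dereferenced cast narrows the read width, byte lists and strings compared byte for byte with memory, and a register on the right of *eax widened to a dword. The snapshot layout (regs/mem/syms dicts), the make_state helper and the SUBREGS table are assumptions of this example, not part of the plugin.

```python
import operator
import re

# Added example, not IceExt code: compiles a !trcinit-style condition into a closure that is
# evaluated against a constructed machine snapshot {"regs": ..., "mem": ..., "syms": ...}.
WIDTH = {"dword": 4, "word": 2, "byte": 1}
REGS32 = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp", "eip")
SUBREGS = {}                                   # 8/16-bit views: name -> (parent, shift, mask)
for r in "abcd":
    SUBREGS.update({r + "l": (f"e{r}x", 0, 0xFF), r + "h": (f"e{r}x", 8, 0xFF), r + "x": (f"e{r}x", 0, 0xFFFF)})
CMP = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}
TOKEN_RE = re.compile(r"\s*(?:(?P<op>\|\||&&|==|!=|<=|>=|<|>)|(?P<punct>[*(),])|'(?P<str>[^']*)'"
                      r"|(?P<word>[A-Za-z_]\w*)|(?P<hex>(?:0[xX])?[0-9A-Fa-f]+))")

def tokenize(text):
    toks, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m: raise SyntaxError(f"unexpected input at {text[pos:]!r}")
        pos = m.end()
        toks.append((m.lastgroup, m.group(m.lastgroup)))
    return toks

class Compiler:
    """Recursive descent; && binds tighter than ||, as in C, and brackets override that."""
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def peek(self, kind):
        return self.toks[self.i][1] if self.i < len(self.toks) and self.toks[self.i][0] == kind else None
    def take(self, value=None):
        tok = self.toks[self.i] if self.i < len(self.toks) else (None, None)
        if value is not None and tok[1] != value: raise SyntaxError(f"expected {value!r}, got {tok[1]!r}")
        self.i += 1
        return tok
    def compile(self):
        f = self.or_expr()
        if self.i != len(self.toks): raise SyntaxError(f"unparsed input from token {self.i}")
        return f
    def or_expr(self):
        terms = [self.and_expr()]
        while self.peek("op") == "||":
            self.take(); terms.append(self.and_expr())
        return lambda st: any(t(st) for t in terms)
    def and_expr(self):
        terms = [self.primary()]
        while self.peek("op") == "&&":
            self.take(); terms.append(self.primary())
        return lambda st: all(t(st) for t in terms)
    def primary(self):
        if self.peek("punct") == "(":             # bracketed sub-condition
            self.take(); f = self.or_expr(); self.take(")"); return f
        left, op = self.value(), self.peek("op")
        if op not in CMP: raise SyntaxError(f"comparison operator expected, got {op!r}")
        self.take()
        items = [self.value()]
        while self.peek("punct") == ",":          # byte list such as 0CD,2E or 1,'MZ',0
            self.take(); items.append(self.value())
        return make_compare(left, CMP[op], items)
    def value(self):
        stars, width = 0, 4                       # dword unless a cast says otherwise
        while self.peek("punct") == "*":
            self.take(); stars += 1
        if stars and self.peek("punct") == "(":   # C cast such as (byte *) or (word **)
            self.take(); base, cast_stars = WIDTH[self.take()[1].lower()], 0
            while self.peek("punct") == "*":
                self.take(); cast_stars += 1
            self.take(")")
            width = base if cast_stars == stars else 4   # fully dereferenced -> base width
        node = self.atom()
        for level in range(stars):                # inner reads fetch pointers, i.e. dwords
            node = ("deref", node, width if level == stars - 1 else 4)
        return node
    def atom(self):
        kind, v = self.take()
        if kind == "str": return ("bytes", v.encode("latin-1"))
        if kind == "hex": return ("int", int(v, 16))           # every number is hexadecimal
        if kind == "word":                                      # case-insensitive register or symbol
            v = v.lower()
            return ("reg", v) if v in REGS32 or v in SUBREGS else ("sym", v)
        raise SyntaxError(f"operand expected, got {v!r}")

def read_mem(st, addr, n):
    return bytes(st["mem"].get(addr + i, 0) for i in range(n))   # unmapped bytes read as 0

def evaluate(node, st):
    kind, arg = node[0], node[1]
    if kind in ("int", "bytes"): return arg
    if kind == "reg":
        parent, shift, mask = SUBREGS.get(arg, (arg, 0, 0xFFFFFFFF))
        return (st["regs"][parent] >> shift) & mask
    if kind == "sym": return st["syms"][arg]      # a symbol name SoftIce has loaded
    return int.from_bytes(read_mem(st, evaluate(arg, st), node[2]), "little")

def make_compare(left, cmp, items):
    if len(items) > 1 or items[0][0] == "bytes":
        # Byte-sequence literal (numbers are single bytes, strings raw characters), compared byte
        # for byte with memory at the dereferenced address on the left.
        if left[0] != "deref" or any(it[0] not in ("int", "bytes") for it in items):
            raise SyntaxError("byte sequence needs *pointer on the left and literals on the right")
        lit = b"".join(it[1] if it[0] == "bytes" else bytes([it[1] & 0xFF]) for it in items)
        return lambda st: cmp(read_mem(st, evaluate(left[1], st), len(lit)), lit)
    return lambda st: cmp(evaluate(left, st), evaluate(items[0], st))  # right side widened to dword

def make_state(regs, mem=None, syms=None):
    """Constructed snapshot: regs by name, mem as {start address: bytes}, syms by name."""
    flat = {base + i: b for base, data in (mem or {}).items() for i, b in enumerate(data)}
    return {"regs": {**dict.fromkeys(REGS32, 0), **regs}, "mem": flat,
            "syms": {k.lower(): v for k, v in (syms or {}).items()}}
```

Compiler("*(byte *)eax == dl").compile() returns a function; call it with a snapshot from make_state(...) and it returns True when the tracer would stop. Memory here is sparse, so an unmapped byte reads as zero instead of faulting, which is the one place this model is more forgiving than a real ring-0 read.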
!TRACE
Well, now you should start tracing with the "!trace count [eip_when_P]"
command. The first parameter of this command is the number of instructions to
trace. The second parameter (optional) is the address at or above which the
tracer will execute the SoftIce "P" command.
If no second parameter is given, the tracer keeps tracing at any address it
meets.
For example,
!trace 10000 0x77000000
or
!trace 10000 MessageBoxA
When a stop happens, the tracer shows the number of traced commands in decimal
format.
The sequence of checks is the following:
- the condition you set is checked (on "yes" the stop happens)
- then the number of traced commands is checked the same way
- then the current value of eip is checked to decide whether to execute "P"
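The check order above as an added Python sketch (not the plugin's code; the real loop runs inside the int1 handler and hands "P" to SoftIce). It takes any cond(state) callable in place of the compiled !trcinit condition and a constructed list of per-instruction snapshots, so the stop reason depends only on the order of the three checks: a condition met on the same instruction as the count limit reports "condition", and an instruction at or above eip_when_P is handed to "P" only after both earlier checks pass. The snapshot keys and the STREAM data are assumptions of the example.

```python
def trace(cond, states, count, eip_when_p=None):
    """Model of "!trace count [eip_when_P]" (added example, not IceExt code).
    cond(state) -> bool stands for the compiled !trcinit condition; states is one
    constructed snapshot per traced instruction. Returns (stop reason, number of
    instructions traced, list of eip values that would have been handed to "P")."""
    traced, stepped_over = 0, []
    for st in states:
        traced += 1                                   # a "P" step-over counts as one instruction too
        if cond(st):                                  # 1. the user's condition
            return "condition", traced, stepped_over
        if traced >= count:                           # 2. the instruction count
            return "count", traced, stepped_over
        if eip_when_p is not None and st["eip"] >= eip_when_p:
            stepped_over.append(st["eip"])            # 3. eip at/above the P address: SoftIce runs "P"
    return "end of stream", traced, stepped_over

# Constructed stream (values invented for the example): eip steps by 4 through code at
# 0x401000, ecx counts the instructions, and the fifth step lands in a routine at a high address.
STREAM = ([{"eip": 0x401000 + 4 * i, "ecx": i} for i in range(1, 5)]
          + [{"eip": 0x77D5050B, "ecx": 5}]
          + [{"eip": 0x401014 + 4 * i, "ecx": 6 + i} for i in range(3)])

def demo():
    """Stop outcomes for a few !trace invocations over STREAM."""
    def ecx_is_3(st):
        return st["ecx"] == 3
    return {
        "condition before count": trace(ecx_is_3, STREAM, 3)[:2],            # both fire at step 3
        "count only": trace(lambda st: False, STREAM, 2)[:2],
        "P address honoured": trace(lambda st: False, STREAM, 10000, 0x77000000),
        "condition before P": trace(lambda st: st["ecx"] == 5, STREAM, 10000, 0x77000000),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```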
!TRCCODE
This command was created merely for debugging. The "!trcinit" command compiles
the condition you enter directly into executable code, which is called at the
beginning of the int1 handler. With the "!trccode" command you can see the
compiled code.
If you write a condition which (and you are sure about it) must necessarily be
met by the tracer, and the tracer does not stop at it at all, it means the
condition you entered was compiled incorrectly. In this case please let me know
about it at godness@omen.ru
And now some general things should be noted:
- Even if you write a wrong tracing condition, the minimal code needed for normal
tracer functioning is compiled. Therefore, you can start the tracer WITH ANY
CONDITION.
- At present, "P" commands are executed by SoftIce, not by the tracer, so the
corresponding records for the traced procedure are added to the SoftIce log. As
a simple experiment revealed, executing "P" slows down the overall trace by 30
times.
- Generally, using the "P" command is not recommended (it is left only as a
special feature), since if the function does not return, SoftIce will lose
control over the code, and accordingly so will the tracer.
- The tracer counts a "P" command execution as one traced instruction.
- If you do not want to wait for the tracer to finish its job you can stop it as
follows: press Ctrl-D, SoftIce will pop up on the screen, and then simply type
"!trace 1" to stop trace mode.
-----------------------------------------------------------------------------
Send any ideas and wishes to me at godness@omen.ru or to Sten at stenri@pisem.net
Credits
=======
Thanks to Sten for things which he has explained to me... :)
------------------------ e X T r e m e - t R a C e r ------------------------
Copyright (c) 2005-2006 Godness