
Any info on the Softice SIWTR command?


Kayaker
September 3rd, 2002, 06:56
There's a Softice command that has very little information about it - SIWTR. It seems to be a Trace Buffer that you can turn on and off. The SI command line help is little use:

:h siwtr
ce buffer (don't know why it's called this in the status bar)
SIWTR [name | handle] [ON | OFF]
ex: SIWTR tb-name ON

:siwtr
Handle Name State
0000: SIW95 ON
----------------

At the beginning of the procedure handling the SIWTR command in winice.exe are 3 error strings which give a little more information about the command:

:C00B0364 aOnlyNamedTraceBuffersCanBeTurnedOnOff db 'Only named trace buffers can be turned on/off',0
:C00B0394 aInvalidTraceBufferHandleX db 'Invalid trace buffer handle: %x',0
:C00B03B4 aErrorDisplayingTraceBuffer db 'error displaying trace buffer',0
...
:C00B03D2 sub_0_C00B03D2 ; Beginning of main SIWTR procedure

Within the long routine are potential calls to other error strings defined at the end of the proc:

:C00B060C aHandleNameState db 'Handle',9,'Name',9,'State',0
:C00B0620 aBufferHandleXIsNotInUse db 'buffer handle: %x, is not in use',0
:C00B0644 aInvalidTraceBufferParameterS db 'Invalid trace buffer parameter: %s',0
:C00B0668 aUnexpectedParameterS db 'unexpected parameter: %s',0
:C00B0684 aExpectingOnOffNotS db 'expecting on/off, not %s',0
:C00B06A0 aUnknownOptionS db 'unknown option: %s',0
:C00B06B8 aSystemMemoryAllocatedForSBase0xXSizeDk db 'System Memory allocated for %s: base=0x%x, size=%dk',0
:C00B06F0 aScopeTableInaccessible db 9,'(scope table inaccessible)',0
---------------------------------------------

There are the backtrace and the history buffers, defined in winice.dat, and likely several internal ones, but I can't figure what this one might be used for. Turning the state of the buffer called "SIW95" ON or OFF doesn't seem to affect the behavior of the Backtrace buffer or its trace mode, breakpoints and tracing remain normal, I'm not sure what else to check.

This may be a remnant of an earlier version of SI, or some debugging function or something, but I've been able to find no references whatsoever about it. It's likely one of these virtually undocumented Softice commands, but I just thought someone may have come upon it before or has any ideas what it might refer to.

Thanks,
Kayaker

[yAtEs]
September 3rd, 2002, 11:13
http://www.woodmann.net/IDArchive/ID-RIP/database/essays/lordsoth/SI-adv.htm

this sprung to mind, although you've probably seen it and
there doesn't appear to be any mention of that command
at a quick glance.

UrgeOverKill
October 4th, 2002, 20:33
Kayaker, what ver are you using ?

disavowed
October 4th, 2002, 21:19
Quote:
Originally posted by [yAtEs]
http://www.woodmann.net/IDArchive/ID-RIP/database/essays/lordsoth/SI-adv.htm

why is the charset for that in hebrew?

hobgoblin
October 4th, 2002, 22:12
I think Lord Soth speaks Hebrew...

hobgoblin

Kayaker
October 5th, 2002, 04:29
Interesting use of View html Source disavowed...

I'm using v4.05(334) on Win98SE UrgeOverKill, though the SIWTR command exists in winice.exe seemingly unchanged at least as far back as v3.25. I'm not sure about the newer DriverStudio versions since I don't use them, maybe someone could type in 'SIWTR' and see what is spit back. It's rather tantalizing to read the strings and think there's a Softice function you can allocate a base and size for in system memory and define a named trace buffer. And what the heck is a Scope Table? I've been meaning to enable breakpoints within Softice and do some live tracing of this function but haven't got around to it yet, though you've spurred my curiosity again.

I've discussed before an easy trick for finding *any* function in Softice using IDA (Debugs debugger's int handler thread with Dion in the TOT forum), but I'll mention it again for interest's sake. It's based on the old BCHK Boundschecker interface built into SI. Every command you type into the SI window goes through a central jump table, even if the command itself isn't supported by the 'BCHK' set of instructions (by my count by analyzing the bitmask string, only 38 of them are).

Each SI command is defined in winice.exe as a null terminated ascii string, followed by an Index value. This index value is compared in a BT (bit test) instruction, ones which match the bitmask test are allowed via the BCHK command, and the index value is then used as an index into a jump table which leads to the function call itself. Ones which don't, go elsewhere but the jump table can still be used to find *any* of the Softice functions. The bitmask string itself is hardcoded into winice and can be found by searching for the dwords immediately after "BCHKWPV.table r".


As a general example, if you search for 'SIWTR' in winice.exe or with IDA you will find the ascii string and its Index value (82h) used in the BT test:

:C00232D8 db 53h ; S
:C00232D9 db 49h ; I
:C00232DA db 57h ; W
:C00232DB db 54h ; T
:C00232DC db 52h ; R
:C00232DD db 0 ;
:C00232DE db 82h

The Index value is stored in EDX and used in the BT instruction:

====================================
C00813FD BT DS: DWORD_C0081B07, EDX ; check byte against bitmask
C0081404 jb short loc_C0081412
C0081406 mov esi, offset aInvalidCommand ; "Invalid command"
C008140B call sub_C00818F5
C0081410 jmp short loc_C008141B

C0081412 push ebp
C0081413 call ds: off_C0022DC7[edx*4] ; jumps to *every* Softice command
====================================

Now, small digression. The addresses above are for v4.05(334), but if you search in IDA for every instance of mov esi, offset aInvalidCommand (should only be a few), you should find the BT instruction and the jump table call instruction for any version of Softice.


Now the next step is calculating the jump table call address using the appropriate Index value for whatever Softice ascii command you are interested in finding the code for. This is quite simple...

i.e. SIWTR Index value == 82h == EDX

C0081413 call ds: off_C0022DC7[edx*4]

(C0022DC7 [edx*4] == C0022DC7 + (82h*4) == C0022FCF)

:C0022FCF dd offset sub_0_C002A222 ; SIWTR

which leads to

:C002A222 mov esi, offset dword_0_C002142F
; esi is now the string instruction (i.e. "SIWTR") you typed into the command line window
:C002A227 call sub_0_C001F612 ; string parsing routine
:C002A22C push esi
:C002A22D call sub_0_C00B03D2 ; main SIWTR function
:C002A232 retn


That's it. This technique can, as far as I can tell, be used to find the starting code of any Softice function. There is only one caveat if you decide to live trace the code after enabling breakpoints within SI (see the TOT thread for how to do that). Notice the mov esi, offset instruction string line. This IS the actual string typed into the command window, so anything you type in there afterwards, including F8 and F10 tracing key presses, will overwrite that memory address and you will see it happening. Meaning ESI in the string parsing routine will be screwed up! So you have to be very careful with your choices of breakpoints. Choose BPs and do tracing *after* the main string parsing routine is completed, or if that memory address is reused elsewhere.

One more thing, since we're already totally off tangent from the original subject...;-) How to convert the IDA address to a real address you can find in Softice and use the 'd' and 'u' commands for pseudo-tracing? If you type 'VXD Winice' in SI you'll get the starting Address of the first segment of winice.exe. For me this is C002F3A4. So to convert any IDA address I just add 2F3A4h to it.

Try it out with the memory address of the command line - C002142F + 2F3A4 = C00507D3. Now display this address C00507D3 in Softice and you should see exactly what you type into the command line window.


Lol, not sure why I went here, but the question still remains - WTF is SIWTR?

Cheers,
Kayaker
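A small model of the dispatch path described in the post above, added here as an illustration (it is not Kayaker's code and not taken from winice.exe). The command-table layout (name, NUL, index byte), the BT-against-bitmask check, the off_C0022DC7[edx*4] slot computation and the 'VXD Winice' rebase follow the post; the sample table entries other than SIWTR/82h, the bitmask contents and the C0000000 IDA load base are constructed assumptions.

```python
import struct

# Constructed sample of the command table layout the post describes:
# NUL-terminated ASCII name followed by one index byte. Only SIWTR/0x82
# comes from the post; the other entries are made up for this example.
SAMPLE_TABLE = b"BPX\x00\x05" b"BPM\x00\x06" b"SIWTR\x00\x82" b"HBOOT\x00\x0a"

# Constructed BCHK bitmask (five little-endian dwords). Bit n set means index n
# passes the BT test; here only the made-up indices 5 and 6 are allowed.
SAMPLE_BITMASK = struct.pack("<5I", (1 << 5) | (1 << 6), 0, 0, 0, 0)

JUMP_TABLE_BASE = 0xC0022DC7   # off_C0022DC7 quoted in the post (v4.05 build 334)
IDA_IMAGE_BASE = 0xC0000000    # assumed address IDA loaded winice.exe at
VXD_WINICE_BASE = 0xC002F3A4   # 'VXD Winice' output quoted in the post


def parse_command_table(table):
    """Yield (name, index) pairs from the name\\0index byte layout."""
    pos = 0
    while pos < len(table):
        end = table.index(b"\x00", pos)
        name = table[pos:end].decode("ascii")
        index = table[end + 1]
        yield name, index
        pos = end + 2


def bt_bitstring(bitmask, bit_index):
    """Emulate BT mem, reg: test bit `bit_index` of the bit string at mem,
    which may lie beyond the first dword (0x82 = byte 16, bit 2)."""
    byte_i, bit_i = divmod(bit_index, 8)
    if byte_i >= len(bitmask):
        return False
    return bool((bitmask[byte_i] >> bit_i) & 1)


def resolve_command(name, table=SAMPLE_TABLE, bitmask=SAMPLE_BITMASK):
    """Return (index, bchk_allowed, jump_table_slot) for a command name."""
    for cmd, index in parse_command_table(table):
        if cmd == name:
            slot = JUMP_TABLE_BASE + index * 4      # off_C0022DC7[edx*4]
            return index, bt_bitstring(bitmask, index), slot
    raise KeyError(f"{name} not found in command table")


def ida_to_live(ida_addr):
    """Rebase an IDA address to the address SoftICE displays for it."""
    return ida_addr + (VXD_WINICE_BASE - IDA_IMAGE_BASE)
```

resolve_command("SIWTR") gives the slot C0022FCF from the post, and ida_to_live(0xC002142F) gives C00507D3, regardless of whether the BCHK bit is set.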

naides
October 5th, 2002, 13:26
When I type SIWTR in SoftIce v4.27, from DS v2.7, I get "invalid command" from the time I type the 'I' character.

It does not exist in the help list either. So it is stripped from the user interface. I will do a little IDA digging, to see if there are traces of its presence in the winice.exe code.

UrgeOverKill
October 7th, 2002, 22:12
The SIWTR is actually an internal debug log for Numega, and was probably used to 'debug' sice during its updates and such. It serves hardly any functionality to the casual user and I think has been gone since DriverStudio 2.0.

Although it remains on the command list, it's pretty much obsolete.

Hope this helps

+UoK