
Crazy Idea Time (Kernel Level Debugger)

naides
January 16th, 2003, 23:42
Shut me up if I am completely over the line.

Let us post the most desirable features one would like to see in a kernel level debugger.
I, for example, would like to see a BPR feature in Sice versions 4.26 and up, so I could use Kayaker's tracedump work again in WinXP.

Once we get a collection of ideas of the most desirable debugger for a cracker, let us make one.

Either by plugins into Sice, a growth from Ollydebug, or from scratch: a concerted effort.
So we do not have to rely so much on the whims of Numega.

I have less than 1% of the talent such a project entails, but I know the talent exists, right here.

Kayaker
January 17th, 2003, 01:23
Interesting idea Naides. Heh, I'd like to see the Tracedump backtrace buffer disassembler work on XP too. In fact Clandestiny has been bugging me to get Win2K at least so we can try working on exactly that. It has proven very effective on 9x, but as you say above, there's no support for the BPR command necessary to produce the backtrace.

I believe this is an issue with the OS, not Softice, since DriverStudio ntice.sys still contains the code for all the BPR commands. I haven't read all the DS documentation to see if Numega broaches the subject. What is the actual reason for this, is it something to do with page permissions? And what happens if you try a BPR command, do you get an error message or does it just lock up?

What I'd like to see is a report by someone who has tried IceExt by Sten, a SoftICE NT plugin with full source which tries among other things to emulate the BPR command of the debugger.
http://stenri.pisem.net/
He actually doesn't advise using the BPR command because it's still under development, but I think it would be worthwhile to look into. It doesn't necessarily mean you could do traditional backtraces though because the traced instruction addresses still need to be stored in a buffer (the effect of the BPR "T" verb) before you can think about disassembling them.

What I'd like to try is developing a simple Ring0 tracer (though conceptually I have very little idea yet how to practically go about that), which would dump each of the traced addresses into a buffer. Nothing more, no IT fixups or tracing of redirected addresses or anything else, just a raw dump until the tracing stops. Then these addresses can be disassembled in Ring3 just as we've done with Tracedump on the addresses stored in the Softice backtrace buffer. Perhaps it's time to start looking into this.

Kayaker

sv
January 17th, 2003, 07:51
Hi Kayaker

"What I'd like to try is developing a simple Ring0 tracer..."
Yep, I agree!!! It's a good idea, we need this kind of tool.

SV

Kayaker
January 19th, 2003, 01:22
Salut SV ;-) For anyone into this tracer engine stuff, or for those of ye who seek the OEP, there's a nice open source project by Christoph Gabler worth looking into. Generic Unpacker Win32 (GUW32) includes surprisingly well commented examples of a Ring0 and Ring3 tracer. As well, it incorporates and includes the source of MackT's ImpREC dll (v1.1).

http://www.woodmann.net/protools/files/unpackers/guw32.zip

There are other snippets by Gabler around in a similar vein that are worth digging up as well...

Kayaker