SoftICE Command Reference
SoftICE Command Reference
SoftICE Command Reference
December 1999
Information in this document is subject to change without notice and does not represent a commitment on the part of Compuware Corporation. The software described in this document may be used or copied only in accordance with the terms of the license. The purchaser may make one copy of the software for a backup, but no part of this user manual may be reproduced, stored in a retrieval system, or transmitted in any form or by any means electronic or mechanical, including photocopying and recording for any purpose other than the purchasers personal use, without prior written permission from Compuware Corporation. NOTICE: The accompanying software is condential and proprietary to Compuware Corporation. No use or disclosure is permitted other than as expressly set forth by written license with Compuware Corporation.
Copyright 1996, 1998, 1999, 2000 Compuware Corporation. All Rights Reserved.
Compuware, the Compuware logo, NuMega, the NuMega logo, BoundsChecker, SoftICE, and On-Demand Debugging are trademarks or registered trademarks of Compuware Corporation. Microsoft, Windows, Win32, Windows NT, Visual Basic, and ActiveX are either trademarks or registered trademarks of Microsoft Corporation. Borland and Delphi are either trademarks or registered trademarks of INPRISE Corporation. Watcom is a trademark of Sybase, Incorporated or its subsidiaries. Other brand and product names are either trademarks or registered trademarks of their respective holders.
This Software License Agreement is not applicable if Licensee has a valid Compuware License Agreement and has licensed this Software under a Compuware Product Schedule.
Infringement of Intellectual Property Rights: In the event of an intellectual property right claim, Compuware agrees to indemnify and hold Licensee harmless, provided Licensee gives Compuware prompt written notice of such claim, permits Compuware to defend or settle the claim, and provides all reasonable assistance to Compuware in defending or settling the claim. In the defense or settlement of such claim, Compuware may obtain for Licensee the right to continue using the Software or replace or modify the Software so that it avoids such claim, or if such remedies are not reasonably available, accept the return of the infringing Software and provide Licensee with a pro-rata refund of the license fees paid for such Software based on a three (3) year use period. Limitation of Liability: LICENSEE ASSUMES THE ENTIRE RISK AS TO THE RESULTS AND PERFORMANCE OF THE SOFTWARE. IN NO EVENT WILL COMPUWARE BE LIABLE TO LICENSEE OR TO ANY THIRD PARTY FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING BUT NOT LIMITED TO, LOSS OF USE, DATA, REVENUES OR PROFITS, ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT OR THE USE, OPERATION OR PERFORMANCE OF THE SOFTWARE, WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED UPON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, AND WHETHER OR NOT COMPUWARE OR ITS LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE. SOME STATES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO LICENSEE. IN NO EVENT SHALL COMPUWARE BE LIABLE TO LICENSEE FOR AMOUNTS IN EXCESS OF PURCHASE PRICE PAID FOR THE SOFTWARE. Term and Termination: This License Agreement shall be effective upon Licensees acceptance of this Agreement and shall continue until terminated by mutual consent, or by election of either Licensee or Compuware in case of the others unremediated material breach. In case of any termination of this Agreement, Licensee will immediately return to Compuware the Software that Licensee has obtained under this Agreement and will certify in writing that all copies of the Software have been returned or erased from the memory of its computer or made non-readable. General: This Agreement is the complete and exclusive statement of the parties' agreement. Should any provision of this Agreement be held to be invalid by any court of competent jurisdiction, that provision will be enforced to the maximum extent permissible and the remainder of the Agreement shall nonetheless remain in full force and effect. This Agreement shall be governed by the laws of the State of Michigan and the United States of America.
Contents
. ? A
2 3 4 6 8 11 13 14 16
BSTAT C
50
48
FIBER FILE
91 92 93 95 96 97 99
CLASS CLS CODE COLOR CPU CR CSIP D DATA DEVICE DEX DIAL DPC
25 27 28 30 32 35 39 42 44 45 64 54
51
FKEY FLASH
ACTION ADDR ADDR ALTKEY ALTSCR ANSWER APC BC BD BE BH BL BMSG BPE BPINT BPINT BPIO BPM BPR BPRW BPT BPX
18 19 20 21 22 24
55 56 58 61 62
103
66 67 70 71 73 74
DRIVER E EC
76 78
HWND
79
HWND I
127
128 129
132
FAULTS
Contents
R RS S
196 198 199 200 204 207 208 209 210 214 216
WF WHAT
WIDTH WL WMSG WR WS WW WX X
257 258 259 260 261 255
256
STACK SYM
SYMLOC T
218
XFRAME XG
264 265
262
XP XRSET XT ZAP
167 169
TSS TYPES U
VXD WATCH WC WD
ii
You will nd it a very good practice always to verify your references, sir!
Dr. Routh
SoftICE Commands
The SoftICE Command Reference is for use with the following operating systems: Windows 3.1 Windows 95 Windows 98 Windows NT Windows 2000
The commands are listed in alphabetical order and contain the following information:
Operating systems Command name OBJDIR Windows 98, Windows NT, Windows 2000 System Information Note: Some commands list support for Windows 98. These commands do not consistently work the same way they do on Windows 95 or Windows NT. Do not assume similarity.
Displays objects in a Windows NT Object Managers object directory. Syntax and parameters Syntax Use Command use Output Sample output OBJDIR [object-directory-name] Use the OBJDIR command to display named objects within the Object Managers object directory. Using OBJDIR with no parameters displays the named objects within the root object directory. The OBJDIR command displays the following information: Object ObjHdr Name Type Address of the object body Address of the object header Name of the object Windows NT-dened data type of the object
Type of SoftICE command: Breakpoints and Watches Customization Display/Change Memory Flow Control I/O Port Manipulating Breakpoints Miscellaneous Mode Control Symbol/Source System Information Window Control
Example(s)
Example Abbreviated sample output of the OBJDIR command listing objects in the Device object directory follows: OBJDIR device Directory of \Device at FD8E7F30
SoftICE Commands
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Window Control
Syntax Use
When the Code window is visible, the . (Dot) command makes the instruction at the current CS:EIP visible and highlights it.
For Windows 95 and Windows NT
The command switches the context back to the original context in which SoftICE popped up.
SoftICE Commands
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Miscellaneous
Evaluate an expression.
Syntax
For Windows 3.1 ? [command | expression] For Windows 95 and Windows NT ? expression
Use
Under Windows 3.1, the parameter you supply to the ? command determines whether help is displayed or an expression is evaluated. If you specify a command, ? displays detailed information about the command, including the command syntax and an example. If you specify an expression, the expression is evaluated, and the result is displayed in hexadecimal, decimal, signed decimal (only if < 0), and ASCII.
For Windows 95 and Windows NT
Under Windows 95 and Windows NT, the ? command only evaluates expressions. (Refer to H on page 105 for information about getting help under Windows 95 and Windows NT.) To evaluate an expression enter the ? command followed by the expression you want to evaluate. SoftICE displays the result in hexadecimal, decimal, signed decimal (only if < 0), and ASCII.
Example
The following command displays the decimal, hexadecimal, and ASCII representations of the value of the expression 10*4+3.
:? 10*4+3 00000043 0000000067 "C"
See Also
SoftICE Commands
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Miscellaneous
Assemble code.
Syntax Use
A [address]
Use the SoftICE assembler to assemble instructions directly into memory. The assembler supports the standard Intel 80x86 instruction set. If you do not specify the address, assembly occurs at the last address where instructions were assembled. If you have not entered the A command before and did not specify the address, the current CS:EIP address is used. The A command enters the SoftICE interactive assembler. An address displays as a prompt for each assembly line. After you type an assembly language instruction and press Enter, the instructions assemble into memory at the specied address. Type instructions in the standard Intel format. To exit assembler mode, press Enter at an address prompt. If the address range in which you are assembling instructions is visible in the Code window, the instructions change interactively as you assemble. The SoftICE assembler supports the following instruction sets: For Windows 3.1: 386, Floating Point For Windows 95 and Windows NT: 386, 486, Pentium, Pentium Pro, all corresponding numeric coprocessor instruction sets, and MMX instruction sets SoftICE also supports the following special syntax: Enter USE16 or USE32 on a separate line to assemble subsequent instructions as 16-bit or 32-bit, respectively. If you do not specify USE16 or USE32, the default is the same as the mode of the current CS register. Enter mnemonic commands followed by a list of bytes and/or quoted strings separated by spaces or commas. Use the RETF mnemonic to represent a far return. Use WORD PTR, BYTE PTR, DWORD PTR, and FWORD PTR to determine data size, if there is no register argument.
Example: MOV BYTE PTR ES:[1234.],1
Use FAR and NEAR to explicitly assemble far and near jumps and calls. If you do not specify either, the default is NEAR. Place operands referring to memory locations in square brackets.
Example: MOV AX,[1234]
SoftICE Commands
For Windows NT
Any changes you make to 32-bit code are sticky. This means they remain in place even if you load or reload the module you change. To remove the changes, do one of the following: restart Windows NT, ush the memory image from the cache, or modify the module.
Example
the assembler prompts you for assembly instructions. Enter all instructions and press Enter at the address prompt. The assembler assembles the instructions beginning at offset 1234h within the current code segment.
SoftICE Commands
ACTION
Windows 3.1
Mode Control
Syntax
ACTION [nmi|int1|int3|here|interrupt-number|debugger-name]
Generates non-maskable interrupt after breakpoint. Generates INT1 instruction after breakpoint. Generates INT3 instruction after breakpoint. Returns control to SoftICE after breakpoint. Valid interrupt number between 0 and 5Fh. Module name of the Windows application debugger which gains control after a SoftICE breakpoint.
Use
The ACTION command determines where to pass control when breakpoint conditions are met. In most cases, you use ACTION to pass control to an application debugger you are using in conjunction with SoftICE. Use the HERE parameter to return to SoftICE when break conditions have been met. Use the NMI, INT1, and INT3 parameters as alternatives for activating DOS debuggers when break conditions are met. Use debugger-name to activate Windows debuggers. To nd the module name of the debugger, use the MOD command. If you specify debugger-name, an INT 0 triggers the Windows debugger. SoftICE ignores breakpoints that the Windows debugger causes if the debugger accesses memory covered by a memory location or range breakpoint. When SoftICE passes control to the Windows debugger with an INT 0, the Windows debugger responds as if a divide overow occurred and displays a message. Ignore this message because the INT 0 was not caused by an actual divide overow.
Note:
SoftICE Commands
Example
When using SoftICE with the following products, use the corresponding command.
Product SoftICE Command
ACTION nmi
Note: SoftICE generates a non-maskable interrupt when
break conditions are met. This gives control to CodeView for DOS. CodeView for Windows Borland's Turbo Debugger for Windows Multiscope's Debugger for Windows ACTION cvw ACTION tdw ACTION rtd
See Also
SoftICE Commands
ADDR
System Information
Syntax
context-handle process-name
Use
To be able to view the private address space for an application process, set the current address context within SoftICE to that of the application by providing an address context-handle or the process-name as the rst parameter to the ADDR command. To view information on all currently active contexts, use ADDR with no parameters. The rst address context listed is the current address context. For each address context, SoftICE prints the following information: address context handle address of the private page table entry array (PGTPTR) of the context number of entries that are valid in the PGTPTR array starting and ending linear addresses represented by the context address of the mutex object used to control access to the contexts page tables name of the process that owns the context. When you use the ADDR command with an address context parameter, SoftICE switches address contexts in the same way as Windows. When switching address contexts, Windows 95 copies all entries in the new contexts PGTPTR array to the page directory (pointed to by the CR3 register). A context switch affects the addressing of the lower 2GB of memory from linear address 0 to 7FFFFFFFh. Each entry in a PGTPTR array is a page directory entry which points at a page table that represents 4MB of memory. There can be a maximum of 512 entries in the PGTPTR array to represent the full 2GB. If there are less than 512 entries in the array, the rest of the entries in the page directory are set to invalid values.
SoftICE Commands
When running more than one instance of an application, the same owner name appears in the address context list more than once. If you specify an owner name as a parameter, SoftICE always selects the rst address context with a matching name in the list. To switch to the address context of a second or third instance of an application, provide an address contexthandle to the ADDR command.
Note:
If SoftICE pops up when the System VM (VM 1) is not the current VM, it is possible for context owner information to be paged out and unavailable. In these cases no owner information displays.
Output
For each context or process, the following information displays. Handle Pgtptr Address of the context control block. This is the handle that is passed in VxD calls that require a context handle. Address of an array of page table addresses. Each entry in the array represents a page table pointer. When address contexts switch, the appropriate location in the page directory receives a copy of this array. Number of entries in the PGTPTR array. Not all entries contain valid page directory entries. This is only the number of entries reserved. Minimum linear address of the address context. Maximum address of the address context. Mutex handle used when VMM manipulates the page tables for the context. Name of the rst process that uses this address context.
Example
The following command displays all currently active address contexts. The context on the top line of the display is the context in which SoftICE popped up. To switch back to this at any time, use the . (DOT) command. When displaying information on all contexts, one line is highlighted, indicating the current context within SoftICE. When displaying data or disassembling code, the highlighted context is the one you see.
.:ADDR Handle C1068D00 C104E214 PGTPTR C106CD0C C1068068 C0FE5330 C105CE8C C10571D4 Tables 0200 0200 0002 0200 0200 Min Addr 00400000 00400000 00400000 00400000 00400000 Max Addr 7FFFF000 7FFFF000 7FFFF000 7FFFF000 7FFFF000 Mutex C0FEC770 C1063DBC C0FE5900 C105C5EC C1056D44 Owner WINWORD Rundll32 QUICKRES Ibserver Mprexe
SoftICE Commands
Owner
See Also
10
SoftICE Commands
ADDR
System Information
Syntax
Name of any currently loaded process. Process ID. Each process has a unique ID. Linear address of a Kernel Process Environment Block.
Use
Use the ADDR command to both display and change address contexts within SoftICE so that process-specic data and code can be viewed. Using ADDR with no parameters displays a list of all address contexts. If you specify a parameter, SoftICE switches to the address context belonging to the process with that name, identier, or process control block address.
If you switch to an address context that contains a Local Descriptor Table (LDT), SoftICE sets up the LDT with the correct base and limit. All commands that use an LDT only work when the current SoftICE context contains an LDT. LDTs are never global under Windows NT. Under low memory conditions, Windows NT starts swapping data to disk, including inactive processes, parts of the page directory, and page tables. When this occurs, SoftICE may not be able to obtain the information necessary to switch to contexts that rely on this information. SoftICE indicates this by displaying the message swapped in the CR3 eld of the process or displaying an error message if an attempt is made to switch to the context of the process. When displaying information about all contexts, one line is highlighted, indicating the current context within SoftICE. When displaying data or disassembling code, the highlighted context is the one you see. An * (asterisk) precedes one line of the display, indicating the process that was active when SoftICE popped up. Use the . (DOT) command to switch contexts back to this context at any time.
Output
For each context or process, ADDR shows the following information. CR3 Physical address of the page directory that is placed into the CR3 register on a process switch to the process.
11
SoftICE Commands
LDT
If the process has an LDT, this eld has the linear base address of the LDT and the limit eld for the LDT selector. All Windows NT processes that have an LDT use the same LDT selector. For process switches, Windows NT sets the base and limit elds of this selector. Linear address of the Kernel Process Environment Block for the process. Process ID. Each process has a unique ID. Name of the process.
Example
The following example shows the ADDR command being used without parameters to display all the existing contexts.
:ADDR CR3 00030000 011FB000 017A5000 01B69000 01CF3000 01D37000 00FFA000 009A5000 00AA5000 006D2000 00837000 00C8C000 00387000 *0121C000 00030000 E1172000:0187 E115F000:FFEF LDT Base:Limit KPEB FD8EA920 FD8CD880 FD8BFB60 FD8BADE0 FD8B6B40 FD8B5760 FD8A8AE0 FD89F7E0 FD89CB40 FD899DE0 FD896D80 FD89C020 FD89E5E0 FD88CCA0 8013DD50 PID 0002 0013 0016 001B 0027 0029 0040 002B 004A 0054 0059 0046 004E 0037 0000 NAME System smss csrss winlogon services lsass spoolss nddeagnt progman ntvdm CLOCK scm 4NT ntvdm Idle
See Also
12
SoftICE Commands
ALTKEY
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Customization
Syntax
letter
Use
Use the ALTKEY command to change the key sequence (default key Ctrl-D) for popping up SoftICE. Occasionally another program may conict with the default hot key sequence. You can change the key sequence to either of the following sequences:
Ctrl + letter
or
Alt + letter
If you do not specify a parameter, the current hot key sequence displays. To change the hot key sequence every time you run SoftICE, congure SoftICE in the SoftICE Loader to place the ALTKEY command in the SoftICE initialization string.
Example
To specify that the key sequence Alt-Z pops up the SoftICE screen, use the following command.
ALTKEY alt z
13
SoftICE Commands
ALTSCR
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Window Control
Syntax
mono
Redirects SoftICE output to an alternate monochrome monitor using a Hercules-compatible monochrome card. This mode displays 43 lines of text rather than the 25 lines displayed in text mode. Redirects SoftICE output to an alternate monitor using standard VGA mode.
vga
Use
Use the ALTSCR command to redirect the SoftICE output from the default screen to an alternate monochrome or VGA monitor. ALTSCR requires the system to have two monitors attached. The alternate monitor should be either a monochrome monitor in a character mode (the default mode), or a VGA card. The default setting is ALTSCR mode OFF.
Hint:
To change the SoftICE display screen every time you run SoftICE, place the ALTSCR command in the Initialization string within your SoftICE conguration settings. Refer to Chapter 10, Customizing SoftICE in the Using SoftICE guide.
In the SoftICE program group, use Display Adapter Setup to select the monochrome monitor. SoftICE automatically starts out in monochrome mode making the ALTSCR command unnecessary. Also use this setting if you are experiencing video problems even when ALTSCR ON is in the initialization string.
Note:
If you use an alternate screen in VGA mode, you must disable VGA on the graphics card that will be used to display Windows. You cannot use two cards that are in VGA mode at the same time. Consult the documentation for your graphics card to nd the appropriate PCI slot or switches to set.
For Windows 95
You can also start WINICE with the /M parameter to bypass the initial VGA programming and force SoftICE to an alternate monochrome screen. This is useful if your video board experiences conicts with the initial programming.
14
SoftICE Commands
Example
The following command redirects screen output to the alternate monitor in standard VGA mode.
ALTSCR vga
15
SoftICE Commands
ANSWER
Customization
Syntax
com-port baud-rate
If no com-port is specied it uses COM1. Baud-rate to use for modem communications. The default is 38400. The rates include 1200, 2400, 4800, 9600, 19200, 23040, 28800, 38400, 57000, 115000. Optional modem initialization string.
i=init
Use
The ANSWER command allows SoftICE to answer an incoming call and redirect all output to a connecting PC running the SERIAL.EXE program in dial mode. After the command is executed, SoftICE listens for incoming calls on the specied com-port while the machine continues normal operation. Incoming calls are generated by the SERIAL.EXE program on a remote machine. You can place a default ANSWER initialization string in the SoftICE conguration settings. Refer to Chapter 10, Customizing SoftICE in the Using SoftICE guide. When SoftICE detects a call being made after the ANSWER command has been entered, it pops up and indicates that it is making a connection with a remote machine, then pops down. The local machine appears to be hung while a remote connection is in effect. The ANSWER command can be cancelled at any time with ANSWER OFF. This stops SoftICE from listening for incoming calls.
Example
The following is an example of the ANSWER command. SoftICE rst initializes the modem on com-port 2 with the string atx0, and then returns control to the command prompt. From that point on it answers calls made on the modem and attempts to connect at a baud rate of 38400bps.
ANSWER on 2 38400 i=atx0
16
SoftICE Commands
The following is an example of a default ANSWER initialization string statement in your SoftICE conguration settings. With this statement in place, SoftICE always initializes the modem specied in ANSWER commands with atx0, unless the ANSWER command explicitly species an initialization string.
ANSWER=atx0
See Also
SERIAL
17
SoftICE Commands
APC
System Information
Syntax
Location of an asynchronous procedure call. Thread ID of thread you want to search for asynchronous procedure calls. Process ID of process you want to search for asynchronous procedure calls.
Use
The APC command displays information about asynchronous procedure calls that are current in the system. If you enter APC with no parameters, SoftICE lists all asynchronous procedure calls queued for delivery in the currently running thread. Or you can instruct SoftICE to walk through a specied thread or process. The following command displays information about an asynchronous procedure call
APC APC Object at 806D716C PKTHREAD APC Queue Flink Routines: Kernel Rundown Normal Normal Context Argument1 ApcStateIndex ApcMode In APC Queue User mode APC Queue Empty 806E15E0 806E1614 801A3B5E 801A44DA 801A3CFA 00000000 00000000 0 KernelMode
Example
Blink
806E1614
See Also
DPC
18
SoftICE Commands
BC
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Manipulating Breakpoints
Syntax
BC list | *
list *
Example
If you use the BL command (list breakpoints), the breakpoint list will be empty until you dene more breakpoints.
19
SoftICE Commands
BD
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Manipulating Breakpoints
Syntax
BD list | *
list *
Use
Use the BD command to temporarily deactivate breakpoints. Reactivate the breakpoints with the BE command (enable breakpoints). To tell which of the breakpoints are disabled, list the breakpoints with the BL command. A breakpoint that is disabled has an * (asterisk) after the breakpoint index.
Example
20
SoftICE Commands
BE
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Manipulating Breakpoints
Syntax
BE list | *
list *
Use
Use the BE command to reactivate breakpoints that you deactivated with the BD command (disable breakpoints).
Note:
You automatically enable a breakpoint when you rst dene it or edit it.
Example
21
SoftICE Commands
BH
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Manipulating Breakpoints
List and select previously set breakpoints from the breakpoint history.
Syntax Use
BH
Use the BH command to recall breakpoints that you set in both the current and previous SoftICE sessions. All saved breakpoints display in the Command window and can be selected using the following keys: UpArrow DownArrow Insert Enter Esc Positions the cursor one line up. If the cursor is on the top line of the Command window, the list scrolls. Positions the cursor one line down. If the cursor is on the bottom line of the Command window, the list scrolls. Selects the breakpoint at the current cursor line, or deselects it if already selected. Sets all selected breakpoints. Exits breakpoint history without setting any breakpoints.
Each time Windows exits normally, these breakpoints are written to the WINICE.BRK le in the same directory as WINICE.EXE. Every time SoftICE is loaded, it reads the breakpoint history from the WINICE.BRK le.
For Windows 95
IF you congure Windows 95 to load SoftICE before WIN.COM by appending \siw95\winice.exe to the end of your AUTOEXEC.BAT, you must also set the BootGUI option in MSDOS.SYS to BootGUI=0. If this option is set to BootGUI=1, Windows 95 does not return control to SoftICE when it shuts down, and SoftICE does not save the break-point history le. Refer toUsing SoftICE manual for more information about conguring when SoftICE loads.
For Windows NT
22
SoftICE Commands
Example
To select any of the last 32 breakpoints from current and previous SoftICE sessions, use the following command.
BH
23
SoftICE Commands
BL
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Manipulating Breakpoints
Syntax Use
BL
The BL command displays all breakpoints that are currently set. For each breakpoint, BL lists the breakpoint index, breakpoint type, breakpoint state, and any conditionals or breakpoint actions. The state of a breakpoint is either enabled or disabled. If you disable the breakpoint, an * (asterisk) appears after its breakpoint index. If SoftICE is activated due to a breakpoint, that breakpoint is highlighted. The BL command has no parameters.
Example
To display all the breakpoints that have been dened, use the following command.
BL
BPMB #30:123400 W EQ 0010 DR3 C=03 BPR #30:80022800 #30:80022FFF W C=01 BPIO 0021 W NE 00FF C=01 BPINT 21 AH=3D C=01
24
SoftICE Commands
BMSG
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Breakpoints
Syntax
For Windows 3.1 BMSG window-handle [L] [begin-msg [end-msg]] [c=count] For Windows 95 and Windows NT BMSG window-handle [L] [begin-msg [end-msg ]] [IF expression [DO "command1;command2;..."]]
window-handle L begin-msg
HWND value returned from CreateWindow or CreateWindowEX. Logs messages to the SoftICE Command window. Single Windows message or lower message number in a range of Windows messages. If you do not specify a range with an end-msg, only the begin-msg will cause a break. Note: For both begin-msg and end-msg, the message numbers can be specied either in hexadecimal or by using the actual ASCII names of the messages, for example, WM_QUIT.
Higher message number in a range of Windows messages. Breakpoint trigger count. Conditional expression: the expression must evaluate to TRUE (nonzero) for the breakpoint to trigger. Breakpoint action: A series of SoftICE commands can execute when the breakpoint triggers.
You can combine breakpoint count functions (BPCOUNT, BPMISS, BPTOTAL, BPLOG, and BPINDEX) with conditional expressions to monitor and control breakpoints based on the number of times a particular breakpoint has or has not triggered. See Chapter 6, Using Breakpoints, in the Using SoftICE manual.
25
SoftICE Commands
Use
The BMSG command is used to set breakpoints on a windows message handler that will trigger when it receives messages that either match a specied message type, or fall within an indicated range of message types. If you do not specify a message range, the breakpoint applies to ALL Windows messages. If you specify the L parameter, SoftICE logs the messages into the Command window instead of popping up when the message occurs. When SoftICE does pop up on a BMSG breakpoint, the instruction pointer (CS:[E]IP) is set to the rst instruction of the message handling procedure. Each time SoftICE breaks, the current message displays in the following format:
hWnd=xxxx wParam=xxxx lParam=xxxxxxxx msg=xxxx message-name
Note:
These are the parameters that are passed to the message procedure. All numbers are hexadecimal. The message-name is the Windows dened name for the message.
To display valid Windows messages, enter the WMSG command with no parameters. To obtain valid window handles, use the HWND command. You can set multiple BMSG breakpoints on one window-handle, but the message ranges for the breakpoints may not overlap.
Example
This command sets a breakpoint on the message handler for the Window that has the handle 9BC. The breakpoint triggers and SoftICE pops up when the message handler receives messages with a type within the range WM_MOUSEFIRST to WM_MOUSELAST, inclusive. This range includes all of the Windows mouse messages.
:BMSG 9BC wm_mousefirst wm_mouselast
The next command places a breakpoint on the message handler for the Window with the handle F4C. The L parameter causes SoftICE to log the breakpoint information to the SoftICE Command window when the breakpoint is triggered, instead of popping up. The message range on which the breakpoint triggers includes any message with a type value less than or equal to WM_CREATE. You can view the output from this breakpoint being triggered by popping into SoftICE and scrolling through the command buffer.
:BMSG f4c L 0 wm_create
26
SoftICE Commands
BPE
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Manipulating Breakpoints
Syntax
BPE breakpoint-index
breakpoint-index
Use
The BPE command allows you to edit or replace an existing breakpoint. Use the editing keys to edit the breakpoint description. Press Enter to save a new breakpoint description. This command offers a quick way to modify the parameters of an existing breakpoint.
Warning: BPE rst clears the breakpoint before loading it into the edit line. If you then press
the Escape key, the breakpoint is cleared. To retain the original breakpoint and create another one, use the BPT command, which uses the original breakpoint as an editing template without rst deleting it. SoftIce expands any conditional expressions or breakpoint actions that are part of the breakpoint expression.
Example
When the command is entered, SoftICE displays the existing breakpoint denition and positions the input cursor just after the breakpoint address.
:BPE 1 :BPX 80104324 if (eax==1) do dd esi
To re-enter the breakpoint after editing, press the Enter key. To clear the breakpoint, press the Escape key.
27
SoftICE Commands
BPINT
Windows 3.1
Breakpoints
Syntax
int-number value c=
Interrupt number from 0 to 5Fh. Byte or word value. Breakpoint trigger count.
Use
Use the BPINT command to pop up SoftICE whenever a specied processor exception, hardware interrupt, or software interrupt occurs. The AX register qualifying value (AL=, AH=, or AX=) can be used to set breakpoints that trigger only when the AX register matches the specied value at the time that the interrupt or exception occurs. This capability is often used to selectively set breakpoints for DOS and BIOS calls. If an AX register value is not entered, the breakpoint occurs anytime the interrupt or exception occurs. For breakpoints that trigger because of hardware interrupts or processor exceptions, the instruction pointer (CS:EIP) at the time SoftICE pops up points to the rst instruction of the interrupt or exception handler routine pointed to by the interrupt descriptor table (IDT.) If a software interrupt triggers the breakpoint, the instruction pointer (CS:EIP) points at the INT instruction that caused the breakpoint. BPINT only works for interrupts that are handled through the IDT. In addition, Windows maps hardware interrupts, which by default map to vectors 8-Fh and 70h-77h, to higher numbers to prevent conicts with software interrupts. The primary interrupt controller is mapped from vector 50h-57h. The secondary interrupt controller is mapped from vector 58h-5Fh.
Example:
If a BPINT triggers because of a software interrupt instruction in a DOS VM, control will be transferred to the Windows protected mode interrupt handler for protection faults. This handler eventually calls down to the appropriate DOS VM's interrupt handler which is pointed to by the DOS VMs Interrupt Vector Table. To go directly to the DOS VM's interrupt handler after the BPINT has occurred on a software interrupt instruction, use the following command:
G @$0:int-number*4
28
SoftICE Commands
Example
The following command denes a breakpoint for interrupt 21h. The breakpoint occurs when DOS function call 4Ch (terminate program) is called. At the time SoftICE pops up, the instruction pointer points to the INT instruction in the DOS VM.
BPINT 21 ah=4c
The next command sets a breakpoint that triggers on each and every tick of the hardware clock. In general, this command is not recommended because it triggers so often. At the time SoftICE pops up, the instruction pointer will be at the rst instruction of the Windows interrupt handler for interrupt 50h.
BPI0
See Also
29
SoftICE Commands
BPINT
Breakpoints
Syntax
Interrupt number from 0 to FFh. Conditional expression: the expression must evaluate to TRUE (nonzero) for the breakpoint to trigger Breakpoint action: A series of SoftICE commands that execute when the breakpoint triggers.
You can combine breakpoint count functions (BPCOUNT, BPMISS, BPTOTAL, BPLOG, and BPINDEX) with conditional expressions to monitor and control breakpoints based on the number of times a particular breakpoint has or has not triggered. See Chapter 6, Using Breakpoints, in the Using SoftICE manual.
Use
Use the BPINT command to pop up SoftICE whenever a specied processor exception, hardware interrupt, or software interrupt occurs. You can use the IF option to specify a conditional expression that limits the interrupts that trigger the breakpoint. You can use thee DO option to specify SoftICE commands that execute any time the interrupt breakpoint triggers. For breakpoints that trigger for hardware interrupts or processor exceptions, the instruction pointer (CS:EIP) at the time SoftICE pops up points to the rst instruction of the interrupt or exception handler routine pointed to by the interrupt descriptor table (IDT.) If a software interrupt triggers the breakpoint, the instruction pointer (CS:EIP) points to the INT instruction that caused the breakpoint. BPINT only works for interrupts that are handled through the IDT.
If a software interrupt occurs in a DOS VM, control is transferred to a Windows protected mode interrupt handler. This handler eventually calls down to the DOS VM's interrupt handler which is pointed to by the DOS VMs Interrupt Vector Table). To go directly to the DOS VM's interrupt handler after the BPINT has occurred on a software interrupt instruction, use the following command:
G @ &0:(int-number*4)
30
SoftICE Commands
For Windows 95
Windows maps hardware interrupts, which by default map to vectors 8-Fh and 70h-77h, to higher numbers to prevent conicts with software interrupts. The primary interrupt controller is mapped from vector 50h-57h. The secondary interrupt controller is mapped from vector 58h-5Fh.
Example:
For Windows NT
Windows NT maps hardware interrupts, which by default map to vectors 8-Fh and 70h-77h, to higher numbers to prevent conicts with software interrupts. The primary interrupt controller is mapped from vector 30h-37h. The secondary interrupt controller is mapped from vector 38h-3Fh.
Example:
Example
The following example results in Windows NT system call breakpoints (software interrupt 2Eh) only being triggered if the thread making the system call has a thread ID (TID) equal to the current thread at the time the command is entered (_TID). Each time the breakpoint hits, the contents of the address 82345829h are dumped as a result of the DO option.
BPINT 2e if tid==_tid do "dd 82345829"
See Also
31
SoftICE Commands
BPIO
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Breakpoints
Syntax
For Windows 3.1 BPIO port [verb] [qualifier value] [c=count] For Windows 95 BPIO [-h] port [verb] [IF expression] [DO "command1;command2;..."] For Windows NT BPIO port [verb] [IF expression] [DO "command1;command2;..."]
port verb
R W RW
qualier
Qualier Value Description
EQ Qualier, value, and C= are not valid for Windows 95 and Windows NT. NE GT LT M
Equal Not Equal Greater Than Less Than Mask. A bit mask is represented as a combination of 1s, 0s and X's. X's are don'tcare bits.
value c=
32
SoftICE Commands
-h IF expression DO command
Note:
Use hardware debug registers to set a breakpoint in a virtual device (VxD.) Available for Pentium-class processors on Windows 95 only. Conditional expression: the expression must evaluate to TRUE (nonzero) for the breakpoint to trigger. Breakpoint action: A series of SoftICE commands can execute when the breakpoint triggers.
You can combine breakpoint count functions (BPCOUNT, BPMISS, BPTOTAL, BPLOG, and BPINDEX) with conditional expressions to monitor and control breakpoints based on the number of times a particular breakpoint has or has not triggered. See Chapter 6, Using Breakpoints, in the Using SoftICE manual.
Use
Use the BPIO instruction to have SoftICE pop up whenever a specied I/O port is accessed in the indicated manner. When a BPIO breakpoint triggers, the instruction pointer (CS:EIP) points to the instruction following the IN or OUT instruction that caused the breakpoint. If you do not specify a verb, RW is the default.
For Windows 3.1
If you specify verb and value parameters, SoftICE compares the value you specify with the actual data value read or written by the IN or OUT instruction that caused the breakpoint. The value may be a byte, a word, or a dword. You can use the verb parameter to specify a comparison of equality, inequality, greater-than-or-equal, less-than-or-equal, or logical AND.
For Windows 3.1 and Windows 95
Due to the behavior of the x86 architecture, BPIO breakpoints are only active while the processor is executing in the RING 3 privilege level. This means that I/O activity performed by RING 0 code, such as VxDs and the Windows virtual machine manager (VMM), is not trapped by BPIO breakpoints. For Windows 95 only, you can use the -H switch to force SoftICE to use the hardware debug registers. This lets you trap I/O performed at Ring 0 in VxDs. Windows virtualizes many of the system I/O ports, meaning that VxDs have registered handlers that are called when RING 3 accesses are made to the ports. To get a list of virtualized ports, use the TSS command. This command shows each hooked I/O port, the address of its associated handler, and the name of the VxD that owns it. To see how a particular port is virtualized, set a BPX command on the address of the I/O handler.
33
SoftICE Commands
For Windows NT
The BPIO command uses the debug register support provided on the Pentium, therefore, I/O breakpoints are only available on Pentium-class machines. When using debug registers for I/O breakpoints, all physical I/O instructions (non-emulated) are trapped no matter what privilege level they are executed from. This is different from using the I/O bit map to trap I/O, as is done for SoftICE running under Windows 3.1 and Windows 95 (without the -H switch). The I/O bit map method can only trap I/O done from user-level code, whereas a drawback of the debug register method for trapping port I/O is that it does not trap emulated I/O such as I/O performed from a DOS box. Due to limitations in the number of debug registers available on x86 processors, a maximum of four BPIOs can be set at any given time.
Example
The following commands dene conditional breakpoints for accesses to port 21h (interrupt control 1s mask register). The breakpoints only trigger if the access is a write access, and the value being written is not FFh. For Windows 3.1, use the following command.
BPIO 21 w ne ff
In the Windows NT example, you should be careful about intrinsic assumptions being made about the size of the I/O operations being trapped. The port I/O to be trapped is OUTB. An OUTW with AL==FFh also triggers the breakpoint, even though in that case the value in AL ends up being written to port 22h.
The following example denes a conditional byte breakpoint on reads of port 3FEh. The breakpoint occurs the rst time that I/O port 3FEh is read with a value that has the two highorder bits set to 1. The other bits can be of any value. For Windows 3.1, use the following command.
BPIO 3fe r eq m 11xx xxxx
34
SoftICE Commands
BPM
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Breakpoints
Syntax
For Windows 3.1 BPM[size] address [verb] [qualifier value] [debug-reg] [c=count] For Windows 95 and Windows NT BPM[size] address [verb] [debug-reg] [IF expression] [DO "command1;command2;..."]
size
Size species the range covered by this breakpoint. For example, if you use double word, and the third byte of the dword is modied, a breakpoint occurs. The size is also important if you specify the optional qualier.
Value Description
B W D
verb
Value Description
R W RW X
35
SoftICE Commands
qualier
These qualiers are only applicable to read and write breakpoints, not execution breakpoints.
Qualier Value Description
Qualier, value, and C= are not valid for Windows 95 and Windows NT.
EQ NE GT LT M
Equal Not Equal Greater Than Less Than Mask. A bit mask is represented as a combination of 1's, 0's and X's. The X's are don't-care bits.
value debug-reg
Byte, word, or double word value, depending on the size you specify.
Value
c= IF expression DO command
Note:
Breakpoint trigger count. Conditional expression: the expression must evaluate to TRUE (nonzero) for the breakpoint to trigger. Breakpoint action: A series of SoftICE commands that execute when the breakpoint triggers.
You can combine breakpoint count functions (BPCOUNT, BPMISS, BPTOTAL, BPLOG, and BPINDEX) with conditional expressions to monitor and control breakpoints based on the number of times a particular breakpoint has or has not triggered. See Chapter 6, Using Breakpoints, in the Using SoftICE manual.
Use
Use BPM breakpoints to have SoftICE pop up whenever certain types of accesses are made to memory locations. You can use the size and verb parameters to be lter the accesses according to their type, and you can use the DO parameter, on Windows NT only, to specify arbitrary SoftICE commands that execute each time the breakpoint is hit.
36
SoftICE Commands
If you do not specify a debug register, SoftICE uses the rst available debug register starting from DR3 and working backwards. You should not include a debug register unless you are debugging an application that uses debug registers itself, such as another debugging tool. If you do not specify a verb, RW is the default. If you do not specify a size, B is the default. For all the verb types except X, SoftICE pops up after the instruction that causes the breakpoint to trigger has executed, and the CS:EIP points to the instruction in the code stream following the trapped instruction. For the X verb, SoftICE pops up before the instruction causing the breakpoint to trigger has executed, and the CS:EIP points to the instruction where the breakpoint was set. If you specify the R verb, breakpoints occur on read accesses and on write operations that do not change the value of the memory location. If you specify a verb of R, W or RW, executing an instruction at the specied address does not cause the breakpoint to occur. If you specify a size of W (BPMW), it is a word-sized memory breakpoint, and you must specify an address that starts on a word boundary. If you specify a size of D (BPMD), the memory breakpoint is dword sized, and you must specify an address that starts on a doubleword boundary.
For Windows 3.1
On Windows 3.1, you can use the count parameter to trigger a breakpoint only after it has been hit a specied number of times. The default count value is 1, meaning that the breakpoint triggers the rst time the breakpoint condition is satised. The count is reset each time the breakpoint triggers.
For Windows 95
BPM breakpoints set in the range 400000 - 7FFFFFFF (WIN32 applications) are addresscontext sensitive. That is, the breakpoints are triggered only when the address context in which the breakpoint was set is active. If a BPM is set in a DLL that exists in multiple contexts, the breakpoint is armed in all the contexts in which it exists. For example, if you set a BPM X breakpoint in KERNEL32 it could break in any context that contains KERNEL32.DLL.
For Windows NT
Any breakpoint set on an address below 80000000h (2 GB) is address-context sensitive. That is, the breakpoint is triggered only when the address context in which the breakpoint was set is active. This includes WIN32 and DOS V86 applications. Take care to ensure you are in the correct context before setting a breakpoint.
37
SoftICE Commands
Example
The following example denes a breakpoint on memory byte access to the address pointed at by ES:DI+1Fh. The rst time that 10h is written to that location, the breakpoint triggers. For Windows 3.1, use the following command.
BPM es:di+1f w eq 10
The next example denes an execution breakpoint on the instruction at address CS:80204D20h. The rst time that the instruction at the address is executed, the breakpoint occurs. For Windows 3.1, Window 95, and Windows NT, use the following command.
BPM CS:80204D20 x
The following example denes a word breakpoint on a memory write. The breakpoint occurs the rst time that location Foo has a value written to it that sets the high order bit to 0 and the low order bit to 1. The other bits can be any value. For Windows 3.1, use the following command.
BPMW foo e eq m 0xxx xxxx xxxx xxx1
This example sets a byte breakpoint on a memory write. The breakpoint triggers the rst time that the byte at location DS:80150000h has a value written to it that is greater than 5. For Windows 3.1, use the following command.
BPM ds:80150000 w gt 5
38
SoftICE Commands
BPR
Breakpoints
Syntax
For Windows 3.1 BPR start-address end-address [verb] [c=count] For Windows 95 BPR start-address end-address [verb] [IF expression] [DO "command1;command2;..."]
R W RW T TW
Read Write Reads and Writes Back Trace on Execution Back Trace on Memory Writes
c= IF expression DO command
Note:
Breakpoint trigger count. Conditional expression: the expression must evaluate to TRUE (nonzero) for the breakpoint to trigger. Breakpoint action: A series of SoftICE commands that can execute when the breakpoint triggers.
You can combine breakpoint count functions (BPCOUNT, BPMISS, BPTOTAL, BPLOG, and BPINDEX) with conditional expressions to monitor and control breakpoints based on the number of times a particular breakpoint has or has not triggered. See Chapter 6, Using Breakpoints, in the Using SoftICE manual.
39
SoftICE Commands
Use
Use the BPR command to set breakpoints that trigger whenever certain types of accesses are made to an entire address range. There is no explicit range breakpoint for execution access. However, you can use the R verb to set execution breakpoints on a range. An instruction fetch is considered a read for range breakpoints. If you do not specify a verb, W is the default. The range breakpoint degrades system performance in certain circumstances. Any read or write within the 4KB page that contains a breakpoint range is analyzed by SoftICE to determine if it satises the breakpoint condition. This performance degradation is usually not noticeable, however, degradation could be extreme in cases where there are frequent accesses to the range. The T and TW verbs enable back trace ranges on the specied range. They do not cause breakpoints, but instead write information about all instructions that would have caused the breakpoint to trigger to a log that can be displayed with the SHOW or TRACE commands. When a range breakpoint is triggered and SoftICE pops up, the current CS:EIP points to the instruction that caused the breakpoint. Range breakpoints are always set in the page tables that are active when you enter the BPR command. Therefore, if range addresses are below 4MB, the range breakpoint will be tied to the virtual machine that is current when BPR is entered. Because of this fact, there are some areas in memory where range breakpoints are not supported. These include the page tables, global descriptor table (GDT), interrupt descriptor tables (IDT), local descriptor table (LDT), and SoftICE itself. If you try to set a range breakpoint or back trace range over one of these areas, SoftICE returns an error. There are two other data areas in which you should not place a range breakpoint, but, if you do, SoftICE will not return an error. These are Windows level 0 stacks and critical areas in the VMM. Windows level 0 stacks are usually in separately allocated data segments. If you set a range over a level 0 stack or a critical area in VMM, you could hang the system. If the memory that covers the range breakpoint is swapped or moved, the range breakpoint follows it.
For Windows 3.1
The count parameter can be used to trigger a breakpoint only after it has been hit a specied number of times. The default count value is 1, meaning that the breakpoint will trigger the rst time the breakpoint condition is satised. The count is reset each time the breakpoint triggers.
40
SoftICE Commands
For Windows 95
Due to a change in system architecture, BPRs are no longer supported in level 0 code. Thus, you cannot use BPRs to trap VxD code.
Example
The following example denes a breakpoint on a memory range. The breakpoint occurs if there are any writes to the memory between addresses ES:0 and ES:1FFF:
BPR es:0 es:1fff w
41
SoftICE Commands
BPRW
Breakpoints
Syntax
For Windows 3.1 BPRW module-name | selector [verb] For Windows 95 BPRW module-name | selector [verb] [IF expression] [DO "command1;command2;..."]
Any valid Windows Module name that contains executable code segments. Valid 16-bit selector in a Windows program.
Value Description
R W RW T TW
Read Write Reads and Writes Back Trace on Execution Back Trace on Memory Writes
IF expression DO command
Note:
Conditional expression: the expression must evaluate to TRUE (nonzero) for the breakpoint to trigger. Breakpoint action: A series of SoftICE commands can execute when the breakpoint triggers.
You can combine breakpoint count functions (BPCOUNT, BPMISS, BPTOTAL, BPLOG, and BPINDEX) with conditional expressions to monitor and control breakpoints based on the number of times a particular breakpoint has or has not triggered. See Chapter 6, Using Breakpoints, in the Using SoftICE manual.
42
SoftICE Commands
Use
The BPRW command is a short-hand way of setting range breakpoints on either all of the code segments, or on a single segment of a Windows program. The BPRW command actually sets the same type of breakpoint as the BPR command. Thus, if you enter the BL command after entering a BPRW command, you can see where separate range breakpoints were set to cover the segments specied in the BPRW command. Valid selectors for a 16-bit Windows program can be obtained with the HEAP instruction. Clearing the breakpoints created by BPRW commands requires that each of these range breakpoints be separately cleared with the BC command.
Note:
The BPRW command can become very slow when using the T verb to back trace or when using the command in conjunction with a CSIP qualifying range.
For Windows 95
Due to a change in system architecture, BPRs are no longer supported in level 0 code. For example, you cannot use BPRs to trap VxD code. When a BPRW is set on a 32-bit application or DLL, a single range breakpoint is set starting at the executable image base and ending at the image base plus image size.
Common Uses
The BPRW command is commonly used in the following ways. To set a back trace history range over an entire Windows application or DLL, specify the module-name and the T verb. To set a breakpoint that triggers whenever a program executes, use the R verb. The R verb breaks on execution as well as reads because an instruction fetch is considered a read for range breakpoints. To use BPRW as a convenient form of BPR. Instead of requiring you to look up a segments base and limit through the LDT or GDT commands, you only need to know the segment selector.
Example
The following example sets up a back trace range on all of the code segments in the Program Manager. All instructions that the Program Manager executes are logged to the back trace history buffer and can later be viewed with the TRACE and SHOW commands.
BPRW progman t
43
SoftICE Commands
BPT
Manipulating Breakpoints
Syntax
BPT breakpoint-index
breakpoint-index
Use
The BPT command uses an existing breakpoint description as a template for dening a new breakpoint. The BPT command loads a template of the breakpoint description into the edit line for modication. Use the editing keys to edit the breakpoint description and type Enter to add the new breakpoint description. The original breakpoint referenced by breakpoint-index is not altered. This command offers a quick way to modify the parameters of an existing breakpoint. When SoftICE displays a breakpoint description, it expands any conditional expressions or breakpoint actions.
Example
The following example moves a template of breakpoint 3 into the edit line, without removing breakpoint 3. An example of the edit line output by the command follows.
BPT 3 :BPX 1b:401200 if (eax==1) do dd esi
44
SoftICE Commands
BPX
F9
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Breakpoints
Syntax
For Windows 3.1 BPX [address] [c=count] For Windows 95 and Windows NT BPX [address] [IF expression] [DO "command1;command2;..."]
Linear address to set execution breakpoint. Breakpoint trigger count. Conditional expression: the expression must evaluate to TRUE (nonzero) for the breakpoint to trigger. Breakpoint action: A series of SoftICE commands that execute when the breakpoint triggers.
You can combine breakpoint count functions (BPCOUNT, BPMISS, BPTOTAL, BPLOG, and BPINDEX) with conditional expressions to monitor and control breakpoints based on the number of times a particular breakpoint has or has not triggered. See Chapter 6, Using Breakpoints, in the Using SoftICE manual.
Use
Use the BPX command to dene breakpoints that trigger whenever the instruction at the specied address is executed. You must set the address parameter to point to the rst byte of the instruction opcode of the instruction on which you want to set the breakpoint. If no address is specied and the cursor is in the Code window when you begin to type the command, a point-and-shoot breakpoint is set at the address of the instruction at the cursor location in the Code window. If you dene a point-and-shoot breakpoint at an address where a breakpoint already exists, the existing breakpoint is cleared.
Note:
Use the EC command (default key F6) to move the cursor into the Code window.
If the cursor is not in the Code window when you enter the BPX command, you must specify an address. If you specify only an offset, the current CS register value is used as the segment.
45
SoftICE Commands
The BPX command normally places an INT 3 instruction at the breakpoint address. This breakpoint method is used instead of assigning a debug register to make more execution breakpoints available. If you need to use a breakpoint register, for example, to set a breakpoint on code not yet loaded in a DOS VM, set an execution breakpoint with the BPM command and specify X as the verb. If you try to set a BPX at an address that is in ROM, a breakpoint register is automatically used for the breakpoint instead of the normal placement of an INT 3 at the target address. This method must be used because ROM cannot be modied. The BPX command accepts 16-bit Windows module names as an address parameter. When you enter a 16-bit module name, SoftICE sets a BPX-style breakpoint on every exported entry point in the module.
Example:
BPX KERNEL sets a breakpoint on every function in the 16-bit Windows module KRNL386.EXE. This can be very useful is you need to break the next time any function in a DLL is called.
BPX breakpoints in DOS VMs are tied to the VM in which they were set. This is normally what you would like when debugging a DOS program in a DOS VM. However, there are situations when you may want the breakpoint to trigger at a certain address no matter what VM is currently mapped in. This is usually true when debugging in DOS code or in a TSR that was run before Windows was started. In these cases, use a BPM breakpoint with the X verb instead of BPX.
For Windows 95
BPX breakpoints set in the range 400000 - 7FFFFFFF (WIN32 applications) are addresscontext sensitive. That is, they are only triggered when the context in which they were set is active. If a breakpoint is set in a DLL that exists in multiple contexts, however, the breakpoint will exist in all contexts.
For Windows NT
Any breakpoint set on an address below 80000000h (2 GB) is address-context sensitive. That is, they are only triggered when the context in which they were set is active. This includes WIN32, WIN16, and DOS V86 applications. Take care to ensure you are in the correct context before setting a breakpoint.
46
SoftICE Commands
Example
This example sets an execution breakpoint at the instruction 10h bytes past the current instruction pointer (CS:EIP).
BPX eip+10
This example sets an execution breakpoint at source line 1234 in the current source le (refer to FILE on page 92).
BPX .1234 For Windows 95 and Windows NT
The following is an example of the use of a conditional expression to qualify a breakpoint. In this case, the breakpoint triggers if the EAX register is within the specied range.
BPX eip if eax > 1ff && eax <= 300
In this example, a breakpoint action is used to have SoftICE automatically dump a parameter for a call. Every time the breakpoint is hit, the contents of the string pointed to by the current DS:DX displays in the Data window.
BPX 80023455 do db ds:dx
See Also
FILE
47
SoftICE Commands
BSTAT
Breakpoints
Syntax
BSTAT [breakpoint-index]
breakpoint-index
Use
Use BSTAT to display statistics on breakpoint hits, misses, and whether breakpoints popped up SoftICE or were logged. A breakpoint will be logged to the history buffer instead of popping up SoftICE if it has a conditional expression that uses the BPLOG expression macro. Because conditional expressions are evaluated when the breakpoint is triggered, it is possible to have evaluation run-time errors. For example, a virtual symbol may be referenced when that symbol has not been loaded, or a reference to a symbol may not be resolved because the memory is not present. In such cases, an error will be generated and noted in the Status and Scode elds under the Misc. column in the BSTAT output
Output
For each breakpoint, SoftICE displays the following information. BP # Totals Category: Hits Breaks Popups Logged Misses Errors Current Category: Hits Breakpoint index, and if disabled, an * (asterisk). Total number of times SoftICE has evaluated the breakpoint. Total number of times the breakpoint has evaluated TRUE, and SoftICE has either popped up or logged the breakpoint. Total number of times the breakpoint caused SoftICE to pop up. Total number of times the breakpoint has been logged. Total number of times the breakpoint evaluated to FALSE, and no breakpoint action was taken. Total number of times that the evaluation of a breakpoint resulted in a error. Current number of times the breakpoint has evaluated TRUE, but did not pop up because the count had not expired. (Refer to expression macro BPCOUNT.) Current number of times the breakpoint has evaluated FALSE or the breakpoint count has not expired.
Misses
48
SoftICE Commands
Miscellaneous Category: Status SoftICE internal status code for the last time the breakpoint was evaluated, or zero if no error occurred. Scode Cond. Action Last non-zero SoftICE internal status code, or zero if no error has occurred. Yes if the breakpoint has a conditional expression, otherwise No. Yes if the breakpoint has a dened breakpoint action, otherwise No.
Example
The following is an example using the BSTAT command for breakpoint #0:
:BSTAT 0 Breakpoint Statistics for #00 BP # *00 Totals Hits Breaks Popups Logged Misses Errors Current Hits Misses Misc Status SCode Cond. Action 2 2 2 0 0 0 0 0 0 0 No Yes
See Also
49
SoftICE Commands
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Miscellaneous
Syntax
Start of rst memory range. Length in bytes. Start of second memory range.
Use
The memory block specied by start-address and length is compared to the memory block specied by the second start address. When a byte from the rst data block does not match a byte from the second data block, SoftICE displays both bytes and their addresses.
Example
The following example compares 10h bytes starting at memory location DS:805FF000h to the 10h bytes starting at memory location DS:806FF000h.
C ds:805ff000 L 10 ds:806ff000
50
SoftICE Commands
CLASS
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
System Information
Syntax
For Windows 3.1 CLASS [module-name] For Windows 95 CLASS [-x][task-name] For Windows NT CLASS [-x][process-type | thread-type | module-type | class-name]
Any currently loaded Windows module. Not all Windows modules have classes registered. Display complete Windows 95 or Windows NT internal CLASS data structure, expanding appropriate elds into more meaningful forms. Any currently executing 16- or 32-bit task. Process name, process ID, or process handle. Thread ID or thread address (KTEB). Module name or module handle. Name of a registered class window.
Use
For Windows 95
The operating system maintains the standard window classes in the 16-bit user module (per Windows 3.1). The operating system maintains all other window classes in separate lists on behalf of each process. Each time a process or one of its DLLs registers a new window class, registration places that class on one of two lists: The application global list contains classes registered with the CS_GLOBAL attribute. They are accessible to the process or any of its DLLs. The application private list contains non-global classes. Only the registering module can access them.
51
SoftICE Commands
Finally, any process or DLL that attempts to superclass one of the standard window controls, for example, LISTBOX, receives a copy of that class. The copy resides in a process-specic system-superclass list. By making a copy of the standard class, a process or DLL can superclass any standard windows control without affecting other processes in the system. The process-specic class lists display in the following order: application private application global system superclassed In the output, dashed lines separate each list.
For Windows NT
The architecture of class information under Windows NT is similar to that of Windows 95 in that class information is process specic and the operating system creates different lists for global and private classes. Beyond this, the two operating systems have signicant differences in how super-classing a registered window class is implemented. Under Windows NT, registered window classes are considered templates that describe the base characteristics and functionality of a window (similar to the C++ notion of an abstract class). When a window of any class is created, the class template is instanced by making a physical copy of the class structure. This instanced class is stored with the windows instance data. Any changes to the instanced class data does not affect the original class template. This concept is further extended when various members of the windows instanced class structure are modied. When this occurs, the instanced class is instanced again, and the new instance points to the original instance. Registered classes act as templates from which instances of a particular class can be created; in effect this is object inheritance. This inheritance continues as changes are made to the base functionality of the class. If you do not specify the type parameter, the current context is assumed because the class information is process specic. A process-name always overrides a module of the same name. To search by module when there is a name conict, use the module handle (base address or module database selector). Also, module names are always context sensitive. If the module is not loaded in the current context (or the CSRSS context), the CLASS command interprets the module name as a class name instead.
52
SoftICE Commands
Output
For each class, the following information is shown: Class Handle Class Name Owner Window Procedure Styles Offset of a data structure within USER. Refers to windows of this class. Name that was passed when the class was registered. If no name was passed, the atom displays. Module that has registered this window class. Address of the window procedure for this window class. Bitmask of ags specied when the class was registered.
Example
The following example uses the CLASS command to display all the classes registered by the MSWORD module.
:CLASS msword Handle 0F24 0EFC 0ED4 0E18 0DDC 0DA0 0D64 0D28 0CF0
Note:
Name #32772 #32771 #32769 MDIClient ComboBox ComboLBox ScrollBar ListBox Edit
Owner USER USER USER USER USER USER USER USER USER
Window Procedure TITLEWNDPROC SWITCHWNDPROC DESKTOPWNDPROC MDICLNTWNDPROC COMBOBXWNDPROC LBBOXTLWNDPROC SBWNDPROC LBOXCTLWNDPROC EDITWNDPROC
There are symbols for all of the window procedures, because SoftICE includes all of the exported symbols from USER.EXE. If a symbol is not available for the window procedure, a hexadecimal address displays.
53
SoftICE Commands
CLS
Alt-F5
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Window Control
Syntax Use
CLS
The CLS command clears the SoftICE Command window and all display history, and moves the prompt and the cursor to the upper lefthand corner of the Command window.
54
SoftICE Commands
CODE
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Customization
Syntax Use
The CODE command controls whether or not the actual hexadecimal bytes of an instruction display when the instruction is unassembled. If CODE is ON, the instruction bytes display. If CODE is OFF, the instruction bytes do not display. Use CODE with no parameters to display the current state of CODE. The default is CODE mode OFF.
Example
The following command causes the actual hexadecimal bytes of an instruction to display when the instruction is unassembled.
CODE on
See Also
SET
55
SoftICE Commands
COLOR
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Customization
Syntax
Foreground/background attribute that displays normal text. Default = 07h grey on black. Foreground/background attribute that displays bold text. Default = 0Fh white on black. Foreground/background attribute that displays reverse video text. Default = 71h blue on grey. Foreground/background attribute that displays the help line underneath the Command window. Default = 30h black on cyan. Foreground/background attribute that displays the horizontal lines between the SoftICE windows. Default = 02h green on black.
line
Use
Use the COLOR command to customize the SoftICE screen colors on a color monitor. Each of the ve specied colors is a hexadecimal byte where the foreground color is in bits 0-3 and the background color is in bits 4-6. This is identical to the standard CGA attribute format in which there are 16 foreground colors and 8 background colors. The actual colors represented by the 16 possible codes are listed in the following table.
Code Color Code Color
0 1 2 3 4 5
A B C D E F
light green light cyan light red light magenta yellow white
56
SoftICE Commands
Code
Color
Code
Color
6 7 8 9
Example
57
SoftICE Commands
CPU
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
System Information
Syntax
CPU [-i]
-i
Use
The CPU command shows all the CPU registers (general, control, debug, and segment).
For Windows NT
If your PC contains a multi-processor motherboard that uses an I/O Advanced Program Interrupt Controller (APIC) as an interrupt controller, the CPU command displays the CPU local registers and the I/O APIC information.
Example
The following example lists the sample output from the CPU command under Windows 95 or Windows NT on systems that do not use an I/O APIC:
Processor 00 Registers ---------------------CS:EIP=0008:8013D7AE SS:ESP=0010:8014AB7C EAX=00000041 EBX=FFDFF000 ECX=00000041 ESI=80147940 EDI=80147740 EBP=FFDFF600 DS=0023 ES=0023 FS=0030 GS=0000 CR0=8000003F PE MP EM TS ET NE PG CR2=C13401D6 CR3=00030000 CR4=00000011 VME PSE DR0=00000000 DR1=00000000 DR2=00000000 DR3=00000000 DR6=FFFF0FF0 DR7=00000400 EFL=00000246 PF ZF IF IOPL=0
EDX=80010031 EFL=00000246
58
SoftICE Commands
The following example lists the sample output from the CPU command under Windows NT on a system that uses an I/O APIC:
Processor 00 Registers ---------------------CS:EIP=0008:8013D7AE SS:ESP=0010:8014AB7C EAX=00000041 EBX=FFDFF000 ECX=00000041 ESI=80147940 EDI=80147740 EBP=FFDFF600 DS=0023 ES=0023 FS=0030 GS=0000 CR0=8000003F PE MP EM TS ET NE PG CR2=C13401D6 CR3=00030000 CR4=00000011 VME PSE DR0=00000000 DR1=00000000 DR2=00000000 DR3=00000000 DR6=FFFF0FF0 DR7=00000400 EFL=00000246 PF ZF IF IOPL=0 --------Local apic-------ID: 0 Version: 30010 Task Priority: 41 Arbitration Priority: 41 Processor Priority: 41 Destination Format: FFFFFFFF Logical Destination: 1000000 Spurious Vector: 11F Interrupt Command: 3000000:60041 LVT (Timer): 300FD LVT (Lint0): 1001F LVT (Lint1): 84FF LVT (Error): E3 Timer Count: 3F94DB0 Timer Current: 23757E0 Timer Divide: B
EDX=80010031 EFL=00000246
59
SoftICE Commands
The following example lists the sample output from the CPU -i command under Windows NT on a system that uses an I/O APIC:
Inti Vector Delivery Status 01 91 Low. Pri Idle 03 61 Low. Pri Idle 04 71 Low. Pri Idle 08 D1 Fixed Idle 0C 81 Low. Pri Idle 0E B1 Low. Pri Idle I/O unit id register: 0E000000 I/O unit version register: 000F0011 Trigger Edge Edge Edge Edge Edge Edge Dest Mode Logical Logical Logical Logical Logical Logical Destination 01000000 01000000 01000000 01000000 01000000 01000000
See Also
PAGE
60
SoftICE Commands
CR
Display the control registers.
Windows 3.1
System Information
Syntax Use
CR
The CR command displays the contents of the three control registers (CR0, CR2, and CR3), and the debug registers in the Command window. CR0 is the processor control register. CR2 is the register in which the processor stores the most recently accessed address that resulted in a page fault. CR3 contains the physical address of the systems page directory. (Refer to PAGE on page 172.) The following example lists the sample output from a CR command:
CR0=8000003B PE MP TS ET NE PG CR2=000CC985 CR3=002FE000 CR4=00000008 DE DR1=00000000 DR2=00000000 DR3=00000000 DR6=FFFF0FF0 DR7=00000400
Example
See Also
PAGE
61
SoftICE Commands
CSIP
Windows 3.1
Breakpoints
Set the instruction pointer (CS:EIP) memory range qualier for all breakpoints in 16-bit programs only.
Syntax
| [not] Windows-module-
Turns off CSIP checking. Breakpoint only occurs if the CS:EIP is outside the specied range or module. Beginning of memory range. End of memory range.
Windows-module-name If you specify a valid Windows-module-name instead of a memory range, the range covers all code areas in the specied Windows module.
Use
The CSIP command qualies breakpoints so that the code that triggers the breakpoint must come from a specied memory range. This function is useful when a program is suspected of accidentally modifying memory outside of its boundaries. When breakpoint conditions are met, the instruction pointer (CS:EIP) is compared to the specied memory range. If the instruction pointer is within the range, the breakpoint activates. To activate the breakpoint only when the instruction pointer (CS:EIP) is outside the range, use the NOT parameter. Because 16-bit Windows programs are typically broken into several code segments scattered throughout memory, you can input a Windows module name as the range. If you enter a module name, the range covers all code segments in the specied Windows program or DLL. When you specify a CSIP range, it applies to ALL breakpoints that are currently active. If you do not specify parameters, the current memory range displays.
For Windows 95 and Windows NT
For 32-bit code, this command is obsolete. Use conditional expressions to achieve this functionality. CSIP still works for 16-bit code and modules.
62
SoftICE Commands
Example
The following command causes breakpoints to occur only if the CS:EIP is NOT in the ROM BIOS when the breakpoint conditions are met.
CSIP not $f000:0 $ffff:0
The following command causes breakpoints to occur only if the Windows program CALC causes them.
CSIP calc
63
SoftICE Commands
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Display/Change Memory
Display memory.
Syntax
For Windows 3.1 D[size] [address] For Windows 95 and Windows NT D[size] [address [l length]]
size
Value Description
B W D S L T
Byte Word Double Word Short Real Long Real 10-Byte Real
address l length
Starting address of the memory you want to display. Displays length number of bytes to the Command window
Use
The D command displays the memory contents at the specied address. SoftICE displays the memory contents in the format you specify in the size parameter. If you do not specify a size, SoftIce uses the last size specied. For the byte, word, and double word hexadecimal formats, the ASCII representation is displayed. For the dword format, data may be displayed in two different ways. If the displayed segment is a 32-bit segment, the dwords display as 32-bit hexadecimals (eight hexadecimal digits). If the displayed segment is a 16-bit segment (VM segment or LDT selector), the dwords display as 16:16 pointers (four hexadecimal digits, a colon, (':'), and four more hexadecimal digits). If you do not specify an address, the command displays memory at the next sequential address after the last byte displayed in the current Data window.
64
SoftICE Commands
If the Data window is visible, the data displays there. If the Data window is not visible, it displays in the Command window. The Command window displays either eight lines of data or one less than the length of the window. For oating point values, numbers display in the following format:
[leading sign] decimal-digits . decimal-digits E sign exponent
The following ASCII strings can also display for real formats:
String Not A Number Denormal Invalid Infinity Exponent all 1s all 0s Mantissa NOT 0 NOT 0 Sign +/+/-
If an L parameter followed by a length is specied, SoftICE displays the requested number of bytes to the Command window regardless of whether the Data window is visible. SoftICE always displays whole rows. If the length is not a multiple of rows, SoftICE will round up. This command is useful when dumping large amounts of data to the Command window for the purpose of logging it to a le.
Example
Displays the memory starting at address ES:1000h in word format and in ASCII format.
DW es:1000 For Windows 95 and Windows NT
The following command displays 4KB of memory starting at address SS:ESP in dword format. The data is displayed in the Command window.
DD ss:esp l 1000
65
SoftICE Commands
DATA
Windows 3.1 - F12
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Window Control
Syntax
DATA [window-number]
window-number
Use
SoftICE supports up to four Data windows. Each Data window can display a different address and/or format. Only one Data window is visible at any time. Specifying DATA without a parameter just switches to the next Data window. The windows are numbered from 0 to 3. This number displays on the righthand side of the line above the Data window. If you specify a window-number after the DATA command, SoftICE switches to display that window. The DATA command is most useful when assigned to a function key. See Chapter 10, Customizing SoftICE, in the Using SoftICE manual. The following command changes the visible Data window to Data window number 3.
DATA 3
Example
66
SoftICE Commands
DEVICE
System Information
Syntax
device-name pdevice-object
Use
The DEVICE command displays information on Windows NT device objects. If the DEVICE command is entered without parameters, summary information displays for all device objects found in the \Device directory. However, if a specic device object is indicated, either by its object directory name (device-name) or object address (pdevice-object), more detailed information displays. If a directory is not specied with a device-name, the DEVICE command attempts to locate the named device object in the entire object tree. When displaying information about a specied device, the DEVICE command displays elds of the DEVICE_OBJECT data structure as dened in NTDDK.H.
Output
The following elds are shown as summary information: RefCnt DrvObj NextDev AttDev Device objects reference count. Pointer to the driver object that owns the device object. Pointer to the next device object on the linked list of device objects that were created by the same driver. Pointer to a device object that has been attached to the displayed object via an IoAttachDeviceObject call. Attached device objects are essentially IRP lters for the devices to which they are attached. Pointer to the IRP currently being serviced for the device object by the device objects driver. Pointer to device driver-dened device object extension data structure. Name of the device, if it has one.
The following are some elds shown when detailed information is printed: Flags Denition of the device objects attributes such as whether I/O performed on the device is buffered or not.
67
SoftICE Commands
Pointer to the devices associated volume parameter block. User-dened or pre-dened value that SoftICE translates to a name.
Example
The following example shows the DEVICE command output with no parameters. It results in SoftICE printing summary information on all device objects in the \Device object directory.
DEVICE RefCnt DrvObj NextDev AttDev CurIrp DevExten Name
00000000 FD8CD910 00000000 00000000 00000000 FD8CD868 Beep 00000015 FD89E730 00000000 00000000 00000000 FD89C968 NwlnkIpx 00000001 FD892170 00000000 00000000 00000000 FD8980E8 Netbios 00000000 FD89D730 00000000 00000000 00000000 FD897D68 Ip 00000001 FD8CBB70 00000000 00000000 FD8DAA08 FD8CAF88 KeyboardClass0 00000001 FD8C9F30 00000000 00000000 00000000 FD8C60F0 Video0 00000001 FD8C9C90 00000000 00000000 00000000 FD8C50F8 Video1 00000001 FD8CC530 00000000 00000000 FD8DAC08 FD8CBF88 PointerClass0 00000001 FD8DB550 FD8D3030 00000000 00000000 FD8D3FC8 RawTape 00000007 FD89D730 FD897CB0 00000000 00000000 FD897C48 Tcp 00000001 FD88A990 00000000 00000000 00000000 FD88A8A8 ParallelPort0 00000003 FD8B3730 00000000 00000000 00000000 FD8A40E8 NE20001
The following example uses the DEVICE command with the BEEP device objects name.
DEVICE beep RefCnt DrvObj NextDev AttDev CurIrp DevExten Name 00000000 FD8CD910 00000000 00000000 00000000 FD8CD868 Beep Timer* : 00000000 Flags : 00000044 DO_BUFFERED_IO | DO_DEVICE_HAS_NAME Characteristics : 00000000 Vpb* : 00000000 Device Type : 1 FILE_DEVICE_BEEP StackSize : 1 &Queue : FD8CD7E4 AlignmentRequirement: 00000000 FILE_BYTE_ALIGNMENT &DeviceQueue : FD8CD810 &Dpc : FD8CD824 ActiveThreadCount : 00000000 SecurityDescriptor* : E10E2528 &DeviceLock : FD8CD84C SectorSize : 0000
68
SoftICE Commands
69
SoftICE Commands
DEX
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Customization
Syntax
data-window-number Number from 0 to 3 indicating which Data window to use. This number displays on the righthand side of the line above the Data window. expression Data expression to assign to the Data window.
Use
The DEX command assigns a data expression to any of the four SoftICE Data windows. Every time SoftICE pops up, the expressions are re-evaluated and the memory at that location displays in the appropriate Data window. This is useful for displaying changing memory locations where there is always a pointer to the memory in either a register or a variable. The data displays in the current format of the Data window: either byte, word, dword, short real, long real, or 10-byte real. This command is the same as entering the command D expression every time SoftICE pops up. If you type DEX without parameters, it displays all the expressions currently assigned to the Data windows. To unassign an expression from a Data window, type DEX followed by the data-windownumber, then press Enter. To cycle through the four Data windows, use the DATA command. (Refer to DATA on page 66.)
Example
Every time SoftICE pops up, Data window 0 contains the contents of the stack.
DEX 0 ss:esp
Every time SoftICE pops up, Data window 1 contains the contents of the memory pointed to by the public variable PointerVariable.
DEX 1 @pointervariable
See Also
DATA
70
SoftICE Commands
DIAL
Customization
Syntax
com-port baud-rate
If no com-port is specied, the default is COM1. Baud-rate to use for modem communications. The default is 38400. The rates you can specify are 1200, 2400, 4800, 9600, 19200, 23040, 28800, 38400, 57000, and 115000. Optional modem initialization string. Telephone number.
i=init-string p=number
Use
The DIAL command initiates a call to a remote machine via a modem. The remote machine must be running SERIAL32.EXE (SERIAL.EXE on an MSDOS machine) and be waiting for a call. Once a connection is established, SoftICE input is received from the remote machine and SoftICE output is sent to the remote machine. No input is accepted from the local machine except for the pop-up hot key sequence. For a detailed explanation of this procedure, refer to Chapter 9, Using SoftICE with a Modem in the manual Using SoftICE. You can specify the modem initialization string and phone number within the SoftICE conguration settings, so that the strings they specify become the defaults for the i and p command-line parameters. Refer to Chapter 10, Customizing SoftICE in the Using SoftICE manual. On the remote machine, you can use the SERIAL command to specify the com-port, baudrate, and init parameters for SERIAL.EXE.
Example
This command tells SoftICE to rst initialize the modem on com-port 2 at a baud rate of 19200 with the string, atx0, and then to make a call through the modem to the telephone number 9-555-5555 extension 1000. Commas can be used in the phone number, just as with traditional modem software, to insert delays into the dialing sequence.
71
SoftICE Commands
The following example shows the syntax expected by SERIAL.EXE when running it on a remote machine so that it answers a DIAL command from the local machine.
SERIAL on [com-port] [baud-rate] i"init-string"
The following SERIAL.EXE command-line uses a modem initialization string of atx0 to answer a call (at 19200 bps) through a modem on the remote machines COM1 serial port. The command line is entered on the remote machine.
SERIAL on 1 19200 i"atx0"
When the remote debugging session is complete, enter the DIAL OFF command from the remote machine to terminate the debugging session and hang up the modem. The following are examples of the Dial initialization and Phone number strings in the Remote Debugging SoftICE conguration settings:
Dial initialization string: atx0 Telephone number string: 9,555-5555,,,1000
With this Dial initialization string in place, SoftICE always initializes the modem specied in DIAL commands with ATX0, unless the DIAL command explicitly species a different initialization string. With this Phone initialization string in place, SoftICE always dials the specied number when executing DIAL commands, unless the DIAL command explicitly species a different phone number.
See Also
ANSWER, SERIAL, and Chapter10, Customizing SoftICE in the Using SoftICE manual.
72
SoftICE Commands
DPC
System Information
Syntax
DPC [ address ]
address
Use
The DPC command displays information about delayed procedure calls that are current in the system. If you enter DPC without parameters, SoftICE list all delayed procedure call that are queued for delivery in the system. For each DPC, SoftICE lists the following information: If you provide the address of a particular DPC, SoftICE displays the following information for that DPC:
Example
The following command displays a listing of all delayed procedure calls current in the system.
DPC
See Also
APC
73
SoftICE Commands
DRIVER
System Information
Syntax
driver-name pdriver-object
Use
The DRIVER command displays information on Windows NT drivers. If the DRIVER command is entered without parameters, summary information is shown for all drivers found in the \Driver directory. However, if a specic driver is indicated, either by its object directory name (driver-name), or by its object address (pdriver-object), more detailed information is displayed. If a directory is not specied with the driver-name, the DRIVER command attempts to locate the named driver in the entire object tree. When displaying detailed information about a specied driver, the DRIVER command displays the elds of the DRIVER_OBJECT data structure as dened in NTDDK.H.
Output
The following elds are shown as summary information: Start Size DrvSect Count DrvInit DrvStaIo DrvUnld Name Base address of the driver. Drivers image size. Pointer to driver module structure. Number of times the registered reinitialization routine has been invoked for the driver. Address of the driver's DriverEntry routine. Address of the driver's StartIo routine. Address of the driver's Unload routine. Name of the driver.
The following is shown when detailed information is printed: DeviceObject Flags Pointer to the rst device object on the drivers linked list of device objects that it owns. Field is a bit-mask of driver ag. The only ag currently documented is DRVO_UNLOAD_INVOKED.
74
SoftICE Commands
FastIoDispatch
Pointer to the drivers fast I/O dispatch data structure, if it has one. File System Drivers typically have a fast I/O routines dened for them. Information on the structure can be found in NTDDK.H. Upon initialization, drivers can register handlers that are called when the driver receives specic IRP request types. Each handler address is listed along with the IRP major function it processes for the driver.
Handler Addresses
Example
The following example shows the output of the DRIVER command with no parameters. This results in SoftICE printing summary information on all the drivers in the \Driver object directory.
DRIVER Start Size DrvSect Count DrvInit DrvStaIo DrvUnld Name
FB030000 00000E20 FD8CDA88 00000000 FB0302EE FB0305E8 FB0306E2 Beep FB130000 0000D3A0 FD89E8C8 00000000 FB13B7BF 00000000 FB136789 NwlnkIpx FB050000 00002320 FD8CD1A8 00000000 FB050AF2 FB0508BE 00000000 Mouclass FB060000 00002320 FD8CBC48 00000000 FB060AF2 FB0608C0 00000000 Kbdclass FB070000 00003860 FD8CAE48 00000000 FB070B0C 00000000 00000000 VgaSave
The following is an example of the DRIVER command with the BEEP.SYS driver objects name as a parameter. From the listing it can be seen that the drivers rst device object is at FD8CD7B0h, and that it has 4 IRP handler routines registered.
DRIVER beep Start Size DrvSect Count DrvInit DrvStaIo DrvUnld Name FB030000 00000E20 FD8CDA88 00000000 FB0302EE FB0305E8 FB0306E2 Beep DeviceObject* : FD8CD7B0 Flags : 00000000 HardwareDatabase : \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM FastIoDispatch* : 00000000 IRP_MJ_CREATE at 8:FB03053C IRP_MJ_CLOSE at 8:FB03058A IRP_MJ_DEVICE_CONTROL at 8:FB0304C6 IRP_MJ_CLEANUP at 8:FB030416
75
SoftICE Commands
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Display/Change Memory
Edit memory.
Syntax
size
Value Description
B W D S L T
Byte Word Double Word Short Real Long Real 10-Byte Real
address data-list List of data objects of the specied size (bytes, words, double words, short reals, long reals, or 10-byte reals) or quoted strings separated by commas or spaces. The quoted string can be enclosed with single quotes or double quotes.
Use
If you do not specify data-list, the cursor moves into the Data window where you can edit the memory in place. If you specify a data-list, the memory is immediately changed to the new values. If the Data window is not currently visible, it is automatically made visible. Both ASCII and hexadecimal edit modes are supported. To toggle between the ASCII and hexadecimal display areas, press the Tab key. If you do not specify a size, the last size used is assumed. Enter valid oating point numbers in the following format:
[leading sign] decimal-digits . decimal-digits E sign exponent
Example:
76
SoftICE Commands
Example
The following command moves the cursor into the Data window for editing. The starting address in the Data window is at DS:1000h, and the data displays in hexadecimal byte format as well as in ASCII. The initial edit mode is hexadecimal.
EB ds:1000
The next command moves the null terminated ASCII string 'Test String' into memory at location DS:1000h.
EB ds:1000 'Test String',0
This command moves the short real number 3.1415 into the memory location DS:1000h.
ES ds:1000 3.1415
77
SoftICE Commands
EC
F6
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Window Control
Syntax Use
EC
The EC command toggles the cursor between the Code window and the Command window: If the cursor is in the Command window, it moves to the Code window. If the cursor is in the Code window, it moves to the Command window. If the Code window is not visible when the command is entered, it is made visible. When the cursor is in the Code window, several options become available that make debugging much easier. These options are as follows: Set point-and-shoot breakpoints Set these with the BPX command. If you do not specify parameters with the BPX command (default key F9), an execution breakpoint is set at the location of the cursor position in the Code window. Go to cursor line Set a temporary breakpoint at the cursor line and begin executing with the HERE command (default key F7). Scroll the Code window The scrolling keys (UpArrow, DownArrow, PageUp and PageDn) are redened while the cursor is in the Code window:
UpArrow: Scroll Code window up one line. DownArrow: Scroll Code window down one line. PageUp: Scroll Code window up one window. PageDn: Scroll Code window down one window.
In source mode, you can scroll the Code window from the Command window using the CTRL key with one of cursor keys described above. In this mode, the following keys also have special meaning: CTRL-Home: Moves to line 1 of current source le. CTRL-End: Moves to the last line of the current source le.
Note:
The previous keys only work for source display, not for disassembled instructions.
CTRL-RightArrow: Horizontal scroll of source code right. CTRL-LeftArrow: Horizontal scroll of source code left.
78 SoftICE Command Reference
SoftICE Commands
ERESOURCE
System Information
Syntax
Display resources that are actively held by any thread Display resources that are or have been under contention (where contention count > 0) Display resources that have threads currently waiting on them Address of an ERESOURCE structure
Use
This command displays the ERESOURCE structure, a list of the threads that currently own the ERESOURCE, and a list of the threads that are waiting on the ERESOURCE. When you do not specify an address, SoftICE displays summary information about every ERESOURCE structure in ExpSystemResourceList.
Example
Enter the following command to display a list of the active resources on your system.
ERESOURCE -a
You can enter the following command to get extended information about a specic ERESOURCE structure, including thread contentions and threads waiting on the ERESOURCE.
ERESOURCE address
You can use the information you get from the commands above in combination with the following command to help nd deadlocks.
ERESOURCE -w
See Also
79
SoftICE Commands
EVENT
System Information
Syntax
EVENT [-? | -a | -lx | -nd | -o | -pd | -r | -s | -t | -x] [start-event-index [L event-count]] -? -a -lx -nd Displays descriptions of the supported command switches Turns API return display on or off. The default setting is on. When this is off, SoftICE does not display API return events. Species the stack-checking level (0x40 - 0x4000). The default setting is 0x800. Species the nesting depth used to display events. Legal values are 0 to 32 (decimal format). The default nesting level is 10. If events nest past the specied nesting depth, SoftICE does not display them as indented. Turns event logging on or off. The default setting is on. Species the SoftICE pop-up level for BoundsChecker events. The default setting is 0. 0 - SoftICE does not pop up on BoundsChecker events 1 - SoftICE pops up on errors only 2 - SoftICE pops up on all errors and warnings -r -s Clears the event buffer Displays the current status of event viewing and logging. The number of logged events is the total that have been trapped since the system was started. It is displayed in decimal format. Turns display of thread switches on or off. The default setting is on. When this option is on and event n-1 is in a different thread than event n, SoftICE displays event n in reverse video indicating a thread switch has occurred. When this option is off, SoftICE does not display thread switches. Displays all events with their parameters, as well as general summary information for each event, including elapsed time, current thread and current IRQL. If you do not specify this switch, SoftICE displays a single summary line for each event. Displays events starting at the specied event index Displays the logged events in the Command window, starting from the specied start-event-index for a length of event-count events. If you do not specify a length, SoftICE displays the events in a scrollable window starting from start-event-index (if one is specied).
-o -pd
-t
-x
start-event-index Levent-count
80
SoftICE Commands
Use
Use the EVENT command to display information about BoundsChecker events. You can display event information in the Event window or in the Command window.
Viewing Events in the Event Window
You can specify whether SoftICE displays the events in the Event window with summary or detail information. While the Event window is open, you can use F1 to expand or collapse all events. You can place the cursor on a line and double-click or press Enter to expand or collapse a single event. The Event window supports the following keys.
Enter Esc Toggles the display state of the event at the current cursor position between summary information and detail information Closes the Event window. When you re-open the Event window, SoftICE preserves the previous window state (i.e. current event, expansion state, and lters are the same). Scrolls the screen up one page Scrolls the screen down one page Moves cursor up one line. If on the top line, it scrolls the window up one line. Moves cursor down one line. If on bottom line, it scrolls window down one line. Scrolls the window left one column Scrolls the window right one column Moves the cursor to the top row. If the cursor is already on the top row, starts display at the rst event. Moves the cursor to the bottom row. If the cursor is already on the bottom, starts display at the last event. Undoes the last Home or End operation Toggles the display state of all events between summary information and detail information Displays the Event ltering dialog Displays the Parameter ltering dialog Displays error events only Closes the Event window and returns focus to the Command window. Use this key if you want to use other SoftICE commands on data that is displayed in the Event window. If you bring up the Event window again, SoftICE preserves the previous window state (i.e. current top event, expansion state, and lters are the same). Toggles the display state of API returns between showing all API returns and showing no API returns
SoftICE Command Reference 81
PageUp PageDown Up Arrow Down Arrow Shift-Left Arrow Shift-Right Arrow Home End * F1 F2 F3 F4 F
SoftICE Commands
T E S N P 0-7
Toggles the highlighting of thread switches. Thread switches are indicated by displaying the summary line of the rst event in the new thread in reverse video. Toggles the highlighting of errors on API returns. SoftICE displays the summary line of API return errors in bold Displays the event at the current cursor position at the top of the Event window Finds the next event that matches the search criteria selected with the right mouse button Finds the previous event that matches the search criteria selected with the right mouse button Filters events by CPU number on SMP machines. Each key acts as a toggle for displaying all events that occurred on a specic CPU. These keys also appear as buttons on the top line of the Event window.
In the Command window, SoftICE can display any number of events starting from any specic event index. SoftICE can display the events with summary or detail information. The summary display includes only a single line for each event. The detail display includes the summary information, as well as all event parameters. You can use the EVENT command switches to customize the display output. It is useful to view events in the Command window when you want to view a small group of functions, or when you want to save the event data to a SoftICE History le. A SoftICE History le contains current contents of the SoftICE history buffer. You can use the scroll bars in the Command window to view the contents of the SoftICE history buffer.
Example
Enter the following command at the command prompt to display events in the Event window.
EVENT
When you do not specify start-event-index or event-count, SoftICE displays the Event window in place of the Command window. You can use this command with one of the EVENT command switches or with a start-event-index to customize the display. Enter the following command at the command prompt to display events in the Command window starting at event start-event-index for a length of event-count events.
EVENT start-event-index Levent-count
See Also
EVMEM, Chapter 12, Using BoundsChecker Driver Edition, in the Using SoftICE manual.
82
SoftICE Commands
EVMEM
System Information
Syntax
Displays descriptions of the supported command switches Sorts the output by driver name Sorts the output by tag Sorts the output by size Sorts the output by pool type Displays overview information Displays only error events Displays only memory events that were allocated with that specic tag. Tags are 4 byte ASCII strings that are passed to the ExAllocatePoolWithTag API. Displays memory events for only the specied driver Displays only memory events allocated out of that specic pool. The following values are valid.
NPP PP NPPMS NPPCA PPCA NPPCAMS MMC MMNC
driver-name pool-type
Non-paged pool Pageable pool Non-paged pool, must succeed Non-paged pool cache aligned Pageable pool cache aligned Non-paged pool cache aligned, must succeed Allocated by MMAllocateContiguousMemory API Allocated by MMAllocateNonCachedMemory API
Use
Use the EVMEM command to display information about BoundsChecker memory events in the Command window. To display information about all types of events, use the EVENT command.
83
SoftICE Commands
Example
Enter the following command at the command prompt to display memory events in the Command window.
EVMEM
You can use the EVMEM command switches to customize the display, including sorting the output and displaying additional information. Enter the following command at the command prompt to display events in the Command window for driver-name
EVMEM driver-name
See Also
EVENT
84
SoftICE Commands
EXIT
Windows 3.1
Flow Control
Syntax Use
EXIT
The EXIT command attempts to abort the current DOS or Windows program by forcing a DOS exit function (INT 21h, function 4Ch). This command only works if DOS is in a state where it is able to accept the exit function call. If this call is made from certain interrupt routines, or other times when DOS is not ready, the system may behave unpredictably. Only use this call when SoftICE pops up in VM mode, or 16- or 32-bit protected mode, running at ring 3. In 32-bit, ring 0 protected mode code, an error displays. Use the EXIT command with care. Because SoftICE can be popped up at any time, a situation can occur in which DOS is not in a state to accept an exit function call. Also, the EXIT command does not reset any program-specic settings.
Example:
Caution
The EXIT command does not reset the video mode or interrupt vectors. For Windows programs, the EXIT command does not free resources.
If running under WIN32s, the EXIT command sometimes causes WIN32s to display a dialog box with the message Unhandled exception occurred. Press OK to terminate the application.
For Windows 95 and Windows NT
Example
The following command causes the current DOS or Windows program to exit.
EXIT
85
SoftICE Commands
EXP
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Symbol/Source
Syntax
module! partial-name
Display exports from the specied module only. Export symbol or the rst few characters of the name of an export symbol. The ? character can be used as a wildcard character in place of any character in the export name. Display list of modules for which SoftICE has exports loaded.
Use
Use the EXP command to show exports from Windows DLLs, Windows NT drivers, and 16bit drivers (.DRV extension) for which SoftICE has exports loaded. To tell SoftICE which DLLs and drivers to load, set the SoftICE initialization settings for Exports in Symbol Loader. The module and name parameters can be used to selectively display exports only from the specied module, and/or exports that match the characters and wildcards in the name parameter. When exports are displayed, the module name is printed rst on a line by itself, and the export names and their addresses are printed below it.
Note:
Since DLLs and drivers run in protected mode, the addresses are protected mode addresses.
This command is valid for both 16-bit and 32-bit DLLs with 16-bit exports being listed rst.
For Windows 3.1
SoftICE automatically loads exports for KERNEL, USER, and GDI. The SoftICE Loader can dynamically load 32-bit exported symbols.
For Windows NT
SoftICE automatically loads exports for KERNEL32, USER32, and GDI32. The SoftICE loader can dynamically load 32-bit exported symbols.
86
SoftICE Commands
Example
The following example of the EXP command displays all exports that begin with the string DELETE. The output shows that KERNEL.DLL has 3 exports matching the string: DELETEATOM, DELETEFILE, and DELETEPATHNAME. These routines are located at 127:E3, 11F:7D4 and 127:345A, respectively. Following the exports from KERNEL are the exports from USER and GDI, and following these begin the 32-bit exports.
EXP delete KERNEL 0127:00E3 DELETEATOM 0127:345A DELETEPATHNAME USER 176F:0C88 DELETEMENU GDI 0527:0000 047F:55FD 047F:564B 0587:A22E DELETEMETAFILE DELETEDC DELETEOBJECT DELETEENHMETAFILE 04B7:211C DELETESPOOLPAGE 054F:0192 DELETEPQ 04B7:226E DELETEJOB 011F:07D4 DELETEFILE
KERNEL32 0137:BFF97E9B DeleteAtom 0137:BFF9DC5A DeleteFileA USER32 0137:BFF62228 GDI32 0137:BFF3248F 0137:BFF3248B 0137:BFF3249F DeleteMenu DeleteColorSpace DeleteEnhMetaFile DeleteObject
The ! character is used to narrow EXPs output to only those modules which are listed on the command line to the left of the !. In the following example, no DLL or driver is specied before the !, so SoftICE simply dumps the names of all the modules for which it has exports loaded.
EXP ! KERNEL USER GDI KERNEL32 USER32 GDI32
87
SoftICE Commands
In the following example, the EXP command lists all exports within USER32.DLL that start with IS. The ! character is used here to differentiate the module name from the name qualier.
:EXP user32!is USER32 0137:BFF64290 0137:BFF64256 0137:BFF61014 0137:BFF61014 0137:BFF641E8 0137:BFF61014 0137:BFF64222 0137:BFF61014 0137:BFF61F6A 0137:BFF6480F 0137:BFF64D7C 0137:BFF64D7C 0137:BFF6101D 0137:BFF618A4 0137:BFF62F12 0137:BFF64697 0137:BFF623A5 0137:BFF649B9 0137:BFF644BF 0137:BFF646E1 0137:BFF638C4 0137:BFF64706 0137:BFF646BC IsCharAlphaA IsCharAlphaNumericA IsCharAlphaNumericW IsCharAlphaW IsCharLowerA IsCharLowerW IsCharUpperA IsCharUpperW IsChild IsClipboardFormatAvailable IsDialogMessage IsDialogMessageA IsDialogMessageW IsDlgButtonChecked IsHungThread IsIconic IsMenu IsRectEmpty IsWindow IsWindowEnabled IsWindowUnicode IsWindowVisible IsZoomed
See Also
SYMBOL, TABLE
88
SoftICE Commands
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Miscellaneous
Syntax
Starting address at which to begin lling memory. Length in bytes. List of bytes or quoted strings separated by commas or spaces. A quoted string can be enclosed with single quotes or double quotes.
Use
Memory is lled with the series of bytes or characters specied in the data-list. Memory is lled starting at the specied address and continues for the length specied by the L parameter. If the data-list length is less than the specied length, the data-list is repeated as many times as necessary. The following example lls memory starting at location DS:8000h for a length of 100h bytes with the string 'Test'. The string 'Test' is repeated until the ll length is exhausted.
F ds:8000 l 100 'test'
Example
89
SoftICE Commands
FAULTS
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Mode Control
Use the FAULTS command to turn SoftICE processor fault trapping on or off. The following example turns off fault trapping in SoftICE.
FAULTS off
See Also
SET
90
SoftICE Commands
FIBER
System Information
Syntax
FIBER [address]
address
Use
Use the FIBER command to dump a ber data structure as returned by CreateFiber(). If you do not specify an address, FIBER dumps the ber data associated with the current thread. SoftICE provides a stack trace after the dump. The following example dumps the ber data associated with the current thread.
FIBER Fiber state for the current thread: User data:004565D0 SEH Ptr:01C2FFA8 Stack top:01C30000 Stack bottom:01C2F000 Stack limit:01B30000 EBX=00000001 ESI=005862B8 EDI=004565D0 EBP=01C2FF88 ESP=01C2FC4C EIP=63011BAF a.k.a. WININET!.text+00010BAF => at 001B:00579720
Example
91
SoftICE Commands
FILE
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Symbol/Source
Syntax
FILE [[*]file-name]
* le-name
Use
The FILE command is often useful when setting a breakpoint on a line that has no associated symbol. Use FILE to bring the desired le into the Code window, use the SS command to locate the specic line, move the cursor to the specic line, then enter BPX or press F9 to set the breakpoint. If you specify le-name, that le becomes the current le and the start of the le displays in the Code window. If you do not specify le-name, the name of the current source le, if any, displays. If you specify the * (asterisk), all les in the current symbol table display. Only source les that are loaded into memory with Symbol Loader or are pre-loaded at initialization are available with the FILE command.
For Windows 95 and Windows NT
When you specify a le name in the FILE command, SoftICE switches address contexts if the current symbol table has an associated address context.
Example
Assuming main.c is loaded with the SoftICE Loader, the following command displays the le in the Code window starting with line 1.
FILE main.c
92
SoftICE Commands
FKEY
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Customization
Syntax
function-key
Key Description
Unshifted function key Shifted function key Control key plus function key Alternate key plus function key
string
Consists of any valid SoftICE commands and the special characters caret (^) and semicolon (;). Place a caret (^) at the beginning of a command to make the command invisible. Place a semicolon (;) in the string in place of Enter.
Use
Use the FKEY command to assign a string of one or more SoftICE commands to a functionkey. If you use the command without any parameters, the current function-key assignments display.
Hint:
You can also edit function key assignments by modifying the SoftICE initialization settings for Keyboard Mappings in Symbol Loader. Refer to the Using SoftICE manual for more information about customizing SoftICE.
To unassign a specied function-key, use the FKEY command with the parameters function_key_name followed by null_string. Use carriage return symbols in a function-key assignment string to assign a series of commands to a function-key. The carriage return symbol is represented by a semi-colon (;). If you put a caret ^ or press Shift-6 in front of a command name, the command becomes invisible. You can use the command like any other, but all information that normally displays in the Command window (excluding error messages) is suppressed. The invisible mode is useful when a command changes information in a window (Code, Register, or Data), but you do not want to clutter the Command window. You can also use the plus sign (+) to assign an incomplete command to a function-key. When the function key is pressed, SoftICE displays the partial command in the command line so that the user can complete it.
93
SoftICE Commands
SoftICE implements the function-keys by inserting the entire string into its keyboard buffer. The function-keys can therefore be used anyplace where a valid command can be typed. If you want a function key assignment to be in effect every time you use SoftICE, initialize the keyboard mappings within your SOFTICE conguration settings. Refer to Chapter 10, Customizing SoftICE in the Using SoftICE guide.
Example
The following example assigns the command to toggle the Register window command (WR) to the F2 function-key. The caret ^ makes the function invisible, and the semicolon ; ends the function with a carriage return. After you enter this command, you can press the F2 key to toggle the Register window on or off.
FKEY f2 ^wr;
The following example shows that multiple commands can be assigned to a single function and that partial commands can be assigned for the user to complete. After you enter this command, pressing the Ctrl F1 key sequence causes the program to execute until location CS:8028F000h is reached, displays the stack contents, and starts the U command for the user to complete.
FKEY cf1 g cs:8028f000;d ss:esp;u cs:eip+
After you enter the following example, pressing the F1 key makes the Data window three lines long and dumps data starting at 100h in the segment currently displayed in the Data window.
FKEY f1 wd 3;d 100;
The following example assigns commands to the F1 key to toggle the Register window, create a Locals window of length 8, and a Code window of length 10.
FKEY f1 wr;wl 8;wc 10;
94
SoftICE Commands
FLASH
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Window Control
Syntax Use
Use the FLASH command to specify whether the Windows screen restores during any T (trace) and P (step over) commands. If you specify that the Windows screen is to be restored, it is restored for the brief time period that the P or T command is executing. This feature is needed to debug sections of code that access video memory directly. In most cases, if the routine being called writes to the Windows screen, and the P command executes across such a call, the screen restores. However, when you are debugging protected mode applications, such as VxDs or Windows applications, with FLASH off, SoftICE restores the screen only if the display driver is called before the call is completed. If you do not specify a parameter, the current state of FLASH displays. The default is FLASH OFF.
Example
The following command turns on FLASH mode. The Windows screen restores during any subsequent P or T commands.
FLASH on
See Also
SET
95
SoftICE Commands
FMUTEX
System Information
Syntax
FMUTEX [ expression ]
expression
Use
The FMUTEX command displays information about the mutant object identied by the expression you specify. You must enter an expression to get data, since this is not itself a Windows NT object. The expression parameter is something that would not generally be considered a name. That is, it is a number, a complex expression (an expression which contains operators, such as Explorer + 0), or a register name.
Example
See Also
KMUTEX
96
SoftICE Commands
FOBJ
System Information
Syntax
FOBJ [fobj-address]
fobj-address
Use
The FOBJ command displays the contents of kernel le objects. The command checks for the validity of the specied le object by insuring that the device object referenced by it is a legitimate device object. The elds shown by SoftICE are not documented in their entirety here, as adequate information about them can be found in NTDDK.H in the Windows NT DDK. A few elds deserve special mention, however, because device driver writers nd them particularly useful: DeviceObject Vpb FSContext1 and FSContext2 This eld is a pointer to the device object associated with the le object. This is a pointer to the volume parameter block associated with the le object (if any). These are le system driver (FSD) private elds that can serve as keys to aid the driver in determining what internal FSD data is associated with the object.
Other elds of interest, whose purpose should be fairly obvious, include the access protection booleans, the Flags, the FileName and the CurrentByteOffset.
Example
SoftICE Commands
WriteAccess DeleteAccess SharedRead SharedWrite SharedDelete Flags FileName CurrentByteOffset Waiters Busy LastLock* &Lock &Event ComplContext*
: : : : : : : : : : : : : :
True False True True False 00040002 FO_SYNCHRONOUS_IO | FO_HANDLE_CREATED \G:\SS\data\status.dat 00 00000000 00000000 00000000 FD877294 FD8772A4 00000000
98
SoftICE Commands
FORMAT
Shift-F3
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Window Control
Syntax Use
FORMAT
Use the FORMAT command to change the display format in the currently displayed Data window. FORMAT cycles through the display formats in the following order: byte, word, dword, short real, long real, 10-byte real, and then byte again. Each call to FORMAT changes the window to the next display format in this order. This command is most useful when assigned to a function key. The default function key assignment is Shift-F3. Shift-F3 is also supported while editing in the Data window. The following example changes the Data window to the next display format in the sequence byte, word, dword, short real, long real, and 10-byte real.
FORMAT
Example
99
SoftICE Commands
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Flow Control
Go to an address.
Syntax
G [=start-address] [break-address]
=start-address break-address
Any expression that resolves to a valid address is acceptable. Any expression that resolves to a valid address is acceptable.
Use
The G command exits from SoftICE. If you specify break-address, a single one-time execution breakpoint is set on that address. In addition, all sticky breakpoints are armed. Execution begins at the current CS:EIP unless you supply the start-address parameter. If you supply the start-address parameter, execution begins at start-address. Execution continues until the break-address is encountered, the SoftICE pop-up key sequence is used, or a sticky breakpoint is triggered. When SoftICE pops up, for any reason, the one-time execution breakpoint is cleared. The break-address must be the rst byte of an instruction opcode. The G command without parameters behaves the same as the X command. If the Register window is visible when SoftICE pops up, all registers that have been altered since the G command was issued are displayed with the bold video attribute.
For Windows 3.1
The non-sticky execution breakpoint uses debug registers unless none are available. If none are available, it uses an INT 3 instruction.
Example
100
SoftICE Commands
GDT
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
System Information
Syntax
GDT [selector]
selector
Use
The GDT command displays the contents of the Global Descriptor Table. If you specify an optional selector, only information on that selector is listed. If the specied selector is a local descriptor table (LDT) selector (that is, bit 2 is a 1), SoftICE automatically displays information from the LDT, rather than the GDT. The base linear address and the limit of the GDT is shown at the top of the GDT commands output. Each subsequent line of the output contains the following information: selector value selector type The lower two bits of this value reects the descriptor privilege level. One of the following:
Type Description
Output
Code16 Data16 Code32 Data32 LDT TSS32 TSS16 CallG32 CallG16 TaskG32 TaskG16 TrapG32
16-bit code selector 16-bit data selector 32-bit code selector 32-bit data selector Local Descriptor Table selector 32-bit Task State Segment selector 16-bit Task State Segment selector 32-bit Call Gate selector 16-bit Call Gate selector 32-bit Task Gate selector 16-bit Task Gate selector 32-bit Trap Gate selector
101
SoftICE Commands
Type
Description
16-bit Trap Gate selector 32-bit Interrupt Gate selector 16-bit Interrupt Gate selector Reserved selector
selector base selector limit selector DPL present bit segment attributes
Linear base address of the selector. Size of the selectors segment. The selector's descriptor privilege level (DPL), which is either 0, 1, 2 or 3. P or NP, indicating whether the selector is present or not present. One of the following:
Value Description
RW RO RE EO B ED
Data selector is readable and writable. Data selector is read only. Code selector is readable and executable. Code selector is execute only. TSS's busy bit is set. Expand down data selector.
Example
The following command shows abbreviated output from the GDT command.
GDT Sel. Type Base Limit GDTbase=C1398000 Limit=0FFF 0008 Code16 00017370 0000FFFF 0010 Data16 00017370 0000FFFF 0018 TSS32 C000AEBC 00002069 0020 Data16 C1398000 00000FFF 0028 Code32 00000000 FFFFFFFF 0030 Data32 00000000 FFFFFFFF 003B Code16 C33E9800 000007FF 0043 Data16 00000400 000002FF 0048 Code16 00013B10 0000FFFF 0050 Data16 00013B10 0000FFFF 0058 Reserved 00000000 0000FFFF 0060 Reserved 00000000 0000FFFF DPL 0 0 0 0 0 0 3 3 0 0 0 0 Attributes P P P P P P P P P P NP NP RE RW B RW RE RW RE RW RE RW
102
SoftICE Commands
GENINT
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Flow Control
Syntax
Forces a non-maskable interrupt. Forces an INT1 interrupt. Forces an INT3 interrupt. For Windows 3.1 and Windows 95: Valid interrupt number between 0 and 5Fh. For Windows NT: Valid interrupt number between 0 and FFh.
Use
The GENINT command forces an interrupt to occur. Use this function to hand off control to another debugger you are using with SoftICE, and to test interrupt routines. The GENINT command simulates the processing sequence of a hardware interrupt or an INT instruction. It vectors control through the current IDT entry for the specied interrupt number.
Warning: You must ensure that there is a valid interrupt handler before using this command.
SoftICE does not know if there is a handler installed. Your machine is likely to crash you issue this command without a handler. GENINT cannot be used to simulate a processor fault that pushes an exception code. For example, GENINT cannot simulate a general protection fault.
Example
The following command forces a non-maskable interrupt. It gives control back to CodeView for DOS, if you use SoftICE as an assistant to CodeView for DOS.
GENINT nmi
103
SoftICE Commands
When the command I3HERE==ON, and you are using a level -3 debugger, such as BoundsChecker, SoftICE traps on any INT 3 breakpoints installed by the level-3 debugger. The following example shows how to avoid this situation. Set I3HERE==OFF, and use the GENINT command to reactivate the breakpoint. This returns control to the level -3 debugger, and SoftICE does not trap subsequent INT 3s.
I3HERE off GENINT 3
104
SoftICE Commands
H
F1
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Miscellaneous
Syntax
For Windows 3.1 H [command | expression] For Windows 95 and Windows NT H [command]
Use
Under Windows 3.1, the parameter you supply determines whether help is displayed or an expression is evaluated. If you specify a command, help displays detailed information about the command, including the command syntax and an example. If you specify an expression, the expression is evaluated, and the result is displayed in hexadecimal, decimal, signed decimal (only if < 0), and ASCII.
For Windows 95 and Windows NT
Under Windows 95 and Windows NT, the H command displays help on SoftICE commands. (Refer to ? on page 3 for information about evaluating expressions under Windows 95 and Windows NT.) To display general help on all the SoftICE commands, enter the H command with no parameters. To see detailed information about a specic command, use the H command followed by the name of the command on which you want help. Help displays a description of the command, the command syntax, and an example.
Example
See Also
105
SoftICE Commands
HBOOT
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Flow Control
Syntax Use
HBOOT
The HBOOT command resets the computer system. SoftICE is not retained in the reset process. HBOOT is sufcient unless an adapter card requires a power-on reset. In those rare cases, the machine power must be recycled. HBOOT performs the same level of system reset as pressing Ctrl-Alt-Delete when not in SoftICE.
Example
106
SoftICE Commands
HEAP
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
System Information
Syntax
Display only global heap entries that contain a local heap. Display only heap entries marked as FREE. Name of the module. LDT selector.
Use
For Windows 95
For 16-bit modules, the HEAP command works the same as it does under Windows 3.1.
For Windows NT
For 16-bit modules, the HEAP command works the same as it does under Windows 3.1, but is process-specic. You must be in a NTVDM process that contains a WOW (Windows on Windows) box.
For Windows 95, refer to HEAP32 on page 110. For Windows NT, refer to HEAP32 on page 113. For Windows 3.1
The HEAP command displays the Windows global heap in the Command window. If you do not specify parameters, the entire global heap displays. If you specify FREE, only heap entries marked as FREE display. If you specify the module name, only heap entries belonging to the module display. If you specify an LDT selector, only a single heap entry corresponding to the selector displays. At the end of the listing, the total amount of memory used by the heap entries that displayed is shown. If the current CS:EIP belongs to one of the heap entries, that entry displays with the bold video attribute. If there is no current LDT, the HEAP command is unable to display heap information.
107
SoftICE Commands
Output
For each heap entry the following information displays: selector or handle In Windows 3.1, this is almost the same thing. Heap selectors all have a dpl of 3 while the corresponding handle is the same selector with a dpl of 2. For example, if the handle was 106h the selector would be 107h. Use either of these in an expression. 32-bit at virtual address. Size of the heap entry in bytes. Module name of the owner of the heap entry. Type of entry. One of the following:
Type Description
Non-discardable code segment Discardable code segment Data segment Module data base segment Task data base segment Burger Master (The heap itself ) Allocated memory Windows Resource
Additional Type Information If the heap entry is a code or a data segment, the segment number from the .EXE le displays. If the heap entry is a resource, one of the following resource types may display:
UserDef Cursor Bitmap Icon Menu Dialog String FontGrp Font Accel ErrTable CursGrp IconGrp NameTabl
108
SoftICE Commands
Example
The following example displays all heap entries belonging to the KERNEL module.
HEAP kernel Han/Sel 00F5 00FD 0575 0106 010E 0096 Address 000311C0 00031680 00054220 00083E40 805089A0 80520440 Length 000004C0 00007600 00003640 00002660 00001300 00000C20 Owner KERNEL KERNEL KERNEL KERNEL KERNEL KERNEL Type ModuleDB Code Alloc Code D Code D Alloc 02 03 01 Seg/Rsr
Total Memory:62K
See Also
For Windows 95, refer to HEAP32 on page 110. For Windows NT, refer to HEAP32 on page 113.
109
SoftICE Commands
HEAP32
System Information
Syntax
hheap32 task-name
Use
For Windows 95
The HEAP32 command displays the following: KERNEL32 default system heap. Private heaps of processes created through the HeapCreate( ) function. Two Ring-0 heaps created by VMM. The rst one displayed is the pagelocked heap, and the second is the pagetable heap. One Ring-0 heap for every existing virtual machine.
For Windows 3.1, Windows 95, and Windows NT, refer to HEAP on page 107. For Windows NT, refer to HEAP32 on page 113.
If you provide a process name, SoftICE displays the entire default process heap for that process, and the address context automatically changes to that of the process. To view a nondefault heap for a process, specify the heap base address instead of the process name. The debug versions of Windows 95 provide extra debugging information for each heap element within a heap. To see this information, you must be running the appropriate debug version, as follows: For KERNEL32 Ring-3 heaps, have the SDK debug version installed. For VMM Ring-0 heaps, have the DDK debug version of VMM installed.
Output
For each heap entry, the following information displays: HeapBase MaxSize Committed Address at which the heap begins. Current maximum size to which the heap can grow without creating a new segment. Number of kilobytes of committed memory that are currently present in physical memory.
110
SoftICE Commands
Segments Type
Number of segments in the heap. Each time the heap grows past the current maximum size, a new heap segment is created.
Heap Type Description
Ring 3 heap created by an application process. Ring 3 default heap for KERNEL32. Ring 0 heap created by VMM. Heap created by VMM for a specic Virtual Machine to hold data structures specic to that VM.
Owner
Address of the heap element Size in bytes of the heap element If the heap element is a free block, the word FREE appears; otherwise, the eld is blank.
When the appropriate debug versions of the SDK and DDK are installed, the following extra information appears for each heap element:
Heap Element Description
EIP address of the code that allocated the heap element. VMM thread-id of the allocating thread Nearest symbol to the EIP address
111
SoftICE Commands
Example
See Also
For Windows 3.1, Windows 95, and Windows NT, refer to HEAP on page 107. For Windows NT, refer to HEAP32 on page 113.
112
SoftICE Commands
HEAP32
System Information
Syntax
Walk the heap, showing information about each heap entry. Show an extended summary of a 32-bit heap. Provide a segment summary for a heap. Validate a heap or heap-entry. Show base address and sizes of heap entry headers. Display a heap trace buffer. 32-bit heap handle. Heap allocated block returned by HeapAlloc or HeapRealloc. Process name, process-id, or process handle (KPEB).
Use
All HEAP32 options and parameters are optional. If you do not specify options or parameters, a basic heap summary displays for every heap in every process. If a parameter is specied without options, a summary will be performed for the heap-entry, heap, or in the case of a process-type, a summary for each heap within the process.
Note:
All 16-bit HEAP functionality still works. Refer to HEAP on page 107 for Windows 3.1. This information only applies to HEAP32.
For Windows 3.1, Windows 95, and Windows NT, refer to HEAP on page 107. For Windows 95, refer to HEAP32 on page 110.
The walk option (-w) walks a heap, showing the state of each heap-entry on a heap. Walk is the default option if you specify a heap handle without other options.
The Extended Option
The extended option (-x) displays a detailed description of all useful information about a heap, including a segment summary and a list of any Virtually Allocated Blocks (VABs) or extra UnCommitted Range (UCR) tables that may have been created for the heap.
113
SoftICE Commands
The segment option (-s) displays a simple summary for the heap and for each of its heapsegments. Segments are created to map the linear address space for a region of a heap. A heap can be composed of up to sixteen segments.
The Validate Option
The validate option (-v) completely validates a single heap-entry, or a heap and all of its components, including segments, heap-entries, and VABs. In most cases, the heap validation is equivalent to or stricter than the Win32 API Heap functions. The validate option is the only option that takes a heap-entry parameter as input. All other options work with heap handles or process-types. If the heap is valid, an appropriate message displays. If the validation fails, one of the following error messages appears. For a block whose header is corrupt, SoftICE displays the following message:
Generic Error: 00140BD0 is not a heap entry, or it is corrupt Specific Error: 00140BD0: Backward link for Block is invalid
For a block whose guard-bytes have been overwritten, SoftICE displays the following message:
Allocated block: 00140BD0: Block BUSY TAIL is corrupt
Note:
If you run your application under a debugger, for example, BoundsChecker or Visual C++, each allocated block has guard-bytes, and each free block is marked with a pattern so that random overwrites can be detected.
For a free block that has been written to, subsequent to being freed, SoftICE displays the following message:
Free block: 00140E50: Free block failed FREE CHECK at 141E70 The Base Option
Use the base option (-b) to change the mode in which addresses and heap entry sizes display. Under normal operation, all output shows the address of the heap-entry data, and the size of the user data for that block. When you specify the base option, all output shows the address of the heap-entry header, which precedes each heap-entry, and the size of the full heap-entry. The size of the full heap-entry includes the heap-entry header, and any extra data allocated for guard-bytes or to satisfy alignment requirements. Under most circumstances you only specify base addressing when you need to walk a heap or its entries manually. When you use the base option, the base address for each heap-entry is 8 bytes less than when base is not specied, because the heap-entry header precedes the actual heap-entry by 8 bytes. Secondly, the size for the allocated blocks is larger because it includes an additional 8 bytes for the heap-entry header, guard-bytes, and any extra bytes needed for proper alignment. The
114
SoftICE Commands
output from the base option is useful for manually navigating between adjacent heap entries, and for checking for memory overruns between the end of the heap-entry data and any unused space prior to the guard-bytes. The guard-bytes are always allocated as the last two DWORDs of the heap entry.
Note:
The base option has no effect on input parameters. Heap-entry addresses are always assumed to be the address of the heap-entry data.
Use the trace option (-trace) to display the contexts of a heap trace buffer which record actions that occur within a heap. Heap trace buffers are optional and are generally not created. To enable tracing in the Win32 API, specify the HEAP_CREATE_ENABLE_TRACING ag as one of the ags to ntdll!RtlCreateHeap. You cannot use this option with Kernel32!HeapCreate( ) because it strips out all debug-ags before calling ntdll!RtlCreateHeap. You must also run the application under a level-3 debugger, for example, BoundsChecker or the Visual C++ debugger, so that the Win32 heap debugging options will be enabled. Any time you pass a process-type as a parameter, any and all options are performed for each heap within the process. The HEAP32 command and all of its options work on either a single specied heap handle or ALL the heaps for an entire process.
Example:
The following command performs a heap validation for all the heaps in the Test32 process:
HEAP 32 -v test32
When you specify a bare (for example, 0x140000), SoftICE assumes it is in the current context. You can use the ADDR command to change to the appropriate context, if necessary. In some cases, the actual physical memory that backs a particular linear address will not be present in memory, because it has been paged out by the operating system. In these cases, the HEAP32 command detects, avoids, and, where possible, continues to operate without the not-present pages. If not-present memory prevents the HEAP32 command from performing its work, you are notied of that condition. When possible the HEAP32 command skips not-present pages and continues processing at a point where physical memory is present. Because not-present memory prevents the HEAP32 command from performing a full validation of a heap, the validation routines indicate success, but let you know that only a partial validation could be performed.
Output
Base Id Cmmt/Psnt/Rsvd
Base address of the heap, that is, the heap handle. Heap ID. Amount of committed, present, and reserved memory used for heap entries.
SoftICE Command Reference 115
SoftICE Commands
Number of heap segments within the heap. Heap ags, for example, HEAP_GROWABLE (0x02). Process that owns the heap.
If you specify the -W switch, the following information displays: Base Type This is the address of the heap entry. Type of the heap entry.
Heap Entry Description
Represents the heap header. Represents a heap segment. Active heap entry Inactive heap entry Virtually allocated block (VAB)
Size of the heap-entry. Typically, this is the number of bytes available to the application for data storage. Heap segment in which the heap-entry is allocated. Heap entry ags.
If you specify the -S switch, the following additional information displays: Seg# Segment Range Cmmt/Psnt/Rsvd Max UCR Segment number of the heap segment. Linear address range that this segment maps to. Amount of committed, present, and reserved memory for this heap segment. Maximum uncommitted range of linear memory. This value species the largest block that can be created within this heap segment.
116
SoftICE Commands
Example
The following example displays a basic heap summary for every heap in every process.
HEAP32 Base Id Cmmt/Psnt/Rsvd 0013/0013/00ED 0008/0008/00F8 001C/001A/0024 0005/0005/001B 00F6/00F1/001A 000B/000B/0005 002D/002D/02D3 0003/0003/0001 0016/0014/00EA Segments 1 1 1 1 2 1 1 1 1 Flags Process
00000002 csrss 00007008 csrss 00004003 csrss 00006009 csrss 00003002 csrss 00005002 csrss 00006009 csrss 00001062 csrss 00001001 csrss
See Also
For Windows 3.1, Windows 95, and Windows NT, refer to HEAP on page 107. For Windows 95, refer to HEAP32 on page 110.
117
SoftICE Commands
HERE
F7
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Flow Control
Syntax Use
HERE
When the cursor is in the Code window, the HERE command executes until the program reaches the current cursor line. HERE is only available when the cursor is in the Code window. If the Code window is not visible or the cursor is not in the Code window, use the G command instead. Use the EC command (default key F6), if you want to move the cursor into the Code window. To use the HERE command, place the cursor on the source statement or assembly instruction to which you want to execute. Enter HERE or press the function key that HERE is programmed to (default key F7). The HERE command sets a single, one-time execution breakpoint set at the address of the current cursor position, arms all sticky breakpoints, and exits from SoftICE. Execution begins at the current CS:EIP and continues until the execution breakpoint is encountered, the window pop-up key sequence is used, or a sticky breakpoint occurs. When SoftICE pops up, for any of these reasons, the one-time execution breakpoint is cleared. If the Register window is visible when SoftICE pops up, all registers that have been altered since the HERE command was issued display with the bold video attribute.
For Windows 3.1
The non-sticky execution breakpoint uses debug registers unless none are available, in which case, it uses an INT 3 instruction.
Example
The following command sets an execution breakpoint at the current cursor position, exits from SoftICE, and begins execution at the current CS:EIP.
HERE
118
SoftICE Commands
HS
System Information
Syntax Use
HS [ - | + ] string
You can search forward (which is the default) using the '+', or backward, using '-'. If you enter this command without parameters, SoftICE uses the previous search, starting from the last string found. Use single quotation marks to search for text that includes spaces.
Example
Enter the following command to nd the rst load notications for the net module in the history buffer.
:hs 'load32 mod=net'
See Also
S, SS
119
SoftICE Commands
HWND
System Information
Syntax
For Windows 3.1 HWND [level] [task-name] For Windows 95 HWND [-x][hwnd | [[level][process-name]]
level
Windows hierarchy number. 0 is the top level, 1 is the next level and so on. The window levels represent a parent child relationship. For example, a level 1 window has a level 0 parent. Any currently loaded Windows task. These names are available with the TASK command. Display extended information about a window. Windows handle. Name of any currently loaded process.
Use
Specifying a window handle as a parameter displays only the information for that window handle. If you specify a window handle, you do not need to specify the optional parameters for level and process-name. For each window handle, the following information is displayed: Class Name Window Procedure Class name or atom of class that this window belongs to. Address of the window procedure for this window.
Output
120
SoftICE Commands
Example
The following example displays the output of the HWND command fro the MSWORD process with no other parameters set.
HWND msword Handle 0F4C(0) 0FD4(1) 22C4(1) 53E0(2) 2764(2) 2800(3) 2844(3) 2428(2) 2888(2) hQueue 087D 080D 087D 087D 087D 087D 087D 087D 087D QOwner MSWORD MSWORD MSWORD MSWORD MSWORD MSWORD MSWORD MSWORD MSWORD Class #32769 #32768 OpusApp OpusPmt a_sdm_Msft OpusFedt OpusFedt OpusIconBar OpusFedt Procedure DESKTOP MENUWND 0925:0378 0945:1514 0F85:0010 0F85:0020 0F85:0020 0945:14FE 0945:14D2
The following example displays part of the output follows of the HWND command for the WINWORD process with the -x option set. The -x option displays extended information about a window.
HWND -x winword Window Handle Parent Child Next Owner Window RECT Client RECT hQueue Size QOwner hrgnUpdate wndClass Class : (0288) Level (1) : 16A7:000204CC : NULL : 16A7:00020584 : NULL : (9,113) - (210,259) : (10,114) - (189,258) : 1C97 : 16 : WINWORD : NULL : 16A7:281C : ListBox
121
SoftICE Commands
Window Handle hInstance lpfnWndProc dwFlags1 dwStyle dwExStyle dwFlags2 ctrlID/hMenu WndText unknown1 propertyList lastActive hSystemMenu unknown2 unknown3 classAtom unknown4 unknown5
: (0288) Level (1) : (349E) (16 bit hInstance) : 2417:000057F8 : 40002 : 44A08053 : 88 : 0 : 03E8 : NULL : 4734 : NULL : NULL : NULL : 0 : 0000 : C036 : 4CAC : A0000064
See Also
122
SoftICE Commands
HWND
System Information
Syntax
Extended. Display extended information about each window handle. Children. Force the display of the window hierarchy when searching by thread-type, module-type, or class-name. Window handle or pointer to a window structure. Desktop handle or desktop pointer to a window structure (3.51 only). Window owner-type. A value that SoftICE can interpret as being of a specic type such as process name, thread ID, or module image base. Name of a registered window class.
Use
The HWND command enumerates and displays information about window handles. The HWND command allows you to isolate windows that are owned by a particular process, thread or module, when you specify a parameter of the appropriate type.
For Windows 3.1 and Windows 95, refer to HWND on page 120.
The extended option (-x) shows extended information about each window. When you specify the extended option, or an owner-type (process-type, thread-type, or module-type) as a parameter, the HWND command will not automatically enumerate child windows. Specifying the children option (-c) forces all child windows to be enumerated regardless of whether they meet any specied search criteria. For each HWND that is enumerated, the following information is displayed: Handle HWND handle (refer to OBJTAB on page 169 for more information). Each window handle is indented to show its child and sibling relationships to other windows. Registered class name for the window, if available (refer to CLASS on page 51 for more information). Address of the message callback procedure. Depending on the callback type, this value is displayed as a 32-bit at address or 16-bit selector:offset.
SoftICE Command Reference 123
Output
Class WinProc
SoftICE Commands
TID Module
Owning thread ID. Owning module name (if available). If the module name is unknown, the module handle will be displayed as a 32-bit at address or 16-bit selector:offset, depending on the module type.
Example
The following example uses the HWND command without parameters or options.
HWND Handle 01001E 050060 010044 010020 Class #32769 (Desktop) #32770 (Dialog) SAS window class #32768 (PopupMenu) WinProc 5FBFE425 60A29304 022A49C4 5FBEDBD5 5FBFE425 5FBEDBD5 0101775E 01012A4E 010216C4 01028C85 01022F69 712188A8 7120B43A 7120B43A 016E18F1 034F:2918 77C2D88B 77C2D73B 77C2D88B 77C2DCF2 77C2D73B 71E6869A 71E6869A 71E6869A 71E6869A 0100D7F3 5FC216AB 60A2779D 0BB7:0776 01F9F7A8 5FCD23C7 03CF:0B3E TID 24 18 18 24 24 24 67 67 67 67 67 67 67 67 4B 2C 2C 2C 67 67 67 67 67 67 67 67 67 67 78 78 2B 78 Module winsrv winlogon winlogon winsrv winsrv winsrv Explorer Explorer Explorer Explorer Explorer Explorer Explorer Explorer nddeagnt OLE2 ole32 ole32 ole32 ole32 ole32 shell32 shell32 shell32 shell32 Explorer winsrv 00000000 MMSYSTEM WOWEXEC winsrv WOWEXEC
010022 #32769 (Desktop) 010024 #32768 (PopupMenu) 030074 Shell_TrayWnd 030072 Button 0800AA TrayNotifyWnd 03003E TrayClockWClass 030078 MSTaskSwWClass 030076 SysTabControl32 05007A tooltips_class32 03003C tooltips_class32 2E00F0 NDDEAgnt 1C0148 9B0152 3200F2 0800A2 030086 030088 03008A 03008C 030070 04007C 0400CC 0300CA 0300C6 0300C0 0300D2 060062 0300B4 CLIPBOARDWNDCLASS DdeCommonWindowClass OleObjectRpcWindow DdeCommonWindowClass OleMainThreadWndClass OleObjectRpcWindow ProxyTarget ProxyTarget ProxyTarget ProxyTarget OTClass DDEMLEvent DDEMLMom #42 WOWFaxClass ConsoleWindowClass WOWExecClass
124
SoftICE Commands
67 67 67 67
The output from the previous example enumerates two desktop windows (handles 1001E and 10022), each with its own separate window hierarchy. This is because the system can create more than one object of type Desktop, and each Desktop object has its own Desktop Window which denes the window hierarchy. If you use the HWND command in a context that does not have an assigned Desktop, the HWND command enumerates all objects of type Desktop. Because the system may create more than one object of type Desktop, the HWND command accepts a Desktop-type handle as a parameter. This allows the window hierarchy for a specic Desktop to be enumerated. You can use the command OBJTAB DESK to enumerate all existing desktops in the system.
The following is an example of using the HWND command with a specic window handle.
HWND 400a0 Handle 0400A0 Class Progman WinProc 0101B1D3 TID 74 Module Explorer
The following is an example of enumerating only those windows owned by thread 74.
HWND 74 Handle Class 2F00F0 Shell_TrayWnd 0500CE Button 0500C4 TrayNotifyWnd 040074 TrayClockWClass 0500C6 MSTaskSwWClass 0400C8 SysTabControl32 3700F2 tooltips_class32 040066 tooltips_class32 0F00BC DdeCommonWindowClass 040068 OleMainThreadWndClass 0500CC OleObjectRpcWindow 2600BA ProxyTarget 0400D0 ProxyTarget 0400CA ProxyTarget 070094 ProxyTarget 04009E OTClass 480092 DDEMLEvent 09004A DDEMLMom WinProc 0101775E 01012A4E 010216C4 01028C85 01022F69 712188A8 7120B43A 7120B43A 77C2D88B 77C2DCF2 77C2D73B 71E6869A 71E6869A 71E6869A 71E6869A 0100D7F3 5FC216AB 60A2779D TID 74 74 74 74 74 74 74 74 74 74 74 74 74 74 74 74 74 74 Module Explorer Explorer Explorer Explorer Explorer Explorer Explorer Explorer ole32 ole32 ole32 shell32 shell32 shell32 shell32 Explorer winsrv 00000000
125
SoftICE Commands
74 74 74 74
A process-name always overrides a module of the same name. To search by module, when there is a name conict, use the module handle (base address or module-database selector) instead. Also, module names are always context sensitive. If the module is not loaded in the current context (or the CSRSS context), the HWND command interprets the module name as a class name instead.
The following example shows the output when the extended option (-x) is used.
HWND -x 400a0 Hwnd Class Name Module Window Proc Win Version Title Desktop Parent 1st Child Style Ex. Style Window Rect Client Rect : : : : : : : : : : : : : 0400A0 (7F2D7148) Progman Explorer 0101B1D3 4.00 Program Manager 02001F (00402D58) 010022 (7F2D0C28) 0500C0 (7F2D7600) CLIPCHILDREN | CLIPSIBLINGS | VISIBLE | POPUP TOOLWINDOW | A0000000 0, 0, 1024, 768 (1024 x 768) 0, 0, 1024, 768 (1024 x 768)
See Also
For Windows 3.1 and Windows 95, refer to HWND on page 120.
126
SoftICE Commands
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
I/O Port
Syntax
I[size] port
size
Value Description
B W D
port
Port address.
Use
You use the I command to read and display a value from a specied hardware port. Input can be done from byte, word, or dword ports. If you do not specify size, the default is byte. Except for the interrupt mask registers, the I command does an actual I/O instruction, so it is displays the actual state of the hardware port. However, in the case of virtualized ports, the actual data returned by the I command may not be the same as the virtualized data that an application would see. The only ports that SoftICE does not do I/O on are the interrupt mask registers (Port 21 and A1). For those ports, SoftICE shows the value that existed when SoftICE popped up.
Example
The following example performs an input from port 21, which is the mask register for interrupt controller one.
I 21
127
SoftICE Commands
I1HERE
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Mode Control
Syntax Use
Use the I1HERE command to specify that any embedded interrupt 1 instruction brings up the SoftICE screen. This feature is useful for stopping your program in a specic location. When I1HERE is on, SoftICE checks to see whether an interrupt is really an INT 1 in the code before popping up. If it is not an INT 1, SoftICE will not pop up. To use this feature, place an INT 1 into the code immediately before the location where you want to stop. When the INT 1 occurs, it brings up the SoftICE screen. At this point, the current EIP is the instruction after the INT 1 instruction. If you do not specify a parameter, the current state of I1HERE displays. The default is I1HERE off. This command is useful when you are using an application debugging tool such as BoundsChecker. Since these tools rely on INT 3s for breakpoint notications, I1HERE allows you to use INT 1s as hardwired interrupts in your code without triggering the application debugger.
For Windows 3.1 and Windows 95
VMM, the Windows memory management VxD, executes INT 1 instructions prior to certain fatal exits. If you have I1HERE ON, you can trap these. The INT 1s generated by VMM are most often caused by a page fault with the registers set up as follows: EAX=faulting address ESI points to an ASCII message EBP points to a CRS (Client Register Structure as dened in the DDK include le VMM.INC).
Example
The following example turns on I1HERE mode. Any INT 1s generated after this point bring up the SoftICE screen.
I1HERE on
128
SoftICE Commands
I3HERE
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Mode Control
Syntax
DRV
Enable INT 3 handling above 2GB only. This supports trapping of a drivers call to DebugBreak().
Use
Use the I3HERE command to specify that any interrupt 3 instruction pops up SoftICE. This feature is useful for stopping your program in a specic location. To use this feature, set I3HERE on, and place an INT 3 instruction into your code immediately before the location where you want to stop. When the INT 3 occurs, it brings up the SoftICE screen. At this point, the current EIP is the instruction after the INT 3 instruction. If you are developing a Windows program, the DebugBreak( ) Windows API routine performs an INT 3. If you do not specify a parameter, the current state of I3HERE displays.
Note:
If you are using an application debugging tool such as the Visual C debugger or NuMegas BoundsChecker, you should place INT 1s in your code instead of INT 3s. Refer to I1HERE on page 128.
Example
The following example turns on I3HERE mode. Any INT 3s generated after this point cause SoftICE to pop up.
I3HERE on
When the command I3HERE==ON, and you are using a level -3 debugger, such as BoundsChecker, SoftICE traps on any INT 3 breakpoints installed by the level-3 debugger. The following example shows how to avoid this situation. Set I3HERE==OFF, and use the GENINT command to reactivate the breakpoint. This returns control to the level -3 debugger, and SoftICE does not trap further INT 3s.
I3HERE off GENINT 3
See Also
129
SoftICE Commands
IDT
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
System Information
Syntax
IDT [interrupt-number]
interrupt-number
Use
The IDT command displays the contents of the Interrupt Descriptor Table after reading the IDT register to obtain its address. The IDT command without parameters displays the IDTs base address and limit, as well as the contents of all entries in the table. If you specify an optional interrupt-number, only information about that entry is displayed.
For Windows NT
Almost all interrupt handlers reside in NTOSKRNL, so it is very useful to have exports loaded for it so that the handler names are displayed.
Note:
NTOSKRNL must be the current symbol table (refer to TABLE on page 219) to view symbol names.
Output
Each line of the display contains the following information: interrupt number interrupt type 0 - 0FFh (5Fh for Windows 3.1, Windows 95). One of the following:
Type Description
32-bit Call Gate 16-bit Call Gate Task Gate 16-bit Trap Gate 32-bit Trap Gate 32-bit Interrupt Gate 16-bit Interrupt Gate
address
130 SoftICE Command Reference
SoftICE Commands
Selector's descriptor privilege level (DPL), which is either 0, 1, 2 or 3. P or NP, indicating whether the entry is present or not present. For Windows 95 and Windows NT only: Symbol or owner name plus the offset from that symbol or owner.
Example
The following command shows partial output of the IDT command with no parameters.
IDT Int Type Sel:Offset IDTbase=C000ABBC Limit=02FF 0000 IntG32 0028:C0001200 0001 IntG32 0028:C0001210 0002 IntG32 0028:C00EEDFC 0003 IntG32 0028:C0001220 0004 IntG32 0028:C0001230 0005 IntG32 0028:C0001240 0006 IntG32 0028:C0001250 0007 IntG32 0028:C0001260 0008 TaskG 0068:00000000 0009 IntG32 0028:C000126C 000A IntG32 0028:C000128C Attributes Symbol/Owner DPL=0 DPL=3 DPL=0 DPL=3 DPL=3 DPL=3 DPL=0 DPL=0 DPL=0 DPL=0 DPL=0 P P P P P P P P P P P VMM(01)+0200 VMM(01)+0210 VTBS(01)+1D04 VMM(01)+0220 VMM(01)+0230 VMM(01)+0240 VMM(01)+0250 VMM(01)+0260 VMM(01)+026C VMM(01)+028C
The following command shows the contents of one entry in the IDT.
IDT d Int 000D Type IntG32 Sel:Offset 0028:C00012B0 Attributes Symbol/Owner DPL=0 P VMM(01)+02B0
131
SoftICE Commands
INTOBJ
System Information
Syntax Use
The INTOBJ command displays information about interrupt objects that are current in the system. If you enter INTOBJ without parameters, SoftICE lists all interrupt objects with the following information: Object Address Vector Service Address Service Context IRQL Mode Afnity Mask Symbol If you issue the command with a vector or address, SoftICE displays information about the specied interrupt object.
Example
The following example displays information about all the current interrupt objects in the system.
INTOBJ
Object Service Address Vector Address 807D0D88 31 80802D90 80750D88 33 808030F0 80750B08 34 808030F0 807E0968 35 80802D30 807E28A8 39 80802D50 80792D88 3B 80802ED0 807D18C8 3C 80802D70 808F2428 3E 8022BF58 SCSIPORT!.text+0C98 807EB428 3F 8022BF58 SCSIPORT!.text+0C98 Service Context 807D1030 807500F8 807513F8 807E1008 807E9C48 8078D158 807D1030 808F2850 807EB850 IRQL 1A 18 17 16 12 10 0F 0D 0C Mode Edge Edge Edge Edge Edge Level Edge Edge Edge Affinity Mask 01 01 01 01 01 01 01 01 01 Symbol
132
SoftICE Commands
The following example shows the information SoftICE displays for a particular interrupt object:
INTOBJ 31 Interrupt Object at 807D0D88 Length: 01E4 List Forward Link: 807D0D8C Object List Back Link: 807D0D8C Interrupt Service Routine address: 80802D90 Interrupt Service Routine context: 807D1030 Spinlock: 807D155C Vector: 31 Device IRQL: 1A Save Floating Point: FALSE Processor Affinity Mask: 01 Processor Number: 00 Share interrupt: TRUE Interrupt mode: Edge
133
SoftICE Commands
IRP
System Information
Syntax
-f -n -p -a irp-address
Display all IRP stack locations. Display the next IRP stack location Walk the previous IRP stack location Iterates through all threads on a system and shows the IRP for each thread Address of the start of the IRP structure to be displayed
Use
The IRP command displays the contents of the I/O Request Packet and the contents of associated current I/O stack located at the specied address. Note that the command does not check the validity of the IRP structure at the specied address, so any address will be accepted by SoftICE as an irp-address. Be careful to pass the IRP command a valid IRP address. The IRP elds shown by SoftICE are not documented in their entirety here, as adequate information about them can be found in NTDDK.H in the Windows NT DDK. A few elds deserve special mention, however, since device driver writers nd them particularly useful: Flags StackCount Flags used to dene IRP attributes. The number of stack locations that have been allocated for the IRP. A common device driver bug is to access non-existent stack locations, so this value may be useful in determining when this has occurred. This number indicates which stack location is the current one for the IRP. Again, this value, combined with the previous StackCount, can be used to track down IRP stack-related bugs. This boolean is set to TRUE if the IRP has been cancelled as a result of an IRP cancellation call. This happens when the IRPs result is no longer needed so the IRP will not complete. Address of current stack location. The contents of this stack location are displayed after the IRP, as illustrated in the example of the command given below.
CurrentLocation
Cancel
Tail.Overlay. CurrentStackLoc
134
SoftICE Commands
Cancel
This boolean is set to TRUE if the IRP has been cancelled as a result of an IRP cancellation call. An IRP may be cancelled when the IRPs result is no longer needed so that the IRP will not complete.
These elds in the current stack location may be useful: Major Function and Minor Function These elds indicate what type of request the IRP is being used for. The major function is used in determining which request handler will be called when an IRP is received by a device driver. Pointer to the device object at which the IRP is currently stationed. In other words, the IRP has been sent to, and is in the process of being received by, the device driver owning the device object. Pointer to the le object associated with the IRP. It can contain additional information that serves as IRP parameters. For example, le system drivers use the le object path name eld to determine the target le of a request. This eld is set when a driver sets a completion routine for an IRP through the IoSetCompletionRoutine call. Its value is the address of the routine that will be called when a lower-level driver (associated with a stack location one greater than the current one) completes servicing of the IRP and signals that it has done so with IoCompleteRequest.
Device Object
File Object
Completion Rout
Example
The following example shows the output for the IRP command.
IRP eax MdlAddress * Flags AssociatedIrp &ThreadListEntry IoStatus RequestorMode PendingReturned StackCount CurrentLocation Cancel CancelIrql ApcEnvironment Zoned UserIosb * UserEvent * Overlay CancelRoutine * UserBuffer * : : : : : : : : : : : : : : : : : : 00000000 00000404 IRP_SYNCHRONOUS_API|IRP_CLOSE_OPERATION 00000000 FD8D9B18 00000000 00 False 03 03 False 00 00 True FD8D9B20 FB11FB40 00000000 00000000 00000000 00000000
135
SoftICE Commands
Tail.Overlay &DeviceQueueEntry : FD8D9B48 Thread * : FD80A020 AuxiliaryBuffer * : 00000000 &ListEntry : FD8D9B60 CurrentStackLoc * : FD8D9BC0 OrigFileObject * : FD819E08 Tail.Apc * : FD8D9B48 Tail.ComplKey : 00000000 CurrentStackLocation: MajorFunction : 12 IRP_MJ_CLEANUP MinorFunction : 00 Control : 00 Flags : 00 Others : 00000000 00000000 00000000 00000000 DeviceObject * : FD851E40 FileObject * : FD819E08 CompletionRout * : 00000000 Context * : 00000000
136
SoftICE Commands
KEVENT
Display Kernel Events.
System Information
Syntax
KEVENT [ kernel-event ]
kernel-event
Use
The KEVENT command displays information about kernel events that are current in the system. If you enter KEVENT without parameters, SoftICE walks through the BaseNamedObjects directory, where the Win32 subsystem typically stores named kernel objects, and displays the Kernel Events in that list. If you specify a kernel event address, SoftICE displays information about the specied event. The following example shows how to use the KEVENT command to display information about a specic event.
kevent 807AB730 Address Type 807AB730 Notification State Signalled Name LSA_RPC_SERVER_ACTIVE
Example
See Also
KMUTEX, KSEM
137
SoftICE Commands
KMUTEX
System Information
Syntax
KMUTEX [ kernel-mutex ]
kernel-mutex
Use
If you issue the KMUTEX command without any parameters, SoftICE walks through the BaseNamedObjects directory, where the Win32 subsystem typically stores named kernel objects, and displays information about all the Kernel mutexes in that list. If you issue the KMUTEX command with an expression, SoftICE displays information about the kernel mutex at that address.
Example
The following example shows how to use the KEVENT command to display information about a specic object.
kmutex 80733470 Address State Own.KTEB(TID) Aban APC Name 80733470 Signalled 0( 0) N 0 OLESharedTablesMutex
See Also
138
SoftICE Commands
KSEM
System Information
Syntax
Use
If you issue the KSEM command without any parameters, SoftICE walks through the BaseNamedObjects directory, where the Win32 subsystem typically stores named kernel objects, and displays information about all the Kernel semaphores in that list. If you issue the KSEM command with an expression, SoftICE displays information about the kernel semaphores at that address.
Example
The following example shows how to use the KSEM command to display information about a specic semaphore object.
ksem 807060F0 Address Limit 807060F0 1 State Signalled Name NDDEAgent
See Also
KEVENT, KMUTEX
139
SoftICE Commands
LDT
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
System Information
Syntax
LDT [selector]
selector
Use
The LDT command displays the contents of the Local Descriptor Table after reading its location from the LDT register. If there is no LDT, an error message will be printed. If you specify an optional selector, only information on that selector is displayed. If the starting selector is a Global Descriptor Table (GDT) selector (that is, bit 2 is 0), the GDT displays rather than the LDT. The rst line of output contains the base address and limit of the LDT.
For Windows 95 and Windows NT
Even when there is no LDT, the LDT command can display an LDT you supply as a command parameter. This optional parameter can be a GDT selector that represents an LDT. You can locate selectors of type LDT with the GDT command.
For Windows NT
The LDT command is process specic and only works in processes that have an LDT. Use the ADDR command to determine which processes contain LDTs. Use ADDR to switch to those processes, then use the LDT command to examine their LDTs.
Output
Each line of the display contains the following information: selector value selector type
Type Description
Lower two bits of this value reect the descriptor privilege level.
16-bit code selector 16-bit data selector 32-bit code selector 32-bit data selector 32-bit Call Gate selector 16-bit Call Gate selector
140
SoftICE Commands
Type
Description
32-bit Task Gate selector 16-bit Task Gate selector 32-bit Trap Gate selector 16-bit Trap Gate selector 32-bit Interrupt Gate selector 16-bit Interrupt Gate selector Reserved selector
selector base selector limit selector DPL present bit segment attributes
Linear base address of the selector. Size of the selector. Selector's descriptor privilege level (DPL), either 0, 1, 2 or 3. P or NP, indicating whether the selector is present or not present. One of the following:
Type Description
RW RO RE EO B
Data selector is readable and writable. Data selector is read only. Code selector is readable and executable. Code selector is execute only. TSS's busy bit is set.
Example
The following example shows sample output for the LDT command.
LDT Sel. Type Base Limit LDTbase=8008B000 Limit=4FFF 0004 Reserved 00000000 00000000 000C Reserved 00000000 00000000 0087 Data16 80001000 00000FFF 008F Data16 00847000 0000FFFF 0097 Data16 0002DA80 0000021F 009F Data16 00099940 000029FF 00A7 Data16 0001BAC0 000000FF 00AF Data16 C11D9040 0000057F DPL 0 0 3 3 3 3 3 3 Attributes NP NP P P P P P P
RW RW RW RW RW RW
141
SoftICE Commands
LHEAP
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
System Information
Syntax
selector module-name
Use
The LHEAP command displays the data objects that a Windows program has allocated on the local heap. If you do not specify a selector, the value of the current DS register is used. The specied selector is usually the Windows program's data selector. To nd this, use the HEAP command on the Windows program you are interested in and look for an entry of type data. Each selector that contains a local heap is marked with the tag LH. If a module-name is entered, SoftICE uses the modules default data segment for the heap walk.
For Windows 95 and Windows NT
To nd all segments that contain a local heap, use the HEAP command with the -L option.
For Windows NT
The LHEAP command only works if the current process contains a WOW box.
Output
For each local heap entry the following information displays: offset size type 16-bit offset relative to the specied selector base address. Size of the heap entry in bytes. Type of entry. One of the following:
Type Description
142
SoftICE Commands
handle
Handle associated with each element. For xed elements, the handle is equal to the address that is returned from LocalAlloc( ). For moveable elements, the handle is the address that will be passed to LocalLock( ).
At the end of the list, the total amount of memory in the local heap displays.
Example
The following command displays all local heap entries belonging to the GDI default local heap.
LHEAP gdi Offset 93D2 941E 946A 94B6 950A Size 0046 0046 0046 004E 4A52 Type Mov Mov Mov Mov Mov Handle 0DFA 0C52 40DA 0C66 0E52
Used: 19.3K
143
SoftICE Commands
LINES
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Customization
Syntax
For Windows 3.1 LINES [25 | 43 | 50] For Windows 95 and Windows NT
numlines
Use
The LINES command changes SoftICE's character display mode. For VGA Text Driver displays, it allows different display modes: 25-line, 43-line, 50-line, and 60-line mode. The 50-, and 60-line modes are only valid on VGA display adapters. For the Universal Video Driver, you can specify any number of lines greater than 25. Using LINES with no parameters displays the current state of LINES. The default number of display lines is 25. If you enter the ALTSCR command, SoftICE changes to 25-line mode automatically. If you change back to a VGA display and want a larger line mode, enter the LINES command again. To display in 50-line mode on a serial terminal, rst place the console mode of the serial terminal into 50-line mode using the DOS MODE command.
For Windows 95 and Windows NT
You can display 60 lines for single monitor debugging. When debugging in serial mode, all line counts are supported for VGA displays.
Example
The following command changes the SoftICE display to 53 lines using the Universal Video Driver. The current font affects the number of lines SoftICE can display.
LINES 53
See Also
144
SET, WIDTH
SoftICE Commands
LOCALS
Symbol/Source Command
Syntax Use
LOCALS
Use the LOCALS command to list local variables from the current stack frame to the Command window. The following information displays for each local symbol: Stack Offset Type denition Value, Data, or structure symbol ( {...} ) The type of the local variable determines whether a value, data, or structure symbol ( {...} ) is displayed. If the local is a pointer, the data it points to is displayed. If it is a structure, the structure symbol is displayed. If the local is neither a pointer nor a structure, its value is displayed.
Hint:
Output
You can expand structures, arrays, and character strings to display their contents. Use the WL command to display the Locals window, then double-click the item you want to expand. Note that expandable items are delineated with a plus (+) mark.
Example
The following example displays the local variables for the current stack frame.
LOCALS [EBP-4] struct_BOUNCEDATA * pdb=0x0000013F <{...}> [EBP+8] void * hWnd=0x000006D8
See Also
TYPES, WL
145
SoftICE Commands
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Miscellaneous
Move data.
Syntax
Start of address range to move. Length in bytes. Start of destination address range.
Use Example
The specied number of bytes are moved from the source-address to the dest-address. The following command moves 2000h bytes (8KB) from memory location DS:1000h to ES:5000h.
M ds:1000 l 2000 es:5000
146
SoftICE Commands
MACRO
Customization
Syntax
macro-name macro-body * =
Case-insensitive, 3-8 character name for the macro being dened, or the name of an existing macro. Quoted string that contains a list of SoftICE commands and parameters separated by semi-colons (;). Delete one or all dened macros. Dene (or redene) a macro.
Use
The MACRO command is used to dene new Macro commands that are supersets of existing SoftICE commands. Dened macros can be executed directly from the SoftICE command line. The MACRO command is also used to list, edit, or delete individual macros. Macros are directly related to breakpoint actions, as breakpoint actions are simply macros that do not have names, and can only be executed by the SoftICE breakpoint engine. If no options are provided, a list of all dened macros will be displayed, or if a macro-name is specied, that macro will be inserted into the command buffer so that it can be edited. When dening or redening a macro, the following form of the macro command is used:
MACRO macro-name = macro-body
The macro-name parameter can be between 3 and 8 characters long, and may contain any alphanumeric character and underscores (_). If the macro-name parameter species an existing macro, the MACRO command redenes the existing macro. The macro-name cannot be a duplicate of an existing SoftICE command. The macro-name must be followed by an equal sign =, which must be followed by the quoted string that denes the macro-body. The macro-body parameter must be embedded between beginning and ending quotation marks (). The macro-body is made up of a collection of existing SoftICE commands, or dened macros, separated by semi-colons. Each command may contain appropriate literal parameters, or can use the form %<parameter#>, where parameter# must be between 1 and 8. When the macro is executed from the command line, any parameter references will expand into the macro-body from the parameters specied when the command was executed. If you need to embed a literal quote character () or a percent sign (%) within the macro body precede the character with a backslash character (\). Because the backslash character is used for escape sequences, to specify a literal backslash character, use two consecutive backslashes (\\). The nal command within the macro-body does not need to be terminated by a semi-colon.
SoftICE Command Reference 147
SoftICE Commands
You can dene macros in the SoftICE Loader using the same syntax described here. When you load SoftICE, each macro denition is created and available for use. SoftICE displays a message for each dened macro to remind you of its presence. Since macros consume memory, you can set the maximum number of named and unnamed macros (that is, breakpoint actions) that can be dened during a SoftICE session. The default value of 32 is also the minimum value. The maximum value is 256.
Note:
A macro-body cannot be empty. It must contain one or more non-white space characters. A macro-body can execute other macros, or dene another macro, or even a breakpoint with a breakpoint action. A macro can even refer to itself, although recursion of macros is not extremely useful because there is no programmatic way to terminate the macro. Macros that use recursion execute up to the number of times that SoftICE permits (32 levels of recursion are supported), no more and no less. Even with this limitation, macro recursion can be useful for walking nested or linked data structures. To get a recursive macro to execute as you expect, you have to devise clever macro denitions.
Example
The following example uses the MACRO command without parameters or options.
MACRO XWHAT OOPS 1shot
Note:
= "WHAT EAX;WHAT EBX;WHAT ECX; WHAT EDX; WHAT ESI; WHAT EDI" = "I3HERE OFF;GENINT 3" = "bpx eip do \"bc bpindex \""
The name of the macro is listed to the left, and the macro body denition to the right.
The following examples show other basic uses for the MACRO command:
MACRO * MACRO oops * MACRO xwhat
Note:
Delete all named macros. Delete the macro named oops. Edit the macro named xwhat.
Because macros can be redened at any time, when you use the edit form of the MACRO command (MACRO macro-name) the macro denition will be placed in the edit buffer so that it can be edited. If you do not wish to modify the macro, press ESC. The existing macro will remain unchanged. If you modify the macro-body without changing the macro name, the macro will be redened (assuming the syntax is correct!)
148
SoftICE Commands
The next example uses a literal parameter within the macro-body. Its usefulness is limited to specic situations or values.
MACRO help = h exp
In the previous example, the SoftICE H command is executed with the parameter EXP every time the macro executes. This causes the help for the SoftICE EXP command to display. This is a slightly more useful denition of the same macro:
MACRO help= help %1
In the revised example, an optional parameter was dened to pass to the SoftICE H command. If the command is executed with no parameters, the argument to the H command is empty, and the macro performs exactly as the rst denition; help for all commands is displayed. If the macro executes with 1 parameter, the parameter is passed to the H command, and the help for the command specied by parameter 1 is displayed. For execution of macros, all parameters are considered optional, and any unused parameters are ignored. The following are examples of legal macro denitions:
MACRO qexp = addr explorer; query %1 qexp
or
qexp 1 40000
1shot eip
or
1shot @esp MACRO ddt = dd thread ddt MACRO ddp = dd process ddp
or
thr -x
149
SoftICE Commands
The following are examples of illegal macro denitions, with an explanation and a corrected example.
Illegal Denition
MACRO dd = dd dataaddr
The macro name is a duplication of a SoftICE command name. SoftICE commands cannot be redened.
Illegal Denition
MACRO aa = addr %1
The macro command name is too short. A macro name must be between 3 and 8 characters long.
Illegal Denition
Illegal Denition
The macro body references parameter %2 without referencing parameter %1. You cannot reference parameter %n+1 without having referenced parameter %n.
150
SoftICE Commands
MAP32
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
System Information
Syntax
-u -s module-name module-handle
Displays only modules in user space. Displays only modules in system space. Windows module-name. Base address of a module image.
Windows module-name. Base address of a module image. Any address that falls within an executable image.
Use
MAP32 with no parameters lists information about all 32-bit modules. If you specify either a module-name or module-handle as a parameter, only sections from the specied module are shown. For each module, one line of data is printed for every section belonging to the module. Since the MAP32 command takes any address that falls within an executable image, an easy way to see the memory map of the module that contains the current EIP is to enter:
MAP32 eip For Windows 95
No matter what process/context you are in, MAP32 shows the same list of drivers because memory above 2GB is globally mapped. However, MAP32 shows different lists of applications/DLLs depending on the current process or context, because they are always private to an address context.
151
SoftICE Commands
For Windows NT
MAP32 lists kernel drivers as well as applications and DLLs that exist in the current process. They can be distinguished in the map because drivers always occupy addresses above 2GB, while applications and DLLs are always below 2GB.
Output
Each line in MAP32s output contains the following information: Owner Name Obj# Address Size Type Module name. Section name from the executable le. Section number from the executable le. Selector:offset address of the section. Sections size in bytes. Type and attributes of the section, as follows:
Type Attributes
Code Initialized Data Uninitialized Data Read Only Read/Write Object is shared
Example
The following example illustrates sample output for MAP32 executed on a Visual C module.
MAP32 msvcrt10 Owner Obj Name Obj# 0001 0002 0003 Address Size Type
152
SoftICE Commands
219F:86CA9000 00005C00 IDATA RO 219F:86CAF000 00006A00 IDATA RW 219F:86CB6000 00000A00 IDATA RW 219F:86CB7000 00001800 IDATA RO
153
SoftICE Commands
MAPV86
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
System Information
Syntax
MAPV86 [address]
address
Use
If no address parameter is specied, a map of the entire current virtual machines V86 address space is displayed. Information about the area in the map where a certain address lies can be obtained by specifying the address. Pages of DOS VM memory may not be valid (not mapped in) when you enter the MAPV86 command. If this occurs, the output from the MAPV86 command will terminate with a PAGE NOT PRESENT message. Often, just popping out of, and then back into, SoftICE will result in those pages being mapped in. A useful application of the MAPV86 command is in obtaining addresses to which a symbol table must be aligned with the SYMLOC command. DOS programs that were started before Windows will not automatically have their symbol information mapped to their location in V86 memory. You can enable source-level debugging for these global DOS programs by performing the following steps. Use the MAPV86 command to get the starting address of the programs static code segment. Add 10h to the address if the program in an executable (.EXE). Use the SYMLOC command to set the symbol table alignment to that value.
For Windows NT
The MAPV86 command is process specic. You must be in an NTVDM process because these are the only ones that contain V86 boxes. There is no global MSDOS in Windows NT.
Output
The following summary information is displayed by the MAPV86 command. VM ID VM handle CRS pointer VM address Virtual machine (VM) ID. VM1 is the System VM. 32-bit virtual machine handle. VMs 32-bit client register structure pointer. 32-bit linear address of the VM. This is the high linear address of the virtual machine, which is also currently mapped to linear address 0.
154
SoftICE Commands
If the current CS:IP belongs to a MAPV86 entry, that line will be highlighted. Each line of the MAPV86 display contains the following information: Start Length Name Segment:offset start address of the component. Length of the component in paragraphs. Owner name of the component.
Example
The following example illustrates how to use the MAPV86 command to display the entire V86 map for the current VM.
MAPV86 ID=01 Handle=80441000 CRS Ptr=80013390 Linear=80C00000 Start 0000:0000 0040:0000 0070:0000 02CD:0000 0BB5:0012 0C8B:0000 0D41:0000 10D0:0000 Length 0040 0030 025D 08E6 0000 00E8 00B6 038F Name Interrupt Vector Table ROM BIOS Variables I/O System DOS NUMEGA SOFTICE1 XMSXXXX0 SMARTAAR
155
SoftICE Commands
MOD
Windows 3.1
System Information
Syntax
MOD [partial-name]
partial-name
Use
This command displays the Windows module list in the Command window. A module is a Windows application or DLL. All 16-bit modules will be displayed rst, followed by all 32 bit modules. If a partial name is specied, only those modules that begin with the name will be displayed. For each loaded module the following information is displayed: module handle 16-bit handle that Windows assigns to each module. It is actually a 16-bit selector of the module database record which is similar in format to the EXE header of the module le. Selector:offset of the PE File header for that module. Note: A value will only be displayed in this column for 32-bit modules. Name specied in the .DEF le using the 'NAME' or 'LIBRARY' keyword. Full path and le name of the module's executable le.
Output
Example
The following example shows abbreviated output of MOD to display all modules in the system:
MOD hMod PEHeader 0117 0147 014F 0167 01C7 01E7 Module Name KERNEL SYSTEM KEYBOARD MOUSE DISPLAY SOUND .EXE File Name C:\WINDOWS\SYSTEM\KRNL386.EXE C:\WINDOWS\SYSTEM\SYSTEM.DRV C:\WINDOWS\SYSTEM\KEYBOARD.DRV C:\WINDOWS\SYSTEM\LMOUSE.DRV C:\WINDOWS\SYSTEM\VGA.DRV C:\WINDOWS\SYSTEM\MMSOUND.DRV
156
SoftICE Commands
0000 2987:80756080 W32SKRNL 12C7 2987:86C20080 FREECELL 1FC7 2987:86C40080 CARDS 1FDF 2987:86C70080 w32scomb
See Also
157
SoftICE Commands
MOD
System Information
Syntax
-u -s partial-name
Displays only modules in user space. Displays only modules in system space. Prex of the Windows module name
Use
This command displays the Windows module list in the Command window. If a partial name is specied, only modules that begin with the name will be displayed. SoftICE displays modules in the following order: 16-bit modules 32-bit driver modules (Windows NT only) 32-bit application modules
For Windows 95
The module list is global. A module is a Windows application or DLL. All modules have an hMod value.
For Windows NT
The Mod command is process specic. All modules will be displayed that are visible within the current process. This includes all 16-bit modules, all 32-bit modules, and all driver modules. This means if you want to see specic modules, you must switch to the appropriate address context before using the MOD command. You can distinguish application modules from driver modules because application modules have base addresses below 2GB (80000000h). The 16-bit modules will be the only modules that have an hMod value.
Output
For each loaded module the following information is displayed: module handle 16-bit handle that Windows assigns to each module. It is actually a 16-bit selector of the module database record which is similar in format to the EXE header of the module le.
158
SoftICE Commands
base
Base linear address of the executable le. This is also used as the module handle for 32-bit executables. Note: A value will only be displayed in this column for 32-bit modules. Selector:offset of the PE File header for that module. Note: A value will only be displayed in this column for 32-bit modules. Name specied in the .DEF le using the 'NAME' or 'LIBRARY' keyword. Full path and le name of the module's executable le.
Example
The following example shows abbreviated output of MOD used on the NTVDM WOW process:
MOD
hMod Base 021F 020F 01B7 02B7 02CF 02E7 0307 031F 0397 0347 03DF 0C3F 0BFF 0BF7 80100000 80100080 80400000 80400080 80010000 80010080
PEHeader ModuleName KERNEL SYSTEM KEYBOARD MOUSE DISPLAY SOUND COMM USER GDI WOWEXEC SHELL WFWNET MMSYSTEM TIMER ntoskrnl hal atapi
File Name D:\WINNT35\SYSTEM32\KRNL386.EXE D:\WINNT35\SYSTEM32\SYSTEM.DRV D:\WINNT35\SYSTEM32\KEYBOARD.DRV D:\WINNT35\SYSTEM32\MOUSE.DRV D:\WINNT35\SYSTEM32\VGA.DRV D:\WINNT35\SYSTEM32\SOUND.DRV D:\WINNT35\SYSTEM32\COMM.DRV D:\WINNT35\SYSTEM32\USER.EXE D:\WINNT35\SYSTEM32\GDI.EXE D:\WINNT35\SYSTEM32\WOWEXEC.EXE D:\WINNT35\SYSTEM32\SHELL.DLL D:\WINNT35\SYSTEM32\WFWNET.DRV D:\WINNT35\SYSTEM32\MMSYSTEM.DLL D:\WINNT35\SYSTEM32\TIMER.DRV \WINNT35\System32\ntoskrnl.exe \WINNT35\System32\hal.dll atapi.sys
159
SoftICE Commands
hMod Base 80013000 80013080 80001000 80001080 8001B000 8001B080 803AE000 803AE080 FB000000 FB000080 FB010000 FB010080 FB020000 FB020080 FB030000 FB030080
PEHeader ModuleName SCSIPORT Atdisk Scsidisk Fastfat Floppy Scsicdrm Fs_Rec Null
File Name \WINNT35\System32\Drivers\SCSIPORT.SYS Atdisk.sys Scsidisk.sys Fastfat.sys \SystemRoot\System32\Drivers\Floppy.SYS \SystemRoot\System32\Drivers\Scsicdrm.SYS \SystemRoot\System32\Drivers\Fs_Rec.SYS \SystemRoot\System32\Drivers\Null.SYS
See Also
160
SoftICE Commands
NET
Customization
Syntax
IP-address of the machine on which you are running SoftICE Dynamic Host Conguration Protocol. Instructs SoftICE to get the IP parameters from your network DHCP server. The network subnet mask.
ANY AUTO
Allows a machine from any IP address to connect to the target machine. Allows a remote machine that has connected successfully to reconnect. This is useful if the remote machine loses its connection and must reconnect. If AUTO is not specied, you must reissue the NET ALLOW command on the target machine before another connection can be made.
PASSWORD=password A case-sensitive password that will be required of users to get access to SoftICE on the target machine.
NET COMx <baud-rate>
x baud-rate
NET NET NET NET NET
COM port number. Valid values are 1 through 4. This command uses only standard port addresses. Any legal baud rate between 1200 and 115200
161
SoftICE Commands
Use
You can use the NET commands to run SoftICE on one machine (the target machine,) so that it can be controlled remotely over a standard internet connection from another machine (the remote machine.) To run SoftICE remotely you must replace the adapter driver le on the target machine, with one provided in the SoftICE distribution. For details on setting up the target machine, refer to the section Setting Up SoftICE for Remote Debugging. in Chapter 10, Customizing SoftICE, in Using SoftICE. After installing the network adapter and driver, you can use the following NET command options on the target machine to enable SoftICE to be controlled by a remote machine. The NET START command enables the IP stack in SoftICE. This command identies your IP parameters to SoftICE (IP-address, subnet-mask, and gateway address). If your local network supports DHCP (Dynamic Host Conguration Protocol), you can tell SoftICE to obtain the IP parameters from your network DHCP server. At this point, the IP stack is running, but SoftICE does not allow remote debugging until you use the NET ALLOW command to specify what other machine(s) can control SoftICE. The NET ALLOW command tells SoftICE how to determine which machine(s) can be used to remotely control SoftICE. A remote machine can be specied as a specic IP address or ANY IP address. Access to control SoftICE can also be qualied by a case-sensitive password. The NET COMx command allows you to establish a remote debugging session over a serial connection, including the ability to control the mouse and SoftICE window remotely. The NET PING command allows you to do a basic network connectivity test by sending an ICMP Echo Request (PING) packet to an IP address. SoftICE sends the request and indicates whether it receives a response within 4 seconds. The NET RESET command terminates any active remote debugging session (IP or serial connection) and cancels the effect of the previous NET ALLOW command. The NET STOP command terminates any active remote debugging session (IP or serial connection) and cancels the effect of the previous NET ALLOW command. It also disables the IP stack. The NET HELP command shows a list of the available network commands with their respective syntax. The NET STATUS command shows the current status of the network adapter. It displays the current IP parameters (IP address, subnet mask, and gateway) and the status of the remote debugging connection. After the target machine is set up correctly, you issue the SINET command on the remote machine to create the connection to the target machine. To use SINET, you must copy SINET.EXE from the SoftICE installation directory to the remote machine. The syntax for the SINET command is:
SINET <target-IP-address> [password]
162
SoftICE Commands
The syntax for the SINET command with a serial connection is:
SINET COMx [<baud-rate>]
For more information about using the SINET command, refer to the section Starting the Remote Debugging Session in Chapter 10, Customizing SoftICE, in Using SoftICE.
Examples
The following commands set up SoftICE on a target machine whose IP address is 10.0.0.5, and allows a remote machine whose IP address is 10.0.0.10 to connect to the target machine and control SoftICE.
NET START 10.0.0.5 NET ALLOW 10.0.0.10
Because the NET ALLOW command does not include the AUTO option, the remote user will only be allowed to connect to the target once. The following commands set up SoftICE on a target machine that gets its IP address from a DHCP server. It then allows any other machine to connect if the user has the right password.
NET START DHCP NET ALLOW ANY AUTO PASSWORD=NuMega
This NET ALLOW command species that any IP address can be used to connect to the target machine if the user provides the proper password. The AUTO option tells SoftICE to allow remote machines to connect more than once in case of disconnect.
See Also
SINET.EXE
163
SoftICE Commands
NTCALL
System Information
Syntax Use
NTCALL
The NTCALL command displays all NTOSKRNL calls that are used by NTDLL. Many of the API's in NTDLL are nothing more than a wrapper for routines in NTOSKRNL, where the real work is done at level 0. If you use SoftICE to step through one of these calls, you will see that it immediately performs an INT 2Eh instruction. The INT 2Eh instructions serve as the interface for transitions between a privilege level 3 API and a privilege level 0 routine that actually implements the call. When an INT 2Eh is executed, the EDX register is set to point at the parameter stack frame for the API and the EAX register is set to the index number of the function. When the current instruction pointer reference is an INT 2Eh instruction, the SoftICE disassembler will show the address of the privilege level 0 routine that will be called when the INT 2Eh executes, along with the number of dword parameters that are being passed in the stack frame pointed to by EDX. If you wish to see the symbol name of the routine, you must load symbols for NTOSKRNL and make sure that it is the current symbol table. Refer to TABLE on page 219.
Output
The NTCALL command display all the level 0 API's available. For each API, the following information displays: Func. Address Params Name Hexadecimal index number of the function passed in EAX. Selector:offset address of the start of the function. Number of dword parameters passed to the function. Either the symbolic name of the function, or the offset within NTOSKRNL if no symbols are loaded.
The following example shows the disassembler output. Note how SoftICE indicates that the INT 2Eh instructions execution result in the NTOSKRNL function, _NTSetEvent being called with 2 dword parameters.
ntdll!NtSetEvent 001B:77F8918C 001B:77F89191 001B:77F89195 001B:77F89197
164 SoftICE Command Reference
SoftICE Commands
Example
The following example shows abbreviated output of the NTCALL command. It can be seen from this listing that the NTOSKRNL routine, _NTAccessCheck, is located at 8:80182B9Eh, that it is assigned a function identier of 1, and that it takes 8 dword parameters.
00 01 02 03 04 05 06 07 08 0008:80160D42 0008:80182B9E 0008:80184234 0008:80180C0A 0008:80180868 0008:8017F9A6 0008:8017F95E 0008:8014B0C4 0008:8014B39A params=06 _NtAcceptConnectPort params=08 _NtAccessCheck params=0B _NtAccessCheckAndAuditAlarm params=06 _NtAdjustGroupsToken params=06 _NtAdjustPrivilegesToken params=02 _NtAlertResumeThread params=01 _NtAlertThread params=01 _NtAllocateLocallyUniqueId params=03 _NtAllocateUuids
165
SoftICE Commands
I/O Port
Syntax
size
Value Description
B W D
port value
Use
Output to PORT commands are used to write a value to a hardware port. Output can be done to byte, word, or dword ports. If no size is specied, the default is B. All outputs are sent immediately to the hardware with the exception of the interrupt mask registers (Port 21h & A1h). These do not take effect until the next time you exit from the SoftICE screen.
Example
The following command performs an out to port 21, which unmasks all interrupts for interrupt controller one.
O 21 0
166
SoftICE Commands
OBJDIR
System Information
Syntax
OBJDIR [object-directory-name]
object-directory-name
Use
Use the OBJDIR command to display the named objects within the Object Managers object directory. Using OBJDIR with no parameters displays the named objects within the root object directory. To list the objects in a subdirectory, enter the full object directory path. The following information will be displayed by the OBJDIR command: Object ObjHdr Name Type Address of the object body. Address of the object header. Name of the object. Windows NT-dened data type of the object.
Output
Example
The following example is abbreviated output of OBJDIR listing objects in the Device object directory.
OBJDIR device Directory of \Device at FD8E7F30 Object FD8CC750 FD89A030 FD889150 FD8979F0 FD8C9ED0 FD8C5038 FD8C4040 ObjHdr FD8CC728 FD89A008 FD889128 FD8979C8 FD8C9EA8 FD8C5010 FD8C4018 Name Beep NwlnkIpx Netbios Ip KeyboardClass0 Video0 Video1 Type Device Device Device Device Device Device Device
167
SoftICE Commands
In the following example, the OBJDIR command is used with a specied object directory pathname to list the objects in the \Device\Harddisk0 subdirectory.
OBJDIR \device\harddisk0 Directory of \Device\Harddisk0 at FD8D38D0 Object FD8D3730 FD8D3410 FD8D32D0 ObjHdr FD8D3708 FD8D33E8 FD8D32A8 Name Partition0 Partition1 Partition2 Type Device Device Device
3 Object(s)
See Also
OBJTAB
168
SoftICE Commands
OBJTAB
System Information
Syntax
handle object-type-name
-h
Use
Use the OBJTAB command to display all entries in the master object-handle table created and maintained by CSRSS, or to obtain information about a specic object or objects of a certain type. The master object-handle table contains information for translating user objecthandles such as an hWnd or hCursor into the actual data that represents the object. If you use OBJTAB without parameters, SoftICE lists the full contents of the master objecthandle table. If an object handle is specied, just that object is listed. If an object-type-name is entered, all objects in the master object-handle table of that type are listed.
169
SoftICE Commands
Output
The following information is displayed by the OBJTAB command: Object Type Id Handle Owner Flags Pointer to the objects data. Type of the object. Objects type ID. Win32 handle value for the object. CSRSS specic instance data for the process or thread that owns the object. Objects ags.
Example
The following is an abbreviated example using the OBJTAB command without parameters or options.
OBJTAB Object Type Id 01 02 01 07 09 Handle Owner Flags
7F2D4DA0 Hwnd 7F2D85B8 Menu 7F2D4E58 Hwnd 7F2D1820 Queue 003E50E0 Accel. Table
0004005C 7F2D5F88 00 0001005D 00298B40 00 0003005E 7F2D5F88 00 0002005F 00000000 00 00030060 00298B40 00
See Also
OBJDIR
170
SoftICE Commands
P
F10, F12 for P RET
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Flow Control
Syntax
P [RET]
RET
Use
The P command executes a logical program step. In assembly mode, one instruction at the current CS:EIP is executed unless the instruction is a call, interrupt, loop, or repeated string instruction. In those cases, the entire routine or iteration is completed before control is returned to SoftICE. If RET is specied, SoftICE will step until it nds a return or return from interrupt instruction. This function works in either 16- or 32-bit code and also works in level 0 code. The P command uses the single step ag for most instructions. For call, interrupt, loop, or repeated string instructions, the P command uses a one-time INT 3 instruction execution breakpoint. In source mode one source statement is executed. If the source statement involves calling another procedure, the call is not followed. The called procedure is treated like a single statement. If the Register window is visible when SoftICE pops up, all registers that have been altered since the P command was issued display with the bold video attribute. For call instructions, the highlighted registers show what registers a subroutine has not preserved. In an unusually long procedure, there can be a noticeable delay when using the P RET command, because SoftICE is single stepping every instruction.
For Windows 95 and Windows NT
The P command, by default, is thread specic. If the current EIP is executing in thread X, SoftICE will not break until the program step occurs in thread X. This prevents the case of Windows NT process switching or thread switching during the program step causing execution to stop in a different thread or process than the one you were debugging. To change this behavior, either use the SET command with the THREADP keyword or disable threadspecic stepping in the troubleshooting SoftICE initialization settings.
Example
SoftICE Commands
PAGE
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
System Information
Syntax
address
The virtual address, segment:offset address, or selector:offset address about which you want to know page table information. The output includes the virtual and physical address. Number of pages to display.
length
Use
The PAGE command can be used to list the contents of the current page directory or the contents of individual page table entries.
Note:
In the x86 architecture, a page directory contains 1024 4-byte entries, where an entry species the location and attributes of a page table that is used to map a range of memory related to the entrys position in the directory. (These ranges are shown on the far right in the PAGE commands output of the page directory.) Each entry represents the location and attributes of a specic page within the memory range mapped by the page table. An x86 processor page is 4KB in size, so a page table maps 4MB of memory (4KB/page * 1024 entries), and the page directory maps up to 4GB of memory (4MB/page table * 1024 entries). NT 4.0 uses the 4 MB page feature of the Pentium/Pentium Pro processors. NTOSKRNL, HAL, and all boot drivers are mapped into a 4 MB page starting at 2 GB (80000000h). When you specify the address parameter, information about the page table entry that maps the address is shown. This includes the following: The linear virtual address of the start of the page mapped by the entry. The physical address that corresponds to the start of the page mapped by the entry. The page table entry attributes of the page. This information corresponds directly to processor dened attributes. Page table attributes are represented by bits that indicate whether or not the entry is valid, whether the page is dirty or has been accessed, whether its a supervisor or user-mode page, and its access protections. Only bit attributes that are set are shown by SoftICE. The page type. This information is interpreted from the Windows-dened bit eld in the page table entry and the types displayed by SoftICE correspond to Windows denitions.
172
SoftICE Commands
Use the length parameter with the address parameter to list information about a range of consecutive page table entries. It should be noted that the PAGE command will not cross page table boundaries when listing a range. This means that, if fewer entries are listed than you specied, you must use a second PAGE command to list the pages starting where the rst listing stopped. If no parameters are specied, the PAGE command shows the contents of the current page directory. Each line listed represents 4MB of linear address space. The rst line shows the physical and linear address of the page directory. Each following line displays the information in each page directory entry. The data shown for each entry is the same as is described above for individual page table entries, however, in this output addresses represent the locations of page tables rather than pages.
Output
The following information is displayed by the PAGE command: physical address If a page directory is being displayed then this is the physical address of the page table that a page directory entry refers to. Each page directory entry references one page table which controls 4MB of memory. If an address parameter is entered so that specic pages are displayed, then this is the physical address that corresponds to the start of a page. linear address For Windows 3.1 and Windows 95 only: If the page directory is being displayed then this is the virtual address of a page table. This is the address you would use in SoftICE to display the page table with the D command. If specic pages are being displayed, this is the virtual address of a page. If a length was entered then this is the virtual address of the start of each page. attribute This is the attribute of the page directory or page table entry. The valid attributes are, as follows:
Windows 3.1, Windows 95, and Windows NT Windows NT Only
P D A U R NP
S RW 4M
173
SoftICE Commands
type
For Windows 3.1 and Windows 95 only: Each page directory entry has a three-bit eld that can be used by the operating system to classify page tables. Windows classies page tables into the following six categories:
System Instance VM Private Relock Hooked
If a page is marked Not Present, then all that is displayed is NP followed by the dword contents of the page table entry.
Example
Using the PAGE command with no parameters displays page directory information. The following shows this PAGE command output.
PAGE Page Directory Physical=002B6000 Linear=006B600 Physical Linear Attributes A A U U U U U A A U U U U A U Type System System System System System System System System System System Linear Address Range 00000000-003FFFFF 00400000-007FFFFF 00800000-00BFFFFF 00C00000-00FFFFFF 01000000-013FFFFF 80000000-803FFFFF 80400000-807FFFFF 80800000-80BFFFFF 80C00000-80FFFFFF 81000000-813FFFFF
002B7000 006B7000 P 00109000 00509000 P 0010A000 0050A000 P 0010B000 0050B000 P 0010C000 0050C000 P 002B8000 006B8000 P 00106000 00506000 P 00107000 00507000 P 00108000 00508000 P 002B7000 006B7000 P
174
SoftICE Commands
Using the PAGE command with the address parameter displays the page table entry that corresponds to the address you specify. In the following example, three page table entries are shown starting with the page table entry that corresponds to address 00106018. Notice that when the length parameter is specied, the linear address is truncated to the base address of the memory page that contains the specied address.
PAGE 00106018 l 3 Linear Physical Attributes U U U Type VM VM VM
The following example shows how the PAGE command can be used to nd both the virtual and physical address of selector:offset address.
PAGE #585:263C Linear Physical Attributes U Type Instance
When the Page command displays information on either PTEs or PDEs for NT 4.0, 4 MB pages are indicated by the mnemonic 4M in the Attributes column. The following sample output shows the region starting at 2 GB.
PAGE Page Directory Physical=00030000 Physical Attributes Linear Address Range 00000000 P A S RW 4M 80000000 - 803FFFFF 00400000 P A S RW 4M 80400000 - 807FFFFF 00800000 P A S RW 4M 80800000 - 80BFFFFF 00C00000 P A S RW 4M 80C00000 - 80FFFFFF 01034000 P A S RW 4M 81000000 - 813FFFFF
175
SoftICE Commands
The following example shows a partial listing of output from the PAGE command when it is executed without parameters on Windows NT 3.51. In this case, PAGE prints the page directory contents.
PAGE Page Directory Physical=00030000 Physical Attributes Linear Address Range 00380000 P A U RW 00000000 - 003FFFFF 00611000 P A U RW 77C00000 - 77FFFFFF 00610000 P A U RW 7FC00000 - 7FFFFFFF 00032000 P A S RW 80000000 - 803FFFFF 00034000 P A S RW 80400000 - 807FFFFF 00035000 P A S RW 80800000 - 80BFFFFF 00033000 P A S RW 80C00000 - 80FFFFFF 00030000 P A S RW C0000000 - C03FFFFF 00040000 P A S RW C0400000 - C07FFFFF 00001000 P A S RW C0C00000 - C0FFFFFF
The following example shows how to use the PAGE command to display the attributes and addresses of the page from which instructions are currently being executed.
PAGE eip Linear 80404292 Physical 00404292 Attributes P D A S RW
176
SoftICE Commands
PAGEIN
Category
Syntax
PAGEIN address
address
Use
In some cases, a SoftICE command cannot retrieve the data you request because the actual physical memory that backs a particular linear address has been paged out by the operating system and so is not present in memory. You can use the PAGEIN command to force the page to be brought in from disk memory into physical memory.
Note:
PAGEIN can be an unsafe command. This facility is recommended for OS experts only. If the currently executing thread is not in a context in which it can touch pageable memory, issuing PAGEIN can crash your system. You should be sure you understand the state of your application and the effect of this command before attempting to use it.
Example
The following example shows the use of the PAGEIN command to load a page into physical memory.
PAGEIN 401000
See Also
PAGE
177
SoftICE Commands
PAUSE
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Customization
Syntax Use
The PAUSE command controls screen pause at the end of each page. If PAUSE is on, you are prompted to press any key before information scrolls off the Command window. The Enter key scrolls a single line at a time. Any other key scrolls a page at a time. The prompt displays in the status line at the bottom of the Command window. If PAUSE if off, the information automatically scrolls to the end of the command output. If you do not specify a parameter, the current state of PAUSE displays. The default is PAUSE on.
Example
The following command species that the subsequent Command window display will not automatically scroll off the screen. You are prompted to press a key before information scrolls off the screen.
PAUSE on
See Also
SET
178
SoftICE Commands
PCI
System Information
Dump the conguration registers for each PCI device in the system.
Syntax Use
PCI
The PCI command dumps the registers for each PCI device in the system. Do not use this command on non-PCI systems. Many of the entries are self-explanatory, but some are not. Consult the PCI specication for more information about this output. The following example illustrates a part of the output for the PCI command.
PCI
Example
Bus 00 Device 00 Function00 Vendor: 8086 Intel Device: 1237 Revision: 02 Device class: 06 Bridge device Device subclass: 00 Host bridge Device sub-subclass: 00 Interrupt line: 00Interrupt pin: 00 Min_Gnt: 00 Cache line size: 00 Latency timer: 40 I/O:0 Mem:1 BusMAST:1 Special:0 Parity:0 Wait:0 SERR:1 Back2Back:0 Bus 00 Device 07 Function00 Vendor: 8086 Intel Device: 7000 Revision: 01 Device class: 06 Bridge device Device subclass: 01 ISA bridge Device sub-subclass: 00 Interrupt line: 00Interrupt pin: 00 Min_Gnt: 00 Cache line size: 00 Latency timer: 00 I/O:1 Mem:1 BusMAST:1 Special:1 Parity:0 Wait:0 SERR:0 Back2Back:0
179
SoftICE Commands
PEEK
Display/Change Memory
Syntax
PEEK[size] address
size address
Use
PEEK displays the byte, word, or dword at a given physical memory location. PEEK is useful for reading memory-mapped I/O registers. The following example displays the dword at physical address FF000000.
PEEKD FF000000
Example
See Also
180
SoftICE Commands
PHYS
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
System Information
Syntax
PHYS physical-address
physical-address
Memory address that the x86 generates after a virtual address has been translated by its paging unit. It is the address that appears on the computer's BUS, and is important when dealing with memorymapped hardware devices such as video memory.
Use
Windows uses x86 virtual addressing support to dene a relationship between virtual addresses, used by all system and user code, and physical addresses that are used by the underlying hardware. In many cases a physical address range may appear in more than one page table entry, and therefore more than one virtual address range. SoftICE does not accept physical addresses in expressions. To view the contents of physical memory you must use the PHYS command to obtain linear addresses that can be used in expressions.
For Windows 95 and Windows NT
The PHYS command is specic to the current address context. It searches the Page Tables and Page Directory associated with the current SoftICE address context.
Example
Physical address A0000h is the start of VGA video memory. Video memory often shows up in multiple virtual address in Windows. The following example shows three different virtual addresses that correspond to physical A0000.
PHYS a0000 000A0000 004A0000 80CA0000
181
SoftICE Commands
POKE
Display/Change Memory
Syntax
B (byte), W (word), or D (dword). Size defaults to B. Physical memory address. Value to write to memory.
Use
POKE writes a byte, word, or dword value to a given physical memory location. POKE is useful for writing to memory-mapped I/O registers. The following example writes the dword value 0x12345678 to physical address FF000000.
POKED FF000000 12345678
Example
See Also
182
SoftICE Commands
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Customization
From a DOS VM, use the DLOG.EXE utility to log the SoftICE Command window information.
See Also
PRN
183
SoftICE Commands
PRN
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Customization
Syntax
Decimal number between 1 and 2 for LPT, or between 1 and 4 for COM .
Use
The PRN command allows you to send output from Print Screen to a different printer port. If no parameters are supplied, PRN displays the currently assigned printer port. The following command causes Print Screen output to go to the COM1 port.
PRN com1
Example
184
SoftICE Commands
PROC
System Information
Syntax
For Windows 95 PROC [-xo] [task] For Windows NT PROC [[-xom] process-type | thread-type]
Display extended information for each thread. Display list of objects in processes handle table. Display information about the memory usage of a process. Task name. Process handle, process ID, or process name. Thread handle or thread ID.
Use
If you use the PROC command without any options, summary information is presented for the process you specify or, if none is specied, for all processes in the system. The information the memory option (-m) provides is also included when you specify the extended option (-x) for Windows NT. The memory information is provided for convenience, because the amount of extended information displayed is quite large. For all process and thread times, as well as process memory information, SoftICE uses raw values from within the OS data structures without performing calculations to convert them into standardized units. The object option (-o) displays the object pointer, the object handle, and the object type for every object in the processes object handle table. Because object information is allocated from the systems pageable pool, the objects type name will not be available if the page is not present. In this case, question marks (???) are displayed.
185
SoftICE Commands
Output
For Windows 95
For each process the following summary information is provided: Process pProcess Process ID Threads Context DefHeap DebuggeeCB
For Windows NT
Task name. Pointer to process database (pdb). The Ring 3 ID of the process. Number of threads the process owns. Address context. Default heap. Debuggee context block.
For each process the following summary information is provided: Process KPEB PID Threads Priority User Time Krnl Time Status Process name. Address of the Kernel Process Environment Block. Process ID. Number of threads the process owns. Base priority of the process . Relative amount of time the process spent executing code at user level. Relative amount of time the process spent executing code at the kernel level. Current status of the process: Running: The process is currently running. Ready: The process is in a ready to run state. Idle: The process is inactive. Swapped: The process is inactive, and its address space has been deleted. Transition: The process is currently between states. Terminating: The process is terminating.
186
SoftICE Commands
Example
For Windows 95
00000001 C10474D4 00400000 00000000 00000001 C1033E38 00410000 00000000 00000001 C10476D0 00470000 00000000 00000002 C104577C 00440000 00000000 00000002 C1043340 00510000 00000000 00000001 C1041E28 00400000 00000000
8155B000 K16TDB:
8156A448 pHandleTable: 8156A2C0 8156ABB0 Threadlist: 00000000 InitialR0ID: 00000000 Unknown4: 81569FE8 00000000 C007757C
&crtLoadLock: 81569F64 pConsole: ProcDWORD0: TopExFilter: HHandleBlks: wEnvSel: UTState: 00003734 ProcGroup:
187
SoftICE Commands
Environment Database
Environment: CommandLine: CurrentDir: StartupInfo: hStdError: BreakType: 00520020 Unknown1: 8156A500 C:\PROJECTS\GDIDEMO\Gdidemo.exe 8156A524 C:\PROJECTS\GDIDEMO 8156A53C hStdIn: FFFFFFFF Unknown2: 00000000 BreakSem: FFFFFFFF hStdOut: 00000001 InheritCon FFFFFFFF 00000000 00000000
8165A32C Process 8155BFFC Event C103E3A4 Memory Mapped file C0FFE0E0 Memory Mapped file C0FFE22C Memory Mapped file C0FF1058 Memory Mapped file 8155C01C Event 8155CCE4 Event 8155CD5C Event 8155CD8C Thread 8155D008 Event C1041C04 Memory Mapped file 8155D870 Event
188
SoftICE Commands
For Windows NT
The following example uses the PROC command without parameters to list all the processes in the system.
PROC Process System smss csrss KPEB FD8E0020 FD8B9020 FD8B3DC0 PID 2 13 1F 19 28 2A 43 4A 50 5D 60 0 Threads 14 6 12 2 B C 6 1 6 3 3 1 Pri 8 B D D 9 9 8 8 9 8 D 0 User Time Krnl Time Status Ready Swapped Ready Idle Idle Idle Idle Idle Running Idle Ready Ready
00000000 00001A48 00000022 00000022 00B416C5 00049C4E 00000028 00000072 0000018E 0000055A 0000001B 00000058 000000AB 000000BD 00000004 0000000C 00125B98 0003C0BE 00000024 0000008A 000002DE 00000447 00000000 00135D03
8016A9E0
The process that was active when SoftICE popped up will be highlighted. The currently active process/address context within SoftICE will be indicated by an asterisk (*).
189
SoftICE Commands
The following example uses the extended option (-x) to display extended information about a specic process, Explorer.
PROC -x explorer Extended Process Information for Explorer(60) KPEB: FD850020 PID: Base Pri: D Mem Pri: Usage Cnt: 1 Win Ver: Status: Ready Processor: Page Directory: Kernel Time: Create Time: Exit Time: Vad Root: DebugPort: SpinLock: ForkInProgress: Process Lock: Copy Mem Lock: Locked Pages: Private Pages: 00000000 011CA000 60 Parent: Unknown(48) 0 Quantum: 2 4.00 Err. Mode: 0 1 00000000
LDT Limit:
0000
MRU Vad: FD842E28 ExceptPort: E118B040 HUPEB: 00000004 Thread: Owner: Owner:
00000000 ProtoPTEs: 000000DD Modified Pages: 000000E4 0000014F Virt Size: 013F8000 Peak Virt Size: 01894000
---- Working Set Information ---Update Time: Data: Pages: Size: 01BB11D0D7B299C0 C0502000 Table: 00000879 Faults: 000002AF Minimum: C0502470 00000899 00000032
---- Non Pageable Pool Statistics ---Quota Usage: 00000E78 Inherited Usage: 0000C093 Peak Usage: Peak Usage: 00001238 00056555 Limit: 00080000
---- Pageable Pool Statistics ---Quota Usage: 00003127 Inherited Usage: 0000C000 Peak Usage: Peak Usage: 00004195 00004768 Limit: 000009CA
---- Pagefile Statistics ---Quota Usage: 00000151 Inherited Usage: FFFFFFFF Peak Usage: Peak Usage: 0000016E 00000151 Limit: 00000000
---- Handle Table Information ---Handle Table: E10CE5E8 Handle Array: E1265D48 Entries: 50
190
SoftICE Commands
QUERY
System Information
Syntax
-x address process-type
Shows the mapping for a specic linear address within every context where it is valid. Linear address to query. Expression that can be interpreted as a process.
Use
The QUERY command displays a map of the virtual address space for a single process, or the mapping for a specic linear address. If no parameter is specied, QUERY displays the map of the current process. If a process parameter is specied, QUERY displays information about each address range in the process.
For Windows 95
Output
Under Windows 95, the QUERY command displays the following information: Base AllocBase Pointer to the base address of the region of pages. Pointer to the base address of a range of pages allocated by the VirtualAlloc function that contains the base address in the Base column. Access protection assigned when the region was initially allocated. Size, in bytes, of the region starting at the base address in which all pages have the same attributes. State of the pages in the region : Commit, Free, or Reserve. Commit Committed pages for which physical storage was allocated Free Free pages not accessible to the calling process and available to be allocated. AllocBase, AllocProtect, Protect, and Owner are undened. Reserve Reserved pages. A range of the processs virtual address space is reserved, but physical storage is not allocated. Current Access Protection (Protect) is undened.
191
SoftICE Commands
The QUERY command displays the following information: Context Address Range Flags MMCI PTE Name Address context. Start and end address of the linear range. Flags from the node structure. Pointer to the memory management structure. Structure that contains the ProtoPTEs for the address range. Additional information about the range. This includes the following: Memory mapped les will show the name of the mapped le. Executable modules will show the le name of the DLL or EXE. Stacks will be displayed as (thread ID). Thread information blocks will be displayed as TIB(thread ID). Any address that the WHAT command can identify may also appear.
192
SoftICE Commands
Example
Windows 95
The following example shows a partial listing of the output of the QUERY command with no parameters. In this case, it displays the map for the current process, GDIDEMO.
QUERY Base 0 400000 407000 409000 40B000 410000 411000 510000 511000 520000 521000 AllocBase 0 400000 400000 400000 400000 410000 410000 410000 410000 520000 520000 AllocProt 0 1 1 1 1 1 1 1 1 4 4 Size 400000 7000 2000 2000 5000 1000 FF000 1000 F000 1000 F000 State Free Commit Commit Commit Reserve Commit Reserve Commit Reserve Commit Reserve Protect NA RO RW RO NA RW NA RW NA RW NA Owner GDIDEMO GDIDEMO GDIDEMO GDIDEMO Heap 32 Heap 32 Heap 32 Heap 32
The following example shows every context where base address 416000 is valid:
QUERY -x 416000 Base 416000 416000 416000 416000 416000 416000 416000 416000 AllocBase 400000 400000 400000 410000 400000 400000 410000 410000 AllocProt 1 1 1 1 1 1 0 1 Size F1000 E9000 D000 F9000 2000 E9000 EA000 FA000 State Reserve Reserve Commit Reserve Commit Reserve Free Reserve Protect NA NA RO NA RO NA NA NA Context KERNEL32 Heap 32 MSGSRV32 EXPLORER Explorer Heap 32 WINFILE CONSOLE Console Heap 32 WINOLDAP Mprexe Heap 32 Spool32 Owner
193
SoftICE Commands
The following example shows a partial listing of the virtual address map for Explorer.
QUERY EXPLORER Base 0 400000 423000 424000 435000 440000 449000 540000 541000 550000 551000 560000 AllocBase 0 400000 400000 400000 400000 440000 440000 440000 440000 550000 550000 560000 AllocProt 0 1 1 1 1 1 1 1 1 4 4 1 Size 400000 23000 1000 11000 B000 9000 F7000 1000 F000 1000 F000 106000 State Free Commit Commit Commit Reserve Commit Reserve Commit Reserve Commit Reserve Reserve Protect NA RO RW RO NA RW NA RW NA RW NA NA Owner EXPLORER EXPLORER EXPLORER EXPLORER Heap32 Heap32 Heap32 Heap32
Windows NT
The following example uses the QUERY command to map a specic linear address for Windows NT.
QUERY 7f2d0123 Context csrss Address Range Flags MMCI PTE Name
194
SoftICE Commands
The following example uses the QUERY command to list the address map of the PROGMAN process for Windows NT.
QUERY progman :query progman Address Range 00010000-00010FFF 00020000-00020FFF 00030000-0012FFFF 00130000-00130FFF 00140000-0023FFFF 00240000-0024FFFF 00250000-00258FFF 00260000-0026DFFF 00270000-002B0FFF 002C0000-002C0FFF 002D0000-002DFFFF 002E0000-0035FFFF 00360000-00360FFF 00370000-0046FFFF 00470000-0047FFFF 00480000-00481FFF 01A00000-01A30FFF 77DE0000-77DEFFFF 77E20000-77E4BFFF 77E50000-77E54FFF 77E60000-77E9BFFF 77EA0000-77ED7FFF 77EE0000-77F12FFF 77F20000-77F73FFF 77F80000-77FCDFFF 7F2D0000-7F5CFFFF 7F5F0000-7F7EFFFF 7FF70000-7FFAFFFF 7FFB0000-7FFD3FFF 7FFDD000-7FFDDFFF 7FFDE000-7FFDEFFF 7FFDF000-7FFDFFFF Flags C4000001 C4000001 84000004 C4000001 8400002D 04000000 01800000 01800000 01800000 01800000 04000000 84000001 C4000001 84000003 04000000 01800000 07300005 07300003 07300007 07300002 07300003 07300003 07300002 07300003 07300005 03400000 03400000 84000001 01600000 C4000001 C4000001 C4000001 MMCI PTE Name
STACK(2E) FF0DF4E8 FF0E7DE8 FF097AC8 FF0FC008 FF0FBA08 FF0FADC8 FF0FB728 FF0FCE08 FF0FD868 FF0EE1A8 FF0FDB48 FF0E2C08 FF0E8EA8 FF116288 E124AAA8 E110C6E8 E1246448 E1108928 E1110A08 E1103EE8 E1110C48 E11048C8 E110F608 E110C768 E1101068 E11C3068 E11B77E8 E1000188 ctype.nls progman.exe shell32.dll advapi32.dll rpcltc1.dll rpcrt4.dll user32.dll gdi32.dll kernel32.dll ntdll.dll Heap #05
195
SoftICE Commands
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Display/Change Memory
Syntax
For Windows 3.1 R [register-name [[=]value]] For Windows 95 and Windows NT R [-d | register-name | register-name [=] value]
register-name
Any of the following: AL, AH, AX, EAX, BL, BH, BX, EBX, CL, CH, CX, ECX, DL, DH, DX, EDX, DI, EDI, SI, ESI, BP, EBP, SP, ESP, IP, EIP, FL, DS, ES, SS, CS FS, GS. If register-name is any name other than FL, the value is a hexadecimal value or an expression. If register-name is FL, the value is a series of one or more of the following ag symbols, each optionally preceded by a plus or minus sign: O (Overow ag) D (Direction ag) I (Interrupt ag) S (Sign ag) Z (Zero ag) A (Auxiliary carry ag) P (Parity ag) C (Carry ag)
value
-d
Use
If no parameters are supplied, the cursor moves up to the Register window, and the registers can be edited in place. If the Register window is not currently visible, it is made visible. If register-name is supplied without a value, the cursor moves up to the Register window positioned at the beginning of the appropriate register eld. If both register-name and value are supplied, the specied register's contents are changed to the value.
196
SoftICE Commands
To change a ag value, use FL as the register-name, followed by the symbols of the ag whose values you want to toggle. To turn a ag on, precede the ag symbol with a plus sign. To turn a ag off, precede the ag symbol with a minus sign. If neither a plus or negative sign is specied, the ag value will toggle from its current state. The ags can be listed in any order.
Example
The following example moves the cursor into the Register window position under the rst ag eld.
R fl
The following example toggles the O ag value, turns on the A ag value, and turns off the C ag value.
R fl=o+a-c
197
SoftICE Commands
RS
F4
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Window Control
Syntax Use
RS
The RS command allows you to restore the program screen temporarily. This feature is useful when debugging programs that update the screen frequently. Use the RS command to redisplay your program screen. To return to the SoftICE screen, press any key.
198
SoftICE Commands
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Miscellaneous
Syntax
Starting address for search. Length in bytes. List of bytes or quoted strings separated by commas or spaces. A quoted string can be enclosed with single or double quotes. Make search case-insensitive. Search for Unicode string.
Use
Memory is searched for a series of bytes or characters that matches the data-list. The search begins at the specied address and continues for the length specied. When a match is found, the memory at that address is displayed in the Data window, and the following message is displayed in the Command window.
PATTERN FOUND AT location
If the Data window is not visible, it is made visible. To search for subsequent occurrences of the data-list, use the S command with no parameters. The search will continue from the address where the data-list was last found, until it nds another occurrence of data-list or the length is exhausted. The S command ignores pages that are marked not present. This makes it possible to search large areas of address space using the at data selector (Windows 3.1/Windows 95: 30h, Windows NT: 10h).
Example
The following example searches for the string 'Hello' followed by the bytes 12h and 34h starting at offset ES:DI+10 for a length of ECX bytes.
S es:di+10 L ecx 'Hello',12,34
The following example searches the entire 4GB virtual address range for 'string'.
S 30:0 L ffffffff 'string'
SoftICE Command Reference 199
SoftICE Commands
SERIAL
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Customization
Syntax
Initiates VT100 serial mode. Number from 1 to 4 that corresponds to COM1, COM2, COM3 or COM4. Default is COM1. Baud-rate to use for serial communications. The default is to have SoftICE automatically determine the fastest possible baud-rate that can be used. The rates are 1200, 2400, 4800, 9600, 19200, 23040, 28800, 38400, 57000, 115200.
Use
Use the SERIAL command to establish a remote debugging session through a serial port. Refer to DIAL on page 71 for information about how to establish remote sessions over a modem, and to Chapter 9, Using SoftICE with a Modem in Using SoftICE for a detailed explanation of this procedure.
200
SoftICE Commands
Remote debugging requires a second IBM-compatible PC. The machine being debugged is known as the local machine, and the machine where SoftICE is being controlled remotely is known as the remote machine.To use the SERIAL command, the remote and local machines must be connected with a null modem cable, with wiring as shown in the following gure, attached through serial ports. Before using the SERIAL command on the local machine, you must rst run the SERIAL32.EXE or SERIAL.EXE program on the remote machine. SERIAL32.EXE is a 32-bit client. SERIAL.EXE is a real mode (MSDOS) client. Pins 2 3 4 5 6 7 8 20 25-Pin Null-Modem Configuration Pins 2 3 5 7 8 6 1 4 9-Pin Null-Modem Configuration Pins 2 3 5 7 8 6 1 4 Pins 2 3 4 5 6 7 8 20
The syntax for the SERIAL32.EXE and SERIAL.EXE programs are the same as the syntax of the SERIAL command, so the following information is applicable to all. The SERIAL command has two optional parameters. The rst parameter specifies the comport on the machine where the command is entered through which the connection will be made. If no com-port is specied, com-port 1 (COM1) is chosen by default. The second parameter specifies a baud-rate. If a baud-rate is specied, the same baud-rate must be explicitly specied on both sides of the connection. If no baud-rate is specied, SoftICE will attempt to determine the fastest baud-rate that can be used over the connection without data loss. The process of arriving at the maximum rate can take a few seconds, during which SoftICE prints the rates it is checking. After the maximum rate is determined, SoftICE indicates the result.
SoftICE Command Reference 201
SoftICE Commands
Ctrl D is always the pop-up hot key sequence on the remote machine. SoftICE can also be popped up from the local machine with the local machines pop-up hot key sequence (which may have been set via the ALTKEY command). If the remote machine has a monochrome display, the COLOR command can be used to make SoftICEs output more readable. If for any reason data is lost over the connection and SoftICE output on the remote machine becomes corrupted, Shift \ (backslash) can be typed on the remote machine to force a repaint of the SoftICE screen. Specifying SERIAL OFF will end the remote debugging session and SoftICE will resume using the local machine for I/O. SERIAL with no parameters will display the current serial state and the com-port and baud-rate being used if SERIAL is ON. Using Ctrl-Z will exit the SERIAL.EXE program on the remote machine after a remote debugging session is complete. If you place the SERIAL command in the SoftICE initialization string setting, SERIAL.EXE must be running on the remote machine before SoftICE is started on the local machine.
For Windows 3.1
Prior to using the SERIAL command, you must place the COMn keyword on a separate line in the WINICE.DAT le to reserve a specic COM port for the serial connection. The n is a number between 1 and 4 representing the COM port. If this statement is not present in WINICE.DAT, SoftICE cannot be popped up from the remote machine. For example, the following keyword sets Com 2 as the serial post.
Com2 For Windows 95
Select the desired com port in the remote debugging initialization settings within Symbol Loader.
Example
The following example shows how to run the SERIAL.EXE program on the remote machine:
SERIAL.EXE on 19200
The following example shows how to execute a SERIAL command on the local machine that corresponds to the SERIAL.EXE command given in the previous example.
202
SoftICE Commands
SERIAL on 2 19200
When the rst command is executed, the remote machine will be prepared to receive a connection request from the local machine on its rst com-port at 19200bps. The second command establishes a connection between the two machines through the local machines second com-port. Since the rst command explicitly specied a baud rate, the SERIAL command on the local machine must explicitly specify the same baud rate of 19200bps. Once the connection is established, the remote machine will serve as the SoftICE interface for debugging the local machine until SERIAL off is entered on the remote machine.
See Also
203
SoftICE Commands
SET
Mode Control
Syntax
Species option to be set. Enables or disables the option. Value to be assigned to the option.
Use
Use the SET command to display or change the state of internal SoftICE variables. If you specify SET with a keyword, ON or OFF enables or disables that option. If you specify SET with a keyword and value, it assigns the value to the keyword. If SET is followed by a keyword with no additional parameters, it displays the state of the keyword. Using SET without parameters displays the state of all keywords. SET supports the following keywords:
ALTSCR BUTTONREVERSE CASESENSITIVE CENTER CODE EXCLUDE FAULTS FLASH FONT FORCEPALETTE I1HERE I3HERE LOWERCASE MAXIMIZE MONITOR [on|off ] [on|off ] [on|off ] [on|off ] [on|off ] [on|off ] [on|off ] [on|off ] [1|2|3] [on|off ] [on|off ] [on|off ] [on|off ] [on|off ] [1| 2 | 3 | n] (Windows2000 only)
204
SoftICE Commands
[on|off ] [1|2|3] x y (window location in pixel coordinates) [on|off ] [on|off ] [on|off ] [1|2|3|4|5|6|7|8] [on|off ] [on|off ] n
SET BUTTONREVERSE ON reverses the meaning of the left and right mouse buttons. SET CASESENSITIVE ON makes global and local symbol names case sensitive. Enter them exactly as displayed by the SYM command. SET CENTER ON centers the SoftICE window. When you manually move the window, SoftICE turns centering off. SET FORCEPALETTE ON prevents the system colors (palette indices 0-7 and 248-255) from being changed in 8-bits per pixel mode. This ensures that the SoftICE display can always be seen. This is OFF by default. SET MAXIMIZE ON sizes the UVD window as large as possible. This setting overrides LINES and WIDTH but not FONT. When you can change the LINES or WIDTH settings, SoftICE changes them only temporarily. The next time SoftICE pops up, it displays the window at maximum size. On Windows2000 only, SET MONITOR changes the monitor used to display SoftICE. Enter the decimal value representing the monitor you want to use to display SoftICE. Issuing the SET MONITOR command without parameters lists the monitors available to SoftICE. If you do not want SoftICE to patch in a specic video driver, add the base name of the DDI driver to the NTICE\ExcludedDisplayDrivers key in the registry. This list is delimited by semi-colons, ; . SET MOUSE ON enables mouse support and SET MOUSE OFF disables it. To adjust the speed at which the mouse moves, use one of the following: 1 (slowest speed); 2 (intermediate speedthis is the mouse default.); 3 (fastest speed). SET SYMBOLS ON instructs the disassembler to show the symbol names in disassembled code. SET SYMBOLS OFF instructs the disassembler to show numbers (for example, offsets and addresses). This command applies to both local and global symbol names. SET WHEELLINES sets the number of lines that should be scrolled for each wheel movement when using an Intellipoint mouse.
205
SoftICE Commands
Example
See Also
206
SoftICE Commands
SHOW
Ctrl-F11
Symbol/Source
Syntax
B start
Display instructions beginning with the oldest instruction. Hexadecimal number specifying the index within the back trace history buffer to start disassembling from. An index of 1 corresponds to the newest instruction in the buffer. Number of instructions to display.
length
Use
Use the SHOW command to display instructions from the back trace history buffer. If source is available for the instructions, the display is in mixed mode; otherwise, only code is displayed. You can use the SHOW command only if the back trace history buffer contains instructions. To ll the back trace history buffer, use the BPR command with either the T or TW parameter to specify a range breakpoint. The SHOW command displays all instructions and source in the Command window. Each instruction is preceded by its index within the back trace history buffer. The instruction whose index is 1 is the newest instruction in the buffer. Once SHOW is entered, you can use the Up and Down Arrow keys to scroll through the contents of the back trace history buffer. To exit from SHOW, press the Esc key. SHOW with no parameters or SHOW B will begin displaying from the back trace history buffer starting with the oldest instruction in the buffer. SHOW followed by a start number begins displaying instructions starting at the specied index within the back trace history buffer.
Example
The following example starts displaying instructions in the Command window, starting at the oldest instruction in the back trace history buffer.
SHOW B
See Also
BPR
207
SoftICE Commands
SRC
F3
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Symbol/Source
Cycle among source, code, and mixed displays in the Code window.
Syntax Use
SRC
Use the SRC command to cycle among the following modes in the Code window: source mode, code mode, and mixed mode.
Hint:
Example
The following example changes the current mode of the Code window.
SRC
208
SoftICE Commands
SS
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Symbol/Source
Syntax
SS [line-number] ['string']
line-number string
Use
The SS command searches the current source le for the specied character string. If there is a match, the line that contains the string is displayed as the top line in the Code window. The search starts at the specied line-number. If no line-number is specied, the search starts at the top line displayed in the Code window. If no parameters are specied, the search continues for the previously specied string. The Code window must be visible and in source mode before using the SS command. To make the Code window visible, use the WC command. To make the Code window display source, use the SRC command.
Example
In the following example, the current source le is searched starting at line 1 for the string 'if (i==3)'. The line containing the next occurrence of the string becomes the top line displayed in the Code window.
SS 1 'if (i==3)'
209
SoftICE Commands
STACK
System Information
Syntax
For Windows 3.1 and Windows 95 STACK [-v | -r] [task-name | SS:[E]BP]
-v -r task-name SS:[E]BP
Verbose. Displays local variables in 32-bit code. Ring transition. Walks through ring transitions in 32-bit code. Name of the task as displayed by the TASK command.
SS:[E]BP of a valid stack frame.
Thread handle or thread ID. Value that is not a thread-type is interpreted as a stack frame.
Use
Use the STACK command to display the call stacks for DOS programs, Windows tasks, and 32-bit code. If you enter STACK with no parameters, the current SS:[E]BP is used as a base for the stack frame displayed. You can explicitly specify a stack base with a task-name or base address, and under Windows NT, with a thread identier. If you are using STACK to display the stack of a Windows task that is not the current one, specify either its task-name or a valid SS:[E]BP stack frame. You can use the TASK command to obtain a list of running tasks. However, you should avoid using the STACK command with the current task of the TASK commands output (marked with an '*'), because the tasks last known SS:[E]BP is no longer valid. The STACK command walks the stack starting at the base by traversing x86 stack frames. If an invalid stack frame or address that has been paged out is encountered during the walk, the traversal will stop. In 32-bit code, the -r (ring transition) switch tells SoftICE to continue walking the stack through ring transitions. The SoftICE stack walking algorithm can use FPO (frame pointer omission) data to walk call stacks. The FPO data is a type of debug
210
SoftICE Commands
information that is embedded in a .NMS le during the translation step. The FPO data is module/symbol table specic. Therefore, when using the STACK command, it will be helpful to have symbol tables for all modules that are listed on the stack. If SoftICE does not have FPO data, it is limited to walking EBP frames only. The address of the call instruction at each frame is displayed along with the name of the routine it is in, if the routine is found in any loaded symbol table. If the routine is not in the symbol table, the export list and module name list are searched for nearby symbols. In 32-bit code, the STACK command output includes the frame pointer, the return address, and the instruction pointer for each frame. If you set the -v switch, SoftICE also displays the local variables for each frame. For each frame in the call stack, both the nearest symbol to the call instruction, and the actual address, are displayed. If there is no symbol available, the module name and object/section name are displayed instead. The 32-bit call stack support is not limited to applications; it will also work for VxDs and Windows NT device driver code at ring 0. Since many VxDs are written in assembly language, there may not be a valid call stack to walk from a VxD-stack base address. For Windows 3.1 and Windows 95, the call stack is not followed through thunks or ring transitions, but under Windows NT it is when you set the -r switch.
For Windows 3.1 and Windows 95
If you want SoftICE to pop up when a non-active task is restarted, you can use the STACK command with the task as a parameter to nd the address on which to set an execution breakpoint. To do this, enter STACK followed by the task-name. The bottom line of the call stack will show an address preceded by the word 'at'. This is the address of the CALL instruction the program made to Windows that has not yet returned. You must set an execution breakpoint at the address following this call. You can also use this technique to stop at other routines higher on the call stack. This is useful when you do not want to single step through library code until execution resumes in your program's code.
211
SoftICE Commands
Example
The following example shows the output from the STACK -r command when sitting at a breakpoint in the Driver::Works PCIENUM sample. Using the -r parameter results in the STACK command walking past the ring transition in _KiSystemService. The output is organized into three columns. Column one is the frame pointer. Column two is the return address. Column three is the instruction pointer.
stack -r FC070DE8 FC070E04 FC070E18 FC070E30 FC070E48 FC070ED8 FC070F04 0012FE04 0012FE6C 0012FEDC 0012FF80 0012FFC0 0012FFF0 F74FC919 F74FC796 801FE4F8 8016EBF8 8016CDF7 8013DC14 77F67E87 77F0D300 100011A0 00401057 004017C9 77F1BA3C 00000000 KIrp::KIrp+0007 KDevice::DeviceIrpDispatch+003C KDriver::DriverIrpDispatch+0026 @IofCallDriver+0037 _IopSynchronousServiceTail+006A _NtReadFile+0683 _KiSystemService+00C4 ntdll!.text+6E87 _ReadFile+01A6 PCIDLL!.text+01A0 PCIEXE!.text+0057 PCIEXE!.text+07C9 _BaseProcessStart+0040
The following example shows the same stack as the previous example, but displayed with the STACK -V -R command. The -v switch causes the local variables for each frame to be displayed.
stack -v -r F74AFDE8 F74FC919 KIrp::KIrp+0007 [EBP-4] + const class KIrp * this = 0xF74AFDF4 <{...}> [EBP+8] +struct _IRP * pIrp = 0x84C460E8 <{...}> F74AFE04 F74FC796 KDevice::DeviceIrpDispatch+003C [EBP-C] + const class KDevice * this = 0x807DC7A8 <{...}> [EBP-4] unsigned long Major = 0x3 [EBP+8] +struct _IRP * pIrp = 0x84C460E8 <{...}> F74AFE18 801FE4F8 KDriver::DriverIrpDispatch+0026 [EBP+8] +struct _DEVICE_OBJECT * pSysDev = 0x807DB850 <{...}> [EBP+C] +struct _IRP * pIrp = 0x84C460E8 <{...}> F74AFE30 8016EBF8 @IofCallDriver+0037 F74AFE48 8016CDF7 _IopSynchronousServiceTail+006A F74AFED8 8013DC14 _NtReadFile+0683 F74AFF04 77F67E87 _KiSystemService+00C4 0012FE04 77F0D300 ntdll!.text+6E87 0012FE6C 100011A0 _ReadFile+01A6 0012FEDC 00401057 PCIDLL!.text+01A0 0012FF80 004017C9 PCIEXE!.text+0057 0012FFC0 77F1BA3C PCIEXE!.text+07C9 0012FFF0 00000000 _BaseProcessStart+0040
212
SoftICE Commands
The following example shows the output of the STACK command in 16-bit mode. The command has been issued without any parameters, after a breakpoint is set in the message handler of a Windows program.
STACK __astart at 0935:1021 [?] WinMain at 0935:0d76 [00750] [BP+000C]hInstance 0935 [BP+000A]hPrev 0000 [BP+0006]lpszCmdLine [BP+0004]CmdShow [BP-0002]width 00DD [BP-0004]hWnd 00E5 USER!SENDMESSAGE+004F at 05CD:06A7 USER(01) at 0595:04A0 [?] 0595:048b USER(06) at 05BD:1A83 [?] =>ClockWndProc at 0935:006F [0179] [BP+000E]hWnd 1954 [BP+000C]message 0024 [BP+000A]wParam 0000 [BP+0006]lParam 06ED:07A4 [BP-0022]ps 0000
Each entry of the call stack in the 16-bit format contains the following information: Symbol name or module name in which the return address falls SS:[E]BP value of this entry Call instructions source line number if available Address of the rst line of this routine or the name of the routine that was called to reach this routine If stack variables are available for this entry, the following information about each is displayed: SS:[E]BP relative offset Stack variable name Data in the stack variable if it is of type char, int, or long
213
SoftICE Commands
SYM
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Symbol/Source
Syntax
section-name
A valid section-name or a partial section-name. You can use this parameter to display symbols in a particular section. If a section-name is specied, it must be followed by an exclamation point (!). For example, you could use the command SYM .TEXT! to display all symbols in the .TEXT section of the executable. If ! is the only parameter specied, the modules in this symbol table are listed. A valid symbol-name. The symbol-name can end with an asterisk (*). This allows searching if only the rst part of the symbol-name is known. The comma , character can be used as a wildcard character in place of any character in the symbol-name. The specic address to which the symbol is to be set.Value that is used to set a symbol to a specic address.
! symbol-name
value
Use
Use the SYM command to display and set symbol addresses. If you enter SYM without parameters, all symbols display. The address of each symbol displays next to the symbol-name. If you specify a symbol-name without a value, the symbol-name and its address display. If the symbol-name is not found, nothing displays. If you specify a section name followed by an exclamation point (!) and then a symbol name or asterisk (*), SYM displays only symbols from the specied section. The SYM command is often useful for nding a symbol when you can only remember a portion of the name. Two wildcard methods are available for locating symbols. If you specify a symbol-name ending with an asterisk (*), SYM displays all symbols that match the actual characters typed prior to the asterisk, regardless of their ending characters. If you use a comma (,) in place of a specic character in a symbol name, that character is a wild-card character. If you specify a value, the address of all symbols that match symbol-name are set to the value. If you place an address between square brackets as a parameter to the SYM command, SYM displays the closest symbol above and below the address.
214
SoftICE Commands
Example
The following example displays all symbols that start with FOO display.
SYM foo*
The following example sets all symbols that start with FOO to the address 6000.
SYM foo* 6000
The following example displays all sections for the current symbol table.
SYM !
The following example displays all symbols in section MAIN that start with FOO.
SYM main!foo*
215
SoftICE Commands
SYMLOC
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Symbol/Source
Syntax
For Windows 3.1 SYMLOC [segment-address | o | r | (section-number selector linear-address)] For Windows 95 and Windows NT SYMLOC [segment-address | o | r | -c process-type | (section-number selector linear-address)]
Use only use to relocate DOS programs. For 16-bit Windows table only. Changes all selector values back to their ordinal state. For 16-bit Windows table only. Changes all segment ordinals to their appropriate selector value. Specify a context value for a symbol table. Use when debugging DOS extended applications. For 32-bit tables only. PE le 1 based section-number. For 32-bit tables only. Protected mode selector. For 32-bit tables only. Base address of the section.
Use
The SYMLOC command handles symbol xups in a loaded symbol table. The command contains support for DOS tables, 16-bit protected mode Windows tables (using O and R commands only), and 32-bit protected mode tables. The 32-bit support is intended for 32-bit code that must be manually xed up such as DOS 32-bit extender applications. In a DOS program, SYMLOC relocates the segment components of all symbols relative to the specied segment-address. This function is necessary when debugging loadable device drivers or other programs that cannot be loaded directly with the SoftICE Loader. When relocating for a loadable device driver, use the value of the base address of the driver as found in the MAP command. When relocating for an .EXE program, the value is 10h greater than that found as the base in the MAP command. When relocating for a .COM program, use the base segment address that is found in the MAP command.
216
SoftICE Commands
The MAP command displays at least two entries for each program. The rst is typically the environment and the second is typically the program. The base address of the program is the relocation value.
For Windows 95 and Windows NT
The SYMLOC -C option allows you to associate a specic address context with the current symbol table. This option is useful for debugging an extender application under Windows NT where SoftICE would not be able to assign a context to the symbol table automatically.
Example
The following example relocates all segments in the symbol table relative to 1244. The +10 relocates a TSR that was originally an .EXE le. If it is a .COM le or a DOS loadable device driver, the +10 is not necessary.
SYMLOC 1244+10
The following example relocates all symbols in section 1 of the table to 401000h using selector 1Bh. Each section of the 32-bit table must be relocated separately.
SYMLOC 1 1b 401000
The following example sets the context of the current symbol table to the process whose process ID is 47. Subsequently, when symbols are used, SoftICE will automatically switch to that process.
SYMLOC -c 47
217
SoftICE Commands
T
F8
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Flow Control
Syntax
T [=start-address] [count]
start-address count
Address at which to begin execution. Specify how many times SoftICE should single step before stopping.
Use
The T command uses the single step ag to single step one instruction. Execution begins at the current CS:EIP, unless you specify the start-address parameter. If you specify this parameter, CS:EIP is changed to start-address prior to single stepping. If you specify count, SoftICE single steps count times. Use the Esc key to terminate stepping with a count. If the Register window is visible when SoftICE pops up, all registers that were altered since the T command was issued are displayed with the bold video attribute. If the Code window is in source mode, this command single steps to the next source statement.
Example
The following example single-steps through eight instructions starting at memory location CS:1112.
T = cs:1112 8
218
SoftICE Commands
TABLE
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Symbol/Source
Syntax
For Windows 3.1 TABLE [[r] partial-table-name] | autoon | autooff | $ For Windows 95 and Windows NT TABLE [partial-table-name] | autoon | autooff | $
Removes the table specied by partial-table-name. Symbol table name or enough of the rst few characters to dene a unique name. Key word that turns auto table switching on. Key word that turns auto table switching off. Specify $ to switch to the table where the current instruction pointer is located.
Use
If you do not specify any parameters, all the currently loaded symbol tables are displayed with the current symbol table highlighted. If you specify a partial-table-name, that table becomes the current symbol table. Use the TABLE command when you have multiple symbol tables loaded. SoftICE supports symbol tables for 16- and 32-bit Windows applications and DLLs, 32-bit Windows VxDs, Windows NT device drivers, DOS programs, DOS loadable device drivers, and TSRs. Symbols are only accessible from one symbol table at time. You must use the TABLE command to switch to a symbol table before using symbols from that table. If you use the AUTOON keyword, SoftICE will switch to auto table switching mode. In this mode, SoftICE changes the current table to the table the instruction pointer is in when SoftICE pops up. AUTOOFF turns off this mode. Tables are not automatically removed when your program exits. If you reload your program with the SoftICE Loader, the symbol table corresponding to the loaded program is replaced with the new one.
219
SoftICE Commands
If the R parameter precedes a partial-table-name, the specied table is removed. Specifying an asterisk (*) after the R parameter removes all symbol tables.
For Windows 95 and Windows NT
Symbol tables can be tied to a single address context or multiple address contexts. If a table is tied to a single context, switching to that table using the TABLE command switches to the appropriate address context. If you use any symbol from a context-sensitive table, SoftICE switches to that context. Use View Symbol Tables in the SoftICE Loader to remove tables from memory. The R parameter is not supported.
Example
In the following example, the TABLE command, used without parameters, lists all loaded symbol tables. In the sample output, GENERIC is highlighted because it is the current table. The amount of available symbol table memory is displayed at the bottom.
TABLE MYTSR.EXE MYAPP.EXE MYVXD GENERIC 006412 bytes of symbol table memory available
In the following example, the current table is changed to MYTSR.EXE. Notice that only enough characters to identify a unique table were entered.
TABLE myt
220
SoftICE Commands
TABS
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Customization
Syntax
TABS [tab-setting]
tab-setting
Number from 1 through 8 that species the number of columns between each tab stop in the source display.
Use
Use the TABS command to display or set tab-settings for the display of source les. Tab stops can be anywhere from 1 to 8 columns. The default TABS setting is 8. Using the TABS command without any parameters displays the current tab-setting. Specifying a tab-setting of 1 allows the most source to be viewed since each tab will be replaced by a single space. The following example causes the tabs setting to change to every fourth column starting at the rst display column.
TABS 4
Example
221
SoftICE Commands
TASK
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
System Information
Syntax Use
TASK
The TASK command displays information about all tasks that are currently running. The task that has focus is displayed with an asterisk after its name. This command is useful when a general protection fault occurs because it indicates which program caused the fault.
For Windows NT
The TASK command is process specic and only shows 16-bit tasks under Windows NT. In addition, it is only useful when the current context is that of an NTVDM process containing a WOW box. To view information on other processes, refer to PROC on page 185.
Output
For each running task, the following information displays: Task Name SS:SP StackTop StackBot StackLow TaskDB hQueue Events Name of the task. Stack address of the task when it last relinquished control. Top of stack offset. Bottom of stack offset. Lowest value that SP has ever had when there was a context-switch away from the task. Selector for the task data base segment. Queue handle for the task. This is just the selector for the queue. Number of outstanding events in the queue.
The TASK command works for 16- and 32-bit tasks, however, the following elds change for 32-bit tasks: StackBot StackTop Highest legal address of the stack shown as a 32-bit at offset. Lowest legal address of the stack shown as a 32-bit at offset.
222
SoftICE Commands
StackLow SS:SP
Field is not used. Contains the 16-bit selector offset address of the stack. If you examine the base address of the 16-bit selector, you see that this points to the same memory as does the at 32-bit pointer used with the 32-bit data selector.
Example
The following example shows the use of the TASK command on Windows 3.1 running Win32s, and its output.
TASK TaskNm FREECELL PROGMAN CLOCK MSWORD SS:SP 21BF:7D96 17A7:200A 1427:1916 StackTop 86CE0000 0936 02E4 StackBot 86D00000 2070 1A4E 93A4 14CE 143E 7ADE Low TaskDB hQueue Events 10FF 064F 144F 1F67 121F 07D7 1437 1F47 0000 0000 0000 0000
* 29AF:913E 5956
223
SoftICE Commands
THREAD
System Information
Syntax
TCB ID task-name
Thread Control Block. Thread ID number. Name of a currently running 32-bit process.
Use
Use the THREAD command to obtain information about a thread. If you do not specify any options or parameters, the THREAD command displays information for every active thread in the system.
If you specify a task-name as a parameter, all active threads for that process display. If you specify a TCB or ID, only information for that thread displays.
Output
For each thread, the following information is shown: Ring0TCB ID Context Ring3TCB Thread ID Process TaskDB PDB SZ Owner Address of the Ring-0 thread control block. This is the address that is passed to VxDs for thread creation and termination. VMM Thread ID. Context handle associated with the process of the thread. Address of the KERNEL32 Ring-3 thread control block Ring-3 thread ID Address of the KERNEL32 process database that owns the thread. Selector of the task database that owns the thread. Selector of the program database (protected-mode PSP). Size of the thread which can be either 16 or 32 bit. Process name of the owner.
224
SoftICE Commands
If you specify TCB or ID, the following information displays for the thread with the specied TCB or ID: Current register contents for the thread. All thread local storage offsets within the thread. This shows the offset in the thread control block of the VMM TLS entry, the contents of the TLS entry, and the owner of the TLS entry.
Example
The following example displays the thread that belongs to the Winword process.
THREAD
Ring0TCB C1051808
ID
Context
Process 8158AAA8
SZ
Owner *Winword
008B C104B990
25B7 32
The following example shows a partial listing of the information returned about the thread with ID 8B.
THREAD 8B Ring0TCB ID Context Ring3TCB ThreadID Process TaskDB PDB SZ Owner *Winword
25B7 32
CS:EIP=0137:BFF96868 SS:ESP=013F:0062FC3C DS=013F ES=013F FS=2EBF GS=0000 EAX=002A002E EBX=815805B8 ECX=815842CC EDX=815805B8 I S P ESI=00000000 EDI=815805B8 EBP=0062FC80 ECODE=00000000 TLS Offset 007C = 00000000 VPICD TLS Offset 0080 = 00000000 DOSMGR TLS Offset 0084 = 00000000 SHELL TLS Offset 0088 = C1053434 VMCPD TLS Offset 008C = C104EA74 VWIN32 TLS Offset 0090 = 00000000 VFAT TLS Offset 0094 = 00000000 IFSMgr
See Also
225
SoftICE Commands
THREAD
System Information
Syntax
-r -x -u -w thread-type process-type
Display value of the threads registers. Display extended information for each thread. Display threads with user-level components. Display a list of the objects that the thread is waiting on. Thread handle or thread ID. Process-handle, process-id or process-name.
Use
Use the THREAD command to obtain information about a thread. If you do not specify any options or parameters, the THREAD command displays information for every active thread in the system.
If you specify a process-type as a parameter, all the active threads for that process display. If you specify a thread-type, only information for that thread displays. For the -R and -X options, the registers shown are those that are saved on the thread context switches: ESI, EDI, EBX and EBP.
Output
For each thread, the following summary information is displayed: TID Krnl TEB StackBtm StackTop StackPtr User TEB Process(Id) Thread ID. Kernel Thread Environment Block. Address of the bottom of the threads stack. Address of the start of the threads stack. Threads current stack pointer value. User thread environment block. Owner process-name and process-id.
226
SoftICE Commands
When you specify extended output (-x), THREAD displays many elds of information about thread environment blocks. Most of these elds are self-explanatory, but the following are particularly useful and deserve to be highlighted: TID KTEB Base Pri, Dyn. Pri Mode Switches Afnity Restart Thread ID. Kernel Thread Environment Block. Threads base priority and current priority. Indicates whether the thread is executing in user or kernel mode. Number of context switches made by the thread. Processor afnity mask of the thread. Bit positions that are set represent processors on which the thread is allowed to execute. Address at which the thread will start executing when it is resumed.
Example
The following example uses the THREAD command to display the threads that belong to the Explorer process:
THREAD explorer TID 006A 006F 007C Krnl TEB StackBtm FD857DA0 FB1CB000 FD854620 FB235000 FD840020 FD72F000 StkTop StackPtr User TEB Process(Id)
FB1CD000 FB1CCED8 7FFDE000 Explorer(6B) FB237000 FB236B2C 7FFDD000 Explorer(6B) FD731000 FD730E24 7FFDB000 Explorer(6B)
227
SoftICE Commands
The following example displays extended information on the thread with ID 5Fh:
THREAD -x 5f Extended Thread Info for thread 5F KTEB: FD850D80 TID: 05F Process: Explorer(60) Base Pri: D Dyn. Pri: E Quantum: 2 Mode: User Suspended: 0 Switches: 00024B4F TickCount: 00EE8DA4 Wait Irql: 0 Status: User Wait for WrEventPair Start EIP: KERNEL32!LeaveCriticalSection+0058 (6060744C) Affinity: 00000001 Context Flags: A KSS EBP: FB1C3F04 Callback ESP: 00000000 Kernel Stack: FB1C2000 - FB1C4000 Stack Ptr: FB1C3ED8 User Stack: 00030000 - 00130000 Stack Ptr: 0012FE3C Kernel Time: 0000014A User Time: 0000015F Create Time: 01BB10646E2DBE90 SpinLock: 00000000 Service Table: 80174A40 Queue: 00000000 SE Token: 00000000 SE Acc. Flags: 001F03FF UTEB: 7FFDE000 Except Frame: 0012FEB4 Last Err: 00000006 Registers: ESI=FD850D80 EDI=0012FEC4 EBX=77F6BA0C EBP=FB1C3F04 Restart : EIP=80168757 a.k.a. _KiSetServerWaitClientEvent+01CF Explorer!.text+975D at 001B:0100A75D Explorer!.text+9945 at 001B:0100A945 Explorer!.text+A3F8 at 001B:0100B3F8 USER32!WaitMessage+004F at 001B:60A0CA4B user32!.text+070A at 001B:60A0170A => ntdll!CsrClientSendMessage+0072 at 001B:77F6BA0C
See Also
228
SoftICE Commands
TIMER
System Information
Syntax
TIMER [ timer-address ]
timer-address
Use Example
Displays the system timer objects or the contents of a specic timer object. The following example shows a portion of the output of the TIMER command when it is issued with no parameters
TIMER
Timer DPC DPC Object Address Context 80706588 80681C48 8074E108 80730DE8 FBDA3980 FBD47C80 00000000 NTice!.text+000479C0 FC392EB0 F74D0B4C FC392E80 806DAD68 8066A108 807946D8 80802E90 807946A8 807AF048 8078D1A8 80802EF0 8078D1A8 807079C8 8074B108 8073D108 Remaining Time 10.233s 10.233s 62.787s 10.248s 18.588ms 19.884ms 22.633ms 29.323ms 180.777s 59.942ms 79.971ms 5.223s 68.043s 159.510ms Signaled FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE Period Symbol
TDI!.text+088C
229
SoftICE Commands
The following example shows the output of TIMER when it is issued for a specic timer object.
TIMER 80793568
Timer Object at 80793568 Dispatcher Type: 08 Dispatcher Size: 010A Signal State: Not Signaled Dispatch Wait List Forward Link: <self> Dispatch Wait List Back Link: <self> Remaining Time: 349.784ms Timer List Forward Link: 8014D828 Timer List Back Link: 8014D828 Timer Object is NOT Periodic Timer DPC: 80793548 DPC Routine: F74D0B4C TDI!.text+088C DPC Context: 80793538
See Also
APC, DPC
230
SoftICE Commands
TRACE
CTRL-F9, TRACE B, CTRL-F12
Symbol/Source
Syntax
b off start
Start tracing from the oldest instruction in the back trace history buffer. Exit from trace simulation mode. Hexadecimal number specifying the index within the back trace history buffer from which to start tracing. An index of 1 corresponds to the newest instruction in the buffer.
Use
Use the TRACE command to enter, exit, and display the current state of the trace simulation mode. TRACE with no parameters displays the current state of trace simulation mode. TRACE followed by off exits from trace simulation mode and returns to regular debugging mode. TRACE B enters trace simulation mode starting from the oldest instruction in the back trace history buffer. TRACE followed by a start number enters trace simulation mode at the specied index within the back trace history buffer. You can use the trace simulation mode only if the back trace history buffer contains instructions. To ll the back trace history buffer, use the BPR command with either the T or TW parameter to specifying a range breakpoint. When trace simulation mode is active, the help line at the bottom of the SoftICE screen signals the trace mode and displays the index of the current instruction within the back trace history buffer. Use the XT, XP, and XG commands to step through the instructions in the back trace history buffer from within the trace simulation mode. When stepping through the back trace history buffer, the only register that changes is the EIP register because back trace ranges do NOT record the contents of all the registers. You can use all the SoftICE commands within trace simulation mode except for the following: X, T, G, P, HERE, and XRSET.
Example
The following example enters trace simulation mode starting at the eighth instruction in the back trace history buffer.
TRACE 8
See Also
SoftICE Commands
TSS
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
System Information
Syntax
For Windows 3.1 TSS For Windows 95 and Windows NT TSS [TSS-selector]
TSS-selector
Use
This command displays the contents of the task state segment after reading the task register (TR) to obtain its address. You can display any 32-bit TSS by supplying a valid 32-bit Task Gate selector as a parameter. Use the GDT command to nd TSS selectors. If you do not specify a parameter, the current TSS is shown.
Output
The following information is displayed: TSS selector value selector base selector limit TSS selector number. Linear address of the TSS. Size of the TSS.
The next four lines of the display show the contents of the register elds in the TSS. The following registers are displayed:
LDT, GS, FS, DS, SS, CS, ES, CR3 EAX, EBX, ECX, EDX, EIP ESI, EDI, EBP, ESP, EFLAGS Level 0, 1 and 2 stack SS:ESP For Windows 3.1 and Windows 95
On Windows 3.1 and Windows 95, the TSS command also displays the TSS bit mask array. The bit mask array shows each I/O port that has been hooked by a Windows virtual device driver (VxD). For each port, the following information is displayed: port number 16-bit port number.
232
SoftICE Commands
32-bit at address of the ports I/O handler. All I/O instructions on the port will be reected to this handler. Symbolic name of the I/O handler for the port. If symbols are available for the VxD, the nearest symbol is displayed; otherwise the name of the VxD followed by the handlers offset within the VxD is displayed.
On Windows95 and Windows NT, the TSS command also displays the I/O permission map base and size. A size of zero indicates that all I/O is trapped. A non-zero size indicates that the I/O permission map determines if an I/O port is trapped.
Example
The following example displays the task state segment in the Command window. The output of the bit mask array is abbreviated.
TSS TR=0018 BASE=C000AEBC LIMIT=2069 LDT=0000 GS=0000 FS=0000 DS=0000 SS=0000 CS=0000 ES=0000 CR3=00000000 EAX=00000000 EBX=00000000 ECX=00000000 EDX=00000000 EIP=00000000 ESI=00000000 EDI=00000000 EBP=00000000 ESP=00000000 EFL=00000000 SS0=0030:C33EEFA8 SS1=0000:00000000 SS2=0000:00000000 I/O Map Base=0068 I/O Map Size=2000 Port 0000 0001 0002 0003 0004 0005 0006 0007 0008 0009 Handler C00C3E92 C00C3F0E C00C3E92 C00C3F0E C00C3E92 C00C3F0E C00C3E92 C00C3F0E C00C3C55 C00C3D98 Trapped Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Owner VDMAD(01)+17BA VDMAD(01)+1836 VDMAD(01)+17BA VDMAD(01)+1836 VDMAD(01)+17BA VDMAD(01)+1836 VDMAD(01)+17BA VDMAD(01)+1836 VDMAD(01)+157D VDMAD(01)+16C0
If you are interested in which VxD has hooked port 21h (interrupt mask register), you would look at the TSS bit mask output of the TSS display for the entry corresponding to the port. The following output, taken from the TSS commands output, indicates that the port is hooked by the virtual PIC device and its handler is at offset 800792B4 in the at code segment. This corresponds to an offset of 0AF8h bytes from the beginning of VPICD's code segment.
0021 800792B4 VPICD+0AF8
233
SoftICE Commands
TYPES
Symbol/Source Command
List all types in the current context or list all type information for the type-name specied.
Syntax
TYPES [type-name]
type-name
Use
If you do not specify a type-name, TYPES lists all the types in the current context. If you do specify a type-name, TYPES lists all the type information for the type-name you specied. If the type-name you specied is a structure, TYPES expands the structure and lists the typedefs for its members. The following example displays all the types in the current context. The example output is only a partial listing.
TYPES Size 0x0004 0x0004 0x0004 0x0018 0x0002 0x0048 0x0048 0x0020 0x0004 0x0001 0x0010 0x0004 Type Name ABORTPROC ACCESS_MASK ACL_INFORMATION_CLASS ARRAY_INFO ATOM BALLDATA _BALLDATA _BEZBUFFER BOOL BOOLEAN _BOUNCEDATA BSTR Typedef int stdcall (*proc) (void) unsigned long int struct ARRAY_INFO unsigned short struct _BALLDATA struct _BALLDATA struct _BEZBUFFER int unsigned char struct _BOUNCEDATA unsigned short *
Example
The following example displays all the type information for the type-name _bouncedata:
TYPES _bouncedata typedef public: void void void void }; struct _BOUNCEDATA { * * * * hBall1 hBall2 hBall3 hBall4 ; ; ; ;
See Also
234
LOCALS, WL
SoftICE Commands
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Display/Change Memory
Unassemble instructions.
Syntax
For Windows 3.1 U [address] | [symbol-name] For Windows 95 and Windows NT U [address [l length]] | [symbol-name]
Segment offset or selector offset. Scrolls the Code window to the function you specify. Number of instruction bytes.
Use
The U command displays either source code or unassembled code at the specied address. The code displays in the current mode (either code, mixed, or source) of the Code window,. Source displays only if it is available for the specied address. To change the mode of the Code window, use the SRC command (default key F3). If you do not specify the address, the command unassembles at the address where you left off. If the Code window is visible, the instructions display in the Code window, otherwise they display in the Command window. The Command window displays either eight lines or one less than the length of the Command window. To make the Code window visible, use the WC command (default key Alt-F3). To move the cursor to the Code window, use the EC command (default key F6). If the instruction is at the current CS:EIP, the U command displays the instruction using the reverse video attribute. If the current CS:EIP instruction is a relative jump, the instruction contains either the string JUMP or NO JUMP, indicating whether or not the jump will be taken. If the jump will be taken, an arrow indicates if the jump will go up or down in the Code window. If the current CS:EIP instruction references a memory location, the U command displays the contents of the memory location in the Register window beneath the ags eld. If the Register window is not visible, this value displays at the end of the code line. If a breakpoint is set on an instruction being displayed, the code line is displayed using the bold attribute.
235
SoftICE Commands
If any of the memory addresses within an instruction have a corresponding symbol, the symbol displays instead of the hexadecimal address. If an instruction is located at a code symbol, the symbol name displays on the line above the instruction. To view or suppress the actual hexadecimal bytes of the instruction, use the CODE command.
For Windows 95 and Windows NT
If you specify a length, SoftICE disassembles the instructions in the Command window instead of the Code window. This is useful for reverse engineering, for example, disassembling an entire routine and then using the SoftICE Loader Save SoftICE History function to capture the output to a le.
Example
The following example unassembles instructions beginning at 10 hexadecimal bytes before the current address.
U eip - 10
The following example displays source in the Code window starting at line number 121.
U .121 For Windows 95 and Windows NT
The following command disassembles 100h bytes starting at MyProc and displays the output in the Command window.
U myproc L100
236
SoftICE Commands
VCALL
System Information
Syntax
VCALL [partial-name]
partial-name
VxD callable routine name or the rst few characters of the name. If more than one routines name matches the partial-name, VCALL lists all routines that start with the specied characters.
Use
The VCALL command displays the names and addresses of Windows VxD API routines. These are Windows services provided by VxDs for other VxDs. All the routines SoftICE lists are located in Windows system VxDs that are included as part of the base-line Windows kernel. The addresses displayed are not valid until the VMM VxD is initialized. If an X is not present in the SoftICE initialization string, SoftICE pops up while Windows is booting and VMM is not initialized. The names of all VxD APIs are static. Only the function names provided in the Windows DDK Include Files are available. These API names are not built into the nal VxD executable le. SoftICE provides API names for the following VxDs:
CONFIGMG DOSMGR DOSNET EBIOS ENABLE IFSMGR INT13 IOS NDIS VCD VCOMM VMCPD VMD VMM VMPOLL VNETBIOS VSD VTD VWIN32 VXDLDR
237
SoftICE Commands
Example
The following example lists all Windows system VxD calls that start with Call. Sample output follows the command.
VCALL call 80006E04 80009FD4 80009FF4 8000A018 8000969C 800082C0 8000889F 8000898C Call_When_VM_Returns Call_Global_Event Call_VM_Event Call_Priority_VM_Event Call_When_VM_Ints_Enabled Call_When_Not_Critical Call_When_Task_Switched Call_When_Idle
238
SoftICE Commands
VER
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Miscellaneous
Syntax
VER
Hint:
To view your registration information and product serial number, start SoftIce Loader and choose About SoftICE Loader from the Help menu.
Example
The following example displays the SoftICE version number and operating system version.
VER
239
SoftICE Commands
VM
System Information
Syntax
VM [-S] [VM-ID]
-S VM-ID
Switches to the VM identied by the VM-ID. Index number of the virtual machine. Index numbers start at 1. Index number 1 is always assigned to the Windows System VM, the VM in which Windows applications run.
Use
If no parameters are specied, the VM command displays information about all virtual machines (VM) in the system. If a VM-ID is specied, the register values of the VM are displayed. These registers are those found in the client register area of the virtual machine control block, so they represent the values last saved into the control block when there was a context switch away from the VM. If SoftICE is popped up while a VM is executing, the registers displayed in the SoftICE Register window, not the ones shown in the VM command output, are the current registers for the VM. However, if you are in the rst few instructions of an interrupt routine in which a virtual machines registers are being saved to the control block, the CS:IP register may be the only valid register. The others will not have been saved yet. The command displays two sets of segment registers plus the EIP and SP registers. The segment registers are used for the protected mode and the real mode contexts of the VM. If a VM was executing in protected mode last, the protected mode registers are listed rst. If V86 mode was the last execution mode, the V86 segment registers are listed rst. The general purpose registers, displayed below the segment registers, correspond to the segment registers listed rst. A VM is a unit of scheduling for the Windows kernel. A VM can have one protected mode thread under Windows 3.1, and multiple protected mode threads under Windows 95. In both cases, the VM has one V86 mode thread of execution. Windows, Windows applications, and DLLs all run in protected mode threads of VM 1 (the System VM). VMs other than the System VM normally have a V86 thread of execution only. However, DPMI applications (also known as DOS extended applications) launched from these VMs can also execute in a protected mode thread. The VM command is very useful for debugging VxDs, DPMI programs, and DOS programs running under Windows. For example, if the system hangs while running a DOS program, you can often use the VM command to nd the address of the last instruction executed. The last instruction would be the CS:EIP shown for the VMs V86 thread.
240
SoftICE Commands
The VM command can also be very valuable when Windows faults all the way back to DOS. That is, when Windows cannot handle a fault and exits Windows, your computer is left at the DOS prompt. If this case, set I1HERE ON in SoftICE and duplicate the problem so that Windows executes an INT 1 prior to returning to DOS. When the fault happens, SoftICE pops up. You can then use the VM command to nd out the last address of execution and the CR command to nd the fault address. CR2 contains the fault address. The ESI register usually points to an error message at this point.
Output
For each virtual machine, VM displays the following information. VM Handle Status VM handle is actually a at offset of the data structure that holds information about the VM. This is a bit mask that shows current state information for the VxD. The values are as follows:
0001H 0002H 0004H 0008H 0010H 0020H 0040H 0080H 0100H 0200H 0400H 0800H 1000H 2000H 4000H 8000H Exclusive mode Runs in background In process of creating Suspended Partially destroyed Executing protected mode code Executing protected mode app Executing 32-bit protected app Executing call from VxD High priority background Blocked on semaphore Woke up after blocked Part of V86 App is pageable Rest of V86 is locked Scheduled by time-slices Idle, has released time slice
241
SoftICE Commands
High Address
Alternate address space for VM. This is where a VxD typically accesses VM memory (instead of 0). Note: It is likely that parts of the VM will be paged out when SoftICE pops up. Index number of this VxD, starting at 1. Address of the saved registers of this VM. This address actually points into the level 0 stack for this VM.
Example
The following example shows the use of the VM command without parameters
VM
VM-ID 3 2 1
242
SoftICE Commands
VXD
Windows 3.1
System Information
Syntax
VxD-name partial-VxD-name
Use
This command displays a map of all Windows virtual device drivers in the Command window. If no parameters are specied, all VxDs are displayed. If a VxD-name is specied, only information about the VxD with that name displays. If a partial name is specied, SoftICE displays information on all VxDs whose name begins with the partial name. Information that is shown about a VxD includes the VxDs control procedure address, its Protected Mode and V86 API addresses, and the addresses of all VxD services it implements. If the current CS:EIP belongs to one of the VxD's in the map, the line with the address range that contains the CS:EIP will be highlighted.
Output
If no parameters are specied, each entry in the VxD map contains the following information: VxD name address Name specied in the .DEF le when the VxD was built. Flat 32-bit address of one VxD section. VxDs are comprised of multiple sections where each section contains both code and data. (i.e. LockCode, LockData would be one section.) Length of the VxD section. This includes both the code and the data of the VxD group. Flat code selector. Flat data selector. Section number from the .386 le. VxD ID number. The VxD ID numbers are used to obtain the Protected Mode and V86 API addresses that applications call. Address of the VxDs Device Descriptor Block (DDB). This is a control block that contains information about the VxD such as the address of the Control Procedure and addresses of APIs.
243
SoftICE Commands
If a VxD name is specied, the following information is displayed in addition to the previous information: Control Procedure Protected Mode API V86 API Address VxD Services Routine to which all VxD messages are dispatched. Address of the routine where all services called by protected mode applications are processed. Address of the routine where all services called by V86 applications are processed. List of all VxD services that are callable from other VxDs. For the Windows system VxDs, both the name and the address of the routines are displayed.
Example
The following example displays the VxD map in the Command window. The rst few lines of the display would look something like the following. You can use the VxD names in the table as symbol names. The address of seg 1 will be used when a VxD name is used in an expression.
VXD VxDName VMM VMM LoadHi LoadHi WINICE CV1 VDDVGA VDDVGA Address Length Code Data 0030 0030 0030 0030 0030 0030 0030 0030 Type LGRP IGRP LGRP IGRP LGRP LGRP LGRP IGRP 02 ID 01 DDB
80001000 000193D0 0028 80200000 00002F1C 0028 8001A3d0 000007E8 0028 80202F1C 00000788 0028 8001ABB8 00027875 0028 80042430 0000036B 0028 8004279C 00007AD8 0028 802036A8 000005EC 0028
See Also
244
SoftICE Commands
VXD
System Information
Syntax
VXD [VxD-name]
VxD-name
Use
Use this command to obtain information about one or more VxDs. If you do not specify any parameters, it displays a map of all the Windows virtual device drivers that are currently loaded in the system. Dynamically loaded VxDs are listed after statically loaded VxDs. If a VxD-name is specied, only that VxD, or VxDs with the same string at the start of their name are displayed. For example, VM will match VMM and VMOUSE. If the current CS:EIP belongs to one of the VxDs in the map, the line with the address range that contains the CS:EIP is highlighted. If no parameters are specied, each entry in the VxD map contains this information: VxDName Address Length Seg ID DDB Control PM V86 VXD Win32 VxD Name. Base address of the segment. Length of the segment. Section number from the executable. VxD ID. Address of the VxD descriptor block. Address of the control dispatch handler. Y, if the VxD has a protected mode API. N otherwise. Y, if the VxD has a V86 API. N otherwise. Number of VxD services implemented. Number of Win32 services implemented.
If a unique VxD name is specied, the following additional information appears: Init Order Reference Data Order in which VxDs receive control messages. A zero value indicates highest priority. The dword value that was passed from the real mode initialization procedure (if any) of the VxD.
245
SoftICE Commands
VxD version number. PM API FLAT procedure address and PM API Ring-3 address used by applications. Refer to the following comments on PM and V86 APIs. V86 API FLAT procedure address and V86 API Ring-3 address used by applications. Refer to the next comments on PM and V86 APIs.
The PM API and V86 API parameters are register based and it is up to the individual VxD to dene subfunctions and parameter passing (on entry EBX-VM Handle, EBP-client registers). If the Ring-3 address shown is 0:0, it means that no application code has yet requested the API address through INT 2F function 1684h. When the VxD being listed has a Win32 service table, the following information is presented for each service: Service Number Service Address Params Win32 Service Number. Address of the service API handler. Number of dword parameters the service requires.
When the VxD being listed has a VxD service table, the following is shown for each service: Service Number Service Address Service Name VxD service number. Flat address of service. Symbol name if known (from VCALL list).
Example
The following example displays the VxD map in the Command window. The rst few lines of the display look similar to the following. You can use the VxD as symbol names. The address of Seg 1 is used when a VxD name is used in an expression.
VXD VxD Address Name VMM VMM VMM VMM VMM VMM Length Seg ID DDB Control PM V86 VxD Win32 Y 402 41
C0001000 00FDC0 0001 0001 C000E990 C00024F8 Y C0200000 000897 0002 C03E0000 000723 0003 C0320000 000095 0004 C0360000 00ED50 0005 C0260000 007938 0006
See Also
246
SoftICE Commands
WATCH
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Watch
Syntax Use
WATCH expression
Use the WATCH command to display the results of expressions. SoftICE determines the size of the result based on the expressions type information. If SoftICE cannot determine the size, dword is assumed. The expressions being watched are displayed in the Watch window. There can be up to eight watch expressions at a time. Every time the SoftICE screen is popped up, the Watch window displays the expressions current values. Each line in the Watch window contains the following information: Expression being evaluated. Expression type. Current value of the expression displayed in the appropriate format. A plus sign (+) preceding the type indicates that you can expand it to view more information. To expand the type, either double-click the type or press Alt-W to enter the Watch window, use the UpArrow and DownArrow keys to move the highlight bar to the type you want to expand, and press Enter. If the expression being watched goes out of scope, SoftICE displays the following message: Error evaluating expression. To delete a watch, use either the mouse or keyboard to select the watch and press Delete.
Example
The following example creates an entry in the Watch window for the variable hInstance.
WATCH hInstance
The following example indicates that the type for hInstance is void pointer (void *) and its current value is 0x00400000.
hPrevInstance void * = 0x00400000
The following example displays the dword to which the DS:ESI registers point.
WATCH ds:esi ds:esi void * =0x8158D72E
To watch what ds:esi points to, use the pointer operator (*):
WATCH * ds:esi
247
SoftICE Commands
The following example sets a watch on a pointer to a character string lpszCmdLine. The results show the value of the pointer (0x8158D72E) and the ASCII string (currently null).
WATCH lpszCmdLine +char * =0x8158D72E <"">
See Also
Alt-W, WW
248
SoftICE Commands
WC
Alt-F3
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Window Control
Toggle the Code window open or closed; and set the size of the Code window.
Syntax
WC [window-size]
window-size
Decimal number.
Use
If you do not specify window-size, WC toggles the window open or closed. If the Code window is closed, WC opens it; and if it is open, WC closes it. If you specify the window-size, the Code window is resized. If it is closed, WC opens it to the specied size. When the Code window is closed, the extra screen lines are added to the Command window. When the Code window is opened, the lines are taken from the other windows in the following order: Command and Data. If you wish to move the cursor to the Code window, use the EC command (default key F6).
Example
If the Code window is closed, the following example displays the window and sets it to twelve lines. If the Code window is open, the example sets it to twelve lines.
WC 12
See Also
249
SoftICE Commands
WD
Alt-F2
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Window Control
Toggle the Data window open or closed; and set the size of the Data window.
Syntax
WD [window-size]
window-size
Decimal number.
Use
If you do not specify the window-size, WD toggles the Data window open or closed. If the Data window is closed, WD opens it; and if it is open, WD closes it. If you specify the window-size, the Data window is resized. If it is closed, WD opens it to the specied size. When the Data window is closed, the extra screen lines are added to the Command window. When the Data window is opened, the lines are taken from the other windows in the following order: Command and Code. If you wish to move the cursor to the Data window to edit data, use the E command.
Example
If the Data window is closed, the following example displays the window and sets it to one line. If the Data window is open, the example sets it to one line.
WD 1
See Also
250
SoftICE Commands
WF
CTRL-F3
Window Control
Display the oating point stack in either oating point or MMX format.
Syntax
WF [-d] [b | w | d | f | p | *]
-d
Display the oating point stack in the Command window. In addition to the registers, both the FPU status word and the FPU control word display in ASCII format. Display the oating point stack in byte hexadecimal format. Display the oating point stack in word hexadecimal format. Display the oating point stack in dword hexadecimal format. Display the oating point stack in 10-byte real format. Display the oating point stack as packed 32-bit oating point. This is the AMD 3DNow format. Display the next format. The * keyword is present to allow cycling through all the display formats by pressing a function key.
b w d f p *
Use
WF with no parameters toggles the display of the oating point Register window. The window occupies four lines and is displayed immediately below the Register window. In 10 byte real format, the registers are labeled ST0-ST7. In all other formats the registers are labeled MM0-MM7. If the oating point stack contains an unmasked exception, SoftICE will NOT display the stack contents. When reading the FPS, SoftICE obeys the tag bits and displays 'empty' if the tag bits specify that state. When displaying in the Command window, SoftICE displays both the status word and the control word in ASCII format.
251
SoftICE Commands
Example
The following example shows the use of the WF command with the -d option set to show the oating point stack, and the -f option set to display the stack in 10-byte real format.
WF -d f FPU Status Word: top=2 FPU Control Word: PM UM OM ZM DM IM pc=3 rc=0 ST0 1.619534411708533451e-289 ST1 9.930182991407099205e-293 ST2 6.779357630001165015e-296 ST3 4.274541060856685014e-299 ST4 2.782904336495237639e-302 ST5 1.818657819582844735e-305 ST6 empty ST7 empty
Note:
ASCII ags are documented in the INTEL Pentium Processor Users Manual, Architecture and Programming, Volume 3.
When displaying in any of the hexadecimal formats, SoftICE always display left to right from most signicant to least signicant. For example, in word format, the following order would be used:
bits(63-48) bits(47-32) bits(31-16) bits(15-0)
See Also
252
SoftICE Commands
WHAT
System Information
Syntax
name expression
Any symbolic name that cannot be evaluated as an expression. Any expression that can be interpreted as an expression.
Use
The WHAT command analyzes the parameter specied and compares it to known names/values, enumerating each possible match, until no more matches can be found. Where appropriate, type identication of a match is expanded to indicate relevant information such as a related process or thread. The name parameter is typically a collection of alphanumeric characters that represent the name of an object. For example, Explorer would be interpreted as a name, and might be identied as either a module, a process, or both. The expression parameter is something that would not generally be considered a name. That is, it is a number, a complex expression (an expression which contains operators, such as Explorer + 0), or a register name. Although a register looks like a name, registers are special cased as expressions since this usage is much more common. For example, for WHAT eax, the parameter eax is interpreted as an expression-type. Symbol names are treated as names, and will be correctly identied by the WHAT command as symbols. Because the rules for determining name- and expression-types can be ambiguous at times, you can force a parameter to be evaluated as a name-type by placing it in quotes. For example, for WHAT eax, the quotes force eax to be interpreted as a name-type. To force a parameter that might be interpreted as a name-type to an expression-type, use the unary + operator. For example, for WHAT +Explorer, the presence of the unary + operator forces Explorer to be interpreted as a symbol, instead of a name.
Example
The following is an example of using the WHAT command on the name Explorer and the resulting output. From the output, you can see that the name Explorer was identied twice: once as a kernel process and once as a module.
WHAT explorer The name (explorer) was identified and has the value FD854A80 The value (FD854A80) is a Kernel Process (KPEB) for Explorer(58) The name (explorer) was identified and has the value 1000000 The value (1000000) is a Module Image Base for 'Explorer'
253
SoftICE Commands
WIDTH
Customization
Syntax
WIDTH [80-160 ]
80 - 160
Use
When you are using SoftICE with the Universal Video Driver, you can use the WIDTH command can be used to set the number of display columns between 80 and 160. The default width is 80. If you enter the WIDTH command without specifying a parameter, SoftICE displays the current setting of the windows width.
Example
The following example sets the width of the SoftICE window to 90 display columns.
WIDTH 90
The following command returns the current width setting of the SoftICE window.
WIDTH
See Also
LINES, SET
254
SoftICE Commands
WL
Toggle the Locals window open or closed; and set the size of the Locals window.
Syntax
WL [window-size]
window-size
Decimal number.
Use
If you do not specify the window-size, WL toggles the Locals window open or closed. If the Local window is closed, WL opens it; and if it is open, WL closes it. If you specify the window-size, the Locals window is resized. If it is closed, WL opens it to the specied size. When the Locals window is closed, the extra screen lines are added to the Command window. When the Locals window is opened, the lines are taken from the other windows in the following order: Command and Code.
Hint:
From within the Locals window, you can expand structures, arrays, and character strings to display their contents. Simply double-click the item you want to expand. Note that expandable items are indicated with a plus mark (+).
Example
If the Locals window is closed, the following example displays the window and sets it to four lines. If the Locals window is open, the example sets it to four lines.
WL 4
See Also
255
SoftICE Commands
WMSG
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
System Information
Syntax
For Windows 3.1 WMSG [partial-name] For Windows 95 and Windows NT WMSG [partial-name| msg-number]
partial-name
Windows message name or the rst few characters of a Windows message name. If multiple Windows messages match the partial-name then all messages that start with the specied characters display. Hexadecimal message number of the message. Only the message that matches the msg-number displays.
msg-number
Use
The following command displays the names and message numbers of Windows messages. It is useful when logging or setting breakpoints on Windows messages with the BMSG command. The following example displays the names and message numbers of all Windows messages that start with "WM_GET".
WMSG wm_get*
Examples
The following example displays the Windows message that has the specied message number, 111.
WMSG 111 0111 WM_Command
256
SoftICE Commands
WR
F2
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Window Control
Syntax Use
WR
The WR command makes the Register window visible if it is not currently visible. If the Register window is currently visible, WR closes the Register window. The Register window displays the 80386 register set and the processor ags. When the Register window is closed, the extra screen lines are added to the Command window. When the Register window is made visible, the lines are taken from the other windows in the following order: Command, Code and Data.
For Windows 95 and Windows NT
The WR command also toggles the visibility of the oating point Register window if one is open.
See Also
257
SoftICE Commands
WS
ALT-S
Window Control
Toggle the call stack window open or closed, and set the size of the stack window.
Syntax
WS [window-size ]
window-size
The number of lines in the SoftIce window assigned to the call stack window.
Use
You can use the arrow keys to select a particular call stack element. When you select a call stack item and press Enter, SoftICE updates the Locals and Code windows to show the selected stack level. You can also click your mouse in the Stack window to set focus, singleclick an item to select it, and double-click an item to update the Locals and Code windows. The following command open the call stack window, if it is closed, and sets its size to 8 lines.
ws 8
Example
See Also
258
SoftICE Commands
WW
Alt-F4
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Window Control
Toggle the Watch window open or closed, and set the size of the Watch window.
Syntax
WW [window-size]
window-size
Decimal number.
Use
If you do not specify the window-size, WW toggles the Watch window open or closed. If the Watch window is closed, WW opens it; and if it is open, WW closes it. If you specify the window-size, the Watch window is resized. If it is closed, WW opens it to the specied size. When the Watch window is closed, the extra screen lines are added to the Command window. When the Watch window is opened, the lines are taken from the other windows in the following order: Command, Code, and Data.
Example
If the Watch window is closed, the following example displays the window and sets it to four lines. If the Watch window is open, this example sets it to four lines.
WW 4
See Also
259
SoftICE Commands
WX
Window Control
Toggle the XMM register window open or closed; and set the display format of the window.
Syntax
WX [F | D | *]
F D *
Display as short real values. Display as dword values. Toggle between dword and real.
Use
On computers using the Pentium III CPU, you can use the WX command to display a window that contains the value of the XMM registers, XMM0 through XMM7. If you use the F option, the register values are displayed as short real values. If you use the D option the values are displayed as dwords. You can use an asterisk (*) to toggle between the short and dword formats. The following example displays the XMM register window. The values are displayed as dwords.
WX d
Example
See Also
260
SoftICE Commands
X
F5
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Flow Control
Syntax Use
The X command exits SoftICE and restores control to the program that was interrupted to bring up SoftICE. The SoftICE screen disappears. If you had set any breakpoints, they become active.
Note:
While in SoftICE, pressing the hot key sequence (default key Ctrl-D) or entering the G command without any parameters is equivalent to entering the X command.
261
SoftICE Commands
XFRAME
System Information
Syntax
except-frame* thread-type
Stack pointer value for an exception frame. Value that SoftICE recognizes as a thread.
Use
Exception frames are created by Microsoft's Structured Exception Handling API (SEH). Handlers are instantiated on the stack, so they are context specic. When an exception handler is installed, information about it is recorded in the current stack frame. This information is referred to as an ExceptionRegistration. The XFRAME command understands this information, and walks backwards through stack frames until it reaches the top-most exception handler. From there it begins displaying each registration record up to the currently active scope. From each registration, it determines if the handler is active or inactive; its associated "global exception handler;" and, if the handler is active, the SEH type: try/ except or try/nally. In the case of active exception handlers, it also displays the exception lter or nally handler address.
Note:
The global exception handler is actually an exception dispatcher that uses information within an exception scope table to determine which, if any, exception handler handles the exception. It also handles other tasks such as global and local unwinds.
You can use the global exception handler, and try/except/nally addresses to trap SEH exceptions by setting breakpoints on appropriate handler addresses. The XFRAME command is context-sensitive, so if you do not specify one of the optional parameters, SoftICE reverts to the context that was active at pop-up time and displays the exception frames for the current thread. When specifying an exception frame pointer as an optional parameter, make sure you are in a context in which the exception frame is valid. For thread-type parameters, SoftICE automatically switches to the correct context for the thread. Below the information for the ExceptionRegistration record, XFRAME lists each active handler for the exception frame. For each active handler, XFRAME displays its type (try/ except or try/nally), the address of its exception lter (for try/except only), and the address of the exception handler. Because exception handlers can be nested, more than one entry may be listed for each ExceptionRegistration record. The XFRAME command displays bare addresses in its output. You can use either the STACK or WHAT commands to determine the API that installed an exception handler.
262
SoftICE Commands
Do not confuse the xScope value with the nesting level of exception handlers. Although these values may appear to have some correlation, the value of xScope is simply an index into a scope table (xTable). The scope table entry contains a link to its parent scope (if any). In the event that a stack frame is not present, the XFRAME will not be able to complete the stack walk.
Output
For each exception frame that is installed, XFRAME displays the following information: xFrame xHandler xTable xScope Address of the ExceptionRegistration. This value is stack based. Address of the global exception handler which dispatches the exception to the appropriate try/except/nally lter/handler. Address of the scope table used by the global exception handler to dispatch exceptions. Index into the xTable for the currently active exception handler. If this value is -1, the exception handler is installed, but is inactive and will not trap an exception.
Example
The following example illustrates the use of the XFRAME command to display information about the exception handler frames for the currently active thread:
XFRAME xFrame -----xHandler -------xTable -----0x606018B8 xScope -----00
0x45FFFDC 0x60639638
263
SoftICE Commands
XG
Symbol/Source
Syntax
XG [r] address
Use
XG does a Go to a specic code address within the back trace history buffer. This command can only be used in trace simulation mode. The R parameter makes XG go backwards within the back trace history buffer. If the specied address is not found within the back trace history buffer, an error displays. The following example makes the instruction at address CS:2FF000h the current instruction in the back trace history buffer.
XG 2ff000
Example
264
SoftICE Commands
XP
Ctrl-F10
Symbol/Source
Syntax Use
XP
The XP command does a program step of the current instruction in the back trace history buffer. It can only be used in trace simulation mode. Use this command to skip over calls to procedures and rep string instructions. The following example does a program step over the current instruction in the back trace history buffer.
XP
Example
265
SoftICE Commands
XRSET
Symbol/Source Command
Syntax Use
XRSET
XRSET clears all information from the back trace history buffer. It can only be used when NOT in trace simulation mode. The following example clears the back trace history buffer.
XRSET
Example
266
SoftICE Commands
XT
Ctrl-F8, XT R Alt-F8
Symbol/Source Command
Syntax
XT [R]
Use
Use the XT command to single step the current instruction in the back trace history buffer. You can only use the XT command in trace simulation mode. This command steps to the next instruction contained in the back trace history buffer. The command XT R single steps backwards within the back trace history buffer. The following example single steps one instruction forward in the back trace history buffer.
XT
Example
267
SoftICE Commands
ZAP
Windows 3.1, Windows 95, Windows 98, Windows NT, Windows 2000
Syntax Use
ZAP
The ZAP command replaces an embedded interrupt 1 or 3 with the appropriate number of NOP instructions. This is useful when the INT 1 or INT 3 is placed in code that is repeatedly executed, and you no longer want SoftICE to pop up. This command works only if the INT 1 or INT 3 instruction is the instruction before the current CS:EIP. The following example replaces the embedded interrupt 1 or interrupt 3 with a NOP instruction.
ZAP
Example
268