Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   SoftICE DEAD? (https://forum.exetools.com/showthread.php?t=9454)

Dinetti 04-13-2006 17:26

SoftICE DEAD?
 
It seems SoftICE is dead forever. Sad but true.

Regards,
Dinetti

Original statement from Compuware

"DriverStudio
As of April 3rd, 2006 the DriverStudio product family has retired. For customer support information please contact our FrontLine website."

DevPartner website with the information above in the right pane.
hxxp://www.compuware.com/products/devpartner/

Blog from Matt Pietrek:
hxxp://blogs.msdn.com/matt_pietrek/archive/2006/04/11/573621.aspx

NeOXOeN 04-13-2006 19:06

Really sad.. it was a really good tool... :(

Like all good stories.. there is always an ending..


bye

dj-siba 04-13-2006 19:40

Seems that a new era is coming...

Unforgiv3N 04-13-2006 20:48

I can't believe it, that was the best kernel mode debugger around :(

Newbie_Cracker 04-13-2006 21:48

Believe it !

If they said that, it's not too strange !

Did you (and we) pay for it? ;)

MarkusO 04-13-2006 21:53

Yes, it's really sad. I already read about it some days ago.

I believe this is one of the first "surprises" we will all get with Windows Vista.

Microsoft will not allow anybody on Vista to load a driver which was not digitally signed by Microsoft, unless you attach the Microsoft Kernel Mode Debugger. So this is the end of SoftICE. Even if SoftICE would use a signed driver, you couldn't debug your own drivers with it, since you would not be using the Microsoft debugger.

This will be also the end of many daily-use applications which need some driver, since driver signing by Microsoft is very expensive and I don't expect Microsoft to drop their prices by 99%.

We will see how our beloved Sysinternals tools will vanish, unpackers and dumpers based on drivers will stop working. They will be followed by really useful programs like CPU-Z and Daemon Tools. Eventually all freeware firewalls and anti-virus applications will die. Finally all paid software using drivers will get more expensive.

Of course there won't be any more "beta" tests for new hardware drivers any more, no more "hacked" video drivers to get the best framerate and visual quality in games. The general driver quality will drop.

And for what? Only to allow companies like Macrovision and Symantec to buy more and more competing companies and let their software die, just because they have the money to pay for Microsoft driver signing while the other companies do not. Finally there will be something like 10 major companies only selling crap software, but nobody can compete with their products, since nobody has the money to pay Microsoft to allow alternative applications to be used.

Maybe some day the driver protection will be cracked, but the software will already have disappeared since they are not allowed to "legally" work on cracked Windows versions.

taos 04-14-2006 00:46

Perhaps then OSes like Linux will be more powerful and companies will change to a free OS. Then M$ drivers will not be necessary and Linux could have ONLY THE BEST from the M$ OS. In future, we will need to ask a question: Why use the M$ OS?
If win32 emulators on Linux will execute the essential apps that you need at work, you don't need M$. Office, CAD, etc... are migrated. A better DirectX emulation will be next, so you don't need Windows to play games. And you don't need defrag, skin soft, extended OS soft, etc... in Linux. It may be that M$ is digging its own tomb, because if you try to close the circle, it breaks, because the world is expanding and people move to where it is easier to be. Maybe I am an optimist.

Human 04-14-2006 03:12

Why do you all cry? Syser looks far more interesting now, you can load and unload it, it's ring0, too bad no config yet, no defining of keys, and no plugins or tools like IceExt. All that was going on with SoftICE lately was making it worse and stripping it of commands that were in earlier versions. I started using it in 1997 and in 10 years they haven't added load or save memory. And paying $4000 for it is just a crime.

Kerlingen 04-14-2006 06:52

Maybe "Syser" is now a good debugger (I don't really like it for various reasons), but as soon as Windows Vista comes out, it will have the same fate as SoftICE: It will be useless since only the Microsoft debugger can load unsigned drivers, just like MarkusO pointed out above.

And you have to understand what SoftICE is designed to be. It is not a cracking tool, it is a professional debugger. Loading and saving memory is nothing which an application of this kind needs to be able to do, since the typical user working with SoftICE is a programmer who has the source code of his own application. Therefore he can always change his source to read/write some memory.

D-Jester 04-14-2006 08:51

Perhaps SoftICE will be continued by the scene.

The general consensus is that its developer won't continue it, but I would guess that people who love it will find a way to modify the final release as they need to continue its use on Vista+

I am not a fan of kernel mode debuggers, running Ring0 for any purpose doesn't appeal to me, most of what I need I find in Ring3.

While I'm a fan of OllyDbg I believe it too has come to an end, I haven't heard anything about any new releases, the site hasn't been updated in nearly a year.

That's my two cents, peace :cool:

taipan 04-14-2006 22:08

Quote:

Originally Posted by MarkusO
Microsoft will not allow anybody on Vista to load a driver which was not digitally signed by Microsoft

Well, then not a week after the first release, several "load your own driver in Vista" how-tos and patches will show up.

Besides, on current Vista betas you can use the Sysinternals tools, and I don't expect many changes in the final version.

I consider this, as a usual MS blahblah...
They're just trying to pressurize the hw manufacturers and driver writers to get even more profit.

taos 04-14-2006 23:57

And you can use a virtual machine with XP to debug your apps in Windows Vista with SoftICE using remote debugging, can't you?

ntwizard 04-15-2006 00:20

"And you can use a virtual machine with XP to debug your apps in Windows Vista with SoftICE using remote debugging, can't you?"


But if one does that, there are more layers to deal with.. both technical and hardware wise..

Besides I heard that M$ has some surprises in store for VMware.. built-in hooks for Virtual PC/Server and of course some "enhanced" extras that one gets when trying to use non-M$ products.. :mad:

taos 04-15-2006 01:17

And there's 1 more affirmation:
If you want to make a ring0 protection, you need a ring0 debugger, so we only need the same debugger that the programmer uses. If someday M$ throws away ALL ring0 debuggers, that day, forget ring0 protections.
If you don't have good ring0 debuggers (the M$ debugger is poor) you will only make simple ring0 drivers.

Human 04-15-2006 03:41

Well, don't forget (good? but not so good) ring0 drivers. Due to its msshit goal, as they stated, they will add a workaround for you on request, probably for some $$$ :)
They want to keep security and control over Vista, and don't let you take over the system.
So there will be 2 ways: a cracked Vista allowing running and installing unsigned drivers, or you will need to contact the msshit support team to request some features in the kernel that you need from ring0 drivers and Vista doesn't have now.

sHice 04-15-2006 06:49

You will be allowed to start unsigned drivers on Windows Vista according to http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/x64KMSigning.doc
There's a discussion about it on woodmann http://www.woodmann.net/forum/showthread.php?t=7748&highlight=vista
But nevertheless drivers in freeware apps will become a problem if they are not signed, because the average user won't boot with F8 to use these apps.

ricnar456 04-15-2006 08:23

This is an Oleh mail (the OllyDbg author).

This mail was written 10/04/06 by Oleh:

v1.x is closed. V2.0 is under development, but advances slowly. But, earlier or later, it will be released.

Sincerely,

Olly

Ricardo Narvaja
PS: And it is bad news that SoftICE is dead, but it will be the time of all-ring3 packers. Look at the new Themida, all ring3 and not ring0 any more, for the same reason. I think it will be better for security; for me it is bad that any program can run drivers on your machine freely.

taos 04-15-2006 17:15

Uhmmm! Good news about OLLY. To my mind come some Ring0 protections... STARFORCE & ILOK from PACE (a lot of audio plugins on the NET are protected with it) :rolleyes: .
Will there be 2 ways? Rich & poor protections... So the rich will use Ring0 and the rest Ring3?
I think like you that it's time for Ring3, but on the other side I don't believe that SF & ILOK will migrate to it. We must wait!

MarkusO 04-15-2006 19:29

Only allowing "signed by Microsoft" drivers is not the only problem which we will have to face on Windows Vista. Even when only debugging your own Ring3 applications, a Ring0 Debugger has some advanced features which are not available in Ring3.

Quote from Microsoft on the topic "patch protection" (implemented in Win2003 x64 and Vista x86/x64):
Quote:

Q. What happens if an application or driver attempts to patch the kernel on a system that supports patch protection?
A. If the operating system detects an application or driver that patches the kernel, it generates a bug check and shuts down the system. Modifications that trigger this behavior are:
- Modifying system service tables
- Modifying the interrupt descriptor table (IDT)
- Modifying the global descriptor table (GDT)
- Using kernel stacks that are not allocated by the kernel
- Patching any part of the kernel (detected on AMD64-based systems only)

Over time, patch protection will be extended to protect additional kernel resources.

IDT protection, for example, prevents anybody from using hardware breakpoints (since INT 01 can't be "hooked" any more).

sHice 04-15-2006 21:14

Kayaker posted a link on woodmann to an article which describes the PatchGuard protection in detail. It also gives working sample code on how to bypass it. PatchGuard is only a software-based protection, so bypassing it won't be a big problem for the RCE community. I don't expect M$ to improve on it if it is broken; I think they only want the average user to be protected from rootkits and the like. Here's the article http://uninformed.org/index.cgi?v=3&a=3&t=sumry

Human 04-17-2006 05:25

Don't worry, it will be improved with the next CPUs, like AMD64; Intel will also add hardware guards. But every guard can be switched, unguarded and fooled. Well, for me I think the best way of protection will be a one-time hardware guard setting at boot. Why? Because when Vista patches, nobody has the rights to do it again till the next boot; if StarForce takes control of it at boot, then Vista will not load. And I doubt someone will buy games with that crap.

JCB 04-18-2006 07:33

Also remember that more motherboards are introducing Trusted platform chips (Think about Palladium which is part of Vista) It will really make it difficult to run applications that are not "authorized" on your PC if you decide to use Vista and you have the hardware to enforce the protection. Currently everything I have seen so far you can disable but who knows how long that will last.

taos 04-18-2006 08:42

Quote:

Originally Posted by JCB
Also remember that more motherboards are introducing Trusted platform chips (Think about Palladium which is part of Vista) It will really make it difficult to run applications that are not "authorized" on your PC if you decide to use Vista and you have the hardware to enforce the protection. Currently everything I have seen so far you can disable but who knows how long that will last.

This will be enable/disable like the Pentium serial number, because you can put a demand on the hardware factory because they can fail (with other OSes for example) :D

Trusted HW with trusted soft, it sounds like the iPod or PSP protection and you know what the result is... ;)

BTW:

M$ informs that the need to use signed drivers IS ONLY FOR the 64-bit version. Maybe for stability.

Link:
hxxp://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/DrvCompat_Vista.doc


• Digital signatures are required for 64-bit kernel-mode drivers. Signed catalog (.cat) files are required for all kernel-mode packages that are to be installed on the 64-bit editions of Windows Vista. This applies to any software module that loads in kernel mode, including device drivers, filter drivers, and kernel services. The operating system does not load unsigned kernel modules that lack a signed catalog file.
There are two ways to obtain an appropriately signed catalog file:
• Obtain a Windows Vista logo. Drivers that pass Windows Hardware Quality Lab (WHQL) testing receive a catalog file that is signed with the WHQL certificate.
• Obtain a publisher identity certificate (PIC) and use the PIC to sign the package's catalog file. To obtain a PIC, a publisher must first obtain a VeriSign Class 3 Commercial Software Publisher Certificate and then use that certificate to obtain a PIC from Microsoft that can be used to sign kernel-mode modules intended for 64-bit Windows Vista.
For boot drivers, hardware manufacturers must also use a PIC to embed a signature in the driver binaries. This requirement applies to CD-ROM and disk drivers, ATA/ATAPI controllers, mouse and other pointing devices, SCSI and RAID controllers, and system devices.
Solution: Sign all catalog files for 64-bit drivers by using a PIC or get a WHQL-signed catalog file by obtaining a Windows Vista logo. Sign boot driver binaries by using a PIC.
For more information, see the white paper titled "Digital Signatures for Kernel Modules on x64-based Systems Running Windows Vista."

peleon 04-18-2006 13:11

taos, thanks for the information. I thought it applied to the 32- and 64-bit versions, but it looks like it is only for 64 bits.

Anyway, no words to describe my feelings about SoftICE is dead...how many lovely nights I have been with "him" :)

MarcElBichon 04-19-2006 08:06

In 0day :
Compuware.DriverStudio.v3.2-Lz0 (Dupe)
Compuware.DevPartner64.v1.0.1-Lz0

I can't up on FTP today, sorry :o

taos 04-21-2006 04:51

I don't understand you, the 3.2 version is old, why in 0day?
Can you post the nfo file?

deroko 04-21-2006 06:39

It is sad to hear such news about SoftICE, and this thing with signed drivers makes me more unhappy :(

baatazu 04-21-2006 19:44

Hello guys,

1. All drivers can be signed as long as they don't contain hooking of functions. Only a certification is required (from $99-$400/year depending on the provider).
2. Hooking of functions is allowed in some cases, for example if the software is antivirus, firewall or any other security-related product. Requirement: hooking must not slow down system performance. (How the certified Norton driver turns my PC into a 486 is a mystery.)
3. In Windows Vista, by default, unsigned drivers cannot be installed. Why? Because in Vista Microsoft introduces a new technology so that normal non-admin users will be able to install programs. Those programs may install system-wide elements such as drivers. That's why the system is restricted.
4. Windows Vista will have an option in the Administration Panel (Local Security Panel) that will allow the administrator to DISABLE this rule. Then all drivers can be installed freely, signed and unsigned.
5. Since all security policy elements are registry keys, developers will be able to programmatically disable this restriction, ask for a reboot and then install the driver.

Generally, this is survivable for legitimate developers (to install unsigned drivers) BUT it will kick out those transparent driver installations (i.e. rootkits). This is what Microsoft wants to defeat.

Hope that helps!
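Since both the quoted Microsoft document and the post above concern which kernel modules a host will actually load and whether the signing requirement has been relaxed, here is an added example (not from this thread, not Microsoft's code) that audits a Windows host from the defender's side: it lists the running kernel-mode drivers with their Authenticode/catalog signature status and reports whether boot-time test signing is on. It assumes PowerShell 5.1 or later on Windows 8 or newer (where Get-AuthenticodeSignature resolves catalog signatures) and an elevated prompt for bcdedit.

```powershell
# Added example: audit signature status of running kernel-mode drivers and
# check whether the boot configuration allows unsigned (test-signed) drivers.
# Assumes an elevated PowerShell 5.1+ session on Windows 8 or later.

function Get-RunningDriverSignatureReport {
    # Win32_SystemDriver exposes each kernel-mode driver and its on-disk image.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        # Normalise the kernel-style prefixes (\??\ and \SystemRoot\) to a Win32 path.
        $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Name = $d.Name; Path = $path; Status = 'FileNotFound'; Signer = $null }
            continue
        }
        # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
        # Catalog-signed drivers (the .cat case from the Microsoft document) resolve to Valid.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Name   = $d.Name
            Path   = $path
            Status = $sig.Status
            Signer = $sig.SignerCertificate.Subject
        }
    }
}

function Test-TestSigningEnabled {
    # bcdedit prints a "testsigning Yes" line when unsigned drivers may load.
    $out = & bcdedit.exe /enum '{current}' 2>$null
    return [bool]($out -match '^\s*testsigning\s+Yes')
}

# Anything that is not Valid deserves a closer look on a production host.
$report = Get-RunningDriverSignatureReport
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table Name, Status, Path -AutoSize
"Test-signing enabled: $(Test-TestSigningEnabled)"
```

On a healthy 64-bit host the non-Valid list should be empty and test signing should be off; a `NotSigned` entry or `testsigning Yes` is exactly the relaxed state the posts above discuss.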

