icedump and nticedump history
-----------------------------

------------------------------------------
icedump 6.026 & nticedump 1.14 2002/09/09
------------------------------------------
icedump:
- DDB declaration syntax is now per the MS DDK
- every VxD was properly protected but icedump itself, bummer
- fixed all makefiles referring to tools
- fixed page fault checks in PROTECT (thanks EliCZ)
- fixed bug in resource rebuilding (G-RoM)
- added PBPM (^DAEMON^)
- support for 4.2.7 build 562 (released in DriverStudio 2.7 final)
nticedump:
- support for 4.2.7 build 562 (released in DriverStudio 2.7 final)

------------------------------------------
icedump 6.025 & nticedump 1.13 2001/12/12
------------------------------------------
icedump:
- hook the double fault handler and make it an interrupt gate
- support for 4.2.5 build 824 (released in DriverStudio 2.5 final)
- fixed unhooking _GetVxDName (thanks dEZZY)
- support for 4.2.6 build 922 (released in DriverStudio 2.6 final)
nticedump:
- support for 4.2.5 build 824 (released in DriverStudio 2.5 final)
- support for 4.2.6 build 922 (released in DriverStudio 2.6 final)

------------------------------------------
icedump 6.024 & nticedump 1.12 2001/11/11
------------------------------------------
icedump:
- Phoenix reports unresolved IAT slots in import rebuilding modes 3 and 4,
  they will have to be resolved manually (G-RoM)
- fixed all command parsers that trashed client registers before evaluating
  all arguments (igNorAMUS)
- moved tools/inc to common/inc
- PEDUMP tries to automatically handle a trashed header (G-RoM)
- added long overdue 'icebp' and 'int 01' emulation to the tracer
- added Hydra plugin for telock and pcguard(?) (G-RoM), read the code for
  some important comments
- moved w9x/hydra/example/thunk to w9x/hydra/example/unwrap
- export renormalization should work on win95 as well (G-RoM)
nticedump:
- support for 4.2.5 build 785 (released in DriverStudio 2.5 RC1)
  this is an exception to the rule (no support for beta stuff), but since
  nothing else works with the last XP candidates...

------------------------------------------
icedump 6.023 & nticedump 1.11 2001/04/15
------------------------------------------
icedump:
- PEDUMP can coagulate rsrc and has better compatibility (G-RoM)
- PROTECT hides REGMON and FILEMON VxDs as well (hint from Blackbird)
- tracer emulates a VTD service
- G-RoM fixed an obscure bug in the import rebuilder (thanks to LordByte ;-)
- better export renormalization, looks more and more like voodoo magic
- support for 4.2.1 build 53 (released in DriverStudio 2.0.1 final)
nticedump:
- support for 4.2.1 build 53 (released in DriverStudio 2.0.1 final)

------------------------------------------
icedump 6.022 & nticedump 1.10 2001/02/11
------------------------------------------
icedump:
- all relevant interrupts are hooked (thanks risc), offset screwups also
  fixed (big thanks to SV)
- better kernel32 exports normalization method and also fixed an obscure bug
  in it (thanks The Source)
- fixed a bug in EliminateFirst (thanks EliCZ)
- PROTECT works properly with file system drivers that present lower case
  file names to DOS (thanks EliCZ)
- removed IMPORTS since it was obsoleted by Hydra
- added an option to PEDUMP to select IAT scanner range (G-RoM)
- PROTECT hooks VMM_GetVxDLocationList (thanks risc)
- fixed all %ifdef trees... eg. GetVideoMem was wrong for 3.22/3.23
- fixed GetLenAndAddr (forgot about the immediate argument while parsing
  SIB... unbelievable)
- winice breakpoints are disabled while icedump loads/unloads
- added user32, advapi32 and gdi32 exports normalization, PEDUMPed files
  will work even better under NT/2000 ;-) (G-RoM)
- export renormalization will NOT be undone when icedump is unloaded
- Updated Hydra documentation (G-RoM)
- Upgraded Hydra plugin loader (G-RoM)
- fixed and synchronized some PEDUMP OPTIONs
- G-RoM fixed a buffer overflow in Phoenix (thanks Lordbyte)
- Added FDUMP (aka Ymir) command: read documentation carefully (G-RoM)
- Enhanced Ymir: filters out heaps, stack, and environment vars.
- fixed a tracer bug, eg. it will no longer lose control over the trap flag
  when winmm.dll is imported from

------------------------------------------
icedump 6.021 & nticedump 1.10 2000/12/04
------------------------------------------
icedump:
- added an option to PEDUMP to select between two IAT scanners (G-RoM)
- added HASPCODE (thanks CrackZ)
- small fix in import rebuild mode 2 (G-RoM)
- fixed DUMP/LOAD, non-committed pages in the memory range will not cause
  oversized files any longer
- added kernel32 exports normalization, PEDUMPed files will work under
  NT/2000 as well (G-RoM)

------------------------------------------
icedump 6.020 & nticedump 1.10 2000/11/11
------------------------------------------
icedump:
- fixed a small bug in Hydra affecting UnwrapThunk callbacks, added better
  support for API wrappers like aspack, peshield (G-RoM)
- added vbox 4.30 unwrapper plugin (G-RoM)
- PROTECT hooks VXDLDR_UnloadDevice too (thanks the Egoiste)
- PROTECT checks SIWDEBUG VxD ID too
- added CLIP (igNorAMUS)
- support for 4.0.5 build 526 (released in DriverStudio 2.0 final)
- support for 4.0.5 build 334 (released in DriverStudio 1.5 final)
  please note that it is essentially the same as build 316, so the same
  icedump.exe will work for both
- fixed wme issue (R3TCB.TDBX has changed)
nticedump:
- support for 4.0.5 build 526 (released in DriverStudio 2.0 final)

-----------------------------------------
icedump 6.019 & nticedump 1.9 2000/09/09
-----------------------------------------
icedump:
- added RDMSR and WRMSR
- fixed lookup for VWIN32_W32_SuspendThread/VWIN32_W32_ResumeThread,
  SUSPEND/SUSPENDX/RESUME should work now (broken since 6.016)
- tracer emulates RDTSC and Windows NT (simulates win32 selectors, will fool
  some schemes that would otherwise play some nasty win9x tricks. of course
  it is optional, turned off by default)
- fixed tracer initialization, could cause page faults while loading icedump
  (thanks Topi)
- added score system to TETRIS, but damn i shall be if i ever do the
  challenge mode ;-)
- added anti detection/self-defense code
- some code cleanup in taskmod
- tracer does not log control flow above 0x80000000
- BREAKR3 can break into V86 mode threads, any number of attempts can be in
  progress (maintains per thread context info)
- changed IRETD emulation in tracer, should no longer cause unhandled int01
  exceptions (hidden bug surfaced after fixing another one ;-)
- commands using the callback mechanism reinforce the original int3 handler
  temporarily
- added PROTECT to detect illegal accesses to GDT/IDT/LDT and ring-0 entry
  attempts. turned off by default, pops up winice when on and something is
  about to happen
- added G-RoM's plugin system (Hydra) to PEDUMP together with HYDRA which
  specifies the plugin to be used during imports rebuilding (including the
  new mode 4). see plugin SDK for more info (w9x/hydra)
- added ALLOC, FREE (supported for win32 clients only)
- fixed TRACE parameter handling (byte vs. dword compare)
- tracer emulates kernel32.getlocaltime and mmsystem.timegettime
- fixed inconsistency between SeekFile32 and other code that used it
- tracer handles all sorts of debug exceptions (DRx hits, etc)
- fixed bug in IsBadPtr, affected (badly) PEDUMP in import rebuilding
- tracer ignores nested execution blocks, fixes some problems (thanks Lord
  Crass for a test case ;-)

-----------------------------------------
icedump 6.018 & nticedump 1.9 2000/08/03
-----------------------------------------
icedump:
- fixed TETRIS, last column was ignored in CompactLines, also changed some
  colors, should show better in text modes
- fixed GetVideoMem for 3.22-3.24, crashed SCREENDUMP/TETRIS... (thanks
  spath, and sorry for the reboots ;-)
- fixed bugs with _HeapAllocate, forgot to test eax... thanks iceman
- fixed PEDUMP bugs
nticedump:
- added L (file load)

-----------------------------------------
icedump 6.017 & nticedump 1.8 2000/07/23
-----------------------------------------
iceload:
- added keyboard accelerators (thanks muffin/the rain)
icedump:
- bugfix in GetModuleHandle, import rebuild mode 1 works now
- simpler GetCurrentProcessID and OpenFile32
- improved IMPORTS (uses the callback, can touch paged out memory)
- handlers of hooked interrupts have default offset diffs
- int41 is hooked
- fixed inconsistencies between doc/code in 'OPTION T' (same/child process
  tracing flags were wrongly documented, thanks eternal bliss)
- CD cannot be invoked from a ring-0 client, parser checks for this
- thanks to fossil, the stupid LE page size has been optimized resulting in
  smaller executables... wtf i was thinking back then remains a mystery ;-)
- fixed MP3, there was a resource contention problem, it's far from being
  perfect (it could still lock up) but should work most of the time, also
  Yoga behaves better and more consistently
- SCREENDUMP should work for 3.22-3.24 now, NuMega has the same habit of
  changing their own spec as MS... okay, it ain't public, but still
- make generates/uses proper dependencies
- PEDUMP has a new option, can recompute the imagesize
- fixed BHRAMA, forgot to skip over whitespace before the window name
  (thanks exit)
- added TETRIS
nticedump:
- fixed doc stating that 16 bit modes (PM/V86) were not supported, of
  course they are

-----------------------------------------
icedump 6.016 & nticedump 1.8 2000/04/27
-----------------------------------------
iceload:
- several new features in the GUI part, like export loading, command line
  parameter passing to loaded exe, history file saving, you can probably
  dump loader32 now ;-)
icedump:
- new parser, requires a leading '/' and full words (instead of '/'
  anything that would normally print an 'invalid command' message can be
  used, '/' is just a suggestion, as per IRC standard ;-)
- changed OPTION syntax for certain flags, read the source or TFM
- added TRACE, TRACEX
- added BREAKR3
- added .EPS output for SCREENDUMP (ignoramus)
- removed EFLAGS, served no purpose anyway
- some fixes regarding exception handling and file i/o share modes
- fixed problem with looking up kernel32!ord_0017, thanks muffin
- fixed callback when called from ring-0
nticedump:
- fixed a bug in ntid.exe, luckily didn't really affect functionality
  (thanks to staier who noticed it)
- added PM-16 and V86 mode support for dumper

-----------------------------------------
icedump 6.015 & nticedump 1.7 2000/03/15
-----------------------------------------
icedump:
- Phoenix: import caving implemented (G-RoM), also several bugfixes
- added iceload, easy way of loading a PE DLL and breaking on its entry
  point, it requires nmtrans.dll which should NOT be patched the way as it
  was suggested here previously, read its source code and doc for more
  details
- kernel32 locking disabled, seems to do nothing good, VMM doesn't even let
  one lock the whole thing...
- added debug flag system (as in the NT kernel), by default all messages
  are disabled, flags are at sdata+DebugFlags

-----------------------------------------
icedump 6.014 & nticedump 1.7 2000/03/01
-----------------------------------------
icedump:
- updated LaTeX support for 'N' (Ghiri, igNorAMUS)
nticedump:
- fixed 'B', damn, how could i forget to skip over the whitespace before
  the window name...

-----------------------------------------
icedump 6.013 & nticedump 1.6 2000/02/29
-----------------------------------------
icedump:
- fixed IDT patching, now counting PM APPs in a VM myself, VMM doesn't play
  fair since it gets one more (last) chance to react on a SysCtrl
- fixed winice bug where 'break on load' would not if the win32 module had
  a non-executable first section (nmtrans/winice conspiracy)
- kernel32 is locked into physical memory while icedump is loaded
  this ensures that we can poke inside it while in winice context (might be
  unnecessary, but we do it just in case ;-)
- enhanced 'N' to dump to LaTeX format (Ghiri)
- finished ring-0 support code for Phoenix
- added 'T' for true process dumping, uses G-RoM's Phoenix engine, this is
  one of the most significant additions to icedump yet, thanks man ;-)
  (and please don't ask for the source code, it's his)
- added 'O T' to set some flags for the above (G-RoM)
nticedump:
- support for 4.0.5 build 334 (released in DriverStudio 1.5)
  as a general suggestion everyone should move to 4.x 'cos the next major
  version won't have any support for 3.x
- added 'B' (Bhrama support) but unfortunately the whole scheme just
  doesn't work under NT, wait for Phoenix to be ported instead (and feel
  free to fix Bhrama and nticedump to get it to work)

-----------------------------------------
icedump 6.012 & nticedump 1.5 2000/02/19
-----------------------------------------
icedump:
- added some ring-0 support code for G-RoM's procdump engine (Phoenix)
- fixed VMP3D initialization bug when VDSPD fails to load
- added 'K', kills non-current process, not thread
- fixed IDT/INTx patching (done in each VM now)
- added fossil's import rebuilder ('I' subcommand)
- added G-RoM's 'O B' for setting some Bhrama related options
- support for 4.0.5 build 316 (released in DriverStudio 1.5)
  note that apparently there are (at least) two different releases of 4.01
  floating around, unfortunately we support the older (and apparently beta)
  one only... so far very few people experienced the problem (the version
  detection is fooled and results in v4.00 being loaded and eventually a
  crash when you try to use it), so there are no plans for support.
nticedump:
- correct version is 1.5, i.e. no updates since its first release as it
  undergoes a major rewrite as well: win2k support, .sys format, new
  subcommands (did i hear mp3? ;-)

-----------------------------------------
icedump 6.011 & nticedump 1.5 2000/01/26
-----------------------------------------
icedump:
- finally ;-) fixed mp3 crashes, how could i forget about that each VM had
  its own V86 and PM IDTs... int1/3/4/5 hooking is crap as well, will be
  fixed later
- updated winddk.inc, it still could have extra (erroneous) service entries
  for VxDs whose original definition contained ifdefs, didn't bother to
  check them all, at least VMM, VPICD and SHELL should be ok

-----------------------------------------
icedump 6.010 & nticedump 1.5 2000/01/22
-----------------------------------------
icedump:
- added mp3 player control
- fixed callbacks (save EFLAGS now, important for ring-0 clients)
- got rid of the semaphore in vmp3d and some stuff, quote of the day:
  is *any* of my code left in vmp3d ? =))
- hopefully fixed crashes under win9x versions supporting WDM and the IRQL
  concept (that means VMM version 0x403 and above).

-----------------------------------------
icedump 6.009 & nticedump 1.5 2000/01/18
-----------------------------------------
icedump:
- fixed mp3 VxDs, finally... control from icedump is still pending though
- new vmm/vxd macros (fossil)

-----------------------------------------
icedump 6.008 & nticedump 1.5 2000/01/16
-----------------------------------------
icedump:
- added fossil's VxD based mp3 player (ported it to nasm), it doesn't work
  though for now, so don't use it

-----------------------------------------
icedump 6.007 & nticedump 1.5 2000/01/13
-----------------------------------------
icedump:
- fixed default file name handling ('O','D','N'), WIAT again...
- debug builds can be made by adding DEBUG=1 to the make command line
  (default value is 0)
- define MY_WINICE in the makefile and 'make loadsym' to load symbols
- fixed delegating the soundcard irq to winice based on the wrong flag
  still, windows hangs sometimes (but the mp3 song does not stop ;-)

-----------------------------------------
icedump 6.006 & nticedump 1.5 2000/01/11
-----------------------------------------
icedump:
- fixed 'N', blame it on WIAT again ;-)

-----------------------------------------
icedump 6.005 & nticedump 1.5 2000/01/10
-----------------------------------------
icedump:
- fixed callbacks again (gotta get used to WIAT ;-)
- fixed 3.24/3.25 crashes

-----------------------------------------
icedump 6.004 & nticedump 1.5 2000/01/10
-----------------------------------------
icedump:
- mp3 playing inside winice works now, thanks Domnar
- added Winice Import Address Table -> cleaner code

-----------------------------------------
icedump 6.003 & nticedump 1.5 2000/01/10
-----------------------------------------
icedump:
- first shot at getting fossil's mp3 player to work inside winice

-----------------------------------------
icedump 6.002 & nticedump 1.5 2000/01/09
-----------------------------------------
icedump:
- workaround for a damn nasm bug, callbacks should work now
- fixed SaveRegs/RestoreRegs, my mistake ;-)

-----------------------------------------
icedump 6.001 & nticedump 1.5 2000/01/06
-----------------------------------------
icedump:
- it's a dynamic VxD now, icedump.exe loads itself
- dropped 'U' (the VxD loading mechanism takes care of it)
- fixed html screendump (hopefully)

--------------------------------------
icedump 5.18 & nticedump 1.5 xx/xx/xx
!was not released!
--------------------------------------
- fixed patcher.bat (out of environment space)
icedump:
- some cosmetic changes

--------------------------------------
icedump 5.17 & nticedump 1.5 99/09/29
--------------------------------------
- new history format: separated win9x and nt stuff
- patcher.bat supports both icedump and nticedump
nticedump:
- added g-rom's patcher
- fixed command line parser
- fixed one damn offset for v3.24, thanks Krk
- fixed bug affecting v3.22 and v3.23 when used in boot mode
- added support for v3.22 (pGetIrqlLevel) handcoded

------------------------
icedump 5.16 99/09/17
------------------------
- added nticedump (thanks Ice ;-), right now 'D' is supported
  note that ntice v3.22 is NOT supported since it lacks one important
  function we need... perhaps next time we will add our own version ;-)

------------------------
icedump 5.15 99/09/15
------------------------
- added patcher.bat by the rain, makes applying the patch even easier
- added support for winice v4.01
- .inc files for winice are automatically generated from the IDBs

------------------------
icedump 5.14 99/09/09
------------------------
- minor updates to 'C', 'U' (by fOSSiL)
- sdc.exe updated (cosmetic change in HTML output ;-)
- fixed 'F', thanks to fOSSiL for pointing out the now obvious ;-)

------------------------
icedump 5.13 99/08/29
------------------------
- help prints version info as well
- added offsets for 3.23-4.00 to support 'F'
- fixed 'F', winice uses the per thread FPU state info managed by VMCPD and
  doesn't directly read the FPU...
- 'F' cannot parse negative numbers for some reason, will be fixed...

------------------------
icedump 5.12 99/08/26
------------------------
- another damned build of kernel32 (hi Lorian ;-), another fix for the
  runtime detector, if you have build 1111 of win9x, this fix is probably
  for you
- finished 'F'
- finished 'U'
- finished 'C'
- put off 'K' due to difficulties, feel free to contribute your solution
- new patcher to support 'U', older 'icedump' images are NO longer
  supported!
- source code rearranged for easier maintainability

------------------------
icedump 5.11 99/08/19
------------------------
- hopefully synchronised patcher and new header format. new header subject
  to owl approval (header size increased for sake of readability - but size
  increase is not passed into WINICE.EXE so is not really a bad thing)
- i've included the new patcher with this. but it hasn't been tested so use
  at your own risk for now ;) it should be noted that the old patcher won't
  handle any of the new versions which separate 'Init' into 'Init' and
  'Static Part'. Also, new patcher is not yet backwards compatible (and may
  never be)

------------------------
icedump 5.10 99/08/02
------------------------
- merged fossil's and ghiri's update to 'O', 'N' and 'D'
  read the doc and the code for details
- finished 'L'

------------------------
icedump 5.9g6 99/08/01
------------------------
- HTML credit line fixed again
- html directory nuked

------------------------
icedump 5.9g5 99/08/01
------------------------
- more doc updates
- HTML credit line fixed ;)

------------------------
icedump 5.9g4 99/07/31
------------------------
- minor doc update

------------------------
icedump 5.9g3 99/07/31
------------------------
- memdump autolength feature scrapped
- O subcommand complete, unless somebody needs OptLx control

------------------------
icedump 5.9g2 99/07/31
------------------------
- added auto filename option for memdump command
- removed some commented out debug code
- commented out a redundant 'end:' label

------------------------
icedump 5.9g 99/07/31
------------------------
- screendump options (O N subcommands) implemented and documented
- various screendump labels/vars that were made global have been made local
  again

------------------------
icedump 5.9 99/07/30
------------------------
- fuck microsoft which changes just about every damned structure in each
  build
  the runtime detection code now also detects the vwin32 win32 API IDs...
  anyway fossil, you have a god damned build ;-)

------------------------
icedump 5.8 99/07/29
------------------------
- bugfixes (forgot to save/restore some registers ;-)
- added runtime determination of kernel32 structure offsets and object IDs

------------------------
icedump 5.7 99/07/29
------------------------
- merged Fossil's updated html code, not tested
- merged Ghiri's updated 'N' parser code, not tested
- merged Ghiri's 'O' command, no idea if it works at all ;-)
- finished 'P', not tested

------------------------
Icedump 56g2 26/07/99
------------------------
- Screendump 'expert mode' added (this will be renamed to Auto-mode when I
  next change it).
- Options for screendump expert mode and dump number added (filename base
  yet to be implemented).
- I'm assuming the '.' before labels makes the label local. I had to make a
  few of the labels global. Namely: EmodeFileName, EmodeExtPtr, Emode and
  mode2_html
- I plan to finish the screendump options and add auto-mode for normal file
  dumping. Also, perhaps options for the Procdump OptLx registers.

------------------------
Icedump 56g 26/07/99
------------------------
- history.txt added (this file)
- faq.txt added (FAQ regarding installation, probs etc.) this will
  hopefully reduce the number of support emails sent to the BETA team.
- Options subcommand added (skeletal implementation so far) - will
  eventually be used to control screendump options and can be used to
  modify other icedump internal options.

------------------------
Icedump 56 26/07/99
------------------------
- New thread code written (see X subcommand in docs)
- New F subcommand to alter Eflags (only TRAP at the moment and it doesn't
  seem to work anyway :)
- Pagein H subcommand changed to just PAGEIN
- Int4 and Int5 handlers also redirected
- Note: L subcommand added to parser and help but not yet implemented!
  Confusing? Heh, not as bad as my mode1 label - got both Owl and fossil
  with that ;) Perhaps we should stop doing this to each other ;)

------------------------
Icedump 55g 23/07/99
------------------------
- Bhrama stuff done and subcommand is 'b' not 'p'
- Suspend/Resume stuff is working on some platforms but is still
  experimental
  Note: you cannot suspend current thread!
- Mode 0 and 1 of screendump is complete and mode 2 is mostly complete
  Yet to be done:
  - fixing encoding for '<' to &lt; so that '<' chars in the dump do not
    screw up HTML code.
  - standalone HTML converter (possibly unified RAW to TXT/HTML converter)
  - Opera fix (probably will be implemented as optional code requiring
    recompile)
- Included 'patch' for IDT delta offset trick for SoftICE detection with
  Int1 and Int3 handlers