SoftIce 3.0 Quick Reference.....                     By ZeroDay [Feb 07 1997]
==============================================================================
                              SOFTICE COMMANDS
==============================================================================

SETTING BREAKPOINTS:
BPM       Breakpoint on memory access
BPMB      Breakpoint on memory access
BPMW      Breakpoint on memory access
BPMD      Breakpoint on memory access
BPR       Breakpoint on memory range
BPIO      Breakpoint on I/O port access
BPINT     Breakpoint on interrupt
BPX       Breakpoint on execution
BMSG      Breakpoint on windows message
BSTAT     Breakpoint statistics
CSIP      Set CS:EIP range qualifier

MANIPULATING BREAKPOINTS:
BPE       Edit breakpoint
BPT       Use breakpoint as a template
BL        List current breakpoints
BC        Clear breakpoint
BD        Disable breakpoint
BE        Enable breakpoint
BH        Breakpoint history

DISPLAY/CHANGE MEMORY:
R         Display/change register contents
U         Un-assemble instructions
D         Display memory
DB        Display memory
DW        Display memory
DD        Display memory
DS        Display memory
DL        Display memory
DT        Display memory
E         Edit memory
EB        Edit memory
EW        Edit memory
ED        Edit memory
ES        Edit memory
EL        Edit memory
ET        Edit memory
PEEK      Read from physical address
POKE      Write to physical address
H         Help on specified function
?         Evaluate expression
VER       SoftIce version
WATCH     Add watch
FORMAT    Change format of data window
DATA      Change data window

DISPLAY SYSTEM INFORMATION:
GDT       Display global descriptor table
LDT       Display local descriptor table
IDT       Display interrupt descriptor table
TSS       Display task state segment
CPU       Display CPU register information
PCI       Display PCI device information
MOD       Display windows module list
HEAP      Display windows global heap
LHEAP     Display windows local heap
VXD       Display windows VxD map
TASK      Display windows task list
VCALL     Display VxD calls
WMSG      Display windows messages
PAGE      Display page table information
PHYS      Display all virtual addresses for physical address
STACK     Display call stack
XFRAME    Display active exception frames
MAPV86    Display v86 memory map
HWND      Display window handle information
CLASS     Display window class information
VM        Display virtual machine information
THREAD    Display thread information
ADDR      Display/change address contents
MAP32     Display 32bit section map
PROC      Display process information
QUERY     Display processes virtual address space map
WHAT      Identify the type of expression

I/O PORT COMMANDS:
I         Input data from i/o port
IB        Input data from i/o port
IW        Input data from i/o port
ID        Input data from i/o port
O         Output data to i/o port
OB        Output data to i/o port
OW        Output data to i/o port
OD        Output data to i/o port

FLOW CONTROL COMMANDS:
X         Return to host debugger or program
G         Go to address
T         Single step one instruction
P         Step skipping calls, Int, etc
HERE      Go to current cursor line
EXIT      Force an exit to current dos/windows program
GENINT    Generate an interrupt
HBOOT     System boot (total reset)

MODE CONTROL:
I1HERE    Direct INT1 to SoftIce
I3HERE    Direct INT3 to SoftIce
ZAP       Zap embedded INT1 or INT3
FAULTS    Enable/disable SoftIce fault trapping
SET       Change an internal variable

CUSTOMIZATION COMMANDS:
PAUSE     Control display scroll mode
ALTKEY    Set key sequence to invoke window
FKEY      Display/Set function keys
DEX       Display/assign window data expression
CODE      Display instruction bytes in code window
COLOR     Display/set screen colors
ANSWER    Auto-answer and redirect console to modem
DIAL      Redirect console to modem
SERIAL    Redirect console
TABS      Set/Display tab settings
LINES     Set/display number of lines on screen
PRN       Set printer output port
MACRO     Define a named macro command

UTILITY COMMANDS:
A         Assemble code
S         Search for data
F         Fill memory with data
M         Move data
C         Compare two data blocks

WINDOW COMMANDS:
WC        Toggle code window
WD        Toggle data window
WF        Toggle floating point stack window
WL        Toggle locals window
WR        Toggle register window
WW        Toggle watch window
EC        Enable/disable code window
.         Locate current instruction

WINDOW CONTROL:
CLS       Clear window
RS        Restore program screen
ALTSCR    Change to alternate display
FLASH     Restore screen during P and T

SYMBOL/SOURCE COMMANDS:
SYMLOC    Relocate symbol base
EXP       Display export symbols
SRC       Toggle between source, mixed & code
TABLE     Select/remove symbol table
FILE      Change/display current source file
SS        Search source module for string
TYPES     List all types, or display type definition
LOCALS    Display locals currently in scope

BACK TRACE COMMANDS:
SHOW      Display from backtrace buffer
TRACE     Enter backtrace simulation mode
XT        Step in trace simulation mode
XP        Program step in trace simulation mode
XG        Go to address in trace simulation mode
XRSET     Reset backtrace history buffer

SPECIAL OPERATORS:
.         Preceding a decimal number specifies a line number
$         Preceding an address specifies SEGMENT addressing
#         Preceding an address specifies SELECTOR addressing
@         Preceding an address specifies indirection

LINE EDITOR KEY USAGE:
[PRINT-SCREEN]    Dump screen to printer
[UP ARROW]        Recall previous command line
[DOWN ARROW]      Recall next command line
[RIGHT ARROW]     Move cursor right
[LEFT ARROW]      Move cursor left
[BACKSPACE]       Back over last character
[HOME]            Start of line
[END]             End of line
[INS]             Toggle insert mode
[DEL]             Delete character
[ESC]             Cancel current command

SCROLLING KEY USAGE:
[PAGEUP]          Display previous page of display history
[PAGEDOWN]        Display next page of display history
[ALT-DN ARROW]    Scroll data window down one line
[ALT-UP ARROW]    Scroll data window up one line
[ALT-PAGEUP]      Scroll data window down one page
[ALT-PAGEDOWN]    Scroll data window up one page
[CTRL-UP ARROW]   Scroll code window down one line
[CTRL-DN ARROW]   Scroll code window up one line
[CTRL-PAGEUP]     Scroll code window down one page
[CTRL-PAGEDOWN]   Scroll code window up one page
==============================================================================

==============================================================================
              SOFTICE TABLE OF OPERATORS (USED FOR EXPRESSIONS)
==============================================================================
Indirection Operators     Example
-----------------------   ----------------------------------------------------
->                        ebp->8  (Gets DWord Pointed To By ebp+8)
.                         eax.1C  (Gets DWord Pointed To By eax+1C)
*                         *eax    (Gets DWord Value Pointed To By eax)
@                         @eax    (Gets DWord Value Pointed To By eax)
&symbol                   &symbol (Gets the address of the symbol)
------------------------------------------------------------------------------
Math Operators            Example
-----------------------   ----------------------------------------------------
Unary +                   +42 (Decimal)
Unary -                   -42 (Decimal)
+                         eax + 1
-                         ebp - 4
*                         ebx * 4
/                         Symbol / 2
% (Modulo)                eax % 3
<< (Logical Shift Left)   bl << 1  (Result is bl shifted left by 1)
>> (Logical Shift Right)  eax >> 2 (Result is eax shifted right by 2)
------------------------------------------------------------------------------
BitWise Operators         Example
-----------------------   ----------------------------------------------------
& (Bitwise AND)           eax & F7
| (Bitwise OR)            Symbol | 4
^ (Bitwise XOR)           ebx ^ 0xFF
~ (Bitwise NOT)           ~dx
------------------------------------------------------------------------------
Logical Operators         Example
-----------------------   ----------------------------------------------------
! (Logical NOT)           !eax
&& (Logical AND)          eax && ebx
|| (Logical OR)           eax || ebx
== (Compare Equality)     Symbol == 4
!= (Compare InEquality)   Symbol != al
<                         eax < 7
>                         bx > cx
<=                        ebx <= Symbol
>=                        Symbol >= Symbol
------------------------------------------------------------------------------
Special Operators         Example
-----------------------   ----------------------------------------------------
. (Line Number)           .123 (Value is Address of line 123 in source file)
() (Grouping Symbols)     (eax+3)*4
, (Arguments List)        Function(eax,ebx)
: (Segment Operator)      es:ebx
Function                  word(Symbol)
# (Prot-Mode Selector)    #es:ebx (Address is protected mode Selector:Offset)
$ (Real-Mode Segment)     $es:di  (Address is real mode segment:offset)
==============================================================================

==============================================================================
              SOFTICE BUILT IN FUNCTIONS: (USED FOR EXPRESSIONS)
==============================================================================
Name            Description                     Example
--------------- ------------------------------- ------------------------------
BYTE            Get Low Order Byte              ? Byte(0x1234)=0x34
WORD            Get Low Order Word              ? Word(0x12345678)=0x5678
DWORD           Get Low Order DWord             ? DWord(0xFF)=0x000000FF
HIBYTE          Get High Order Byte             ? HiByte(0x1234)=0x12
HIWORD          Get High Order Word             ? HiWord(0x12345678)=0x1234
SWORD           Convert Byte To Signed Word     ? SWord(0x80)=0xFF80
LONG            Convert Byte Or Word To Signed  ? Long(0xFF)=0xFFFFFFFF
                Long                            ? Long(0xFFFF)=0xFFFFFFFF
WSTR            Display as UniCode String       ? WSTR(eax)
FLAT            Convert a selector relative     ? Flat(fs:0)=0xFFDFF000
                address to a linear (flat) addr
CFL             Carry Flag                      ? CFL=Bool-Type
PFL             Parity Flag                     ? PFL=Bool-Type
AFL             Auxiliary Flag                  ? AFL=Bool-Type
ZFL             Zero Flag                       ? ZFL=Bool-Type
SFL             Sign Flag                       ? SFL=Bool-Type
OFL             OverFlow Flag                   ? OFL=Bool-Type
RFL             Resume Flag                     ? RFL=Bool-Type
TFL             Trap Flag                       ? TFL=Bool-Type
DFL             Direction Flag                  ? DFL=Bool-Type
IFL             Interrupt Flag                  ? IFL=Bool-Type
NTFL            Nested Task Flag                ? NTFL=Bool-Type
IOPL            IOPL Level                      ? IOPL=Current IO Privilege Level
VMFL            Virtual Machine Flag            ? VMFL=Bool-Type
IRQL            Windows NT OS IRQ Level         ? IRQL=Unsigned-Char
DATAADDR        Returns The Address Of The      dd @DATAADDR
                First Item Displayed In Data
                Window
CODEADDR        Returns The Address Of The      ? CODEADDR
                First Instruction Displayed In
                The Code Window
EADDR           Effective Address (If Any) Of   EADDR
                The Current Instructions
EVALUE          Current Value Of The Effective  EVALUE
                Address
PROCESS         KPEB (Kernel Process            ? PROCESS
                Environment Block) Of The
                Active OS Process
THREAD          KTEB (Kernel Thread             ? THREAD
                Environment Block) Of The
                Active OS Thread
PID             Active Process ID               ? PID == Test32PID
TID             Active Thread ID                ? TID == Test32MainTID
BPCOUNT         BreakPoint Instance Count       BPIF bpcount==0x10
BPTOTAL         BreakPoint Total Count          BPIF bptotal==0x10
BPMISS          BreakPoint Instance Miss Count  BPIF bpmiss==0x20
BPLOG           BreakPoint Silent Log           BPIF bplog
BPINDEX         Current BreakPoint Index #      BPDO "bd bpindex"
==============================================================================

==============================================================================
         SOFTICE TABLE OF OPERATOR PRECEDENCE (USED FOR EXPRESSIONS)
==============================================================================
Operator        Associates      Comment
--------------- --------------- ----------------------------------------------
(,),FUNCTION                    Scopes (Precedence OverRide), Function
->,.            Left To Right   Indirection
:               Left To Right   Segment:Offset
#,$             Right To Left   Protected Mode Selector, Real Mode Segment
*,@             Right To Left   Indirection
Unary +                         Default Radix == Decimal
Unary -                         Default Radix == Decimal
!,~                             Logical Not, Bitwise Not
.                               Line Number
*,/,%           Left To Right   Multiply, Divide, Modulo
+,-             Left To Right   Plus, Minus
<<,>>           Left To Right   Logical Shift Left, Logical Shift Right
<,<=,>,>=       Left To Right   Less Than, Less Than Equal, Greater Than.....
==,!=           Left To Right   Equal To, Not Equal To
&               Left To Right   Bitwise AND
^               Left To Right   BitWise XOR
|               Left To Right   BitWise OR
&&              Left To Right   Logical AND
||              Left To Right   Logical OR
COMMA           Left To Right   Argument List
------------------------------------------------------------------------------
Use of Parentheses () overrides precedence (means it's done first)
==============================================================================