icedump and nticedump history
-----------------------------


------------------------------------------
icedump 6.026 & nticedump 1.14  2002/09/09
------------------------------------------

icedump:
	- DDB declaration syntax is now per the MS DDK
	- every VxD was properly protected but icedump itself, bummer
	- fixed all makefiles referring to tools
	- fixed page fault checks in PROTECT (thanks EliCZ)
	- fixed bug in resource rebuilding (G-RoM)
	- added PBPM (^DAEMON^)
	- support for 4.2.7 build 562 (released in DriverStudio 2.7 final)

nticedump:
	- support for 4.2.7 build 562 (released in DriverStudio 2.7 final)


------------------------------------------
icedump 6.025 & nticedump 1.13  2001/12/12
------------------------------------------

icedump:
	- hook the double fault handler and make it an interrupt gate
	- support for 4.2.5 build 824 (released in DriverStudio 2.5 final)
	- fixed unhooking _GetVxDName (thanks dEZZY)
	- support for 4.2.6 build 922 (released in DriverStudio 2.6 final)

nticedump:
	- support for 4.2.5 build 824 (released in DriverStudio 2.5 final)
	- support for 4.2.6 build 922 (released in DriverStudio 2.6 final)


------------------------------------------
icedump 6.024 & nticedump 1.12  2001/11/11
------------------------------------------

icedump:
	- Phoenix reports unresolved IAT slots in import rebuilding modes 3
	  and 4, they will have to be resolved manually (G-RoM)
	- fixed all command parsers that trashed client registers before
	  evaluating all arguments (igNorAMUS)
	- moved tools/inc to common/inc
	- PEDUMP tries to automatically handle a trashed header (G-RoM)
	- added long overdue 'icebp' and 'int 01' emulation to the tracer
	- added Hydra plugin for telock and pcguard(?) (G-RoM), read the
	  code for some important comments
	- moved w9x/hydra/example/thunk to w9x/hydra/example/unwrap
	- export renormalization should work on win95 as well (G-RoM)

nticedump:
	- support for 4.2.5 build 785 (released in DriverStudio 2.5 RC1)
	  this is an exception to the rule (no support for beta stuff),
	  but since nothing else works with the last XP candidates...


------------------------------------------
icedump 6.023 & nticedump 1.11  2001/04/15
------------------------------------------

icedump:
	- PEDUMP can coagulate rsrc and has better compatibility (G-RoM)
	- PROTECT hides REGMON and FILEMON VxDs as well (hint from Blackbird)
	- tracer emulates a VTD service
	- G-RoM fixed an obscure bug in the import rebuilder
	  (thanks to LordByte ;-)
	- better export renormalization, looks more and more like voodoo magic
	- support for 4.2.1 build 53 (released in DriverStudio 2.0.1 final)

nticedump:
	- support for 4.2.1 build 53 (released in DriverStudio 2.0.1 final)


------------------------------------------
icedump 6.022 & nticedump 1.10  2001/02/11
------------------------------------------

icedump:
	- all relevant interrupts are hooked (thanks risc), offset screwups
	  also fixed (big thanks to SV)
	- better kernel32 exports normalization method and
	  also fixed an obscure bug in it (thanks The Source)
	- fixed a bug in EliminateFirst (thanks EliCZ)
	- PROTECT works properly with file system drivers that present lower
	  case file names to DOS (thanks EliCZ)
	- removed IMPORTS since it was obsoleted by Hydra
	- added an option to PEDUMP to select IAT scanner range (G-RoM)
	- PROTECT hooks VMM_GetVxDLocationList (thanks risc)
	- fixed all %ifdef trees... eg. GetVideoMem was wrong for 3.22/3.23
	- fixed GetLenAndAddr (forgot about the immediate argument while
	  parsing SIB... unbelievable)
	- winice breakpoints are disabled while icedump loads/unloads
	- added user32, advapi32 and gdi32 exports normalization, PEDUMPed
	  files will work even better under NT/2000 ;-) (G-RoM)
	- export renormalization will NOT be undone when icedump is unloaded
	- Updated Hydra documentation (G-RoM)
	- Upgraded Hydra plugin loader (G-RoM)
	- fixed and synchronized some PEDUMP OPTIONs
	- G-RoM fixed a buffer overflow in Phoenix (thanks Lordbyte)
	- Added FDUMP (aka Ymir) command: read documentation carefully (G-RoM)
	- Enhanced Ymir : filters out heaps, stack, and environment vars.
	- fixed a tracer bug, eg. it will no longer lose control over the trap
	  flag when winmm.dll is imported from


------------------------------------------
icedump 6.021 & nticedump 1.10  2000/12/04
------------------------------------------

icedump:
	- added an option to PEDUMP to select between two IAT scanners (G-RoM)
	- added HASPCODE (thanks CrackZ)
	- small fix in import rebuild mode 2 (G-RoM)
	- fixed DUMP/LOAD, non-committed pages in the memory range will not
	  cause oversized files any longer
	- added kernel32 exports normalization, PEDUMPed files will work
	  under NT/2000 as well (G-RoM)


------------------------------------------
icedump 6.020 & nticedump 1.10  2000/11/11
------------------------------------------

icedump:
	- fixed a small bug in Hydra affecting UnwrapThunk callbacks, added
	  better support for API wrappers like aspack, peshield (G-RoM)
	- added vbox 4.30 unwrapper plugin (G-RoM)
	- PROTECT hooks VXDLDR_UnloadDevice too (thanks the Egoiste)
	- PROTECT checks SIWDEBUG VxD ID too
	- added CLIP (igNorAMUS)
	- support for 4.0.5 build 526 (released in DriverStudio 2.0 final)
	- support for 4.0.5 build 334 (released in DriverStudio 1.5 final)
	  please note that it is essentially the same as build 316, so the
	  same icedump.exe will work for both
	- fixed wme issue (R3TCB.TDBX has changed)

nticedump:
	- support for 4.0.5 build 526 (released in DriverStudio 2.0 final)


-----------------------------------------
icedump 6.019 & nticedump 1.9  2000/09/09
-----------------------------------------

icedump:
	- added RDMSR and WRMSR
	- fixed lookup for VWIN32_W32_SuspendThread/VWIN32_W32_ResumeThread,
	  SUSPEND/SUSPENDX/RESUME should work now (broken since 6.016)
	- tracer emulates RDTSC and Windows NT (simulates win32 selectors,
	  will fool some schemes that would otherwise play some nasty win9x
	  tricks. of course it is optional, turned off by default)
	- fixed tracer initialization, could cause page faults while loading
	  icedump (thanks Topi)
	- added score system to TETRIS, but damn i shall be if i ever do the
	  challenge mode ;-)
	- added anti detection/self-defense code
	- some code cleanup in taskmod
	- tracer does not log control flow above 0x80000000
	- BREAKR3 can break into V86 mode threads, any number of attempts can
	  be in progress (maintains per thread context info)
	- changed IRETD emulation in tracer, should no longer cause unhandled
	  int01 exceptions (hidden bug surfaced after fixing another one ;-)
	- commands using the callback mechanism reinforce the original int3
	  handler temporarily
	- added PROTECT to detect illegal accesses to GDT/IDT/LDT and ring-0
	  entry attempts. turned off by default, pops up winice when on and
	  something is about to happen
	- added G-RoM's plugin system (Hydra) to PEDUMP together with HYDRA
	  which specifies the plugin to be used during imports rebuilding
	  (including the new mode 4). see plugin SDK for more info (w9x/hydra)
	- added ALLOC, FREE (supported for win32 clients only)
	- fixed TRACE parameter handling (byte vs. dword compare)
	- tracer emulates kernel32.getlocaltime and mmsystem.timegettime
	- fixed inconsistency between SeekFile32 and other code that used it
	- tracer handles all sorts of debug exceptions (DRx hits, etc)
	- fixed bug in IsBadPtr, affected (badly) PEDUMP in import rebuilding
	- tracer ignores nested execution blocks, fixes some problems (thanks
	  Lord Crass for a test case ;-)


-----------------------------------------
icedump 6.018 & nticedump 1.9  2000/08/03
-----------------------------------------

icedump:
	- fixed TETRIS, last column was ignored in CompactLines, also changed
	  some colors, should show better in text modes
	- fixed GetVideoMem for 3.22-3.24, crashed SCREENDUMP/TETRIS...
	  (thanks spath, and sorry for the reboots ;-)
	- fixed bugs with _HeapAllocate, forgot to test eax... thanks iceman
	- fixed PEDUMP bugs

nticedump:
	- added L (file load)


-----------------------------------------
icedump 6.017 & nticedump 1.8  2000/07/23
-----------------------------------------

iceload:
	- added keyboard accelerators (thanks muffin/the rain)

icedump:
	- bugfix in GetModuleHandle, import rebuild mode 1 works now
	- simpler GetCurrentProcessID and OpenFile32
	- improved IMPORTS (uses the callback, can touch paged out memory)
	- handlers of hooked interrupts have default offset diffs
	- int41 is hooked
	- fixed inconsistencies between doc/code in 'OPTION T' (same/child
	  process tracing flags were wrongly documented, thanks eternal bliss)
	- CD cannot be invoked from a ring-0 client, parser checks for this
	- thanks to fossil, the stupid LE page size has been optimized
	  resulting in smaller executables... wtf i was thinking back
	  then remains a mystery ;-)
	- fixed MP3, there was a resource contention problem, it's far from
	  being perfect (it could still lock up) but should work most of
	  the time, also Yoga behaves better and more consistently
	- SCREENDUMP should work for 3.22-3.24 now, NuMega has the same habit
	  of changing their own spec as MS... okay, it ain't public, but still
	- make generates/uses proper dependencies
	- PEDUMP has a new option, can recompute the imagesize
	- fixed BHRAMA, forgot to skip over whitespace before the window name
	  (thanks exit)
	- added TETRIS

nticedump:
	- fixed doc stating that 16 bit modes (PM/V86) were not supported,
	  of course they are


-----------------------------------------
icedump 6.016 & nticedump 1.8  2000/04/27
-----------------------------------------

iceload:
	- several new features in the GUI part, like export loading, command
	  line parameter passing to loaded exe, history file saving, you can
	  probably dump loader32 now ;-)

icedump:
	- new parser, requires a leading '/' and full words (instead of '/'
	  anything that would normally print an 'invalid command' message
	  can be used, '/' is just a suggestion, as per IRC standard ;-)
	- changed OPTION syntax for certain flags, read the source or TFM
	- added TRACE, TRACEX
	- added BREAKR3
	- added .EPS output for SCREENDUMP (ignoramus)
	- removed EFLAGS, served no purpose anyway
	- some fixes regarding exception handling and file i/o share modes
	- fixed problem with looking up kernel32!ord_0017, thanks muffin
	- fixed callback when called from ring-0

nticedump:
	- fixed a bug in ntid.exe, luckily didn't really affect functionality
	  (thanks to staier who noticed it)
	- added PM-16 and V86 mode support for dumper


-----------------------------------------
icedump 6.015 & nticedump 1.7  2000/03/15
-----------------------------------------

icedump:
	- Phoenix: import caving implemented (G-RoM), also several bugfixes
	- added iceload, easy way of loading a PE DLL and breaking on its
	  entry point, it requires nmtrans.dll which should NOT be patched
	  the way as it was suggested here previously, read its source code
	  and doc for more details
	- kernel32 locking disabled, seems to do nothing good, VMM doesn't
	  even let one lock the whole thing...
	- added debug flag system (as in the NT kernel), by default all
	  messages are disabled, flags are at sdata+DebugFlags


-----------------------------------------
icedump 6.014 & nticedump 1.7  2000/03/01
-----------------------------------------

icedump:
	- updated LaTeX support for 'N' (Ghiri, igNorAMUS)

nticedump:
	- fixed 'B', damn, how could i forget to skip over the whitespace
	  before the window name...


-----------------------------------------
icedump 6.013 & nticedump 1.6  2000/02/29
-----------------------------------------

icedump:
	- fixed IDT patching, now counting PM APPs in a VM myself, VMM doesn't
	  play fair since it gets one more (last) chance to react on a SysCtrl
	- fixed winice bug where 'break on load' would not if the win32 module
	  had a non-executable first section (nmtrans/winice conspiracy)
	- kernel32 is locked into physical memory while icedump is loaded
	  this ensures that we can poke inside it while in winice context
	  (might be unnecessary, but we do it just in case ;-)
	- enhanced 'N' to dump to LaTeX format (Ghiri)
	- finished ring-0 support code for Phoenix
	- added 'T' for true process dumping, uses G-RoM's Phoenix engine,
	  this is one of the most significant additions to icedump yet,
	  thanks man ;-) (and please don't ask for the source code, it's his)
	- added 'O T' to set some flags for the above (G-RoM)

nticedump:
	- support for 4.0.5 build 334 (released in DriverStudio 1.5)
	  as a general suggestion everyone should move to 4.x 'cos the next
	  major version won't have any support for 3.x
	- added 'B' (Bhrama support) but unfortunately the whole scheme just
	  doesn't work under NT, wait for Phoenix to be ported instead (and
	  feel free to fix Bhrama and nticedump to get it to work)


-----------------------------------------
icedump 6.012 & nticedump 1.5  2000/02/19
-----------------------------------------

icedump:
	- added some ring-0 support code for G-RoM's procdump engine (Phoenix)
	- fixed VMP3D initialization bug when VDSPD fails to load
	- added 'K', kills non-current process, not thread
	- fixed IDT/INTx patching (done in each VM now)
	- added fossil's import rebuilder ('I' subcommand)
	- added G-RoM's 'O B' for setting some Bhrama related options
	- support for 4.0.5 build 316 (released in DriverStudio 1.5)

	  note that apparently there are (at least) two different releases
	  of 4.01 floating around, unfortunately we support the older (and
	  apparently beta) one only... so far very few people experienced
	  the problem (the version detection is fooled and results in v4.00
	  being loaded and eventually a crash when you try to use it), so
	  there are no plans for support.

nticedump:
	- correct version is 1.5, i.e. no updates since its first release as
	  it undergoes a major rewrite as well: win2k support, .sys format,
	  new subcommands (did i hear mp3? ;-)


-----------------------------------------
icedump 6.011 & nticedump 1.5  2000/01/26
-----------------------------------------

icedump:
	- finally ;-) fixed mp3 crashes, how could i forget about that each VM
	  had its own V86 and PM IDTs... int1/3/4/5 hooking is crap as well,
	  will be fixed later
	- updated winddk.inc, it still could have extra (erroneous) service
	  entries for VxDs whose original definition contained ifdefs, didn't
	  bother to check them all, at least VMM, VPICD and SHELL should be ok


-----------------------------------------
icedump 6.010 & nticedump 1.5  2000/01/22
-----------------------------------------

icedump:
	- added mp3 player control
	- fixed callbacks (save EFLAGS now, important for ring-0 clients)
	- got rid of the semaphore in vmp3d and some stuff, quote of the day:
	  <fOSSiL> is *any* of my code left in vmp3d ? =))
	- hopefully fixed crashes under win9x versions supporting WDM and the
	  IRQL concept (that means VMM version 0x403 and above).


-----------------------------------------
icedump 6.009 & nticedump 1.5  2000/01/18
-----------------------------------------

icedump:
	- fixed mp3 VxDs, finally...
	  control from icedump is still pending though
	- new vmm/vxd macros (fossil)


-----------------------------------------
icedump 6.008 & nticedump 1.5  2000/01/16
-----------------------------------------

icedump:
	- added fossil's VxD based mp3 player (ported it to nasm),
	  it doesn't work though for now, so don't use it


-----------------------------------------
icedump 6.007 & nticedump 1.5  2000/01/13
-----------------------------------------

icedump:
	- fixed default file name handling ('O','D','N'), WIAT again...
	- debug builds can be made by adding DEBUG=1 to the make command line
	  (default value is 0)
	- define MY_WINICE in the makefile and 'make loadsym' to load symbols
	- fixed delegating the soundcard irq to winice based on the wrong flag
	  still, windows hangs sometimes (but the mp3 song does not stop ;-)


-----------------------------------------
icedump 6.006 & nticedump 1.5  2000/01/11
-----------------------------------------

icedump:
	- fixed 'N', blame it on WIAT again ;-)


-----------------------------------------
icedump 6.005 & nticedump 1.5  2000/01/10
-----------------------------------------

icedump:
	- fixed callbacks again (gotta get used to WIAT ;-)
	- fixed 3.24/3.25 crashes


-----------------------------------------
icedump 6.004 & nticedump 1.5  2000/01/10
-----------------------------------------

icedump:
	- mp3 playing inside winice works now, thanks Domnar
	- added Winice Import Address Table -> cleaner code


-----------------------------------------
icedump 6.003 & nticedump 1.5  2000/01/10
-----------------------------------------

icedump:
	- first shot at getting fossil's mp3 player to work inside winice


-----------------------------------------
icedump 6.002 & nticedump 1.5  2000/01/09
-----------------------------------------

icedump:
	- workaround for a damn nasm bug, callbacks should work now
	- fixed SaveRegs/RestoreRegs, my mistake ;-)


-----------------------------------------
icedump 6.001 & nticedump 1.5  2000/01/06
-----------------------------------------

icedump:
	- it's a dynamic VxD now, icedump.exe loads itself
	- dropped 'U' (the VxD loading mechanism takes care of it)
	- fixed html screendump (hopefully)


--------------------------------------
icedump 5.18 & nticedump 1.5  xx/xx/xx           !was not released!
--------------------------------------

- fixed patcher.bat (out of environment space)

icedump:
	- some cosmetic changes


--------------------------------------
icedump 5.17 & nticedump 1.5  99/09/29
--------------------------------------

- new history format: separated win9x and nt stuff
- patcher.bat supports both icedump and nticedump

nticedump:
	- added g-rom's patcher
	- fixed command line parser
	- fixed one damn offset for v3.24, thanks Krk
	- fixed bug affecting v3.22 and v3.23 when used in boot mode
	- added support for v3.22 (pGetIrqlLevel) handcoded


------------------------
icedump 5.16    99/09/17
------------------------

- added nticedump (thanks Ice ;-), right now 'D' is supported
  note that ntice v3.22 is NOT supported since it lacks one
  important function we need... perhaps next time we will add
  our own version ;-)


------------------------
icedump 5.15    99/09/15
------------------------

- added patcher.bat by the rain, makes applying the patch even easier
- added support for winice v4.01
- .inc files for winice are automatically generated from the IDBs


------------------------
icedump 5.14    99/09/09
------------------------

- minor updates to 'C', 'U' (by fOSSiL)
- sdc.exe updated (cosmetic change in HTML output ;-)
- fixed 'F', thanks to fOSSiL for pointing out the now obvious ;-)


------------------------
icedump 5.13    99/08/29
------------------------

- help prints version info as well
- added offsets for 3.23-4.00 to support 'F'
- fixed 'F', winice uses the per thread FPU state info managed by VMCPD
  and doesn't directly read the FPU...
- 'F' cannot parse negative numbers for some reason, will be fixed...


------------------------
icedump 5.12    99/08/26
------------------------

- another damned build of kernel32 (hi Lorian ;-), another fix for the runtime
  detector, if you have build 1111 of win9x, this fix is probably for you
- finished 'F'
- finished 'U'
- finished 'C'
- put off  'K' due to difficulties, feel free to contribute your solution
- new patcher to support 'U', older 'icedump' images are NO longer supported!
- source code rearranged for easier maintainability


------------------------
icedump 5.11    99/08/19
------------------------

- hopefully synchronised patcher and new header format. new header subject to
  owl approval (header size increased for sake of readability - but size
  increase is not passed into WINICE.EXE so is not really a bad thing)
- i've included the new patcher with this. but it hasn't been tested so use
  at your own risk for now ;) it should be noted that the old patcher won't
  handle any of the new versions which separate 'Init' into 'Init' and
  'Static Part'. Also, new patcher is not yet backwards compatible (and may
  never be)


------------------------
icedump 5.10    99/08/02
------------------------

- merged fossil's and ghiri's update to 'O', 'N' and 'D'
  read the doc and the code for details
- finished 'L'


------------------------
icedump 5.9g6   99/08/01
------------------------

- HTML credit line fixed again
- html directory nuked


------------------------
icedump 5.9g5   99/08/01
------------------------

- more doc updates
- HTML credit line fixed ;)


------------------------
icedump 5.9g4   99/07/31
------------------------

- minor doc update


------------------------
icedump 5.9g3   99/07/31
------------------------

- memdump autolength feature scrapped
- O subcommand complete, unless somebody needs OptLx control


------------------------
icedump 5.9g2   99/07/31
------------------------

- added auto filename option for memdump command
- removed some commented out debug code
- commented out a redundant 'end:' label


------------------------
icedump 5.9g    99/07/31
------------------------

- screendump options (O N subcommands) implemented and documented
- various screendump labels/vars that were made global have been made local
  again


------------------------
icedump 5.9     99/07/30
------------------------

- fuck microsoft which changes just about every damned structure in each build
  the runtime detection code now also detects the vwin32 win32 API IDs...
  anyway fossil, you have a god damned build ;-)


------------------------
icedump 5.8     99/07/29
------------------------

- bugfixes (forgot to save/restore some registers ;-)
- added runtime determination of kernel32 structure offsets and object IDs


------------------------
icedump 5.7     99/07/29
------------------------

- merged Fossil's updated html code, not tested
- merged Ghiri's updated 'N' parser code, not tested
- merged Ghiri's 'O' command, no idea if it works at all ;-)
- finished 'P', not tested


------------------------
Icedump 56g2	26/07/99
------------------------

- Screendump 'expert mode' added (this will be renamed to Auto-mode when I next
  change it).

- Options for screendump expert mode and dump number added (filename base yet to
  be implemented).

- I'm assuming the '.' before labels makes the label local. I had to make a few
  of the labels global. Namely: EmodeFileName, EmodeExtPtr, Emode and mode2_html

- I plan to finish the screendump options and add auto-mode for normal file
  dumping. Also, perhaps options for the Procdump OptLx registers.


------------------------
Icedump 56g	26/07/99
------------------------

- history.txt added (this file)

- faq.txt added (FAQ regarding installation, probs etc.) this will hopefully
  reduce the number of support emails sent to the BETA team.

- Options subcommand added (skeletal implementation so far) - will eventually be
  used to control screendump options and can be used to modify other icedump
  internal options.


------------------------
Icedump 56	26/07/99
------------------------

- New thread code written (see X subcommand in docs)

- New F subcommand to alter Eflags (only TRAP at the moment and it doesn't seem
  to work anyway :)

- Pagein H subcommand changed to just PAGEIN

- Int4 and Int5 handlers also redirected

- Note: L subcommand added to parser and help but not yet implemented!
  Confusing? Heh, not as bad as my mode1 label - got both Owl and fossil with
  that ;) Perhaps we should stop doing this to each other ;)


------------------------
Icedump 55g	23/07/99
------------------------

- Bhrama stuff done and subcommand is 'b' not 'p'

- Suspend/Resume stuff is working on some platforms but is still experimental
  Note: you cannot suspend current thread!

- Mode 0 and 1 of screendump is complete and mode 2 is mostly complete
  Yet to be done:
	- fixing encoding for '<' to &lt; so that '<' chars in the dump do not
	  screw up HTML code.
	- standalone HTML converter (possibly unified RAW to TXT/HTML converter)
	- Opera fix (probably will be implemented as optional code requiring
	  recompile)

- Included 'patch' for IDT delta offset	trick for SoftICE detection with Int1
  and Int3 handlers
