eremitic software development

Thu, Jan 10, 2008

I was reading an interesting article by Jeff Atwood on Understanding User and Kernel Mode and it got me thinking back to my printer driver days and the time I used to develop in kernel mode on Windows NT4 and how, looking back on those days, it related to the practice of eremitism, which is defined by dictionary.com as:

“monasticism characterized by solitude in which the social dimension of life is sacrificed to the primacy of religious experience” and “The state of a hermit; a living in seclusion from social life”

I wouldn’t go so far as to claim a religious experience but kernel mode debugging with SoftICE was in many ways the act of a hermit retiring from the world for a few days to experience a spiritual solitude in the digital cave.

When you debug in kernel mode, you enter a state of simplicity, where life’s background of noise, activity and rituals diminishes and your foreground personality comes to the fore. To use an analogy, the background of society is the black screen so familiar from SoftICE, while you are the contrasting white registers and source code which stand out so clearly and demand all your attention.

The purpose of a hermit is mainly to detach from society, perhaps only for a few days or hours and contemplate life’s greater meanings and nature’s architecture of mountains and landscapes but the digital hermit can experience a wonder of a different kind when they enter kernel mode. A landscape where mortals fear to tread. Where MessageBox doesn’t work and you have to rely on inspecting registers and memory blocks to figure out why things are the way they are. You get to recognise the skeletons upon which User mode interfaces are built. You control time. You move pointers around to replay events, or skip to a place in the application’s future by shifting some memory around. You can influence what the application “thinks” by populating its memory allocation with data of your choosing. You are a mole burrowing beneath skyscrapers.

But kernel mode is also a dangerous place in which to work. You have root access to everything. All the hardware, the interrupts, the machine’s heart. If you slip, the machine goes down. It’s a big responsibility. But I sometimes pine for those days of simplicity, where you control how your application works, right down to its memory management. Contrast that to today’s Java world of inefficient garbage collection and so bloated an API that you need to keep looking up how to open a file and read a line from it. It’s pretty difficult to make any wattage savings in a Java app compared to a kernel mode driver.

Just after I left and moved out of driver development, SoftICE became restricted to genuine device driver developers as it was so powerful the cracking community used it to bypass serial number restrictions in applications. I remember reading a Russian cracker’s account of how he did just that, without the application’s source code. It basically involved using SoftICE to load the application and setting a breakpoint on, say, GetDlgItemText and then stepping through the disassembly, tracing a path through the app’s memory blocks and looking for cmp instructions and inspecting the memory locations being compared, looking for a serial number. Fascinating.

With the advent of Windows 2000 though, printer drivers moved back to User mode. I heard at the time that the move was due to too many flaky drivers being produced and giving the OS a bad name. To be fair though, kernel mode driver development is a black art. Any driver development is a black art. The driver is the interface between the customer (the application) and the machine and, as in the real world, the customers are a hairy bunch of weirdos. A colleague was so fed up with an Adobe application that he allocated space in his DEVMODE to accommodate its idiosyncrasies. He even called the memory block “crapadobehack”! We had to do this in those days as Adobe applications were optimised for PostScript drivers and they didn’t play well with PCL ones. And now SoftICE is no more. The nearest you can get to software development eremitism is in AOP but you don’t get to go as deep as kernel mode any more.
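The DEVMODE hack above points at a general problem for any driver, kernel or user mode: the structure is handed over by the application, and it carries its own length fields (dmSize for the public part, dmDriverExtra for whatever private data the driver appends after it), so a driver that stashes its own block there has to check those claims against the buffer it was actually given before reading a byte of it. The following C is an added example written for this page, not the author's or his colleague's driver code; the DevModeHdr and PrivExt layouts, the magic tag and the quirk flag are constructed stand-ins for the real wingdi.h structure and for whatever went into that memory block.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the public DEVMODE header (the real one in
 * wingdi.h has many more fields); only the two length fields matter here. */
typedef struct {
    char     dmDeviceName[32];
    uint16_t dmSpecVersion;
    uint16_t dmDriverVersion;
    uint16_t dmSize;        /* bytes in the public part, as claimed by the app */
    uint16_t dmDriverExtra; /* bytes of private driver data following it     */
} DevModeHdr;

/* Hypothetical private extension a PCL driver appends after the header. */
#define PRIV_MAGIC   0x31574d44u  /* constructed tag, "DMW1" */
#define PRIV_VERSION 1u
typedef struct {
    uint32_t magic;
    uint32_t version;
    int32_t  app_quirk;   /* e.g. "this app expects PostScript-style margins" */
    int32_t  reserved;
} PrivExt;

enum { DM_OK = 0, DM_TOO_SMALL = 1, DM_BAD_LENGTH = 2, DM_BAD_PRIVATE = 3 };

/* Validate an application-supplied DEVMODE before trusting any field in it.
 * buflen is what the caller really handed over; dmSize/dmDriverExtra are the
 * application's claims and are checked against it, never the other way round.
 * The header is copied out once so a re-read cannot see a changed value. */
int validate_devmode(const uint8_t *buf, size_t buflen, PrivExt *out)
{
    DevModeHdr hdr;
    PrivExt priv;
    size_t total;

    if (out) memset(out, 0, sizeof *out);
    if (buf == NULL || buflen < sizeof hdr) return DM_TOO_SMALL;
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.dmSize < sizeof hdr) return DM_BAD_LENGTH;
    total = (size_t)hdr.dmSize + hdr.dmDriverExtra;  /* no overflow in size_t */
    if (total > buflen) return DM_BAD_LENGTH;        /* claims more than given */
    if (hdr.dmDriverExtra == 0) return DM_OK;        /* public part only */
    if (hdr.dmDriverExtra < sizeof priv) return DM_BAD_PRIVATE;
    memcpy(&priv, buf + hdr.dmSize, sizeof priv);
    if (priv.magic != PRIV_MAGIC || priv.version != PRIV_VERSION)
        return DM_BAD_PRIVATE;                       /* not ours, or stale layout */
    if (out) *out = priv;
    return DM_OK;
}

/* Build a well-formed DEVMODE + private block; returns bytes written, or 0. */
size_t build_devmode(uint8_t *out, size_t cap, int32_t app_quirk)
{
    DevModeHdr hdr;
    PrivExt priv;
    size_t need = sizeof hdr + sizeof priv;

    if (cap < need) return 0;
    memset(&hdr, 0, sizeof hdr);
    memset(&priv, 0, sizeof priv);
    strncpy(hdr.dmDeviceName, "Example PCL", sizeof hdr.dmDeviceName - 1);
    hdr.dmSize        = (uint16_t)sizeof hdr;
    hdr.dmDriverExtra = (uint16_t)sizeof priv;
    priv.magic     = PRIV_MAGIC;
    priv.version   = PRIV_VERSION;
    priv.app_quirk = app_quirk;
    memcpy(out, &hdr, sizeof hdr);
    memcpy(out + sizeof hdr, &priv, sizeof priv);
    return need;
}

/* Scenarios: 0 = untouched buffer, 1 = dmDriverExtra inflated to 0xFFFF,
 * 2 = caller passes one byte less than the header claims, 3 = private magic
 * zeroed (another driver's extension). Returns the validator's verdict. */
int check_scenario(int which)
{
    uint8_t buf[128];
    PrivExt priv;
    size_t n = build_devmode(buf, sizeof buf, 1);
    uint16_t huge = 0xFFFF;
    uint32_t zero = 0;

    if (n == 0) return -1;
    if (which == 1) memcpy(buf + offsetof(DevModeHdr, dmDriverExtra), &huge, sizeof huge);
    if (which == 2) n -= 1;
    if (which == 3) memcpy(buf + sizeof(DevModeHdr), &zero, sizeof zero);
    return validate_devmode(buf, n, &priv);
}

/* Quirk flag read back through the validator from a valid buffer. */
int32_t read_back_quirk(void)
{
    uint8_t buf[128];
    PrivExt priv;
    size_t n = build_devmode(buf, sizeof buf, 1);
    return validate_devmode(buf, n, &priv) == DM_OK ? priv.app_quirk : -1;
}

int main(void)
{
    int i;
    for (i = 0; i < 4; i++)
        printf("scenario %d -> verdict %d\n", i, check_scenario(i));
    printf("quirk flag -> %d\n", (int)read_back_quirk());
    return 0;
}
```

The order of the checks is the point: the validator first rejects a dmSize smaller than the public part and any dmSize + dmDriverExtra larger than the caller's length, and only then looks for its own magic and version in the private area, so a block left behind by a different driver (or an older build of this one) is refused rather than reinterpreted as a quirk flag.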

So now I must return to the JVM and perhaps look into bytecode manipulation. Try to rediscover that digital cave.
