Geoff Chappell - Software Analyst
In for a penny, in for a pound. A catalogue of KERNEL32 functions (begun last month but still in need of work) has led soon enough to one for ADVAPI32. Though this cataloguing of exported functions requires care in various ways, it is such basic work that I tend to think the absence of reliable lists elsewhere is evidence of an absence of reverse engineering as any sort of systematic study. Really, this is stuff for research students!
Still, if cataloguing is to be all I shall now do for this website, it is all as well to be up to date and to be done with such authority that it becomes the unchallenged standard for independent reference. There is now under way, finally, a general but occasional updating of documentation status to match the SDK and WDK for Windows 7. Add an updating for 64-bit Windows (previously catalogued just for the HAL and kernel) and the first result is a substantial revision of the NTDLL catalogue. Unfortunately, if only for my immediate sense of doing productive work, the second result is a realisation that all the catalogues ought not just be updated but significantly improved. Starting from the bottom, the kernel catalogue is being reworked substantially, most notably to discover and record where documentation status has changed.
Also promised last month was some analysis of the reorganisation that Windows 7 brings to the lower levels of the Win32 subsystem. A write-up of the actual research in this is presentable as a draft. It includes a correct format of data in the new ApiSetSchema.dll, but collecting my thoughts about this reorganisation’s implications for computer security may take me a while. Of particular concern is the (possibly malicious) modification of standard Windows API functions for all users of those functions. Where software might previously have thought to achieve this by altering—some would say infecting—KERNEL32 as a file on disk, it now has the much smaller task of altering the new DLL. It’s as well that changing any DLL in the System32 directory is difficult, but any security software that specially protects KERNEL32 (and ADVAPI32) ought now protect ApiSetSchema at least as well, or accept that the lesser protection of the latter undercuts whatever protection they claim to provide the former.
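The protective parity argued for above, as an added example (not code from the original post): a PowerShell baseline-and-verify check that treats ApiSetSchema.dll with the same suspicion as KERNEL32 and ADVAPI32. It assumes Windows PowerShell 4.0 or later; the baseline file location is a hypothetical choice.

```powershell
# Added example, not from the original post. Records and re-checks the three
# System32 DLLs the post names. The baseline path below is hypothetical.
$System32     = Join-Path $env:SystemRoot 'System32'
$Watched      = 'kernel32.dll', 'advapi32.dll', 'apisetschema.dll'
$BaselinePath = Join-Path $env:ProgramData 'apiset-baseline.xml'   # hypothetical location

function Get-WatchedDllState {
    # One record per DLL: SHA-256 of the file on disk plus the Authenticode verdict.
    # Windows system DLLs are usually catalog-signed; older PowerShell versions may
    # report NotSigned for them, so the hash comparison is the primary check.
    foreach ($name in $Watched) {
        $path = Join-Path $System32 $name
        $sig  = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Name      = $name
            Sha256    = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            SigStatus = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
        }
    }
}

function Save-WatchedDllBaseline {
    # Run once on a system known to be clean (or immediately after a Windows Update).
    Get-WatchedDllState | Export-Clixml -Path $BaselinePath
}

function Test-WatchedDlls {
    # Flags a DLL whose signature is not Valid or whose hash drifted from the baseline.
    # A drifted hash with no intervening update is the modification the post describes,
    # and ApiSetSchema.dll is checked with exactly the same rule as KERNEL32.
    $baseline = @{}
    if (Test-Path $BaselinePath) {
        Import-Clixml -Path $BaselinePath | ForEach-Object { $baseline[$_.Name] = $_.Sha256 }
    }
    foreach ($dll in Get-WatchedDllState) {
        $problems = @()
        if ($dll.SigStatus -ne 'Valid') { $problems += "signature $($dll.SigStatus)" }
        if ($baseline.ContainsKey($dll.Name) -and $baseline[$dll.Name] -ne $dll.Sha256) {
            $problems += 'hash differs from baseline'
        }
        [pscustomobject]@{ Name = $dll.Name; Ok = ($problems.Count -eq 0); Details = ($problems -join '; ') }
    }
}

# Usage: Save-WatchedDllBaseline once, then Test-WatchedDlls | Format-Table -AutoSize
# after any change to the system that was not a Windows Update.
```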