Geoff Chappell - Software Analyst
Whatever was here at this website on 1st November 2010 is pretty much all there ever will be, unless a fairy godmother appears who will fund the reverse engineering of Windows as full-time work. By “fairy godmother” I mean that the chance is less than remote and was only ever fantastic. I just can’t keep adding to this documentation project from my own pocket. Who could? But neither can I play the businessman or promoter while also achieving anything of significant merit in what I regard as the real work. Even on this question of merit in real work, I have become increasingly unhappy that too much work for this site has the feel of exercises for my practice rather than of results that are useful to my readers. I certainly do not mean to understate the value of practice, but I am by now as well practised as I think anyone ever will be at the sort of reverse engineering that seeks to understand whole features of software in detail. The venture sinks or swims on what real-world application can be found for it.
Someone else perhaps will have the right mix of skills to put all this together, some day, and make it easier for everyone who comes after. But that person won’t be me. I have done very much more than my fair share, off and on over almost two decades, to find what might be achieved in the reverse engineering of Windows (and, recently, malware) by treating it as serious work. But I’ve done all I can on my own. I can’t take it any further without substantial help.
Unfortunately, kind words and even the occasional small gift from readers, though much appreciated, thank you, are not help enough. I have to stop now. There may be corrections, because I am of course responsible for what I have written. There may from time to time be some maintenance and tidying up, but there will be no updates. Though The CPL Icon Loading Vulnerability is not my best work (but is typical for being not quite finished), it looks like being the last new work that I will ever publish to this website.
It’s too late to matter now, but it rounds things off nicely that in August 2009 when I last thought seriously to stop work on this website I wrote “it seems that nobody has yet documented all the ways that Control Panel items are discovered or the means by which details about them are cached so that they can be enumerated without having to load their CPL modules”, and then this turned out to be precisely where Windows was exploited for one of the main malware attacks in 2010. Indeed, for getting a file loaded and executed just from browsing files on removable media, Stuxnet must count as one of the most alarming exploits ever. It’s just coincidence that writing about it makes for my last article before stopping in November 2010. Had I given up on this website only a few months earlier, I would never have looked at Stuxnet and it would have gone largely unremarked that what Stuxnet exploits is not a defect in “parsing shortcuts”, as Microsoft and some supposed experts describe it, but is instead a larger problem with the Control Panel’s security for loading CPL modules, and may be a very much larger problem with shell folders generally being lax about the PIDLs they receive as input.
That I go on about this is to make the point that even though 2010 shows encouraging signs of reverse engineering becoming commercially viable work for malware analysis, the reverse engineering of Windows, even to support the reverse engineering of malware, is still so primitive that malware analyses can get widely circulated and apparently appreciated even if completely mistaken about what vulnerability is exploited.
If more were known of Windows from reverse engineering it, would the greater benefit go to attackers or defenders? The arguments have surely been developed elsewhere, though most likely to say that Windows would be better known from having its source code published. Yet the source code for Windows plainly isn’t going to be published. Reverse engineering is all there can be. You know it can be useful to do. I’ve shown what can be done. Please, someone, make a business of it. Then a lot more of it can be done, for everyone’s benefit.
If only for the record, there follows a list of all pages that were either added to the Notes and Studies at this website during 2010 or had some meaningful update of their content. All pages are new except if otherwise noted.