Geoff Chappell - Software Analyst
The one page that is linked to below will not be all that I have to show for October!
And indeed it turns out not to be—not by a long way. But if I don’t reverse the usual order (low-level to higher), then the one page that truly was all I had to show for much of the month will get lost on its own after the others. That would be unfortunate, since I have come to see it as having been useful work. If nothing else, the program and its source code may be the first sign for some of my readers that I don’t just reverse-engineer but can forward-engineer too.
It has long annoyed me not to have collected—even for my own use, let alone to have published—a definitive list, if not full documentation, of the nearly 200 cases for the three “native API functions” that work with so-called system information. File information, volume information, and some others have long been pretty well covered in the Windows Driver Kit (WDK). Even for process and thread information, the WDK has most of what I myself have ever found useful in real-world practice. But system information is a whole other story. Its neglect in Microsoft’s documentation is unsurprising, for much of the user-mode management of the Windows system goes through these functions. Yet that also makes the interface useful not just for practical programming in the lower levels but also a vital concern for security, given its interest to the writers of malware and thence to those who would protect us (even if they are sometimes arguably no better than the malware writers).
So, let’s see what I can do about this neglect in what remains of the six months that I bought myself six months ago for intellectual fulfilment before I’m compelled to address the practical need of financial security. Realistically, this first pass can do little more than match the hundreds of cases to the mostly undocumented structures that are the input or output for the three undocumented functions—and even then it is specific just to Windows 10.
It unsettles me, though, and I think it should unsettle you too, that even with such greatly constrained ambition and with many of the information classes still marked TO BE DONE, what I present here goes far beyond anything I see on the Internet. How can that be, I wonder. It can’t be that no reverse engineers have the skill. Is this sort of relatively straightforward research into Windows not supported by the business models that fund reverse engineering for computer security? Is it just that nobody’s sharing? Someone’s missing something somewhere: must be me.
The rest is coming, and it’s all to some extent in progress, which anyway will be slow since I do have to bring this research and writing to a close.
Also annoying me over the last few months as I at least tried to document some native API functions such as NtCreatePagingFile and NtManagePartition was that I was documenting them in the Kernel section even if they’re exported only in user mode. The Kernel section is the right place for them, but thinking it through brought me to create for the Win32 section a separate page from old material: