Geoff Chappell - Software Analyst
Everyone who does security research into Windows—truly meaning Windows, not just programs that happen to run on Windows—knows WIN32K.SYS as the gift that keeps on giving. But how much of that industry’s investigations into WIN32K is hunter-gathering? Is the research effort—indeed, the industry overall—held back because each researcher surveys just enough background for immediate needs? Might everyone do better if the raw materials of everyone’s security research were farmed or mined?
Many of the WIN32K structures are sort-of known to everyone because type information once slipped into public view via the WIN32K symbol files. That was just for Windows 7, however. Public symbol files since then have disclosed much less. Discovering the layouts for other versions is far from trivial, yet is surely an effort that could benefit many. I’ve been wondering about this for a while and this month I sketch how the work might go.
The structures that I’ve started with show yet another way that WIN32K keeps giving: the symbol files that Microsoft released for Windows 7 are demonstrably incorrect. It’s not that they are the wrong symbol files for the executable. As far as can be known from time stamps, including for using the symbol files in a debugger or disassembler, these are the matching symbol files. Yet somehow they got built with incorrect type information. Some structures’ sizes are incorrect. Offsets of some members are incorrect. Some members that plainly are used by routines in the matching executable (and even by those same routines in older versions) do not appear at all in the type information for the structure.
How these symbol files got their incorrect type information, I don’t know. That it evidently can happen should be a lesson to all reverse engineers. Mechanical extraction of type information from symbol files for easy reproduction as a reverse-engineering resource is all very well, but when it comes to the nitty-gritty of relying on such resources there is surely no substitute for personal curation by an expert analyst. Make no mistake here: even though this is work in progress, I mean it as setting the standard.
And look! Here’s a stray from work that may get published next month. I briefly had it among the WIN32K structures but I have since decided that if anything WIN32K creates in kernel mode is visible in user mode, even if only for reading, then it might better go in the user-mode section.