Geoff Chappell - Software Analyst
I’m aiming very deliberately this month to do nothing substantial. Getting those articles on driver signing into something like publishable form for July was more than enough work for a while, especially considering what exhaustion awaits me when I inevitably return to writing up the vast amount of research that those articles only begin to hint at. I have to leave my thinking on that to settle. On the one hand, I decry that the not insubstantial industries both of driver writers and security researchers had produced so little reliable information on the subject of driver signing even three years after Microsoft started its tightening of what we can run on our own computers. On the other, I have to sympathise. More than almost anyone, I know how much work is involved.
Among the more popular pages at this website is the list of boot options such as can be set as Boot Configuration Data via Microsoft’s BCDEDIT tool. It’s just a list of which options have any known recognition—as opposed to having Microsoft’s formal support—in which versions. Still, even though the aim is modest and the Internet is very good at stimulating so-called reverse engineers to do so-called deep dives that are in fact nothing but automated listings, there aren’t very many lists of BCD options anywhere of any sort, and mine has been around since 2007. Lists are valuable, though, because you can’t even ask what a boot option does without first knowing that it’s something to ask about. To find just which options BCDEDIT recognises—which is not the same as finding all that are defined—is mechanical work but is evidently not so easily automated that Google knows (today, 12th August) of even one page that contains “hypervisordebugpages” or “windowssyspart” or “osarcdevice” or…
Now that those notes are up-to-date for the 1803 release, I might easily not revisit them for another few years!
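As an added illustration of the sort of mechanical scan meant above, and not something from this page or from Microsoft's tooling, the Python below pulls UTF-16LE strings out of a byte image, sifts them for anything shaped like a BCDEDIT option name, and then reports whichever names an existing list (such as the one at this website) lacks. It rests on an assumption of the example, not a claim the page makes: that BCDEDIT keeps its option names in the image as NUL-terminated wide strings. The bytes it scans are constructed inline from the three names quoted above so that it runs without a copy of bcdedit.exe.

```python
import re
from typing import Iterable, List, Set

# Constructed stand-in for a slice of a PE image. Real use would read
# bcdedit.exe from disk; these bytes are made up for the example and merely
# assume that option names sit in the image as NUL-terminated UTF-16LE.
SAMPLE_IMAGE = (
    b"MZ\x90\x00\x03\x00"                                   # header-like noise
    + "Copyright".encode("utf-16-le") + b"\x00\x00"         # wide, but not an option name
    + b"plain ascii text\x00\x01\x02\x03"                   # narrow string, must be skipped
    + "hypervisordebugpages".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03"
    + "windowssyspart".encode("utf-16-le") + b"\x00\x00"
    + "kernel32.dll".encode("utf-16-le") + b"\x00\x00"      # wide, but has a dot
    + "osarcdevice".encode("utf-16-le") + b"\x00\x00"
)

# One printable ASCII character as a UTF-16LE code unit is the character byte
# followed by 0x00. Four or more such pairs in a row count as a wide string.
_WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Conservative shape of an option name as the page lists them: lowercase
# letters and digits, starting with a letter. This is an assumption of the
# example, not a rule Microsoft states.
_OPTION_SHAPE = re.compile(r"[a-z][a-z0-9]{3,}")


def utf16le_strings(data: bytes) -> List[str]:
    """Return every run of four or more printable UTF-16LE characters, in file order."""
    return [m.group().decode("utf-16-le") for m in _WIDE_RUN.finditer(data)]


def candidate_option_names(strings: Iterable[str]) -> List[str]:
    """Keep only strings shaped like option names; dedupe and sort for a stable list."""
    return sorted({s for s in strings if _OPTION_SHAPE.fullmatch(s)})


def unlisted(candidates: Iterable[str], known: Set[str]) -> List[str]:
    """Names found in the image that an existing list does not yet have."""
    return [name for name in candidates if name not in known]


if __name__ == "__main__":
    found = candidate_option_names(utf16le_strings(SAMPLE_IMAGE))
    already_listed = {"hypervisordebugpages", "windowssyspart"}   # constructed 'known' list
    for name in unlisted(found, already_listed):
        print("not yet listed:", name)
```

Two caveats belong with this. First, a string scan can only show names that happen to be embedded in the binary as strings, which is the page's own distinction between what BCDEDIT recognises and all that are defined. Second, the shape filter is a coarse sieve: anything lowercase and alphanumeric survives it, so the output is a list of candidates to confirm by hand, not a finished list of options.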
While thinking of other things, I ran into a problem of ordinary use. It goes away just by updating the driver, but it only appeared because an earlier update was forced onto me. Continuous updates may be all well and good for software manufacturers and they may even benefit computer users too, but not without the unwelcome side-effect that what counts as a computer’s normal behaviour is always changing. Some of the good for manufacturers is that consumers are all at sea, with no stability of experience and no sense of what’s good or bad about how they’re treated. On that point I can’t hope to fight the tide, but I can at least bark—perhaps even usefully, since now if any other users of this very common wireless adapter have the same problem they can at least know what was done to them.
A few pages in some larger work that I’m actually quite proud of (and more than a little mystified to see has received very little attention) turn out to have an unusual error. For two years, I had KSE_COLLECTION as Microsoft’s name for a structure that Microsoft in fact names KSE_HOOK_COLLECTION. The applicable pages have always stated where I got the name from. I just transcribed the name incorrectly. That happens sometimes. The brain wants to miss things. Today, for instance—in notes for paid work—I wrote Msvm_VirtualSystemManagementSettingData instead of Msvm_VirtualSystemManagementServiceSettingData. KSE_HOOK_COLLECTION is nothing like as long, so I don’t know how I got it wrong. That I did get it wrong is far from good, of course, but it could have been so much worse. I’d have been very, very embarrassed if it had not been my writing that’s defective but my research: what if I had got the name right but some numbers wrong?
From that question and a look on the Internet for other research on this topic, you can perhaps tell that there’s a story to how I came to look again at these pages and notice that I had mis-transcribed the name. Let’s just say I’m mulling how much of that story I want to tell, and how I might tell it.
If you’re a regular reader, you may have noticed that I’ve become something of a stickler for telling you my source when I present Microsoft’s names for programming elements. Mostly, I do this because I naively imagine it helps reverse engineering to mature as a discipline. I have a long history of wanting to encourage interest in Software Analysis by Reverse Engineering. Especially since I am no teacher but have instead thought that the best I can do is demonstrate what detail is both possible and practicable, it’s important to me that my readers see that this work isn’t magic: you can do it too.
But I also have a selfish reason. See that I do not present structures in a C-language layout. In part, this is because I want to differentiate my methods of study from a reversing of Microsoft’s engineering such as might “recover” source code that can be re-compiled. Another part to it is that one of my main purposes is archaeological, to track how the structures have changed, and C-language representation is not well suited to this. The selfish part is that I don’t want you thinking that the credibility of my writing on the undocumented in Windows—and, more importantly, the under-documented and the mis-documented—has anything to do with help from Microsoft beyond what’s publicly available. I have no such help and resolutely do not want any such help, not even in the semi-public form of background presentations by Microsoft on upcoming features. As I say in the linked article, if software is a creative work and software analysis is some sort of literary criticism, then we “do not need, and ordinarily would not want, that the critic should be helped by the author, let alone that the critic’s understanding of the work should depend on contact with the author.”
Thus does it come about that I do not invent C-language descriptions of undocumented structures, nor even re-compose them from type information in public symbol files. If I did, I would make a point of spelling out that it’s made up or that it’s reproduced from some obscure source. Otherwise, you can’t know that it didn’t fall off the back of a truck. Worse, if it has errors in it—and note especially that comments have been known to remain in Microsoft’s headers even though they’ve been wrong for decades—then you can’t know that having stuff fall off the back of a truck isn’t something I’m so glad of that I accept the stuff without reliably checking it for correctness.