Geoff Chappell - Software Analyst
Let’s see if nights and weekends through October don’t get too uninteresting if I give them over to wrapping up some of the updating that I started in September.
Essential to any understanding of kernel-mode Windows for any purpose is to know what functions and variables are exported by the kernel itself, and to a lesser extent by the HAL too. This is the functionality that all kernel-mode software except the trivial must interact with. Listing the functions and variables that are exported by any one version is as straightforward as running a simple DUMPBIN command. Listing the changes from one version to another can be automated and there are surely many websites that present such lists. I like to think there’s some value in curation, especially to compare with what Microsoft has said about the functionality, both at the time and later, whether in documentation or in C-language declarations. It’s not research, of course, but it is the basics of everyone’s research. The wonder to me is that this—and much else that’s the common background to all study of Windows—isn’t done as some properly supported enterprise for common benefit. Perhaps by a university? Why isn’t this work done by research students or even by interns or bored teenagers?
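As an added illustration of the automation mentioned above (not code from the original post), here is a small Python script that parses the text of two DUMPBIN /EXPORTS listings and reports which names were added, removed, or changed from a real export to a forwarder between versions. The two listings embedded below are constructed samples, not real kernel dumps, and the KeExample* names are hypothetical.

```python
import re

# One entry line of DUMPBIN /EXPORTS output:  ordinal hint [RVA] name [(forwarded to X)]
# Forwarded exports are printed with a blank RVA column, so that group is optional.
_EXPORT_LINE = re.compile(
    r"^\s*(?P<ordinal>\d+)\s+(?P<hint>[0-9A-Fa-f]+)\s+"
    r"(?:(?P<rva>[0-9A-Fa-f]{8})\s+)?(?P<name>\S+)"
    r"(?:\s+\(forwarded to (?P<target>[^)]+)\))?\s*$"
)

def parse_exports(dump_text):
    """Map export name -> (ordinal, forward target or None) from DUMPBIN /EXPORTS text."""
    exports = {}
    for line in dump_text.splitlines():
        m = _EXPORT_LINE.match(line)
        if m:
            exports[m["name"]] = (int(m["ordinal"]), m["target"])
    return exports

def diff_exports(old_text, new_text):
    """Names added, removed, or whose forwarding changed between two listings."""
    old, new = parse_exports(old_text), parse_exports(new_text)
    common = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "forwarding_changed": sorted(n for n in common if old[n][1] != new[n][1]),
    }

# Constructed sample listings (not real kernel dumps); KeExample* names are hypothetical.
OLD_DUMP = """\
Dump of file ntoskrnl.exe
    ordinal hint RVA      name
          1    0 0012A3C0 ExAllocatePool
          2    1 0012A4F0 ExFreePool
          3    2 00130000 KeBugCheckEx
          4    3 00130120 KeExampleForwarded
          5    4 00130200 KeExampleRemoved
"""
NEW_DUMP = """\
Dump of file ntoskrnl.exe
    ordinal hint RVA      name
          1    0 0012B3C0 ExAllocatePool
          2    1 0012B4F0 ExAllocatePool2
          3    2 0012B5A0 ExFreePool
          4    3          KeExampleForwarded (forwarded to hal.KeExampleForwarded)
          5    4 00131000 KeBugCheckEx
"""

if __name__ == "__main__":
    for kind, names in diff_exports(OLD_DUMP, NEW_DUMP).items():
        print(f"{kind}: {', '.join(names) or '(none)'}")
```

Run against real listings by replacing the two strings with the output of DUMPBIN /EXPORTS on each kernel version.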
Also new to this website this month is my own publication of an article I wrote two years ago expressly for PoC||GTFO, an entertaining epistle by the Rt. Revd. Pastor Manul Laphroaig and his merry band of clergy who devote themselves to reverse engineering as worship of weird machines. It’s both a breath of fresh air and more serious than it sounds. Through no small amount of work by its keepers of the faith, its standards are higher than many an academic journal.
While I’m at it, let’s add the other article that was first published in PoC||GTFO. I should make time to write another—perhaps on using reverse engineering to mitigate one or more of the numerous irritations of Windows 10!