New in June 2019

A very long distraction, from which I have nothing yet to show, led to another distraction but into an area of Windows that is entirely new for this website. The CSRSS.EXE process is vital to the Win32 subsystem and thus to Windows as we know it for all practical purposes. Yet I have tended to neglect it as too high-level for my kernel-mode interests and too low-level for my user-mode work.

Win32

Kernel-Mode Windows

Against the diversion into CSRSS, what I add for Kernel-Mode Windows this month is a mere amusement. Or would be, except that its point is serious. If the reverse engineering of Windows for a public record of how it works (and sometimes fails to) is ever to grow into any sort of academic discipline, then writers had better start giving their sources. Too much of what this or that website presents as a revelation has the look of having fallen from the back of a truck. It may be too cynical to imagine that someone could be given a slot at an important conference to talk about sources of information to help the reverse engineer, yet it does seem realistic to perceive that such a talk would be well received, and not just as instruction for those who are new to the field. That mystery about sources has ever grown into something to demystify is nothing to celebrate: really, it’s a sign that reverse engineering is stunted.