Geoff Chappell - Software Analyst
New to November, but tacked on without explanation, was a page I collected from age-old observations about Spin Locks. I have, of course, tried collecting many such things into publishable material many, many times over the 15 years or so that I’ve been writing pretty much exclusively to this website. That the basics are widely neglected is a recurring theme for me in my assessment of the reverse engineering of Windows as practised (and funded) for computer security, but my own thoughts a few months ago to revisit memory management show too that my own work at systematically covering the basics is pretty thin.
But, really, where’s the surprise? It’s hard work, not just for the research but for how to present it. If only in my head, much of the material that is linked to below is very much inter-linked, so much so that I’m not going to try distinguishing what was done in December and what in January. And even more than usually, all new pages and even some old are in highly varying states of disarray, which I likely won’t review for a while.
Two things intrigue me about where my choice of topics ran to. See first that I have wandered into the minefield of processor feature detection. I know this to be a minefield from previous wanderings ten years ago for this website and over a quarter-century ago for DOS Internals. But now I’m determined to do it better! Some of those old pages will get retired.
Second, and I just don’t know how this can keep surprising me, but see that Event Tracing for Windows (ETW) is never far away. I understand I’m writing to a world that is only just discovering at scale what sorts of things can get traced, as if the be all and end all of practical interest is what ETW can do for you to help with programming and even with basic operation. But ETW has been around, and hugely useful all the while, for two decades. I can’t help wondering if the reason that wide interest in it has take so long to develop, it’s because the field has not been open to independent tools for collection and analysis. So much of the mechanism is undocumented. You start looking into how Windows might let someone use a processor feature such as Branch Trace Storage and next thing it turns out that not only would you need some undocumented API but it ties into ETW. Sometimes I think there’s no end to this.