Geoff Chappell - Software Analyst
It was perhaps inevitable, but research and writing for free publication at this website stops again. Were I an independently wealthy gentleman of leisure, I surely would continue just for the intellectual pleasure and for the spirit of providing a resource for public benefit. But I’m not. I have to fund such work—and please make no mistake that it is very intensive work—from being consulted for Windows programming that others find too hard but which I can make possible and do well. I’ve known all along, if only at the back of my mind, that I can’t get the best results at either the research and writing or at a consulting business while I try to do both, but now I have to face it and that would seem to be the end of it.
When I last thought this way, back in October 2010, luck had it that my attention was directed to the Stuxnet worm, which had recently been notorious for getting loaded just from browsing files, e.g., on removable media. That this depended on shortcut (.LNK) files to Control Panel items fed into two of my hobby horses.
First is my long-running interest in the Windows shell as a reservoir of undocumented functionality that Microsoft leveraged for years to establish Internet Explorer and which programmers in general might put to productive new use if only some way could be found of getting a good proportion documented reliably. Barely a year before, in August 2009, what had I picked as something we all ought to know more about?
Yet even after nearly 15 years of the Desktop, My Computer, Control Panel, etc., as everyday features of the Windows shell, it looks like much is left that might usefully be documented. For instance, it seems that nobody has yet documented all the ways that Control Panel items are discovered or the means by which details about them are cached so that they can be enumerated without having to load their CPL modules.
Second is my dissatisfaction with the quality of commercial analyses of software vulnerabilities and of malware. Any investigation into anything soon becomes a trade-off between going further faster and studying each detail, but commercial investigations in computer security too often skip past the details at the price of missing what exactly it is that the software has done and depends on. This is especially noticeable for malware that does something innovative—or just not well appreciated—with the operating system or processor.
Here was malware that worked with exactly some functionality that I had picked as under-documented. And here were published analyses that at least glossed over the malware’s dependence on the Control Panel and instead went along with Microsoft’s mis-description of the vulnerability as incorrect parsing of shortcut files. I couldn’t resist then, and now that I bring my latest round of research and writing to a close I couldn’t resist a trip down memory lane and an attempt to improve the old article’s readability.