New in August 2017

Everyone who does security research into Windows—truly meaning Windows, not just programs that happen to run on Windows—knows WIN32K.SYS as the gift that keeps on giving. But how much of that industry’s investigations into WIN32K is hunter-gathering? Is the research effort—indeed, the industry overall—held back because each researcher surveys just enough background for immediate needs? Might everyone do better if the raw materials of everyone’s security research were farmed or mined?

Many of the WIN32K structures are sort-of known to everyone because type information once slipped into the public view via the WIN32K symbol files. That was just for Windows 7, however. Public symbol files since then have disclosed much less. Discovering the layouts for other versions is far from trivial, yet is surely an effort that could benefit many. I’ve been wondering about this for a while and this month I sketch how the work might go.

Even if your interest is just in the techniques of reverse engineering—or more in those than in WIN32K specifically—you may like that the structures I’ve started with show yet another way that WIN32K keeps giving. The symbol files that Microsoft released for Windows 7 are demonstrably incorrect. It’s not that they are the wrong symbol files for the executable. It is that they somehow got built with incorrect type information. Some structures’ sizes are incorrect. Offsets of some members are incorrect. Some members that plainly are used by routines in the matching executable (and even by those routines in older versions) do not appear at all in the type information for the structure.

How that mismatch happened, I don’t know. That it evidently can happen should be a lesson to all reverse engineers. Mechanical extraction of type information from symbol files for easy reproduction as a reverse-engineering resource is all very well, but when it comes to the nitty-gritty of relying on such resources there is surely no substitute the personal curation of an expert analyst. Make no mistake here: even though this is work in progress, I mean it as setting the standard.

Kernel