Geoff Chappell - Software Analyst
It’s harder than it looks. Not all undocumented Windows structures are equally undocumented. Most prominent ones are known from the public symbol files, though sometimes in surprising places, but for a handful of prominent ones type information has made it into the public symbol files only for a smattering of versions. The structure in which WIN32K.SYS keeps what it knows of a process surely counts as prominent. Only in one version, 6.1, do the public symbol files have type information for this structure. Worse, the type information is incorrect even though the symbol files do match the executables. So it’s big news, relatively speaking, that the public symbol files in the 1803 release have type information for the sub-structure at this one’s start.
It turns out that a few structures that have never or only rarely had type information in public symbol files have it for the 1803 release. I attended to some of that back in July, just as fallout from my articles on driver signing, but clearly it’s (past) time for a round of updating the bookkeeping. Where are the research students to do this?
Having Microsoft’s names and types is always welcome. Understanding anyone else’s code is very much harder when you have to make up names for everything. Of course, having the manufacturer’s name doesn’t mean you should trust that what’s named truly does what the name suggests (any more than having source code would give you the luxury of believing what’s said in comments). But a little extra watchfulness against being misled is nothing against the extra work of inventing good names and tracking all your changes of them as your understanding develops.
The ideal, of course, is to have not just a bare catalogue of offsets, types and names, but some level of informed annotation. Why is some sort of curation not organised by someone who has the resources to do it well?
The good and bad in this is that I find small mistakes. Good because mistakes don’t quite mortify me, but do very nearly, and it’s vital that they get corrected. Bad because I wonder how it is that my errors aren’t pointed out much sooner (and more frequently, for surely there are many more than I yet know). Does anyone actually read any of this material?