Geoff Chappell - Software Analyst
It was perhaps inevitable, but research and writing for free publication at this website stops again. Were I an independently wealthy gentleman of leisure, I surely would continue just for the intellectual pleasure and for the spirit of providing a resource for public benefit. But I’m not. To do such work—and please make no mistake that it is very intensive work—I must fund it from being consulted for Windows programming that others find too hard but which I can make possible and do well. I’ve known all along, if only at the back of my mind, that I can’t get the best results at either the research and writing or at a consulting business while I try to do both, but now I have to face it and that would seem to be the end of it.
When I last thought this way, back in October 2010, luck had it that my attention was directed to the Stuxnet worm, which had recently been notorious for getting loaded just from browsing files, e.g., on removable media. That this depended on shortcut (.LNK) files to Control Panel items fed into two of my hobby horses.
First is my long-running interest in the Windows shell as a reservoir of undocumented functionality. Microsoft leveraged it for years to establish Internet Explorer. Its wider value, however, is for programmers in general who might find all sorts of productive interactions with it if only some way could be found of getting a good proportion documented reliably. Barely a year before, in August 2009, what had I picked as something we all ought to know more about?
“Yet even after nearly 15 years of the Desktop, My Computer, Control Panel, etc, as everyday features of the Windows shell, it looks like much is left that might usefully be documented. For instance, it seems that nobody has yet documented all the ways that Control Panel items are discovered or the means by which details about them are cached so that they can be enumerated without having to load their CPL modules.”
Second is my dissatisfaction with the quality of commercial analyses of software vulnerabilities and of malware. Any investigation into anything soon becomes a trade-off between going further faster and studying each detail in detail. Commercial investigations in computer security too often skip past the details at the price of missing what exactly it is that the software has done and depends on. This is especially noticeable for malware that does something innovative—or just not well appreciated—with the operating system or processor.
Here for this Control Panel exploitation was malware that worked with exactly some functionality that I had picked as under-documented. And here were published analyses that at least glossed over the malware’s dependence on the Control Panel and instead went along with Microsoft’s mis-description of the vulnerability as incorrect parsing of shortcut files. I couldn’t resist then, and now that I bring my latest round of research and writing to a close I couldn’t resist a trip down memory lane. I’ve tidied the original page in an attempt to improve its readability. A new article, Control Panel Vulnerabilities, is published separately as PoC||GTFO 14:8.