Geoff Chappell - Software Analyst
As if this site doesn’t already leave lying around in various states of completion more than enough lists of functions exported from this or that module through its many different versions, I have this month started another. I had always dismissed WININET.DLL from close attention on the assumption that it’s general-purpose Internet-access functionality that likely works as documented. My immediate reason for looking now was to see what my methods of analysis might usefully add to what others have discovered of the INDEX.DAT file format, especially to support forensic evidence. To pick the low-hanging fruit for that was diverting enough, and I really would like to do the job thoroughly. Still, the present sketch is enough to show what could be aimed for in computer forensics if its practitioners want what they deduce as evidence to rest on more certain knowledge than can be got from any amount of collecting impressions from observation, however cleverly. If you want to know a file format and you have the software that defines the format, then the knowledge you seek is in that software’s code. Anything you learn from any amount of observing anything cannot be more than second best.
It soon became clear that a study of WININET has other merit, such that I ought to have covered it long ago just as part of an occasional mission to record for history what the integration of Windows and Internet Explorer meant in the software. Though Microsoft documents WININET as providing Network Protocols for Windows, its origin is plainly in Internet Explorer: it still has Internet Explorer version numbering, and it surely is still being developed as an Internet Explorer component. So why not document it openly and honestly as a piece of Internet Explorer that Windows can’t do without, for better or worse, even when users think to replace Internet Explorer with some competing web browser? Though many of its exported functions are documented, more than a handful aren’t, and many of the documented ones support numerous undocumented arguments and flags. The few for which I here venture some alternative documentation turn out to be unusually buggy. Perhaps they’re just not used much.
Anyway, WININET becomes yet another topic that looks like it might usefully be studied properly, if I can ever find a way to fund the work.