Geoff Chappell - Software Analyst
Some paid work last month had me making what might have been routine use of Image File Execution Options for getting a particular process to run automatically under a debugger. Slightly less routine is that this was wanted before any user was yet logged on, so that the user-mode debugger had to be operated through the kernel-mode debugger from a second computer. What changed the work from routine to initially impossible was interference from software that injects its DLLs into arbitrary other software. Too much of this is done without a full understanding of what Windows functionality they disturb. As far as I’ve ever been able to tell, it’s hardly ever done with much sense of responsibiilty for the costs they impose on by-standers. I’d happily see these guys drummed out of business, along with most makers of anti-virus software, meaningful difference between their products and malware being sometimes hard to discern.
Anyway, the spill-over to my unpaid work is that it got me looking again at the exported functions for querying Image File Execution Options. Somehow, I wrote about one of them one day more than a decade ago without ever returning to it or its companions. There have, of course, been developments. And I have in the meantime got more interested in the early history. Image File Execution Options actually are ancient.
One of the quirks of the API for Image File Execution Options is that an option can be in the registry as a string but can be queried as a dword. Indeed, it wasn’t until Windows 2000 that an option could be in the registry as anything other than a string. It’s well past time, then, to document the low-level helper that parses a dword from a string. You’d think such a function is straightforward. It always has been documented. But look at the documentation and ask why it goes to the trouble of presenting examples. Then ask whether Microsoft would have added these without experience of this simple function causing real-world problems. Then look into how Microsoft’s documentation of this seemingly simple utility function has changed through the decades and wonder how anyone at Microsoft ever has the nerve to tell programmers to keep to the documentation.
Perhaps inevitably, documenting one supposedly simple function that Microsoft already documents led soon enough to others. The UNICODE_STRING is so basic a structure in kernel-mode programming that you’d think there can’t be anything useful to write about it. But the structure has always been widely appreciated as having a problem with strings that are too long for faithful representation. Microsoft’s documentation of this itself and of various attempts at correcting it is far from commendable. Problems surely lurk in real-world code, even in 2019, for even if Microsoft’s programmers are scrupulously careful we can be sure that third-party programmers aren’t, not least because their quick reading of Microsoft’s documentation won’t have alerted them.
Certainly not new, but new to this website! As best as I can now determine, this small collection of pages about what was in 1999 still the relatively recent introduction of cryptography to Windows was published at my old website from 1999 until I finally discontinued the site in 2011. Somehow, these pages never got transferred to this website when I created it in 2007. Most plausibly, I thought they could be the beginnings of some bigger work so that I didn’t simply archive them, but then neither did I ever proceed with the bigger work.
While taking this trip down memory lane, I also noticed a page that certainly never was more than a throw-away. The wonder is how I ever came upon its subject. It dates from a time when newsgroups were the closest the Internet yet had to social media and I still participated before I realised that giving away information and solutions in public for free mostly just got me a deluge of emails that expected information and solutions in private but still for free. (I say expected because I remember that very few even bothered with a please or thankyou.) I will have been at least trying to use Microsoft’s Internet News program. Some irritation that is long forgotten now must have prompted me to cast my eye over a hex dump. Are Easter eggs still a thing?