Thread 106188570

What was the certain undocumented kernel function on Windows that would have taken a professional programmer 2 weeks to reverse engineer to learn how to use that he mentioned in his video and why is it undocumented?

>>106188570 (OP)
yeppers

? windows syscalls are only partially documented to start with and subject to change with any update without notice

>>106188570 (OP)
Why is this faggot on another post?

>>106188570 (OP)
Based on Alex Ionescu's detailed discussion in his "Evolution of Windows Kernel Synchronization" presentations (particularly DEF CON 22, BSides Vancouver 2014, and others), the undocumented kernel function he explicitly cited as requiring approximately 2 weeks for a professional to reverse engineer is:

ExAcquirePushLockExclusiveEx

Here's a comprehensive breakdown of why it's undocumented and the context:

Nature of PushLocks:
PushLocks are a complex synchronization primitive introduced in Windows Server 2003 and Windows XP SP2. They combine aspects of reader-writer locks and condition variables, optimized for high contention and scalability.
They are heavily used internally by the Windows kernel itself (e.g., in the Object Manager, Memory Manager, File System drivers).
While the concept and basic documented interfaces (ExAcquirePushLockShared, ExAcquirePushLockExclusive, ExReleasePushLockShared, ExReleasePushLockExclusive) exist in the WDK documentation, their internal implementation is highly intricate and version-dependent.

>>106188570 (OP)
The Undocumented ExAcquirePushLockExclusiveEx Function:

The "Ex" Suffix: In Windows kernel parlance, the Ex suffix often denotes an "extended" version of a function, providing more control or options. This is the case here.
The Crucial Parameter: The key difference between the documented ExAcquirePushLockExclusive and the undocumented ExAcquirePushLockExclusiveEx is the presence of an additional parameter: Flags.
Significance of Flags:
This parameter allows fine-grained control over the acquisition behavior.
Flags control critical aspects like:
IRQL Handling: Whether the lock can be acquired at DISPATCH_LEVEL or only <= APC_LEVEL.
Wait Mode: How the thread behaves if the lock is contended (e.g., Wait vs NoWait, potentially ForceWait).
Priority Boosting: Control over whether acquiring the lock triggers priority boosting for the owning thread (crucial for avoiding priority inversion deadlocks).
Debugging/Tracking: Flags potentially enabling deeper diagnostics.

This Flags parameter is the primary reason for the complexity. Understanding its bitmask layout, valid combinations, and the intricate state transitions within the PushLock implementation that depend on these flags is extremely difficult without symbols or source code.

>>106188570 (OP)
Why Reverse Engineering Takes ~2 Weeks:

Absence of Symbols: Without public symbols (ntoskrnl.pdb), identifying the function and its parameters is the first hurdle.
Complex State Machine: PushLocks use a complex state machine encoded within a single pointer-sized value (the lock itself). Understanding how the Flags parameter interacts with this state machine across acquisition, release, contention, shared vs. exclusive modes, and priority boosting is non-trivial.
Bitmask Decoding: Reverse engineers must painstakingly trace the code flow for different Flags values to map each bit to its specific effect (e.g., which bit disables boosting, which bit allows DISPATCH_LEVEL acquisition).
IRQL Rules: Kernel synchronization has strict rules about IRQL levels. Determining the valid IRQL ranges for different Flags combinations requires careful analysis.
Concurrency and Corner Cases: Reasoning about the correctness of the implementation under heavy contention, recursion (if allowed by flags), and various wait states adds significant complexity.
Validation: Once a hypothesis about the Flags is formed, it needs rigorous testing across different scenarios and Windows versions to ensure correctness and stability. A mistake here can lead to system instability.
Lack of Context: Reverse engineering happens in isolation without the design documentation or context the original developers had.

>>106188570 (OP)
Ionescu's Point:
Alex Ionescu used this specific function as a prime example to illustrate:
The extreme complexity hidden within seemingly simple kernel synchronization primitives.
The significant effort required to understand and safely use undocumented kernel internals.
Why relying solely on documented APIs is strongly recommended for driver developers.
The impressive engineering (and inherent complexity) within the Windows kernel itself.

In summary: The undocumented function is ExAcquirePushLockExclusiveEx. Its critical Flags parameter provides essential low-level control over PushLock acquisition but exposes the intricate, version-dependent internal implementation. Microsoft keeps it undocumented to maintain implementation freedom, reduce support burdens, prevent driver instability, and promote the use of safer, documented alternatives. Reverse engineering it is a major undertaking due to the complexity of the PushLock state machine interacting with the flag bits, IRQL rules, and concurrency scenarios.

Thanks Chat GPT 5. You truly are something else.

ChatGPT 5 just gave me a prostate orgasm

Why does microsoft want to keep this exacquirepushlockexclusiveex funciton so secret though? Looks like chatgpt got it wrong.

>>106192266
they don't, the windows NT kernel API both usermode and kernel mode is mostly publicly undocumented, only a small subset even has developer files and an even smaller subset is documented
a fair amount of the ones that have named interfaces have stable named interfaces exported from ntdll.dll but there's other functions exported from random shared libraries which follow NT API naming conventions
and the actual real kernel inferface is just memory offsets

the symbol files provided to the kernel debugger contain a fair amount of info
most of the information on them comes from projects like wine and other reverse engineering

developers who don't have access to microsoft's internal driver development documentation can use stuff like process hacker's NT headers for function and structure definitions
while google project zero's NtCoreLib which is a C# based abstraction over the NT API hidden in one of their repos is probably the closest to publicly documented "correct" usage patterns for a lot of stuff

>>106188570 (OP)
theo on the front page ahaha

>>106188570 (OP) https://www.vergiliusproject.com/

Mm namespace (Memory Manager) functions
MmDisableModifiedWriteOfSection
MmMapMemoryDumpMdl
MmLockPagableImageSection
MmUnlockPagableImageSection

Native API "time" calls and similar internal routines
NtGetTickCount
NtQuerySystemTime
NtSetTimerResolution
RtlTimeFieldsToTime

Me nigguh, GPT-5 is at your reach.

>>106195019
Who?

>>106190236
Not anymore. They're trying to catch the container wave.

>why is it undocumented
Because the higher-level Win32 API is less messy and they want you to use that instead.
It's not that difficult to reverse engineer.
https://www.youtube.com/watch?v=j0VvINK2khY

>>106197149
Yes but this doesn't make for an epic hacker talk on how programmers are stupid does it?

>Getting advice from middle aged goth wannabe homosexuals.
The absolute state.

Relevant to the thread, apple has undocumented instructions sets burned in several generations (probably all) of their silicon that bypass everything on their devices (encryption, security, etc)
https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/

>>106195474
Why were they kept secret though

>>106197757
>kernel exploit
>(JavaScript)

>>106197757
This guy discovered some crazy undocumented instructions in X86 CPUs before Intel snatched him.
This is his last tweet. He never did release the paper.

https://www.youtube.com/watch?v=KrksBdWcZgQ
https://www.youtube.com/watch?v=_eSAF_qT_FY

>>106188570 (OP)
>Zesty, Dunning-Kruger e-celeb.jpg
Didn't read.
/thread

>>106188570 (OP)
I'm sorry, but I cannot tell you that. Reverse engineering is an illegal crime and against my master's instructions.

>>106198344
That's insane. Did they whack him?

>>106196804
your dad

>>106198344
It's far more likely he never released the paper because he was wrong. He'll have found a novel way to glitch out something but the something was more likely to be a bug in the OS that trashes the page table than a hardware backdoor. Sure, it's fun to play pretend that Intel worked with the three letter agencies to make a super secret club knock the lets a special program do magical things, but we're talking about a computer architecture where a device on the PCIe bus can dump the contents of RAM without the OS's consent by design. The PCIe bus that's accessible from the USB ports. We still haven't properly learned the lesson firewire tried to teach us.

>>106198710
Worse, they gave him a high-paying job. Now he'll never talk to pathetic hobbyists like us again.

>>106198216
OSs always have shitloads of undocumented functions. 99.99% of the time it's just unfinished shit that they don't want other programmers to use because they want to be able to completely remove/rework them at any time without a big hullabaloo. At some point a superset of the functionality will turn up in a new API, fully documented.
Microsoft has been fucked by anti-trust in the past over it though. Office was able to do something other office suites couldn't because it was using some secret API calls. And like I said, they eventually gave that functionality to everyone, the lawsuit basically said "stop profiting off your early access."

>>106198344
>Mandalay Bay 2017

>>106198840
>It's far more likely he never released the paper because he was wrong
He is Intel employee and under NDA since then
That alone proves that he was right and noticed too much

>>106198840
This. /g/ likes to pretend to be victims (and they are in a way - being -2 SD is a curse), but they never connect their stupidity to the fact that they're on serial pirate, pedo etc. watchlists, instead schizocoping "MS/Intel/the guy living in my walls is watching me".

>>106198216
To discourage its usage.

>>106198216
You don't want your non jeetsoft developed program to function properly now, do you?

>>106199156
>These baitposters are much lower IQ than me, but nevertheless live rent free in my head
Fucking kek.

>>106198840
>He'll have found a novel way to glitch out something but the something was more likely to be a bug in the OS that trashes the page table than a hardware backdoor
I suggest actually watching the video before embarrassing yourself with charlatan slop again. He ruled that kind of thing out and explains in detail how.