Reversing : The Hacker's Guide to Reverse Engineering

Input and Output


I/O can be relevant to reversing because tracing a program’s communications with the outside world is much easier than doing code-level reversing, and can at times be almost as informative. In fact, some reversing sessions never reach the code-level reversing phase—by simply monitoring a program’s I/O we can often answer every question we have regarding our target program.
The following sections provide a brief introduction to the various I/O channels implemented in Windows. These channels can be roughly divided into two layers: the low-level layer is the I/O system, which is responsible for communicating with the hardware, and so on. The higher-level layer is the Win32 subsystem, which is responsible for implementing the GUI and for processing user input.


The I/O System


The I/O system is a combination of kernel components that manage the device drivers running in the system and the communication between applications and device drivers. Device drivers register with the I/O system, which enables applications to communicate with them and make generic or device-specific requests from the device. Generic requests include basic tasks such as having a file system read from or write to a file. The I/O system is responsible for relaying such requests from the application to the device driver responsible for performing the operation.
The I/O system is layered, which means that for each device there can be multiple device drivers that are stacked on top of each other. This enables the creation of a generic file system driver that doesn’t care about the specific storage device that is used. In the same way it is possible to create generic storage drivers that don’t care about the specific file system driver that will be used to manage the data on the device. The I/O system will take care of connecting the two components together, and because they use well-defined I/O system interfaces, they will be able to coexist without special modifications.
This layered architecture also makes it relatively easy to add filter drivers, which are additional layers that monitor or modify the communications between drivers and the applications or between two drivers. Thus it is possible to create generic data processing drivers that perform some kind of processing on every file before it is sent to the file system (think of a transparent file-compression or file-encryption driver).
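The layered stack and filter-driver idea above, as an added Python model that is not from the book and is not Windows driver code: a storage layer at the bottom, a transparent compression filter above it, and a logging filter inserted both above and below the compression layer, showing that where a monitoring filter sits in the hierarchy decides whether it records what the application wrote or what actually reaches the device. The request type, the layer classes and the file path are constructed for the example.

```python
import zlib
from dataclasses import dataclass

@dataclass
class IoRequest:           # constructed stand-in for a request packet, not the real Windows IRP
    op: str                # "read" or "write"
    path: str
    data: bytes = b""

class Layer:               # one driver in the stack, holding a reference to the layer below it
    def __init__(self, lower=None):
        self.lower = lower

class StorageDriver(Layer):
    """Bottom layer: stores raw blobs and knows nothing about the layers above it."""
    def __init__(self):
        super().__init__()
        self.blocks = {}
    def dispatch(self, req):
        if req.op == "write":
            self.blocks[req.path] = req.data
            return len(req.data)
        return self.blocks.get(req.path, b"")

class MonitorFilter(Layer):
    """Logs each request and passes it on untouched, like an I/O monitoring tool's filter."""
    def __init__(self, lower, log):
        super().__init__(lower)
        self.log = log
    def dispatch(self, req):
        result = self.lower.dispatch(req)
        size = len(req.data) if req.op == "write" else len(result)
        self.log.append((req.op, req.path, size))
        return result

class CompressionFilter(Layer):
    """Transparent compression: compress on the way down, decompress on the way back up."""
    def dispatch(self, req):
        if req.op == "write":
            self.lower.dispatch(IoRequest("write", req.path, zlib.compress(req.data)))
            return len(req.data)
        return zlib.decompress(self.lower.dispatch(req))

def run_stack(payload, path=r"C:\app\config.dat"):
    """Round-trip payload through monitor -> compression -> monitor -> storage."""
    above, below = [], []
    stack = MonitorFilter(CompressionFilter(MonitorFilter(StorageDriver(), below)), above)
    stack.dispatch(IoRequest("write", path, payload))
    return stack.dispatch(IoRequest("read", path)), above, below
```

Neither the storage layer nor the monitors needed any change when the compression filter was inserted between them, which is the property the layered design gives you; the upper log reports the plaintext sizes and the lower log the compressed sizes.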
The I/O system is interesting to us as reversers because we often monitor it to extract information regarding our target program. This is usually done by tools that insert special filtering code into the device hierarchy and start monitoring the flow of data. The device being monitored can represent any kind of


Windows Fundamentals 103