Coalescable Timers – yet another possible anti-* API

I was reading about coalescable timers today and it occurred to me that:

a) there is not that much info about them online

b) I have not seen them mentioned in the context of anti-* evasion (sandbox, reversing).

Quick googling didn’t bring many results, so I guess I will make a note here.

What are Coalescable Timers?

They are not that different from the regular timers one sets up with the SetTimer function, except that they let the system manage power better. If a lot of software on a box uses timers, the timers end up being quite noisy: each one expires on its own schedule and forces a processor out of its idle state so that the owning program can handle the event.

Many apps don't really need precise timers; they are usually interested in doing something every once in a while, and a precise interval between those activities is very rarely required. Yet all that regular 'attention seeking' is expensive, especially on portable devices that need to preserve battery. So the idea is that instead of demanding an exact expiry, the caller sets a timer together with a tolerance: the timer is due at time T, but the system is allowed to fire it anywhere between T and T plus the tolerance. With that slack, the kernel can line up a number of timers that fall within the same window and expire them all in a single wake-up, notifying every program 'looking for attention' at once instead of waking the processor for each of them. I am simplifying, but that's more or less the idea.

The concept is good, and there is an API for it. It is called SetCoalescableTimer and is available from Windows 8 and Windows Server 2012 onwards. A quick look at its implementation shows that it's just a thin wrapper around the NtUserSetTimer system call into win32k (the stub lives in user32.dll, the same place SetTimer goes; it is not an ntdll.dll export). Notably, there is also a kernel function, KeSetCoalescableTimer, available to drivers since Windows 7.

And here’s the funny bit.

The SetCoalescableTimer is a true Schrödinger API: it is both documented (it has its own MSDN page) and not (most of the information I could find leads me to believe that the proper way to use coalescable timers is a completely different API: SetWaitableTimerEx, which takes a tolerance in its last parameter and has been available since Windows 7 and Windows Server 2008 R2). Most likely someone let SetCoalescableTimer out of the bag and now it's there for anyone to abuse. At the moment even Windows 10's Windows Explorer is using it, so it's probably not going away that soon. From the anti-* angle, that is exactly what makes it interesting: it is a legitimate, documented way to stall execution for a long time that the usual API-monitoring lists (Sleep, SetTimer, SetWaitableTimer, WaitForSingleObject) tend not to include, and because the export simply does not exist in user32.dll before Windows 8, its presence in a sample's import table also tells a reverser the code was built for Windows 8 or newer.
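To see both user-mode APIs from this post in action, here is an added example (not code from the original post) that drives SetCoalescableTimer and SetWaitableTimerEx from PowerShell through P/Invoke and reports how long each timer actually took to fire for a given tolerance. The class name, the 250 ms due time and the 2000 ms tolerance are arbitrary choices made for the demonstration.

```powershell
# Added example, not from the original post. Requires Windows; the
# SetCoalescableTimer part needs Windows 8 or newer, the waitable-timer
# part works from Windows 7. Class name and delay values are arbitrary.
$src = @'
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

public static class CoalescableTimers
{
    [StructLayout(LayoutKind.Sequential)]
    public struct MSG
    {
        public IntPtr hwnd; public uint message; public IntPtr wParam;
        public IntPtr lParam; public uint time; public int x; public int y;
    }

    const uint WM_TIMER = 0x0113;
    public const uint TIMERV_DEFAULT_COALESCING = 0;          // documented value
    public const uint TIMERV_NO_COALESCING      = 0xFFFFFFFF; // documented value

    [DllImport("user32.dll", SetLastError = true)]
    static extern UIntPtr SetCoalescableTimer(IntPtr hWnd, UIntPtr nIDEvent, uint uElapse,
        IntPtr lpTimerFunc, uint uToleranceDelay);

    [DllImport("user32.dll")]
    static extern bool KillTimer(IntPtr hWnd, UIntPtr uIDEvent);

    [DllImport("user32.dll")]
    static extern int GetMessage(out MSG lpMsg, IntPtr hWnd, uint wMsgFilterMin, uint wMsgFilterMax);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr CreateWaitableTimer(IntPtr lpTimerAttributes, bool bManualReset, string lpTimerName);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool SetWaitableTimerEx(IntPtr hTimer, ref long lpDueTime, int lPeriod,
        IntPtr pfnCompletionRoutine, IntPtr lpArgToCompletionRoutine, IntPtr WakeContext, uint TolerableDelay);

    [DllImport("kernel32.dll")]
    static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);

    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr hObject);

    // Windows 8+. hWnd = NULL and no TIMERPROC, so WM_TIMER lands in the calling
    // thread's message queue and we pump it ourselves. Returns the observed wait
    // in ms, or -1 when user32.dll has no such export (Windows 7 and older).
    public static long WaitCoalescable(uint elapseMs, uint toleranceMs)
    {
        var sw = Stopwatch.StartNew();
        UIntPtr id;
        try { id = SetCoalescableTimer(IntPtr.Zero, UIntPtr.Zero, elapseMs, IntPtr.Zero, toleranceMs); }
        catch (EntryPointNotFoundException) { return -1; }
        if (id == UIntPtr.Zero)
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        MSG msg;
        // Filter on WM_TIMER only so other messages in the host's queue are left alone.
        while (GetMessage(out msg, IntPtr.Zero, WM_TIMER, WM_TIMER) > 0)
            if (unchecked((ulong)msg.wParam.ToInt64()) == id.ToUInt64()) break;
        KillTimer(IntPtr.Zero, id);
        return sw.ElapsedMilliseconds;
    }

    // Windows 7+. Same idea through the waitable-timer object: the last
    // parameter is the tolerable delay in ms. Returns the observed wait in ms.
    public static long WaitWaitable(uint dueMs, uint toleranceMs)
    {
        IntPtr h = CreateWaitableTimer(IntPtr.Zero, true, null);
        if (h == IntPtr.Zero)
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        long due = -10000L * dueMs;   // negative = relative due time, 100 ns units
        var sw = Stopwatch.StartNew();
        if (!SetWaitableTimerEx(h, ref due, 0, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, toleranceMs))
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        WaitForSingleObject(h, 0xFFFFFFFF);
        CloseHandle(h);
        return sw.ElapsedMilliseconds;
    }
}
'@
Add-Type -TypeDefinition $src

$elapse = 250
"SetCoalescableTimer, {0} ms requested:" -f $elapse
foreach ($tol in @([CoalescableTimers]::TIMERV_NO_COALESCING,
                   [CoalescableTimers]::TIMERV_DEFAULT_COALESCING, 2000)) {
    $ms = [CoalescableTimers]::WaitCoalescable($elapse, $tol)
    if ($ms -lt 0) { '  not exported by user32.dll on this build (pre-Windows 8)'; break }
    '  tolerance 0x{0:X8}: fired after {1} ms' -f $tol, $ms
}
"SetWaitableTimerEx, {0} ms requested:" -f $elapse
foreach ($tol in 0, 2000) {
    '  tolerance {0} ms: fired after {1} ms' -f $tol, [CoalescableTimers]::WaitWaitable($elapse, $tol)
}
```

On a mostly idle machine the three SetCoalescableTimer runs will often fire close to the requested 250 ms; the point is that with a 2000 ms tolerance the system is allowed to hold the expiry back for up to two extra seconds, and the documented upper bound for the tolerance is much larger than that, which is what turns the API into a quiet delay primitive. Two practical consequences for anyone instrumenting samples: hooking user32!SetTimer alone misses this path, but both SetTimer and SetCoalescableTimer end up in the same NtUserSetTimer system call, so a hook or win32k-level trace at that point catches both; the waitable-timer variant goes through the kernel timer object instead (a different system call in ntdll), so it needs its own coverage.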