
On API-MS-WIN-XXXXX.DLL, and Other Dependency Walker Glitches

Dependency Walker is the tool of choice for static dependency analysis of native binaries (it has some dynamic analysis too, but that niche at least has some alternative solutions). It is in a rather sorry state, however – development seems to have been abandoned since more or less 2005, and it is unanimously described as aging. As a prominent example of Dependency Walker analysis failures, try to run it on itself:


It seems the dependencies it is able to resolve are a negligible minority of the overall dependencies – and the interwebs are full of similar reports. The DLLs falsely reported as missing are all strangely named and unfamiliar, and the explanations given in SO answers range from a vague ‘some internal OS stuff’ to hypotheses about delay loads and side-by-side assemblies.

To the best of my understanding, as of March 2016 Dependency Walker 2.2 resolves side-by-side manifests very well and has no trouble with delay loads. I’m aware of only two dependency scenarios where it falls short, but unfortunately they are ubiquitous.

1: Compatibility Shims

Maybe more on that in another post. But –

2: Api Sets

…are the main issue.

Scarcely mentioned on MSDN:

An API Set is a strong name for a list of Win32 APIs … you should think of an API Set’s name as just a unique character string, and not as a dll name … API Sets rely on operating system support in the library loader … the library loader performs a runtime redirection of the reference…

Don’t be alarmed if that still sounds opaque. Brief history, as I understand it:

Sometime in the Vista dev cycle an effort referred to as MinWin began: essentially, smart people started moving functionality around in the hope of simplifying the OS architecture. To protect the myriad components from breaking during such a change, the ultimate solution was called in: an extra layer of indirection. That indirection layer is exactly API Sets.

For example, the API set “api-ms-win-core-fibers-l1-1-1.dll” is an ‘atom’ of functionality encompassing the 5 APIs FlsAlloc, FlsFree, FlsGetValue, FlsSetValue and IsThreadAFiber (an atypically small ‘atom’). All applications that consume fiber functionality declare a dependency on this API set, and thereby become insensitive to the exact location of the implementation (which might change between OS releases). At load time, the OS looks the name up in its redirection data and automagically routes the calls from api-ms-win-core-fibers-l1-1-1.dll to wherever they happen to be implemented in this OS version.

One could argue that API sets now serve the original intended role of DLLs and that the architecturally clean solution is to have each API set implemented in its own DLL, but I’m sure this tradeoff has performance implications that I cannot even begin to quantify.

Some Internals

API sets are only partially documented, and the load-time mechanism that properly routes the calls – even less so. One could start by inspecting the shipped apiset.h (said to be authored by the venerable Arun Kishan in Sep-2008), and learn that the key call is to the undocumented ApiSetResolveToHost. It is called from LoadLibrary, typically through a call stack such as –

ntdll.dll!_ApiSetResolveToHost@20() + 0xf bytes
ntdll.dll!_LdrpApplyFileNameRedirection@28() + 0x35 bytes
ntdll.dll!_LdrpLoadDll@24() + 0xae bytes
ntdll.dll!_LdrLoadDll@16() + 0x74 bytes
KernelBase.dll!_LoadLibraryExW@12() + 0x120 bytes

The actual per-OS-version redirection data lies in a special file called ApiSetSchema.dll. Its extension is DLL and it technically conforms to the PE spec, but it is not an executable binary – the redirection data lies in a specialized section called .apiset (mentioned in the apiset.h macros). Sebastien Renaud did some spectacular reversing work and described the layout of the redirection data it contains.

Full(er) Redirection Table

In principle one could – and hopefully someday will – use Renaud’s work to create a community-maintained version of Dependency Walker, but until that day we can get by with the aforementioned built-in loader logging: whenever ShowSnaps is raised, the loader spits out many hundreds of messages like –

3e30:02b8 @ 370478046 – LdrpPreprocessDllName – INFO: DLL api-ms-win-core-rtlsupport-l1-2-0.dll was redirected to C:/WINDOWS/SYSTEM32/ntdll.dll by API set

Running a few applications and filtering the results, I arrived at the table dumped below. I’ll update it as time permits – but if you have some dependency you don’t understand, you can follow the same steps (well, for apps you can run, anyway): raise ShowSnaps for your app and inspect the output to see where the API set I missed really routes to. If you do, please comment here so I can correct the table.
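The filtering step described above, as an added example that is not part of the original post: a small Python script that extracts the API set → host table from ShowSnaps loader output, and then classifies an imported module name the way a Dependency Walker replacement would. The log lines below are constructed from the message format quoted above, not a real capture; the `SAMPLE_LOG`, `build_table` and `classify_import` names are this example's own.

```python
import re
from collections import defaultdict

# Matches the loader's ShowSnaps redirection message, e.g.
#   ... - LdrpPreprocessDllName - INFO: DLL api-ms-win-core-rtlsupport-l1-2-0.dll
#   was redirected to C:/WINDOWS/SYSTEM32/ntdll.dll by API set
REDIRECT_RE = re.compile(
    r"DLL\s+(?P<apiset>\S+)\s+was redirected to\s+(?P<host>\S+)\s+by API set",
    re.IGNORECASE)

# Constructed sample of ShowSnaps output (not a real capture). The first line
# copies the format quoted in the post; the third line is unrelated loader
# noise that the filter must ignore; the fourth duplicates an earlier hit.
SAMPLE_LOG = """\
3e30:02b8 @ 370478046 - LdrpPreprocessDllName - INFO: DLL api-ms-win-core-rtlsupport-l1-2-0.dll was redirected to C:/WINDOWS/SYSTEM32/ntdll.dll by API set
3e30:02b8 @ 370478046 - LdrpPreprocessDllName - INFO: DLL api-ms-win-core-fibers-l1-1-1.dll was redirected to C:\\WINDOWS\\SYSTEM32\\KERNELBASE.dll by API set
3e30:02b8 @ 370478047 - LdrpLoadDll - INFO: (unrelated loader message, constructed)
3e30:02b8 @ 370478047 - LdrpPreprocessDllName - INFO: DLL api-ms-win-core-fibers-l1-1-1.dll was redirected to C:\\WINDOWS\\SYSTEM32\\KERNELBASE.dll by API set
3e30:02b8 @ 370478048 - LdrpPreprocessDllName - INFO: DLL api-ms-win-core-registry-l2-2-0.dll was redirected to C:\\WINDOWS\\SYSTEM32\\advapi32.dll by API set
"""

def host_basename(path):
    """Reduce 'C:/WINDOWS/SYSTEM32/ntdll.dll' (slash or backslash) to 'ntdll.dll'."""
    return re.split(r"[\\/]", path)[-1].lower()

def build_table(log_text):
    """Return {api set name: sorted list of host DLLs} from ShowSnaps output.
    Hosts are kept as a list because the post's table shows some names
    (e.g. api-ms-win-core-io-l1-1-1.dll) routed to more than one host."""
    table = defaultdict(set)
    for line in log_text.splitlines():
        m = REDIRECT_RE.search(line)
        if m:
            table[m.group("apiset").lower()].add(host_basename(m.group("host")))
    return {name: sorted(hosts) for name, hosts in table.items()}

def classify_import(module, table):
    """Explain an imported module name: ('apiset', hosts) if the table knows it,
    ('unknown-apiset', []) if it looks like an API set that was never observed
    in the log (a Dependency Walker-style 'missing' report), else ('regular', [name])."""
    name = module.lower()
    if name in table:
        return ("apiset", table[name])
    if name.startswith(("api-ms-win-", "ext-ms-win-")):
        return ("unknown-apiset", [])
    return ("regular", [name])

def format_table(table):
    """Render the table in the two-column 'API Set  Routes to...' form used below."""
    width = max((len(name) for name in table), default=0)
    return "\n".join(f"{name:<{width}}  {', '.join(hosts)}"
                     for name, hosts in sorted(table.items()))

if __name__ == "__main__":
    print(format_table(build_table(SAMPLE_LOG)))
```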

API Set Routes to…
api-ms-win-appmodel-state-l1-2-0.dll kernel.appcore.dll
api-ms-win-core-apiquery-l1-1-0.dll ntdll.dll
api-ms-win-core-appcompat-l1-1-1.dll kernelbase.dll
api-ms-win-core-appinit-l1-1-0.dll kernel32.dll
api-ms-win-core-atoms-l1-1-0.dll kernel32.dll
api-ms-win-core-com-l1-1-0 combase.dll
api-ms-win-core-com-l1-1-1.dll combase.dll
api-ms-win-core-com-midlproxystub-l1-1-0.dll combase.dll
api-ms-win-core-comm-l1-1-0.dll kernelbase.dll
api-ms-win-core-com-private-l1-1-0.dll combase.dll
api-ms-win-core-com-private-l1-1-1.dll combase.dll
api-ms-win-core-console-l1-1-0.dll kernelbase.dll
api-ms-win-core-console-l2-1-0.dll kernelbase.dll
api-ms-win-core-crt-l1-1-0.dll ntdll.dll
api-ms-win-core-crt-l2-1-0.dll kernelbase.dll
api-ms-win-core-datetime-l1-1-1.dll kernelbase.dll
api-ms-win-core-datetime-l1-1-2.dll kernelbase.dll
api-ms-win-core-debug-l1-1-1.dll kernelbase.dll
api-ms-win-core-delayload-l1-1-1.dll kernelbase.dll
api-ms-win-core-enclave-l1-1-0.dll kernelbase.dll
api-ms-win-core-errorhandling-l1-1-0.dll kernelbase.dll
api-ms-win-core-errorhandling-l1-1-1.dll kernelbase.dll
api-ms-win-core-errorhandling-l1-1-3.dll kernelbase.dll
api-ms-win-core-fibers-l1-1-1.dll kernelbase.dll
api-ms-win-core-fibers-l2-1-1.dll kernelbase.dll
api-ms-win-core-file-l1-1-0.dll kernelbase.dll
api-ms-win-core-file-l1-2-1.dll kernelbase.dll
api-ms-win-core-file-l1-2-2.dll kernelbase.dll
api-ms-win-core-file-l2-1-1.dll kernelbase.dll
api-ms-win-core-file-l2-1-2.dll kernelbase.dll
api-ms-win-core-handle-l1-1-0.dll kernelbase.dll
api-ms-win-core-heap-l1-1-0.dll kernelbase.dll
api-ms-win-core-heap-l1-2-0.dll kernelbase.dll
api-ms-win-core-heap-l2-1-0.dll kernelbase.dll
api-ms-win-core-heap-obsolete-l1-1-0.dll kernel32.dll
api-ms-win-core-interlocked-l1-2-0.dll kernelbase.dll
api-ms-win-core-io-l1-1-1.dll kernel32.dll
api-ms-win-core-io-l1-1-1.dll kernelbase.dll
api-ms-win-core-job-l1-1-0.dll kernelbase.dll
api-ms-win-core-job-l2-1-0.dll kernel32.dll
api-ms-win-core-kernel32-legacy-l1-1-1.dll kernel32.dll
api-ms-win-core-kernel32-legacy-l1-1-4.dll kernel32.dll
api-ms-win-core-kernel32-private-l1-1-1.dll kernel32.dll
api-ms-win-core-kernel32-private-l1-1-2.dll kernel32.dll
api-ms-win-core-largeinteger-l1-1-0.dll kernelbase.dll
api-ms-win-core-libraryloader-l1-1-0.dll kernelbase.dll
api-ms-win-core-libraryloader-l1-2-0.dll kernelbase.dll
api-ms-win-core-libraryloader-l1-2-1.dll kernelbase.dll
api-ms-win-core-libraryloader-l2-1-0.dll kernelbase.dll
api-ms-win-core-localization-l1-2-1.dll kernelbase.dll
api-ms-win-core-localization-l1-2-2.dll kernelbase.dll
api-ms-win-core-localization-l2-1-0.dll kernelbase.dll
api-ms-win-core-localization-obsolete-l1-3-0.dll kernelbase.dll
api-ms-win-core-localization-private-l1-1-0.dll kernelbase.dll
api-ms-win-core-localregistry-l1-1-0.dll kernelbase.dll
api-ms-win-core-memory-l1-1-0.dll kernelbase.dll
api-ms-win-core-memory-l1-1-2.dll kernelbase.dll
api-ms-win-core-misc-l1-1-0.dll kernelbase.dll
api-ms-win-core-namedpipe-l1-2-0.dll kernelbase.dll
api-ms-win-core-namedpipe-l1-2-2.dll kernelbase.dll
api-ms-win-core-namespace-l1-1-0.dll kernelbase.dll
api-ms-win-core-normalization-l1-1-0.dll kernelbase.dll
api-ms-win-core-path-l1-1-0.dll kernelbase.dll
api-ms-win-core-perfcounters-l1-1-0.dll kernelbase.dll
api-ms-win-core-privateprofile-l1-1-1.dll kernel32.dll
api-ms-win-core-processenvironment-l1-1-0.dll kernelbase.dll
api-ms-win-core-processenvironment-l1-2-0.dll kernelbase.dll
api-ms-win-core-processsnapshot-l1-1-0.dll kernelbase.dll
api-ms-win-core-processthreads-l1-1-0 kernelbase.dll
api-ms-win-core-processthreads-l1-1-0.dll kernel32.dll
api-ms-win-core-processthreads-l1-1-1 kernelbase.dll
api-ms-win-core-processthreads-l1-1-2.dll kernel32.dll
api-ms-win-core-processthreads-l1-1-2.dll kernelbase.dll
api-ms-win-core-processthreads-l1-1-3.dll kernel32.dll
api-ms-win-core-processthreads-l1-1-3.dll kernelbase.dll
api-ms-win-core-processtopology-l1-2-0.dll kernelbase.dll
api-ms-win-core-profile-l1-1-0.dll kernelbase.dll
api-ms-win-core-psapi-ansi-l1-1-0.dll kernelbase.dll
api-ms-win-core-psapi-l1-1-0.dll kernelbase.dll
api-ms-win-core-psm-key-l1-1-0.dll kernelbase.dll
api-ms-win-core-psm-key-l1-1-1.dll kernelbase.dll
api-ms-win-core-quirks-l1-1-0.dll kernelbase.dll
api-ms-win-core-realtime-l1-1-0.dll kernelbase.dll
api-ms-win-core-realtime-l1-1-1.dll kernelbase.dll
api-ms-win-core-registry-l1-1-0.dll kernelbase.dll
api-ms-win-core-registry-l1-1-1.dll kernelbase.dll
api-ms-win-core-registry-l2-2-0.dll advapi32.dll
api-ms-win-core-registryuserspecific-l1-1-0.dll kernelbase.dll
api-ms-win-core-rtlsupport-l1-2-0.dll ntdll.dll
api-ms-win-core-shlwapi-legacy-l1-1-0.dll kernelbase.dll
api-ms-win-core-shlwapi-obsolete-l1-2-0.dll kernelbase.dll
api-ms-win-core-sidebyside-l1-1-0.dll kernelbase.dll
api-ms-win-core-stringansi-l1-1-0.dll kernelbase.dll
api-ms-win-core-string-l1-1-0.dll kernelbase.dll
api-ms-win-core-string-l2-1-0.dll kernelbase.dll
api-ms-win-core-string-l2-1-1.dll kernelbase.dll
api-ms-win-core-string-obsolete-l1-1-0.dll kernel32.dll
api-ms-win-core-synch-l1-1-0.dll kernelbase.dll
api-ms-win-core-synch-l1-2-0.dll kernelbase.dll
api-ms-win-core-synch-l1-2-1.dll kernelbase.dll
api-ms-win-core-sysinfo-l1-1-0.dll kernelbase.dll
api-ms-win-core-sysinfo-l1-2-1.dll kernelbase.dll
api-ms-win-core-sysinfo-l1-2-3.dll kernelbase.dll
api-ms-win-core-systemtopology-l1-1-0.dll kernelbase.dll
api-ms-win-core-threadpool-l1-2-0.dll kernelbase.dll
api-ms-win-core-threadpool-legacy-l1-1-0.dll kernelbase.dll
api-ms-win-core-threadpool-private-l1-1-0.dll kernelbase.dll
api-ms-win-core-timezone-l1-1-0.dll kernelbase.dll
api-ms-win-core-url-l1-1-0.dll kernelbase.dll
api-ms-win-core-util-l1-1-0.dll kernel32.dll
api-ms-win-core-util-l1-1-0.dll kernelbase.dll
api-ms-win-core-versionansi-l1-1-0.dll kernelbase.dll
api-ms-win-core-version-l1-1-0.dll kernelbase.dll
api-ms-win-core-windowserrorreporting-l1-1-0.dll kernelbase.dll
api-ms-win-core-winrt-error-l1-1-1.dll combase.dll
api-ms-win-core-winrt-string-l1-1-0.dll combase.dll
api-ms-win-core-wow64-l1-1-0.dll kernelbase.dll
api-ms-win-core-wow64-l1-1-1.dll kernelbase.dll
api-ms-win-core-xstate-l2-1-0.dll kernelbase.dll
api-ms-win-devices-config-l1-1-1.dll cfgmgr32.dll
api-ms-win-eventing-classicprovider-l1-1-0.dll kernelbase.dll
api-ms-win-eventing-consumer-l1-1-0.dll sechost.dll
api-ms-win-eventing-controller-l1-1-0.dll sechost.dll
api-ms-win-eventing-provider-l1-1-0.dll kernelbase.dll
api-ms-win-power-base-l1-1-0.dll powrprof.dll
api-ms-win-security-appcontainer-l1-1-0.dll kernelbase.dll
api-ms-win-security-audit-l1-1-1.dll sechost.dll
api-ms-win-security-base-l1-2-0.dll kernelbase.dll
api-ms-win-security-base-private-l1-1-1.dll kernelbase.dll
api-ms-win-security-capability-l1-1-0.dll sechost.dll
api-ms-win-security-sddl-l1-1-0.dll sechost.dll
api-ms-win-service-core-l1-1-1.dll sechost.dll
api-ms-win-service-core-l1-1-2.dll sechost.dll
api-ms-win-service-management-l1-1-0.dll sechost.dll
api-ms-win-service-management-l2-1-0.dll sechost.dll
api-ms-win-service-private-l1-1-1.dll sechost.dll
api-ms-win-service-private-l1-1-2.dll sechost.dll
api-ms-win-service-winsvc-l1-2-0.dll sechost.dll
api-ms-win-shcore-registry-l1-1-1.dll shcore.dll
api-ms-win-shcore-scaling-l1-1-1.dll shcore.dll
api-ms-win-shell-shellcom-l1-1-0.dll kernelbase.dll
api-ms-win-shell-shellfolders-l1-1-0.dll windows.storage.dll
api-ms-win-shlwapi-ie-l1-1-0.dll shlwapi.dll
api-ms-win-shlwapi-winrt-storage-l1-1-0.dll shlwapi.dll
api-ms-win-shlwapi-winrt-storage-l1-1-1.dll shlwapi.dll
api-ms-win-storage-exports-external-l1-1-0.dll windows.storage.dll
api-ms-win-storage-exports-internal-l1-1-0.dll windows.storage.dll
ext-ms-win-kernel32-appcompat-l1-1-0.dll kernel32.dll
ext-ms-win-kernel32-datetime-l1-1-0.dll kernel32.dll
ext-ms-win-kernel32-errorhandling-l1-1-0.dll kernel32.dll
ext-ms-win-kernel32-file-l1-1-0.dll kernel32.dll
ext-ms-win-kernel32-package-current-l1-1-0.dll kernel.appcore.dll
ext-ms-win-kernel32-quirks-l1-1-0.dll kernel32.dll
ext-ms-win-kernel32-registry-l1-1-0.dll kernel32.dll
ext-ms-win-kernel32-sidebyside-l1-1-0.dll kernel32.dll
ext-ms-win-kernel32-windowserrorreporting-l1-1-0.dll kernel32.dll
ext-ms-win-kernel32-windowserrorreporting-l1-1-1.dll kernel32.dll
ext-ms-win-kernelbase-processthread-l1-1-0.dll kernel32.dll
ext-ms-win-ole32-oleautomation-l1-1-0.dll ole32.dll
ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll user32.dll
