Windows 7 Kernel Architecture Changes - api-ms-win-core files
Windows 7 introduces a new set of dll files containing exported functions of many well-known WIN32 APIs. All these filenames begin with the "api-ms-win-core" prefix, followed by the function category name. For example, api-ms-win-core-localregistry-l1-1-0.dll contains the exported names for all Registry functions, api-ms-win-core-file-l1-1-0.dll contains the exported names for all file-related functions, api-ms-win-core-localization-l1-1-0.dll contains the exported names for all localization functions, and so on.

If you look deeply into these files, you'll see that they are all very small, and the functions in them don't do anything: they simply return a "TRUE" value. For example, here's the assembly language content of the RegDeleteValueW function in api-ms-win-core-localregistry-l1-1-0.dll:

084010CE 33C0      xor eax, eax
084010D0 40        inc eax
084010D1 C20800    ret 0008

By looking in the Dependency Walker utility, we can see that advapi32.dll, kernel32.dll, and other system dll files are now statically linked to these empty api-ms-win-core files.
Moreover, if we look at the assembly language output of many API functions, we can see that they simply call their corresponding function in one of these api-ms-win-core Dlls. For example, RegDeleteValueW in advapi32.dll simply contains a jump to RegDeleteValueW in API-MS-Win-Core-LocalRegistry-L1-1-0.dll:

ADVAPI32!RegDeleteValueW:
77C6F301 8BFF          mov edi, edi
77C6F303 55            push ebp
77C6F304 8BEC          mov ebp, esp
77C6F306 5D            pop ebp
77C6F307 EB05          jmp 77C6F30E
...
77C6F30E FF25B414C677  jmp dword ptr [77C614B4]

So if RegDeleteValueW in ADVAPI32 and other functions simply jump to empty functions, how is it possible that these functions still work properly?

The answer is pretty simple: when Windows loads the dll files, all the import entries of these api-ms-win-core Dlls are replaced with a call to a real function in the Windows kernel. So here's our RegDeleteValueW example again: when loading a program into WinDbg, we can see that the jmp call now points to the kernel32!RegDeleteValueW function.



That's because during the loading of advapi32.dll, Windows automatically replaces the import entry of API-MS-Win-Core-LocalRegistry-L1-1-0.RegDeleteValueW with the function address of RegDeleteValueW in kernel32.

75e5f301 8bff          mov edi,edi
75e5f303 55            push ebp
75e5f304 8bec          mov ebp,esp
75e5f306 5d            pop ebp
75e5f307 eb05          jmp ADVAPI32!RegDeleteValueW+0xd (75e5f30e)
...
75e5f30e ff25b414e575  jmp dword ptr ds:0023:75e514b4=kernel32!RegDeleteValueW (758bd5af)

Another new dll: kernelbase.dll

In addition to the new API-MS-Win-Core dll files, there is also another new dll: kernelbase.dll. In previous versions of Windows, most of the kernel32 functions called their corresponding functions in ntdll.dll. In Windows 7, most of the kernel functions call their corresponding functions in kernelbase.dll, and the kernelbase dll is the one that makes the calls to ntdll.dll.

Effects on existing applications - compatibility issues

Most of the existing applications should not be affected by this kernel change, because all standard API calls still work the same as in previous versions of Windows. However, there are some diagnostic/debugging applications that rely on the call chain inside the Windows kernel. These kinds of applications may not work properly in Windows 7. My own utilities, RegFromApp and ProcessActivityView, failed to work under Windows 7 because of these changes, and that is what led me to discover the kernel changes of Windows 7. The problems in these utilities are already fixed, and now they work properly in Windows 7.

API-MS-Win-Core List

Finally, here's the list of all core dll files added to Windows 7 and the list of functions that each one of them contains. I used my own DLL Export Viewer utility to generate the list.
DLL File: Function Names

api-ms-win-core-console-l1-1-0.dll: AllocConsole, GetConsoleCP, GetConsoleMode, GetConsoleOutputCP, GetNumberOfConsoleInputEvents, PeekConsoleInputA, ReadConsoleA, ReadConsoleInputA, ReadConsoleInputW, ReadConsoleW, SetConsoleCtrlHandler, SetConsoleMode, WriteConsoleA, WriteConsoleW

api-ms-win-core-datetime-l1-1-0.dll: GetDateFormatA, GetDateFormatW, GetTimeFormatA, GetTimeFormatW

api-ms-win-core-debug-l1-1-0.dll: DebugBreak, IsDebuggerPresent, OutputDebugStringA, OutputDebugStringW

api-ms-win-core-delayload-l1-1-0.dll: DelayLoadFailureHook

api-ms-win-core-errorhandling-l1-1-0.dll: GetErrorMode, GetLastError, RaiseException, SetErrorMode, SetLastError, SetUnhandledExceptionFilter, UnhandledExceptionFilter

api-ms-win-core-fibers-l1-1-0.dll: FlsAlloc, FlsFree, FlsGetValue, FlsSetValue

api-ms-win-core-file-l1-1-0.dll: CompareFileTime, CreateDirectoryA, CreateDirectoryW, CreateFileA, CreateFileW, DefineDosDeviceW, DeleteFileA, DeleteFileW, DeleteVolumeMountPointW, FileTimeToLocalFileTime, FileTimeToSystemTime, FindClose, FindCloseChangeNotification, FindFirstChangeNotificationA, FindFirstChangeNotificationW, FindFirstFileA, FindFirstFileExA, FindFirstFileExW, FindFirstFileW, FindFirstVolumeW, FindNextChangeNotification, FindNextFileA, FindNextFileW, FindNextVolumeW, FindVolumeClose, FlushFileBuffers, GetDiskFreeSpaceA, GetDiskFreeSpaceExA, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetDriveTypeA, GetDriveTypeW, GetFileAttributesA, GetFileAttributesExA, GetFileAttributesExW, GetFileAttributesW, GetFileInformationByHandle, GetFileSize, GetFileSizeEx, GetFileTime, GetFileType, GetFinalPathNameByHandleA, GetFinalPathNameByHandleW, GetFullPathNameA, GetFullPathNameW, GetLogicalDrives, GetLogicalDriveStringsW, GetLongPathNameA, GetLongPathNameW, GetShortPathNameW, GetTempFileNameW, GetVolumeInformationByHandleW, GetVolumeInformationW, GetVolumePathNameW, LocalFileTimeToFileTime, LockFile, LockFileEx, QueryDosDeviceW, ReadFile, ReadFileEx, ReadFileScatter, RemoveDirectoryA, RemoveDirectoryW, SetEndOfFile, SetFileAttributesA, SetFileAttributesW, SetFileInformationByHandle, SetFilePointer, SetFilePointerEx, SetFileTime, SetFileValidData, UnlockFile, UnlockFileEx, WriteFile, WriteFileEx, WriteFileGather

api-ms-win-core-handle-l1-1-0.dll: CloseHandle, DuplicateHandle, GetHandleInformation, SetHandleInformation

api-ms-win-core-heap-l1-1-0.dll: GetProcessHeap, GetProcessHeaps, HeapAlloc, HeapCompact, HeapCreate, HeapDestroy, HeapFree, HeapLock, HeapQueryInformation, HeapReAlloc, HeapSetInformation, HeapSize, HeapSummary, HeapUnlock, HeapValidate, HeapWalk

api-ms-win-core-interlocked-l1-1-0.dll: InitializeSListHead, InterlockedCompareExchange, InterlockedCompareExchange64, InterlockedDecrement, InterlockedExchange, InterlockedExchangeAdd, InterlockedFlushSList, InterlockedIncrement, InterlockedPopEntrySList, InterlockedPushEntrySList, InterlockedPushListSList, QueryDepthSList

api-ms-win-core-io-l1-1-0.dll: CancelIoEx, CreateIoCompletionPort, DeviceIoControl, GetOverlappedResult, GetQueuedCompletionStatus, GetQueuedCompletionStatusEx, PostQueuedCompletionStatus

api-ms-win-core-libraryloader-l1-1-0.dll: DisableThreadLibraryCalls, FindResourceExW, FindStringOrdinal, FreeLibrary, FreeLibraryAndExitThread, FreeResource, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExA, GetModuleHandleExW, GetModuleHandleW, GetProcAddress, LoadLibraryExA, LoadLibraryExW, LoadResource, LoadStringA, LoadStringW, LockResource, SizeofResource

api-ms-win-core-localization-l1-1-0.dll: ConvertDefaultLocale, FindNLSString, FindNLSStringEx, GetACP, GetCalendarInfoEx, GetCalendarInfoW, GetCPFileNameFromRegistry, GetCPInfo, GetCPInfoExW, GetFileMUIInfo, GetFileMUIPath, GetLocaleInfoEx, GetLocaleInfoW, GetNLSVersion, GetNLSVersionEx, GetOEMCP, GetProcessPreferredUILanguages, GetSystemDefaultLangID, GetSystemDefaultLCID, GetSystemPreferredUILanguages, GetThreadLocale, GetThreadPreferredUILanguages, GetThreadUILanguage, GetUILanguageInfo, GetUserDefaultLangID, GetUserDefaultLCID, GetUserPreferredUILanguages, IsNLSDefinedString, IsValidCodePage, IsValidLanguageGroup, IsValidLocale, IsValidLocaleName, LCMapStringEx, LCMapStringW, LocaleNameToLCID, NlsCheckPolicy, NlsEventDataDescCreate, NlsGetCacheUpdateCount, NlsUpdateLocale, NlsUpdateSystemLocale, NlsWriteEtwEvent, ResolveLocaleName, SetCalendarInfoW, SetLocaleInfoW, SetThreadLocale, VerLanguageNameA, VerLanguageNameW

api-ms-win-core-localregistry-l1-1-0.dll: RegCloseKey, RegCreateKeyExA, RegCreateKeyExW, RegDeleteKeyExA, RegDeleteKeyExW, RegDeleteTreeA, RegDeleteTreeW, RegDeleteValueA, RegDeleteValueW, RegDisablePredefinedCacheEx, RegEnumKeyExA, RegEnumKeyExW, RegEnumValueA, RegEnumValueW, RegFlushKey, RegGetKeySecurity, RegGetValueA, RegGetValueW, RegLoadKeyA, RegLoadKeyW, RegLoadMUIStringA, RegLoadMUIStringW, RegNotifyChangeKeyValue, RegOpenCurrentUser, RegOpenKeyExA, RegOpenKeyExW, RegOpenUserClassesRoot, RegQueryInfoKeyA, RegQueryInfoKeyW, RegQueryValueExA, RegQueryValueExW, RegRestoreKeyA, RegRestoreKeyW, RegSaveKeyExA, RegSaveKeyExW, RegSetKeySecurity, RegSetValueExA, RegSetValueExW, RegUnLoadKeyA, RegUnLoadKeyW

api-ms-win-core-memory-l1-1-0.dll: CreateFileMappingW, FlushViewOfFile, MapViewOfFile, MapViewOfFileEx, OpenFileMappingW, ReadProcessMemory, UnmapViewOfFile, VirtualAlloc, VirtualAllocEx, VirtualFree, VirtualFreeEx, VirtualProtect, VirtualProtectEx, VirtualQuery, VirtualQueryEx, WriteProcessMemory

api-ms-win-core-misc-l1-1-0.dll: EnumSystemLocalesA, FatalAppExitA, FatalAppExitW, FormatMessageA, FormatMessageW, GlobalAlloc, GlobalFree, IsProcessInJob, IsWow64Process, LCMapStringA, LocalAlloc, LocalFree, LocalLock, LocalReAlloc, LocalUnlock, lstrcmp, lstrcmpA, lstrcmpi, lstrcmpiA, lstrcmpiW, lstrcmpW, lstrcpyn, lstrcpynA, lstrcpynW, lstrlen, lstrlenA, lstrlenW, NeedCurrentDirectoryForExePathA, NeedCurrentDirectoryForExePathW, PulseEvent, SetHandleCount, Sleep, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection

api-ms-win-core-namedpipe-l1-1-0.dll: ConnectNamedPipe, CreateNamedPipeW, CreatePipe, DisconnectNamedPipe, GetNamedPipeAttribute, GetNamedPipeClientComputerNameW, ImpersonateNamedPipeClient, PeekNamedPipe, SetNamedPipeHandleState, TransactNamedPipe, WaitNamedPipeW

api-ms-win-core-processenvironment-l1-1-0.dll: ExpandEnvironmentStringsA, ExpandEnvironmentStringsW, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetCommandLineA, GetCommandLineW, GetCurrentDirectoryA, GetCurrentDirectoryW, GetEnvironmentStrings, GetEnvironmentStringsA, GetEnvironmentStringsW, GetEnvironmentVariableA, GetEnvironmentVariableW, GetStdHandle, SearchPathW, SetCurrentDirectoryA, SetCurrentDirectoryW, SetEnvironmentStringsW, SetEnvironmentVariableA, SetEnvironmentVariableW, SetStdHandle, SetStdHandleEx

api-ms-win-core-processthreads-l1-1-0.dll: CreateProcessA, CreateProcessAsUserW, CreateProcessW, CreateRemoteThread, CreateRemoteThreadEx, CreateThread, DeleteProcThreadAttributeList, ExitProcess, ExitThread, FlushProcessWriteBuffers, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetExitCodeProcess, GetExitCodeThread, GetPriorityClass, GetProcessId, GetProcessIdOfThread, GetProcessTimes, GetProcessVersion, GetStartupInfoW, GetThreadId, GetThreadPriority, GetThreadPriorityBoost, InitializeProcThreadAttributeList, OpenProcessToken, OpenThread, OpenThreadToken, ProcessIdToSessionId, QueryProcessAffinityUpdateMode, QueueUserAPC, ResumeThread, SetPriorityClass, SetProcessAffinityUpdateMode, SetProcessShutdownParameters, SetThreadPriority, SetThreadPriorityBoost, SetThreadStackGuarantee, SetThreadToken, SuspendThread, SwitchToThread, TerminateProcess, TerminateThread, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UpdateProcThreadAttribute

api-ms-win-core-profile-l1-1-0.dll: QueryPerformanceCounter, QueryPerformanceFrequency

api-ms-win-core-rtlsupport-l1-1-0.dll: RtlCaptureContext, RtlCaptureStackBackTrace, RtlFillMemory, RtlUnwind

api-ms-win-core-string-l1-1-0.dll: CompareStringEx, CompareStringOrdinal, CompareStringW, FoldStringW, GetStringTypeExW, GetStringTypeW, MultiByteToWideChar, WideCharToMultiByte

api-ms-win-core-synch-l1-1-0.dll: AcquireSRWLockExclusive, AcquireSRWLockShared, CancelWaitableTimer, CreateEventA, CreateEventExA, CreateEventExW, CreateEventW, CreateMutexA, CreateMutexExA, CreateMutexExW, CreateMutexW, CreateSemaphoreExW, CreateWaitableTimerExW, DeleteCriticalSection, EnterCriticalSection, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSRWLock, LeaveCriticalSection, OpenEventA, OpenEventW, OpenMutexW, OpenProcess, OpenSemaphoreW, OpenWaitableTimerW, ReleaseMutex, ReleaseSemaphore, ReleaseSRWLockExclusive, ReleaseSRWLockShared, ResetEvent, SetCriticalSectionSpinCount, SetEvent, SetWaitableTimer, SetWaitableTimerEx, SleepEx, TryAcquireSRWLockExclusive, TryAcquireSRWLockShared, TryEnterCriticalSection, WaitForMultipleObjectsEx, WaitForSingleObject, WaitForSingleObjectEx

api-ms-win-core-sysinfo-l1-1-0.dll: GetComputerNameExA, GetComputerNameExW, GetDynamicTimeZoneInformation, GetLocalTime, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetSystemDirectoryA, GetSystemDirectoryW, GetSystemInfo, GetSystemTime, GetSystemTimeAdjustment, GetSystemTimeAsFileTime, GetSystemWindowsDirectoryA, GetSystemWindowsDirectoryW, GetTickCount, GetTickCount64, GetTimeZoneInformation, GetTimeZoneInformationForYear, GetVersion, GetVersionExA, GetVersionExW, GetWindowsDirectoryA, GetWindowsDirectoryW, GlobalMemoryStatusEx, SetLocalTime, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime

api-ms-win-core-threadpool-l1-1-0.dll: CallbackMayRunLong, CancelThreadpoolIo, ChangeTimerQueueTimer, CloseThreadpool, CloseThreadpoolCleanupGroup, CloseThreadpoolCleanupGroupMembers, CloseThreadpoolIo, CloseThreadpoolTimer, CloseThreadpoolWait, CloseThreadpoolWork, CreateThreadpool, CreateThreadpoolCleanupGroup, CreateThreadpoolIo, CreateThreadpoolTimer, CreateThreadpoolWait, CreateThreadpoolWork, CreateTimerQueue, CreateTimerQueueTimer, DeleteTimerQueueEx, DeleteTimerQueueTimer, DisassociateCurrentThreadFromCallback, FreeLibraryWhenCallbackReturns, IsThreadpoolTimerSet, LeaveCriticalSectionWhenCallbackReturns, QueryThreadpoolStackInformation, RegisterWaitForSingleObjectEx, ReleaseMutexWhenCallbackReturns, ReleaseSemaphoreWhenCallbackReturns, SetEventWhenCallbackReturns, SetThreadpoolStackInformation, SetThreadpoolThreadMaximum, SetThreadpoolThreadMinimum, SetThreadpoolTimer, SetThreadpoolWait, StartThreadpoolIo, SubmitThreadpoolWork, TrySubmitThreadpoolCallback, UnregisterWaitEx, WaitForThreadpoolIoCallbacks, WaitForThreadpoolTimerCallbacks, WaitForThreadpoolWaitCallbacks, WaitForThreadpoolWorkCallbacks

api-ms-win-core-util-l1-1-0.dll: Beep, DecodePointer, DecodeSystemPointer, EncodePointer, EncodeSystemPointer

api-ms-win-core-xstate-l1-1-0.dll: RtlCopyExtendedContext, RtlGetEnabledExtendedFeatures, RtlGetExtendedContextLength, RtlGetExtendedFeaturesMask, RtlInitializeExtendedContext, RtlLocateExtendedFeature, RtlLocateLegacyContext, RtlSetExtendedFeaturesMask

api-ms-win-security-base-l1-1-0.dll: AccessCheck, AccessCheckAndAuditAlarmW, AccessCheckByType, AccessCheckByTypeAndAuditAlarmW, AccessCheckByTypeResultList, AccessCheckByTypeResultListAndAuditAlarmByHandleW, AccessCheckByTypeResultListAndAuditAlarmW, AddAccessAllowedAce, AddAccessAllowedAceEx, AddAccessAllowedObjectAce, AddAccessDeniedAce, AddAccessDeniedAceEx, AddAccessDeniedObjectAce, AddAce, AddAuditAccessAce, AddAuditAccessAceEx, AddAuditAccessObjectAce, AddMandatoryAce, AdjustTokenGroups, AdjustTokenPrivileges, AllocateAndInitializeSid, AllocateLocallyUniqueId, AreAllAccessesGranted, AreAnyAccessesGranted, CheckTokenMembership, ConvertToAutoInheritPrivateObjectSecurity, CopySid, CreatePrivateObjectSecurity, CreatePrivateObjectSecurityEx, CreatePrivateObjectSecurityWithMultipleInheritance, CreateRestrictedToken, CreateWellKnownSid, DeleteAce, DestroyPrivateObjectSecurity, DuplicateToken, DuplicateTokenEx, EqualDomainSid, EqualPrefixSid, EqualSid, FindFirstFreeAce, FreeSid, GetAce, GetAclInformation, GetFileSecurityW, GetKernelObjectSecurity, GetLengthSid, GetPrivateObjectSecurity, GetSecurityDescriptorControl, GetSecurityDescriptorDacl, GetSecurityDescriptorGroup, GetSecurityDescriptorLength, GetSecurityDescriptorOwner, GetSecurityDescriptorRMControl, GetSecurityDescriptorSacl, GetSidIdentifierAuthority, GetSidLengthRequired, GetSidSubAuthority, GetSidSubAuthorityCount, GetTokenInformation, GetWindowsAccountDomainSid, ImpersonateAnonymousToken, ImpersonateLoggedOnUser, ImpersonateSelf, InitializeAcl, InitializeSecurityDescriptor, InitializeSid, IsTokenRestricted, IsValidAcl, IsValidRelativeSecurityDescriptor, IsValidSecurityDescriptor, IsValidSid, IsWellKnownSid, MakeAbsoluteSD, MakeAbsoluteSD2, MakeSelfRelativeSD, MapGenericMask, ObjectCloseAuditAlarmW, ObjectDeleteAuditAlarmW, ObjectOpenAuditAlarmW, ObjectPrivilegeAuditAlarmW, PrivilegeCheck, PrivilegedServiceAuditAlarmW, QuerySecurityAccessMask, RevertToSelf, SetAclInformation, SetFileSecurityW, SetKernelObjectSecurity, SetPrivateObjectSecurity, SetPrivateObjectSecurityEx, SetSecurityAccessMask, SetSecurityDescriptorControl, SetSecurityDescriptorDacl, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetSecurityDescriptorRMControl, SetSecurityDescriptorSacl, SetTokenInformation

api-ms-win-security-lsalookup-l1-1-0.dll: LookupAccountNameLocalA, LookupAccountNameLocalW, LookupAccountSidLocalA, LookupAccountSidLocalW, LsaLookupClose, LsaLookupFreeMemory, LsaLookupGetDomainInfo, LsaLookupManageSidNameMapping, LsaLookupOpenLocalPolicy, LsaLookupTranslateNames, LsaLookupTranslateSids

api-ms-win-security-sddl-l1-1-0.dll: ConvertSecurityDescriptorToStringSecurityDescriptorW, ConvertSidToStringSidW, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertStringSidToSidW

api-ms-win-service-core-l1-1-0.dll: RegisterServiceCtrlHandlerExW, SetServiceStatus, StartServiceCtrlDispatcherW

api-ms-win-service-management-l1-1-0.dll: CloseServiceHandle, ControlServiceExW, CreateServiceW, DeleteService, OpenSCManagerW, OpenServiceW, StartServiceW

api-ms-win-service-management-l2-1-0.dll: ChangeServiceConfig2W, ChangeServiceConfigW, NotifyServiceStatusChangeW, QueryServiceConfig2W, QueryServiceConfigW, QueryServiceObjectSecurity, QueryServiceStatusEx, SetServiceObjectSecurity

api-ms-win-service-winsvc-l1-1-0.dll: ChangeServiceConfig2A, ChangeServiceConfigA, ControlService, ControlServiceExA, CreateServiceA, I_QueryTagInformation, I_ScBroadcastServiceControlMessage, I_ScIsSecurityProcess, I_ScPnPGetServiceName, I_ScQueryServiceConfig, I_ScRpcBindA, I_ScRpcBindW, I_ScSendPnPMessage, I_ScSendTSMessage, I_ScValidatePnPService, NotifyServiceStatusChangeA, OpenSCManagerA, OpenServiceA, QueryServiceConfig2A, QueryServiceConfigA, QueryServiceStatus, RegisterServiceCtrlHandlerA, RegisterServiceCtrlHandlerExA, RegisterServiceCtrlHandlerW, StartServiceA, StartServiceCtrlDispatcherA
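
The two RegDeleteValueW listings near the top of the article, the empty "return TRUE" stub and the ADVAPI32 jump through an import entry, are the code shapes that a diagnostic tool following the call chain has to tell apart on Windows 7. The following C code is an added example, not code from the article or from the author's utilities: it decodes only the opcodes that appear in those listings, and the name classify_thunk, the enum names and the 0xCC padding standing in for the bytes the article elides are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum thunk_kind { THUNK_UNKNOWN, THUNK_RETURN_TRUE_STUB, THUNK_IAT_JUMP };
/* RegDeleteValueW in api-ms-win-core-localregistry-l1-1-0.dll, bytes from the article. */
static const uint8_t STUB_BYTES[] = { 0x33, 0xC0, 0x40, 0xC2, 0x08, 0x00 };

/* ADVAPI32!RegDeleteValueW at 77C6F301, bytes from the article. The five bytes
   the article elides with "..." are constructed 0xCC padding (an assumption). */
static const uint8_t ADVAPI32_BYTES[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x5D, 0xEB, 0x05,
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xFF, 0x25, 0xB4, 0x14, 0xC6, 0x77 };

/* Walks a 32-bit x86 function body, decoding only the opcodes in the two listings.
   On THUNK_IAT_JUMP, *iat_slot gets the address of the import entry the loader overwrites. */
enum thunk_kind classify_thunk(const uint8_t *c, size_t len, uint32_t *iat_slot)
{
    size_t i = 0;
    int eax = -1;                               /* -1: value of eax unknown */
    for (int steps = 0; steps < 16 && i < len; steps++) {
        size_t left = len - i;
        if (left >= 2 && c[i] == 0x8B && (c[i + 1] == 0xFF || c[i + 1] == 0xEC)) {
            i += 2;                             /* mov edi,edi / mov ebp,esp */
        } else if (c[i] == 0x55 || c[i] == 0x5D) {
            i += 1;                             /* push ebp / pop ebp */
        } else if (left >= 2 && c[i] == 0x33 && c[i + 1] == 0xC0) {
            eax = 0; i += 2;                    /* xor eax,eax */
        } else if (c[i] == 0x40) {
            i += 1; if (eax >= 0) eax++;        /* inc eax */
        } else if (left >= 2 && c[i] == 0xEB) { /* jmp rel8, may go backwards */
            long target = (long)i + 2 + (int8_t)c[i + 1];
            if (target < 0 || (size_t)target >= len) return THUNK_UNKNOWN;
            i = (size_t)target;
        } else if (left >= 6 && c[i] == 0xFF && c[i + 1] == 0x25) {
            *iat_slot = (uint32_t)c[i + 2] | ((uint32_t)c[i + 3] << 8) |
                        ((uint32_t)c[i + 4] << 16) | ((uint32_t)c[i + 5] << 24);
            return THUNK_IAT_JUMP;              /* jmp dword ptr [imm32] */
        } else if ((left >= 3 && c[i] == 0xC2) || c[i] == 0xC3) {
            return eax == 1 ? THUNK_RETURN_TRUE_STUB : THUNK_UNKNOWN; /* ret */
        } else {
            return THUNK_UNKNOWN;               /* opcode not in the listings */
        }
    }
    return THUNK_UNKNOWN;
}

int main(void)
{
    uint32_t slot = 0;
    int stub = classify_thunk(STUB_BYTES, sizeof STUB_BYTES, &slot);
    int jump = classify_thunk(ADVAPI32_BYTES, sizeof ADVAPI32_BYTES, &slot);
    printf("stub=%d advapi32=%d slot=%08X\n", stub, jump, (unsigned)slot);
    return 0;
}
```

On a live 32-bit process, a tracer would next read the pointer stored at the returned slot address; in the article's WinDbg session that slot holds kernel32!RegDeleteValueW (758bd5af).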