Some changes to the Win7 programming interfaces

Time: 2020-12-07 13:00:09

Original link: http://www.nirsoft.net/articles/windows_7_kernel_architecture_changes.html

Windows 7 introduces a new set of DLL files containing exported functions of many well-known Win32 APIs. All these filenames begin with the 'api-ms-win-core' prefix, followed by the name of the function category.
For example, api-ms-win-core-localregistry-l1-1-0.dll contains the exported names of all Registry functions, api-ms-win-core-file-l1-1-0.dll contains the exported names of all file-related functions, api-ms-win-core-localization-l1-1-0.dll contains the exported names of all localization functions, and so on.

If you look deeper into these files, you'll see that they are all very small and that the functions in them don't do anything: each one simply returns TRUE. For example, here's the disassembly of the RegDeleteValueW function in api-ms-win-core-localregistry-l1-1-0.dll:

084010CE 33C0            xor eax, eax
084010D0 40              inc eax
084010D1 C20800          ret 0008

By looking at the Dependency Walker utility, we can see that advapi32.dll, kernel32.dll, and other system DLL files are now statically linked to these empty api-ms-win-core files.
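The static linkage Dependency Walker shows is recorded in each module's PE import directory. The following Python, an added example that is not part of the NirSoft article, walks that directory the way such a tool does and flags imported modules whose names start with api-ms-win-, so a reviewer can see which dependencies are API-set contracts rather than real DLLs. To run offline it also constructs a tiny PE32 image whose import table names api-ms-win-core-localregistry-l1-1-0.dll and kernel32.dll; the builder, the SAMPLE_IMPORTS table and the function names in it are constructed test data, not taken from a real Windows 7 binary. Passing the bytes of a real advapi32.dll from a Windows 7 system to parse_imports reproduces the article's observation.

```python
# Added example (not from the NirSoft article): walk a PE image's import directory,
# as Dependency Walker does, and flag modules that are API-set contracts
# (api-ms-win-*) rather than real DLLs. The sample image below is constructed.
import struct


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def _cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii")


def parse_imports(data):
    """Return {dll_name: [imported symbol, ...]} for a PE32 or PE32+ image."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]                # e_lfanew
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    coff = pe_off + 4
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: data directories start at offset 96
        dd_base, thunk_fmt, ordinal_bit = opt + 96, "<I", 1 << 31
    elif magic == 0x20B:  # PE32+: the 64-bit ImageBase pushes them to 112
        dd_base, thunk_fmt, ordinal_bit = opt + 112, "<Q", 1 << 63
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    import_rva = struct.unpack_from("<I", data, dd_base + 8)[0]     # directory[1]
    sections, sec = [], opt + opt_size
    for _ in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
        sec += 40
    imports, desc = {}, _rva_to_offset(import_rva, sections)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR; an all-zero entry terminates the array.
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0 and ft == 0:
            break
        dll = _cstring(data, _rva_to_offset(name_rva, sections)).lower()
        names, thunk = [], _rva_to_offset(oft or ft, sections)
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ordinal_bit:
                names.append("#%d" % (entry & 0xFFFF))
            else:  # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the ASCII name
                names.append(_cstring(data, _rva_to_offset(entry, sections) + 2))
            thunk += struct.calcsize(thunk_fmt)
        imports[dll] = names
        desc += 20
    return imports


def api_set_dependencies(imports):
    """Imported module names that are API-set contracts, not real DLLs."""
    return sorted(d for d in imports if d.startswith("api-ms-win-"))


def build_sample_pe(import_map):
    """Construct a minimal PE32 file holding only an import table (test data)."""
    sec_va, sec_raw = 0x1000, 0x200
    blob = bytearray(20 * (len(import_map) + 1))   # descriptors + zero terminator
    descs = []
    for dll, funcs in import_map.items():
        name_rva = sec_va + len(blob)
        blob += dll.encode("ascii") + b"\x00"
        hint_rvas = []
        for func in funcs:
            hint_rvas.append(sec_va + len(blob))
            blob += b"\x00\x00" + func.encode("ascii") + b"\x00"
        blob += b"\x00" * (-len(blob) % 4)
        thunk_rva = sec_va + len(blob)
        blob += b"".join(struct.pack("<I", r) for r in hint_rvas) + b"\x00" * 4
        descs.append(struct.pack("<IIIII", thunk_rva, 0, 0, name_rva, thunk_rva))
    blob[:20 * len(descs)] = b"".join(descs)
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, sec_va, 20 * (len(descs) + 1))
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(blob), sec_va,
                       len(blob), sec_raw, 0, 0, 0, 0, 0x40000040)
    image = dos + b"PE\x00\x00" + coff + bytes(opt) + sect
    return image + b"\x00" * (sec_raw - len(image)) + bytes(blob)


# Constructed sample: one API-set contract and one real DLL in the import table.
SAMPLE_IMPORTS = {
    "API-MS-Win-Core-LocalRegistry-L1-1-0.dll": ["RegDeleteValueW", "RegOpenKeyExW"],
    "KERNEL32.dll": ["CloseHandle"],
}


def demo():
    imports = parse_imports(build_sample_pe(SAMPLE_IMPORTS))
    return imports, api_set_dependencies(imports)
```

demo() returns the parsed import map together with the API-set module names found in it; on the constructed image that is a single entry, api-ms-win-core-localregistry-l1-1-0.dll. The parser reads OriginalFirstThunk when present and falls back to FirstThunk, because on disk both arrays point at the same hint/name entries and only the in-memory FirstThunk array is overwritten by the loader with resolved addresses, which is exactly the replacement the article describes next.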


Moreover, if we look at the disassembly of many API functions, we can see that they simply call their corresponding function in one of these api-ms-win-core DLLs. For example, RegDeleteValueW in advapi32.dll simply contains a jump to RegDeleteValueW in API-MS-Win-Core-LocalRegistry-L1-1-0.dll:

ADVAPI32!RegDeleteValueW:
77C6F301 8BFF            mov edi, edi
77C6F303 55              push ebp
77C6F304 8BEC            mov ebp, esp
77C6F306 5D              pop ebp
77C6F307 EB05            jmp 77C6F30E
...
77C6F30E FF25B414C677    jmp dword ptr [77C614B4]   <-- [77C614B4] points to the import entry of API-MS-Win-Core-LocalRegistry-L1-1-0.RegDeleteValueW

So if RegDeleteValueW in ADVAPI32 and the other functions simply jump to empty functions, how is it possible that these functions still work properly?

The answer is pretty simple: when Windows loads the DLL files, all the import entries of these api-ms-win-core DLLs are replaced with a call to a real function in the Windows kernel.
So here's our RegDeleteValueW example again: when loading a program into WinDbg, we can see that the jmp now points to the kernel32!RegDeleteValueW function. That's because during the loading of advapi32.dll, Windows automatically replaces the import entry of API-MS-Win-Core-LocalRegistry-L1-1-0.RegDeleteValueW with the address of RegDeleteValueW in kernel32.

75e5f301 8bff            mov     edi,edi
75e5f303 55              push    ebp
75e5f304 8bec            mov     ebp,esp
75e5f306 5d              pop     ebp
75e5f307 eb05            jmp     ADVAPI32!RegDeleteValueW+0xd (75e5f30e)
...
75e5f30e ff25b414e575    jmp     dword ptr [ADVAPI32+0x14b4 (75e514b4)] ds:0023:75e514b4={kernel32!RegDeleteValueW (758bd5af)}

Another new DLL: kernelbase.dll

In addition to the new API-MS-Win-Core DLL files, there is also another new DLL: kernelbase.dll.
In previous versions of Windows, most of the kernel32 functions called their corresponding functions in ntdll.dll.
In Windows 7, most of the kernel32 functions call their corresponding functions in kernelbase.dll, and kernelbase.dll is the one that makes the calls to ntdll.dll.

Effects on existing applications: compatibility issues

Most existing applications should not be affected by this kernel change, because all standard API calls still work the same way as in previous versions of Windows.
However, some diagnostic/debugging applications rely on the call chain inside the Windows kernel. Applications of this kind may not work properly in Windows 7.
My own utilities, RegFromApp and ProcessActivityView, failed to work under Windows 7 because of these changes, and that is what led me to discover the kernel changes of Windows 7. These utilities' problems have already been fixed, and they now work properly in Windows 7.

API-MS-Win-Core List

Finally, here's the list of all core DLL files added to Windows 7 and the list of functions that each one of them contains. I used my own DLL Export Viewer utility to generate the list.

DLL file, followed by the function names it exports:
api-ms-win-core-console-l1-1-0.dll
AllocConsole GetConsoleCP GetConsoleMode
GetConsoleOutputCP GetNumberOfConsoleInputEvents PeekConsoleInputA
ReadConsoleA ReadConsoleInputA ReadConsoleInputW
ReadConsoleW SetConsoleCtrlHandler SetConsoleMode
WriteConsoleA WriteConsoleW
api-ms-win-core-datetime-l1-1-0.dll
GetDateFormatA GetDateFormatW GetTimeFormatA
GetTimeFormatW
api-ms-win-core-debug-l1-1-0.dll
DebugBreak IsDebuggerPresent OutputDebugStringA
OutputDebugStringW
api-ms-win-core-delayload-l1-1-0.dll
DelayLoadFailureHook
api-ms-win-core-errorhandling-l1-1-0.dll
GetErrorMode GetLastError RaiseException
SetErrorMode SetLastError SetUnhandledExceptionFilter
UnhandledExceptionFilter
api-ms-win-core-fibers-l1-1-0.dll
FlsAlloc FlsFree FlsGetValue
FlsSetValue
api-ms-win-core-file-l1-1-0.dll
CompareFileTime CreateDirectoryA CreateDirectoryW
CreateFileA CreateFileW DefineDosDeviceW
DeleteFileA DeleteFileW DeleteVolumeMountPointW
FileTimeToLocalFileTime FileTimeToSystemTime FindClose
FindCloseChangeNotification FindFirstChangeNotificationA FindFirstChangeNotificationW
FindFirstFileA FindFirstFileExA FindFirstFileExW
FindFirstFileW FindFirstVolumeW FindNextChangeNotification
FindNextFileA FindNextFileW FindNextVolumeW
FindVolumeClose FlushFileBuffers GetDiskFreeSpaceA
GetDiskFreeSpaceExA GetDiskFreeSpaceExW GetDiskFreeSpaceW
GetDriveTypeA GetDriveTypeW GetFileAttributesA
GetFileAttributesExA GetFileAttributesExW GetFileAttributesW
GetFileInformationByHandle GetFileSize GetFileSizeEx
GetFileTime GetFileType GetFinalPathNameByHandleA
GetFinalPathNameByHandleW GetFullPathNameA GetFullPathNameW
GetLogicalDrives GetLogicalDriveStringsW GetLongPathNameA
GetLongPathNameW GetShortPathNameW GetTempFileNameW
GetVolumeInformationByHandleW GetVolumeInformationW GetVolumePathNameW
LocalFileTimeToFileTime LockFile LockFileEx
QueryDosDeviceW ReadFile ReadFileEx
ReadFileScatter RemoveDirectoryA RemoveDirectoryW
SetEndOfFile SetFileAttributesA SetFileAttributesW
SetFileInformationByHandle SetFilePointer SetFilePointerEx
SetFileTime SetFileValidData UnlockFile
UnlockFileEx WriteFile WriteFileEx
WriteFileGather
api-ms-win-core-handle-l1-1-0.dll
CloseHandle DuplicateHandle GetHandleInformation
SetHandleInformation
api-ms-win-core-heap-l1-1-0.dll
GetProcessHeap GetProcessHeaps HeapAlloc
HeapCompact HeapCreate HeapDestroy
HeapFree HeapLock HeapQueryInformation
HeapReAlloc HeapSetInformation HeapSize
HeapSummary HeapUnlock HeapValidate
HeapWalk
api-ms-win-core-interlocked-l1-1-0.dll
InitializeSListHead InterlockedCompareExchange InterlockedCompareExchange64
InterlockedDecrement InterlockedExchange InterlockedExchangeAdd
InterlockedFlushSList InterlockedIncrement InterlockedPopEntrySList
InterlockedPushEntrySList InterlockedPushListSList QueryDepthSList
api-ms-win-core-io-l1-1-0.dll
CancelIoEx CreateIoCompletionPort DeviceIoControl
GetOverlappedResult GetQueuedCompletionStatus GetQueuedCompletionStatusEx
PostQueuedCompletionStatus
api-ms-win-core-libraryloader-l1-1-0.dll
DisableThreadLibraryCalls FindResourceExW FindStringOrdinal
FreeLibrary FreeLibraryAndExitThread FreeResource
GetModuleFileNameA GetModuleFileNameW GetModuleHandleA
GetModuleHandleExA GetModuleHandleExW GetModuleHandleW
GetProcAddress LoadLibraryExA LoadLibraryExW
LoadResource LoadStringA LoadStringW
LockResource SizeofResource
api-ms-win-core-localization-l1-1-0.dll
ConvertDefaultLocale FindNLSString FindNLSStringEx
GetACP GetCalendarInfoEx GetCalendarInfoW
GetCPFileNameFromRegistry GetCPInfo GetCPInfoExW
GetFileMUIInfo GetFileMUIPath GetLocaleInfoEx
GetLocaleInfoW GetNLSVersion GetNLSVersionEx
GetOEMCP GetProcessPreferredUILanguages GetSystemDefaultLangID
GetSystemDefaultLCID GetSystemPreferredUILanguages GetThreadLocale
GetThreadPreferredUILanguages GetThreadUILanguage GetUILanguageInfo
GetUserDefaultLangID GetUserDefaultLCID GetUserPreferredUILanguages
IsNLSDefinedString IsValidCodePage IsValidLanguageGroup
IsValidLocale IsValidLocaleName LCMapStringEx
LCMapStringW LocaleNameToLCID NlsCheckPolicy
NlsEventDataDescCreate NlsGetCacheUpdateCount NlsUpdateLocale
NlsUpdateSystemLocale NlsWriteEtwEvent ResolveLocaleName
SetCalendarInfoW SetLocaleInfoW SetThreadLocale
VerLanguageNameA VerLanguageNameW
api-ms-win-core-localregistry-l1-1-0.dll
RegCloseKey RegCreateKeyExA RegCreateKeyExW
RegDeleteKeyExA RegDeleteKeyExW RegDeleteTreeA
RegDeleteTreeW RegDeleteValueA RegDeleteValueW
RegDisablePredefinedCacheEx RegEnumKeyExA RegEnumKeyExW
RegEnumValueA RegEnumValueW RegFlushKey
RegGetKeySecurity RegGetValueA RegGetValueW
RegLoadKeyA RegLoadKeyW RegLoadMUIStringA
RegLoadMUIStringW RegNotifyChangeKeyValue RegOpenCurrentUser
RegOpenKeyExA RegOpenKeyExW RegOpenUserClassesRoot
RegQueryInfoKeyA RegQueryInfoKeyW RegQueryValueExA
RegQueryValueExW RegRestoreKeyA RegRestoreKeyW
RegSaveKeyExA RegSaveKeyExW RegSetKeySecurity
RegSetValueExA RegSetValueExW RegUnLoadKeyA
RegUnLoadKeyW
api-ms-win-core-memory-l1-1-0.dll
CreateFileMappingW FlushViewOfFile MapViewOfFile
MapViewOfFileEx OpenFileMappingW ReadProcessMemory
UnmapViewOfFile VirtualAlloc VirtualAllocEx
VirtualFree VirtualFreeEx VirtualProtect
VirtualProtectEx VirtualQuery VirtualQueryEx
WriteProcessMemory
api-ms-win-core-misc-l1-1-0.dll
EnumSystemLocalesA FatalAppExitA FatalAppExitW
FormatMessageA FormatMessageW GlobalAlloc
GlobalFree IsProcessInJob IsWow64Process
LCMapStringA LocalAlloc LocalFree
LocalLock LocalReAlloc LocalUnlock
lstrcmp lstrcmpA lstrcmpi
lstrcmpiA lstrcmpiW lstrcmpW
lstrcpyn lstrcpynA lstrcpynW
lstrlen lstrlenA lstrlenW
NeedCurrentDirectoryForExePathA NeedCurrentDirectoryForExePathW PulseEvent
SetHandleCount Sleep Wow64DisableWow64FsRedirection
Wow64RevertWow64FsRedirection
api-ms-win-core-namedpipe-l1-1-0.dll
ConnectNamedPipe CreateNamedPipeW CreatePipe
DisconnectNamedPipe GetNamedPipeAttribute GetNamedPipeClientComputerNameW
ImpersonateNamedPipeClient PeekNamedPipe SetNamedPipeHandleState
TransactNamedPipe WaitNamedPipeW
api-ms-win-core-processenvironment-l1-1-0.dll
ExpandEnvironmentStringsA ExpandEnvironmentStringsW FreeEnvironmentStringsA
FreeEnvironmentStringsW GetCommandLineA GetCommandLineW
GetCurrentDirectoryA GetCurrentDirectoryW GetEnvironmentStrings
GetEnvironmentStringsA GetEnvironmentStringsW GetEnvironmentVariableA
GetEnvironmentVariableW GetStdHandle SearchPathW
SetCurrentDirectoryA SetCurrentDirectoryW SetEnvironmentStringsW
SetEnvironmentVariableA SetEnvironmentVariableW SetStdHandle
SetStdHandleEx
api-ms-win-core-processthreads-l1-1-0.dll
CreateProcessA CreateProcessAsUserW CreateProcessW
CreateRemoteThread CreateRemoteThreadEx CreateThread
DeleteProcThreadAttributeList ExitProcess ExitThread
FlushProcessWriteBuffers GetCurrentProcess GetCurrentProcessId
GetCurrentThread GetCurrentThreadId GetExitCodeProcess
GetExitCodeThread GetPriorityClass GetProcessId
GetProcessIdOfThread GetProcessTimes GetProcessVersion
GetStartupInfoW GetThreadId GetThreadPriority
GetThreadPriorityBoost InitializeProcThreadAttributeList OpenProcessToken
OpenThread OpenThreadToken ProcessIdToSessionId
QueryProcessAffinityUpdateMode QueueUserAPC ResumeThread
SetPriorityClass SetProcessAffinityUpdateMode SetProcessShutdownParameters
SetThreadPriority SetThreadPriorityBoost SetThreadStackGuarantee
SetThreadToken SuspendThread SwitchToThread
TerminateProcess TerminateThread TlsAlloc
TlsFree TlsGetValue TlsSetValue
UpdateProcThreadAttribute
api-ms-win-core-profile-l1-1-0.dll
QueryPerformanceCounter QueryPerformanceFrequency
api-ms-win-core-rtlsupport-l1-1-0.dll
RtlCaptureContext RtlCaptureStackBackTrace RtlFillMemory
RtlUnwind
api-ms-win-core-string-l1-1-0.dll
CompareStringEx CompareStringOrdinal CompareStringW
FoldStringW GetStringTypeExW GetStringTypeW
MultiByteToWideChar WideCharToMultiByte
api-ms-win-core-synch-l1-1-0.dll
AcquireSRWLockExclusive AcquireSRWLockShared
CancelWaitableTimer CreateEventA
CreateEventExA CreateEventExW
CreateEventW CreateMutexA
CreateMutexExA CreateMutexExW
CreateMutexW CreateSemaphoreExW
CreateWaitableTimerExW DeleteCriticalSection
EnterCriticalSection InitializeCriticalSection
InitializeCriticalSectionAndSpinCount InitializeCriticalSectionEx
InitializeSRWLock LeaveCriticalSection
OpenEventA OpenEventW
OpenMutexW OpenProcess
OpenSemaphoreW OpenWaitableTimerW
ReleaseMutex ReleaseSemaphore
ReleaseSRWLockExclusive ReleaseSRWLockShared
ResetEvent SetCriticalSectionSpinCount
SetEvent SetWaitableTimer
SetWaitableTimerEx SleepEx
TryAcquireSRWLockExclusive TryAcquireSRWLockShared
TryEnterCriticalSection WaitForMultipleObjectsEx
WaitForSingleObject WaitForSingleObjectEx
api-ms-win-core-sysinfo-l1-1-0.dll
GetComputerNameExA GetComputerNameExW GetDynamicTimeZoneInformation
GetLocalTime GetLogicalProcessorInformation GetLogicalProcessorInformationEx
GetSystemDirectoryA GetSystemDirectoryW GetSystemInfo
GetSystemTime GetSystemTimeAdjustment GetSystemTimeAsFileTime
GetSystemWindowsDirectoryA GetSystemWindowsDirectoryW GetTickCount
GetTickCount64 GetTimeZoneInformation GetTimeZoneInformationForYear
GetVersion GetVersionExA GetVersionExW
GetWindowsDirectoryA GetWindowsDirectoryW GlobalMemoryStatusEx
SetLocalTime SystemTimeToFileTime SystemTimeToTzSpecificLocalTime
TzSpecificLocalTimeToSystemTime
api-ms-win-core-threadpool-l1-1-0.dll
CallbackMayRunLong CancelThreadpoolIo
ChangeTimerQueueTimer CloseThreadpool
CloseThreadpoolCleanupGroup CloseThreadpoolCleanupGroupMembers
CloseThreadpoolIo CloseThreadpoolTimer
CloseThreadpoolWait CloseThreadpoolWork
CreateThreadpool CreateThreadpoolCleanupGroup
CreateThreadpoolIo CreateThreadpoolTimer
CreateThreadpoolWait CreateThreadpoolWork
CreateTimerQueue CreateTimerQueueTimer
DeleteTimerQueueEx DeleteTimerQueueTimer
DisassociateCurrentThreadFromCallback FreeLibraryWhenCallbackReturns
IsThreadpoolTimerSet LeaveCriticalSectionWhenCallbackReturns
QueryThreadpoolStackInformation RegisterWaitForSingleObjectEx
ReleaseMutexWhenCallbackReturns ReleaseSemaphoreWhenCallbackReturns
SetEventWhenCallbackReturns SetThreadpoolStackInformation
SetThreadpoolThreadMaximum SetThreadpoolThreadMinimum
SetThreadpoolTimer SetThreadpoolWait
StartThreadpoolIo SubmitThreadpoolWork
TrySubmitThreadpoolCallback UnregisterWaitEx
WaitForThreadpoolIoCallbacks WaitForThreadpoolTimerCallbacks
WaitForThreadpoolWaitCallbacks WaitForThreadpoolWorkCallbacks
api-ms-win-core-util-l1-1-0.dll
Beep DecodePointer DecodeSystemPointer
EncodePointer EncodeSystemPointer
api-ms-win-core-xstate-l1-1-0.dll
RtlCopyExtendedContext RtlGetEnabledExtendedFeatures RtlGetExtendedContextLength
RtlGetExtendedFeaturesMask RtlInitializeExtendedContext RtlLocateExtendedFeature
RtlLocateLegacyContext RtlSetExtendedFeaturesMask
api-ms-win-security-base-l1-1-0.dll
AccessCheck AccessCheckAndAuditAlarmW
AccessCheckByType AccessCheckByTypeAndAuditAlarmW
AccessCheckByTypeResultList AccessCheckByTypeResultListAndAuditAlarmByHandleW
AccessCheckByTypeResultListAndAuditAlarmW AddAccessAllowedAce
AddAccessAllowedAceEx AddAccessAllowedObjectAce
AddAccessDeniedAce AddAccessDeniedAceEx
AddAccessDeniedObjectAce AddAce
AddAuditAccessAce AddAuditAccessAceEx
AddAuditAccessObjectAce AddMandatoryAce
AdjustTokenGroups AdjustTokenPrivileges
AllocateAndInitializeSid AllocateLocallyUniqueId
AreAllAccessesGranted AreAnyAccessesGranted
CheckTokenMembership ConvertToAutoInheritPrivateObjectSecurity
CopySid CreatePrivateObjectSecurity
CreatePrivateObjectSecurityEx CreatePrivateObjectSecurityWithMultipleInheritance
CreateRestrictedToken CreateWellKnownSid
DeleteAce DestroyPrivateObjectSecurity
DuplicateToken DuplicateTokenEx
EqualDomainSid EqualPrefixSid
EqualSid FindFirstFreeAce
FreeSid GetAce
GetAclInformation GetFileSecurityW
GetKernelObjectSecurity GetLengthSid
GetPrivateObjectSecurity GetSecurityDescriptorControl
GetSecurityDescriptorDacl GetSecurityDescriptorGroup
GetSecurityDescriptorLength GetSecurityDescriptorOwner
GetSecurityDescriptorRMControl GetSecurityDescriptorSacl
GetSidIdentifierAuthority GetSidLengthRequired
GetSidSubAuthority GetSidSubAuthorityCount
GetTokenInformation GetWindowsAccountDomainSid
ImpersonateAnonymousToken ImpersonateLoggedOnUser
ImpersonateSelf InitializeAcl
InitializeSecurityDescriptor InitializeSid
IsTokenRestricted IsValidAcl
IsValidRelativeSecurityDescriptor IsValidSecurityDescriptor
IsValidSid IsWellKnownSid
MakeAbsoluteSD MakeAbsoluteSD2
MakeSelfRelativeSD MapGenericMask
ObjectCloseAuditAlarmW ObjectDeleteAuditAlarmW
ObjectOpenAuditAlarmW ObjectPrivilegeAuditAlarmW
PrivilegeCheck PrivilegedServiceAuditAlarmW
QuerySecurityAccessMask RevertToSelf
SetAclInformation SetFileSecurityW
SetKernelObjectSecurity SetPrivateObjectSecurity
SetPrivateObjectSecurityEx SetSecurityAccessMask
SetSecurityDescriptorControl SetSecurityDescriptorDacl
SetSecurityDescriptorGroup SetSecurityDescriptorOwner
SetSecurityDescriptorRMControl SetSecurityDescriptorSacl
SetTokenInformation
api-ms-win-security-lsalookup-l1-1-0.dll
LookupAccountNameLocalA LookupAccountNameLocalW LookupAccountSidLocalA
LookupAccountSidLocalW LsaLookupClose LsaLookupFreeMemory
LsaLookupGetDomainInfo LsaLookupManageSidNameMapping LsaLookupOpenLocalPolicy
LsaLookupTranslateNames LsaLookupTranslateSids
api-ms-win-security-sddl-l1-1-0.dll
ConvertSecurityDescriptorToStringSecurityDescriptorW ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW ConvertStringSidToSidW
api-ms-win-service-core-l1-1-0.dll
RegisterServiceCtrlHandlerExW SetServiceStatus StartServiceCtrlDispatcherW
api-ms-win-service-management-l1-1-0.dll
CloseServiceHandle ControlServiceExW CreateServiceW
DeleteService OpenSCManagerW OpenServiceW
StartServiceW
api-ms-win-service-management-l2-1-0.dll
ChangeServiceConfig2W ChangeServiceConfigW NotifyServiceStatusChangeW
QueryServiceConfig2W QueryServiceConfigW QueryServiceObjectSecurity
QueryServiceStatusEx SetServiceObjectSecurity
api-ms-win-service-winsvc-l1-1-0.dll
ChangeServiceConfig2A ChangeServiceConfigA ControlService
ControlServiceExA CreateServiceA I_QueryTagInformation
I_ScBroadcastServiceControlMessage I_ScIsSecurityProcess I_ScPnPGetServiceName
I_ScQueryServiceConfig I_ScRpcBindA I_ScRpcBindW
I_ScSendPnPMessage I_ScSendTSMessage I_ScValidatePnPService
NotifyServiceStatusChangeA OpenSCManagerA OpenServiceA
QueryServiceConfig2A QueryServiceConfigA QueryServiceStatus
RegisterServiceCtrlHandlerA RegisterServiceCtrlHandlerExA RegisterServiceCtrlHandlerW
StartServiceA StartServiceCtrlDispatcherA