  • Some changes in the Win7 programming interfaces

    Original article: http://www.nirsoft.net/articles/windows_7_kernel_architecture_changes.html

    Windows 7 introduces a new set of DLL files containing exported functions of many well-known Win32 APIs. All these file names begin with the 'api-ms-win-core' prefix, followed by the function category name.
    For example, api-ms-win-core-localregistry-l1-1-0.dll contains the exported names of all Registry functions, api-ms-win-core-file-l1-1-0.dll contains the exported names of all file-related functions, api-ms-win-core-localization-l1-1-0.dll contains the exported names of all localization functions, and so on.

    If you look more closely at these files, you'll see that they are all very small and that the functions in them don't do anything: they simply return TRUE. As an example, here is the disassembly of the RegDeleteValueW function in api-ms-win-core-localregistry-l1-1-0.dll:

    084010CE 33C0                    xor eax, eax
    084010D0 40                      inc eax
    084010D1 C20800                  ret 0008
    
    Looking at them in the Dependency Walker utility, we can see that advapi32.dll, kernel32.dll and other system DLL files are now statically linked to these empty api-ms-win-core files.

    Moreover, if we look at the disassembly of many API functions, we can see that they simply call their corresponding function in one of these api-ms-win-core DLLs. For example, RegDeleteValueW in advapi32.dll simply contains a jump to RegDeleteValueW in API-MS-Win-Core-LocalRegistry-L1-1-0.dll:

    ADVAPI32!RegDeleteValueW:
    77C6F301 8BFF                    mov edi, edi
    77C6F303 55                      push ebp
    77C6F304 8BEC                    mov ebp, esp
    77C6F306 5D                      pop ebp
    77C6F307 EB05                    jmp 77C6F30E
    .
    .
    .
    77C6F30E FF25B414C677            Jmp dword ptr [77C614B4]   <-- [77C614B4] points to the import entry of API-MS-Win-Core-LocalRegistry-L1-1-0.RegDeleteValueW
    
    So if RegDeleteValueW in ADVAPI32 and the other functions simply jump to empty functions, how is it possible that these functions still work properly?

    The answer is pretty simple: when Windows loads the DLL files, all the import entries for these api-ms-win-core DLLs are replaced with the address of the real function in a Windows kernel DLL.
    Here's our RegDeleteValueW example again: when loading a program in WinDbg, we can see that the jmp now points to the kernel32!RegDeleteValueW function. That's because, while loading advapi32.dll, Windows automatically replaces the import entry for API-MS-Win-Core-LocalRegistry-L1-1-0.RegDeleteValueW with the address of RegDeleteValueW in kernel32.

    75e5f301 8bff            mov     edi,edi
    75e5f303 55              push    ebp
    75e5f304 8bec            mov     ebp,esp
    75e5f306 5d              pop     ebp
    75e5f307 eb05            jmp     ADVAPI32!RegDeleteValueW+0xd (75e5f30e)
    .
    .
    .
    75e5f30e ff25b414e575    jmp     dword ptr [ADVAPI32+0x14b4 (75e514b4)] ds:0023:75e514b4={kernel32!RegDeleteValueW (758bd5af)}
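
The dependency that Dependency Walker shows above can also be read straight out of a PE file's import directory, which is what the advapi32 import entry for API-MS-Win-Core-LocalRegistry-L1-1-0.RegDeleteValueW lives in. The script below is an added example written for this page; it is not code from the original article or from NirSoft. It builds a constructed 32-bit import directory (IMAGE_IMPORT_DESCRIPTOR array, INT/IAT thunks and IMAGE_IMPORT_BY_NAME records) modelled on an advapi32-style import of the api-set DLL, parses it back, and separates api-ms-win-* imports from direct ones. The sample import list, the section RVA 0x2000 and the reading of the name suffix in api_set_parts as (category, level, major, minor) are assumptions made for the example, not facts from the article; the parser itself follows the documented 32-bit import table layout.

```python
import struct

# Constructed layout: the fake .idata section is assumed to be mapped at this RVA
SECTION_RVA = 0x2000
IMAGE_ORDINAL_FLAG32 = 0x80000000      # high bit set in a 32-bit thunk => import by ordinal
DESCRIPTOR_SIZE = 20                   # sizeof(IMAGE_IMPORT_DESCRIPTOR)
API_SET_PREFIX = "api-ms-win-"         # prefix shared by every DLL in the article's list


def build_import_section(imports):
    """Serialise {dll_name: [func_name | ordinal_int, ...]} as a 32-bit PE import directory:
    a null-terminated IMAGE_IMPORT_DESCRIPTOR array, INT/IAT thunk arrays, IMAGE_IMPORT_BY_NAME
    records and DLL name strings. Every RVA is relative to SECTION_RVA."""
    n = len(imports)
    blob = bytearray(DESCRIPTOR_SIZE * (n + 1))   # descriptors first; the last one stays all-zero

    def put(data, align=1):
        while len(blob) % align:
            blob.append(0)
        rva = SECTION_RVA + len(blob)
        blob.extend(data)
        return rva

    for i, (dll, funcs) in enumerate(imports.items()):
        thunks = []
        for f in funcs:
            if isinstance(f, int):
                thunks.append(IMAGE_ORDINAL_FLAG32 | f)
            else:  # IMAGE_IMPORT_BY_NAME: WORD Hint followed by the NUL-terminated name
                thunks.append(put(struct.pack("<H", 0) + f.encode("ascii") + b"\0", align=2))
        thunk_bytes = struct.pack("<%dI" % (len(thunks) + 1), *thunks, 0)
        oft = put(thunk_bytes, align=4)   # OriginalFirstThunk: the INT, never patched
        ft = put(thunk_bytes, align=4)    # FirstThunk: the IAT, overwritten by the loader
        name_rva = put(dll.encode("ascii") + b"\0")
        struct.pack_into("<IIIII", blob, i * DESCRIPTOR_SIZE, oft, 0, 0, name_rva, ft)
    return bytes(blob)


def parse_import_directory(section, section_rva=SECTION_RVA):
    """Walk the descriptor array and return {dll_name: [func_name | ordinal_int, ...]}."""
    def cstr(rva):
        off = rva - section_rva
        return section[off:section.index(b"\0", off)].decode("ascii")

    table = {}
    off = 0
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", section, off)
        if name_rva == 0 and ft == 0:          # all-zero terminator descriptor
            break
        entries = []
        toff = (oft or ft) - section_rva       # some linkers leave OriginalFirstThunk zero
        while True:
            thunk, = struct.unpack_from("<I", section, toff)
            if thunk == 0:
                break
            if thunk & IMAGE_ORDINAL_FLAG32:
                entries.append(thunk & 0xFFFF)
            else:
                entries.append(cstr(thunk + 2))  # skip the WORD hint of IMAGE_IMPORT_BY_NAME
            toff += 4
        table[cstr(name_rva)] = entries
        off += DESCRIPTOR_SIZE
    return table


def is_api_set(dll):
    return dll.lower().startswith(API_SET_PREFIX)


def split_imports(table):
    """Return (api_set_imports, direct_imports), each a dict like the input."""
    api = {d: f for d, f in table.items() if is_api_set(d)}
    direct = {d: f for d, f in table.items() if not is_api_set(d)}
    return api, direct


def api_set_parts(name):
    """Split 'api-ms-win-core-localregistry-l1-1-0.dll' into (category, level, major, minor).
    Assumption: the trailing lN-M-K of every name in the list is a level and version pair."""
    stem = name.lower()
    if stem.endswith(".dll"):
        stem = stem[:-4]
    if not stem.startswith(API_SET_PREFIX):
        return None
    parts = stem[len(API_SET_PREFIX):].rsplit("-", 3)
    if len(parts) != 4 or not parts[1].startswith("l"):
        return None
    category, level, major, minor = parts
    return category, int(level[1:]), int(major), int(minor)


# Constructed sample, modelled on the advapi32 -> api-set dependency the article shows
SAMPLE_IMPORTS = {
    "api-ms-win-core-localregistry-l1-1-0.dll": ["RegDeleteValueW", "RegCloseKey"],
    "KERNEL32.dll": ["CloseHandle", 42],
}

if __name__ == "__main__":
    api, direct = split_imports(parse_import_directory(build_import_section(SAMPLE_IMPORTS)))
    for dll, funcs in api.items():
        print("api set %-42s %s -> %s" % (dll, api_set_parts(dll), funcs))
    for dll, funcs in direct.items():
        print("direct  %-42s %s" % (dll, funcs))
```

To run the parser against a real 32-bit binary, pass it the bytes of the section that holds the import directory together with that section's RVA; the loader-patched IAT is never consulted, because the INT (OriginalFirstThunk) is what records which api-set the import came from.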
    

    Another new DLL: kernelbase.dll

    In addition to the new API-MS-Win-Core DLL files, there is another new DLL: kernelbase.dll.
    In previous versions of Windows, most kernel32 functions called their corresponding functions in ntdll.dll.
    In Windows 7, most kernel32 functions call their corresponding functions in kernelbase.dll, and kernelbase.dll is the one that makes the calls into ntdll.dll.

    Effects on existing applications - compatibility issues

    Most existing applications should not be affected by this kernel change, because all standard API calls still work the same as in previous versions of Windows.
    However, some diagnostic/debugging applications rely on the call chain inside the Windows kernel. These kinds of applications may not work properly in Windows 7.
    My own utilities, RegFromApp and ProcessActivityView, failed to work under Windows 7 because of these changes, and that is what led me to discover the kernel changes of Windows 7. These problems have already been fixed, and the utilities now work properly in Windows 7.
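
A diagnostic tool that hooks or traces by module name needs to know where a function actually ends up once the loader has resolved the api-set import, which is the question the WinDbg session above answered for RegDeleteValueW. The script below is an added example written for this page, not the article's or NirSoft's code. It assumes Windows 7 or later and that LoadLibraryW accepts an api-set name (which the loader resolves to the host DLL); it asks GetProcAddress for the export and then uses GetModuleHandleExW with GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS to name the module whose image contains the resolved address. On Windows 7 that is kernel32, as the article shows; on later Windows versions the owner is typically kernelbase.dll. Outside Windows resolve_export returns None.

```python
import ctypes
import os
import sys

# Flag values for GetModuleHandleExW, as defined in the Windows SDK headers
GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT = 0x00000002
GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS = 0x00000004


def _kernel32():
    """Bind the handful of kernel32 exports the check needs (Windows only)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.LoadLibraryW.argtypes = [ctypes.c_wchar_p]
    k32.LoadLibraryW.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetModuleHandleExW.argtypes = [ctypes.c_uint32, ctypes.c_void_p,
                                       ctypes.POINTER(ctypes.c_void_p)]
    k32.GetModuleHandleExW.restype = ctypes.c_int
    k32.GetModuleFileNameW.restype = ctypes.c_uint32
    return k32


def module_owning(addr):
    """Base name of the loaded module whose image contains addr
    (the 'kernel32!' part of what WinDbg prints as kernel32!RegDeleteValueW)."""
    k32 = _kernel32()
    hmod = ctypes.c_void_p()
    ok = k32.GetModuleHandleExW(
        GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS | GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
        addr, ctypes.byref(hmod))
    if not ok:
        raise ctypes.WinError(ctypes.get_last_error())
    buf = ctypes.create_unicode_buffer(32768)
    if not k32.GetModuleFileNameW(hmod, buf, len(buf)):
        raise ctypes.WinError(ctypes.get_last_error())
    return os.path.basename(buf.value)


def resolve_export(dll, func):
    """Return (address, owning_module) for dll!func as the loader resolves it,
    or None when not running on Windows."""
    if sys.platform != "win32":
        return None
    k32 = _kernel32()
    hlib = k32.LoadLibraryW(dll)
    if not hlib:
        raise ctypes.WinError(ctypes.get_last_error())
    addr = k32.GetProcAddress(hlib, func.encode("ascii"))
    if not addr:
        raise ctypes.WinError(ctypes.get_last_error())
    return addr, module_owning(addr)


if __name__ == "__main__":
    # Compare the export advapi32 advertises with the one the api-set name resolves to
    for dll in ("advapi32.dll", "api-ms-win-core-localregistry-l1-1-0.dll"):
        result = resolve_export(dll, "RegDeleteValueW")
        if result is None:
            print("not running on Windows")
            break
        addr, owner = result
        print("%-45s RegDeleteValueW -> %#x in %s" % (dll, addr, owner))
```

Running it on Windows 7 prints two different addresses: advapi32's export is the jump stub the article disassembled, while the api-set name yields the implementation that the loader wrote into the import entry. A tool that matches on "kernel32" or "advapi32" by name alone will therefore miss the redirection, which is the class of breakage described above.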

    API-MS-Win-Core List

    Finally, here's the list of all core DLL files added to Windows 7 and the functions that each one of them contains. I used my own DLL Export Viewer utility to generate the list.
    DLL file, each followed by its exported function names:
    api-ms-win-core-console-l1-1-0.dll
    AllocConsole GetConsoleCP GetConsoleMode
    GetConsoleOutputCP GetNumberOfConsoleInputEvents PeekConsoleInputA
    ReadConsoleA ReadConsoleInputA ReadConsoleInputW
    ReadConsoleW SetConsoleCtrlHandler SetConsoleMode
    WriteConsoleA WriteConsoleW
    api-ms-win-core-datetime-l1-1-0.dll
    GetDateFormatA GetDateFormatW GetTimeFormatA
    GetTimeFormatW
    api-ms-win-core-debug-l1-1-0.dll
    DebugBreak IsDebuggerPresent OutputDebugStringA
    OutputDebugStringW
    api-ms-win-core-delayload-l1-1-0.dll
    DelayLoadFailureHook
    api-ms-win-core-errorhandling-l1-1-0.dll
    GetErrorMode GetLastError RaiseException
    SetErrorMode SetLastError SetUnhandledExceptionFilter
    UnhandledExceptionFilter
    api-ms-win-core-fibers-l1-1-0.dll
    FlsAlloc FlsFree FlsGetValue
    FlsSetValue
    api-ms-win-core-file-l1-1-0.dll
    CompareFileTime CreateDirectoryA CreateDirectoryW
    CreateFileA CreateFileW DefineDosDeviceW
    DeleteFileA DeleteFileW DeleteVolumeMountPointW
    FileTimeToLocalFileTime FileTimeToSystemTime FindClose
    FindCloseChangeNotification FindFirstChangeNotificationA FindFirstChangeNotificationW
    FindFirstFileA FindFirstFileExA FindFirstFileExW
    FindFirstFileW FindFirstVolumeW FindNextChangeNotification
    FindNextFileA FindNextFileW FindNextVolumeW
    FindVolumeClose FlushFileBuffers GetDiskFreeSpaceA
    GetDiskFreeSpaceExA GetDiskFreeSpaceExW GetDiskFreeSpaceW
    GetDriveTypeA GetDriveTypeW GetFileAttributesA
    GetFileAttributesExA GetFileAttributesExW GetFileAttributesW
    GetFileInformationByHandle GetFileSize GetFileSizeEx
    GetFileTime GetFileType GetFinalPathNameByHandleA
    GetFinalPathNameByHandleW GetFullPathNameA GetFullPathNameW
    GetLogicalDrives GetLogicalDriveStringsW GetLongPathNameA
    GetLongPathNameW GetShortPathNameW GetTempFileNameW
    GetVolumeInformationByHandleW GetVolumeInformationW GetVolumePathNameW
    LocalFileTimeToFileTime LockFile LockFileEx
    QueryDosDeviceW ReadFile ReadFileEx
    ReadFileScatter RemoveDirectoryA RemoveDirectoryW
    SetEndOfFile SetFileAttributesA SetFileAttributesW
    SetFileInformationByHandle SetFilePointer SetFilePointerEx
    SetFileTime SetFileValidData UnlockFile
    UnlockFileEx WriteFile WriteFileEx
    WriteFileGather
    api-ms-win-core-handle-l1-1-0.dll
    CloseHandle DuplicateHandle GetHandleInformation
    SetHandleInformation
    api-ms-win-core-heap-l1-1-0.dll
    GetProcessHeap GetProcessHeaps HeapAlloc
    HeapCompact HeapCreate HeapDestroy
    HeapFree HeapLock HeapQueryInformation
    HeapReAlloc HeapSetInformation HeapSize
    HeapSummary HeapUnlock HeapValidate
    HeapWalk
    api-ms-win-core-interlocked-l1-1-0.dll
    InitializeSListHead InterlockedCompareExchange InterlockedCompareExchange64
    InterlockedDecrement InterlockedExchange InterlockedExchangeAdd
    InterlockedFlushSList InterlockedIncrement InterlockedPopEntrySList
    InterlockedPushEntrySList InterlockedPushListSList QueryDepthSList
    api-ms-win-core-io-l1-1-0.dll
    CancelIoEx CreateIoCompletionPort DeviceIoControl
    GetOverlappedResult GetQueuedCompletionStatus GetQueuedCompletionStatusEx
    PostQueuedCompletionStatus
    api-ms-win-core-libraryloader-l1-1-0.dll
    DisableThreadLibraryCalls FindResourceExW FindStringOrdinal
    FreeLibrary FreeLibraryAndExitThread FreeResource
    GetModuleFileNameA GetModuleFileNameW GetModuleHandleA
    GetModuleHandleExA GetModuleHandleExW GetModuleHandleW
    GetProcAddress LoadLibraryExA LoadLibraryExW
    LoadResource LoadStringA LoadStringW
    LockResource SizeofResource
    api-ms-win-core-localization-l1-1-0.dll
    ConvertDefaultLocale FindNLSString FindNLSStringEx
    GetACP GetCalendarInfoEx GetCalendarInfoW
    GetCPFileNameFromRegistry GetCPInfo GetCPInfoExW
    GetFileMUIInfo GetFileMUIPath GetLocaleInfoEx
    GetLocaleInfoW GetNLSVersion GetNLSVersionEx
    GetOEMCP GetProcessPreferredUILanguages GetSystemDefaultLangID
    GetSystemDefaultLCID GetSystemPreferredUILanguages GetThreadLocale
    GetThreadPreferredUILanguages GetThreadUILanguage GetUILanguageInfo
    GetUserDefaultLangID GetUserDefaultLCID GetUserPreferredUILanguages
    IsNLSDefinedString IsValidCodePage IsValidLanguageGroup
    IsValidLocale IsValidLocaleName LCMapStringEx
    LCMapStringW LocaleNameToLCID NlsCheckPolicy
    NlsEventDataDescCreate NlsGetCacheUpdateCount NlsUpdateLocale
    NlsUpdateSystemLocale NlsWriteEtwEvent ResolveLocaleName
    SetCalendarInfoW SetLocaleInfoW SetThreadLocale
    VerLanguageNameA VerLanguageNameW
    api-ms-win-core-localregistry-l1-1-0.dll
    RegCloseKey RegCreateKeyExA RegCreateKeyExW
    RegDeleteKeyExA RegDeleteKeyExW RegDeleteTreeA
    RegDeleteTreeW RegDeleteValueA RegDeleteValueW
    RegDisablePredefinedCacheEx RegEnumKeyExA RegEnumKeyExW
    RegEnumValueA RegEnumValueW RegFlushKey
    RegGetKeySecurity RegGetValueA RegGetValueW
    RegLoadKeyA RegLoadKeyW RegLoadMUIStringA
    RegLoadMUIStringW RegNotifyChangeKeyValue RegOpenCurrentUser
    RegOpenKeyExA RegOpenKeyExW RegOpenUserClassesRoot
    RegQueryInfoKeyA RegQueryInfoKeyW RegQueryValueExA
    RegQueryValueExW RegRestoreKeyA RegRestoreKeyW
    RegSaveKeyExA RegSaveKeyExW RegSetKeySecurity
    RegSetValueExA RegSetValueExW RegUnLoadKeyA
    RegUnLoadKeyW
    api-ms-win-core-memory-l1-1-0.dll
    CreateFileMappingW FlushViewOfFile MapViewOfFile
    MapViewOfFileEx OpenFileMappingW ReadProcessMemory
    UnmapViewOfFile VirtualAlloc VirtualAllocEx
    VirtualFree VirtualFreeEx VirtualProtect
    VirtualProtectEx VirtualQuery VirtualQueryEx
    WriteProcessMemory
    api-ms-win-core-misc-l1-1-0.dll
    EnumSystemLocalesA FatalAppExitA FatalAppExitW
    FormatMessageA FormatMessageW GlobalAlloc
    GlobalFree IsProcessInJob IsWow64Process
    LCMapStringA LocalAlloc LocalFree
    LocalLock LocalReAlloc LocalUnlock
    lstrcmp lstrcmpA lstrcmpi
    lstrcmpiA lstrcmpiW lstrcmpW
    lstrcpyn lstrcpynA lstrcpynW
    lstrlen lstrlenA lstrlenW
    NeedCurrentDirectoryForExePathA NeedCurrentDirectoryForExePathW PulseEvent
    SetHandleCount Sleep Wow64DisableWow64FsRedirection
    Wow64RevertWow64FsRedirection
    api-ms-win-core-namedpipe-l1-1-0.dll
    ConnectNamedPipe CreateNamedPipeW CreatePipe
    DisconnectNamedPipe GetNamedPipeAttribute GetNamedPipeClientComputerNameW
    ImpersonateNamedPipeClient PeekNamedPipe SetNamedPipeHandleState
    TransactNamedPipe WaitNamedPipeW
    api-ms-win-core-processenvironment-l1-1-0.dll
    ExpandEnvironmentStringsA ExpandEnvironmentStringsW FreeEnvironmentStringsA
    FreeEnvironmentStringsW GetCommandLineA GetCommandLineW
    GetCurrentDirectoryA GetCurrentDirectoryW GetEnvironmentStrings
    GetEnvironmentStringsA GetEnvironmentStringsW GetEnvironmentVariableA
    GetEnvironmentVariableW GetStdHandle SearchPathW
    SetCurrentDirectoryA SetCurrentDirectoryW SetEnvironmentStringsW
    SetEnvironmentVariableA SetEnvironmentVariableW SetStdHandle
    SetStdHandleEx
    api-ms-win-core-processthreads-l1-1-0.dll
    CreateProcessA CreateProcessAsUserW CreateProcessW
    CreateRemoteThread CreateRemoteThreadEx CreateThread
    DeleteProcThreadAttributeList ExitProcess ExitThread
    FlushProcessWriteBuffers GetCurrentProcess GetCurrentProcessId
    GetCurrentThread GetCurrentThreadId GetExitCodeProcess
    GetExitCodeThread GetPriorityClass GetProcessId
    GetProcessIdOfThread GetProcessTimes GetProcessVersion
    GetStartupInfoW GetThreadId GetThreadPriority
    GetThreadPriorityBoost InitializeProcThreadAttributeList OpenProcessToken
    OpenThread OpenThreadToken ProcessIdToSessionId
    QueryProcessAffinityUpdateMode QueueUserAPC ResumeThread
    SetPriorityClass SetProcessAffinityUpdateMode SetProcessShutdownParameters
    SetThreadPriority SetThreadPriorityBoost SetThreadStackGuarantee
    SetThreadToken SuspendThread SwitchToThread
    TerminateProcess TerminateThread TlsAlloc
    TlsFree TlsGetValue TlsSetValue
    UpdateProcThreadAttribute
    api-ms-win-core-profile-l1-1-0.dll
    QueryPerformanceCounter QueryPerformanceFrequency
    api-ms-win-core-rtlsupport-l1-1-0.dll
    RtlCaptureContext RtlCaptureStackBackTrace RtlFillMemory
    RtlUnwind
    api-ms-win-core-string-l1-1-0.dll
    CompareStringEx CompareStringOrdinal CompareStringW
    FoldStringW GetStringTypeExW GetStringTypeW
    MultiByteToWideChar WideCharToMultiByte
    api-ms-win-core-synch-l1-1-0.dll
    AcquireSRWLockExclusive AcquireSRWLockShared
    CancelWaitableTimer CreateEventA
    CreateEventExA CreateEventExW
    CreateEventW CreateMutexA
    CreateMutexExA CreateMutexExW
    CreateMutexW CreateSemaphoreExW
    CreateWaitableTimerExW DeleteCriticalSection
    EnterCriticalSection InitializeCriticalSection
    InitializeCriticalSectionAndSpinCount InitializeCriticalSectionEx
    InitializeSRWLock LeaveCriticalSection
    OpenEventA OpenEventW
    OpenMutexW OpenProcess
    OpenSemaphoreW OpenWaitableTimerW
    ReleaseMutex ReleaseSemaphore
    ReleaseSRWLockExclusive ReleaseSRWLockShared
    ResetEvent SetCriticalSectionSpinCount
    SetEvent SetWaitableTimer
    SetWaitableTimerEx SleepEx
    TryAcquireSRWLockExclusive TryAcquireSRWLockShared
    TryEnterCriticalSection WaitForMultipleObjectsEx
    WaitForSingleObject WaitForSingleObjectEx
    api-ms-win-core-sysinfo-l1-1-0.dll
    GetComputerNameExA GetComputerNameExW GetDynamicTimeZoneInformation
    GetLocalTime GetLogicalProcessorInformation GetLogicalProcessorInformationEx
    GetSystemDirectoryA GetSystemDirectoryW GetSystemInfo
    GetSystemTime GetSystemTimeAdjustment GetSystemTimeAsFileTime
    GetSystemWindowsDirectoryA GetSystemWindowsDirectoryW GetTickCount
    GetTickCount64 GetTimeZoneInformation GetTimeZoneInformationForYear
    GetVersion GetVersionExA GetVersionExW
    GetWindowsDirectoryA GetWindowsDirectoryW GlobalMemoryStatusEx
    SetLocalTime SystemTimeToFileTime SystemTimeToTzSpecificLocalTime
    TzSpecificLocalTimeToSystemTime
    api-ms-win-core-threadpool-l1-1-0.dll
    CallbackMayRunLong CancelThreadpoolIo
    ChangeTimerQueueTimer CloseThreadpool
    CloseThreadpoolCleanupGroup CloseThreadpoolCleanupGroupMembers
    CloseThreadpoolIo CloseThreadpoolTimer
    CloseThreadpoolWait CloseThreadpoolWork
    CreateThreadpool CreateThreadpoolCleanupGroup
    CreateThreadpoolIo CreateThreadpoolTimer
    CreateThreadpoolWait CreateThreadpoolWork
    CreateTimerQueue CreateTimerQueueTimer
    DeleteTimerQueueEx DeleteTimerQueueTimer
    DisassociateCurrentThreadFromCallback FreeLibraryWhenCallbackReturns
    IsThreadpoolTimerSet LeaveCriticalSectionWhenCallbackReturns
    QueryThreadpoolStackInformation RegisterWaitForSingleObjectEx
    ReleaseMutexWhenCallbackReturns ReleaseSemaphoreWhenCallbackReturns
    SetEventWhenCallbackReturns SetThreadpoolStackInformation
    SetThreadpoolThreadMaximum SetThreadpoolThreadMinimum
    SetThreadpoolTimer SetThreadpoolWait
    StartThreadpoolIo SubmitThreadpoolWork
    TrySubmitThreadpoolCallback UnregisterWaitEx
    WaitForThreadpoolIoCallbacks WaitForThreadpoolTimerCallbacks
    WaitForThreadpoolWaitCallbacks WaitForThreadpoolWorkCallbacks
    api-ms-win-core-util-l1-1-0.dll
    Beep DecodePointer DecodeSystemPointer
    EncodePointer EncodeSystemPointer
    api-ms-win-core-xstate-l1-1-0.dll
    RtlCopyExtendedContext RtlGetEnabledExtendedFeatures RtlGetExtendedContextLength
    RtlGetExtendedFeaturesMask RtlInitializeExtendedContext RtlLocateExtendedFeature
    RtlLocateLegacyContext RtlSetExtendedFeaturesMask
    api-ms-win-security-base-l1-1-0.dll
    AccessCheck AccessCheckAndAuditAlarmW
    AccessCheckByType AccessCheckByTypeAndAuditAlarmW
    AccessCheckByTypeResultList AccessCheckByTypeResultListAndAuditAlarmByHandleW
    AccessCheckByTypeResultListAndAuditAlarmW AddAccessAllowedAce
    AddAccessAllowedAceEx AddAccessAllowedObjectAce
    AddAccessDeniedAce AddAccessDeniedAceEx
    AddAccessDeniedObjectAce AddAce
    AddAuditAccessAce AddAuditAccessAceEx
    AddAuditAccessObjectAce AddMandatoryAce
    AdjustTokenGroups AdjustTokenPrivileges
    AllocateAndInitializeSid AllocateLocallyUniqueId
    AreAllAccessesGranted AreAnyAccessesGranted
    CheckTokenMembership ConvertToAutoInheritPrivateObjectSecurity
    CopySid CreatePrivateObjectSecurity
    CreatePrivateObjectSecurityEx CreatePrivateObjectSecurityWithMultipleInheritance
    CreateRestrictedToken CreateWellKnownSid
    DeleteAce DestroyPrivateObjectSecurity
    DuplicateToken DuplicateTokenEx
    EqualDomainSid EqualPrefixSid
    EqualSid FindFirstFreeAce
    FreeSid GetAce
    GetAclInformation GetFileSecurityW
    GetKernelObjectSecurity GetLengthSid
    GetPrivateObjectSecurity GetSecurityDescriptorControl
    GetSecurityDescriptorDacl GetSecurityDescriptorGroup
    GetSecurityDescriptorLength GetSecurityDescriptorOwner
    GetSecurityDescriptorRMControl GetSecurityDescriptorSacl
    GetSidIdentifierAuthority GetSidLengthRequired
    GetSidSubAuthority GetSidSubAuthorityCount
    GetTokenInformation GetWindowsAccountDomainSid
    ImpersonateAnonymousToken ImpersonateLoggedOnUser
    ImpersonateSelf InitializeAcl
    InitializeSecurityDescriptor InitializeSid
    IsTokenRestricted IsValidAcl
    IsValidRelativeSecurityDescriptor IsValidSecurityDescriptor
    IsValidSid IsWellKnownSid
    MakeAbsoluteSD MakeAbsoluteSD2
    MakeSelfRelativeSD MapGenericMask
    ObjectCloseAuditAlarmW ObjectDeleteAuditAlarmW
    ObjectOpenAuditAlarmW ObjectPrivilegeAuditAlarmW
    PrivilegeCheck PrivilegedServiceAuditAlarmW
    QuerySecurityAccessMask RevertToSelf
    SetAclInformation SetFileSecurityW
    SetKernelObjectSecurity SetPrivateObjectSecurity
    SetPrivateObjectSecurityEx SetSecurityAccessMask
    SetSecurityDescriptorControl SetSecurityDescriptorDacl
    SetSecurityDescriptorGroup SetSecurityDescriptorOwner
    SetSecurityDescriptorRMControl SetSecurityDescriptorSacl
    SetTokenInformation
    api-ms-win-security-lsalookup-l1-1-0.dll
    LookupAccountNameLocalA LookupAccountNameLocalW LookupAccountSidLocalA
    LookupAccountSidLocalW LsaLookupClose LsaLookupFreeMemory
    LsaLookupGetDomainInfo LsaLookupManageSidNameMapping LsaLookupOpenLocalPolicy
    LsaLookupTranslateNames LsaLookupTranslateSids
    api-ms-win-security-sddl-l1-1-0.dll
    ConvertSecurityDescriptorToStringSecurityDescriptorW ConvertSidToStringSidW
    ConvertStringSecurityDescriptorToSecurityDescriptorW ConvertStringSidToSidW
    api-ms-win-service-core-l1-1-0.dll
    RegisterServiceCtrlHandlerExW SetServiceStatus StartServiceCtrlDispatcherW
    api-ms-win-service-management-l1-1-0.dll
    CloseServiceHandle ControlServiceExW CreateServiceW
    DeleteService OpenSCManagerW OpenServiceW
    StartServiceW
    api-ms-win-service-management-l2-1-0.dll
    ChangeServiceConfig2W ChangeServiceConfigW NotifyServiceStatusChangeW
    QueryServiceConfig2W QueryServiceConfigW QueryServiceObjectSecurity
    QueryServiceStatusEx SetServiceObjectSecurity
    api-ms-win-service-winsvc-l1-1-0.dll
    ChangeServiceConfig2A ChangeServiceConfigA ControlService
    ControlServiceExA CreateServiceA I_QueryTagInformation
    I_ScBroadcastServiceControlMessage I_ScIsSecurityProcess I_ScPnPGetServiceName
    I_ScQueryServiceConfig I_ScRpcBindA I_ScRpcBindW
    I_ScSendPnPMessage I_ScSendTSMessage I_ScValidatePnPService
    NotifyServiceStatusChangeA OpenSCManagerA OpenServiceA
    QueryServiceConfig2A QueryServiceConfigA QueryServiceStatus
    RegisterServiceCtrlHandlerA RegisterServiceCtrlHandlerExA RegisterServiceCtrlHandlerW
    StartServiceA StartServiceCtrlDispatcherA
  • Original post: https://www.cnblogs.com/micro-chen/p/6488837.html