Windows 11’s advapi32.dll includes interesting export functions:<\/p>\n\n\n\n
And I know nothing about them… while they are obviously exported by advapi32.dll and for some unknown reason, they do not seem to be imported … by anything (no .exe, .dll import these functions, at least directly!). Plus, most of these apis’ code reference NDR functions (RPC), so unless you are really well-versed in these, it’s hard to reverse them \ud83d\ude41<\/p>\n\n\n\n
BUT<\/p>\n\n\n\n
A quick google<\/a> suggests that these are not Linux-related (refrerence to ‘ELF’), and are actually Event Log File (also ‘ELF’)-related. In a trivial pursuit of the truth, we look at the code of Elf* functions and their invocations and we can almost immediately see that f.ex. that RegisterEventSourceW<\/a> is calling ElfRegisterEventSourceW internally. So… looks like either intentionally, or accidentally the MS coders exposed a lower-level interface to Event Logs.<\/p>\n\n\n\n As such, functions:<\/p>\n\n\n\n may be perhaps of interest?<\/p>\n\n\n\n <\/p>\n","protected":false},"excerpt":{"rendered":" Windows 11’s advapi32.dll includes interesting export functions: ElfBackupEventLogFileA ElfBackupEventLogFileW ElfChangeNotify ElfClearEventLogFileA ElfClearEventLogFileW ElfCloseEventLog ElfDeregisterEventSource ElfFlushEventLog ElfNumberOfRecords ElfOldestRecord ElfOpenBackupEventLogA ElfOpenBackupEventLogW ElfOpenEventLogA ElfOpenEventLogW ElfReadEventLogA ElfReadEventLogW ElfRegisterEventSourceA ElfRegisterEventSourceW ElfReportEventA ElfReportEventAndSourceW ElfReportEventW And I know nothing about them… while they are obviously exported by … Continue reading