{"id":9691,"date":"2024-11-29T19:23:33","date_gmt":"2024-11-29T19:23:33","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=9691"},"modified":"2024-11-29T19:23:33","modified_gmt":"2024-11-29T19:23:33","slug":"mapping-the-api-mapping-code-redundancy","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2024\/11\/29\/mapping-the-api-mapping-code-redundancy\/","title":{"rendered":"Mapping the API mapping\/code redundancy"},"content":{"rendered":"\n<p>In my <a href=\"https:\/\/www.hexacorn.com\/blog\/2024\/11\/28\/windows-storage-lol\/\" data-type=\"post\" data-id=\"9685\">last post<\/a> I showed that some of the <em>shell32.dll<\/em> functions are now mapped to <em>windows.storage.dll<\/em>.<\/p>\n\n\n\n<p>This sort of API mapping, as well as the blatant code redundancy present in many Windows binaries, is not new, and we have seen many instances of it over the years:<\/p>\n\n\n\n<ul>\n<li>Windows API sets<\/li>\n\n\n\n<li><em>gdi32.dll<\/em> and <em>gdi32full.dll<\/em><\/li>\n\n\n\n<li><em>gdi32full.dll<\/em> and <em>win32u.dll<\/em><\/li>\n\n\n\n<li><em>combase.dll<\/em> and <em>ole32.dll<\/em><\/li>\n\n\n\n<li><em>kernel32.dll<\/em> and <em>KernelBase.dll<\/em><\/li>\n\n\n\n<li><em>IEAdvpack.dll<\/em> and <em>advpack.dll<\/em><\/li>\n\n\n\n<li><em>crtdll.dll<\/em>, <em>msvcirt.dll<\/em>, <em>ucrtbase.dll<\/em> and their many, many versions over the years<\/li>\n\n\n\n<li><em>ntdll.dll<\/em> and <em>ntoskrnl.exe<\/em> (user mode vs. 
kernel mode mapping)<\/li>\n<\/ul>\n\n\n\n<p>and so on, and so forth.<\/p>\n\n\n\n<p>It is probably not surprising that, after that latest discovery, I built a list of API names that are shared between many libraries to see if I could discover more interesting bits.<\/p>\n\n\n\n<p>Looking at the list of API names that appear to be shared between at least 2 DLLs on the Windows 11 24H2 build &#8211; <a href=\"https:\/\/hexacorn.com\/d\/win11_24H2_list_64_shared.txt\">win11_24H2_list_64_shared.txt<\/a> &#8211; one can immediately see a lot of interesting findings:<\/p>\n\n\n\n<ul>\n<li>SQLite functions are exported by <em>SearchIndexerCore.dll<\/em>, <em>StateRepository.Core.dll<\/em> and <em>winsqlite3.dll<\/em><\/li>\n\n\n\n<li>apart from <em>kernel32.dll<\/em> and <em>KernelBase.dll<\/em> there is now also <em>kernel.appcore.dll<\/em><\/li>\n\n\n\n<li>the code bases of <em>tcblaunch.exe<\/em> and <em>winload.exe<\/em> seem to overlap a lot<\/li>\n\n\n\n<li><em>edgehtml.dll<\/em> replaces <em>mshtml.dll<\/em><\/li>\n<\/ul>\n\n\n\n<p>Unfortunately, I have not seen anything similar to <em>ShellExec_RunDLL<\/em> &#8211; the discovery that kicked off this research \ud83d\ude41<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In my last post I showed that some of the shell32.dll functions are now mapped to windows.storage.dll. 
This sort of API mapping, as well as the blatant code redundancy present in many Windows binaries, is not new, and we have &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2024\/11\/29\/mapping-the-api-mapping-code-redundancy\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[53],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9691"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=9691"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9691\/revisions"}],"predecessor-version":[{"id":9692,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9691\/revisions\/9692"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=9691"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=9691"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=9691"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}