Scylla and Api Set Map

Microsoft introduced a new technique for API redirection with Windows 7. Microsoft splits the kernel32 functions into different DLLs, e.g. api-ms-win-core-libraryloader-l1-1-0.dll. These special DLLs follow a strict naming convention. A special DLL called apisetschema.dll is injected into every process with the redirection information. It is possible to resolve these redirections manually, but Scylla is not doing that right now. I tried to investigate this a little bit because Scylla didn’t/doesn’t work very well on Windows 8. I wrote a tool to manually parse these redirections and the result is surprising (read more here).

Windows 7 has 35 special DLLs for redirection (full list). This is not too much I guess… but now I looked at Windows 8, and Windows 8 has 356 redirections (full list). Ten times more redirections than Windows 7, so it looks like this technique becomes more and more important. I wasn’t aware of this until now. Microsoft also has 2 prefixes for this kind of DLLs: “API-” and “EXT-” (ext stands for extension). I don’t know what the difference between extension and api is, but Scylla handles this wrong, because I thought that all DLLs start with “api-ms-win-”. I committed a little hotfix here. But probably this is not enough; maybe I really need to resolve the redirections manually. Microsoft provides the full definition of the structures in the header file apiset.h.
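As an added illustration (my own example, not Scylla’s code or the parse tool from this post), here is how the redirections can be resolved from the map instead of guessing by name: a parser for the version-2 API set map layout as declared in apiset.h (the Windows 7 schema; Windows 8 uses a newer version), a resolver that accepts both the “api-” and “ext-” prefixes, and a builder that produces a constructed sample map for testing. It assumes the v2 convention that contract names are stored without the prefix and without “.dll”; the sample map is made up, not dumped from a real apisetschema.dll.

```python
import struct
# Version-2 API set map (Windows 7 schema) as declared in apiset.h. Offsets are relative to the
# start of API_SET_NAMESPACE_ARRAY {Version, Count, ENTRY[] {NameOffset, NameLength, DataOffset}};
# DataOffset points at VALUE_ARRAY {Count, VALUE_ENTRY[] {NameOffset, NameLength, ValueOffset,
# ValueLength}}. Every field is a ULONG, strings are UTF-16LE, lengths are in bytes.

def _utf16(buf, off, n): return buf[off:off + n].decode("utf-16-le")

def parse_apiset_v2(buf):
    """{contract: [(importing_module, host_dll)]}; importing_module "" is the default host."""
    version, count = struct.unpack_from("<II", buf, 0)
    if version != 2:                    # Windows 8 ships a newer schema version with a different layout
        raise ValueError(f"unsupported API set schema version {version}")
    result = {}
    for i in range(count):
        n_off, n_len, d_off = struct.unpack_from("<III", buf, 8 + 12 * i)
        (vcount,) = struct.unpack_from("<I", buf, d_off)
        result[_utf16(buf, n_off, n_len)] = [
            (_utf16(buf, a, b), _utf16(buf, c, d))
            for a, b, c, d in struct.iter_unpack("<IIII", buf[d_off + 4:d_off + 4 + 16 * vcount])]
    return result

def resolve(dll_name, importer, apiset):
    """Host DLL that `importer` really gets for an api-/ext- contract, or None if not a contract."""
    name = dll_name.lower()
    if name[:4] not in ("api-", "ext-"):            # checking only "api-ms-win-" misses the ext- set
        return None
    hosts = apiset.get(name[4:].removesuffix(".dll").upper(), [])   # v2 keys: no prefix, no .dll
    by_importer = {imp.lower(): host for imp, host in hosts}
    return by_importer.get(importer.lower(), by_importer.get(""))

def build_apiset_v2(entries):
    """Serialize {contract: [(importer, host)]} into the v2 layout (for constructed test data)."""
    hdr, body, ns = 8 + 12 * len(entries), bytearray(), b""
    def put(s):                                       # append a UTF-16LE string after the headers
        data = s.encode("utf-16-le"); off = hdr + len(body); body.extend(data); return off, len(data)
    for contract, hosts in entries.items():
        c_off, c_len = put(contract)
        d_off = hdr + len(body)
        body.extend(bytes(4 + 16 * len(hosts)))       # reserve the value array, filled in below
        vals = struct.pack("<I", len(hosts))
        for importer, host in hosts:
            vals += struct.pack("<IIII", *put(importer), *put(host))
        body[d_off - hdr:d_off - hdr + len(vals)] = vals
        ns += struct.pack("<III", c_off, c_len, d_off)
    return struct.pack("<II", 2, len(entries)) + ns + bytes(body)

# Constructed sample, not a dump of a real apisetschema.dll.
SAMPLE_MAP = parse_apiset_v2(build_apiset_v2({
    "MS-WIN-CORE-LIBRARYLOADER-L1-1-0": [("", "kernel32.dll"), ("kernel32.dll", "kernelbase.dll")],
    "MS-WIN-CORE-CONSOLE-L1-1-0": [("", "kernel32.dll")]}))
```

The importer matters: the same contract resolves to kernelbase.dll when kernel32.dll imports it and to kernel32.dll for everyone else, which a pure name check can never tell apart.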

Source code and x86/x64 binaries of the parse tool here:
