Crate nt_apiset

A parser for API Set Map files of Windows 10 and later.

API Sets are dependencies of PE executables whose names start with “api-” or “ext-”, e.g. api-ms-win-core-sysinfo-l1-1-0. They don’t exist as real DLL files. Instead, when that PE executable is loaded, an API Set Map file of the operating system is checked to figure out the real library file belonging to the dependency (in this case: kernelbase.dll).

The most prominent API Set Map file is apisetschema.dll.

Examples

To get the real library file behind the aforementioned api-ms-win-core-sysinfo-l1-1-0, you can use this crate like:

let dll = std::fs::read("apisetschema.dll").unwrap();
let pe_file = PeFile::from_bytes(&dll).unwrap();
let map = ApiSetMap::try_from_pe64(pe_file).unwrap();

let namespace_entry = map
    .find_namespace_entry("api-ms-win-core-sysinfo-l1-1-0")
    .unwrap()
    .unwrap();
let value_entry = namespace_entry.value_entries().unwrap().next().unwrap();

let name = namespace_entry.name().unwrap();
let default_value = value_entry.value().unwrap();
println!("{name} -> {default_value}");

Structs

• ApiSetHashEntries
  Iterator over the ApiSetHashEntrys of an ApiSetMap.
• ApiSetHashEntry
  A single Hash Entry in an ApiSetMap.
• ApiSetMap
  Root structure describing an API Set Map.
• ApiSetMapFlags
  Flags returned by ApiSetMap::flags.
• ApiSetNamespaceEntries
  Iterator over the ApiSetNamespaceEntrys of an ApiSetMap.
• ApiSetNamespaceEntry
  A single Namespace Entry in an ApiSetMap.
• ApiSetNamespaceEntryFlags
  Flags returned by ApiSetNamespaceEntry::flags.
• ApiSetValueEntries
  Iterator over the ApiSetValueEntrys of an ApiSetNamespaceEntry.
• ApiSetValueEntry
  A single mapping entry for an ApiSetNamespaceEntry.

Enums

• NtApiSetError
  Central error type of nt-apiset.

Type Definitions

• Result
  Central result type of nt-apiset.