## Import the original JSON files

In [10]:
from binaryninja.architecture import Architecture
from binaryninja.platform import Platform
from binaryninja.typelibrary import TypeLibrary
from binaryninja.enums import StructureVariant, NamedTypeReferenceClass
from binaryninja.types import (Type, Tuple, TypeBuilder, FunctionBuilder, BoolWithConfidence, OffsetWithConfidence, PointerType, StructureType, EnumerationType, FunctionType, EnumerationMember, EnumerationBuilder, QualifiedName, FunctionParameter, PointerBuilder)
from binaryninja.log import log_to_stdout
from binaryninja.enums import LogLevel
from functools import cache
from typing import Optional, Set, List, DefaultDict
from pathlib import Path
import json, codecs
from collections import defaultdict
from tqdm.notebook import tqdm


log_to_stdout(LogLevel.WarningLog)
api_namespaces = {}
for file in Path("win32json/api/").glob("*.json"):
    try:
        with codecs.open(str(file), "r", "utf-8-sig") as f:
            api_namespaces[file.stem] = json.load(f)
    except json.JSONDecodeError as e:
        print(file)
        raise e
print("Success")

Success


## Create Ordinal/GUID Mapping

In [14]:
update_mapping_file = False
if update_mapping_file:
    mapping = {}
    for key, arch in [("X86", "x86"), ("X64", "x86_64")]:
        items = list(Path(f"/Users/peterlafosse/src/binaryninja/typelib/{arch}/").glob("*.dll.bntl"))
        print(f"Getting ordinals for {len(items)} - {arch} typelibs")
        mapping[key] = {}
        for file in items:
            filename = file.name
            file = str(file)
            tl = TypeLibrary.load_from_file(file)
            assert tl is not None, f"Failed to open {file}"
            ordinals_name = tl.query_metadata("ordinals")
            ordinals = tl.query_metadata(str(ordinals_name))
            mapping[key][filename] = {}
            mapping[key][filename]["guid"] = tl.guid
            mapping[key][filename]["ordinals"] = ordinals_name
            mapping[key][filename][ordinals_name] = ordinals
    with open("mappingfile.json", "w") as f:
        json.dump(mapping, f)
print("Success")

Success


In [15]:

null = ""
apiset = {"api-ms-onecoreuap-print-render-l1-1-0": "printrenderapihost.dll", "api-ms-win-appmodel-advertisingid-l1-1-0": "kernel.appcore.dll", "api-ms-win-appmodel-identity-l1-2-0": "kernel.appcore.dll", "api-ms-win-appmodel-lifecyclepolicy-l1-1-0": "rmclient.dll", "api-ms-win-appmodel-runtime-internal-l1-1-9": "kernel.appcore.dll", "api-ms-win-appmodel-runtime-l1-1-5": "kernel.appcore.dll", "api-ms-win-appmodel-state-l1-1-2": "kernel.appcore.dll", "api-ms-win-appmodel-state-l1-2-0": "kernel.appcore.dll", "api-ms-win-appmodel-unlock-l1-1-0": "kernel.appcore.dll", "api-ms-win-audiocore-spatial-config-l1-1-0": "windows.media.devices.dll", "api-ms-win-base-bootconfig-l1-1-0": "advapi32.dll", "api-ms-win-base-util-l1-1-0": "advapi32.dll", "api-ms-win-composition-redirection-l1-1-0": "dwmredir.dll", "api-ms-win-composition-windowmanager-l1-1-0": "udwm.dll", "api-ms-win-containers-cmclient-l1-1-1": "cmclient.dll", "api-ms-win-containers-cmclient-l1-2-0": "cmclient.dll", "api-ms-win-containers-cmclient-l1-3-0": "cmclient.dll", "api-ms-win-containers-cmclient-l1-4-0": "cmclient.dll", "api-ms-win-containers-cmclient-l1-5-0": "cmclient.dll", "api-ms-win-containers-cmdiagclient-l1-1-1": "cmclient.dll", "api-ms-win-containers-cmservicingclient-l1-1-1": "cmclient.dll", "api-ms-win-containers-cmservicingclient-l1-2-0": "cmclient.dll", "api-ms-win-core-apiquery-l1-1-1": "ntdll.dll", "api-ms-win-core-apiquery-l2-1-0": "kernelbase.dll", "api-ms-win-core-appcompat-l1-1-1": "kernelbase.dll", "api-ms-win-core-appinit-l1-1-0": "kernelbase.dll", "api-ms-win-core-atoms-l1-1-0": "kernel32.dll", "api-ms-win-core-backgroundtask-l1-1-0": "kernelbase.dll", "api-ms-win-core-bicltapi-l1-1-5": "bi.dll", "api-ms-win-core-biplmapi-l1-1-5": "twinapi.appcore.dll", "api-ms-win-core-biptcltapi-l1-1-7": "twinapi.appcore.dll", "api-ms-win-core-calendar-l1-1-0": "kernel32.dll", "api-ms-win-core-com-l1-1-3": "combase.dll", "api-ms-win-core-com-l2-1-1": "coml2.dll", "api-ms-win-core-com-midlproxystub-l1-1-0": "combase.dll", "api-ms-win-core-com-private-l1-1-1": "combase.dll", "api-ms-win-core-com-private-l1-2-0": "combase.dll", "api-ms-win-core-com-private-l1-3-1": "combase.dll", "api-ms-win-core-comm-l1-1-2": "kernelbase.dll", "api-ms-win-core-console-ansi-l2-1-0": "kernel32.dll", "api-ms-win-core-console-internal-l1-1-0": "kernelbase.dll", "api-ms-win-core-console-l1-1-0": "kernelbase.dll", "api-ms-win-core-console-l1-2-1": "kernelbase.dll", "api-ms-win-core-console-l2-1-0": "kernelbase.dll", "api-ms-win-core-console-l2-2-0": "kernelbase.dll", "api-ms-win-core-console-l3-1-0": "kernelbase.dll", "api-ms-win-core-console-l3-2-0": "kernelbase.dll", "api-ms-win-core-crt-l1-1-0": "ntdll.dll", "api-ms-win-core-crt-l2-1-0": "kernelbase.dll", "api-ms-win-core-datetime-l1-1-2": "kernelbase.dll", "api-ms-win-core-debug-l1-1-2": "kernelbase.dll", "api-ms-win-core-debug-minidump-l1-1-0": "dbgcore.dll", "api-ms-win-core-delayload-l1-1-1": "kernelbase.dll", "api-ms-win-core-enclave-l1-1-1": "kernelbase.dll", "api-ms-win-core-errorhandling-l1-1-3": "kernelbase.dll", "api-ms-win-core-featurestaging-l1-1-1": "shcore.dll", "api-ms-win-core-fibers-l1-1-1": "kernelbase.dll", "api-ms-win-core-fibers-l2-1-1": "kernelbase.dll", "api-ms-win-core-file-ansi-l1-1-0": "kernel32.dll", "api-ms-win-core-file-ansi-l2-1-0": "kernel32.dll", "api-ms-win-core-file-fromapp-l1-1-0": "kernelbase.dll", "api-ms-win-core-file-l1-1-1": "kernelbase.dll", "api-ms-win-core-file-l1-2-4": "kernelbase.dll", "api-ms-win-core-file-l2-1-3": "kernelbase.dll", "api-ms-win-core-firmware-l1-1-0": "kernel32.dll", "api-ms-win-core-guard-l1-1-0": "kernelbase.dll", "api-ms-win-core-handle-l1-1-0": "kernelbase.dll", "api-ms-win-core-heap-l1-1-0": "kernelbase.dll", "api-ms-win-core-heap-l1-2-0": "kernelbase.dll", "api-ms-win-core-heap-l2-1-0": "kernelbase.dll", "api-ms-win-core-heap-obsolete-l1-1-0": "kernel32.dll", "api-ms-win-core-interlocked-l1-1-1": "kernelbase.dll", "api-ms-win-core-interlocked-l1-2-0": "kernelbase.dll", "api-ms-win-core-io-l1-1-1": "kernelbase.dll", "api-ms-win-core-ioring-l1-1-0": "kernelbase.dll", "api-ms-win-core-job-l1-1-0": "kernelbase.dll", "api-ms-win-core-job-l2-1-1": "kernel32.dll", "api-ms-win-core-kernel32-legacy-ansi-l1-1-0": "kernel32.dll", "api-ms-win-core-kernel32-legacy-l1-1-6": "kernel32.dll", "api-ms-win-core-kernel32-private-l1-1-2": "kernel32.dll", "api-ms-win-core-kernel32-private-l1-2-0": "kernel32.dll", "api-ms-win-core-largeinteger-l1-1-0": "kernelbase.dll", "api-ms-win-core-libraryloader-l1-1-1": "kernelbase.dll", "api-ms-win-core-libraryloader-l1-2-3": "kernelbase.dll", "api-ms-win-core-libraryloader-l2-1-0": "kernelbase.dll", "api-ms-win-core-libraryloader-private-l1-1-0": "kernelbase.dll", "api-ms-win-core-localization-ansi-l1-1-0": "kernel32.dll", "api-ms-win-core-localization-l1-1-0": "kernelbase.dll", "api-ms-win-core-localization-l1-2-4": "kernelbase.dll", "api-ms-win-core-localization-l2-1-0": "kernelbase.dll", "api-ms-win-core-localization-obsolete-l1-1-0": "kernelbase.dll", "api-ms-win-core-localization-obsolete-l1-2-0": "kernelbase.dll", "api-ms-win-core-localization-obsolete-l1-3-0": "kernelbase.dll", "api-ms-win-core-localization-private-l1-1-0": "kernelbase.dll", "api-ms-win-core-localregistry-l1-1-0": "kernelbase.dll", "api-ms-win-core-marshal-l1-1-0": "combase.dll", "api-ms-win-core-memory-l1-1-8": "kernelbase.dll", "api-ms-win-core-misc-l1-1-0": "kernelbase.dll", "api-ms-win-core-multipleproviderrouter-l1-1-0": "mpr.dll", "api-ms-win-core-namedpipe-ansi-l1-1-1": "kernel32.dll", "api-ms-win-core-namedpipe-l1-1-0": "kernelbase.dll", "api-ms-win-core-namedpipe-l1-2-2": "kernelbase.dll", "api-ms-win-core-namespace-ansi-l1-1-0": "kernel32.dll", "api-ms-win-core-namespace-l1-1-0": "kernelbase.dll", "api-ms-win-core-normalization-l1-1-0": "kernelbase.dll", "api-ms-win-core-path-l1-1-0": "kernelbase.dll", "api-ms-win-core-pcw-l1-1-0": "kernelbase.dll", "api-ms-win-core-perfcounters-l1-1-0": "kernelbase.dll", "api-ms-win-core-perfcounters-l1-2-0": "kernelbase.dll", "api-ms-win-core-privateprofile-l1-1-1": "kernel32.dll", "api-ms-win-core-processenvironment-ansi-l1-1-0": "kernel32.dll", "api-ms-win-core-processenvironment-l1-1-1": "kernelbase.dll", "api-ms-win-core-processenvironment-l1-2-0": "kernelbase.dll", "api-ms-win-core-processsecurity-l1-1-0": "kernelbase.dll", "api-ms-win-core-processsnapshot-l1-1-0": "kernelbase.dll", "api-ms-win-core-processthreads-l1-1-7": "kernelbase.dll", "api-ms-win-core-processtopology-l1-1-0": "kernelbase.dll", "api-ms-win-core-processtopology-l1-2-0": "kernelbase.dll", "api-ms-win-core-processtopology-obsolete-l1-1-1": "kernel32.dll", "api-ms-win-core-processtopology-private-l1-1-0": "kernelbase.dll", "api-ms-win-core-profile-l1-1-0": "kernelbase.dll", "api-ms-win-core-psapi-ansi-l1-1-0": "kernelbase.dll", "api-ms-win-core-psapi-l1-1-0": "kernelbase.dll", "api-ms-win-core-psapi-obsolete-l1-1-0": "kernelbase.dll", "api-ms-win-core-psapiansi-l1-1-0": "kernelbase.dll", "api-ms-win-core-psm-app-l1-1-0": "twinapi.appcore.dll", "api-ms-win-core-psm-appnotify-l1-1-1": "twinapi.appcore.dll", "api-ms-win-core-psm-info-l1-1-1": "appsruprov.dll", "api-ms-win-core-psm-key-l1-1-3": "kernelbase.dll", "api-ms-win-core-psm-plm-l1-1-3": "twinapi.appcore.dll", "api-ms-win-core-psm-plm-l1-2-0": "twinapi.appcore.dll", "api-ms-win-core-psm-plm-l1-3-0": "twinapi.appcore.dll", "api-ms-win-core-psm-rtimer-l1-1-1": "twinapi.appcore.dll", "api-ms-win-core-psm-tc-l1-1-1": "twinapi.appcore.dll", "api-ms-win-core-quirks-l1-1-1": "kernelbase.dll", "api-ms-win-core-realtime-l1-1-2": "kernelbase.dll", "api-ms-win-core-registry-fromapp-l1-1-0": "reguwpapi.dll", "api-ms-win-core-registry-l1-1-2": "kernelbase.dll", "api-ms-win-core-registry-l2-1-0": "advapi32.dll", "api-ms-win-core-registry-l2-2-0": "advapi32.dll", "api-ms-win-core-registry-l2-3-0": "advapi32.dll", "api-ms-win-core-registry-private-l1-1-0": "advapi32.dll", "api-ms-win-core-registryuserspecific-l1-1-0": "kernelbase.dll", "api-ms-win-core-rtlsupport-l1-1-1": "ntdll.dll", "api-ms-win-core-rtlsupport-l1-2-2": "ntdll.dll", "api-ms-win-core-shlwapi-legacy-l1-1-0": "kernelbase.dll", "api-ms-win-core-shlwapi-obsolete-l1-1-0": "kernelbase.dll", "api-ms-win-core-shlwapi-obsolete-l1-2-0": "kernelbase.dll", "api-ms-win-core-shutdown-ansi-l1-1-0": "advapi32.dll", "api-ms-win-core-shutdown-l1-1-1": "advapi32.dll", "api-ms-win-core-sidebyside-ansi-l1-1-0": "kernel32.dll", "api-ms-win-core-sidebyside-l1-1-0": "kernelbase.dll", "api-ms-win-core-slapi-l1-1-0": "clipc.dll", "api-ms-win-core-state-helpers-l1-1-0": "kernelbase.dll", "api-ms-win-core-string-l1-1-0": "kernelbase.dll", "api-ms-win-core-string-l2-1-1": "kernelbase.dll", "api-ms-win-core-string-obsolete-l1-1-1": "kernel32.dll", "api-ms-win-core-stringansi-l1-1-0": "kernelbase.dll", "api-ms-win-core-stringloader-l1-1-1": "kernelbase.dll", "api-ms-win-core-synch-ansi-l1-1-0": "kernel32.dll", "api-ms-win-core-synch-l1-1-1": "kernelbase.dll", "api-ms-win-core-synch-l1-2-1": "kernelbase.dll", "api-ms-win-core-sysinfo-l1-1-1": "kernelbase.dll", "api-ms-win-core-sysinfo-l1-2-6": "kernelbase.dll", "api-ms-win-core-sysinfo-l2-1-0": "advapi32.dll", "api-ms-win-core-systemtopology-l1-1-2": "kernelbase.dll", "api-ms-win-core-textinput-client-l1-1-1": "textinputframework.dll", "api-ms-win-core-threadpool-l1-1-0": "kernelbase.dll", "api-ms-win-core-threadpool-l1-2-0": "kernelbase.dll", "api-ms-win-core-threadpool-legacy-l1-1-0": "kernelbase.dll", "api-ms-win-core-threadpool-private-l1-1-0": "kernelbase.dll", "api-ms-win-core-timezone-l1-1-1": "kernelbase.dll", "api-ms-win-core-timezone-private-l1-1-0": "kernelbase.dll", "api-ms-win-core-toolhelp-l1-1-1": "kernel32.dll", "api-ms-win-core-ums-l1-1-0": "kernel32.dll", "api-ms-win-core-url-l1-1-0": "kernelbase.dll", "api-ms-win-core-util-l1-1-1": "kernelbase.dll", "api-ms-win-core-version-l1-1-1": "kernelbase.dll", "api-ms-win-core-version-private-l1-1-0": "kernelbase.dll", "api-ms-win-core-versionansi-l1-1-1": "kernelbase.dll", "api-ms-win-core-windowsceip-l1-1-0": "kernelbase.dll", "api-ms-win-core-windowserrorreporting-l1-1-3": "kernelbase.dll", "api-ms-win-core-winrt-error-l1-1-1": "combase.dll", "api-ms-win-core-winrt-errorprivate-l1-1-1": "combase.dll", "api-ms-win-core-winrt-l1-1-0": "combase.dll", "api-ms-win-core-winrt-propertysetprivate-l1-1-1": "wintypes.dll", "api-ms-win-core-winrt-registration-l1-1-0": "combase.dll", "api-ms-win-core-winrt-robuffer-l1-1-0": "wintypes.dll", "api-ms-win-core-winrt-roparameterizediid-l1-1-0": "combase.dll", "api-ms-win-core-winrt-string-l1-1-1": "combase.dll", "api-ms-win-core-wow64-l1-1-3": "kernelbase.dll", "api-ms-win-core-xstate-l1-1-3": "ntdll.dll", "api-ms-win-core-xstate-l2-1-2": "kernelbase.dll", "api-ms-win-coremessaging-host-l1-1-0": null, "api-ms-win-coreui-secruntime-l1-1-0": null, "api-ms-win-crt-conio-l1-1-0": "ucrtbase.dll", "api-ms-win-crt-convert-l1-1-0": "ucrtbase.dll", "api-ms-win-crt-environment-l1-1-0": "ucrtbase.dll", "api-ms-win-crt-filesystem-l1-1-0": "ucrtbase.dll", "api-ms-win-crt-heap-l1-1-0": "ucrtbase.dll", "api-ms-win-crt-locale-l1-1-0": "ucrtbase.dll", "api-ms-win-crt-math-l1-1-0": "ucrtbase.dll", "api-ms-win-crt-multibyte-l1-1-0": "ucrtbase.dll", "api-ms-win-crt-private-l1-1-0": "ucrtbase.dll", "api-ms-win-crt-process-l1-1-0": "ucrtbase.dll", "api-ms-win-crt-runtime-l1-1-0": "ucrtbase.dll", "api-ms-win-crt-stdio-l1-1-0": "ucrtbase.dll", "api-ms-win-crt-string-l1-1-0": "ucrtbase.dll", "api-ms-win-crt-time-l1-1-0": "ucrtbase.dll", "api-ms-win-crt-utility-l1-1-0": "ucrtbase.dll", "api-ms-win-deprecated-apis-advapi-l1-1-0": null, "api-ms-win-deprecated-apis-legacy-l1-1-0": null, "api-ms-win-deprecated-apis-legacy-l1-2-0": null, "api-ms-win-deprecated-apis-obsolete-l1-1-0": "kernelbase.dll", "api-ms-win-devices-config-l1-1-2": "cfgmgr32.dll", "api-ms-win-devices-query-l1-1-1": "cfgmgr32.dll", "api-ms-win-devices-swdevice-l1-1-1": "cfgmgr32.dll", "api-ms-win-downlevel-advapi32-l1-1-0": "kernelbase.dll", "api-ms-win-downlevel-advapi32-l2-1-0": "sechost.dll", "api-ms-win-downlevel-advapi32-l3-1-0": "ntmarta.dll", "api-ms-win-downlevel-advapi32-l4-1-0": "advapi32.dll", "api-ms-win-downlevel-kernel32-l1-1-0": "kernelbase.dll", "api-ms-win-downlevel-kernel32-l2-1-0": "kernel32.dll", "api-ms-win-downlevel-normaliz-l1-1-0": "kernelbase.dll", "api-ms-win-downlevel-ole32-l1-1-0": "combase.dll", "api-ms-win-downlevel-shell32-l1-1-0": "shcore.dll", "api-ms-win-downlevel-shlwapi-l1-1-0": "kernelbase.dll", "api-ms-win-downlevel-shlwapi-l2-1-0": "shcore.dll", "api-ms-win-downlevel-user32-l1-1-0": "kernelbase.dll", "api-ms-win-downlevel-version-l1-1-0": "kernelbase.dll", "api-ms-win-dwmapi-l1-1-0": "dwmapi.dll", "api-ms-win-dx-d3dkmt-l1-1-7": "gdi32.dll", "api-ms-win-eventing-classicprovider-l1-1-0": "kernelbase.dll", "api-ms-win-eventing-consumer-l1-1-1": "sechost.dll", "api-ms-win-eventing-controller-l1-1-0": "sechost.dll", "api-ms-win-eventing-legacy-l1-1-0": "advapi32.dll", "api-ms-win-eventing-obsolete-l1-1-0": "sechost.dll", "api-ms-win-eventing-provider-l1-1-0": "kernelbase.dll", "api-ms-win-eventing-tdh-l1-1-2": "tdh.dll", "api-ms-win-eventlog-legacy-l1-1-0": "advapi32.dll", "api-ms-win-eventlog-private-l1-1-0": "advapi32.dll", "api-ms-win-gaming-deviceinformation-l1-1-0": "kernelbase.dll", "api-ms-win-gaming-expandedresources-l1-1-0": "gamemode.dll", "api-ms-win-gaming-tcui-l1-1-4": "gamingtcui.dll", "api-ms-win-gdi-dpiinfo-l1-1-0": "gdi32.dll", "api-ms-win-gdi-internal-uap-l1-1-0": "gdi32full.dll", "api-ms-win-ham-apphistory-l1-1-0": "rmclient.dll", "api-ms-win-ham-hamplm-l1-1-0": "rmclient.dll", "api-ms-win-http-time-l1-1-0": "kernelbase.dll", "api-ms-win-input-ie-interactioncontext-l1-1-0": null, "api-ms-win-legacy-shlwapi-l1-1-0": "kernelbase.dll", "api-ms-win-mm-joystick-l1-1-0": "winmm.dll", "api-ms-win-mm-mci-l1-1-0": "winmm.dll", "api-ms-win-mm-misc-l1-1-1": "winmmbase.dll", "api-ms-win-mm-misc-l2-1-0": "winmm.dll", "api-ms-win-mm-mme-l1-1-0": "winmmbase.dll", "api-ms-win-mm-playsound-l1-1-0": "winmm.dll", "api-ms-win-mm-time-l1-1-0": "kernel32.dll", "api-ms-win-net-isolation-l1-1-1": "firewallapi.dll", "api-ms-win-networking-interfacecontexts-l1-1-0": "ondemandconnroutehelper.dll", "api-ms-win-ngc-serialization-l1-1-1": "ngckeyenum.dll", "api-ms-win-ntuser-ie-message-l1-1-0": "user32.dll", "api-ms-win-ntuser-ie-window-l1-1-0": "user32.dll", "api-ms-win-ntuser-ie-wmpointer-l1-1-0": "user32.dll", "api-ms-win-ntuser-rectangle-l1-1-0": "user32.dll", "api-ms-win-ntuser-sysparams-l1-1-0": "user32.dll", "api-ms-win-obsolete-localization-l1-1-0": "kernelbase.dll", "api-ms-win-obsolete-psapi-l1-1-0": "kernelbase.dll", "api-ms-win-obsolete-shlwapi-l1-1-0": "kernelbase.dll", "api-ms-win-ole32-ie-l1-1-0": "ole32.dll", "api-ms-win-oobe-notification-l1-1-0": "kernel32.dll", "api-ms-win-perf-legacy-l1-1-0": "advapi32.dll", "api-ms-win-power-base-l1-1-0": "powrprof.dll", "api-ms-win-power-limitsmanagement-l1-1-0": "powrprof.dll", "api-ms-win-power-setting-l1-1-1": "powrprof.dll", "api-ms-win-privacy-coreprivacysettingsstore-l1-1-0": "coreprivacysettingsstore.dll", "api-ms-win-ro-typeresolution-l1-1-1": "wintypes.dll", "api-ms-win-rtcore-minuser-private-l1-1-1": null, "api-ms-win-rtcore-navigation-l1-1-0": null, "api-ms-win-rtcore-ntuser-clipboard-l1-1-0": "user32.dll", "api-ms-win-rtcore-ntuser-draw-l1-1-0": "user32.dll", "api-ms-win-rtcore-ntuser-powermanagement-l1-1-0": "user32.dll", "api-ms-win-rtcore-ntuser-private-l1-1-11": "user32.dll", "api-ms-win-rtcore-ntuser-shell-l1-1-0": "user32.dll", "api-ms-win-rtcore-ntuser-synch-l1-1-0": "user32.dll", "api-ms-win-rtcore-ntuser-window-l1-1-0": "user32.dll", "api-ms-win-rtcore-ntuser-winevent-l1-1-0": "user32.dll", "api-ms-win-rtcore-ntuser-wmpointer-l1-1-3": "user32.dll", "api-ms-win-rtcore-ntuser-wmpointer-l1-2-0": "user32.dll", "api-ms-win-rtcore-ole32-clipboard-l1-1-1": "ole32.dll", "api-ms-win-rtcore-session-l1-1-0": null, "api-ms-win-security-accesshlpr-l1-1-0": "sechost.dll", "api-ms-win-security-activedirectoryclient-l1-1-1": "kernelbase.dll", "api-ms-win-security-appcontainer-l1-1-0": "kernelbase.dll", "api-ms-win-security-audit-l1-1-1": "sechost.dll", "api-ms-win-security-base-ansi-l1-1-0": "advapi32.dll", "api-ms-win-security-base-l1-1-1": "kernelbase.dll", "api-ms-win-security-base-l1-2-2": "kernelbase.dll", "api-ms-win-security-base-private-l1-1-1": "kernelbase.dll", "api-ms-win-security-capability-l1-1-1": "sechost.dll", "api-ms-win-security-cpwl-l1-1-0": "advapi32.dll", "api-ms-win-security-credentials-l1-1-0": "sechost.dll", "api-ms-win-security-credentials-l2-1-1": "sechost.dll", "api-ms-win-security-cryptoapi-l1-1-0": "cryptsp.dll", "api-ms-win-security-grouppolicy-l1-1-0": "kernelbase.dll", "api-ms-win-security-isolatedcontainer-l1-1-1": "shcore.dll", "api-ms-win-security-isolationapi-l1-1-0": "sechost.dll", "api-ms-win-security-isolationapi-l1-2-0": "sechost.dll", "api-ms-win-security-isolationpolicy-l1-1-0": "sechost.dll", "api-ms-win-security-isolationpolicy-l1-2-0": "sechost.dll", "api-ms-win-security-licenseprotection-l1-1-0": "licenseprotection.dll", "api-ms-win-security-logon-l1-1-1": "advapi32.dll", "api-ms-win-security-lsalookup-ansi-l2-1-0": "advapi32.dll", "api-ms-win-security-lsalookup-l1-1-2": "sechost.dll", "api-ms-win-security-lsalookup-l2-1-1": "advapi32.dll", "api-ms-win-security-lsapolicy-l1-1-1": "sechost.dll", "api-ms-win-security-provider-ansi-l1-1-0": "advapi32.dll", "api-ms-win-security-provider-l1-1-0": "ntmarta.dll", "api-ms-win-security-sddl-ansi-l1-1-0": "advapi32.dll", "api-ms-win-security-sddl-l1-1-0": "sechost.dll", "api-ms-win-security-sddl-private-l1-1-0": "sechost.dll", "api-ms-win-security-sddlparsecond-l1-1-1": "sechost.dll", "api-ms-win-security-systemfunctions-l1-1-0": "advapi32.dll", "api-ms-win-security-trustee-l1-1-2": "advapi32.dll", "api-ms-win-service-core-ansi-l1-1-1": "advapi32.dll", "api-ms-win-service-core-l1-1-5": "sechost.dll", "api-ms-win-service-legacy-l1-1-0": "advapi32.dll", "api-ms-win-service-management-l1-1-0": "sechost.dll", "api-ms-win-service-management-l2-1-0": "sechost.dll", "api-ms-win-service-private-l1-1-5": "sechost.dll", "api-ms-win-service-private-l1-2-0": "sechost.dll", "api-ms-win-service-winsvc-l1-1-0": "sechost.dll", "api-ms-win-service-winsvc-l1-2-0": "sechost.dll", "api-ms-win-shcore-comhelpers-l1-1-0": "shcore.dll", "api-ms-win-shcore-obsolete-l1-1-0": "shcore.dll", "api-ms-win-shcore-path-l1-1-0": "shcore.dll", "api-ms-win-shcore-registry-l1-1-1": "shcore.dll", "api-ms-win-shcore-scaling-l1-1-2": "shcore.dll", "api-ms-win-shcore-stream-l1-1-0": "shcore.dll", "api-ms-win-shcore-stream-winrt-l1-1-0": "shcore.dll", "api-ms-win-shcore-sysinfo-l1-1-0": "shcore.dll", "api-ms-win-shcore-taskpool-l1-1-0": "shcore.dll", "api-ms-win-shcore-thread-l1-1-0": "shcore.dll", "api-ms-win-shcore-unicodeansi-l1-1-0": "shcore.dll", "api-ms-win-shell-associations-l1-1-2": "windows.storage.dll", "api-ms-win-shell-changenotify-l1-1-1": "windows.storage.dll", "api-ms-win-shell-dataobject-l1-1-1": "windows.storage.dll", "api-ms-win-shell-namespace-l1-1-1": "windows.storage.dll", "api-ms-win-shell-shdirectory-l1-1-0": "shcore.dll", "api-ms-win-shell-shell32legacy-shdirectory-l1-1-0": null, "api-ms-win-shell-shellcom-l1-1-0": "kernelbase.dll", "api-ms-win-shell-shellfolders-l1-1-0": "windows.storage.dll", "api-ms-win-shlwapi-ie-l1-1-0": "shlwapi.dll", "api-ms-win-shlwapi-winrt-storage-l1-1-1": "shlwapi.dll", "api-ms-win-stateseparation-helpers-l1-1-0": "kernelbase.dll", "api-ms-win-storage-exports-external-l1-1-2": "windows.storage.dll", "api-ms-win-storage-exports-internal-l1-1-0": "windows.storage.dll", "api-ms-win-storage-reserve-l1-1-0": "storageusage.dll", "api-ms-win-winrt-search-folder-l1-1-0": "windows.storage.search.dll", "api-ms-win-wsl-api-l1-1-0": "wslapi.dll", "ext-ms-mf-pal-l2-1-1": null, "ext-ms-net-eap-sim-l1-1-0": "eapsimextdesktop.dll", "ext-ms-net-vpn-soh-l1-1-0": "vpnsohdesktop.dll", "ext-ms-onecore-appchromeapi-l1-1-0": null, "ext-ms-onecore-appdefaults-l1-1-0": "windows.storage.dll", "ext-ms-onecore-appmodel-emclient-l1-1-0": null, "ext-ms-onecore-appmodel-emsvcs-l1-1-0": null, "ext-ms-onecore-appmodel-pacmanclient-l1-1-0": null, "ext-ms-onecore-appmodel-staterepository-appextension-l1-1-0": "windows.staterepositoryclient.dll", "ext-ms-onecore-appmodel-staterepository-cache-l1-1-4": "windows.staterepositorycore.dll", "ext-ms-onecore-appmodel-staterepository-internal-l1-1-6": "windows.staterepositoryclient.dll", "ext-ms-onecore-appmodel-tdlmigration-l1-1-1": "tdlmigration.dll", "ext-ms-onecore-comp-dwmmonitor-l1-1-0": null, "ext-ms-onecore-dcomp-l1-1-0": "dcomp.dll", "ext-ms-onecore-defaultdiscovery-l1-1-0": null, "ext-ms-onecore-hcap-svf-l1-1-0": "svf.dll", "ext-ms-onecore-hlink-l1-1-0": "hlink.dll", "ext-ms-onecore-hnetcfg-l1-1-0": "hnetcfgclient.dll", "ext-ms-onecore-ipnathlp-l1-1-0": "ipnathlpclient.dll", "ext-ms-onecore-mpc-input-l1-1-0": "hologramcompositor.dll", "ext-ms-onecore-orientation-l1-1-0": null, "ext-ms-onecore-security-antitheft-l1-1-0": null, "ext-ms-onecore-service-devicedirectory-claims-l1-1-0": "ddcclaimsapi.dll", "ext-ms-onecore-shellchromeapi-l1-1-2": null, "ext-ms-onecore-shellremindersapi-l1-1-0": null, "ext-ms-onecore-shlwapi-l1-1-0": "shlwapi.dll", "ext-ms-onecore-spectrumsyncclient-l1-1-0": "spectrumsyncclient.dll", "ext-ms-win-adsi-activeds-l1-1-0": "activeds.dll", "ext-ms-win-advapi32-auth-l1-1-0": "advapi32.dll", "ext-ms-win-advapi32-encryptedfile-l1-1-1": "advapi32.dll", "ext-ms-win-advapi32-eventlog-ansi-l1-1-0": "advapi32.dll", "ext-ms-win-advapi32-eventlog-l1-1-2": "advapi32.dll", "ext-ms-win-advapi32-hwprof-l1-1-0": "advapi32.dll", "ext-ms-win-advapi32-idletask-l1-1-0": "advapi32.dll", "ext-ms-win-advapi32-lsa-l1-1-3": "advapi32.dll", "ext-ms-win-advapi32-msi-l1-1-0": "advapi32.dll", "ext-ms-win-advapi32-npusername-l1-1-0": "advapi32.dll", "ext-ms-win-advapi32-ntmarta-l1-1-0": "advapi32.dll", "ext-ms-win-advapi32-psm-app-l1-1-0": "twinapi.appcore.dll", "ext-ms-win-advapi32-registry-l1-1-1": "advapi32.dll", "ext-ms-win-advapi32-safer-l1-1-0": "advapi32.dll", "ext-ms-win-advapi32-shutdown-l1-1-0": "advapi32.dll", "ext-ms-win-appcompat-aeinv-l1-1-1": "aeinv.dll", "ext-ms-win-appcompat-aepic-l1-1-0": "aepic.dll", "ext-ms-win-appcompat-apphelp-l1-1-2": "apphelp.dll", "ext-ms-win-appcompat-pcacli-l1-1-0": "pcacli.dll", "ext-ms-win-appmodel-activation-l1-1-2": "activationmanager.dll", "ext-ms-win-appmodel-appcontainerpath-l1-1-0": null, "ext-ms-win-appmodel-appexecutionalias-l1-1-4": "apisethost.appexecutionalias.dll", "ext-ms-win-appmodel-datasharingservice-extensions-l1-1-0": null, "ext-ms-win-appmodel-daxcore-l1-1-3": "daxexec.dll", "ext-ms-win-appmodel-deployment-l1-1-1": null, "ext-ms-win-appmodel-deploymentvolumes-l1-1-1": null, "ext-ms-win-appmodel-opc-l1-1-0": "opcservices.dll", "ext-ms-win-appmodel-registrycompatibility-l1-1-0": "appxdeploymentextensions.desktop.dll", "ext-ms-win-appmodel-restrictedappcontainer-internal-l1-1-0": "kernel.appcore.dll", "ext-ms-win-appmodel-shellexecute-l1-1-0": "windows.storage.dll", "ext-ms-win-appmodel-state-ext-l1-2-0": "kernel.appcore.dll", "ext-ms-win-appmodel-usercontext-l1-1-0": null, "ext-ms-win-appmodel-viewscalefactor-l1-1-0": null, "ext-ms-win-appxdeploymentclient-appxdeploy-l1-1-1": "appxdeploymentclient.dll", "ext-ms-win-appxdeploymentclient-appxdeployonecore-l1-1-1": "appxdeploymentclient.dll", "ext-ms-win-audiocore-coreaudiopolicymanager-l1-1-0": "coreaudiopolicymanagerext.dll", "ext-ms-win-audiocore-pal-l1-2-0": null, "ext-ms-win-audiocore-policymanager-l1-1-0": null, "ext-ms-win-audiocore-spatial-l1-1-0": null, "ext-ms-win-authz-claimpolicies-l1-1-0": "authz.dll", "ext-ms-win-authz-context-l1-1-0": "authz.dll", "ext-ms-win-authz-remote-l1-1-0": "logoncli.dll", "ext-ms-win-base-psapi-l1-1-0": "psapi.dll", "ext-ms-win-base-rstrtmgr-l1-1-0": "rstrtmgr.dll", "ext-ms-win-biometrics-winbio-core-l1-1-4": "winbio.dll", "ext-ms-win-biometrics-winbio-l1-1-0": "winbio.dll", "ext-ms-win-biometrics-winbio-l1-2-0": "winbioext.dll", "ext-ms-win-biometrics-winbio-l1-3-0": "winbioext.dll", "ext-ms-win-bluetooth-apis-internal-l1-1-0": "bluetoothapis.dll", "ext-ms-win-bluetooth-apis-l1-1-0": "bluetoothapis.dll", "ext-ms-win-bluetooth-apis-private-l1-1-0": "bluetoothapis.dll", "ext-ms-win-branding-winbrand-l1-1-2": "winbrand.dll", "ext-ms-win-branding-winbrand-l1-2-0": "winbrand.dll", "ext-ms-win-casting-device-l1-1-0": null, "ext-ms-win-casting-lockscreen-l1-1-0": "miracastreceiverext.dll", "ext-ms-win-casting-receiver-l1-1-1": "hubuiext.dll", "ext-ms-win-casting-shell-l1-1-0": "castingshellext.dll", "ext-ms-win-ci-management-l1-1-2": "manageci.dll", "ext-ms-win-ci-xbox-l1-1-0": null, "ext-ms-win-cloudap-tbal-l1-1-0": null, "ext-ms-win-clouddomainjoin-usermanagement-l1-1-0": null, "ext-ms-win-cluster-clusapi-l1-1-5": "clusapi.dll", "ext-ms-win-cluster-resutils-l1-1-3": "resutils.dll", "ext-ms-win-cmd-util-l1-1-0": "cmdext.dll", "ext-ms-win-cng-rng-l1-1-1": "bcryptprimitives.dll", "ext-ms-win-com-apartmentrestriction-l1-1-0": null, "ext-ms-win-com-clbcatq-l1-1-0": "clbcatq.dll", "ext-ms-win-com-coml2-l1-1-1": "coml2.dll", "ext-ms-win-com-ole32-l1-1-5": "ole32.dll", "ext-ms-win-com-ole32-l1-2-0": "ole32.dll", "ext-ms-win-com-ole32-l1-3-0": "ole32.dll", "ext-ms-win-com-ole32-l1-4-0": "ole32.dll", "ext-ms-win-com-psmregister-l1-1-0": "kernel.appcore.dll", "ext-ms-win-com-psmregister-l1-2-2": "kernel.appcore.dll", "ext-ms-win-com-psmregister-l1-3-1": "kernel.appcore.dll", "ext-ms-win-com-sta-l1-1-0": "ole32.dll", "ext-ms-win-com-suspendresiliency-l1-1-0": null, "ext-ms-win-composition-ghost-l1-1-0": "dwmghost.dll", "ext-ms-win-composition-holographic-l1-1-0": "hologramcompositor.dll", "ext-ms-win-composition-init-l1-1-0": "dwminit.dll", "ext-ms-win-compositor-hosting-l1-1-1": "ism.dll", "ext-ms-win-compositor-hosting-l1-2-1": "ism.dll", "ext-ms-win-compositor-hosting-l1-3-0": "ism.dll", "ext-ms-win-containers-policymanagercli-l1-1-1": null, "ext-ms-win-core-app-package-registration-l1-1-1": null, "ext-ms-win-core-app-package-volume-l1-1-0": null, "ext-ms-win-core-container-init-l1-1-0": null, "ext-ms-win-core-dhcp6client-l1-1-0": null, "ext-ms-win-core-game-streaming-l1-1-0": "gamestreamingext.dll", "ext-ms-win-core-iuri-l1-1-0": "urlmon.dll", "ext-ms-win-core-licensemanager-l1-1-1": null, "ext-ms-win-core-marshal-l2-1-0": "ole32.dll", "ext-ms-win-core-pkeyhelper-l1-1-0": "pkeyhelper.dll", "ext-ms-win-core-psm-bi-l1-1-0": "bisrv.dll", "ext-ms-win-core-psm-extendedresourcemode-l1-1-0": null, "ext-ms-win-core-psm-service-l1-1-6": "psmserviceexthost.dll", "ext-ms-win-core-resourcemanager-l1-1-0": "rmclient.dll", "ext-ms-win-core-resourcemanager-l1-2-1": "rmclient.dll", "ext-ms-win-core-resourcepolicy-l1-1-2": "resourcepolicyclient.dll", "ext-ms-win-core-resourcepolicyserver-l1-1-1": "resourcepolicyserver.dll", "ext-ms-win-core-stateseparationext-l1-1-0": null, "ext-ms-win-core-storelicensing-l1-1-0": "licensemanagerapi.dll", "ext-ms-win-core-storelicensing-l1-2-0": "licensemanagerapi.dll", "ext-ms-win-core-symbolicnames-l1-1-0": "tdhres.dll", "ext-ms-win-core-win32k-base-export-l1-1-0": "win32kbase.sys", "ext-ms-win-core-win32k-baseinit-l1-1-0": "win32kbase.sys", "ext-ms-win-core-win32k-common-export-l1-1-0": "win32kfull.sys", "ext-ms-win-core-win32k-common-input-l1-1-0": "win32kfull.sys", "ext-ms-win-core-win32k-common-inputrim-l1-1-0": "win32kfull.sys", "ext-ms-win-core-win32k-common-user-l1-1-0": "win32kfull.sys", "ext-ms-win-core-win32k-dcomp-l1-1-1": "win32kbase.sys", "ext-ms-win-core-win32k-ddccigdi-l1-1-0": "win32kfull.sys", "ext-ms-win-core-win32k-dxgdi-l1-1-0": "win32kfull.sys", "ext-ms-win-core-win32k-dxgk-internal-l1-1-0": "dxgkrnl.sys", "ext-ms-win-core-win32k-dxgk-l1-1-0": "dxgkrnl.sys", "ext-ms-win-core-win32k-flipmgr-l1-1-1": "dxgkrnl.sys", "ext-ms-win-core-win32k-full-export-l1-1-0": "win32kfull.sys", "ext-ms-win-core-win32k-full-float-export-l1-1-0": "win32kfull.sys", "ext-ms-win-core-win32k-fulldcompbase-l1-1-0": "win32kbase.sys", "ext-ms-win-core-win32k-fulldwm-l1-1-0": "win32kfull.sys", "ext-ms-win-core-win32k-fullgdi-l1-1-0": "win32kfull.sys", "ext-ms-win-core-win32k-fulluser-l1-1-0": "win32kfull.sys", "ext-ms-win-core-win32k-fulluser64-l1-1-0": "win32kfull.sys", "ext-ms-win-core-win32k-fulluserbase-l1-1-0": "win32kbase.sys", "ext-ms-win-core-win32k-gdi-l1-1-0": "win32kbase.sys", "ext-ms-win-core-win32k-input-l1-1-0": "win32kbase.sys", "ext-ms-win-core-win32k-inputmit-l1-1-0": "win32kbase.sys", "ext-ms-win-core-win32k-inputrim-l1-1-0": "win32kbase.sys", "ext-ms-win-core-win32k-mindwm-l1-1-0": null, "ext-ms-win-core-win32k-mininput-l1-1-0": null, "ext-ms-win-core-win32k-mininputmit-l1-1-0": null, "ext-ms-win-core-win32k-mininputmitbase-l1-1-0": "win32kbase.sys", "ext-ms-win-core-win32k-minuser-l1-1-0": null, "ext-ms-win-core-win32k-opmgdi-l1-1-0": "win32kbase.sys", "ext-ms-win-core-win32k-surfmgr-l1-1-1": "dxgkrnl.sys", "ext-ms-win-core-win32k-tokenmgr-l1-1-0": "dxgkrnl.sys", "ext-ms-win-core-win32k-user-l1-1-0": "win32kbase.sys", "ext-ms-win-core-win32k-userdisplay-l1-1-0": "win32kbase.sys", "ext-ms-win-core-win32k-userinit-l1-1-0": "win32k.sys", "ext-ms-win-core-winrt-remote-l1-1-0": null, "ext-ms-win-core-winsrv-l1-1-0": "winsrvext.dll", "ext-ms-win-core-winsrv-min-l1-1-0": null, "ext-ms-win-core-xbrm-l1-1-1": null, "ext-ms-win-coreui-l1-1-0": null, "ext-ms-win-coreui-navshutdown-l1-1-0": "navshutdown.dll", "ext-ms-win-crypto-xbox-l1-1-0": null, "ext-ms-win-deployment-productenumerator-l1-1-0": "productenumerator.dll", "ext-ms-win-desktopappx-l1-1-7": "daxexec.dll", "ext-ms-win-desktopappx-l1-2-0": "daxexec.dll", "ext-ms-win-devmgmt-dm-l1-1-2": "dmapisetextimpldesktop.dll", "ext-ms-win-devmgmt-policy-l1-1-3": "policymanager.dll", "ext-ms-win-direct2d-desktop-l1-1-0": "direct2ddesktop.dll", "ext-ms-win-domainjoin-netjoin-l1-1-0": "netjoin.dll", "ext-ms-win-dot3-grouppolicy-l1-1-0": "dot3gpclnt.dll", "ext-ms-win-driver-setup-l1-1-0": "drvsetup.dll", "ext-ms-win-driver-setup-wu-l1-1-1": "drvsetup.dll", "ext-ms-win-drvinst-desktop-l1-1-0": "newdev.dll", "ext-ms-win-dwmapi-ext-l1-1-2": "dwmapi.dll", "ext-ms-win-dwmapidxgi-ext-l1-1-1": "dwmapi.dll", "ext-ms-win-dx-d3d9-l1-1-0": "d3d9.dll", "ext-ms-win-dx-d3dkmt-dxcore-l1-1-3": "dxcore.dll", "ext-ms-win-dx-d3dkmt-gdi-l1-1-0": "gdi32.dll", "ext-ms-win-dx-ddraw-l1-1-0": "ddraw.dll", "ext-ms-win-dx-dinput8-l1-1-0": "dinput8.dll", "ext-ms-win-dx-dxdbhelper-l1-1-1": "directxdatabasehelper.dll", "ext-ms-win-dxcore-internal-l1-1-0": "dxcore.dll", "ext-ms-win-dxcore-l1-1-0": "dxcore.dll", "ext-ms-win-edputil-policy-l1-1-2": "edputil.dll", "ext-ms-win-els-elscore-l1-1-0": "elscore.dll", "ext-ms-win-eventing-pdh-l1-1-2": "pdh.dll", "ext-ms-win-eventing-rundown-l1-1-0": "etwrundown.dll", "ext-ms-win-eventing-tdh-ext-l1-1-0": "tdh.dll", "ext-ms-win-eventing-tdh-priv-l1-1-0": "tdh.dll", "ext-ms-win-familysafety-childaccount-l1-1-0": "familysafetyext.dll", "ext-ms-win-feclient-encryptedfile-l1-1-3": "feclient.dll", "ext-ms-win-firewallapi-webproxy-l1-1-1": "firewallapi.dll", "ext-ms-win-font-fontgroups-l1-1-0": "fontgroupsoverride.dll", "ext-ms-win-font-setup-l1-1-0": "muifontsetup.dll", "ext-ms-win-fs-clfs-l1-1-0": "clfs.sys", "ext-ms-win-fs-cscapi-l1-1-1": "cscapi.dll", "ext-ms-win-fs-vssapi-l1-1-0": "vssapi.dll", "ext-ms-win-fsutilext-ifsutil-l1-1-0": "fsutilext.dll", "ext-ms-win-fsutilext-ulib-l1-1-0": "fsutilext.dll", "ext-ms-win-fveapi-query-l1-1-0": "fveapi.dll", "ext-ms-win-gaming-devicefamily-l1-1-0": null, "ext-ms-win-gaming-gamechatoverlay-l1-1-0": "gamechatoverlayext.dll", "ext-ms-win-gaming-xblgamesave-l1-1-0": "xblgamesaveext.dll", "ext-ms-win-gaming-xinput-l1-1-0": "xinputuap.dll", "ext-ms-win-gdi-clipping-l1-1-0": "gdi32full.dll", "ext-ms-win-gdi-dc-create-l1-1-2": "gdi32full.dll", "ext-ms-win-gdi-dc-l1-2-1": "gdi32full.dll", "ext-ms-win-gdi-devcaps-l1-1-0": "gdi32full.dll", "ext-ms-win-gdi-draw-l1-1-3": "gdi32full.dll", "ext-ms-win-gdi-edgegdi-l1-1-0": null, "ext-ms-win-gdi-font-l1-1-3": "gdi32full.dll", "ext-ms-win-gdi-gdiplus-l1-1-0": "gdiplus.dll", "ext-ms-win-gdi-internal-desktop-l1-1-3": "gdi32full.dll", "ext-ms-win-gdi-internal-uap-init-l1-1-0": "gdi32full.dll", "ext-ms-win-gdi-metafile-l1-1-2": "gdi32full.dll", "ext-ms-win-gdi-path-l1-1-0": "gdi32full.dll", "ext-ms-win-gdi-print-l1-1-0": "gdi32full.dll", "ext-ms-win-gdi-private-l1-1-0": "gdi32full.dll", "ext-ms-win-gdi-render-l1-1-0": "gdi32.dll", "ext-ms-win-gdi-rgn-l1-1-0": "gdi32full.dll", "ext-ms-win-gdi-wcs-l1-1-0": "gdi32full.dll", "ext-ms-win-globalization-input-l1-1-2": "globinputhost.dll", "ext-ms-win-gpapi-grouppolicy-l1-1-0": "gpapi.dll", "ext-ms-win-gpsvc-grouppolicy-l1-1-0": "gpsvc.dll", "ext-ms-win-gui-dui70-l1-1-0": "dui70.dll", "ext-ms-win-gui-ieui-l1-1-0": "ieui.dll", "ext-ms-win-gui-uxinit-l1-1-1": "uxinit.dll", "ext-ms-win-hostactivitymanager-hostidstore-l1-1-1": "rmclient.dll", "ext-ms-win-hyperv-compute-l1-1-1": "vmcompute.dll", "ext-ms-win-hyperv-compute-l1-2-2": "computecore.dll", "ext-ms-win-hyperv-computenetwork-l1-1-0": "computenetwork.dll", "ext-ms-win-hyperv-computestorage-l1-1-1": "computestorage.dll", "ext-ms-win-hyperv-devicevirtualization-l1-1-1": "vmdevicehost.dll", "ext-ms-win-hyperv-devicevirtualization-l1-2-1": "vmdevicehost.dll", "ext-ms-win-hyperv-hgs-l1-1-0": "vmhgs.dll", "ext-ms-win-hyperv-hvemulation-l1-1-0": "winhvemulation.dll", "ext-ms-win-hyperv-hvplatform-l1-1-5": "winhvplatform.dll", "ext-ms-win-ie-textinput-l1-1-0": null, "ext-ms-win-imm-l1-1-1": "imm32.dll", "ext-ms-win-kernel32-appcompat-l1-1-0": "kernel32.dll", "ext-ms-win-kernel32-datetime-l1-1-0": "kernel32.dll", "ext-ms-win-kernel32-elevation-l1-1-0": "kernel32.dll", "ext-ms-win-kernel32-errorhandling-l1-1-0": "faultrep.dll", "ext-ms-win-kernel32-file-l1-1-0": "kernel32.dll", "ext-ms-win-kernel32-localization-l1-1-0": "kernel32.dll", "ext-ms-win-kernel32-package-current-l1-1-0": "kernel.appcore.dll", "ext-ms-win-kernel32-package-l1-1-2": "kernel.appcore.dll", "ext-ms-win-kernel32-process-l1-1-0": "kernel32.dll", "ext-ms-win-kernel32-quirks-l1-1-1": "kernel32.dll", "ext-ms-win-kernel32-registry-l1-1-0": "kernel32.dll", "ext-ms-win-kernel32-sidebyside-l1-1-0": "kernel32.dll", "ext-ms-win-kernel32-transacted-l1-1-0": "kernel32.dll", "ext-ms-win-kernel32-updateresource-l1-1-0": "kernel32.dll", "ext-ms-win-kernel32-windowserrorreporting-l1-1-1": "kernel32.dll", "ext-ms-win-kernelbase-processthread-l1-1-2": "kernel32.dll", "ext-ms-win-kioskmode-config-l1-1-0": null, "ext-ms-win-mapi-mapi32-l1-1-0": "mapistub.dll", "ext-ms-win-media-avi-l1-1-0": "avifil32.dll", "ext-ms-win-media-codecpack-mounting-l1-1-0": null, "ext-ms-win-mf-devicespecific-l1-1-0": null, "ext-ms-win-mf-vfw-l1-1-0": "mfvfw.dll", "ext-ms-win-mininput-cursorhost-l1-1-0": "inputhost.dll", "ext-ms-win-mininput-extensions-l1-1-0": null, "ext-ms-win-mininput-inputhost-l1-1-1": "inputhost.dll", "ext-ms-win-mininput-inputhost-l1-2-1": "inputhost.dll", "ext-ms-win-mininput-inputhost-l1-3-0": "inputhost.dll", "ext-ms-win-mininput-inputhost-l1-4-0": "inputhost.dll", "ext-ms-win-mininput-systeminputhost-l1-1-0": "ism.dll", "ext-ms-win-mininput-systeminputhost-l1-2-0": "ism.dll", "ext-ms-win-mm-io-l1-1-0": "winmmbase.dll", "ext-ms-win-mm-msacm-l1-1-0": "msacm32.dll", "ext-ms-win-mm-pehelper-l1-1-0": "mf.dll", "ext-ms-win-mm-wmvcore-l1-1-0": "wmvcore.dll", "ext-ms-win-moderncore-win32k-base-ntgdi-l1-1-0": "win32kfull.sys", "ext-ms-win-moderncore-win32k-base-ntuser-l1-1-0": "win32kfull.sys", "ext-ms-win-moderncore-win32k-base-sysentry-l1-1-0": "win32k.sys", "ext-ms-win-mpr-multipleproviderrouter-l1-1-0": "mprext.dll", "ext-ms-win-mrmcorer-resmanager-l1-1-0": "mrmcorer.dll", "ext-ms-win-msa-device-l1-1-0": null, "ext-ms-win-msa-ui-l1-1-0": "msauserext.dll", "ext-ms-win-msa-user-l1-1-1": "msauserext.dll", "ext-ms-win-msi-misc-l1-1-0": "msi.dll", "ext-ms-win-msiltcfg-msi-l1-1-0": "msiltcfg.dll", "ext-ms-win-msimg-draw-l1-1-0": "msimg32.dll", "ext-ms-win-net-cmvpn-l1-1-0": "cmintegrator.dll", "ext-ms-win-net-httpproxyext-l1-1-0": "httpprxc.dll", "ext-ms-win-net-isoext-l1-1-0": "firewallapi.dll", "ext-ms-win-net-netbios-l1-1-0": "netbios.dll", "ext-ms-win-net-netshell-l1-1-0": "netshell.dll", "ext-ms-win-net-nfdapi-l1-1-1": "ndfapi.dll", "ext-ms-win-net-vpn-l1-1-0": null, "ext-ms-win-netprovision-netprovfw-l1-1-0": "netprovfw.dll", "ext-ms-win-networking-iphlpsvc-l1-1-0": null, "ext-ms-win-networking-mpssvc-l1-1-0": null, "ext-ms-win-networking-ncsiuserprobe-l1-1-0": null, "ext-ms-win-networking-radiomonitor-l1-1-0": "windows.devices.radios.dll", "ext-ms-win-networking-teredo-l1-1-0": "windows.networking.connectivity.dll", "ext-ms-win-networking-wcmapi-l1-1-1": "wcmapi.dll", "ext-ms-win-networking-winipsec-l1-1-0": "winipsec.dll", "ext-ms-win-networking-wlanapi-l1-1-0": "wlanapi.dll", "ext-ms-win-networking-wlanstorage-l1-1-0": null, "ext-ms-win-networking-xblconnectivity-l1-1-0": null, "ext-ms-win-newdev-config-l1-1-2": "newdev.dll", "ext-ms-win-nfc-semgr-l1-1-0": "semgrsvc.dll", "ext-ms-win-ntdsa-activedirectoryasyncthreadqueue-l1-1-0": "ntdsatq.dll", "ext-ms-win-ntdsa-activedirectoryserver-l1-1-2": "ntdsa.dll", "ext-ms-win-ntdsapi-activedirectoryclient-l1-1-1": "ntdsapi.dll", "ext-ms-win-ntos-clipsp-l1-1-0": "clipsp.sys", "ext-ms-win-ntos-dg-l1-1-0": null, "ext-ms-win-ntos-kcminitcfg-l1-1-0": "cmimcext.sys", "ext-ms-win-ntos-ksecurity-l1-1-1": null, "ext-ms-win-ntos-ksr-l1-1-4": null, "ext-ms-win-ntos-processparameters-l1-1-0": null, "ext-ms-win-ntos-stateseparation-l1-1-0": null, "ext-ms-win-ntos-tm-l1-1-0": "tm.sys", "ext-ms-win-ntos-trace-l1-1-0": null, "ext-ms-win-ntos-ucode-l1-1-0": "ntosext.sys", "ext-ms-win-ntos-vail-l1-1-0": null, "ext-ms-win-ntos-vmsvc-l1-1-0": "vmsvcext.sys", "ext-ms-win-ntos-werkernel-l1-1-1": "werkernel.sys", "ext-ms-win-ntuser-caret-l1-1-0": "user32.dll", "ext-ms-win-ntuser-chartranslation-l1-1-0": "user32.dll", "ext-ms-win-ntuser-dc-access-ext-l1-1-0": "user32.dll", "ext-ms-win-ntuser-dde-l1-1-0": "user32.dll", "ext-ms-win-ntuser-dialogbox-l1-1-2": "user32.dll", "ext-ms-win-ntuser-draw-l1-1-2": "user32.dll", "ext-ms-win-ntuser-gui-l1-1-1": "user32.dll", "ext-ms-win-ntuser-gui-l1-2-0": "user32.dll", "ext-ms-win-ntuser-gui-l1-3-1": "user32.dll", "ext-ms-win-ntuser-keyboard-ansi-l1-1-0": "user32.dll", "ext-ms-win-ntuser-keyboard-l1-1-1": "user32.dll", "ext-ms-win-ntuser-keyboard-l1-2-0": "user32.dll", "ext-ms-win-ntuser-keyboard-l1-3-1": "user32.dll", "ext-ms-win-ntuser-menu-l1-1-3": "user32.dll", "ext-ms-win-ntuser-message-l1-1-3": "user32.dll", "ext-ms-win-ntuser-misc-l1-1-0": "user32.dll", "ext-ms-win-ntuser-misc-l1-2-0": "user32.dll", "ext-ms-win-ntuser-misc-l1-3-0": "user32.dll", "ext-ms-win-ntuser-misc-l1-5-1": "user32.dll", "ext-ms-win-ntuser-misc-l1-6-0": "user32.dll", "ext-ms-win-ntuser-misc-l1-7-0": "user32.dll", "ext-ms-win-ntuser-mit-l1-1-0": "user32.dll", "ext-ms-win-ntuser-mouse-l1-1-1": "user32.dll", "ext-ms-win-ntuser-powermanagement-l1-1-0": "user32.dll", "ext-ms-win-ntuser-private-l1-1-1": "user32.dll", "ext-ms-win-ntuser-private-l1-2-0": "user32.dll", "ext-ms-win-ntuser-private-l1-3-3": "user32.dll", "ext-ms-win-ntuser-private-l1-4-0": "user32.dll", "ext-ms-win-ntuser-private-l1-5-0": "user32.dll", "ext-ms-win-ntuser-private-l1-6-0": "user32.dll", "ext-ms-win-ntuser-rawinput-l1-1-0": "user32.dll", "ext-ms-win-ntuser-rawinput-l1-2-0": "user32.dll", "ext-ms-win-ntuser-rectangle-ext-l1-1-0": "user32.dll", "ext-ms-win-ntuser-rim-l1-1-2": "user32.dll", "ext-ms-win-ntuser-rim-l1-2-1": "user32.dll", "ext-ms-win-ntuser-rotationmanager-l1-1-2": "user32.dll", "ext-ms-win-ntuser-server-l1-1-1": "user32.dll", "ext-ms-win-ntuser-string-l1-1-0": "user32.dll", "ext-ms-win-ntuser-synch-l1-1-0": "user32.dll", "ext-ms-win-ntuser-sysparams-ext-l1-1-1": "user32.dll", "ext-ms-win-ntuser-touch-hittest-l1-1-0": "user32.dll", "ext-ms-win-ntuser-uicontext-ext-l1-1-0": "user32.dll", "ext-ms-win-ntuser-window-l1-1-5": "user32.dll", "ext-ms-win-ntuser-windowclass-l1-1-2": "user32.dll", "ext-ms-win-ntuser-windowstation-ansi-l1-1-1": "user32.dll", "ext-ms-win-ntuser-windowstation-l1-1-2": "user32.dll", "ext-ms-win-odbc-odbc32-l1-1-0": "odbc32.dll", "ext-ms-win-ole32-bindctx-l1-1-0": "ole32.dll", "ext-ms-win-ole32-ie-ext-l1-1-0": "ole32.dll", "ext-ms-win-ole32-oleautomation-l1-1-0": "ole32.dll", "ext-ms-win-oleacc-l1-1-2": "oleacc.dll", "ext-ms-win-onecore-shutdown-l1-1-0": "twinapi.appcore.dll", "ext-ms-win-oobe-query-l1-1-0": null, "ext-ms-win-packagevirtualizationcontext-l1-1-0": "daxexec.dll", "ext-ms-win-parentalcontrols-setup-l1-1-0": "wpcapi.dll", "ext-ms-win-perception-device-l1-1-1": "perceptiondevice.dll", "ext-ms-win-pinenrollment-enrollment-l1-1-2": "pinenrollmenthelper.dll", "ext-ms-win-printer-prntvpt-l1-1-2": "prntvpt.dll", "ext-ms-win-printer-winspool-core-l1-1-0": "winspool.drv", "ext-ms-win-printer-winspool-l1-1-4": "winspool.drv", "ext-ms-win-printer-winspool-l1-2-0": "winspool.drv", "ext-ms-win-profile-extender-l1-1-0": "userenv.dll", "ext-ms-win-profile-load-l1-1-0": null, "ext-ms-win-profile-profsvc-l1-1-0": "profsvcext.dll", "ext-ms-win-profile-userenv-l1-1-1": "profext.dll", "ext-ms-win-provisioning-platform-l1-1-2": "provplatformdesktop.dll", "ext-ms-win-ras-rasapi32-l1-1-2": "rasapi32.dll", "ext-ms-win-ras-rasdlg-l1-1-0": "rasdlg.dll", "ext-ms-win-ras-rasman-l1-1-0": "rasman.dll", "ext-ms-win-ras-tapi32-l1-1-1": "tapi32.dll", "ext-ms-win-raschapext-eap-l1-1-0": "raschapext.dll", "ext-ms-win-rastlsext-eap-l1-1-0": "rastlsext.dll", "ext-ms-win-rdr-davhlpr-l1-1-0": "davhlpr.dll", "ext-ms-win-reinfo-query-l1-1-0": "reinfo.dll", "ext-ms-win-remotewipe-platform-l1-1-0": null, "ext-ms-win-resourcemanager-crm-l1-1-0": "rmclient.dll", "ext-ms-win-resourcemanager-crm-l1-2-0": "rmclient.dll", "ext-ms-win-resourcemanager-gamemode-l1-1-0": "rmclient.dll", "ext-ms-win-resourcemanager-gamemode-l1-2-1": "rmclient.dll", "ext-ms-win-resourcemanager-limits-l1-1-0": "rmclient.dll", "ext-ms-win-resourcemanager-proc-l1-1-0": "rmclient.dll", "ext-ms-win-resources-deployment-l1-1-0": "mrmdeploy.dll", "ext-ms-win-resources-languageoverlay-l1-1-6": "languageoverlayutil.dll", "ext-ms-win-ro-typeresolution-l1-1-1": "wintypes.dll", "ext-ms-win-rometadata-dispenser-l1-1-0": "rometadata.dll", "ext-ms-win-rpc-firewallportuse-l1-1-0": "rpcrtremote.dll", "ext-ms-win-rpc-ssl-l1-1-0": "rpcrtremote.dll", "ext-ms-win-rtcore-gdi-devcaps-l1-1-1": "gdi32.dll", "ext-ms-win-rtcore-gdi-object-l1-1-0": "gdi32.dll", "ext-ms-win-rtcore-gdi-rgn-l1-1-1": "gdi32.dll", "ext-ms-win-rtcore-minuser-display-l1-1-0": null, "ext-ms-win-rtcore-minuser-host-l1-1-0": null, "ext-ms-win-rtcore-minuser-input-l1-1-4": null, "ext-ms-win-rtcore-minuser-internal-l1-1-0": null, "ext-ms-win-rtcore-minuser-private-ext-l1-1-3": null, "ext-ms-win-rtcore-ntuser-controllernavigation-l1-1-2": "inputhost.dll", "ext-ms-win-rtcore-ntuser-cursor-l1-1-1": "user32.dll", "ext-ms-win-rtcore-ntuser-dc-access-l1-1-1": "user32.dll", "ext-ms-win-rtcore-ntuser-dialogbox-l1-1-0": null, "ext-ms-win-rtcore-ntuser-dpi-l1-1-0": "user32.dll", "ext-ms-win-rtcore-ntuser-dpi-l1-2-2": "user32.dll", "ext-ms-win-rtcore-ntuser-draw-l1-1-0": null, "ext-ms-win-rtcore-ntuser-gui-l1-1-1": null, "ext-ms-win-rtcore-ntuser-iam-l1-1-2": "user32.dll", "ext-ms-win-rtcore-ntuser-inputintercept-l1-1-0": "user32.dll", "ext-ms-win-rtcore-ntuser-integration-l1-1-0": "user32.dll", "ext-ms-win-rtcore-ntuser-keyboard-l1-1-0": "user32.dll", "ext-ms-win-rtcore-ntuser-message-ansi-l1-1-0": "user32.dll", "ext-ms-win-rtcore-ntuser-message-l1-1-0": "user32.dll", "ext-ms-win-rtcore-ntuser-mininit-l1-1-0": null, "ext-ms-win-rtcore-ntuser-misc-l1-1-0": null, "ext-ms-win-rtcore-ntuser-mouse-l1-1-0": null, "ext-ms-win-rtcore-ntuser-powermanagement-l1-1-0": null, "ext-ms-win-rtcore-ntuser-private-l1-1-1": null, "ext-ms-win-rtcore-ntuser-rawinput-l1-1-1": "user32.dll", "ext-ms-win-rtcore-ntuser-rawinput-l1-2-0": "user32.dll", "ext-ms-win-rtcore-ntuser-synch-ext-l1-1-0": "user32.dll", "ext-ms-win-rtcore-ntuser-syscolors-l1-1-0": "user32.dll", "ext-ms-win-rtcore-ntuser-sysparams-l1-1-0": "user32.dll", "ext-ms-win-rtcore-ntuser-usersecurity-l1-1-0": "user32.dll", "ext-ms-win-rtcore-ntuser-window-ansi-l1-1-0": "user32.dll", "ext-ms-win-rtcore-ntuser-window-ext-l1-1-1": "user32.dll", "ext-ms-win-rtcore-ntuser-window-l1-1-0": "user32.dll", "ext-ms-win-rtcore-ntuser-winevent-ext-l1-1-0": "user32.dll", "ext-ms-win-rtcore-ntuser-winstamin-l1-1-0": null, "ext-ms-win-rtcore-ntuser-wmpointer-l1-1-0": "user32.dll", "ext-ms-win-rtcore-ntuser-wmpointermin-l1-1-0": null, "ext-ms-win-rtcore-ole32-dragdrop-l1-1-0": "ole32.dll", "ext-ms-win-rtcore-ole32-misc-l1-1-0": "ole32.dll", "ext-ms-win-samsrv-accountstore-l1-1-1": "samsrv.dll", "ext-ms-win-scesrv-server-l1-1-0": "scesrv.dll", "ext-ms-win-search-folder-l1-1-0": "searchfolder.dll", "ext-ms-win-secur32-translatename-l1-1-0": "secur32.dll", "ext-ms-win-security-appinfoext-l1-1-0": "appinfoext.dll", "ext-ms-win-security-authbrokerui-l1-1-0": "authbrokerui.dll", "ext-ms-win-security-authz-helper-l1-1-0": "authentication.dll", "ext-ms-win-security-capauthz-l1-1-1": "capauthz.dll", "ext-ms-win-security-catalog-database-l1-1-0": "cryptcatsvc.dll", "ext-ms-win-security-certpoleng-l1-1-0": "certpoleng.dll", "ext-ms-win-security-cfl-l1-1-1": "cflapi.dll", "ext-ms-win-security-chambers-l1-1-1": null, "ext-ms-win-security-credui-internal-l1-1-0": "wincredui.dll", "ext-ms-win-security-credui-l1-1-1": "credui.dll", "ext-ms-win-security-crosscontainerauthhelper-l1-1-0": null, "ext-ms-win-security-cryptui-l1-1-1": "cryptui.dll", "ext-ms-win-security-developerunlock-l1-1-0": null, "ext-ms-win-security-deviceid-l1-1-0": null, "ext-ms-win-security-efs-l1-1-1": "efsext.dll", "ext-ms-win-security-efswrt-l1-1-3": "efswrt.dll", "ext-ms-win-security-kerberos-l1-1-0": "kerberos.dll", "ext-ms-win-security-lsaadt-l1-1-0": "lsaadt.dll", "ext-ms-win-security-lsaadtpriv-l1-1-0": "lsaadt.dll", "ext-ms-win-security-lsaauditrpc-l1-1-0": "lsaadt.dll", "ext-ms-win-security-ngc-local-l1-1-0": "ngclocal.dll", "ext-ms-win-security-shutdownext-l1-1-0": "shutdownext.dll", "ext-ms-win-security-slc-l1-1-0": "slc.dll", "ext-ms-win-security-srp-l1-1-1": "srpapi.dll", "ext-ms-win-security-tokenbrokerui-l1-1-0": "tokenbrokerui.dll", "ext-ms-win-security-vaultcds-l1-1-0": "vaultcds.dll", "ext-ms-win-security-vaultcds-l1-2-0": "vaultcds.dll", "ext-ms-win-security-vaultcli-l1-1-1": "vaultcli.dll", "ext-ms-win-security-winscard-l1-1-1": "winscard.dll", "ext-ms-win-sensors-core-private-l1-1-6": "sensorsnativeapi.dll", "ext-ms-win-sensors-utilities-private-l1-1-4": "sensorsutilsv2.dll", "ext-ms-win-servicing-uapi-l1-1-2": "servicinguapi.dll", "ext-ms-win-session-candidateaccountmgr-l1-1-0": "usermgrcli.dll", "ext-ms-win-session-userinit-l1-1-0": "userinitext.dll", "ext-ms-win-session-usermgr-l1-1-0": "usermgrcli.dll", "ext-ms-win-session-usermgr-l1-2-0": "usermgrcli.dll", "ext-ms-win-session-usertoken-l1-1-0": "wtsapi32.dll", "ext-ms-win-session-wininit-l1-1-1": "wininitext.dll", "ext-ms-win-session-wininit-l1-2-0": "wininitext.dll", "ext-ms-win-session-winlogon-l1-1-2": "winlogonext.dll", "ext-ms-win-session-winsta-l1-1-4": "winsta.dll", "ext-ms-win-session-wtsapi32-l1-1-0": "wtsapi32.dll", "ext-ms-win-setupapi-classinstallers-l1-1-2": "setupapi.dll", "ext-ms-win-setupapi-inf-l1-1-1": "setupapi.dll", "ext-ms-win-setupapi-logging-l1-1-0": "setupapi.dll", "ext-ms-win-shell-aclui-l1-1-0": "aclui.dll", "ext-ms-win-shell-browsersettingsync-l1-1-0": null, "ext-ms-win-shell-comctl32-da-l1-1-0": "comctl32.dll", "ext-ms-win-shell-comctl32-init-l1-1-1": "comctl32.dll", "ext-ms-win-shell-comctl32-l1-1-0": "comctl32.dll", "ext-ms-win-shell-comctl32-window-l1-1-0": "comctl32.dll", "ext-ms-win-shell-comdlg32-l1-1-1": "comdlg32.dll", "ext-ms-win-shell-directory-l1-1-0": "windows.storage.dll", "ext-ms-win-shell-efsadu-l1-1-0": "efsadu.dll", "ext-ms-win-shell-embeddedmode-l1-1-0": "embeddedmodesvcapi.dll", "ext-ms-win-shell-exports-internal-l1-1-1": "shell32.dll", "ext-ms-win-shell-fileplaceholder-l1-1-0": "windows.fileexplorer.common.dll", "ext-ms-win-shell-ntshrui-l1-1-0": "ntshrui.dll", "ext-ms-win-shell-propsys-l1-1-1": "propsys.dll", "ext-ms-win-shell-shdocvw-l1-1-0": "shdocvw.dll", "ext-ms-win-shell-shell32-l1-2-3": "shell32.dll", "ext-ms-win-shell-shell32-l1-3-0": "shell32.dll", "ext-ms-win-shell-shell32-l1-4-0": "shell32.dll", "ext-ms-win-shell-shell32-l1-5-0": "shell32.dll", "ext-ms-win-shell-shlwapi-l1-1-2": "shlwapi.dll", "ext-ms-win-shell-shlwapi-l1-2-1": "shlwapi.dll", "ext-ms-win-shell32-shellcom-l1-1-0": "windows.storage.dll", "ext-ms-win-shell32-shellfolders-l1-1-1": "windows.storage.dll", "ext-ms-win-shell32-shellfolders-l1-2-1": "windows.storage.dll", "ext-ms-win-smbshare-browser-l1-1-0": "browser.dll", "ext-ms-win-smbshare-browserclient-l1-1-0": "browcli.dll", "ext-ms-win-smbshare-sscore-l1-1-0": "sscoreext.dll", "ext-ms-win-spinf-inf-l1-1-0": "spinf.dll", "ext-ms-win-storage-hbaapi-l1-1-1": "hbaapi.dll", "ext-ms-win-storage-iscsidsc-l1-1-0": "iscsidsc.dll", "ext-ms-win-storage-sense-l1-1-0": "storageusage.dll", "ext-ms-win-storage-sense-l1-2-4": "storageusage.dll", "ext-ms-win-sxs-oleautomation-l1-1-0": "sxs.dll", "ext-ms-win-sysmain-pfapi-l1-1-0": "pfclient.dll", "ext-ms-win-sysmain-pfsapi-l1-1-0": "pfclient.dll", "ext-ms-win-sysmain-plmapi-l1-1-1": "pfclient.dll", "ext-ms-win-system-metrics-override-l1-1-0": null, "ext-ms-win-teapext-eap-l1-1-0": "eapteapext.dll", "ext-ms-win-test-sys1-l1-1-0": null, "ext-ms-win-test-sys2-l1-1-0": null, "ext-ms-win-tsf-inputsetting-l1-1-0": "input.dll", "ext-ms-win-tsf-msctf-l1-1-4": "msctf.dll", "ext-ms-win-ttlsext-eap-l1-1-0": "ttlsext.dll", "ext-ms-win-ui-viewmanagement-l1-1-0": null, "ext-ms-win-uiacore-l1-1-3": "uiautomationcore.dll", "ext-ms-win-umpoext-umpo-l1-1-0": "umpoext.dll", "ext-ms-win-usp10-l1-1-0": "gdi32full.dll", "ext-ms-win-uwf-servicing-apis-l1-1-1": "uwfservicingapi.dll", "ext-ms-win-uxtheme-themes-l1-1-3": "uxtheme.dll", "ext-ms-win-wer-reporting-l1-1-3": "wer.dll", "ext-ms-win-wer-ui-l1-1-1": "werui.dll", "ext-ms-win-wer-wct-l1-1-0": "wer.dll", "ext-ms-win-wer-xbox-l1-1-2": null, "ext-ms-win-wevtapi-eventlog-l1-1-3": "wevtapi.dll", "ext-ms-win-winlogon-mincreds-l1-1-0": null, "ext-ms-win-winrt-device-access-l1-1-0": "deviceaccess.dll", "ext-ms-win-winrt-storage-l1-1-0": "windows.storage.dll", "ext-ms-win-winrt-storage-l1-2-3": "windows.storage.dll", "ext-ms-win-winrt-storage-win32broker-l1-1-0": "windows.storage.onecore.dll", "ext-ms-win-wlan-grouppolicy-l1-1-0": "wlgpclnt.dll", "ext-ms-win-wlan-onexui-l1-1-0": "onexui.dll", "ext-ms-win-wlan-scard-l1-1-0": "winscard.dll", "ext-ms-win-wpc-webfilter-l1-1-0": "wpcwebfilter.dll", "ext-ms-win-wpn-phoneext-l1-1-0": null, "ext-ms-win-wrp-sfc-l1-1-0": "sfc.dll", "ext-ms-win-wsclient-devlicense-l1-1-1": "wsclient.dll", "ext-ms-win-wwaext-misc-l1-1-0": "wwaext.dll", "ext-ms-win-wwaext-module-l1-1-0": "wwaext.dll", "ext-ms-win-wwan-wwapi-l1-1-3": "wwapi.dll", "ext-ms-win-xaml-controls-l1-1-0": "windows.ui.xaml.phone.dll", "ext-ms-win-xaml-pal-l1-1-0": null, "ext-ms-win-xaudio-platform-l1-1-0": null, "ext-ms-win-xblauth-console-l1-1-0": null, "ext-ms-win-xboxlive-xboxnetapisvc-l1-1-0": null, "ext-ms-win32-subsystem-query-l1-1-0": null, "ext-ms-windowscore-deviceinfo-l1-1-0": null}
# reverse the mapping

def normalize_dll_name(name:str) -> str:
    name = name.lower()
    if not name.endswith(".dll"):
        name = name + ".dll"
    if name.startswith("api-ms") or name.startswith("ext-ms"):
        name = name[:str(name).rindex("-") + 1]
    return name

normalize_apiset = {}
for k, v in apiset.items():
    normalize_apiset[normalize_dll_name(k)] = v

alternate_names = defaultdict(set)
for api_set_name, dll_name in apiset.items():
    alternate_names[normalize_dll_name(dll_name)].add(normalize_dll_name(api_set_name))

alternate_names['bthprops.dll'].add(normalize_dll_name('bthprops.dll'))
alternate_names['cfgmgr32.dll'].add(normalize_dll_name('api-ms-win-devices-swdevice-l1-1-0.dll'))
alternate_names['cfgmgr32.dll'].add(normalize_dll_name('api-ms-win-devices-swdevice-l1-1-1.dll'))
alternate_names['icu.dll'].add(normalize_dll_name('icuuc.dll'))
alternate_names['netapi32.dll'].add(normalize_dll_name('dfscli.dll'))
alternate_names['netapi32.dll'].add(normalize_dll_name('DSROLE.dll'))
alternate_names['netapi32.dll'].add(normalize_dll_name('logoncli.dll'))
alternate_names['netapi32.dll'].add(normalize_dll_name('netutils.dll'))
alternate_names['netapi32.dll'].add(normalize_dll_name('samcli.dll'))
alternate_names['netapi32.dll'].add(normalize_dll_name('schedcli.dll'))
alternate_names['netapi32.dll'].add(normalize_dll_name('srvcli.dll'))
alternate_names['netapi32.dll'].add(normalize_dll_name('wkscli.dll'))
alternate_names['netsh.dll'].add(normalize_dll_name('NETSH.dll'))
alternate_names['ntdll.dll'].add(normalize_dll_name('api-ms-win-core-rtlsupport-l1-2-0.dll'))
alternate_names['ole32.dll'].add(normalize_dll_name('api-ms-win-core-com-l1-1-0.dll'))
alternate_names['ole32.dll'].add(normalize_dll_name('api-ms-win-core-com-l1-1-1.dll'))
alternate_names['ole32.dll'].add(normalize_dll_name('api-ms-win-core-com-l1-1-2.dll'))
alternate_names['ole32.dll'].add(normalize_dll_name('api-ms-win-core-com-l2-1-1.dll'))
alternate_names['ole32.dll'].add(normalize_dll_name('api-ms-win-downlevel-ole32-l1-1-0.dll'))
alternate_names['powrprof.dll'].add(normalize_dll_name('api-ms-win-power-base-l1-1-0.dll'))
alternate_names['powrprof.dll'].add(normalize_dll_name('api-ms-win-power-setting-l1-1-0.dll'))
alternate_names['rpcns4.dll'].add(normalize_dll_name('RPCRT4.dll'))
alternate_names['secur32.dll'].add(normalize_dll_name('SspiCli.dll'))
alternate_names['shell32.dll'].add(normalize_dll_name('api-ms-win-downlevel-shell32-l1-1-0.dll'))
alternate_names['shlwapi.dll'].add(normalize_dll_name('api-ms-win-core-string-l2-1-1.dll'))
alternate_names['shlwapi.dll'].add(normalize_dll_name('api-ms-win-core-url-l1-1-0.dll'))
alternate_names['shlwapi.dll'].add(normalize_dll_name('api-ms-win-downlevel-shlwapi-l1-1-0.dll'))
alternate_names['shlwapi.dll'].add(normalize_dll_name('api-ms-win-downlevel-shlwapi-l2-1-0.dll'))
alternate_names['urlmon.dll'].add(normalize_dll_name('ext-ms-win-core-iuri-l1-1-0.dll'))
alternate_names['user32.dll'].add(normalize_dll_name('api-ms-win-core-string-l2-1-0.dll'))
alternate_names['user32.dll'].add(normalize_dll_name('api-ms-win-downlevel-user32-l1-1-0.dll'))
alternate_names['version.dll'].add(normalize_dll_name('api-ms-win-core-version-l1-1-0.dll'))
alternate_names['version.dll'].add(normalize_dll_name('api-ms-win-core-version-l1-1-1.dll'))
alternate_names['version.dll'].add(normalize_dll_name('api-ms-win-core-versionansi-l1-1-0.dll'))
alternate_names['version.dll'].add(normalize_dll_name('api-ms-win-downlevel-version-l1-1-0.dll'))
alternate_names['winspool.dll'].add(normalize_dll_name('SPOOLSS.dll'))
alternate_names['wintrust.dll'].add(normalize_dll_name('CRYPT32.dll'))
alternate_names['wtsapi32.dll'].add(normalize_dll_name('WINSTA.dll'))
print("Success")

Success


## Remap the functions by DllImport

In [16]:

libs = defaultdict(lambda: defaultdict(lambda: defaultdict(lambda: defaultdict(lambda: None))))
types = defaultdict(lambda: defaultdict(lambda: defaultdict(lambda: None)))
arch_list = ["Arm64", "X64", "X86"]
def assign(archs:List, api:str, type_name:str, type):
    global types
    if len(archs) > 0:
        for arch in type["Architectures"]:
            types[arch][api][type_name] = type
    else:
        for arch in arch_list:
            types[arch][api][type_name] = type

def composite_type(type, prefix):
    for nested_type in type["NestedTypes"]:
        new_prefix = f"{prefix}{nested_type['Name']}"
        assign(nested_type["Architectures"], name, new_prefix, nested_type)
        composite_type(nested_type, new_prefix + "::")


for name, obj in api_namespaces.items():
    for func in obj["Functions"]:
        dll = normalize_dll_name(func["DllImport"])
        if dll in normalize_apiset:
            dll = normalize_apiset[dll]
        if len(func["Architectures"]) > 0:
            for arch in func["Architectures"]:
                libs[arch][dll][name][func["Name"]] = func
        else:
            for arch in arch_list:
                libs[arch][dll][name][func["Name"]] = func

    for type in obj["Types"]:
        assign(type["Architectures"], name, type["Name"], type)
        if type["Kind"] in ("Struct", "Union"):
            composite_type(type, f"{type['Name']}::")

# Spot check expected types
assert "APPLICATION_RECOVERY_CALLBACK" in types['X86']['System.WindowsProgramming']
assert "PROCESS_HEAP_ENTRY" in types["X64"]["System.Memory"]
assert "PROCESS_HEAP_ENTRY::_Anonymous_e__Union" in types["X64"]["System.Memory"]
assert "PROCESS_HEAP_ENTRY::_Anonymous_e__Union::_Block_e__Struct" in types["X64"]["System.Memory"]
assert "PROCESS_HEAP_ENTRY::_Anonymous_e__Union::_Block_e__Struct::HANDLE" not in types["X64"]["System.Memory"]
assert "HANDLE" in types["X64"]["Foundation"]

# Verify that each type definition is reachable
def verify(api, arch, t, name):
    kind = t["Kind"]
    if kind in ("PointerTo", "Array", "LPArray"):
        verify(api, arch, t["Child"], name)
    elif kind == "ApiRef":
        try:
            types[arch][t["Api"]][t["Name"]]
        except KeyError:
            types[arch][t["Api"]][f"{name}::{t['Name']}"]
    elif kind in ("Struct", "Union"):
        for type in t["NestedTypes"]:
            verify(api, arch, type, f"{name}::{t['Name']}" if name is None else name)

for arch, apis in types.items():
    for api, type_dict in apis.items():
        for name, t in type_dict.items():
            verify(api, arch, t, name)
print("Success")

Success


## Discover common dependencies so they can go in the same file

In [20]:
def deps(types, t, prefix, seen, cur_api, nested=False) -> Set[Tuple[str, str]]:
    assert isinstance(t, dict)
    kind = t["Kind"]
    if kind == "Native":
        return set()
    elif t["Kind"] == "ApiRef":
        item = (t['Api'], prefix + t["Name"])
        result = set([item])
        if item not in seen:
            seen.add(item)
            if nested:
                result |= deps(types, [t['Api']][prefix + t["Name"]], prefix, seen, t['Api'])
        return result
    elif t["Kind"] == "NativeTypedef":
        return deps(types, t["Def"], prefix, seen, cur_api)
    elif t["Kind"] == "Array":
        return deps(types, t["Child"], prefix, seen, cur_api)
    elif t["Kind"] == "Enum":
        if t["Name"] == "IMAGE_SECTION_CHARACTERISTICS":
            print(prefix)
        return set([(cur_api, f"{prefix}{t['Name']}")])
    elif t["Kind"] in ("Struct", "Union"):
        result = set()
        for type in t["NestedTypes"]:
            result |= deps(types, type, prefix + f"{t['Name']}::", seen, cur_api, True)
        for field in t["Fields"]:
            result |= deps(types, field["Type"], "", seen, cur_api)
        return result
    elif t["Kind"] == "FunctionPointer":
        result = set()
        for field in t["Params"]:
            result |= deps(types, field["Type"], prefix, seen, cur_api)
        result |= deps(types, t["ReturnType"], prefix, seen, cur_api)
        return result
    elif t["Kind"] == "Com":
        result = set()
        for method in t["Methods"]:
            for param in method["Params"]:
                result |= deps(types, param["Type"], prefix, seen, cur_api)
            result |= deps(types, method["ReturnType"], prefix, seen, cur_api)
        return result
    elif t["Kind"] in ("LPArray", "PointerTo"):
        return deps(types, t["Child"], prefix, seen, cur_api)
    else:
        return set()

types_needed = defaultdict(lambda: {})
for arch, func_info in libs.items():
    for lib_name, func_list in func_info.items():
        types_needed[arch][lib_name] = []
        seen = set()
        for api, func_dict in func_list.items():
            for func_name, func in func_dict.items():
                for param in func["Params"]:
                    types_needed[arch][lib_name].extend(deps(types, param["Type"], "", seen, api))
                types_needed[arch][lib_name].extend(deps(types, func["ReturnType"], "", seen, api))

needed_by = defaultdict(lambda: defaultdict(lambda: set()))
for arch in arch_list:
    for name, t in types_needed[arch].items():
        for api, type_name in t:
            needed_by[arch][(api, type_name)].add(name)

most_common_types = defaultdict(lambda: set())
dependencies = defaultdict(lambda: set())
for arch in arch_list:
    for (api, type_name), names in needed_by[arch].items():
        if len(names) > 1:
            most_common_types[arch].add((api, type_name))
            dependencies[arch] |= deps(types["X64"], types["X64"][api][type_name], "", set(), api)

for arch in arch_list:
    print(arch)
    print(f"  {sum([len(t) for t in types[arch].values()])} - Count of all types")
    print(f"  {len(most_common_types[arch])}  - Count of types which appear in more than one library")
    print(f"  {len(dependencies[arch])} - Dependencies of these common types")
    most_common_types[arch] |= dependencies[arch]
    print(f"  {len(most_common_types[arch])} - Dependencies and common types")

for arch, total in zip(arch_list, [33559, 33560, 33550]):
    cur_total = sum([len(type) for type in types[arch].values()])
    assert cur_total == total, f"Total {arch} types not equal to {total} instead {cur_total}"
print("Success")

Arm64
  33559 - Count of all types
  271  - Count of types which appear in more than one library
  397 - Dependencies of these common types
  552 - Dependencies and common types
X64
  33560 - Count of all types
  271  - Count of types which appear in more than one library
  396 - Dependencies of these common types
  551 - Dependencies and common types
X86
  33550 - Count of all types
  270  - Count of types which appear in more than one library
  395 - Dependencies of these common types
  549 - Dependencies and common types
Success


## Now that we have the mappings we need... here's the method for adding types to a library

In [21]:
from typing import Dict
from binaryninja.architecture import Architecture
from binaryninja.platform import Platform
from binaryninja.typelibrary import TypeLibrary
from binaryninja.enums import StructureVariant, NamedTypeReferenceClass, TypeClass
from binaryninja.types import (Type, StructureBuilder, NamedTypeReferenceType, StructureMember, PointerType, StructureType, EnumerationType, FunctionType, EnumerationMember, EnumerationBuilder, QualifiedName, FunctionParameter, PointerBuilder)
from binaryninja.log import log_to_stdout
from binaryninja.enums import LogLevel
from typing import Optional, Set, List, DefaultDict, Tuple
from pathlib import Path
import json, codecs
from collections import defaultdict

lib_sets = {
    ("X64", "x86_64", Architecture["x86_64"], Platform["windows-x86_64"], "winX64common"),
    ("X86", "x86", Architecture["x86"], Platform["windows-x86"], "win32common"),
    ("Arm64", "aarch64", Architecture["aarch64"], Platform["windows-aarch64"], "winArm64common"),
}
def pointer_width(arch):
    assert arch in ("X86", "X64", "Arm64"), f"unknown arch {arch}"
    return 4 if arch == "X86" else 8

def get_ntr_type(type_info) -> NamedTypeReferenceClass:
    if type_info["Kind"] == "Struct":
        return NamedTypeReferenceClass.StructNamedTypeClass
    elif type_info["Kind"] == "Union":
        return NamedTypeReferenceClass.UnionNamedTypeClass
    elif type_info["Kind"] == "Enum":
        return NamedTypeReferenceClass.EnumNamedTypeClass
    else:
        return NamedTypeReferenceClass.TypedefNamedTypeClass

def type_size(t, arch_name, nested_sizes={}) -> int:
    kind = t["Kind"]
    if kind == "Native":
        name = t["Name"]
        if name in ("Byte", "SByte", "Char"):
            return 1
        elif name in ("UInt16", "Int16"):
            return 2
        elif name in ("UInt32", "Int32", "Single", "Boolean"):
            return 4
        elif name in ("UInt64", "Int64", "Double"):
            return 8
        elif name in ("UIntPtr", "IntPtr"):
            return pointer_width(arch_name)
        elif name == "Void":
            assert False, "Attempting to get size of void"
            return 0
        elif name == "Guid":
            return 16
    elif kind == "ApiRef":
        name = t["Name"]
        if name in nested_sizes:
            return nested_sizes[name]
        type = types[arch_name][t["Api"]][name]
        assert type is not None, f"{arch_name, t['Api'], name} returned None"
        return type_size(type, arch_name, nested_sizes)
    elif kind == "NativeTypedef":
        return type_size(t["Def"], arch_name, nested_sizes)
    elif kind in ("PointerTo", "FunctionPointer", "LPArray"):
        return pointer_width(arch_name)
    elif kind == "Struct":
        new_nested_sizes = {}
        for nested_type in t["NestedTypes"]:
            new_nested_sizes[nested_type["Name"]] = type_size(nested_type, arch_name, nested_sizes)
        offset = 0
        for field in t["Fields"]:
            offset += type_size(field["Type"], arch_name, new_nested_sizes)
            if t["PackingSize"] != 0 and offset % t["PackingSize"] != 0:
                offset += t["PackingSize"] - (offset & (t["PackingSize"] - 1))
        return offset
    elif kind == "Union":
        new_nested_sizes = {}
        for nested_type in t["NestedTypes"]:
            new_nested_sizes[nested_type["Name"]] = type_size(nested_type, arch_name, nested_sizes)
        return max([type_size(field["Type"], arch_name, new_nested_sizes) for field in t["Fields"]])
    elif kind == "Enum":
        if t["IntegerBase"] is None:
            return 4
        x = {"Kind":"Native", "Name":t["IntegerBase"]}
        return type_size(x, arch_name, nested_sizes)
    elif kind == "Array":
        if t["Shape"]:
            return int(t["Shape"]["Size"]) * type_size(t["Child"], arch_name, nested_sizes)
        else:
            return pointer_width(arch_name)
    elif kind == "Com":
        return pointer_width(arch)
    else:
        assert False, f"Gettings size of {t['Kind']}"

defined_types:DefaultDict[str, DefaultDict[str, DefaultDict[str, Type]]] = defaultdict(lambda: defaultdict(lambda: defaultdict(lambda: None)))
def add_to_type_library(typelib:TypeLibrary, arch_name:str, api_name:str, type_name:Optional[QualifiedName], t, seen:Dict[Tuple[str, str, str], Type], dependent:Optional[TypeLibrary] = None, nested_types = None, lib_name:str = None) -> Optional[Type]:
    kind = t["Kind"]
    if kind == "Native":
        name = t["Name"]
        type = defined_types[arch_name][api_name][name]
        if type is not None:
            return type
        if name == "Byte":
            return Type.int(1, sign=False)
        elif name == "SByte":
            return Type.int(1)
        elif name == "Char":
            return Type.char()
        elif name == "UInt16":
            return Type.int(2, sign=False)
        elif name == "Int16":
            return Type.int(2)
        elif name == "Int64":
            return Type.int(8)
        elif name == "UInt32":
            return Type.int(4, sign=False)
        elif name == "UInt64":
            return Type.int(8, sign=False)
        elif name == "Int32":
            return Type.int(4)
        elif name == "Single":
            return Type.float(4)
        elif name == "Double":
            return Type.float(8)
        elif name == "UIntPtr":
            # TODO: Ensure integer width is correct
            return Type.pointer_of_width(pointer_width(arch_name), Type.int(pointer_width(arch_name), sign=False))
        elif name == "IntPtr":
            # TODO: Ensure integer width is correct
            return Type.pointer_of_width(pointer_width(arch_name), Type.int(pointer_width(arch_name), sign=True))
        elif name == "Void":
            return Type.void()
        elif name == "Boolean":
            return Type.bool()
        elif name == "Guid":
            # it doesn't exist in the platform so create it
            result = Type.structure([
                (Type.int(4, False), "Data1"),
                (Type.int(2, False), "Data2"),
                (Type.int(2, False), "Data3"),
                (Type.array(Type.int(1, False), 8), "Data4")
                ])
            if typelib.name in ("winX64common", "win32common", "winArm64common"):
                typelib.add_named_type(QualifiedName("GUID"), result)
            return NamedTypeReferenceType.create(NamedTypeReferenceClass.StructNamedTypeClass, f"common::GUID", QualifiedName("GUID"), width=len(result))
        else:
            assert False, f"Unhandled Native Type: {name}"
    elif kind == "ApiRef":
        name = t["Name"]
        api = t["Api"]
        if dependent is not None and dependent.get_named_type(name) is not None:
            result = dependent.get_named_type(name)
            dep_name = dependent.name
            assert dep_name is not None and result is not None
            if not isinstance(result, NamedTypeReferenceType):
                if isinstance(result, StructureType):
                    if result.type == StructureVariant.UnionStructureType:
                        ntr_type = NamedTypeReferenceClass.UnionNamedTypeClass
                    else:
                        ntr_type = NamedTypeReferenceClass.StructNamedTypeClass
                elif isinstance(result, EnumerationType):
                    ntr_type = NamedTypeReferenceClass.EnumNamedTypeClass
                else:
                    ntr_type = NamedTypeReferenceClass.TypedefNamedTypeClass
                result = NamedTypeReferenceType.create(ntr_type, f"{dep_name}::{name}", name, width=len(result), alignment=result.alignment)
                assert result is not None
            return result

        if nested_types is not None:
            for nested_type in nested_types:
                if name == nested_type["Name"]:
                    seen[(arch_name, api, name)] = None
                    result = add_to_type_library(typelib, arch_name, api_name, name, nested_type, seen, dependent, nested_types, lib_name)
                    assert result is not None
                    seen[(arch_name, api, name)] = result
                    return result

        if (arch_name, api, name) in seen:
            # we have a recursively defined type
            type = seen[(arch_name, api, name)]
            if type is not None:
                return type
            new_type_info = types[arch_name][api][name]
            assert new_type_info is not None
            result = Type.named_type_reference(get_ntr_type(new_type_info), name, f"{api}::{name}")
            # result = NamedTypeReferenceType.create(get_ntr_type(new_type_info), f"{api}::{name}", name, width=len(new_type), alignment=new_type.alignment)
            assert result is not None
            return result

        new_type_info = types[arch_name][api][name]
        assert new_type_info is not None, f"{arch_name, api, name} returned None"
        seen[(arch_name, api, name)] = None
        new_type = add_to_type_library(typelib, arch_name, api, name, new_type_info, seen, dependent, nested_types, lib_name)
        assert new_type is not None
        if not isinstance(new_type, NamedTypeReferenceType):
            typelib.add_named_type(name, new_type)
            new_type = NamedTypeReferenceType.create(get_ntr_type(t), f"{api_name}::{name}", name, width=len(new_type), alignment=new_type.alignment)
            assert new_type is not None
        seen[(arch_name, api, name)] = new_type
        return new_type
    elif kind == "NativeTypedef":
        name = t["Name"]
        if dependent is not None and dependent.get_named_type(name) is not None:
            result = dependent.get_named_type(name)
            assert result is not None
            if not isinstance(result, NamedTypeReferenceType):
                result = NamedTypeReferenceType.create(get_ntr_type(t["Def"]), f"{dependent.name}::{name}", name, width=len(result), alignment=result.alignment)
                assert result is not None
                if name == "FARPROC": # This is a hack to deal with confidence of function pointers
                    result = result.with_confidence(0)
            return result
        new_type = add_to_type_library(typelib, arch_name, api_name, None, t["Def"], seen, dependent, nested_types, lib_name)
        seen[(arch_name, api_name, name)] = None
        assert new_type is not None
        typelib.add_named_type(name, new_type)
        new_type = NamedTypeReferenceType.create(get_ntr_type(t["Def"]), f"{api_name}::{name}", name, width=len(new_type), alignment=new_type.alignment)
        if name == "FARPROC": # This is a hack to deal with confidence of function pointers
            new_type = new_type.with_confidence(0)
        assert new_type is not None
        seen[(arch_name, api_name, name)] = new_type
        return new_type
    elif kind == "Array":
        child = t["Child"]
        if t["Shape"]:
            child = add_to_type_library(typelib, arch_name, api_name, None, t["Child"], seen, dependent, nested_types, lib_name)
            assert child is not None
            return Type.array(child, int(t["Shape"]["Size"]))
        else:
            child = add_to_type_library(typelib, arch_name, api_name, None, t["Child"], seen, dependent, nested_types, lib_name)
            assert child is not None
            return Type.pointer_of_width(pointer_width(arch_name), child)
    elif kind == "Enum":
        name = t["Name"]
        members = [EnumerationMember(str(member["Name"]), int(member["Value"])) for member in t["Values"]]
        result = EnumerationType.create(members, width=type_size(t, arch_name))
        assert result is not None
        seen[(arch_name, api_name, name)] = result
        typelib.add_named_type(name, result)
        new_type = NamedTypeReferenceType.create(get_ntr_type(t), f"{api_name}::{name}", name, width=len(result), alignment=result.alignment)
        assert new_type is not None
        return new_type
    elif kind in ("Struct", "Union"):
        name = t["Name"]
        members = []
        packing_size = t["PackingSize"]

        for field in t["Fields"]:
            type = add_to_type_library(typelib, arch_name, api_name, None, field["Type"], seen, dependent, t["NestedTypes"], lib_name)
            assert type is not None, f"returned none: {arch_name} {api_name}, {field['Type']}"
            members.append((type, "" if field["Name"] == "Anonymous" else field["Name"]))

        result = Type.structure(members, packed=packing_size != 0, type=StructureVariant.UnionStructureType if kind == "Union" else StructureVariant.StructStructureType)
        assert result is not None
        if not name.startswith("_Anonymous"):
            typelib.add_named_type(name, result)
            result = NamedTypeReferenceType.create(get_ntr_type(t), f"{api_name}::{name}", name, width=len(result), alignment=result.alignment)
            assert result is not None
        return result
    elif kind == "FunctionPointer":
        name = t["Name"]
        params = []
        for param in t["Params"]:
            type = add_to_type_library(typelib, arch_name, api_name, None, param["Type"], seen, dependent, nested_types, lib_name)
            params.append((param["Name"], type))
        return_type = add_to_type_library(typelib, arch_name, api_name, None, t["ReturnType"], seen, dependent, nested_types, lib_name)
        target = FunctionType.create(return_type, params)
        result = Type.pointer_of_width(pointer_width(arch_name), target.with_confidence(0))
        assert result is not None
        typelib.add_named_type(name, result)
        new_type = NamedTypeReferenceType.create(get_ntr_type(t), f"{api_name}::{name}", name, width=len(result), alignment=result.alignment)
        assert new_type is not None
        return new_type
    elif kind == "Com":
        members = []
        name = t["Name"]
        width = pointer_width(arch_name) * len(t["Methods"])
        ntr =  NamedTypeReferenceType.create(get_ntr_type(t), f"{api_name}::{name}", name, width=width, alignment=pointer_width(arch_name))
        # if name != "IUnknown":
        #     members.append((ntr, "this"))
        for method in t["Methods"]:
            params = []
            params.append(FunctionParameter(ntr, "this"))
            for param in method["Params"]:
                param_type = add_to_type_library(typelib, arch_name, api_name, None, param["Type"], seen, dependent, nested_types, lib_name)
                assert param_type is not None
                params.append(FunctionParameter(param_type, param["Name"]))
            return_type = add_to_type_library(typelib, arch_name, api_name, None, method["ReturnType"], seen, dependent, nested_types, lib_name)
            assert return_type is not None
            func = FunctionType.create(return_type, params)
            members.append((Type.pointer_of_width(pointer_width(arch_name), func), method["Name"]))

        result = StructureType.create(members)
        assert result is not None
        typelib.add_named_type(QualifiedName(f"_{name}"), result)
        result = ntr
        assert result is not None
        result = Type.pointer_of_width(pointer_width(arch_name), result)
        typelib.add_named_type(name, result)
        assert result is not None
        return result
    elif kind in ("LPArray", "PointerTo"):
        new_type = add_to_type_library(typelib, arch_name, api_name, None, t["Child"], seen, dependent, nested_types, lib_name)
        assert new_type is not None, t["Child"]
        result = Type.pointer_of_width(pointer_width(arch_name), new_type.with_confidence(0))
        assert result is not None
        return result
    elif kind == "ComClassID":
        return Type.void() # TODO: What is this really?
    elif kind == "MissingClrType":
        return Type.void()
    else:
        print(f"Found unknown type kind: {t['Kind']}")


# for arch, total in zip(arch_list, [828, 829, 827]):
#     cur_total = len(win_common[arch].named_types)
#     assert cur_total == total, f"Total for {arch} doesn't match {total} instead {cur_total}"
#     assert not any([str(name).startswith('_Anonymous') for name in win_common["X64"].named_types.keys()])
# assert win_common["X64"].get_named_type("BSTR").type_class == TypeClass.PointerTypeClass
print("Success")



Success


## APISet mappings

## Handle Kernelbase Exports

KernelBase is _special_ and just exports things it imports from other libraries. The original data doesn't have those mapped properly so we come up with that mapping here...

In [22]:
kernel_base_exports = ['UrlHashW', 'UrlHashA', 'SystemTimeToTzSpecificLocalTimeEx', 'GetSecureSystemAppDataFolder', 'StrRChrIW', 'InternetTimeToSystemTimeW', 'InternetTimeToSystemTimeA', 'EnumDynamicTimeZoneInformation', 'SHRegQueryUSValueA', 'GetNumberFormatW', 'WerRegisterCustomMetadata', 'lstrcmpA', 'lstrcmp', 'VirtualUnlockEx', 'AreAllAccessesGranted', 'StrToIntA', 'AppPolicyGetLifecycleManagement', 'InternetTimeFromSystemTimeW', 'InternetTimeFromSystemTimeA', 'PathRelativePathToW', 'UrlGetLocationW', 'DefineDosDeviceW', 'AllocConsole', 'IsMrtResourceRedirectionEnabled', 'IsInternetESCEnabled', 'CallNamedPipeW', 'PathIsSameRootW', 'PcwEnumerateInstances', 'GetPackagePropertyString', 'GetPackageProperty', 'GetCurrentPackageContext', 'NlsCheckPolicy', 'CheckGroupPolicyEnabled', 'PsmGetDynamicIdFromKey', 'QueryProcessCycleTime', '_AddMUIStringToCache', 'CreatePrivateObjectSecurity', 'HashData', 'GetProcAddressForCaller', 'CreateFiber', 'CreateFiberEx', 'GetSystemWow64DirectoryW', 'GetSystemWow64Directory2W', 'GetWindowsDirectoryW', 'GetSystemWindowsDirectoryW', 'CreateProcessAsUserW', 'Wow64SetThreadDefaultGuestMachine', 'PathSearchAndQualifyW', 'StrPBrkW', 'SearchPathW', 'CreateProcessW', 'CreateProcessA', 'CreateProcessInternalA', 'GetFullPathNameW', 'IsProcessInJob', 'CreateProcessInternalW', 'GetSystemAppDataFolder', 'GetAppDataFolder', 'RegLoadAppKeyW', 'GetPackageFamilyNameFromToken', 'GetDynamicTimeZoneInformationEffectiveYears', 'GetSystemDefaultLangID', 'GetCurrentConsoleFontEx', 'GetSystemDefaultLCID', 'CreateAppContainerToken', 'GetConsoleWindow', 'GetConsoleCP', 'GetAppContainerNamedObjectPath', 'SetConsoleCursorPosition', 'GetTimeZoneInformationForYear', 'TzSpecificLocalTimeToSystemTime', 'PeekConsoleInputW', 'SetConsoleTextAttribute', 'GetConsoleScreenBufferInfo', 'GetConsoleScreenBufferInfoEx', 'GetConsoleTitleW', 'SetConsoleMode', 'WriteConsoleW', 'GetFileVersionInfoW', 'QueryStateAtomValueInfo', 'GetTimeZoneInformation', 'GetUserDefaultUILanguage', 'SystemTimeToTzSpecificLocalTime', 'GetLocalTime', 'FileTimeToLocalFileTime', 'IsTimeZoneRedirectionEnabled', 'GetLongPathNameW', 'RegLoadMUIStringW', 'ReadStateAtomValue', 'LoadStringW', 'LoadStringBaseExW', 'GetSystemMetadataPathForPackage', 'SHLoadIndirectString', 'SHLoadIndirectStringInternal', 'LoadStringByReference', 'FreeLibrary', '_OpenMuiStringCache', 'QueryStateContainerItemInfo', 'ReadStateContainerValue', 'GetFileVersionInfoExW', 'GetFileVersionInfoSizeExW', 'PathFileExistsW', 'GetShortPathNameW', 'SetErrorMode', 'GetErrorMode', 'FindClose', 'CreateStateSubcontainer', 'QueryStateContainerCreatedNew', 'SetThreadPreferredUILanguages', 'SetThreadPreferredUILanguages2', 'NlsIsUserDefaultLocale', 'GetCalendar', 'EnumCalendarInfoExEx', 'Internal_EnumCalendarInfo', 'CloseStateContainer', 'IsValidLocaleName', 'LCIDToLocaleName', 'Internal_EnumSystemLocales', 'GetLocaleInfoA', 'ResolveLocaleName', 'GetConsoleOutputCP', 'SetThreadUILanguage', 'FindStringOrdinal', 'GetThreadUILanguage', 'StrChrIA', 'IsDBCSLeadByte', 'lstrcmpiA', 'lstrcmpi', 'GetNamedLocaleHashNode', 'CharUpperBuffW', 'GetCalendarInfoEx', 'CharLowerBuffW', 'CharLowerA', 'CharUpperW', 'CharLowerW', 'LCMapStringW', 'LCMapStringEx', 'GetLocaleInfoW', 'CompareStringA', 'MultiByteToWideChar', 'GetLocaleInfoEx', 'GetLocaleInfoHelper', 'GetUserDefaultLCID', 'WaitForSingleObject', 'WaitForSingleObjectEx', 'StrCmpNW', 'lstrcmpW', 'StrCmpW', 'lstrcmpiW', 'StrStrIW', 'CompareStringW', 'GetStringTypeExW', 'NlsValidateLocale', 'GetUserOverrideString', 'UrlIsW', 'ParseURLW', 'lstrlenW', 'StrCmpNIW', 'StrCmpNCW', 'StrCmpIW', 'StrCSpnW', 'StrChrW', 'CompareStringEx', 'PathIsURLW', 'StrStrW', 'StrDupW', 'SHRegOpenUSKeyW', 'PathAllocCombine', 'FormatMessageW', 'IsTokenRestricted', 'LocalFree', 'LocalAlloc', 'GetComputerNameExW', 'PathCchCanonicalizeEx', 'PathCchAppendEx', 'PathCchCombineEx', 'RegSetKeyValueW', 'GetDriveTypeW', 'GetKernelObjectSecurity', 'CreateFileA', 'CreateFileW', 'CloseHandle', 'WriteFile', 'GetEnvironmentVariableW', 'GetTokenInformation', 'LoadLibraryExW', 'ReadFile', 'DeviceIoControl', 'GetOverlappedResult', 'OpenThreadToken', 'RegSetValueExW', 'RegCreateKeyExW', 'RegCreateKeyExInternalW', 'GetFileAttributesW', 'OpenProcess', 'SetWaitableTimer', 'QueryDosDeviceW', 'RegQueryInfoKeyW', 'RegQueryValueExA', 'GetFileAttributesExW', 'RegEnumKeyExW', 'RegEnumValueW', 'RegGetValueW', 'RegOpenKeyExW', 'RegOpenKeyExInternalW', 'RegQueryValueExW', 'MapPredefinedHandleInternal', 'RegCloseKey', 'RegOpenKeyExInternalA', 'RegOpenKeyExA', 'FindFirstFileExW', 'FindFirstFileW', 'OpenEventW', 'OpenFileMappingW', 'BaseFormatObjectAttributes', 'BaseGetNamedObjectDirectory', 'DeleteFileW', 'DeleteFileA', 'CreateFileMappingNumaW', 'OpenThread', 'RegEnumKeyExA', 'CLOSE_LOCAL_HANDLE_INTERNAL', 'CreateFileMappingW', 'CreateMutexW', 'CreateMutexExW', 'RegNotifyChangeKeyValue', 'CreateEventExW', 'GetModuleHandleA', 'GetModuleHandleW', 'ProcessIdToSessionId', 'GetDiskFreeSpaceW', 'CreateDirectoryW', 'LoadLibraryExA', 'CreateWaitableTimerExW', 'OpenGlobalizationUserSettingsKey', 'OutputDebugStringA', 'ReleaseMutex', 'GetNativeSystemInfo', 'GetSystemInfo', 'GetLastError', 'RaiseException', 'GetFileAttributesA', 'OutputDebugStringW', 'RegDeleteValueW', 'CreateRemoteThreadEx', '_GetMUIStringFromCache', 'UrlCanonicalizeW', 'StrCmpCW', 'GetStagedPackagePathByFullName2', 'GetUserGeoID', 'CopySid', 'GetStagedPackageOrigin', 'GetApplicationUserModelIdFromToken', 'GetPackageFamilyName', 'GetCurrentProcess', 'OpenProcessToken', 'OpenStateExplicit', 'OpenPackageInfoByFullNameForUser', 'GetStateFolder', 'CreateStateContainer', 'GetPackageStatus', 'ClosePackageInfo', 'IsDeveloperModeEnabled', 'GetUserDefaultLocaleName', 'CompareStringOrdinal', 'AppContainerDeriveSidFromMoniker', 'EnumUILanguagesW', 'Internal_EnumUILanguages', 'GetProcAddress', 'AppXGetPackageSid', 'AppXFreeMemory', 'AppContainerFreeMemory', 'IsDebuggerPresent', 'GetCurrentThreadId', 'AppContainerLookupMoniker', 'GetExtensionProgIds', 'GetCPFileNameFromRegistry', 'WideCharToMultiByte', 'StrChrA', 'GetFinalPathNameByHandleW', 'IsValidCodePage', 'StrStrIA', 'PathFindFileNameA', 'StrRChrA', 'CharNextA', 'StrCmpNIA', 'StrStrA', 'StrChrA_MB', 'StrDupA', 'lstrlenA', 'lstrlen', 'IsDBCSLeadByteEx', 'GetCPInfo', 'GetCPHashNode', 'GetVolumePathNamesForVolumeNameW', 'GetSystemDirectoryW', 'GetSerializedAtomBytes', 'OpenStateAtom', 'GetProcessHeap', 'FindFirstVolumeW', 'FindNextVolumeW', 'ExtensionProgIdExists', 'GetPhysicallyInstalledSystemMemory', 'EnumerateStateContainerItems', 'EnumerateStateAtomValues', 'InitOnceBeginInitialize', 'GlobalMemoryStatusEx', 'GetCPInfoExW', 'EnumResourceNamesExW', 'VerLanguageNameW', 'GetStringTableEntry', 'LoadResource', 'FindResourceW', 'FindResourceExW', 'BaseDllMapResourceIdW', 'SizeofResource', 'BaseDllFreeResourceId', 'InitOnceComplete', 'atexit', '_onexit', '__dllonexit3', 'GetSystemFirmwareTable', 'VerLanguageNameA', 'Sleep', 'SleepEx', 'FlsSetValue', 'StrCmpICA', 'QISearch', 'GetTickCount', 'FlsGetValue', 'FindNextFileA', 'FindNextFileW', 'UrlApplySchemeW', 'SHRegGetUSValueA', 'SHRegOpenUSKeyA', 'SHRegGetBoolUSValueW', 'StrCmpICW', 'SHRegGetUSValueW', 'SHRegCloseUSKey', 'SHRegQueryUSValueW', 'PathCchRemoveBackslash', 'PathSkipRootW', 'IsCharAlphaW', 'PathStripToRootW', 'PathRemoveBackslashW', 'CharPrevW', 'GetStringTypeW', 'PathIsRootW', 'PathCchStripToRoot', 'PathRemoveFileSpecW', 'PathCchRemoveFileSpec', 'PathCchRemoveBackslashEx', 'PathIsUNCServerW', 'PathIsUNCServerShareW', 'PathCchIsRoot', 'PathCchSkipRoot', 'PathIsUNCEx', 'UrlEscapeW', 'UrlCreateFromPathW', 'UrlGetPartW', 'UrlUnescapeW', 'PathCreateFromUrlW', 'PathIsUNCW', 'WaitForMultipleObjects', 'WaitForMultipleObjectsEx', 'FindNLSStringEx', 'PathFindExtensionW', 'GetTickCount64', 'MoveFileWithProgressW', 'MoveFileExW', 'MoveFileWithProgressTransactedW', 'CopyFile2', 'ReplaceFileW', 'ReplaceFileExInternal', 'BasepNotifyTrackingService', 'DuplicateStateContainerHandle', 'DuplicateHandle', 'CopyFileW', 'GetSecurityDescriptorControl', 'SetFilePointer', 'CopyFileExW', 'GetFileInformationByHandleEx', 'BasepCopyFileExW', 'KernelbasePostInit', 'CreateEventA', 'GetOverlappedResultEx', 'BasepCopyFileCallback', 'TlsSetValue', 'GetEnvironmentStringsW', 'FileTimeToSystemTime', 'InitOnceExecuteOnce', 'StrChrNW', 'GlobalFree', 'GlobalAlloc', 'SharedLocalIsEnabled', 'GetPackageId', 'AppXPreCreationExtension', 'EqualSid', 'WerRegisterRuntimeExceptionModule', 'WerUnregisterFile', 'WerRegisterFile', 'AppXGetPackageCapabilities', 'GetEffectivePackageStatusForUser', 'GetPackageStatusForUser', 'GetSidSubAuthority', 'GetPackageFullName', 'GetFileInformationByHandle', 'GetPackageVolumeSisPath', 'GetVolumeInformationW', 'GetVolumeInformationByHandleW', 'GetStagedPackagePathByFullName', 'OpenState', 'GetPackageInfo', 'GetPackageInfo3', 'GetCurrentPackageInfo2', 'GetCurrentPackageFullName', 'GetCurrentPackageInfo', 'GetCurrentPackageInfo3', 'GetCurrentPackageFamilyName', 'SetCurrentDirectoryW', 'EnumSystemGeoID', 'K32GetModuleBaseNameW', 'GetModuleBaseNameW', 'K32GetModuleInformation', 'GetModuleInformation', 'K32GetModuleFileNameExW', 'GetModuleFileNameExW', 'GetSystemTimeAsFileTime', 'GetCurrentProcessId', 'StrCmpNICA', 'MulDiv', 'PathFindFileNameW', 'VirtualAlloc', 'StrCmpNICW', 'GetQueuedCompletionStatus', 'ReadProcessMemory', 'RegGetValueA', 'SHExpandEnvironmentStringsW', 'ExpandEnvironmentStringsW', 'GetModuleHandleExW', 'IsCharSpaceW', 'SetEvent', 'GetFileType', 'SetThreadLocale', 'CreateEventW', 'CharNextW', 'PsmGetApplicationNameFromKey', 'PsmGetPackageFullNameFromKey', 'StrTrimW', 'GetSystemTime', 'BasepAdjustObjectAttributesForPrivateNamespace', 'GetModuleFileNameA', 'GetModuleFileNameW', 'GetConsoleMode', 'VirtualFree', 'K32EnumProcessModules', 'EnumProcessModules', 'PathParseIconLocationW', 'PathRemoveBlanksW', 'PathUnquoteSpacesW', 'StrToIntW', 'SetThreadInformation', 'ResetWriteWatch', 'SystemTimeToFileTime', 'ResetEvent', 'IsApiSetImplemented', 'FlushInstructionCache', 'GetStringScripts', 'SetThreadToken', 'GetThreadInformation', 'QueryThreadCycleTime', 'K32GetDeviceDriverBaseNameW', 'GetDeviceDriverBaseNameW', 'K32GetDeviceDriverBaseNameA', 'GetDeviceDriverBaseNameA', 'LockFileEx', 'InitializeCriticalSectionEx', 'SetFilePointerEx', 'PathCchFindExtension', 'FindActCtxSectionGuid', 'GetSystemTimePreciseAsFileTime', 'GetLengthSid', 'SetWaitableTimerEx', 'MapViewOfFileEx', 'MapViewOfFile', 'MapViewOfFileExNuma', 'PathIsValidCharW', 'SetThreadPriority', 'GetThreadTimes', 'VirtualProtect', 'AllocateAndInitializeSid', 'GetProcessTimes', 'SetThreadErrorMode', 'LocalReAlloc', 'CheckTokenMembership', 'RegCreateKeyExA', 'RegCreateKeyExInternalA', 'RegSetKeySecurity', 'RegGetKeySecurity', 'SwitchToThread', 'RevertToSelf', 'SetEnvironmentStringsW', 'GetWriteWatch', 'UnlockFile', 'UnlockFileEx', 'QuirkIsEnabled', 'SetEndOfFile', 'GetFileSize', 'CreateSemaphoreW', 'CreateSemaphoreExW', 'ExpandEnvironmentStringsA', 'QueryFullProcessImageNameW', 'VirtualQuery', 'PackageFamilyNameFromFullName', 'AccessCheckByType', 'AccessCheck', 'GetProcessMitigationPolicy', 'ReleaseSemaphore', 'MapViewOfFileNuma2', 'ConvertThreadToFiber', 'QuirkIsEnabled3', 'InitializeCriticalSectionAndSpinCount', 'CompareFileTime', 'PathIsPrefixW', 'PathCommonPrefixW', 'StrIsIntlEqualW', 'IsValidSid', 'GetSecurityDescriptorDacl', 'PathIsRelativeW', 'PathGetDriveNumberW', 'UnmapViewOfFile', 'GetThreadPriority', 'GetNumberFormatEx', 'GetPersistedRegistryLocationW', 'GetVersionExA', 'GetVersionExW', 'PathIsFileSpecW', 'GetThreadLocale', 'ImpersonateLoggedOnUser', 'UnmapViewOfFileEx', 'UnmapViewOfFile2', 'GetPersistedRegistryValueW', 'SetConsoleInputExeNameW', 'DuplicateToken', 'DuplicateTokenEx', 'SetProcessValidCallTargets', 'GetEnvironmentStringsA', 'GetEnvironmentStrings', 'LocaleNameToLCID', 'EnumDateFormatsExEx', 'Internal_EnumDateFormats', 'EnumTimeFormatsEx', 'Internal_EnumTimeFormats', 'GetUserOverrideWord', 'PsmIsValidKey', 'SetUnhandledExceptionFilter', 'VirtualQueryEx', 'PostQueuedCompletionStatus', 'ImpersonateNamedPipeClient', 'GetGeoInfoW', 'LockResource', 'SwitchToFiber', 'UrlUnescapeA', 'AccessCheckAndAuditAlarmW', 'CancelWaitableTimer', 'PathGetCharTypeW', 'ResolveDelayLoadedAPI', 'FreeSid', 'TrySubmitThreadpoolCallback', 'GetEnvironmentVariableA', 'GetFileSecurityW', 'QuerySecurityAccessMask', 'ConvertFiberToThread', 'GetSystemTimes', 'GetAppContainerAce', 'GetAce', 'IsValidAcl', 'LocalUnlock', 'LocalLock', 'GetStdHandle', 'StrRChrW', 'CreateThreadpoolWork', 'SetEnvironmentVariableW', 'SetProcessInformation', 'RegDeleteKeyExW', 'RegDeleteTreeW', 'RegDeleteKeyExInternalW', 'DeleteFiber', 'TlsAlloc', 'SleepConditionVariableCS', 'WaitOnAddress', 'SleepConditionVariableSRW', 'SetThreadDescription', 'GetSidSubAuthorityCount', 'TlsFree', 'RegOpenUserClassesRoot', 'K32EnumDeviceDrivers', 'EnumDeviceDrivers', 'CreateThreadpoolIo', 'GetFileSizeEx', 'GetFullPathNameA', 'OpenSemaphoreW', 'PathAddBackslashW', 'PathCchAddBackslash', 'PathCchAddBackslashEx', 'VirtualUnlock', 'GetStartupInfoW', 'PsmGetKeyFromProcess', 'PsmCreateKeyWithDynamicId', 'PsmCreateKey', 'PsmGetKeyFromToken', 'GetTempPathW', 'NlsGetCacheUpdateCount', 'MakeAbsoluteSD', 'HeapValidate', 'CreateTimerQueueTimer', 'PathRemoveExtensionW', 'PathCchRemoveExtension', 'GetProcessId', 'DelayLoadFailureHook', 'HeapCreate', 'PulseEvent', 'SHCoCreateInstance', 'GetDateFormatEx', 'GetDateFormatW', 'CharUpperA', 'CharUpperBuffA', 'SHRegEnumUSKeyW', 'SetHandleInformation', 'AddAce', 'KernelBaseGetGlobalData', 'GetAcceptLanguagesW', 'MakeSelfRelativeSD', 'IdnToAscii', 'GetThreadPreferredUILanguages', 'IsValidSecurityDescriptor', 'CreateThreadpoolTimer', 'GetSystemPreferredUILanguages', 'GetNamedPipeClientComputerNameW', 'GetNamedPipeAttribute', 'SetEnvironmentVariableA', 'SetThreadStackGuarantee', 'CloseState', 'SetStdHandle', 'DisableThreadLibraryCalls', 'DisconnectNamedPipe', 'CreateStateChangeNotification', 'GetSystemAppDataKey', 'RegisterWaitForSingleObjectEx', 'FreeEnvironmentStringsW', 'FreeEnvironmentStringsA', 'IsWow64Process', 'IsWow64Process2', 'WriteProcessMemory', 'UnregisterWaitEx', 'QueryActCtxSettingsW', '_initterm', 'DeleteStateAtomValue', 'WriteStateAtomValue', 'ConnectNamedPipe', 'StrChrIW', 'ChrCmpIW', 'GetDiskFreeSpaceExW', 'PathAllocCanonicalize', 'IsThreadAFiber', 'SetSecurityDescriptorDacl', 'RegDisablePredefinedCacheEx', 'DisablePredefinedHandleTableInternal', 'WriteFileEx', 'ReadFileEx', 'DeleteTimerQueueTimer', 'PrivilegeCheck', 'InitializeAcl', 'WriteStateContainerValue', 'AdjustTokenPrivileges', 'GetCurrentPackageResourcesContext', 'StrCmpNCA', 'GetSidIdentifierAuthority', 'CheckTokenCapability', 'SetConsoleCtrlHandler', 'InitializeSecurityDescriptor', 'SetNamedPipeHandleState', 'PathGetArgsW', 'ActivateActCtx', 'DeactivateActCtx', 'OpenFileById', 'PackageIdFromFullName', 'RegQueryInfoKeyA', 'CreatePipe', 'PathMatchSpecW', 'StrCmpLogicalW', 'GetSecurityDescriptorSacl', 'GetCurrentPackagePath', 'GetCurrentPackagePath2', 'FlushFileBuffers', 'CallbackMayRunLong', 'QueueUserAPC', 'FindFirstFileA', 'SHRegWriteUSValueW', 'FlsAlloc', 'GetACP', 'OpenEventA', 'CheckTokenMembershipEx', 'OpenPrivateNamespaceW', 'CreatePrivateNamespaceW', 'CreateThreadpoolWait', 'GetFileTime', 'GetAclInformation', 'K32GetProcessMemoryInfo', 'GetProcessMemoryInfo', 'AddAccessAllowedAce', 'VirtualProtectEx', 'GetHandleInformation', '_initterm_e', 'PathAppendW', 'UpdateProcThreadAttribute', 'GetPackageTargetPlatformProperty', 'CloseStateAtom', 'GetLogicalProcessorInformationEx', 'GetModuleHandleExA', 'VirtualAllocEx', 'VirtualAllocExNuma', 'SetFileInformationByHandle', 'CreateFile2', 'PathCchCombine', 'AddAccessAllowedAceEx', 'IsValidLocale', 'ReleaseActCtx', 'GetDynamicTimeZoneInformation', 'RegEnumValueA', 'GetProcessInformation', 'K32GetProcessImageFileNameW', 'GetProcessImageFileNameW', 'SetSecurityDescriptorOwner', 'QueueUserWorkItem', 'InitializeSid', 'GetVolumeNameForVolumeMountPointW', 'CreateMutexA', 'CreateMutexExA', 'GetSidLengthRequired', 'GetTimeFormatEx', 'GetTimeFormatW', 'HeapSetInformation', 'WTSGetServiceSessionId', 'GetCurrentPackageId', 'MapGenericMask', 'IsProcessorFeaturePresent', 'K32EnumProcesses', 'EnumProcesses', 'GetLogicalDrives', 'AppPolicyGetMediaFoundationCodecLoading', 'AppPolicyGetWindowingModel', 'AppPolicyGetThreadInitializationType', 'AppPolicyGetClrCompat', 'AppPolicyGetProcessTerminationMethod', 'GetExitCodeProcess', 'ImpersonateSelf', 'GetSecurityDescriptorLength', 'SetSecurityDescriptorGroup', 'WerRegisterMemoryBlock', 'HeapDestroy', 'RegKrnGetClassesEnumTableAddressInternal', 'PeekNamedPipe', 'GetVolumePathNameW', 'OpenMutexW', 'WaitNamedPipeW', 'TransactNamedPipe', 'CreateNamedPipeW', 'PathGetDriveNumberA', 'SHRegEnumUSValueW', 'AppXGetOSMaxVersionTested', 'GetCurrentActCtx', 'RemoveDirectoryW', 'InitializeProcThreadAttributeList', 'SetFileAttributesW', 'AddRefActCtx', 'ResumeThread', 'GetTempFileNameW', 'FreeLibraryAndExitThread', 'SHRegCreateUSKeyW', 'PathCchAppend', 'VerQueryValueW', 'NeedCurrentDirectoryForExePathW', 'GetCurrentApplicationUserModelId', 'GetApplicationUserModelId', 'GetExitCodeThread', 'GetPackagePathByFullName2', 'GetNLSVersion', 'GetNLSVersionEx', 'QueryActCtxW', 'PathCchCanonicalize', 'InternalLcidToName', 'ReadDirectoryChangesW', 'ReadDirectoryChangesExW', 'LoadLibraryA', 'OpenStateExplicitForUserSid', 'LockFile', 'GetStateRootFolder', 'lstrcpynW', 'CreateStateAtom', 'QueryInterruptTimePrecise', 'SetKernelObjectSecurity', 'GetUserPreferredUILanguages', 'GetCurrentDirectoryW', 'GetSystemDefaultUILanguage', 'IdnToUnicode', 'CreatePrivateObjectSecurityEx', 'QueryMemoryResourceNotification', 'GetTargetPlatformContext', 'GetSecurityDescriptorOwner', 'RegisterGPNotificationInternal', 'WTSIsServerContainer', 'CreateIoCompletionPort', 'GetFileVersionInfoSizeW', 'GetCommandLineW', 'PathCombineW', 'QueryProtectedPolicy', 'FlsFree', 'GetSecurityDescriptorGroup', 'LoadLibraryW', 'SetPriorityClass', 'K32GetPerformanceInfo', 'GetPerformanceInfo', 'GetSystemDirectoryA', 'GetEffectivePackageStatusForUserSid', 'GetPackageStatusForUserSid', 'GetPackageFullNameFromToken', 'QuirkIsEnabledForPackage3', 'CreateHardLinkW', 'SHRegQueryInfoUSKeyW', 'GetIsEdpEnabled', 'CreateThreadpoolCleanupGroup', 'ClosePrivateNamespace', 'GetProductInfo', 'GetSystemTimeAdjustment', 'UrlCombineW', 'AppXPostSuccessExtension', 'GetEnabledXStateFeatures', 'GetCommandLineA', 'StrToIntExW', 'StrToInt64ExW', 'AppXReleaseAppXContext', 'GetDriveTypeA', 'ParseApplicationUserModelId', 'SetSecurityDescriptorSacl', 'QueryWorkingSetEx', 'K32QueryWorkingSetEx', 'GetCurrentPackageApplicationResourcesContext', 'DestroyPrivateObjectSecurity', 'UnregisterGPNotificationInternal', 'CreateBoundaryDescriptorW', 'GetIsWdagEnabled', 'DeleteStateContainerValue', 'RegFlushKey', 'CancelIoEx', 'CreateMemoryResourceNotification', 'CreateActCtxW', 'SubscribeStateChangeNotification', 'DeleteAce', 'AddSIDToBoundaryDescriptor', 'FindActCtxSectionStringW', 'SubscribeWdagEnabledStateChange', 'SubscribeEdpEnabledStateChange', 'ObjectOpenAuditAlarmW', 'CharPrevA', 'GetCompressedFileSizeW', 'GetLogicalProcessorInformation', 'PathCchAddExtension', 'CreateThreadpool', 'GetOsSafeBootMode', 'GetFileMUIPath', 'CreateTimerQueue', 'SetProcessMitigationPolicy', 'TerminateProcess', 'GetPackageResourcesProperty', 'QuirkIsEnabledForPackage', 'ChangeTimerQueueTimer', 'GetNumaHighestNodeNumber', 'VerifyPackageFullName', 'SetProcessShutdownParameters', 'GetCurrentDirectoryA', 'GetVersion', 'GetProcessIdOfThread', 'PsmIsDynamicKey', 'CreateRestrictedToken', 'WerSetFlags', 'CouldMultiUserAppsBehaviorBePossibleForPackage', 'ImpersonateAnonymousToken', 'FindNextChangeNotification', 'OpenStateExplicitForUserSidString', 'FormatApplicationUserModelId', 'PathCchStripPrefix', 'GetThreadId', 'PathStripPathW', 'StrCmpCA', 'VirtualLock', 'SuspendThread', 'GetUnicodeStringToEightBitStringRoutine', 'FormatMessageA', '_amsg_exit', 'LoadAppInitDlls', 'DeleteProcThreadAttributeList', 'AdjustTokenGroups', 'GetStateRootFolderBase', 'RegDeleteKeyValueW', 'Wow64DisableWow64FsRedirection', 'SetTokenInformation', 'RegSetValueExA', 'GetPublisherRootFolder', 'FindFirstChangeNotificationW', 'SetSecurityDescriptorControl', 'GetFileVersionInfoSizeA', 'GetThreadContext', 'ObjectCloseAuditAlarmW', 'CreateEventExA', 'SetFileSecurityW', 'SetSecurityAccessMask', 'WriteFileGather', 'ConvertDefaultLocale', '__wgetmainargs', 'WerUnregisterMemoryBlock', 'AllocateLocallyUniqueId', 'PrefetchVirtualMemory', 'GetOEMCP', 'PackageFamilyNameFromId', 'CloseStateChangeNotification', 'SetFileTime', 'GetSystemDefaultLocaleName', 'GetPriorityClass', 'GetCurrentPackageGlobalizationContext', 'SetThreadpoolThreadMinimum', 'GetProcessorSystemCycleTime', 'CreateDirectoryA', 'VirtualFreeEx', 'UnsubscribeStateChangeNotification', 'SetConsoleTitleW', 'EqualPrefixSid', 'CancelIo', 'FindVolumeClose', 'OpenPackageInfoByFullName', 'RegDeleteValueA', 'CheckRemoteDebuggerPresent', 'RegKrnGetTermsrvRegistryExtensionFlags', 'DeleteBoundaryDescriptor', 'SetProtectedPolicy', 'ReadFileScatter', 'HeapUnlock', 'HeapLock', 'PathFindNextComponentW', 'SetFileApisToOEM', 'VerQueryValueA', 'WerUnregisterRuntimeExceptionModule', 'DeleteTimerQueueEx', 'LocalFileTimeToFileTime', 'GetPackageGlobalizationProperty', 'FlushViewOfFile', 'CreateWaitableTimerW', 'AreFileApisANSI', 'AddMandatoryAce', 'RegisterApplicationRestart', 'GetPackagePathByFullName', 'CharLowerBuffA', 'SpecialMBToWC', 'FreeResource', 'GetCurrentPackageApplicationContext', 'GetPackageApplicationPropertyString', 'GetPackageApplicationProperty', 'QuirkIsEnabledForPackage4', 'GetEightBitStringToUnicodeStringRoutine', 'BaseReadAppCompatDataForProcess', 'SetFileValidData', 'QuirkIsEnabledForProcess', 'UnsubscribeWdagEnabledStateChange', 'UnsubscribeEdpEnabledStateChange', 'EnumSystemLocalesEx', 'BaseIsAppcompatInfrastructureDisabled', 'BaseFreeAppCompatDataForProcess', 'GetSecurityDescriptorRMControl', 'SetProcessWorkingSetSizeEx', 'OpenRegKey', 'GetNumberOfConsoleInputEvents', 'GetPersistedFileLocationW', 'FlushConsoleInputBuffer', 'GetProcessWorkingSetSizeEx', 'GetAppliedGPOListInternalW', 'LeaveCriticalPolicySectionInternal', 'EnterCriticalPolicySectionInternal', 'SetSecurityDescriptorRMControl', 'ProductIdFromPackageFamilyName', 'PackageRelativeApplicationIdFromProductId', 'PackageIdFromProductId', 'PackageFullNameFromProductId', 'ApplicationUserModelIdFromProductId', 'GetIntegratedDisplaySize', 'GetUserDefaultLangID', 'IsEnclaveTypeSupported', 'SetProcessPriorityBoost', 'UrlIsNoHistoryW', 'FindCloseChangeNotification', 'VerifyApplicationUserModelId', 'GetPackagesByPackageFamily', 'GetSharedLocalFolder', 'FindPackagesByPackageFamily', 'RegOpenCurrentUser', 'PcwCreateQuery', 'PcwSetQueryItemUserData', 'PcwAddQueryItem', 'PcwCollectData', 'CreateWellKnownSid', 'IsWellKnownSid', 'RegLoadMUIStringA', 'WerpNotifyUseStringResource', 'WerpNotifyLoadStringResource', 'AppXUpdatePackageCapabilities', 'AppXGetOSMinVersion', 'RemoveExtensionProgIds', 'RemovePackageFromFamilyXref', 'AddPackageToFamilyXref', 'VerifyPackagePublisher', 'RegCopyTreeW', 'SetProtocolProperty', 'SetExtensionProperty', 'AddExtensionProgId', 'GetExtensionProperty', 'EnumerateExtensionNames', 'UpdatePackageStatusForUserSid', 'IncrementPackageStatusVersion', 'PackageNameAndPublisherIdFromFamilyName', 'IsCharAlphaNumericW', 'CreateStateLock', 'RemovePackageStatus', 'UpdatePackageStatus', 'AcquireStateLock', 'RegSaveKeyExW', 'CloseStateLock', 'GetHivePath', 'WerGetFlags', 'GetFileVersionInfoExA', 'PathAddBackslashA', 'GetFileVersionInfoSizeExA', 'QuirkIsEnabledForPackage2', 'CheckIfStateChangeNotificationExists', 'DeleteStateContainer', 'PssQuerySnapshot', 'IsSideloadingEnabled', 'ReleaseStateLock', 'GetWindowsDirectoryA', 'GetSystemWindowsDirectoryA', 'PssDuplicateSnapshot', 'GetCalendarInfoW', 'PssFreeSnapshot', 'PackageSidFromFamilyName', 'AppContainerLookupDisplayNameMrtReference', 'AppContainerRegisterSid', 'GetDateFormatA', 'PerfDeleteInstance', 'PerfStopProvider', 'PcwDisconnectCounterSet', 'PerfStartProviderEx', 'PerfCreateInstance', 'PerfSetCounterSetInfo', 'PcwRegisterCounterSet', 'PerfSetCounterRefValue', 'PrivCopyFileExW', 'GetLogicalDriveStringsW', 'FindFirstFileNameW', 'FindNextFileNameW', 'SetThreadIdealProcessor', 'GetRegistryValueWithFallbackW', 'GetCurrentThread', 'GetFileVersionInfoByHandle', 'GetTimeFormatA', 'GetTempPathA', 'CtrlRoutine', 'SetClientDynamicTimeZoneInformation', 'PathFileExistsA', 'WerSetMaxProcessHoldMilliseconds', 'RsopLoggingEnabledInternal', 'SetThreadPriorityBoost', 'SetProcessPreferredUILanguages', 'EnumSystemLocalesA', 'BaseInitAppcompatCacheSupport', 'SetThreadGroupAffinity', 'GetFileVersionInfoA', 'ReadConsoleOutputW', 'WriteConsoleOutputW', 'EnumResourceLanguagesExW', 'PerfSetULongLongCounterValue', 'GetProcessPreferredUILanguages', 'GetComputerNameExA', 'SetProcessAffinityUpdateMode', 'RegUnLoadKeyW', 'GetConsoleCursorInfo', 'GetLargestConsoleWindowSize', 'SetThreadContext', 'GetWindowsAccountDomainSid', 'EqualDomainSid', 'PathCanonicalizeW', 'RegLoadKeyW', 'PerfStartProvider', 'GetOsManufacturingMode', 'AddAccessDeniedAce', 'AddDllDirectory', 'RemoveDllDirectory', '_invalid_parameter', '_purecall', '_time64', 'time', 'SHExpandEnvironmentStringsA', 'CheckIsMSIXPackage', 'SetProcessDynamicEnforcedCetCompatibleRanges', 'SetHandleCount', 'TlsGetValue', 'QueryFullProcessImageNameA', 'VerFindFileA', 'AreThereVisibleLogoffScriptsInternal', 'AreThereVisibleShutdownScriptsInternal', 'ForceSyncFgPolicyInternal', 'FreeGPOListInternalA', 'FreeGPOListInternalW', 'GenerateGPNotificationInternal', 'GetAppliedGPOListInternalA', 'GetGPOListInternalA', 'GetGPOListInternalW', 'GetNextFgPolicyRefreshInfoInternal', 'GetPreviousFgPolicyRefreshInfoInternal', 'HasPolicyForegroundProcessingCompletedInternal', 'IsSyncForegroundPolicyRefresh', 'RefreshPolicyExInternal', 'RefreshPolicyInternal', 'WaitForMachinePolicyForegroundProcessingInternal', 'WaitForUserPolicyForegroundProcessingInternal', 'VerFindFileW', 'DsBindWithSpnExW', 'DsCrackNamesW', 'DsFreeDomainControllerInfoW', 'DsFreeNameResultW', 'DsFreeNgcKey', 'DsFreePasswordCredentials', 'DsGetDomainControllerInfoW', 'DsMakePasswordCredentialsW', 'DsReadNgcKeyW', 'DsUnBindW', 'DsWriteNgcKeyW', 'ZombifyActCtx', 'BaseCheckAppcompatCache', 'BaseCheckAppcompatCacheEx', 'BaseCleanupAppcompatCacheSupport', 'BaseDumpAppcompatCache', 'BaseFlushAppcompatCache', 'BaseUpdateAppcompatCache', 'GetApplicationRecoveryCallback', 'GetApplicationRestartSettings', 'UnregisterApplicationRestart', 'WerRegisterAdditionalProcess', 'WerRegisterAppLocalDump', 'WerRegisterExcludedMemoryBlock', 'WerUnregisterAdditionalProcess', 'WerUnregisterAppLocalDump', 'WerUnregisterCustomMetadata', 'WerUnregisterExcludedMemoryBlock', 'IsCharLowerW', 'IsCharUpperW', 'CharNextExA', 'CharPrevExA', 'IsCharAlphaA', 'IsCharAlphaNumericA', 'IsCharLowerA', 'IsCharUpperA', 'ReOpenFile', 'BaseMarkFileForDelete', 'CheckAllowDecryptedRemoteDestinationPolicy', 'CreateSymbolicLinkW', 'CreateDirectoryExW', 'ChrCmpIA', 'StrCSpnA', 'StrCSpnIA', 'StrCSpnIW', 'StrCatBuffA', 'StrCatBuffW', 'StrCatChainW', 'StrChrNIW', 'StrCmpNA', 'StrCpyNW', 'StrCpyNXA', 'StrCpyNXW', 'StrIsIntlEqualA', 'StrPBrkA', 'StrRChrIA', 'StrRStrIA', 'StrRStrIW', 'StrSpnA', 'StrSpnW', 'StrStrNIW', 'StrStrNW', 'StrToInt64ExA', 'StrToIntExA', 'StrTrimA', 'IsCharBlankW', 'IsCharCntrlW', 'IsCharDigitW', 'IsCharPunctW', 'IsCharSpaceA', 'IsCharXDigitW', 'CeipIsOptedIn', 'CreateHardLinkA', 'QuirkGetData', 'QuirkGetData2', 'QuirkIsEnabled2', 'CopyContext', 'GetXStateFeaturesMask', 'InitializeContext', 'InitializeContext2', 'LocateXStateFeature', 'SetXStateFeaturesMask', 'GetGamingDeviceModelInformation', 'GetAcceptLanguagesA', 'PathCchRenameExtension', 'SHRegCreateUSKeyA', 'SHRegDeleteEmptyUSKeyA', 'SHRegDeleteEmptyUSKeyW', 'SHRegDeleteUSValueA', 'SHRegDeleteUSValueW', 'SHRegGetBoolUSValueA', 'ParseURLA', 'PathCreateFromUrlA', 'PathCreateFromUrlAlloc', 'UrlApplySchemeA', 'UrlCanonicalizeA', 'UrlCombineA', 'UrlCompareA', 'UrlCompareW', 'UrlCreateFromPathA', 'UrlEscapeA', 'UrlFixupW', 'UrlGetLocationA', 'UrlGetPartA', 'UrlIsA', 'UrlIsNoHistoryA', 'UrlIsOpaqueA', 'UrlIsOpaqueW', 'DebugBreak', 'NlsGetACPFromLocale', 'GetStringTypeA', 'LCMapStringA', 'FindNLSString', 'GetEraNameCountedString', 'GetFallbackDisplayName', 'GetPtrCalData', 'GetPtrCalDataArray', 'GetUserInfo', 'GetUserInfoWord', 'IsValidLanguageGroup', 'NlsUpdateLocale', 'NlsUpdateSystemLocale', 'SetCalendarInfoW', 'SetLocaleInfoW', 'EnumCalendarInfoExW', 'EnumCalendarInfoW', 'EnumDateFormatsExW', 'EnumDateFormatsW', 'EnumLanguageGroupLocalesW', 'EnumSystemCodePagesW', 'EnumSystemLanguageGroupsW', 'EnumSystemLocalesW', 'EnumTimeFormatsW', 'Internal_EnumLanguageGroupLocales', 'Internal_EnumSystemCodePages', 'Internal_EnumSystemLanguageGroups', 'NlsDispatchAnsiEnumProc', 'FoldStringW', 'GetCurrencyFormatEx', 'GetCurrencyFormatW', 'GetDurationFormatEx', 'GetFileMUIInfo', 'GetUILanguageInfo', 'RestoreThreadPreferredUILanguages', 'IdnToNameprepUnicode', 'IsNormalizedString', 'NormalizeString', 'VerifyScripts', 'NotifyRedirectedStringChange', 'EnumSystemGeoNames', 'GetGeoInfoEx', 'GetUserDefaultGeoName', 'SetUserGeoID', 'SetUserGeoName', 'IsValidNLSVersion', 'IsNLSDefinedString', 'GetLongPathNameA', 'QueryThreadpoolStackInformation', 'SetThreadpoolStackInformation', 'QueryGlobalizationUserSettingsStatus', '_c_exit', '_cexit', '_exit', 'exit', 'hgets', 'hwprintf', 'wprintf', 'PathMatchSpecExW', 'PathQuoteSpacesW', 'PathUnExpandEnvStringsW', 'PathAddExtensionW', 'PathIsLFNFileSpecW', 'PathRenameExtensionW', 'SHRegSetUSValueW', 'PathCombineA', 'PathFindExtensionA', 'PathIsUNCA', 'PathIsUNCServerA', 'PathIsUNCServerShareA', 'PathMatchSpecA', 'PathMatchSpecExA', 'PathParseIconLocationA', 'PathQuoteSpacesA', 'PathRemoveBlanksA', 'PathRemoveFileSpecA', 'PathUnExpandEnvStringsA', 'PathUnquoteSpacesA', 'SHTruncateString', 'PathAddExtensionA', 'PathAppendA', 'PathCanonicalizeA', 'PathCommonPrefixA', 'PathFindNextComponentA', 'PathGetArgsA', 'PathGetCharTypeA', 'PathIsFileSpecA', 'PathIsLFNFileSpecA', 'PathIsPrefixA', 'PathIsRelativeA', 'PathIsRootA', 'PathIsSameRootA', 'PathIsValidCharA', 'PathRelativePathToA', 'PathRemoveBackslashA', 'PathRemoveExtensionA', 'PathRenameExtensionA', 'PathSearchAndQualifyA', 'PathSkipRootA', 'PathStripPathA', 'PathStripToRootA', 'PathIsURLA', 'SHRegEnumUSKeyA', 'SHRegEnumUSValueA', 'SHRegQueryInfoUSKeyA', 'SHRegSetUSValueA', 'SHRegWriteUSValueA', 'RemapPredefinedHandleInternal', 'GetRegistryExtensionFlags', 'PoolPerAppKeyStateInternal', 'RegKrnGetAppKeyEventAddressInternal', 'RegKrnGetAppKeyLoaded', 'RegKrnGetHKEY_ClassesRootAddress', 'RegKrnResetAppKeyLoaded', 'RegKrnSetDllHasThreadStateGlobal', 'RegKrnSetTermsrvRegistryExtensionFlags', 'RegDeleteKeyExA', 'RegDeleteKeyExInternalA', 'RegDeleteKeyValueA', 'RegSetKeyValueA', 'RegDeleteTreeA', 'RegLoadAppKeyA', 'RegLoadKeyA', 'RegUnLoadKeyA', 'RegQueryMultipleValuesA', 'RegQueryMultipleValuesW', 'RegRestoreKeyA', 'RegRestoreKeyW', 'RegSaveKeyExA', 'DelayLoadFailureHookLookup', 'PssCaptureSnapshot', 'PssWalkMarkerCreate', 'PssWalkMarkerFree', 'PssWalkMarkerSeekToBeginning', 'PssWalkMarkerSetPosition', 'PssWalkMarkerGetPosition', 'PssWalkSnapshot', 'K32EmptyWorkingSet', 'EmptyWorkingSet', 'QueryWorkingSet', 'K32QueryWorkingSet', 'K32GetDeviceDriverFileNameA', 'GetDeviceDriverFileNameA', 'K32GetDeviceDriverFileNameW', 'GetDeviceDriverFileNameW', 'K32EnumPageFilesA', 'EnumPageFilesA', 'K32EnumPageFilesW', 'EnumPageFilesW', 'K32EnumProcessModulesEx', 'EnumProcessModulesEx', 'K32GetModuleBaseNameA', 'GetModuleBaseNameA', 'K32GetModuleFileNameExA', 'GetModuleFileNameExA', 'K32GetProcessImageFileNameA', 'GetProcessImageFileNameA', 'K32GetWsChanges', 'GetWsChanges', 'K32GetWsChangesEx', 'GetWsChangesEx', 'K32InitializeProcessForWsWatch', 'InitializeProcessForWsWatch', 'K32GetMappedFileNameA', 'GetMappedFileNameA', 'K32GetMappedFileNameW', 'GetMappedFileNameW', 'PsmEqualApplication', 'PsmEqualPackage', 'PsmIsChildKey', 'CommitStateAtom', 'SaveStateRootFolderPath', 'SaveAlternatePackageRootPath', 'GetSystemStateRootFolder', 'GetAlternatePackageRoots', 'GetPublisherCacheFolder', 'GetRoamingLastObservedChangeTime', 'GetStateContainerDepth', 'GetStateSettingsFolder', 'GetStateVersion', 'OverrideRoamingDataModificationTimesInRange', 'PublishStateChangeNotification', 'RegisterStateChangeNotification', 'RegisterStateLock', 'ResetState', 'SetRoamingLastObservedChangeTime', 'SetStateVersion', 'UnregisterStateChangeNotification', 'UnregisterStateLock', 'PackageSidFromProductId', 'AddDependencyToProcessPackageGraph', 'GetPackageApplicationIds', 'GetPackageInfo2', 'OpenPackageInfoByFullNameForMachine', 'RefreshPackageInfo', 'GetPackageFamilyNameFromProgId', 'GetPackageInstallTime', 'AppPolicyGetCreateFileAccess', 'AppPolicyGetShowDeveloperDiagnostic', 'PackageFamilyNameFromProductId', 'GetExtensionApplicationUserModelId', 'GetExtensionProperty2', 'IsOnDemandRegistrationSupportedForExtensionCategory', 'FormatApplicationUserModelIdA', 'PackageFamilyNameFromFullNameA', 'PackageFamilyNameFromIdA', 'PackageFullNameFromId', 'PackageFullNameFromIdA', 'PackageIdFromFullNameA', 'PackageNameAndPublisherIdFromFamilyNameA', 'ParseApplicationUserModelIdA', 'VerifyApplicationUserModelIdA', 'VerifyPackageFamilyName', 'VerifyPackageFamilyNameA', 'VerifyPackageFullNameA', 'VerifyPackageId', 'VerifyPackageIdA', 'VerifyPackagePublisherA', 'VerifyPackageRelativeApplicationId', 'VerifyPackageRelativeApplicationIdA', 'GetAppModelVersion', 'InvalidateAppModelVersionCache', 'GetCurrentPackageSecurityContext', 'GetCurrentTargetPlatformContext', 'GetPackageApplicationContext', 'GetPackageApplicationResourcesContext', 'GetPackageContext', 'GetPackageGlobalizationContext', 'GetPackageOSMaxVersionTested', 'GetPackageResourcesContext', 'GetPackageSecurityContext', 'GetPackageSecurityProperty', 'GetPackagePath', 'RemovePackageStatusForUser', 'UpdatePackageStatusForUser', 'GetPackagePathOnVolume', 'GetProtocolAumid', 'GetProtocolProperty', 'GetSystemMetadataPath', 'GetSystemMetadataPathForPackageFamily', 'PublisherFromPackageFullName', 'AppContainerUnregisterSid', 'AppXGetApplicationData', 'AppXGetDevelopmentMode', 'AppXLookupDisplayName', 'AppXLookupMoniker', 'IsDeveloperModePolicyApplied', 'IsSideloadingPolicyApplied', 'SetIsDeveloperModeEnabled', 'SetIsSideloadingEnabled', 'PcwClearCounterSetSecurity', 'PcwCompleteNotification', 'PcwCreateNotifier', 'PcwIsNotifierAlive', 'PcwQueryCounterSetSecurity', 'PcwReadNotificationData', 'PcwRemoveQueryItem', 'PcwSendNotification', 'PcwSendStatelessNotification', 'PcwSetCounterSetSecurity', 'PerfDecrementULongCounterValue', 'PerfDecrementULongLongCounterValue', 'PerfIncrementULongCounterValue', 'PerfIncrementULongLongCounterValue', 'PerfQueryInstance', 'PerfSetULongCounterValue', 'AddConsoleAliasA', 'AddConsoleAliasW', 'ExpungeConsoleCommandHistoryA', 'ExpungeConsoleCommandHistoryW', 'GetConsoleAliasA', 'GetConsoleAliasExesA', 'GetConsoleAliasExesLengthA', 'GetConsoleAliasExesLengthW', 'GetConsoleAliasExesW', 'GetConsoleAliasW', 'GetConsoleAliasesA', 'GetConsoleAliasesLengthA', 'GetConsoleAliasesLengthW', 'GetConsoleAliasesW', 'GetConsoleCommandHistoryA', 'GetConsoleCommandHistoryLengthA', 'GetConsoleCommandHistoryLengthW', 'GetConsoleCommandHistoryW', 'GetConsoleInputExeNameA', 'GetConsoleInputExeNameW', 'GetConsoleOriginalTitleA', 'GetConsoleOriginalTitleW', 'GetConsoleTitleA', 'SetConsoleInputExeNameA', 'SetConsoleNumberOfCommandsA', 'SetConsoleNumberOfCommandsW', 'SetConsoleTitleA', 'AttachConsole', 'BaseGetConsoleReference', 'FreeConsole', 'ClosePseudoConsole', 'CreatePseudoConsole', 'CreatePseudoConsoleAsUser', 'ResizePseudoConsole', 'CreateConsoleScreenBuffer', 'FillConsoleOutputAttribute', 'FillConsoleOutputCharacterA', 'FillConsoleOutputCharacterW', 'PeekConsoleInputA', 'ReadConsoleInputA', 'ReadConsoleInputExA', 'ReadConsoleInputExW', 'ReadConsoleInputW', 'ReadConsoleOutputA', 'ReadConsoleOutputAttribute', 'ReadConsoleOutputCharacterA', 'ReadConsoleOutputCharacterW', 'WriteConsoleInputA', 'WriteConsoleInputW', 'WriteConsoleOutputA', 'WriteConsoleOutputAttribute', 'WriteConsoleOutputCharacterA', 'WriteConsoleOutputCharacterW', 'SetLastConsoleEventActive', 'GenerateConsoleCtrlEvent', 'GetConsoleDisplayMode', 'GetConsoleFontSize', 'GetConsoleHistoryInfo', 'GetConsoleProcessList', 'GetConsoleSelectionInfo', 'GetCurrentConsoleFont', 'GetNumberOfConsoleMouseButtons', 'ScrollConsoleScreenBufferA', 'ScrollConsoleScreenBufferW', 'SetConsoleActiveScreenBuffer', 'SetConsoleCP', 'SetConsoleCursorInfo', 'SetConsoleDisplayMode', 'SetConsoleHistoryInfo', 'SetConsoleOutputCP', 'SetConsoleScreenBufferInfoEx', 'SetConsoleScreenBufferSize', 'SetConsoleWindowInfo', 'SetCurrentConsoleFontEx', 'ReadConsoleA', 'ReadConsoleW', 'WriteConsoleA', 'AccessCheckByTypeAndAuditAlarmW', 'AccessCheckByTypeResultList', 'AccessCheckByTypeResultListAndAuditAlarmByHandleW', 'AccessCheckByTypeResultListAndAuditAlarmW', 'AddAccessAllowedObjectAce', 'AddAccessDeniedAceEx', 'AddAccessDeniedObjectAce', 'AddAuditAccessAce', 'AddAuditAccessAceEx', 'AddAuditAccessObjectAce', 'AddResourceAttributeAce', 'AddScopedPolicyIDAce', 'AreAnyAccessesGranted', 'ConvertToAutoInheritPrivateObjectSecurity', 'CreatePrivateObjectSecurityWithMultipleInheritance', 'CveEventWrite', 'DeriveCapabilitySidsFromName', 'FindFirstFreeAce', 'GetCachedSigningLevel', 'GetPrivateObjectSecurity', 'InstallELAMCertificateInfo', 'IsValidRelativeSecurityDescriptor', 'MakeAbsoluteSD2', 'ObjectDeleteAuditAlarmW', 'ObjectPrivilegeAuditAlarmW', 'PrivilegedServiceAuditAlarmW', 'SetAclInformation', 'SetCachedSigningLevel', 'SetPrivateObjectSecurity', 'SetPrivateObjectSecurityEx', 'EnumResourceLanguagesExA', 'EnumResourceNamesExA', 'EnumResourceNamesW', 'EnumResourceTypesExA', 'EnumResourceTypesExW', 'LoadPackagedLibrary', 'QueryOptionalDelayLoadedAPI', 'ResolveDelayLoadsFromDll', 'SetDefaultDllDirectories', 'AllocateUserPhysicalPages', 'AllocateUserPhysicalPagesNuma', 'DiscardVirtualMemory', 'FreeUserPhysicalPages', 'GetLargePageMinimum', 'GetMemoryErrorHandlingCapabilities', 'GetSystemFileCacheSize', 'MapUserPhysicalPages', 'OfferVirtualMemory', 'QueryVirtualMemoryInformation', 'ReclaimVirtualMemory', 'RegisterBadMemoryNotification', 'SetProcessValidCallTargetsForMappedView', 'SetSystemFileCacheSize', 'UnregisterBadMemoryNotification', 'VirtualAlloc2', 'VirtualAlloc2FromApp', 'VirtualAllocFromApp', 'VirtualProtectFromApp', 'GetAdjustObjectAttributesForPrivateNamespaceRoutine', 'GetEightBitStringToUnicodeSizeRoutine', 'GetUnicodeStringToEightBitSizeRoutine', 'SetFileApisToANSI', 'Beep', 'CallEnclave', 'CreateEnclave', 'DeleteEnclave', 'InitializeEnclave', 'LoadEnclaveData', 'LoadEnclaveImageA', 'LoadEnclaveImageW', 'TerminateEnclave', 'GetNamedPipeHandleStateW', 'GetNamedPipeInfo', 'NamedPipeEventEnum', 'NamedPipeEventSelect', 'CancelSynchronousIo', 'GetFinalPathNameByHandleA', 'Wow64RevertWow64FsRedirection', 'EnterSynchronizationBarrier', 'InitializeSynchronizationBarrier', 'OpenWaitableTimerW', 'SignalObjectAndWait', 'ContinueDebugEvent', 'DebugActiveProcess', 'DebugActiveProcessStop', 'WaitForDebugEvent', 'WaitForDebugEventEx', 'ClearCommBreak', 'ClearCommError', 'EscapeCommFunction', 'GetCommConfig', 'GetCommMask', 'GetCommModemStatus', 'GetCommPorts', 'GetCommProperties', 'GetCommState', 'GetCommTimeouts', 'OpenCommPort', 'PurgeComm', 'SetCommBreak', 'SetCommConfig', 'SetCommMask', 'SetCommState', 'SetCommTimeouts', 'SetupComm', 'TransmitCommChar', 'WaitCommEvent', 'CompareObjectHandles', 'ConvertAuxiliaryCounterToPerformanceCounter', 'ConvertPerformanceCounterToAuxiliaryCounter', 'GetSystemLeapSecondInformation', 'GetSystemTimeAdjustmentPrecise', 'LocalFileTimeToLocalSystemTime', 'LocalSystemTimeToLocalFileTime', 'QueryAuxiliaryCounterFrequency', 'QueryInterruptTime', 'QueryUnbiasedInterruptTimePrecise', 'SetClientTimeZoneInformation', 'SetDynamicTimeZoneInformation', 'SetLocalTime', 'SetSystemTime', 'SetSystemTimeAdjustment', 'SetSystemTimeAdjustmentPrecise', 'SetTimeZoneInformation', 'TzSpecificLocalTimeToSystemTimeEx', 'ConvertThreadToFiberEx', 'CreateRemoteThread', 'CreateThread', 'GetCurrentThreadStackLimits', 'GetThreadDescription', 'GetThreadGroupAffinity', 'GetThreadIOPendingFlag', 'GetThreadIdealProcessorEx', 'GetThreadPriorityBoost', 'GetThreadSelectedCpuSets', 'SetThreadIdealProcessorEx', 'SetThreadSelectedCpuSets', 'TerminateThread', 'Wow64GetThreadContext', 'Wow64SetThreadContext', 'Wow64SuspendThread', 'RemoveDirectoryA', 'CreateFileMapping2', 'CreateFileMappingFromApp', 'MapViewOfFile3', 'MapViewOfFile3FromApp', 'MapViewOfFileFromApp', 'OpenFileMappingFromApp', 'GetQueuedCompletionStatusEx', 'GetThreadErrorMode', 'SetFileIoOverlappedRange', 'CreateProcessAsUserA', 'FatalAppExitA', 'FatalAppExitW', 'GetProcessDefaultCpuSets', 'GetProcessGroupAffinity', 'GetProcessHandleCount', 'GetProcessPriorityBoost', 'GetProcessShutdownParameters', 'GetProcessVersion', 'GetSystemCpuSetInformation', 'IsProcessCritical', 'IsUserCetAvailableInEnvironment', 'IsWow64GuestMachineSupported', 'NeedCurrentDirectoryForExePathA', 'QueryProcessAffinityUpdateMode', 'SetProcessDefaultCpuSets', 'SetProcessDynamicEHContinuationTargets', 'SetProcessGroupAffinity', 'GetCompressedFileSizeA', 'GetFileAttributesExA', 'SetFileAttributesA', 'DeleteVolumeMountPointW', 'NotifyMountMgr', 'DnsHostnameToComputerNameExW', 'SetComputerNameA', 'SetComputerNameEx2W', 'SetComputerNameExA', 'SetComputerNameExW', 'SetComputerNameW', 'EnumSystemFirmwareTables', 'FindFirstChangeNotificationA', 'FindFirstFileExA', 'FindFirstStreamW', 'FindNextStreamW', 'LoadStringA', 'SetCurrentDirectoryA', 'GetDiskFreeSpaceA', 'GetDiskFreeSpaceExA', 'GetDiskSpaceInformationA', 'GetDiskSpaceInformationW', 'GetSystemWow64Directory2A', 'GetSystemWow64DirectoryA', 'GetTempFileNameA', 'GetVolumeInformationA', 'SearchPathA', 'GetNumaNodeProcessorMaskEx', 'GetNumaProximityNodeEx', 'GetProcessHeaps', 'HeapCompact', 'HeapQueryInformation', 'HeapSummary', 'HeapWalk', 'SetStdHandleEx', 'GuardCheckLongJumpTarget', 'lstrcpynA', 'lstrcpyn', 'QueryIdleProcessorCycleTime', 'QueryIdleProcessorCycleTimeEx', 'RaiseCustomSystemEventTrigger', 'RaiseFailFastException', 'TerminateProcessOnMemoryExhaustion', 'UnhandledExceptionFilter']

In [23]:
# Helper mapping to look up which API is defined in which DLL
libs_by_func_name = defaultdict(list)
for api_name, api_mapping in libs["X64"].items():
    for dll_name, func_mapping in api_mapping.items():
        for func_name, func_info in func_mapping.items():
            libs_by_func_name[func_name].append(api_name)

funcs_by_lib_name = defaultdict(lambda: defaultdict(list))
for key, api_mapping in libs.items():
    for api_name, api_mapping in api_mapping.items():
        for dll_name, func_mapping in api_mapping.items():
            for func_name, func_info in func_mapping.items():
                funcs_by_lib_name[key][api_name].append(func_name)

## Create The Type Libraries

In [24]:
from typing import Set, List
import json
from tqdm.notebook import tqdm

ordinal_data = json.load(open("mappingfile.json"))
ordinal_data["Arm64"] = {}
typelibs = {}

win_common = {}
for key, arch_name, arch, platform, bntl_name in lib_sets:
    print(f"Building common bntl file {bntl_name}")
    defined_types = defaultdict(lambda: defaultdict(lambda: defaultdict(lambda: None)))
    win_common[key] = TypeLibrary.new(arch, bntl_name)
    win_common[key].add_platform(platform)
    filename = f"output/{arch_name}/{bntl_name}.bntl"

    for api, type_name in most_common_types[key]:
        type = types[key][api][type_name]
        if type is None:
            if not type_name.startswith("_"):
                print("couldn't find: ", key, api, type_name)
            continue
        add_to_type_library(win_common[key], key, api, QualifiedName(type_name), type, {})
    # ensure GUID is defined as its _special_
    add_to_type_library(win_common[key], key, "", QualifiedName("GUID"), {"Kind":"Native","Name":"Guid"}, {})

    win_common[key].finalize()
    win_common[key].write_to_file(filename)


func_api_map = defaultdict(lambda :defaultdict(list))
for key, arch_name, arch, platform, dependency_name in lib_sets:
    for dll_name, api_mapping in libs[key].items():
        for api_name, func_mapping in api_mapping.items():
            for func_name, func_info in func_mapping.items():
                func_api_map[key][func_name].append((dll_name, api_name))

no_return_functions = [
    "cexit", "exit", "ExitProcess", "ExitThread", "RaiseException", "CxxThrowException", "report_gsfailure", "AfxThrowOleException", "AfxThrowMemoryException", "AfxThrowInvalidArgException", "AfxThrowNotSupportedException", "AfxThrowArchiveException", "AfxThrowFileException", "com_issue_error",
    "com_raise_error", "terminate", "unexpected", "ExceptionPtrRethrow", "abort", "RaiseException", "__crtExitProcess", "_invalid_parameter_noinfo_noreturn", "_invoke_watson", "FreeLibraryAndExitThread", "quick_exit", "RpcRaiseException",
]

# for key, arch_name, arch, platform, dependency_name in lib_sets:
#     print(f"Building kernelbase {arch_name}")
#     typelib = TypeLibrary.new(arch, "kernelbase.dll")
#     typelib.add_platform(platform)
#     typelib.dependency_name = dependency_name
#     for alt_name in alternate_names["kernelbase.dll"]:
#         typelib.add_alternate_name(normalize_dll_name(alt_name))
#     for name in win_common[key].named_types.keys():
#         typelib.add_type_source(QualifiedName(name), win_common[key].name)

#     for func_name in kernel_base_exports:
#         items = func_api_map[key][func_name]
#         if len(items) == 0:
#             print(key, func_name)
#             continue
#         dll_name, api_name = items[0]
#         func = libs[key][dll_name][api_name][func_name]
#         assert func is not None
#         params = []
#         for param in func["Params"]:
#             param_type = add_to_type_library(typelib, key, api_name, None, param["Type"], {}, dependent=win_common[key], lib_name=dll_name)
#             params.append((param["Name"], param_type))
#         return_type = add_to_type_library(typelib, key, api_name, None, func["ReturnType"], {}, dependent=win_common[key], lib_name=dll_name)
#         function_type = TypeBuilder.function(return_type, params, calling_convention=platform.stdcall_calling_convention)
#         if func_name in no_return_functions:
#             function_type.can_return = False
#         else:
#             function_type.can_return = not func["NoReturn"]
#         typelib.add_named_object(QualifiedName(func_name), function_type.immutable_copy())

#     typelib.finalize()
#     typelib.write_to_file(f"output/{arch_name}/kernelbase.dll.bntl")
#     typelibs[f"output/{arch_name}/kernelbase.dll.bntl"] = typelib


for key, arch_name, arch, platform, dependency_name in lib_sets:
    print(f"Building Type Libraries for {arch_name}")
    for lib_name, func_list in libs[key].items():
        orig_name = lib_name
        lib_name = normalize_dll_name(lib_name)
        typelib = TypeLibrary.new(arch, lib_name)
        typelib.add_platform(platform)
        typelib.dependency_name = dependency_name

        for name in win_common[key].named_types.keys():
            typelib.add_type_source(QualifiedName(name), win_common[key].name)

        for alt_name in alternate_names[lib_name]:
            if alt_name not in libs[key].keys():
                typelib.add_alternate_name(alt_name)

        lookup_name = f"{lib_name}.bntl"
        if lookup_name in ordinal_data[key]:
            typelib.guid = str(ordinal_data[key][lookup_name]["guid"])
            ordinal_name = ordinal_data[key][lookup_name]["ordinals"]
            if ordinal_name is not None:
                typelib.store_metadata("ordinals", ordinal_name)
                typelib.store_metadata(ordinal_name, ordinal_data[key][lookup_name][ordinal_name])
        for api_name, func_dict in func_list.items():
            for func_name, func in func_dict.items():
                params = []
                for param in func["Params"]:
                    param_type = add_to_type_library(typelib, key, api_name, None, param["Type"], {}, win_common[key])
                    params.append((param["Name"], param_type))
                return_type = add_to_type_library(typelib, key, api_name, None, func["ReturnType"], {}, win_common[key])
                function_type = FunctionBuilder.create(
                    return_type=return_type,
                    params=params,
                    calling_convention=platform.stdcall_calling_convention,
                    stack_adjust=OffsetWithConfidence(0, 0), # set stack adjustment confidence to zero so calling_convention determines it
                    platform=platform,
                    var_args=BoolWithConfidence(False, 255))
                if func_name in no_return_functions:
                    function_type.can_return = False
                else:
                    function_type.can_return = not func["NoReturn"]
                function_type.stack_adjustment = OffsetWithConfidence(function_type.stack_adjustment.value, function_type.calling_convention.confidence)
                typelib.add_named_object(func_name, function_type.immutable_copy())


        assert not any([str(name).startswith('_Anonymous') for name in typelib.named_types.keys()])
        typelib.finalize()
        typelib.write_to_file(f"output/{arch_name}/{lookup_name}")
        typelibs[f"output/{arch_name}/{lookup_name}"] = typelib

print("Success")

Building common bntl file winX64common
Building common bntl file win32common
Building common bntl file winArm64common
Building Type Libraries for x86_64
Building Type Libraries for x86
Building Type Libraries for aarch64
Success


In [48]:
import glob
for name in glob.glob("output/*/*.bntl"):
        tl = TypeLibrary.load_from_file(name)
        if tl.get_named_type("IUnknown") is not None:
                print("here")
                break
else:
        print('failed')

here


In [71]:
tl = TypeLibrary.load_from_file("output/x86/win32common.bntl")
print(repr(tl.get_named_type("IUnknown")))
print(repr(tl.get_named_type("IUnknown").target))

<type: immutable:PointerTypeClass 'IUnknown*'>
<type: immutable:NamedTypeReferenceClass 'typedef IUnknown'>


In [12]:

all = [*funcs_by_lib_name["X64"]["advapi32.dll"], *funcs_by_lib_name["X64"]["kernelbase.dll"], *funcs_by_lib_name["X64"]["kernel32.dll"], *funcs_by_lib_name["X64"]["shlwapi.dll"], *funcs_by_lib_name["X64"]["wininet.dll"]]
result = set()
missing = []
for a in kernel_base_exports:
    libs = libs_by_func_name[a]
    if len(libs) >= 1:
        assert len(libs) == 1, libs
        result.add(libs[0])
    else:
        missing.append(a)
print(len(result))
print(result)
print(len(missing))
print(missing)
libs_by_func_name["TerminateEnclave"]

12
{'kernel.appcore.dll', 'vertdll.dll', 'ntdsapi.dll', 'wininet.dll', 'kernel32.dll', 'kernelbase.dll', 'advapi32.dll', 'shell32.dll', 'normaliz.dll', 'shlwapi.dll', 'user32.dll', 'version.dll'}
445
['GetSecureSystemAppDataFolder', 'lstrcmp', 'IsMrtResourceRedirectionEnabled', 'PcwEnumerateInstances', 'GetPackagePropertyString', 'GetPackageProperty', 'GetCurrentPackageContext', 'NlsCheckPolicy', 'CheckGroupPolicyEnabled', 'PsmGetDynamicIdFromKey', '_AddMUIStringToCache', 'GetProcAddressForCaller', 'CreateProcessInternalA', 'CreateProcessInternalW', 'GetSystemAppDataFolder', 'GetAppDataFolder', 'CreateAppContainerToken', 'QueryStateAtomValueInfo', 'IsTimeZoneRedirectionEnabled', 'ReadStateAtomValue', 'LoadStringBaseExW', 'GetSystemMetadataPathForPackage', 'SHLoadIndirectStringInternal', 'LoadStringByReference', '_OpenMuiStringCache', 'QueryStateContainerItemInfo', 'ReadStateContainerValue', 'CreateStateSubcontainer', 'QueryStateContainerCreatedNew', 'NlsIsUserDefaultLocale', 'GetCalend

['vertdll.dll']

In [None]:
reduced_api_set = {}
for api_set_name, library_name in apiset.items():
    api_name = api_set_name[:api_set_name.rindex("-")+1]
    if api_name in reduced_api_set:
        assert library_name == reduced_api_set[api_name], f"{api_name} {reduced_api_set[api_name]} {library_name}"
    else:
        reduced_api_set[api_name] = library_name
print(reduced_api_set)
print(len(apiset))

{'api-ms-onecoreuap-print-render-l1-1-': 'printrenderapihost.dll', 'api-ms-win-appmodel-advertisingid-l1-1-': 'kernel.appcore.dll', 'api-ms-win-appmodel-identity-l1-2-': 'kernel.appcore.dll', 'api-ms-win-appmodel-lifecyclepolicy-l1-1-': 'rmclient.dll', 'api-ms-win-appmodel-runtime-internal-l1-1-': 'kernel.appcore.dll', 'api-ms-win-appmodel-runtime-l1-1-': 'kernel.appcore.dll', 'api-ms-win-appmodel-state-l1-1-': 'kernel.appcore.dll', 'api-ms-win-appmodel-state-l1-2-': 'kernel.appcore.dll', 'api-ms-win-appmodel-unlock-l1-1-': 'kernel.appcore.dll', 'api-ms-win-audiocore-spatial-config-l1-1-': 'windows.media.devices.dll', 'api-ms-win-base-bootconfig-l1-1-': 'advapi32.dll', 'api-ms-win-base-util-l1-1-': 'advapi32.dll', 'api-ms-win-composition-redirection-l1-1-': 'dwmredir.dll', 'api-ms-win-composition-windowmanager-l1-1-': 'udwm.dll', 'api-ms-win-containers-cmclient-l1-1-': 'cmclient.dll', 'api-ms-win-containers-cmclient-l1-2-': 'cmclient.dll', 'api-ms-win-containers-cmclient-l1-3-': 'cmcli

In [None]:
for k in funcs_by_lib_name["X64"].keys():
    if '-' in k:
        print(apiset[k])

In [None]:
func_names = []
for func_mapping in libs["X64"]["kernelbase.dll"].values():
    func_names.extend(list(func_mapping.keys()))
len(func_names)
for func_name in func_names:
    if func_name not in kernel_base_exports:
        print(func_name)

AllocateUserPhysicalPages2
OpenDedicatedMemoryPartition
QueryPartitionInformation
CopyFileFromAppW
CreateDirectoryFromAppW
CreateFileFromAppW
CreateFile2FromAppW
DeleteFileFromAppW
FindFirstFileExFromAppW
GetFileAttributesExFromAppW
MoveFileFromAppW
RemoveDirectoryFromAppW
ReplaceFileFromAppW
SetFileAttributesFromAppW
QueryIoRingCapabilities
IsIoRingOpSupported
CreateIoRing
GetIoRingInfo
SubmitIoRing
CloseIoRing
PopIoRingCompletion
SetIoRingCompletionEvent
BuildIoRingCancelRequest
BuildIoRingReadFile
BuildIoRingRegisterFileHandles
BuildIoRingRegisterBuffers
TryCreatePackageDependency
DeletePackageDependency
AddPackageDependency
RemovePackageDependency
GetResolvedPackageFullNameForPackageDependency
GetIdForPackageDependencyContext
EncodeRemotePointer
DecodeRemotePointer


In [None]:
api_namespaces.keys()

NameError: name 'api_namespaces' is not defined