Just Let It Flow

May 17, 2009

Importing Popularity

Filed under: Windows — adeyblue @ 11:12 pm

As I’m sure most people have done while having their curiosity in the exe file format peaked, some time ago I wrote a dependency walker type tool. As an additional “feature”, I added in the ability to iterate over executables in a directory and see what they both im- and ex-ported. As an addendum, I added in the ability to count the occurances of each import for the directory, which leads us to this: the top 20 functions imported by the exe’s and dll’s of the System(32) directory on the various versions of 32-bit Windows I have access to.

    Platform

  1. 98 SE
  2. NT4 SP1
  3. NT4 SP3
  4. NT4 SP6
  5. 2000 Server SP4
  6. XP SP0
  7. XP SP1
  8. XP SP2
  9. XP SP3
  10. Server 2003 SP0
  11. Server 2003 SP2
  12. Server 2008 SP1
  13. 7 Beta
  14. Entire Imports Set (1.41 MB)

98SE – All updates (494 files):

kernel32.dll - GetProcAddress               318 (64%)
kernel32.dll - CloseHandle                  316 (64%)
kernel32.dll - GetLastError                 310 (63%)
kernel32.dll - LoadLibraryA                 309 (63%)
advapi32.dll - RegCloseKey                  280 (57%)
kernel32.dll - FreeLibrary                  268 (54%)
kernel32.dll - lstrlenA                     268 (54%)
kernel32.dll - MultiByteToWideChar          265 (54%)
kernel32.dll - WideCharToMultiByte          253 (51%)
kernel32.dll - LeaveCriticalSection         243 (49%)
kernel32.dll - EnterCriticalSection         243 (49%)
kernel32.dll - lstrcpyA                     238 (48%)
advapi32.dll - RegQueryValueExA             237 (48%)
kernel32.dll - GetModuleFileNameA           236 (48%)
kernel32.dll - InitializeCriticalSection    234 (47%)
kernel32.dll - LocalFree                    225 (46%)
kernel32.dll - DeleteCriticalSection        224 (45%)
kernel32.dll - GetModuleHandleA             223 (45%)
advapi32.dll - RegOpenKeyExA                222 (45%)
kernel32.dll - LocalAlloc                   217 (44%)

All 98SE Imports (229 KB)

NT4 SP1 (365 files):

kernel32.dll - GetLastError            203 (56%)
kernel32.dll - GetProcAddress          199 (55%)
kernel32.dll - CloseHandle             191 (52%)
kernel32.dll - LocalFree               187 (51%)
kernel32.dll - LocalAlloc              170 (47%)
advapi32.dll - RegCloseKey             158 (43%)
kernel32.dll - WideCharToMultiByte     151 (41%)
kernel32.dll - LoadLibraryA            141 (39%)
kernel32.dll - MultiByteToWideChar     135 (37%)
kernel32.dll - WriteFile               134 (37%)
kernel32.dll - FreeLibrary             131 (36%)
kernel32.dll - WaitForSingleObject     125 (34%)
kernel32.dll - GetVersion              124 (34%)
kernel32.dll - GlobalFree              123 (34%)
kernel32.dll - GlobalAlloc             120 (33%)
kernel32.dll - GetCurrentProcess       113 (31%)
kernel32.dll - HeapFree                112 (31%)
kernel32.dll - HeapAlloc               112 (31%)
kernel32.dll - LeaveCriticalSection    108 (30%)
kernel32.dll - EnterCriticalSection    108 (30%)

All NT4 SP1 Imports (327 KB)

NT4 SP3 (403 files):

kernel32.dll - GetLastError                 231 (57%)
kernel32.dll - GetProcAddress               230 (57%)
kernel32.dll - CloseHandle                  223 (55%)
kernel32.dll - LocalFree                    194 (48%)
kernel32.dll - WideCharToMultiByte          179 (44%)
kernel32.dll - LocalAlloc                   177 (44%)
advapi32.dll - RegCloseKey                  173 (43%)
kernel32.dll - LoadLibraryA                 170 (42%)
kernel32.dll - MultiByteToWideChar          160 (40%)
kernel32.dll - WriteFile                    158 (39%)
kernel32.dll - FreeLibrary                  148 (37%)
kernel32.dll - GetVersion                   148 (37%)
kernel32.dll - EnterCriticalSection         136 (34%)
kernel32.dll - HeapAlloc                    136 (34%)
kernel32.dll - HeapFree                     136 (34%)
kernel32.dll - LeaveCriticalSection         136 (34%)
kernel32.dll - InitializeCriticalSection    135 (33%)
kernel32.dll - GetCurrentProcess            135 (33%)
kernel32.dll - WaitForSingleObject          133 (33%)
kernel32.dll - GlobalFree                   130 (32%)

All NT4 SP3 Imports (333 KB)

NT4 SP6 (443 files):

kernel32.dll - GetLastError                 258 (58%)
kernel32.dll - GetProcAddress               252 (57%)
kernel32.dll - CloseHandle                  251 (57%)
kernel32.dll - LocalFree                    216 (49%)
kernel32.dll - WideCharToMultiByte          203 (46%)
kernel32.dll - LocalAlloc                   198 (45%)
advapi32.dll - RegCloseKey                  193 (44%)
kernel32.dll - LoadLibraryA                 193 (44%)
kernel32.dll - MultiByteToWideChar          185 (42%)
kernel32.dll - WriteFile                    173 (39%)
kernel32.dll - FreeLibrary                  170 (38%)
kernel32.dll - GetCurrentProcess            159 (36%)
kernel32.dll - GetVersion                   157 (35%)
kernel32.dll - LeaveCriticalSection         155 (35%)
kernel32.dll - EnterCriticalSection         155 (35%)
kernel32.dll - HeapFree                     155 (35%)
kernel32.dll - InitializeCriticalSection    154 (35%)
kernel32.dll - HeapAlloc                    154 (35%)
kernel32.dll - WaitForSingleObject          144 (33%)
kernel32.dll - GlobalFree                   141 (32%)

All NT4 SP6 Imports (354 KB)

2000 Server SP4 (1203 files):

kernel32.dll - GetLastError                 820 (68%)
kernel32.dll - CloseHandle                  721 (60%)
advapi32.dll - RegCloseKey                  687 (57%)
kernel32.dll - LocalFree                    648 (54%)
kernel32.dll - GetProcAddress               615 (51%)
kernel32.dll - FreeLibrary                  579 (48%)
kernel32.dll - LocalAlloc                   573 (48%)
kernel32.dll - MultiByteToWideChar          560 (47%)
kernel32.dll - InitializeCriticalSection    544 (45%)
kernel32.dll - LeaveCriticalSection         534 (44%)
kernel32.dll - EnterCriticalSection         534 (44%)
kernel32.dll - WideCharToMultiByte          516 (43%)
msvcrt.dll   - _initterm                    502 (42%)
msvcrt.dll   - _adjust_fdiv                 502 (42%)
kernel32.dll - DeleteCriticalSection        501 (42%)
msvcrt.dll   - _except_handler3             492 (41%)
kernel32.dll - lstrlenW                     478 (40%)
kernel32.dll - DisableThreadLibraryCalls    459 (38%)
advapi32.dll - RegQueryValueExW             457 (38%)
kernel32.dll - WaitForSingleObject          445 (37%)

All 2000 SP4 Imports (613 KB)

XP SP0 (1322 files):

kernel32.dll - GetLastError                 898 (68%)
kernel32.dll - CloseHandle                  780 (59%)
advapi32.dll - RegCloseKey                  764 (58%)
kernel32.dll - GetProcAddress               736 (56%)
kernel32.dll - LocalFree                    679 (51%)
kernel32.dll - FreeLibrary                  663 (50%)
msvcrt.dll   - _except_handler3             656 (50%)
kernel32.dll - MultiByteToWideChar          634 (48%)
msvcrt.dll   - _adjust_fdiv                 622 (47%)
msvcrt.dll   - _initterm                    622 (47%)
kernel32.dll - InitializeCriticalSection    613 (46%)
kernel32.dll - EnterCriticalSection         612 (46%)
kernel32.dll - LeaveCriticalSection         612 (46%)
kernel32.dll - DeleteCriticalSection        604 (46%)
kernel32.dll - LocalAlloc                   575 (43%)
kernel32.dll - WideCharToMultiByte          567 (43%)
msvcrt.dll   - free                         560 (42%)
kernel32.dll - lstrlenW                     554 (42%)
msvcrt.dll   - malloc                       539 (41%)
kernel32.dll - InterlockedIncrement         532 (40%)

All XP SP0 Imports (640 KB)

XP SP1 (1325 files):

kernel32.dll - GetLastError                 901 (68%)
kernel32.dll - CloseHandle                  784 (59%)
advapi32.dll - RegCloseKey                  768 (58%)
kernel32.dll - GetProcAddress               736 (56%)
kernel32.dll - LocalFree                    688 (52%)
msvcrt.dll   - _except_handler3             670 (51%)
kernel32.dll - FreeLibrary                  665 (50%)
msvcrt.dll   - _initterm                    636 (48%)
msvcrt.dll   - _adjust_fdiv                 636 (48%)
kernel32.dll - MultiByteToWideChar          633 (48%)
kernel32.dll - EnterCriticalSection         610 (46%)
kernel32.dll - LeaveCriticalSection         610 (46%)
kernel32.dll - InitializeCriticalSection    604 (46%)
kernel32.dll - DeleteCriticalSection        603 (46%)
kernel32.dll - LocalAlloc                   582 (44%)
msvcrt.dll   - free                         571 (43%)
kernel32.dll - WideCharToMultiByte          566 (43%)
kernel32.dll - lstrlenW                     558 (42%)
msvcrt.dll   - malloc                       551 (42%)
kernel32.dll - InterlockedIncrement         533 (40%)

All XP SP1 Imports (642 KB)

XP SP2 (1417 files):

kernel32.dll - GetLastError                 949 (67%)
kernel32.dll - GetCurrentThreadId           866 (61%)
kernel32.dll - GetCurrentProcess            865 (61%)
kernel32.dll - CloseHandle                  838 (59%)
kernel32.dll - GetTickCount                 819 (58%)
kernel32.dll - GetCurrentProcessId          818 (58%)
kernel32.dll - TerminateProcess             816 (58%)
advapi32.dll - RegCloseKey                  812 (57%)
kernel32.dll - UnhandledExceptionFilter     789 (56%)
msvcrt.dll   - _initterm                    784 (55%)
msvcrt.dll   - _adjust_fdiv                 784 (55%)
kernel32.dll - GetProcAddress               780 (55%)
kernel32.dll - QueryPerformanceCounter      772 (54%)
kernel32.dll - GetSystemTimeAsFileTime      772 (54%)
kernel32.dll - SetUnhandledExceptionFilter  764 (54%)
msvcrt.dll   - _except_handler3             740 (52%)
kernel32.dll - LocalFree                    722 (51%)
kernel32.dll - FreeLibrary                  694 (49%)
msvcrt.dll   - free                         685 (48%)
msvcrt.dll   - malloc                       667 (47%)

All XP SP2 Imports (658 KB)

XP SP3 (1436 files):

kernel32.dll - GetLastError                  971 (68%)
kernel32.dll - GetCurrentProcess             928 (65%)
kernel32.dll - GetCurrentThreadId            924 (64%)
kernel32.dll - GetTickCount                  890 (62%)
kernel32.dll - GetCurrentProcessId           889 (62%)
kernel32.dll - TerminateProcess              887 (62%)
kernel32.dll - UnhandledExceptionFilter      866 (60%)
kernel32.dll - CloseHandle                   860 (60%)
kernel32.dll - QueryPerformanceCounter       850 (59%)
kernel32.dll - GetSystemTimeAsFileTime       850 (59%)
kernel32.dll - SetUnhandledExceptionFilter   841 (59%)
advapi32.dll - RegCloseKey                   831 (58%)
msvcrt.dll   - _adjust_fdiv                  818 (57%)
msvcrt.dll   - _initterm                     818 (57%)
kernel32.dll - GetProcAddress                780 (54%)
msvcrt.dll   - _except_handler3              756 (53%)
kernel32.dll - LocalFree                     732 (51%)
msvcrt.dll   - free                          720 (50%)
kernel32.dll - FreeLibrary                   715 (50%)
msvcrt.dll   - malloc                        702 (49%)

All XP SP3 Imports (664 KB)

Server 2003 SP0 (1469 files):

kernel32.dll - GetCurrentThreadId            1200 (82%)
kernel32.dll - GetTickCount                  1193 (81%)
kernel32.dll - GetCurrentProcessId           1190 (81%)
kernel32.dll - QueryPerformanceCounter       1179 (80%)
kernel32.dll - GetSystemTimeAsFileTime       1177 (80%)
kernel32.dll - GetCurrentProcess             1175 (80%)
kernel32.dll - TerminateProcess              1166 (79%)
kernel32.dll - SetUnhandledExceptionFilter   1144 (78%)
kernel32.dll - GetLastError                  1021 (70%)
msvcrt.dll   - _adjust_fdiv                  1016 (69%)
msvcrt.dll   - _initterm                     1016 (69%)
kernel32.dll - GetProcAddress                 959 (65%)
kernel32.dll - Sleep                          930 (63%)
kernel32.dll - UnhandledExceptionFilter       894 (61%)
msvcrt.dll   - _except_handler3               885 (60%)
advapi32.dll - RegCloseKey                    882 (60%)
kernel32.dll - CloseHandle                    876 (60%)
msvcrt.dll   - free                           857 (58%)
msvcrt.dll   - malloc                         842 (57%)
kernel32.dll - LocalFree                      808 (55%)

All 2003 SP0 Imports (707 KB)

Server 2003 SP2 (1523 files):

kernel32.dll - GetCurrentThreadId            1229 (81%)
kernel32.dll - GetTickCount                  1223 (80%)
kernel32.dll - GetCurrentProcessId           1221 (80%)
kernel32.dll - QueryPerformanceCounter       1210 (79%)
kernel32.dll - GetSystemTimeAsFileTime       1208 (79%)
kernel32.dll - GetCurrentProcess             1199 (79%)
kernel32.dll - TerminateProcess              1191 (78%)
kernel32.dll - SetUnhandledExceptionFilter   1171 (77%)
msvcrt.dll   - _initterm                     1051 (69%)
msvcrt.dll   - _adjust_fdiv                  1051 (69%)
kernel32.dll - GetLastError                  1047 (69%)
kernel32.dll - UnhandledExceptionFilter       984 (65%)
kernel32.dll - Sleep                          962 (63%)
kernel32.dll - GetProcAddress                 948 (62%)
msvcrt.dll   - _except_handler3               904 (59%)
advapi32.dll - RegCloseKey                    901 (59%)
kernel32.dll - CloseHandle                    895 (59%)
msvcrt.dll   - free                           886 (58%)
msvcrt.dll   - malloc                         870 (57%)
kernel32.dll - LocalFree                      822 (54%)

All 2003 SP2 Imports (716 KB)

Server 2008 SP1 (1773 files):

kernel32.dll - GetCurrentThreadId            1443 (81%)
kernel32.dll - GetCurrentProcess             1439 (81%)
kernel32.dll - GetTickCount                  1434 (81%)
kernel32.dll - TerminateProcess              1433 (81%)
kernel32.dll - GetCurrentProcessId           1432 (81%)
kernel32.dll - QueryPerformanceCounter       1429 (81%)
kernel32.dll - GetSystemTimeAsFileTime       1428 (81%)
kernel32.dll - UnhandledExceptionFilter      1426 (80%)
kernel32.dll - SetUnhandledExceptionFilter   1426 (80%)
kernel32.dll - Sleep                         1398 (79%)
kernel32.dll - InterlockedExchange           1344 (76%)
kernel32.dll - InterlockedCompareExchange    1343 (76%)
msvcrt.dll   - _initterm                     1311 (74%)
msvcrt.dll   - _amsg_exit                    1308 (74%)
msvcrt.dll   - _adjust_fdiv                  1307 (74%)
msvcrt.dll   - _XcptFilter                   1306 (74%)
kernel32.dll - GetLastError                  1211 (68%)
msvcrt.dll   - free                          1122 (63%)
msvcrt.dll   - malloc                        1108 (62%)
msvcrt.dll   - memset                        1106 (62%)

All 2008 SP1 Imports (645 KB)

Win7 Beta (2318 files):

msvcrt.dll   - _initterm                     1814 (78%)
msvcrt.dll   - _amsg_exit                    1811 (78%)
msvcrt.dll   - _XcptFilter                   1807 (78%)
msvcrt.dll   - _except_handler4_common       1596 (69%)
msvcrt.dll   - free                          1586 (68%)
msvcrt.dll   - memset                        1579 (68%)
msvcrt.dll   - malloc                        1574 (68%)
kernel32.dll - GetCurrentThreadId            1477 (64%)
kernel32.dll - GetCurrentProcess             1468 (63%)
kernel32.dll - GetTickCount                  1468 (63%)
kernel32.dll - GetCurrentProcessId           1466 (63%)
kernel32.dll - GetSystemTimeAsFileTime       1463 (63%)
kernel32.dll - QueryPerformanceCounter       1462 (63%)
kernel32.dll - TerminateProcess              1460 (63%)
kernel32.dll - UnhandledExceptionFilter      1454 (63%)
kernel32.dll - SetUnhandledExceptionFilter   1454 (63%)
kernel32.dll - Sleep                         1448 (62%)
kernel32.dll - InterlockedCompareExchange    1413 (61%)
kernel32.dll - InterlockedExchange           1410 (61%)
msvcrt.dll   - memcpy                        1302 (56%)

All Win7 Beta Imports (858 KB)

1 Comment »

  1. Could you please contact me via msn: joe_400 att hotmail doot com?

    Cheers

    Comment by Joe — May 19, 2009 @ 2:47 pm

RSS feed for comments on this post. TrackBack URL

Leave a comment

Powered by WordPress