Just Let It Flow

October 13, 2010

Windows Platform Changes

Filed under: — adeyblue @ 1:43 am

Contents

  1. Introduction
  2. Download
  3. Screenshots
  4. Other Data of Interest
  5. Notes

Introduction

As MSDN evolves, information in the function-oriented pages regarding unsupported operating systems is stripped out so the pages stay focused on what is relevant. The side effect of this culling is that the real lineage of these functions and what each OS supports is lost to the mists of time.

Well it was, until now. Those who care about such minutiae can now forgive MSDN for their deletion and with a bit of SQL get the data they need. Yep, every OS module from 95 onwards has had it’s imports, exports, and selected PE header info extracted and committed to a handy-dandy Access database. That’s a chronicle of 42 OS versions, 48,000+ modules, 2,100,000+ exports and 5,125,000+ imports.

Apart from curiosity, the data can be used to generate statistics like I did with the previous version of the database. Definitive changesets between Windows versions can be produced, developers can verify the existance of an API and the stability of ordinals, and others can find the names of ordinal only exports and which parts of Windows call others. OK, so those aren’t exactly humanity enriching applications but it gets some usage from me, so it’s probably useful to someome else too (For example, Here’s a case where the FindExportsInCriteria query was useful). Some screenshots of the tables and some queries are shown below.

As well as the database, the downloadable includes C# / C++/CLI source of the program that inserts into the database and produces XML “diffs” and a batch file to facilitate their production. All the diffs the DB can generate are listed and viewable from here.

Download

Download the 7-zip compressed file (42.1 MB)
MD5: 77215f45e21a12bba989fe360fd9ee3d
SHA1: 2e0a106df360cba7c7dcc9142b2051067294ea8b
CRC32: 85ba4e27

Note that the database compresses very well, decompressed it will take over 410 MB.

Screenshots

An idea of what data is available:

Most functions exported query

Most functions exported query

The platforms in the DB

The platforms in the DB

The Module table

The Module table

Files with the most imports query

Files with the most imports query

OS Export counts query

OS Export counts query

Modules which import SHUnicodeToAnsi on Vista SP0

Modules which import SHUnicodeToAnsi on Vista SP0

Other Data of Interest

Using the same files that the database is populated with, there’s a generated a list of resource counts per OS with module breakdowns here. There’s also a collection of files containing registry stats per base OS installs here.

Notes

The highest edition 32-bit version of each OS was used. The entire OS list is:
95 (RTM, SP1, OSR2, OSR2 + USB supplement, OSR2.5)
98 (RTM, SE)
ME
NT 3.1 (RTM, SP3)
NT 3.5 (RTM, SP3)
NT 3.51 (RTM, SP2, SP3, SP4, SP5)
NT4 (RTM, SP2, SP3, SP4, SP5, SP6a)
2000 (RTM, SP1, SP2, SP3, SP4)
XP (RTM, SP1a, SP2, SP3)
Server 2003 (RTM, SP1, SP2)
Vista (RTM, SP1, SP2)
Server 2008 (RTM (SP1), SP2)
7 (RTM, SP1)
8 (RTM) (This is the Enterprise trial on MSDN)

If a service pack is missing, then I couldn’t find a download of it anywhere.

On NT systems files from %windir%, %Windir%\system32, and %Windir%\system32\drivers were sampled.
On 9x, files from %windir%, %Windir%\system, and %Windir%\system32\drivers were sampled.

Except for 98 and 98 SE, all OS’s were installed on a default setup Oracle VirtualBox VM (3.2.8r64453) with sound, networking and USB enabled. 98 and 98 SE were installed on Sun VirtualBox 3.1.6r59338. When given options (NT4, ME and below) custom install was selected and everything checked on, also everything possible was installed on the network protocols and clients parts of setup.

Service packs were applied cumulatively instead of separately (e.g. SP0->SP1->SP2 instead of SP0->SP1, SP0->SP2)

The exact service packs installed are listed here.

System version numbers were extracted from the dwProductVersion(MS|LS) members of kernel32.dll or ntoskrnl.exe’s VS_FIXEDFILEINFO.

Module version numbers (file and product) were extracted from the dwFileVersion(MS|LS) and dwProductVersion(MS|LS) members of their VS_FIXEDFILEINFO.

For ordinal only exports, the MS symbols were used to get the names. If no names were found, they are named as ‘Ordinal x’. This is mostly apparent with the mfc40 and mfc42 dlls.

The database is in Access 2000 format, and weighs in at 385MB uncompressed.

Starting from XP SP0, comctl32v5.dll is the version from system32 while comctl32.dll is the highest versioned comctl32 from the WinSxS directory.

2 Comments »

  1. […] in mind that every release of Windows has additional Win32 functions. For anybody who cares, here is my look into this. The XML files are essentially diffs between Windows versions, and the Access […]

    Pingback by Differences — June 10, 2010 @ 1:39 pm

  2. Excellent!

    This “ordinals-to-undocumented functions” mapping will be integrated into the next version of PeStudio

    Comment by marc ochsenmeier — October 31, 2011 @ 10:50 am

RSS feed for comments on this post. TrackBack URL

Leave a comment

Powered by WordPress