Some Win32 API usage statistics
sp <foobarcom> Saturday, July 12 2008 13:12.58 CDT


Yesterday I saw a talk given by Frank Boldewin where he mentioned the FreeIconList trick to fool code emulators. At this point I started to wonder what other Win32 API functions are basically unused. Using Ero Carreras Python library pefile to parse PE files I wrote a small Python script that tries to find out what Win32 API are basically unused.

The modus operandi was simple. I read the exported functions of all DLL files in WindowsDir and WindowsDir/system32 and compared them to the functions imported by all EXE/DLL files in WindowsDir, WindowsDir/system32 and my entire Program Files directory.

The first result is that most exported functions are apparently basically never used. My script managed to find 127569 exported functions in 1225 DLL files. 104608 of those are never used by the 6615 EXE/DLL files which import functions ("used" is liberally defined as "imported through the import directory" here, of course). That leaves 22961 functions which are actually used.
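As an added illustration (this is not the author's script, which is linked at the end of the post), here is how the same export-versus-import tally can be built on pefile. It assumes pefile is installed, and unlike the post's setup it draws exports from every DLL it walks rather than only from the Windows directories; the function names are my own.

```python
import os
from collections import defaultdict

_s = lambda v: v.decode("latin-1", "replace") if isinstance(v, bytes) else v  # pefile: bytes now, str in old versions

def parse(path):
    """(set of exported names, set of (dll, name) imports) of one PE file via pefile (assumed installed)."""
    import pefile  # imported here so tally/ranked/summary below stay usable without pefile
    pe = pefile.PE(path, fast_load=True)
    pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_EXPORT"], pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_IMPORT"]])
    exp = getattr(pe, "DIRECTORY_ENTRY_EXPORT", None)
    exports = {_s(s.name) for s in exp.symbols if s.name} if exp else set()  # ordinal-only exports have no name
    imports = set()
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        for imp in entry.imports:
            if imp.name:  # imports by ordinal carry no name, so they cannot be matched to an export name
                imports.add((_s(entry.dll).lower(), _s(imp.name)))
    return exports, imports

def tally(exports, imports_per_file):
    """exports: {dll: set(names)}; imports_per_file: one set of (dll, name) per file -> {dll: {name: files importing it}}."""
    counts = {dll: dict.fromkeys(names, 0) for dll, names in exports.items()}
    for pairs in imports_per_file:
        for dll, name in pairs:  # a set per file, so each file counts at most once per function
            if dll in counts and name in counts[dll]:
                counts[dll][name] += 1
    return counts

def ranked(counts, dll=None):
    """(count, dll, name) rows, most used first; restricted to one DLL if given (the post's per-DLL lists)."""
    rows = [(n, d, f) for d, fs in counts.items() if dll is None or d == dll for f, n in fs.items()]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))

def summary(counts):
    """(exported, used, unused) totals over all DLLs, the three figures quoted in the post."""
    flat = [n for fs in counts.values() for n in fs.values()]
    return len(flat), sum(n > 0 for n in flat), sum(n == 0 for n in flat)

def scan(dirs):
    """Walk directory trees: exports from every *.dll found, imports from every *.exe and *.dll."""
    exports, imports = defaultdict(set), []
    for p in (os.path.join(r, f) for d in dirs for r, _, fs in os.walk(d) for f in fs if f.lower().endswith((".exe", ".dll"))):
        try:
            exp, imp = parse(p)
        except Exception:  # pefile raises PEFormatError on files that are not valid PEs; skip them
            continue
        imports.append(imp)
        if p.lower().endswith(".dll"):
            exports[os.path.basename(p).lower()].update(exp)
    return tally(exports, imports)
```

Exports that no file imports keep a count of 0, which is why a per-DLL listing from `ranked(counts, "kernel32.dll")` shows the unused functions at the bottom.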

Here are some output files which show the exported DLL functions sorted by their usage. The numeric column contains the number of PE files which import the function statically. That means that 3475 of the 6615 files I tested import GetLastError for example.

  • Click here to see the Top 2000 most used API functions
  • Click here to see the usage statistics of all advapi32.dll functions
  • Click here to see the usage statistics of all gdi32.dll functions
  • Click here to see the usage statistics of all kernel32.dll functions
  • Click here to see the usage statistics of all msvcrt.dll functions
  • Click here to see the usage statistics of all ole32.dll functions
  • Click here to see the usage statistics of all oleaut32.dll functions
  • Click here to see the usage statistics of all shell32.dll functions
  • Click here to see the usage statistics of all user32.dll functions

Random notes

  • kernel32.dll is surprisingly dominant while gdi32.dll is surprisingly "unused"
  • pefile is extremely awesome and easy to use
  • Don't be confused that API functions like lstrlen are imported 0 times; check lstrlenA and lstrlenW instead

Click here to download the Python script.


