nt-apiset: A Rust parser for Windows API Set Map files


The next building block for my bootloader project is ready! nt-apiset is a parser written in Rust for the API Set Map files of Windows 10 and later versions.

API Sets are dependencies of PE executables whose names start with “api-” or “ext-”, e.g. api-ms-win-core-sysinfo-l1-1-0. They don’t exist as real DLL files. Instead, when that PE executable is loaded, an API Set Map file of the operating system is checked to figure out the real library file belonging to the dependency (in this case: kernelbase.dll).
The most prominent API Set Map file is apisetschema.dll.
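The classification and lookup described above, as an added std-only sketch that is not part of nt-apiset or the original post. It is useful when triaging a PE's import list so that API Set names are not chased as missing files. The key normalisation (case-insensitive, no extension, trailing "-<n>" ignored), the constructed one-entry map and the "ext-ms-win-example" name are assumptions of this example; real mappings come from apisetschema.dll.

```rust
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
enum Dependency {
    /// A real library file that is located on disk.
    File(String),
    /// An API Set contract; `host` is None when the map has no entry for it.
    ApiSet { contract: String, host: Option<String> },
}

/// Returns the lookup key for an API Set name, or None for an ordinary DLL.
/// Assumption: lowercase, ".dll" dropped, last "-<n>" component ignored.
fn api_set_key(import: &str) -> Option<String> {
    let lower = import.to_ascii_lowercase();
    let stem = lower.strip_suffix(".dll").unwrap_or(lower.as_str());
    if !(stem.starts_with("api-") || stem.starts_with("ext-")) {
        return None;
    }
    let (head, _last) = stem.rsplit_once('-')?;
    Some(head.to_string())
}

/// Constructed sample data standing in for a parsed API Set Map.
fn sample_map() -> HashMap<&'static str, &'static str> {
    HashMap::from([("api-ms-win-core-sysinfo-l1-1", "kernelbase.dll")])
}

fn classify(import: &str, map: &HashMap<&str, &str>) -> Dependency {
    match api_set_key(import) {
        None => Dependency::File(import.to_ascii_lowercase()),
        Some(key) => {
            let host = map.get(key.as_str()).map(|h| h.to_string());
            Dependency::ApiSet { contract: key, host }
        }
    }
}

fn main() {
    let map = sample_map();
    // Constructed import list, as it might appear in a PE import directory.
    let imports = ["API-MS-Win-Core-SysInfo-L1-1-0.dll", "ntdll.dll", "ext-ms-win-example-l1-1-0.dll"];
    for import in imports {
        println!("{import} => {:?}", classify(import, &map));
    }
}
```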

All of this has already been researched and documented in way more detail by other people, who are named below. Check out their websites if you need more details. Even Microsoft has some basic documentation on API Sets. I’m only providing the Rust parser implementation today. Let’s see who else can make use of it :)

Usage Example

I did my best to document all crate functions at docs.rs. Anyway, here is a basic example of how to retrieve the real library behind api-ms-win-core-sysinfo-l1-1-0:

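use nt_apiset::ApiSetMap;
use pelite::pe64::PeFile;

fn main() {
    // Read the API Set Map file and parse it as a 64-bit PE image.
    let dll = std::fs::read("apisetschema.dll").unwrap();
    let pe_file = PeFile::from_bytes(&dll).unwrap();
    let map = ApiSetMap::try_from_pe64(pe_file).unwrap();

    // Look up the API Set by name; a missing entry or a parse error panics here.
    let namespace_entry = map.find_namespace_entry("api-ms-win-core-sysinfo-l1-1-0").unwrap().unwrap();
    // The first value entry is used as the default mapping.
    let value_entry = namespace_entry.value_entries().unwrap().next().unwrap();

    let name = namespace_entry.name().unwrap();
    let default_value = value_entry.value().unwrap();
    println!("{name} -> {default_value}");
}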

Further Resources

This parser is based on research by numerous people, who should be named here:

A big shoutout to them for their reverse-engineering and documentation efforts!