WinAPI Search is a portable app designed for searching for Win32 functions by name, as well as locating errors, and development issues.
Download
WinAPI Search is a portable app designed for searching for Win32 functions by name, as well as locating errors, and development issues.
It will be of primary use to Windows developers, researchers and malware reverse engineers. WinAPI Search will seek out PE binary files, and various filters can be applied to expedite the search like Bitness 32/64 Bit, API sets/Umbrella libraries, and PE header subsystem among many others.
WinAPI Search also supports search by Regular expressions (Regexp).
WinAPI Search Features:
Search single or multiple binary PE files by Win32 function name.
Support for Regular Expressions in search strings.
Search for specific PE files using the following filters:
-Search only in export table, import table, or "delay load" import table of the PE headers.
-Ability to differentiate between C and C++ functions, as well as among ordinal function names and export table forwarded functions.
-Support for API-Sets or Windows "umbrella" libraries.
-Search by certain PE header subsystem, such as boot application, console application, GUI application, native application, EFI driver, EFI ROM, Win9x, POSIX or OS/2 subsystem, Windows CE or XBox subsystem, etc.
-Search by certain PE header characteristics, such as the use of ASLR, App Container, Control Flow Guard, Data Execution Prevention, support for Large Address Awareness, manifest isolation, no binding, no SEH, Terminal Server Awareness, buffer overrun checks, code integrity signature checks, and more.
-Search by the presence of certain PE header directories, such as .NET & COM runtime descriptor, base relocation table, bound import directory, debug directory, delay-load import table, exception directory, export directory, import directory, import address table (IAT), load configuration directory, security directory, thread local storage (TLS), resources directory (with specific resource types) and more.
-Search by a compilation timestamp date range.
Search for PE files that import a certain module (DLL) by its name.
Search for Win32 and HRESULT error codes using their numerical values.
Search for Win32 and HRESULT errors by their message text.
Ability to undecorate (or demangle) Microsoft-specific symbol names.
For each API it can retrieve the following:
-Linear file offset, as well as the mapped offset of the function.
-What physical module (or file on disk) the function resolves to.
-Distinguish whether the symbol refers to an executable function or to a global variable.
-Other details about the PE file that were given above.
Overall this app can be used as a replacement for Microsoft's discontinued Dependency Walker.
Download