Finding undocumented APIs in Windows

I was curious as to how does one go about finding undocumented APIs in Windows.

I know the risks involved in using them but this question is focused towards finding them and not whether to use them or not.

Use a tool to dump the export table from a shared library (for example, a .dll such as kernel32.dll). You'll see the named entry points and/or the ordinal entry points. Generally for windows the named entry points are unmangled (extern "C"). You will most likely need to do some peeking at the assembly code and derive the parameters (types, number, order, calling convention, etc) from the stack frame (if there is one) and register usage. If there is no stack frame it is a bit more difficult, but still doable. See the following links for references:

1. http://www.sf.org.cn/symbian/Tools/symbian_18245.html
2. http://msdn.microsoft.com/en-us/library/31d242h4.aspx

Check out tools such as dumpbin for investigating export sections.

There are also sites and books out there that try to keep an updated list of undocumented windows APIs:

1. The Undocumented Functions
2. A Primer of the Windows Architecture
3. How To Find Undocumented Constants Used by Windows API Functions
4. Undocumented Windows
5. Windows API

Edit: These same principles work on a multitude of operating systems however, you will need to replace the tool you're using to dump the export table. For example, on Linux you could use nm to dump an object file and list its exports section (among other things). You could also use gdb to set breakpoints and step through the assembly code of an entry point to determine what the arguments should be.

IDA Pro is your best bet here, but please please double please don't actually use them for anything ever.

They're internal because they change; they can (and do) even change as a result of a Hotfix, so you're not even guaranteed your undocumented API will work for the specific OS version and Service Pack level you wrote it for. If you ship a product like that, you're living on borrowed time.

Everybody here so far is missing some substantial functionality that comprises hugely un-documented portions of the Windows OS RPC . RPC (think rpcrt4.dll, lsass.exe, csrss.exe, etc...) operations occur very frequently across all subsystems, via LPC ports or other interfaces, their functionality is buried in the mysticism incantations of various type/sub-type/struct-typedef's etc... which are substantially more difficult to debug, due to the asynchronous nature or the fact that they are destine for process's which if you were to debug via single stepping or what have you, you would find the entire system lockup due to blocking keyboard or other I/O from being passed ;)

ReactOS is probably the most expedient way to investigate undocumented API. They have a fairly mature kernel and other executive's built up. IDA is fairly time-intensive and it's unlikely you will find anything the ReactOS people have not already.

Here's a blurb from the linked page;

> ReactOS® is a free, modern operating > system based on the design of Windows® > XP/2003. Written completely from > scratch, it aims to follow the > Windows® architecture designed by > Microsoft from the hardware level > right through to the application > level. This is not a Linux based > system, and shares none of the unix > architecture. > >The main goal of the > ReactOS project is to provide an > operating system which is binary > compatible with Windows. This will > allow your Windows applications and > drivers to run as they would on your > Windows system. Additionally, the look > and feel of the Windows operating > system is used, such that people > accustomed to the familiar user > interface of Windows® would find using > ReactOS straightforward. The ultimate > goal of ReactOS is to allow you to > remove Windows® and install ReactOS > without the end user noticing the > change.

When I am investigating some rarely seen Windows construct, ReactOS is often the only credible reference.

Look at the system dlls and what functions they export. Every API function, whether documented or not, is exported in one of them (user, kernel, ...).

For user mode APIs you can open Kernel32.dll User32.dll Gdi32.dll, specially ntdll.dll in dependancy walker and find all the exported APIs. But you will not have the documentation offcourse.

Just found a good article on Native APIS by Mark Russinovich