Skip to main content

Overview

xAnalyzer’s extended API call analysis is its most powerful feature, providing comprehensive function detection and parameter information for over 13,000 API definitions. This transforms raw disassembly into richly annotated code that reveals the purpose and behavior of every API call.
The API definition system is fully expandable - you can add or modify definitions to support any library or custom API.

How It Works

During analysis, xAnalyzer processes each CALL instruction and:
  1. Identifies the target function - Strips module prefixes, decorations, and stub suffixes
  2. Locates the definition - Searches through 200 DLL definition files in apis_def/
  3. Extracts parameters - Traces back through preceding instructions to identify arguments
  4. Applies type information - Resolves data types, flags, and enums from header files
  5. Generates comments - Creates detailed inline comments with full function signatures

Detection Capabilities

xAnalyzer detects multiple call patterns: 
; Before Analysis
call kernel32.CreateFileW

; After Analysis
push 0                          ; HANDLE hTemplateFile = NULL
push 80                         ; DWORD dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
push 3                          ; DWORD dwCreationDisposition = OPEN_EXISTING
push 0                          ; LPSECURITY_ATTRIBUTES lpSecurityAttributes = NULL
push 1                          ; DWORD dwShareMode = FILE_SHARE_READ
push 80000000                   ; DWORD dwDesiredAccess = GENERIC_READ
push offset aFileName           ; LPCWSTR lpFileName
call kernel32.CreateFileW       ; CreateFileW

API Definition Files

The definition system uses INI-structured .api files:

Main Definition File

; File: user32.api
[MessageBox]
1=HANDLE hWnd
2=LPCTSTR lpText
3=LPCTSTR lpCaption
4=[MessageBoxType] uType
ParamCount=4
Header=shell.h.api;
@=MessageBox

Header File (Types & Constants)

; File: shell.h.api
[MessageBoxType]
TypeDisplay=UINT
Base=UINT
Type=Flag
Const1=MB_ABORTRETRYIGNORE
Value1=0x00000002
Const2=MB_OK
Value2=0x00000000
Const3=MB_OKCANCEL
Value3=0x00000001

Argument Notation

Parameters enclosed in brackets reference type definitions:
  • [MessageBoxType] uType - Links to type definition in header file
  • LPCTSTR lpText - Standard Windows type
  • HANDLE hWnd - Basic handle type

Coverage Statistics

API Definitions

13,000+ function definitions

DLL Coverage

~200 Windows DLLs supported

Data Types

1,000+ enum definitions

Flag Types

800+ flag definitions

Supported Libraries

The definition files cover all major Windows APIs:
  • kernel32.api - 141KB of definitions (memory, process, file I/O)
  • kernelbase.api - 80KB (Windows 7+ base APIs)
  • ntdll.api - 170KB (Native NT APIs)
  • advapi32.api - 79KB (security, registry, services)
  • user32.api - 71KB (windowing, messaging, input)
  • gdi32.api - 33KB (graphics device interface)
  • gdiplus.api - 93KB (GDI+ graphics)
  • comctl32.api - 15KB (common controls)
  • ws2_32.api - Winsock 2 networking
  • wininet.api - Internet APIs
  • winhttp.api - HTTP client
  • netapi32.api - Network management
  • crypt32.api - 44KB (cryptographic APIs)
  • bcrypt.api - CNG crypto primitives
  • ncrypt.api - Key storage
  • wintrust.api - Code signing verification
  • msvcrxx.api - 113KB (Visual C++ runtime)
  • vcruntime.api - VC++ runtime components
  • ucrtbase.api - Universal CRT
  • oleaut32.api - 43KB (OLE automation)

Type Resolution

xAnalyzer performs intelligent type resolution:

Constant Value Detection

When analyzing arguments, xAnalyzer:
  • Identifies hexadecimal constant values
  • Looks up flag and enum definitions
  • Resolves symbolic names for constants
  • Displays meaningful names instead of raw values
push 0x80000000
; Resolves to: GENERIC_READ

Customization

Adding New Definitions

You can extend xAnalyzer’s knowledge by creating custom .api files:
1

Create Definition File

Place your .api file in the apis_def/ directory:
; File: mycustom.api
[MyFunction]
1=int param1
2=char* param2
ParamCount=2
@=MyFunction
2

Add Type Headers (Optional)

Create corresponding .h.api files for complex types:
; File: mycustom.h.api
[MyFlags]
TypeDisplay=DWORD
Base=DWORD
Type=Flag
Const1=FLAG_ENABLE
Value1=0x00000001
3

Reload Plugin

Restart x64dbg or reload the xAnalyzer plugin to load new definitions.

Modifying Existing Definitions

If you find incorrect or missing information:
  1. Locate the relevant .api file (e.g., kernel32.api)
  2. Edit the function definition
  3. Save and reload the plugin
  4. Re-run analysis on your code
Contributions to the definition files are welcome! See the GitHub repository to submit improvements.

Benefits for Reverse Engineering

Faster Analysis

Instantly understand what each API call does without consulting MSDN

Parameter Tracking

Follow data flow from argument preparation through function calls

Malware Analysis

Quickly identify suspicious API usage patterns (registry, network, injection)

Code Comprehension

Transform cryptic assembly into documented, readable code

Implementation Details

From xanalyzer.cpp:336-460, the analysis engine: 
// Strip function name and resolve charset variants (A/W suffixes)
if (Strip_x64dbg_calls(szDisasmText)) {
    szOriginalCharsetAPIFunction = szAPIFunction;
    
    // Remove "Stub" suffix if found
    auto stub = szAPIFunction.find("Stub");
    if (stub != std::string::npos)
        szAPIFunction = szAPIFunction.substr(0, stub);
    
    // Transform charset search (GetModuleHandleA -> GetModuleHandle)
    if (szAPIFunction.back() == 'A' || szAPIFunction.back() == 'W')
        szAPIFunction.pop_back();
}
The function definition lookup searches recursively through definition files and applies parameter information to the disassembly.

Source Code Reference

Key implementation locations:
  • xanalyzer.cpp:281-552 - Main analysis loop
  • xanalyzer.cpp:744-820 - SetFunctionParams()
  • xanalyzer.cpp:978-1028 - Strip_x64dbg_calls()
  • API definition files: ~/source/apis_def/*.api

Build docs developers (and LLMs) love

Get started for freeTalk to us