Header files (.h.api files) contain type definitions for enums, flags, and constants used by API functions. These files allow xAnalyzer to:
- Resolve numeric values to symbolic constant names
- Display flag combinations as human-readable OR’d values
- Identify enum members instead of showing raw integers
Header files are stored in the apis_def/headers/ directory and referenced by module .api files.
File Naming Convention
- Format:
<module_name>.h.api
- Location:
apis_def/headers/ directory
- Examples:
windows.h.api, shell.h.api, kernel32.h.api
Header filenames typically correspond to their associated module file but can be shared across multiple modules.
Structure Overview
Header files use the INI format with sections for each type definition:
[TypeName]
TypeDisplay=DISPLAY_TYPE
Base=BASE_TYPE
Type=Flag|Enum
Const1=CONSTANT_NAME
Value1=0x00000001
Const2=CONSTANT_NAME
Value2=0x00000002
...
Field Reference
The name of the custom type. This is what you reference in brackets in .api files (e.g., [TypeName]).
The data type to display in comments. Common values: DWORD, UINT, int, LONG.
The underlying base data type. Can be a primitive (DWORD, UINT) or another custom type in brackets.
Specifies how values are interpreted:
Flag - Values are bitwise flags that can be OR’d togetherEnum - Values are mutually exclusive enumeration members
Names of the constants. Must be numbered sequentially starting from 1.
Numeric values for each constant. Can be decimal or hexadecimal (prefix with 0x).
Type: Flag
Flags are bitwise values that can be combined using the OR operator (|).
Example: MessageBox Flags
From shell.h.api:
[MessageBoxType]
TypeDisplay=UINT
Base=UINT
Type=Flag
Const1=MB_ABORTRETRYIGNORE
Value1=0x00000002
Const2=MB_CANCELTRYCONTINUE
Value2=0x00000006
Const3=MB_HELP
Value3=0x00004000
Const4=MB_OK
Value4=0x00000000
Const5=MB_OKCANCEL
Value5=0x00000001
Const6=MB_RETRYCANCEL
Value6=0x00000005
Const7=MB_YESNO
Value7=0x00000004
Const8=MB_YESNOCANCEL
Value8=0x00000003
Const9=MB_ICONEXCLAMATION
Value9=0x00000030
Const10=MB_ICONWARNING
Value10=0x00000030
Const11=MB_ICONINFORMATION
Value11=0x00000040
Const12=MB_ICONASTERISK
Value12=0x00000040
Const13=MB_ICONQUESTION
Value13=0x00000020
Const14=MB_ICONSTOP
Value14=0x00000010
Const15=MB_ICONERROR
Value15=0x00000010
Const16=MB_ICONHAND
Value16=0x00000010
Usage in Analysis
When xAnalyzer encounters:
push 0x00000031 ; uType parameter
push 0x00000031 ; UINT uType = MB_OKCANCEL | MB_ICONEXCLAMATION
Flag Pattern Example
From user32.h.api:
[WindowStyle]
TypeDisplay=DWORD
Base=DWORD
Type=Flag
Const1=WS_OVERLAPPED
Value1=0x00000000
Const2=WS_POPUP
Value2=0x80000000
Const3=WS_CHILD
Value3=0x40000000
Const4=WS_MINIMIZE
Value4=0x20000000
Const5=WS_VISIBLE
Value5=0x10000000
Const6=WS_DISABLED
Value6=0x08000000
Const7=WS_CLIPSIBLINGS
Value7=0x04000000
Const8=WS_CLIPCHILDREN
Value8=0x02000000
Const9=WS_MAXIMIZE
Value9=0x01000000
Const10=WS_CAPTION
Value10=0x00C00000
Const11=WS_BORDER
Value11=0x00800000
Const12=WS_DLGFRAME
Value12=0x00400000
Type: Enum
Enums are mutually exclusive values where only one can be active at a time.
Example: Special Folder IDs
From shell.h.api:
[CSIDL]
TypeDisplay=int
Base=UINT
Type=Flag
Const1=CSIDL_DESKTOP
Value1=0x0000
Const2=CSIDL_INTERNET
Value2=0x0001
Const3=CSIDL_PROGRAMS
Value3=0x0002
Const4=CSIDL_CONTROLS
Value4=0x0003
Const5=CSIDL_PRINTERS
Value5=0x0004
Const6=CSIDL_MYDOCUMENTS
Value6=0x0005
Const7=CSIDL_FAVORITES
Value7=0x0006
Const8=CSIDL_STARTUP
Value8=0x0007
Note: In the source, this uses Type=Flag but should logically be Type=Enum since CSIDL values are mutually exclusive.
Proper Enum Example
From shell.h.api:
[CM_SET_WIDTH_VALUE]
TypeDisplay=UINT
Base=UINT
Type=Enum
Const1=CM_WIDTH_USEDEFAULT
Value1=-1
Const2=CM_WIDTH_AUTOSIZE
Value2=-2
Usage in Analysis
When xAnalyzer sees:
push 0x0005 ; nFolder parameter
push 0x0005 ; int nFolder = CSIDL_MYDOCUMENTS
Nested Types
The Base field can reference another custom type:
[ExtendedAccessRights]
TypeDisplay=DWORD
Base=[AccessRights]
Type=Flag
Const1=EXTENDED_RIGHT_1
Value1=0x00010000
Const2=EXTENDED_RIGHT_2
Value2=0x00020000
ExtendedAccessRights inherits from AccessRights.
Real-World Examples
Window Messages
From windows.h.api:
[WinMsg]
TypeDisplay=UINT
Base=UINT
Type=Enum
Const1=WM_NULL
Value1=0x0000
Const2=WM_CREATE
Value2=0x0001
Const3=WM_DESTROY
Value3=0x0002
Const4=WM_MOVE
Value4=0x0003
Const5=WM_SIZE
Value5=0x0005
Const6=WM_ACTIVATE
Value6=0x0006
Const7=WM_SETFOCUS
Value7=0x0007
Const8=WM_KILLFOCUS
Value8=0x0008
Const9=WM_CLOSE
Value9=0x0010
Const10=WM_QUIT
Value10=0x0012
Const11=WM_PAINT
Value11=0x000F
Const12=WM_COMMAND
Value12=0x0111
Process Access Rights
From windows.h.api:
[ProcessAccessRights]
TypeDisplay=DWORD
Base=DWORD
Type=Flag
Const1=PROCESS_TERMINATE
Value1=0x0001
Const2=PROCESS_CREATE_THREAD
Value2=0x0002
Const3=PROCESS_VM_OPERATION
Value3=0x0008
Const4=PROCESS_VM_READ
Value4=0x0010
Const5=PROCESS_VM_WRITE
Value5=0x0020
Const6=PROCESS_DUP_HANDLE
Value6=0x0040
Const7=PROCESS_CREATE_PROCESS
Value7=0x0080
Const8=PROCESS_SET_QUOTA
Value8=0x0100
Const9=PROCESS_SET_INFORMATION
Value9=0x0200
Const10=PROCESS_QUERY_INFORMATION
Value10=0x0400
Const11=PROCESS_ALL_ACCESS
Value11=0x001F0FFF
Step 1: Identify the Data Type
Determine if your constants are:
- Flags (can be OR’d together) → Use
Type=Flag
- Enums (mutually exclusive) → Use
Type=Enum
Step 2: Research the Values
Find constant definitions from:
- MSDN documentation
- Windows SDK header files (e.g.,
windows.h, winuser.h)
- Reverse engineering and analysis
Step 3: Create the Definition
Example for custom application flags:
[AppInitFlags]
TypeDisplay=DWORD
Base=DWORD
Type=Flag
Const1=APP_INIT_LOGGING
Value1=0x00000001
Const2=APP_INIT_NETWORK
Value2=0x00000002
Const3=APP_INIT_GUI
Value3=0x00000004
Const4=APP_INIT_PLUGINS
Value4=0x00000008
Const5=APP_INIT_DEBUG
Value5=0x80000000
Step 4: Reference in Function Definition
In your .api file:
[InitializeApp]
1=[AppInitFlags] flags
2=LPVOID pConfig
ParamCount=2
Header=CustomApp.h.api;
@=InitializeApp
Best Practices
Type names should clearly indicate what they represent (e.g., MessageBoxType, WindowStyle).
Follow Microsoft Conventions
When defining Windows API types, match the constant names from official headers exactly.
Use hex notation for flag values to make bit positions obvious (e.g., 0x00000001, 0x00000002).
Add INI comments (;) to explain non-obvious values or special cases.
Keep related type definitions in the same header file for maintainability.
Common Patterns
Bitwise Powers of Two (Flags)
Value1=0x00000001 ; Bit 0
Value2=0x00000002 ; Bit 1
Value3=0x00000004 ; Bit 2
Value4=0x00000008 ; Bit 3
Value5=0x00000010 ; Bit 4
Sequential Values (Enums)
Value1=0 ; First value
Value2=1
Value3=2
Value4=3
High-Bit Flags
Value1=0x80000000 ; Highest bit set
Value2=0x40000000
Value3=0x20000000
Troubleshooting
Values not resolving - Check that the header file is listed in the Header= field of the function definition.
Incorrect flag combinations - Verify that flag values don’t overlap unless intentional.
Missing constants - Ensure Const and Value entries are numbered sequentially without gaps.
Template
Flag Type Template
[FlagTypeName]
TypeDisplay=DWORD
Base=DWORD
Type=Flag
Const1=FLAG_NAME_1
Value1=0x00000001
Const2=FLAG_NAME_2
Value2=0x00000002
Const3=FLAG_NAME_3
Value3=0x00000004
Enum Type Template
[EnumTypeName]
TypeDisplay=DWORD
Base=DWORD
Type=Enum
Const1=ENUM_VALUE_1
Value1=0
Const2=ENUM_VALUE_2
Value2=1
Const3=ENUM_VALUE_3
Value3=2
Next Steps
Creating Definitions
Apply header files in complete API definitions
File Format
Review function definition syntax
Browse Examples
Explore existing header definitions
Configuration
Configure analysis behavior
