Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

System Calls in windows & Native API?

Tags:

linux

windows

assembly

kernel

nt-native-api

Recently I've been using lot of Assembly language in *NIX operating systems. I was wondering about the windows domain.

Calling convention in linux:

mov $SYS_Call_NUM, %eax mov $param1 , %ebx mov $param2 , %ecx int $0x80

Thats it. That is how we should make a system call in linux.

Reference of all system calls in linux:

Regarding which $SYS_Call_NUM & which parameters we can use this reference : http://docs.cs.up.ac.za/programming/asm/derick_tut/syscalls.html

OFFICIAL Reference : http://kernel.org/doc/man-pages/online/dir_section_2.html

Calling convention in Windows:

???

Reference of all system calls in Windows:

???

Unofficial : http://www.metasploit.com/users/opcode/syscalls.html , but how do I use these in assembly unless I know the calling convention.

OFFICIAL : ???

  • If you say, they didn't documented it. Then how is one going to write libc for windows without knowing system calls? How is one gonna do Windows Assembly programming? Atleast in the driver programming one needs to know these. right?

Now, whats up with the so called Native API? Is Native API & System calls for windows both are different terms referring to same thing? In order to confirm I compared these from two UNOFFICIAL Sources

System Calls: http://www.metasploit.com/users/opcode/syscalls.html

Native API: http://undocumented.ntinternals.net/aindex.html

My observations:

  1. All system calls are beginning with letters Nt where as Native API is consisting of lot of functions which are not beginning with letters Nt.
  2. System Call of windows are subset of Native API. System calls are just part of Native API.

Can any one confirm this and explain.

EDIT:

There was another answer. It was a 2nd answer. I really liked it but I don't know why answerer has deleted it. I request him to repost his answer.

like image 954
claws Avatar asked Mar 22 '10 03:03

claws

People also ask

How many system calls are there in Windows?

There are mainly 5 types of system calls available. Process Control: It handles the system calls for process creation, deletion, etc. Examples for process control system calls are: Load, Execute, Abort, Wait Signal events for process.

What is system call with example?

A system call is a way for programs to interact with the operating system. A computer program makes a system call when it makes a request to the operating system's kernel. System call provides the services of the operating system to the user programs via Application Program Interface(API).

Which is a system call?

In computing, a system call (commonly abbreviated to syscall) is the programmatic way in which a computer program requests a service from the kernel of the operating system on which it is executed.

1 Answers

If you're doing assembly programming under Windows you don't do manual syscalls. You use NTDLL and the Native API to do that for you.

The Native API is simply a wrapper around the kernelmode side of things. All it does is perform a syscall for the correct API.

You should NEVER need to manually syscall so your entire question is redundant.

Linux syscall codes do not change, Windows's do, that's why you need to work through an extra abstraction layer (aka NTDLL).

EDIT:

Also, even if you're working at the assembly level, you still have full access to the Win32 API, there's no reason to be using the NT API to begin with! Imports, exports, etc all work just fine in assembly programs.

EDIT2:

If you REALLY want to do manual syscalls, you're going to need to reverse NTDLL for each relevant Windows version, add version detection (via the PEB), and perform a syscall lookup for each call.

However, that would be silly. NTDLL is there for a reason.

People have already done the reverse-engineering part: see https://j00ru.vexillium.org/syscalls/nt/64/ for a table of system-call numbers for each Windows kernel. (Note that the later rows do change even between versions of Windows 10.) Again, this is a bad idea outside of personal-use-only experiments on your own machine to learn more about asm and/or Windows internals. Don't inline system calls into code that you distribute to anyone else.

like image 194
RaptorFactor Avatar answered Sep 23 '22 02:09

RaptorFactor
Sign in to Comment

Related questions

How to obtain good concurrent read performance from disk
Is there really any way to uniquely identify any computer at all
What is the best way of determining that two file paths are referring to the same file object?
How do you read directly from physical memory?
Boot a native OS on a hard disk as a virtual machine
Building with CMake, Ninja and Clang on Windows
How run clang from command line on Windows?
How to choose which port to use when building a windows service? (windows & .net) [closed]
Difference between WinMain and wWinMain
What IDE / Editor do you use for Ruby on Windows? [closed]
Too many fonts when enumerating with EnumFontFamiliesEx function
Git on a Windows Lan
Fatal Python error on Windows 10 ModuleNotFoundError: No module named 'encodings'
Why do Windows consoles lose command-line history (up arrow) after a time?
How to programmatically create a shortcut using Win32
How to display text on the screen without a window using Python
Where exactly Git Bash for Windows' prompt is defined?
Creating a professional-looking (and behaving!) form designer
How to run an awk commands in Windows?
Identify process using a file

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!