Hello,

I've read in a book that APIs in the native APIs start with one of the two prefixes: Either Nt or Zw, so that the functions have names like NtCreateFile or ZwCreateFile. What does Zw stand for?

It further says:

Both versions actually point to the same code in the user mode implementation in NTDLL.DLL. In kernel mode, they are different. The Nt versions are the actual implementations of the APIs, while Zw versions are stubs that go through the system call mechanism.

I'm not able to understand this thing in the italics. Any help would be appreciated...
-Jishnu.

>What does Zw stand for?
It's a mystery. The common assumption is that Zw was chosen because it meant absolutely nothing and there was little chance of something popping up that would make it significant.

>I'm not able to understand this thing in the italics.
Put simply, the Zw* versions will do some magic kernel stuff when called in kernel mode, and the Nt* versions won't. In user mode, both evaluate to the same thing.

That is interesting!!

If possible, I'm needing some more elaborate explanation for this:

•

•

•

•

Zw versions are stubs that go through the system call mechanism.

meaning what are stubs and the need for going through the system call mechanism..

You might find this enlightening, but it's pretty in depth.

Narue has pointed to a great article. To udestand this article you may need Debugging tools for windows. http://www.microsoft.com/whdc/devtoo...g/default.mspx
However, these are non-documented APIs you should avoid calling from user mode application.

Yes, the article is pretty in depth. I appreciate it for the details. I'm familiar with some of the terms used. The unfamiliar ones will help me to go into enough depth in my reversing course. Thank you Narue

Thanks dubeyprateek for that link.
Why is that so?

Two reasons::
1) Microsoft may change behaviour of these APIs without any notifications. Therefore your application may break.
2) Microsoft does not 'supports' usage of thses APIs.

Got it. Thanks