
Doubt in Native API

Hello,

I've read in a book that functions in the native API start with one of two prefixes, either Nt or Zw, so the functions have names like NtCreateFile or ZwCreateFile. What does Zw stand for?

It further says:

>Both versions actually point to the same code in the user mode implementation in NTDLL.DLL. In kernel mode, they are different. The Nt versions are the actual implementations of the APIs, while Zw versions are stubs that go through the system call mechanism.

I'm not able to understand the part in italics. Any help would be appreciated...
-Jishnu.

Jishnu
Posting Pro
518 posts since Oct 2006
Reputation Points: 193
Solved Threads: 25
 

>What does Zw stand for?
It's a mystery. The common assumption is that Zw was chosen because it meant absolutely nothing and there was little chance of something popping up that would make it significant.

>I'm not able to understand this thing in the italics.
Put simply, the Zw* versions will do some magic kernel stuff when called in kernel mode, and the Nt* versions won't. In user mode, both evaluate to the same thing.

Narue
Bad Cop
Administrator
15,460 posts since Sep 2004
Reputation Points: 6,464
Solved Threads: 1,401
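As an added example (not code from the thread, the book, or Microsoft), this PowerShell snippet checks the user-mode half of the quoted paragraph: it resolves a few Nt*/Zw* export pairs in ntdll.dll through GetProcAddress and reports whether each pair lands on the same address. The base names are chosen for the example; the kernel-mode difference cannot be observed from a user-mode process.

```powershell
# Added example, not from the thread: from user mode, resolve each Nt*/Zw* pair
# exported by ntdll.dll and check whether both names point at the same code.
Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetModuleHandle(string lpModuleName);

[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
'@

# ntdll.dll is mapped into every Windows process, so no LoadLibrary is needed.
$ntdll = [Win32.Kernel32]::GetModuleHandle("ntdll.dll")
if ($ntdll -eq [IntPtr]::Zero) { throw "ntdll.dll not found in this process" }

# Base names chosen for the example; the Nt/Zw prefix is added below.
$baseNames = "CreateFile", "Close", "OpenProcess", "QuerySystemInformation"

foreach ($base in $baseNames) {
    $nt = [Win32.Kernel32]::GetProcAddress($ntdll, "Nt$base")
    $zw = [Win32.Kernel32]::GetProcAddress($ntdll, "Zw$base")
    [pscustomobject]@{
        Function  = $base
        NtAddress = "0x{0:X}" -f $nt.ToInt64()
        ZwAddress = "0x{0:X}" -f $zw.ToInt64()
        SameCode  = ($nt -eq $zw)   # expected to be True for every pair in user mode
    }
}
```

A SameCode value of True for each row is the "same code in NTDLL.DLL" statement from the book made visible; the Zw stubs only take a different path inside the kernel, which this user-mode check cannot reach.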
 
>What does Zw stand for?
>It's a mystery. The common assumption is that Zw was chosen because it meant absolutely nothing and there was little chance of something popping up that would make it significant.

That is interesting!!

If possible, I need a more elaborate explanation of this:
>Zw versions are stubs that go through the system call mechanism.

meaning, what are stubs, and why do they need to go through the system call mechanism?

Jishnu

You might find this enlightening, but it's pretty in depth.

Narue

Narue has pointed to a great article. To understand this article you may need Debugging Tools for Windows. http://www.microsoft.com/whdc/devtools/debugging/default.mspx
However, these are undocumented APIs that you should avoid calling from a user mode application.

dubeyprateek
Junior Poster
176 posts since Mar 2006
Reputation Points: 39
Solved Threads: 24
 

Yes, the article is pretty in depth. I appreciate it for the details. I'm familiar with some of the terms used. The unfamiliar ones will help me to go into enough depth in my reversing course. Thank you Narue :)

Thanks dubeyprateek for that link.
>these are undocumented APIs that you should avoid calling from a user mode application.

Why is that so?

Jishnu
>Why is that so?

Two reasons:
1) Microsoft may change the behaviour of these APIs without any notification. Therefore your application may break.
2) Microsoft does not support usage of these APIs.

dubeyprateek

Got it. Thanks :)

Jishnu
