Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTDEV

Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


About ZwXXXXX functions.

OSR_Community_UserOSR_Community_User Member Posts: 110,217
Dear all,
Some function a prefixed with Zw, why? Does Zw have some special meaning?
Thanks.
BR
Volition2k

Comments

  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    ZwXxxx functions are parallel to NtXxxx functions. That is every NtXxxx
    routine has ZwXxxx equivalent. In USER mode there is no difference between
    them - every NtXxxx and corresponding ZwXxxx procedure addresses are the
    same. But in KERNEL mode there is a difference. NtXxxx is definition (it
    does requested functionality) but ZwXxxx is only a stub (the same as in
    user mode), which de facto calls appropriate NtXxxx routine. Every ZwXxxx
    routine looks like this:

    ZwXxxx:
    mov eax, ; EAX = service number
    lea edx, [esp+4] ; EDX = pointer to arguments
    int 2e ; call KeSystemService routine via INT
    ret ; return to caller

    Routine KeSystemService then finds corresponding routine pointer, copies
    arguments to kernel mode stack, sets KeGetCurrentThread()->PreviousMode to
    callers (CS & 1) and calls the routine (NtXxxx).

    This means call to ZwXxxx from kernel mode sets previous mode to KernelMode
    so no pointer probing and parameter checking will be done.
    When you want to call some NtXxxx in kernel mode you must always keep in
    mind previous mode value. Only conditions when it's OK to call NtXxxx
    routine is in thread created by PsCreateSystemThread - this thread does not
    have any user mode context and you may be sure PreviousMode is always
    kernel mode. In all other situations it is better to call ZwXxxx => don't
    worry about current previous mode.

    One exception to this is NtClose (ZwClose) routine. It has only one
    argument - handle to close. There is no pointer so it is your choice which
    of them you want to call.

    Paul
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 30 January 2023 Live, Online
Developing Minifilters 20 March 2023 Live, Online
Internals & Software Drivers 17 April 2023 Live, Online
Writing WDF Drivers 22 May 2023 Live, Online