About ZwXXXXX functions.

OSR_Community_User Member Posts: 110,217
Dear all,
Some functions are prefixed with Zw, why? Does Zw have some special meaning?


  OSR_Community_User Member Posts: 110,217
    ZwXxxx functions are parallel to NtXxxx functions. That is, every NtXxxx
    routine has a ZwXxxx equivalent. In USER mode there is no difference between
    them - every NtXxxx and corresponding ZwXxxx procedure address is the
    same. But in KERNEL mode there is a difference. NtXxxx is the definition (it
    does the requested functionality) but ZwXxxx is only a stub (the same as in
    user mode), which de facto calls the appropriate NtXxxx routine. Every ZwXxxx
    routine looks like this:

    mov eax, ServiceNumber  ; EAX = service number (placeholder for the actual constant)
    lea edx, [esp+4]        ; EDX = pointer to arguments
    int 2Eh                 ; call KeSystemService routine via INT
    ret                     ; return to caller

    Routine KeSystemService then finds the corresponding routine pointer, copies
    arguments to the kernel mode stack, sets KeGetCurrentThread()->PreviousMode to
    the caller's (CS & 1) and calls the routine (NtXxxx).

    This means a call to ZwXxxx from kernel mode sets previous mode to KernelMode,
    so no pointer probing and parameter checking will be done.
    When you want to call some NtXxxx in kernel mode you must always keep in
    mind the previous mode value. The only condition when it's OK to call an NtXxxx
    routine is in a thread created by PsCreateSystemThread - this thread does not
    have any user mode context and you may be sure PreviousMode is always
    kernel mode. In all other situations it is better to call ZwXxxx => don't
    worry about the current previous mode.

    One exception to this is NtClose (ZwClose) routine. It has only one
    argument - handle to close. There is no pointer so it is your choice which
    of them you want to call.
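As an added illustration (constructed, not code from the post or from Windows), the following C model walks through the dispatch path described above: the Zw stub forces PreviousMode to KernelMode, so a driver calling it with a user-supplied pointer gets no probing and must validate that pointer itself, while NtXxxx called directly inherits whatever PreviousMode the thread already has. Names other than PreviousMode and the Nt/Zw prefixes (the single service, the CS values, the 2 GB address split) are assumptions of the model.

```c
#include <stdint.h>

/* Constructed model of the Nt/Zw dispatch path the post describes. Not Windows
 * code: addresses are plain integers and there is a single service. */
typedef long NTSTATUS;
#define STATUS_SUCCESS          ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_VIOLATION ((NTSTATUS)0xC0000005L)
#define MM_HIGHEST_USER_ADDRESS ((uintptr_t)0x7FFFFFFF) /* assumed 2 GB split */

typedef enum { KernelMode = 0, UserMode = 1 } KPROCESSOR_MODE;

/* Stands in for KeGetCurrentThread()->PreviousMode of the running thread. */
static KPROCESSOR_MODE PreviousMode = UserMode;

/* NtExample: the real worker. It checks the pointer only when PreviousMode
 * says the request came from user mode, as the post explains. */
static NTSTATUS NtExample(uintptr_t OutBuffer) {
    if (PreviousMode == UserMode && OutBuffer > MM_HIGHEST_USER_ADDRESS)
        return STATUS_ACCESS_VIOLATION; /* probing rejected a kernel address */
    return STATUS_SUCCESS;              /* the real work would happen here */
}

typedef NTSTATUS (*SERVICE_ROUTINE)(uintptr_t);
static const SERVICE_ROUTINE ServiceTable[] = { NtExample }; /* service 0 */

/* The dispatcher behind INT 2E (the post's KeSystemService): look up the
 * service, set PreviousMode from the caller's CS & 1, call NtXxxx, restore. */
static NTSTATUS SystemServiceDispatch(unsigned ServiceNumber, unsigned CallerCs,
                                      uintptr_t Arg) {
    KPROCESSOR_MODE saved = PreviousMode;
    PreviousMode = (CallerCs & 1) ? UserMode : KernelMode;
    NTSTATUS status = ServiceTable[ServiceNumber](Arg);
    PreviousMode = saved;
    return status;
}

/* ZwExample: the kernel-mode stub (mov eax, service / lea edx / int 2Eh / ret).
 * A kernel caller's CS has bit 0 clear, so PreviousMode becomes KernelMode. */
static NTSTATUS ZwExample(uintptr_t OutBuffer) {
    return SystemServiceDispatch(0, 0x08, OutBuffer); /* 0x08: kernel CS */
}

/* A driver running in a thread whose PreviousMode is thread_mode passes buf
 * either through the Zw stub or straight to NtExample. */
NTSTATUS DriverCall(KPROCESSOR_MODE thread_mode, int via_zw, uintptr_t buf) {
    PreviousMode = thread_mode;
    return via_zw ? ZwExample(buf) : NtExample(buf);
}
```

The third case is the trap the post warns about: NtExample called directly from a thread with a user-mode context still sees UserMode and rejects a perfectly valid kernel buffer, whereas the Zw stub would have accepted it.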

