Dear all,
Some functions are prefixed with Zw, why? Does Zw have some special meaning?
Thanks.
BR
Volition2k
ZwXxxx functions are parallel to NtXxxx functions. That is, every NtXxxx
routine has a ZwXxxx equivalent. In USER mode there is no difference between
them - the addresses of every NtXxxx and the corresponding ZwXxxx procedure are
the same. But in KERNEL mode there is a difference. NtXxxx is the definition (it
does the requested functionality) but ZwXxxx is only a stub (the same as in
user mode), which de facto calls the appropriate NtXxxx routine. Every ZwXxxx
routine looks like this:
    ZwXxxx:
        mov eax, SERVICE_NUMBER  ; EAX = system service number (value depends on the routine)
        lea edx, [esp+4]         ; EDX = pointer to the arguments on the caller's stack
        int 2Eh                  ; call the KeSystemService routine via INT 2Eh
        ret                      ; return to caller
The KeSystemService routine then finds the corresponding routine pointer, copies
the arguments to the kernel-mode stack, sets KeGetCurrentThread()->PreviousMode
to the caller's (CS & 1) and calls the routine (NtXxxx).
This means a call to ZwXxxx from kernel mode sets the previous mode to
KernelMode, so no pointer probing and parameter checking will be done.
When you want to call some NtXxxx in kernel mode you must always keep in
mind the previous mode value. The only condition when it's OK to call an NtXxxx
routine is in a thread created by PsCreateSystemThread - this thread does not
have any user-mode context and you may be sure PreviousMode is always
kernel mode. In all other situations it is better to call ZwXxxx => don't
worry about the current previous mode.
One exception to this is the NtClose (ZwClose) routine. It has only one
argument - the handle to close. There is no pointer, so it is your choice which
of them you want to call.
Paul
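The Nt/Zw dispatch and PreviousMode behaviour Paul describes, as an added user-space model that is not code from the thread or from Windows: KeSystemService, NtReadValue, ZwReadValue, DriverReadForUser and the 64 KB Memory[] address space are constructed stand-ins, and it also shows why a driver that forwards user-supplied pointers through a ZwXxxx call has to validate them itself, since the probe is skipped.

```c
/* Added example, not from the thread: a user-space model of the Nt/Zw
 * dispatch.  All names and the Memory[] address space are constructed
 * stand-ins for the real kernel pieces. */
#include <stdint.h>
typedef long NTSTATUS;
#define STATUS_SUCCESS          0L
#define STATUS_ACCESS_VIOLATION (-1L)
enum { KernelMode = 0, UserMode = 1 };
enum { KERNEL_CS = 0x08, USER_CS = 0x1B };  /* ring = CS & 1 in the model */
#define KERNEL_BASE 0x8000u                 /* model: >= here is kernel space */

static uint8_t Memory[0x10000];             /* 16-bit "pointers" index this */
static int PreviousMode = UserMode;         /* KeGetCurrentThread()->PreviousMode */

/* NtReadValue: copy one byte from Src to Dst.  Like a real NtXxxx it only
 * probes its pointers when the caller's previous mode is UserMode. */
static NTSTATUS NtReadValue(uint16_t Src, uint16_t Dst)
{
    if (PreviousMode == UserMode &&
        (Src >= KERNEL_BASE || Dst >= KERNEL_BASE))
        return STATUS_ACCESS_VIOLATION;     /* ProbeForRead/ProbeForWrite */
    Memory[Dst] = Memory[Src];
    return STATUS_SUCCESS;
}

/* KeSystemService (the INT 2E handler): PreviousMode = caller's CS & 1,
 * dispatch to NtXxxx, then restore the old value. */
static NTSTATUS KeSystemService(uint16_t CallerCs, uint16_t Src, uint16_t Dst)
{
    int saved = PreviousMode;
    PreviousMode = (CallerCs & 1) ? UserMode : KernelMode;
    NTSTATUS st = NtReadValue(Src, Dst);
    PreviousMode = saved;
    return st;
}

/* ZwReadValue: the kernel-side stub.  Its INT 2E arrives with a kernel CS,
 * so NtReadValue runs with PreviousMode == KernelMode and probes nothing. */
static NTSTATUS ZwReadValue(uint16_t Src, uint16_t Dst)
{
    return KeSystemService(KERNEL_CS, Src, Dst);
}

/* A driver forwarding user-supplied pointers through Zw: since the probe is
 * skipped, the driver must validate the pointers itself (validate != 0). */
static NTSTATUS DriverReadForUser(uint16_t Src, uint16_t Dst, int validate)
{
    if (validate && (Src >= KERNEL_BASE || Dst >= KERNEL_BASE))
        return STATUS_ACCESS_VIOLATION;
    return ZwReadValue(Src, Dst);
}
```

With validate set to 0 the model shows the kernel byte at 0x9000 being overwritten through ZwReadValue, while the same request through NtReadValue in a user-mode thread context is rejected by the probe.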