Hi,
I wanted to find out about the following function prefixes to the function
names of NTOSKRNL.EXE and NTDLL.DLL exports:
Cc*, Cm*, Csr*, Dbg*, Etw*, Ex*, Fs*, Hal*, Inbv*, Io*, Kd*, Ke*, Ki*, Ldr*,
Lpc*, Lsa*, Mm*, Nls*, Nt*, Ob*, Pfx*, Po*, Ps*, Rtl*, (Rtlp*, Rtlx*,) Se*,
Wmi*, Vf*, Zw*
Of course I believe I know the meaning of some prefixes already, but
nevertheless there are some completely unknown to me.
E.g. does Zw* have a meaning at all? The difference in kernel mode is that Zw*
functions don’t care about the previous mode, so perhaps Z is for “Zero” and
“w” for some synonym of “check” (or something ;-)?!
Here’s what I believe I know:
Cc = Cache manager (???)
Csr = Client Server support functions (LPC; related: CSRSS.EXE)
Dbg = Debugger support functions
Etw = Extended tracing … support functions (???)
Ex = Executive
Fs = File system support functions
Hal = Hardware abstraction layer functions
Inbv = Something like: _In_itial _B_oot _V_ideo functions (???)
Io = I/O manager support functions
Kd = Kernel debugger support functions
Ki = Kernel interrupt support functions (???)
Ldr = PE image loader support functions
Lpc = LPC support functions
Lsa = Local security authority support functions
Mm = Memory manager support functions
Nls = Native language support functions
Ob = Object manager functions
Pfx = Name prefix support functions (???)
Po = Power management support functions
Ps = Process management support functions
Rtl = Runtime library functions
Rtlp = Private runtime library functions
Se = Security support functions
Wmi = Windows management instrumentation support functions
Vf = Verification (?) functions
So, if I am right on the above there are still these few left:
Cm, Ke, Nt, Rtlx, Zw
However, if I am mistaken on some of the above prefixes, please correct me.
(Etw* was introduced with Windows 2003 Server)
Maybe “Ke/Ki” is Kernel _e_xternal and Kernel _i_nternal functions?
Oliver
PS: What for? Well, I am currently compiling a list of all the exports of
ntdll.dll and ntoskrnl.exe which currently contains only information about
the availability of the functions (KM/UM and OS), but will be extended with
function declarations soon (I hope) -> http://native.assarbad.net