Hi All,
When I was debugging an app today, I tried to clear a doubt,
My initial theory was:
An application calls a Win32 API, then it goes to NtXXX and then it invokes a system service. In general we have two API sets, ZwXXX and NtXXX.
I tried to unassemble this and the output surprised me; I asked for NtCreateFile and it shows
NtCreateFile
ntdll!ZwCreateFile:
7c90d090 b825000000 mov eax,25h
7c90d095 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
7c90d09a ff12 call dword ptr [edx]
7c90d09c c22c00 ret 2Ch
7c90d09f 90 nop
also I asked for NtSetInformationThread and it shows
NtSetInformationThread
ntdll!ZwSetInformationThread:
7c90dc90 b8e5000000 mov eax,0E5h
7c90dc95 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
7c90dc9a ff12 call dword ptr [edx]
7c90dc9c c21000 ret 10h
7c90dc9f 90 nop
and so on for many APIs.
So, does it mean that there is a single copy of the function with two names, i.e. NTDLL's EAT exports two different method names which actually point to the same method? If that is not true, kindly correct me.
If it is true, then why is it written on several MSDN pages that the ZwXXX API is for kernel mode and user-mode developers should use the NtXXX API, and why do we have two API names in the first place? Any reasons?
I do not need this information for any professional purpose, but I am curious enough to want to know the reason behind this, and what this approach solves in terms of design.
Thanks
Aditya
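The listings above show both the Nt and Zw names resolving to the same five-instruction stub. The following is an added example, not code from the thread: it decodes that XP-era 32-bit ntdll stub layout, pulling out the system service index loaded into EAX and the argument count implied by the RET imm16, and reports a stub that no longer starts with MOV EAX as patched (which is what an inline hook on an ntdll export looks like). The two byte strings are transcribed from the listings above; HOOKED_STUB is a constructed sample, and the 4-byte argument size is an assumption that holds for 32-bit stdcall.

```python
"""Decode the 32-bit ntdll system-call stub format shown in the thread."""
import struct
from typing import NamedTuple, Optional

# SharedUserData!SystemCallStub on 32-bit Windows XP, as in the listing
SYSTEM_CALL_STUB = 0x7FFE0300


class SyscallStub(NamedTuple):
    service_index: int   # value loaded into EAX: index into the SSDT
    arg_bytes: int       # stack bytes released by RET imm16
    arg_count: int       # arg_bytes / 4 for 32-bit stdcall arguments


def decode_stub(code: bytes) -> Optional[SyscallStub]:
    """Return the decoded stub, or None if the bytes do not match the
    known pattern. A prologue that no longer starts with MOV EAX, imm32
    (e.g. a JMP rel32) is the classic sign of an inline-hooked export."""
    # mov eax, imm32  (B8 xx xx xx xx)
    if len(code) < 15 or code[0] != 0xB8:
        return None
    index = struct.unpack_from('<I', code, 1)[0]
    # mov edx, imm32  (BA xx xx xx xx) -- must point at SystemCallStub
    if code[5] != 0xBA:
        return None
    if struct.unpack_from('<I', code, 6)[0] != SYSTEM_CALL_STUB:
        return None
    # call dword ptr [edx]  (FF 12)
    if code[10:12] != b'\xff\x12':
        return None
    # ret imm16  (C2 xx xx)
    if code[12] != 0xC2:
        return None
    arg_bytes = struct.unpack_from('<H', code, 13)[0]
    return SyscallStub(index, arg_bytes, arg_bytes // 4)


# Bytes transcribed from the debugger listings in the thread
NT_CREATE_FILE = bytes.fromhex('b825000000' 'ba0003fe7f' 'ff12' 'c22c00' '90')
NT_SET_INFORMATION_THREAD = bytes.fromhex('b8e5000000' 'ba0003fe7f' 'ff12' 'c21000' '90')

# Constructed sample of a patched stub: first instruction replaced by JMP rel32
HOOKED_STUB = bytes.fromhex('e900000000' 'ba0003fe7f' 'ff12' 'c22c00' '90')


if __name__ == '__main__':
    samples = [('NtCreateFile', NT_CREATE_FILE),
               ('NtSetInformationThread', NT_SET_INFORMATION_THREAD),
               ('constructed hooked stub', HOOKED_STUB)]
    for name, code in samples:
        decoded = decode_stub(code)
        print(name, '->', decoded if decoded else 'does not match stub pattern')
```

For the two real stubs the decoder recovers service index 0x25 with 11 arguments and 0xE5 with 4 arguments, matching the parameter counts of NtCreateFile and NtSetInformationThread.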
Look at the article
http://www.osronline.com/login.cfm?prompt=ntInsider&id=257
–
Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
On Tue, Feb 3, 2009 at 7:00 PM, Don Burn wrote:
> Look at the article
> http://www.osronline.com/login.cfm?prompt=ntInsider&id=257
Nice article.
It explains the usage of Ntxxx and Zwxxx in kernel mode.
But why two different variants in user mode?
Did MS do it for some specific purpose in user mode?
Both names are aliased for user mode callers. There exist operational differences between Nt (uses PreviousMode “as-is”) and Zw (sets PreviousMode to KernelMode for the duration of the system service).
There’s an OSR article explaining the consequences of this in more detail if you search older NT Insider archives.
– S
-----Original Message-----
From: xxxxx@gmail.com
Sent: Tuesday, February 03, 2009 05:28
To: Windows System Software Devs Interest List
Subject: [ntdev] Nt and Zw APIs
—
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
Likely for ease of use for static libraries that can be linked to by both kernel mode or user mode programs.
– S
From: Deepak Gupta
Sent: Tuesday, February 03, 2009 05:53
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Nt and Zw APIs
> if it is true than why it is been written at several MSDN pages that this Zwxxx API is for kernel mode
In user mode, Nt and Zw are the same.
In kernel mode, Nt are the syscall bodies (which are registered in SSDT), and Zw are the same syscalls as for user mode.
They differ: if you call NtXxx, then the result of ExGetPreviousMode inside the call (in drivers, FSDs, etc.) will be the same as for the caller. If you call ZwXxx, it goes via a trap frame and thus ExGetPreviousMode inside the call will always be KernelMode.
ExGetPreviousMode influences things like ProbeForRead/Write and ObReferenceObjectByHandle (usually the process mode parameter to it is the ExGetPreviousMode result).
So, it is a good idea to always call ZwXxx while in the kernel. Since Nt and Zw are the same in user, it is a good idea to forget about calling NtXxx and only call ZwXxx.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
On Tue, 03 Feb 2009 20:59:38 +0100, Maxim S. Shatskih
wrote:
> So, it is a good idea to always call ZwXxx while in the kernel. Since Nt
> and Zw are the same in user, it is a good idea to forget about calling
> NtXxx and only call ZwXxx.
Although this rule of thumb generally holds true, there are some
implementation-specific circumstances that require the opposite when
acting on behalf of a (potentially) user-mode caller.
- Cay
In which specific cases have you needed to (or found it significantly more convenient to) use the NtXxx versions, aside from dangerous hooking scenarios, if you don’t mind my asking?
– S
> Since Nt and Zw are the same in user, it is a good idea to
> forget about calling NtXxx and only call ZwXxx.
No, please don’t do that. Only the Nt versions are documented in
user mode. At least some of ntdll’s Zw exports might disappear
in the future.
–
This posting is provided “AS IS” with no warranties, and confers no
rights.
>>Only the Nt versions are documented in user mode.
No, there are still many Nt APIs which are not documented but are exported.
>At least some of ntdll’s Zw exports might disappear in the future.
How do you deduce this?
Thanks
Aditya
wrote in message news:xxxxx@ntdev…
>>>Only the Nt versions are documented in user mode.
> No, there are still many Nt APIs which are not documented but are
> exported.
>
So, this doesn’t contradict his statement that only the Nt versions are
documented for user mode. If they haven’t documented something you need,
open a PSS incident and see if it was a mistake or intentional.
>>>At least some of ntdll’s Zw exports might disappear in the future.
> how do you deduce this?
>
He works for Microsoft and would know of internal discussions about the
topic.
> Thanks
> Aditya
>
That is a nice answer, David.
>He works for Microsoft and would know of internal discussions about the topic.
The post was from a hotmail id, so I definitely could not guess this.
So the conclusion is: in user mode, use the Nt APIs.
Thanks
Aditya
Remembering the players in this newsgroup is a wise investment in your time.
It will help you to evaluate the relative value of the various responses.
He does post rather frequently to this and a couple of other newsgroups.
> No, please don’t do that. Only the Nt versions are documented in
> user mode. At least some of ntdll’s Zw exports might disappear
> in the future.
Actually, for me, it’s news that any of Nt/Zw are documented for user mode.
For kernel mode, yes, some Zw (not Nt) have been documented for sure since the NT3 DDK docs.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
The SDK and Wintrnl.h documents some of the NT calls.
Bill Wandel
> The SDK and Wintrnl.h documents some of the NT calls.
If the call is in some header file shipped with the WDK, then is it documented? Doubts.
SDK docs, yes, are a criterion.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
Wintrnl.h is in the sdk.
Bill Wandel
That doesn’t quite pass muster as being documented though.
d
I’ve never actually had to, but the documentation of most Native functions
indirectly points out this possibility of privilege escalation. There’s
also a short article in “The NT Insider”, Vol. 10, Issue 5 named “Sidebar
Discussion – Nt vs. Zw Continued”.
> indirectly point this possibility of privilege escalation out. There’s
Since in user mode Nt and Zw are the same, I think this leaves not much chance for privilege escalation.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com