flat assembler
Message board for the users of flat assembler.
asmcoder 04 Nov 2008, 00:42
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:55; edited 1 time in total
asmfan 04 Nov 2008, 08:08
Actually there is a difference. But (only) in kernel mode.
The answers for your questions are well googled. Hint: use the osronline resource for such specific kinds of questions. Runtime library, memory manager, kernel internal, kernel external (as I correctly recall)
HyperVista 04 Nov 2008, 12:01
wikibooks wrote: The "official" native API is usually limited only to functions whose prefix is Nt or Zw. These calls are in fact the same: the relevant Export entries map to the same address in memory. Thus there is not real difference, although the reason for the double-mapping results from ntdll's dual purpose: it is used to provide function calls in both kernel and user space. User applications are encouraged to use the Nt* calls, while kernel callers are supposed to use the Zw* calls. The origin of the prefix "Zw" is unknown; it is rumored that this prefix was chosen due to its having no significance at all.
vid 04 Nov 2008, 12:27
HyperVista: they are same, but only from user mode. In kernel mode, one of them performs some extra check, other doesn't, but I don't remember which is which. asmfan's response is correct.
revolution 04 Nov 2008, 12:33
vid: Do you mean that different things happen once the call has entered the kernel, or before the call has entered the kernel?
vid 04 Nov 2008, 14:30
No, functions behave differently when they are called from kernel mode (from driver). They behave same when they are called from user mode (win32 / native subsystem). Just take a look at your own website.
revolution 04 Nov 2008, 14:42
vid: Your initial statement was not clear. I just wanted you to explain some more so that others would not be confused.
HyperVista 04 Nov 2008, 14:52
vid - I think you are correctly describing the difference between the two subsystems; kernel vs user. But the question was about the difference between Zw and Nt function calls and I still contend they are the same. I agree that the subsystem from which they are called provides different access and memory controls, but the function call is the same. The mapping of the two different types of function calls (Zw and Nt) to the same memory location is the strongest argument.
vid 04 Nov 2008, 15:05
HyperVista: No, they are only mapped to same function when calling from user mode. When you call them from kernel mode, they map to slightly different function. One of them goes right on to code, other does some checks first (checks intended for user mode), and THEN goes to that code. Don't remember exactly, but look at first two pages (use google cache) of google search i linked.
HyperVista 04 Nov 2008, 15:29
vid - Look at Table 2.7 in that Solomon and Russinovich Windows Internals Book
Solomon & Russinovich wrote: Zw - Mirror entry point for system services (beginning with Nt) that sets previous access mode to kernel, which eliminates parameter validation, because Nt system services validate parameters only if previous access mode is user
Again, I agree that the subsystem (user or kernel) imposes different restrictions (parameter validation), but the function call is exactly the same. It's the subsystems that differ, not the function.
baldr 04 Nov 2008, 16:18
Can "Zw" be "MZ" rotated 180°? ("yay zibo!", as somebody wrote in MS-DOS source)
vid 04 Nov 2008, 16:22
Quote: Zw - Mirror entry point for system services (beginning with Nt) that sets previous access mode to kernel, which eliminates parameter validation, because Nt system services validate parameters only if previous access mode is user
That elimination doesn't depend on whether you call it from user or kernel mode, it depends on which one (Nt or Zw) you call. When called from user mode, parameters are always validated, whether you call Nt or Zw. When calling from kernel mode, parameters are never validated with Zw, but they can happen to be validated with Nt. Read following article: http://209.85.135.104/search?q=cache:e0zNVFXlsaMJ:www.osronline.com/article.cfm%3Farticle%3D257+nt+zw+osronline&hl=sk&ct=clnk&cd=1
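The rule from the post above (validation follows the thread's previous mode, and the kernel-mode Zw entry forces it to kernel for the call), written out as a small C model. This is an added example, not part of the thread and not Windows source; `thread_t`, `nt_service`, the address boundary and every other name in it are assumptions made for illustration.

```c
/* Simplified model of the previous-mode rule; NOT Windows source code.
   All names here (thread_t, nt_service, ...) are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { KERNEL_MODE, USER_MODE } kmode_t;
typedef struct { kmode_t previous_mode; } thread_t;   /* per-thread state */
typedef enum { ST_OK, ST_ACCESS_VIOLATION } status_t;
#define USER_SPACE_TOP 0x7FFFFFFFu   /* constructed user/kernel boundary */

/* Body of an Nt service: probes the buffer only when previous mode is user. */
static status_t nt_service(thread_t *t, uint32_t buf, bool *probed) {
    *probed = (t->previous_mode == USER_MODE);
    if (*probed && buf > USER_SPACE_TOP)
        return ST_ACCESS_VIOLATION;   /* kernel address from a "user" caller */
    return ST_OK;
}

/* User mode: Nt and Zw are the same stub; the trap marks the caller as user. */
static status_t call_from_user(thread_t *t, uint32_t buf, bool *probed) {
    t->previous_mode = USER_MODE;
    return nt_service(t, buf, probed);
}

/* Kernel mode, Zw: previous mode is forced to kernel for the call, no probe. */
static status_t zw_from_kernel(thread_t *t, uint32_t buf, bool *probed) {
    kmode_t saved = t->previous_mode;
    t->previous_mode = KERNEL_MODE;
    status_t s = nt_service(t, buf, probed);
    t->previous_mode = saved;         /* restored when the service returns */
    return s;
}

/* Kernel mode, Nt: direct call, previous mode is whatever the thread carries. */
static status_t nt_from_kernel(thread_t *t, uint32_t buf, bool *probed) {
    return nt_service(t, buf, probed);
}

int main(void) {
    thread_t req = { USER_MODE };     /* driver running in a user request's thread */
    thread_t sys = { KERNEL_MODE };   /* system worker thread */
    uint32_t kbuf = 0x80001000u;      /* constructed kernel-space address */
    bool p; status_t s;
    s = nt_from_kernel(&req, kbuf, &p); printf("Nt, request thread: status=%d probed=%d\n", s, p);
    s = zw_from_kernel(&req, kbuf, &p); printf("Zw, request thread: status=%d probed=%d\n", s, p);
    s = nt_from_kernel(&sys, kbuf, &p); printf("Nt, system thread:  status=%d probed=%d\n", s, p);
    s = call_from_user(&req, kbuf, &p); printf("from user mode:     status=%d probed=%d\n", s, p);
    return 0;
}
```

In the Zw case the kernel address is accepted without a probe, which is why a driver that forwards a pointer it received from user mode through a Zw call has to validate that pointer itself.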
baldr 04 Nov 2008, 17:22
vid,
I agree, that article will definitely make it clear:
Google cache wrote: Calling From Kernel Mode
HyperVista 04 Nov 2008, 20:45
Okay. I'm convinced.
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.