flat assembler
Message board for the users of flat assembler.
revolution 25 Dec 2007, 06:40
MS don't publicly announce how to use such things. You might get something working on your current Windows build only to find later it is broken on the next update.
Also there is nothing special about things like syscall, it won't give you any extra privileges or magic powers that the standard API doesn't give you.

asmfan 25 Dec 2007, 10:04
Portable - NO
magic powers - NO:) (not in R3) (only in R0 where some Nt* funcs aren't exported - accessed only by syscall num)

zxcv 25 Dec 2007, 15:25
Yes, I want to write in R0. Is it possible to access the network driver and send my own packet? The kernel does it, so why can't I?

revolution 25 Dec 2007, 16:07
Easiest way to get R0 is to write a simple driver and install it on the fly. There are examples on the net, my website has lots of details about it. There have also been some examples posted here on this board previously.
A driver is preferred since the interface is public and is not likely to be broken by a monthly update. Once your driver is running then you are in R0 and can do whatever the hell you want.

zxcv 25 Dec 2007, 16:11
OK, do I have to write additional drivers for different network cards/modems?
Or is 1 enough for all hardware?

revolution 25 Dec 2007, 16:18
A driver is hardware specific.

LocoDelAssembly 25 Dec 2007, 21:34

f0dder 26 Dec 2007, 14:08
You can do raw sockets from ring3 as long as you have admin privileges.
Forget about doing syscalls directly, there's nothing "cool" about it, it doesn't win you anything, and since you risk breaking on the next service pack/update, is a waste of time. Spend your time doing something constructive.

zxcv 27 Dec 2007, 06:40
Quote: You can do raw sockets from ring3 as long as you have admin privileges.
Not in SP2, which is the most popular version =/

f0dder 27 Dec 2007, 08:16
zxcv wrote:
There's enough support for what most legitimate people need. Sure, it sucks that fagtard Steve Gibson made enough noise to reduce raw sock functionality, but it's not something that affects most people. And given your track record of posts here, I suspect you want to use raw socks for malicious purposes. Anyway, if your goals are legitimate, you won't mind using winpcap.

zxcv 27 Dec 2007, 09:11
Quote: I suspect you want to use raw socks for malicious purposes.
No, I want to write a port scanner, like nmap.
Code: socket(0, 3, 0)
returns -1, and I have installed winpcap.

f0dder 27 Dec 2007, 12:28
Perhaps you should look at the winpcap documentation, and learn to use symbolic names instead of magic values as well.

System86 07 Jan 2008, 21:00
How does Windows XP do syscalls internally? Do they use some interrupt, or do they use sysenter/sysexit, or something else?
By the way, syscalls won't let you get to ring 0 from ring 3 or let you gain direct hardware access.

LocoDelAssembly 07 Jan 2008, 21:26
It is hardware dependent, it uses Int $2E when syscall/sysenter and sysret/sysexit aren't present.
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.