flat assembler
Message board for the users of flat assembler.

asmcoder (Joined: 02 Jun 2008, Posts: 784)
[content deleted]


Last edited by asmcoder on 14 Aug 2009, 14:55; edited 1 time in total
Post 04 Nov 2008, 00:42
HyperVista (Joined: 18 Apr 2005, Posts: 691, Location: Virginia, USA)
The Nt and Zw prefixes actually map to the same function calls in memory and therefore there is no difference between them. These function calls are contained in ntdll.dll and the prefixes represent the fact that this dll supports both kernel (Zw) function calls and user space (Nt) function calls to the same API.
I think Zw was chosen arbitrarily. Nt is self apparent.

If you reverse engineer ntdll.dll you will find some interesting things.
Post 04 Nov 2008, 02:01
asmfan (Joined: 11 Aug 2006, Posts: 392, Location: Russian)
Actually there is a difference. But only in kernel mode.
The answers to your questions are easily googled. Hint: use the osronline resource for such specific kinds of questions.
runtime library, memory manager, kernel internal, kernel external (if I recall correctly)
Post 04 Nov 2008, 08:08
HyperVista (Joined: 18 Apr 2005, Posts: 691, Location: Virginia, USA)
wikibooks wrote:
The "official" native API is usually limited only to functions whose prefix is Nt or Zw. These calls are in fact the same: the relevant Export entries map to the same address in memory. Thus there is no real difference, although the reason for the double-mapping results from ntdll's dual purpose: it is used to provide function calls in both kernel and user space. User applications are encouraged to use the Nt* calls, while kernel callers are supposed to use the Zw* calls. The origin of the prefix "Zw" is unknown; it is rumored that this prefix was chosen due to its having no significance at all.

In actual implementation, the Nt / Zw calls merely load two registers with values required to describe a native API call, and then execute a software interrupt.
Post 04 Nov 2008, 12:01
vid (Verbosity in development; Joined: 05 Sep 2003, Posts: 7105, Location: Slovakia)
HyperVista: they are the same, but only from user mode. In kernel mode, one of them performs some extra check, the other doesn't, but I don't remember which is which. asmfan's response is correct.
Post 04 Nov 2008, 12:27
revolution (When all else fails, read the source; Joined: 24 Aug 2004, Posts: 17287, Location: In your JS exploiting you and your system)
vid: Do you mean that different things happen once the call has entered the kernel, or before the call has entered the kernel?
Post 04 Nov 2008, 12:33
vid (Verbosity in development; Joined: 05 Sep 2003, Posts: 7105, Location: Slovakia)
No, functions behave differently when they are called from kernel mode (from a driver). They behave the same when they are called from user mode (win32 / native subsystem). Just take a look at your own website.
Post 04 Nov 2008, 14:30
revolution (When all else fails, read the source; Joined: 24 Aug 2004, Posts: 17287, Location: In your JS exploiting you and your system)
vid: Your initial statement was not clear. I just wanted you to explain some more so that others would not be confused.
Post 04 Nov 2008, 14:42
HyperVista (Joined: 18 Apr 2005, Posts: 691, Location: Virginia, USA)
vid - I think you are correctly describing the difference between the two subsystems, kernel vs user. But the question was about the difference between Zw and Nt function calls, and I still contend they are the same. I agree that the subsystem from which they are called provides different access and memory controls, but the function call is the same. The mapping of the two different types of function calls (Zw and Nt) to the same memory location is the strongest argument.
Post 04 Nov 2008, 14:52
vid (Verbosity in development; Joined: 05 Sep 2003, Posts: 7105, Location: Slovakia)
HyperVista: No, they are only mapped to the same function when calling from user mode. When you call them from kernel mode, they map to slightly different functions. One of them goes right on to the code, the other does some checks first (checks intended for user mode), and THEN goes to that code. I don't remember exactly, but look at the first two pages (use Google cache) of the Google search I linked.
Post 04 Nov 2008, 15:05
HyperVista (Joined: 18 Apr 2005, Posts: 691, Location: Virginia, USA)
vid - Look at Table 2.7 in the Solomon and Russinovich Windows Internals book.
Solomon & Russinovich wrote:
Zw - Mirror entry point for system services (beginning with Nt) that sets previous access mode to kernel, which eliminates parameter validation, because Nt system services validate parameters only if previous access mode is user

Again, I agree that the subsystem (user or kernel) imposes different restrictions (parameter validation), but the function call is exactly the same. It's the subsystems that differ, not the function.
Post 04 Nov 2008, 15:29
baldr (Joined: 19 Mar 2008, Posts: 1651)
Can "Zw" be "MZ" rotated 180°? ("yay zibo!", as somebody wrote in the MS-DOS source)
Post 04 Nov 2008, 16:18
vid (Verbosity in development; Joined: 05 Sep 2003, Posts: 7105, Location: Slovakia)
Quote:
Zw - Mirror entry point for system services (beginning with Nt) that sets previous access mode to kernel, which eliminates parameter validation, because Nt system services validate parameters only if previous access mode is user

That elimination doesn't depend on whether you call it from user or kernel mode, it depends on which one (Nt or Zw) you call. When called from user mode, parameters are always validated, whether you call Nt or Zw. When calling from kernel mode, parameters are never validated with Zw, but they can happen to be validated with Nt.

Read following article: http://209.85.135.104/search?q=cache:e0zNVFXlsaMJ:www.osronline.com/article.cfm%3Farticle%3D257+nt+zw+osronline&hl=sk&ct=clnk&cd=1
Post 04 Nov 2008, 16:22
baldr (Joined: 19 Mar 2008, Posts: 1651)
vid,

I agree, that article will definitely make it clear:
Google cache wrote:
Calling From Kernel Mode

As you (should) know, Kernel Mode components link with NTOSKRNL.LIB.
NTDLL!(Nt|Rtl|Zw)QuerySystemInformation and NTOSKRNL!ZwQuerySystemInformation.
Post 04 Nov 2008, 17:22
HyperVista (Joined: 18 Apr 2005, Posts: 691, Location: Virginia, USA)
Okay. I'm convinced.
Post 04 Nov 2008, 20:45
Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.