Doubt in Native API

Question

Jishnu 160 Posting Pro

16 Years Ago

Hello,

I've read in a book that APIs in the native APIs start with one of the two prefixes: Either Nt or Zw, so that the functions have names like NtCreateFile or ZwCreateFile. What does Zw stand for?

It further says:

Both versions actually point to the same code in the user mode implementation in NTDLL.DLL. In kernel mode, they are different. The Nt versions are the actual implementations of the APIs, while Zw versions are stubs that go through the system call mechanism.

I'm not able to understand this thing in the italics. Any help would be appreciated...
-Jishnu.

c++

3 Contributors
7 Replies
140 Views
1 Day Discussion Span
Latest Post 16 Years Ago Latest Post by Jishnu

Narue 5,707 Bad Cop

16 Years Ago

You might find this enlightening, but it's pretty in depth.

Jishnu commented: Excellent article :) +2

dubeyprateek 26 Junior Poster

16 Years Ago

Why is that so?

Two reasons::
1) Microsoft may change behaviour of these APIs without any notifications. Therefore your application may break.
2) Microsoft does not 'supports' usage of thses APIs.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Narue 5,707 Bad Cop Team Colleague · Answer 1 · 2007-12-17T23:42:10+00:00

>What does Zw stand for?
It's a mystery. The common assumption is that Zw was chosen because it meant absolutely nothing and there was little chance of something popping up that would make it significant.

>I'm not able to understand this thing in the italics.
Put simply, the Zw* versions will do some magic kernel stuff when called in kernel mode, and the Nt* versions won't. In user mode, both evaluate to the same thing.

Jishnu 160 Posting Pro · Answer 2 · 2007-12-17T23:46:36+00:00

>What does Zw stand for?
It's a mystery. The common assumption is that Zw was chosen because it meant absolutely nothing and there was little chance of something popping up that would make it significant.

That is interesting!!

If possible, I'm needing some more elaborate explanation for this:

Zw versions are stubs that go through the system call mechanism.

meaning what are stubs and the need for going through the system call mechanism..

dubeyprateek 26 Junior Poster · Answer 3 · 2007-12-18T03:48:26+00:00

Narue has pointed to a great article. To udestand this article you may need Debugging tools for windows. http://www.microsoft.com/whdc/devtools/debugging/default.mspx
However, these are non-documented APIs you should avoid calling from user mode application.

Jishnu 160 Posting Pro · Answer 4 · 2007-12-18T22:00:20+00:00

Yes, the article is pretty in depth. I appreciate it for the details. I'm familiar with some of the terms used. The unfamiliar ones will help me to go into enough depth in my reversing course. Thank you Narue :)

Thanks dubeyprateek for that link.

these are non-documented APIs you should avoid calling from user mode application.

Why is that so?

Jishnu 160 Posting Pro · Answer 5 · 2007-12-19T09:16:55+00:00

Jishnu 160 Posting Pro

16 Years Ago

Got it. Thanks :)