Guide | How To [Theory] Native Windows API (NTAPI)


ttyssh

Aug 3, 2018
Hi,
I have a few questions.
So if I understand correctly:
Example:
OpenProcess is a Win32 API function (wrapper?) that calls ntdll.dll (Native API), which in turn calls the corresponding function in the kernel, right? What function does it call in the kernel?
Are the prefixes Nt (example: NtOpenProcess) and Zw (example: ZwOpenProcess) aliases?
Is NtOpenProcess / ZwOpenProcess just user mode?
What function do I need to use in the kernel?

PS: sorry for bad English >.>
 

maka

Jul 1, 2018
Hi
OpenProcess is a Win32 API function (wrapper?) that calls ntdll.dll (Native API), which in turn calls the corresponding function in the kernel, right?
As far as I know, you're right. If you open kernel32.dll on W10 with IDA (which has a free version, IDA Free) you'll see this:
openprocess-kernel32.png


OpenProcess from kernel32.dll will call OpenProcess from KernelBase.dll (on W10):
openprocess-KernelBase.png

OpenProcess (kernel32.dll) => OpenProcess (KernelBase.dll) => NtOpenProcess (ntdll.dll)


Are the prefixes Nt (example: NtOpenProcess) and Zw (example: ZwOpenProcess) aliases?
Yes, NtOpenProcess and ZwOpenProcess in usermode are the same:
nt-zw-Openprocess.png



What function does it call in the kernel?
If I'm not mistaken, when you call NtOpenProcess/ZwOpenProcess from user mode it will call the real NtOpenProcess from ntoskrnl.exe, and if you call ZwOpenProcess from kernel mode it will call ZwOpenProcess (ntoskrnl.exe).

What function do I need to use in the kernel?
In kernel mode use ZwOpenProcess.

sorry for bad English
Welcome to the club :)

It's a pity that users like Wave and Opcode are no longer in the forum because they have a great knowledge about reversing and Windows Internals. I hope that one day they will return.
PS: I may be wrong in some of my affirmations. If someone finds false information in my post, please let me know.

Andy Ful

Dec 23, 2014
It's a pity that users like Wave and Opcode are no longer in the forum because they have a great knowledge about reversing and Windows Internals. I hope that one day they will return.
kram7750, Wave, and Opcode (Deleted member 65228) are the names of the same smart and knowledgeable guy. There are some very interesting tutorials posted by him over the years. I also hope to see him again here on MalwareTips. You both seem to have a similar interest in programming, so it would be interesting to see your discussions.
 

maka

Jul 1, 2018
kram7750, Wave, and Opcode (Deleted member 65228) are the names of the same smart and knowledgeable guy. There are some very interesting tutorials posted by him over the years.
Honestly, I suspected that they were the same user due to some similarities in their posts. Now I have no doubt.
I respect this user a lot and I consider that his tutorials are a very valuable resource.

You both seem to have a similar interest in programming, so it would be interesting to see your discussions.
Thanks for your words :)
Yes, sure, we have similar interests in programming/reversing/Windows internals, but, being humble, this guy is on another level.

Regards! (y)
 

ttyssh

Aug 3, 2018
Oh, thanks for the help.

I'm trying to learn how to program drivers in kernel mode.
Can I use all the functions of ntdll.dll in the driver (kernel mode)? Or only functions of ntoskrnl?

EDIT:
Why doesn't NtOpenProcess have arguments? There are many functions without arguments..
OpenProcess.png
 

thepown3der

Apr 21, 2021
Nice topic ...
Win32 API for software programming is better than NTAPI,
but NTAPI for security, however, evading security or defeating it, it's more than better.
 

lain

Jul 12, 2022
Oh, thanks for the help.

I'm trying to learn how to program drivers in kernel mode.
Can I use all the functions of ntdll.dll in the driver (kernel mode)? Or only functions of ntoskrnl?

EDIT:
Why doesn't NtOpenProcess have arguments? There are many functions without arguments..

Those Nt* functions *do* have arguments; what you're seeing is the syscall number being moved into the eax register before the syscall and the first argument (rcx) being moved to r10.
You use Nt* functions from Ntdll in usermode, and their equivalents in ntoskrnl in the Kernel.

Edit: Wow lol I didn't see the thread was from 2018 :ROFLMAO:
 
