windows & 中的系统调用原生 API? [英] System Calls in windows & Native API?

问题描述

最近我在 *NIX 操作系统中使用了很多汇编语言.我想知道 Windows 域.

<小时>

Linux 中的调用约定:

mov $SYS_Call_NUM, %eaxmov $param1 , %ebxmov $param2 , %ecx整数 $0x80

就是这样.这就是我们应该如何在 linux 中进行系统调用.

linux中所有系统调用的引用:

关于 $SYS_Call_NUM &我们可以使用哪些参数参考:http://docs.cs.up.ac.za/programming/asm/derick_tut/syscalls.html

官方参考:http://kernel.org/doc/man-pages/online/dir_section_2.html

<小时>

Windows 中的调用约定:

???

Windows 中所有系统调用的引用:

???

非官方:http://www.metasploit.com/users/opcode/syscalls.html ，但是除非我知道调用约定，否则我如何在汇编中使用它们.

官方:???

• 如果你说，他们没有记录下来.那么如何在不知道系统调用的情况下为 Windows 编写 libc 呢?如何进行 Windows 汇编编程?至少在驱动程序编程中需要了解这些.对吗?

<小时>

现在，所谓的原生 API 怎么样了?是 Native API &windows 的系统调用 都是指同一事物的不同术语?为了确认我比较了来自两个非官方来源的这些

系统调用:http://www.metasploit.com/users/opcode/syscalls.html

原生 API:http://undocumented.ntinternals.net/aindex.html>

我的观察:

1. 所有系统调用都以字母 Nt 开头，而 Native API 由许多不以字母 Nt 开头的函数组成.
2. windows 的系统调用 是Native API 的子集.系统调用只是 Native API 的一部分.

谁能证实这一点并解释一下.

还有另一个答案.这是第二个答案.我真的很喜欢它，但我不知道为什么回答者删除了它.我请求他重新发布他的回答.

解决方案

如果您在 Windows 下进行汇编编程，则无需进行手动系统调用.您可以使用 NTDLL 和本机 API 来为您做到这一点.

Native API 只是内核模式方面的一个包装器.它所做的只是为正确的 API 执行系统调用.

您永远不需要手动系统调用，因此您的整个问题都是多余的.

Linux 系统调用代码不会改变，Windows 会改变，这就是为什么您需要通过额外的抽象层(又名 NTDLL)来工作.

此外，即使您在程序集级别工作，您仍然可以完全访问 Win32 API，没有理由一开始就使用 NT API！导入、导出等在汇编程序中都可以正常工作.

编辑 2:

如果您真的想进行手动系统调用，您将需要为每个相关的 Windows 版本反转 NTDLL，添加版本检测(通过 PEB)，并为每个调用执行系统调用查找.

然而，这很愚蠢.NTDLL 的存在是有原因的.

人们已经完成了逆向工程部分:参见 https://j00ru.vexillium.org/syscalls/nt/64/ 获取每个 Windows 内核的系统调用号表.(请注意，即使在 Windows 10 版本之间，后面的行也会发生变化.)同样，在您自己的机器上进行仅供个人使用的实验之外，这是一个坏主意，可以了解有关 asm 和/或 Windows 内部结构的更多信息.不要将系统调用内联到您分发给其他人的代码中.

Recently I've been using lot of Assembly language in *NIX operating systems. I was wondering about the windows domain.

---

Calling convention in linux:

mov $SYS_Call_NUM, %eax
mov $param1 , %ebx
mov $param2 , %ecx
int $0x80

Thats it. That is how we should make a system call in linux.

Reference of all system calls in linux:

Regarding which $SYS_Call_NUM & which parameters we can use this reference : http://docs.cs.up.ac.za/programming/asm/derick_tut/syscalls.html

OFFICIAL Reference : http://kernel.org/doc/man-pages/online/dir_section_2.html

---

Calling convention in Windows:

???

Reference of all system calls in Windows:

???

Unofficial : http://www.metasploit.com/users/opcode/syscalls.html , but how do I use these in assembly unless I know the calling convention.

OFFICIAL : ???

• If you say, they didn't documented it. Then how is one going to write libc for windows without knowing system calls? How is one gonna do Windows Assembly programming? Atleast in the driver programming one needs to know these. right?

---

Now, whats up with the so called Native API? Is Native API & System calls for windows both are different terms referring to same thing? In order to confirm I compared these from two UNOFFICIAL Sources

System Calls: http://www.metasploit.com/users/opcode/syscalls.html

Native API: http://undocumented.ntinternals.net/aindex.html

My observations:

1. All system calls are beginning with letters Nt where as Native API is consisting of lot of functions which are not beginning with letters Nt.
2. System Call of windows are subset of Native API. System calls are just part of Native API.

Can any one confirm this and explain.

EDIT:

There was another answer. It was a 2nd answer. I really liked it but I don't know why answerer has deleted it. I request him to repost his answer.

解决方案

If you're doing assembly programming under Windows you don't do manual syscalls. You use NTDLL and the Native API to do that for you.

The Native API is simply a wrapper around the kernelmode side of things. All it does is perform a syscall for the correct API.

You should NEVER need to manually syscall so your entire question is redundant.

Linux syscall codes do not change, Windows's do, that's why you need to work through an extra abstraction layer (aka NTDLL).

EDIT:

Also, even if you're working at the assembly level, you still have full access to the Win32 API, there's no reason to be using the NT API to begin with! Imports, exports, etc all work just fine in assembly programs.

EDIT2:

If you REALLY want to do manual syscalls, you're going to need to reverse NTDLL for each relevant Windows version, add version detection (via the PEB), and perform a syscall lookup for each call.

However, that would be silly. NTDLL is there for a reason.

People have already done the reverse-engineering part: see https://j00ru.vexillium.org/syscalls/nt/64/ for a table of system-call numbers for each Windows kernel. (Note that the later rows do change even between versions of Windows 10.) Again, this is a bad idea outside of personal-use-only experiments on your own machine to learn more about asm and/or Windows internals. Don't inline system calls into code that you distribute to anyone else.

这篇关于windows &amp; 中的系统调用原生 API?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！