System Calls in Windows & Native API?


Problem description

Recently I've been using a lot of assembly language in *NIX operating systems. I was wondering about the Windows domain.

Calling convention in Linux:

mov $SYS_Call_NUM, %eax    # system call number
mov $param1 , %ebx         # first argument
mov $param2 , %ecx         # second argument
int $0x80                  # enter the kernel (i386 ABI)

That's it. That is how we should make a system call in Linux.

Reference for all system calls in Linux:

Regarding which $SYS_Call_NUM and which parameters to use, we can use this reference: http://docs.cs.up.ac.za/programming/asm/derick_tut/syscalls.html

Official reference: http://kernel.org/doc/man-pages/online/dir_section_2.html

Calling convention in Windows:

???

Reference for all system calls in Windows:

???

Unofficial: http://www.metasploit.com/users/opcode/syscalls.html , but how do I use these in assembly unless I know the calling convention?

Official: ???


  • If you say that they didn't document it, then how is one supposed to write a libc for Windows without knowing the system calls? How would one do assembly language programming on Windows? At least in drivers one needs to know these. Right?

Now, what's up with the so-called Native API? Are "Native API" and "system calls" for Windows two different terms referring to the same thing? In order to confirm, I compared these from two UNOFFICIAL sources:

System calls: http://www.metasploit.com/users/opcode/syscalls.html

Native API: http://undocumented.ntinternals.net/aindex.html

My observations:


  1. All system calls begin with the letters Nt, whereas the Native API consists of a lot of functions which do not begin with the letters Nt.
  2. System calls of Windows are a subset of the Native API. System calls are just a part of the Native API.

Can anyone confirm this and explain?

Edit:

There was another answer. It was a 2nd answer. I really liked it, but I don't know why the answerer has deleted it. I request him to repost his answer.

Recommended answer

If you're doing assembly programming under Windows, you don't do manual syscalls. You use NTDLL and the Native API to do that for you.

The Native API is simply a wrapper around the kernel-mode side of things. All it does is perform a syscall for the correct API.

You should NEVER need to manually syscall, so your entire question is redundant.

Linux syscall codes do not change; Windows's do. That's why you need to work through an extra abstraction layer (aka NTDLL).

Edit:

Also, even if you're working at the assembly level, you still have full access to the Win32 API; there's no reason to be using the NT API to begin with! Imports, exports, etc. all work just fine in assembly programs.

EDIT2:

If you REALLY want to do manual syscalls, you're going to need to reverse NTDLL for each relevant Windows version, add version detection (via the PEB), and perform a syscall lookup for each call.

However, that would be silly. NTDLL is there for a reason.
