Sometimes calling or merely understanding a native API is crucial, in which
case it is always possible to reverse its implementation in order to determine
its purpose. If I had to make a guess I would say that now that the older ver-
sions of Windows are being slowly phased out, Microsoft won’t be so con-
cerned about developers using the native API and will soon publish some
level of documentation for it.
Technically, the native API is a set of functions exported from both
NTDLL.DLL(for user-mode callers) and from NTOSKRNL.EXE(for kernel-
mode callers). APIs in the native API always start with one of two prefixes:
either Nt or Zw, so that functions have names like NtCreateFile or
ZwCreateFile. If you’re wondering what Zwstands for—I’m sorry, I have no
idea. The one thing I do know is that every native API has two versions, an Nt
version and a Zwversion.
In their user-mode implementation in NTDLL.DLL, the two groups of APIs
are identical and actually point to the same code. In kernel mode, they are dif-
ferent: the Ntversions are the actual implementations of the APIs, while the Zw
versions are stubs that go through the system-call mechanism. The reason you
would want to go through the system-call mechanism when calling an API
from kernel mode is to “prove” to the API being called that you’re actually
calling it from kernel mode. If you don’t do that, the API might think it is being
called from user-mode code and will verify that all parameters only contain
user-mode addresses. This is a safety mechanism employed by the system to
make sure user mode calls don’t corrupt the system by passing kernel-memory
pointers. For kernel-mode code, calling the ZwAPIs is a way to simplify the
process of calling functions because you can pass regular kernel-mode pointers.
If you’d like to use or simply understand the workings of the native API, it
has been almost fully documented by Gary Nebbett in Windows NT/2000
Native API Reference,Macmillan Technical Publishing, 2000, [Nebbett].
System Calling Mechanism
It is important to develop a basic understanding of the system calling
mechanism—you’re almost guaranteed to run into code that invokes system
calls if you ever step into an operating system API. A system call takes place
when user-mode code needs to call a kernel-mode function. This frequently
happens when an application calls an operating system API. The user-mode
side of the API usually performs basic parameter validation checks and calls
down into the kernel to actually perform the requested operation. It goes
without saying that it is not possible to directly call a kernel function from user
mode—that would create a serious vulnerability because applications could
call into invalid address within the kernel and crash the system, or even call
into an address that would allow them to take control of the system.
Windows Fundamentals 91