If you’re going to be doing serious reversing of Windows applications, it is
important to understand the Win32 API. No matter which high-level interface
an application employs (if any), it eventually uses the Win32 API to
communicate with the OS. Some applications call the native API directly, but
that is quite rare; see the section on the native API below.
The core Win32 API contains roughly 2,000 functions (the exact count depends
on the Windows version and on whether undocumented Win32 APIs are included).
These functions are divided into three categories: Kernel, USER, and GDI.
Figure 3.3 shows the relation between the Win32 interface DLLs, NTDLL.DLL,
and the kernel components.
Figure 3.3 The Win32 interface DLLs and their relation to the kernel components.
[Figure 3.3 layout: inside the application process (user mode), the application modules call KERNEL32.DLL (BASE API client component), USER32.DLL (USER API client component), and GDI32.DLL (GDI API client component), all of which call down into NTDLL.DLL (native API interface). Below the user-mode/kernel-mode line sit NTOSKRNL.EXE (the Windows kernel) and WIN32K.SYS (the Win32 kernel implementation).]
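To see which of the interface DLLs in Figure 3.3 a given executable actually depends on, and whether it bypasses the Win32 client DLLs and calls NTDLL.DLL directly, walk the import table of the PE file. The following is an added example, not code from the book: it parses the import directory of a PE32/PE32+ file using only the Python standard library and groups the imported DLLs into the layers of the figure. The names in `LAYER_OF_DLL` are the DLLs named in the figure; `build_sample_pe` constructs a minimal PE image in memory as test input, so the functions it imports (CreateFileW, WriteFile, MessageBoxW, NtQueryInformationProcess) are sample data and not any real program's import list.

```python
import struct

# Win32 interface DLLs from Figure 3.3, keyed to their layer; any other DLL is a
# higher-level library that itself ends up calling into one of these.
LAYER_OF_DLL = {
    "kernel32.dll": "Kernel (BASE) API",
    "user32.dll": "USER API",
    "gdi32.dll": "GDI API",
    "ntdll.dll": "Native API",
}

def parse_imports(data):
    """Return {dll_name: [function names]} from the bytes of a PE32/PE32+ file as stored on disk."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    is_pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # DataDirectory begins at +96 (PE32) or +112 (PE32+); entry 1 is the import table.
    imp_rva = struct.unpack_from("<I", data, opt + (112 if is_pe32plus else 96) + 8)[0]
    # Section headers (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) map RVAs to file offsets.
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(num_sections)]

    def rva_to_off(rva):
        for vsize, va, raw_size, raw_ptr in sections:
            if va <= rva < va + max(vsize, raw_size):
                return raw_ptr + rva - va
        raise ValueError("RVA %#x lies outside every section" % rva)

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii")

    imports = {}
    if imp_rva == 0:
        return imports
    desc = rva_to_off(imp_rva)
    thunk_fmt, thunk_len, ord_flag = ("<Q", 8, 1 << 63) if is_pe32plus else ("<I", 4, 1 << 31)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:                      # all-zero descriptor terminates the table
            break
        funcs = []
        thunk = rva_to_off(oft or ft)          # some linkers leave OriginalFirstThunk zero
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ord_flag:
                funcs.append("#%d" % (entry & 0xFFFF))          # import by ordinal
            else:
                funcs.append(cstr(rva_to_off(entry) + 2))        # skip the hint WORD
            thunk += thunk_len
        imports[cstr(rva_to_off(name_rva)).lower()] = funcs
        desc += 20
    return imports

def classify(imports):
    """Group the imported DLLs by the layer of Figure 3.3 they belong to."""
    layers = {}
    for dll in imports:
        layers.setdefault(LAYER_OF_DLL.get(dll, "other (higher-level or third-party)"), []).append(dll)
    return layers

def build_sample_pe():
    """Constructed test input: a minimal PE32 whose one section holds nothing but an import table."""
    wanted = {"KERNEL32.dll": ["CreateFileW", "WriteFile"],      # sample names, not a real program's
              "USER32.dll": ["MessageBoxW"],
              "ntdll.dll": ["NtQueryInformationProcess"]}
    sec_rva, sec_raw = 0x1000, 0x200
    blob = bytearray(20 * (len(wanted) + 1))   # descriptor array (filled in below) plus terminator
    descs = []
    for dll, funcs in wanted.items():
        name_rva = sec_rva + len(blob)
        blob += dll.encode() + b"\0"
        hints = []
        for f in funcs:
            blob += b"\0" * (len(blob) % 2)    # IMAGE_IMPORT_BY_NAME entries are WORD-aligned
            hints.append(sec_rva + len(blob))
            blob += b"\0\0" + f.encode() + b"\0"
        blob += b"\0" * (-len(blob) % 4)
        ilt_rva = sec_rva + len(blob)          # import lookup table, then an identical IAT
        blob += b"".join(struct.pack("<I", h) for h in hints) + b"\0\0\0\0"
        iat_rva = sec_rva + len(blob)
        blob += b"".join(struct.pack("<I", h) for h in hints) + b"\0\0\0\0"
        descs.append((ilt_rva, name_rva, iat_rva))
    for i, (ilt, name, iat) in enumerate(descs):
        struct.pack_into("<IIIII", blob, 20 * i, ilt, 0, 0, name, iat)
    dos = bytearray(b"MZ").ljust(0x3C, b"\0") + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)          # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                  # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, sec_rva, 20 * (len(wanted) + 1))  # DataDirectory[1]
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(blob), sec_rva, len(blob), sec_raw, 0, 0, 0, 0, 0x40000040)
    return bytes((dos + b"PE\0\0" + coff + opt + sect).ljust(sec_raw, b"\0") + blob)
```

On a real binary, call `classify(parse_imports(open(path, "rb").read()))`. An `ntdll.dll` entry under "Native API" is the case the text calls rare: the program talks to NTDLL.DLL directly instead of going through the Win32 client DLLs, which is worth knowing before you start tracing its system interaction. Note that delay-loaded imports and functions resolved at run time with GetProcAddress do not appear in this table, so an empty or short import list does not mean the program avoids the Win32 API.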