views:

555

answers:

4

Recently I've been using lot of Assembly language in *NIX operating systems. I was wondering about the windows domain.


Calling convention in linux:

mov $SYS_Call_NUM, %eax
mov $param1 , %ebx
mov $param2 , %ecx
int $0x80

Thats it. That is how we should make a system call in linux.

Reference of all system calls in linux:

Regarding which $SYS_Call_NUM & which parameters we can use this reference : http://docs.cs.up.ac.za/programming/asm/derick_tut/syscalls.html

OFFICIAL Reference : http://kernel.org/doc/man-pages/online/dir_section_2.html


Calling convention in Windows:

???

Reference of all system calls in Windows:

???

Unofficial : http://www.metasploit.com/users/opcode/syscalls.html , but how do I use these in assembly unless I know the calling convention.

OFFICIAL : ???

  • If you say, they didn't documented it. Then how is one going to write libc for windows without knowing system calls? How is one gonna do Windows Assembly programming? Atleast in the driver programming one needs to know these. right?

Now, whats up with the so called Native API? Is Native API & System calls for windows both are different terms referring to same thing? In order to confirm I compared these from two UNOFFICIAL Sources

System Calls: http://www.metasploit.com/users/opcode/syscalls.html

Native API: http://undocumented.ntinternals.net/aindex.html

My observations:

  1. All system calls are beginning with letters Nt where as Native API is consisting of lot of functions which are not beginning with letters Nt.
  2. System Call of windows are subset of Native API. System calls are just part of Native API.

Can any one confirm this and explain.

EDIT:

There was another answer. It was a 2nd answer. I really liked it but I don't know why answerer has deleted it. I request him to repost his answer.

+1  A: 

Windows system calls are performed by calling into system DLLs such as kernel32.dll or gdi32.dll, which is done with ordinary subroutine calls. The mechanisms for trapping into the OS privileged layer is undocumented, but that is okay because DLLs like kernel32.dll do this for you.

And by system calls, I'm referring to documented Windows API entry points like CreateProcess() or GetWindowText(). Device drivers will generally use a different API from the Windows DDK.

Will
1. How am I gonna use these in Assembly language programming?2. Windows API and system calls are not the same thing. WINDOWS API *use* system calls. The similar analogy on linux domain would be POSIX API (WINDOWS API) use system calls provided by linux kernel (windows kernel). So, my concern is about the *true* system calls.
claws
I understand that there's a difference between API calls and traps into the OS privileged layer (what you call "true" system calls). These "true" system calls are an implementation detail of Windows system DLLs. You might be able to figure out how they work by disassembling the DLLs and looking at the assembly. Or you could just write your assembly code to call into the DLLs as appropriate... it's possible.
Will
+3  A: 

If you're doing assembly programming under Windows you don't do manual syscalls. You use NTDLL and the Native API to do that for you.

The Native API is simply a wrapper around the kernelmode side of things. All it does is perform a syscall for the correct API.

You should NEVER need to manually syscall so your entire question is redundant.

Linux syscall codes do not change, Windows's do, that's why you need to work through an extra abstraction layer (aka NTDLL).

EDIT:

Also, even if you're working at the assembly level, you still have full access to the Win32 API, there's no reason to be using the NT API to begin with! Imports, exports, etc all work just fine in assembly programs.

EDIT2:

If you REALLY want to do manual syscalls, you're going to need to reverse NTDLL for each relevant Windows version, add version detection (via the PEB), and perform a syscall lookup for each call.

However, that would be silly. NTDLL is there for a reason.

RaptorFactor
claws
What assembler are you using? If you're using MASM for example the easiest way would be to just use 'INVOKE'.The first Google result I found that outlined it is:http://www.movsd.com/masm.htm
RaptorFactor
claws
That article is not what you're looking for.It shows how to perform manual syscalls, which you should not be doing because the numbers change across Windows versions and service packs.As I've already stated, you should be using the Windows API to perform the dispatching for you.NTDLL is mapped into all processes automatically. So even if for some reason you can't use imports (I can't think of any reasonable times where this would be the case) you can still get a handle to NTDLL and enumerate the EAT manually to get the necessary function pointers (though you should never have to).
RaptorFactor
Agreed!! but still knowing stuff doesn't harm right?
claws
Of course not. I was just trying to make it clear that the particular information you were referring to is not relevant to your question because you don't need to know how the system dispatch process works in order to make system calls in Windows. That's why the high-level Win32 API (or heck, even the NT API) is there, to abstract away such irrelevant details.
RaptorFactor
+1  A: 

OFFICIAL Calling convention in Windows: http://msdn.microsoft.com/en-us/library/7kcdt6fy.aspx

(hope this link survives in the future; if it doesn't, just search for "x64 Software Conventions" on MSDN).

The function calling convention differs in Linux & Windows x86_64. In both ABIs, parameters are preferably passed via registers, but the registers used differ. More on the Linux ABI can be found at http://www.x86-64.org/documentation/abi.pdf

claws
+3  A: 

The other thing you need to know about the windows syscall convention is that as I understand it the syscall tables are generated as part of the build process. This means that they can simply change - no one tracks them. If someone adds a new one at the top of the list, it doesn't matter. NTDLL still works, so everyone else who calls NTDLL still works.

Even the mechanism used to perform syscalls (which int, or sysenter) is not fixed in stone and has changed in the past, and I think that once upon a time the same version of windows used different DLLs which used different entry mechanisms depending on the CPU in the machine.

Stewart
+1 because I found this very interesting. Do you have any resources (internet or books) where one can learn more about that kind of Win32 API / syscall internals?
stakx
It is a bit out of date, but Inside Windows 2000 covers this I think. http://www.nynaeve.net/?p=48 has a nice discussion and also demonstrates that there are at last three syscall conventions in use on windows on x86 and x64. IA64 probably does something totally different again, and then of course there was Alpha, PowerPC, MIPS and probably others.Of course, usual caveat applies - all undocumented and likely to change.
Stewart