tags:

views:

85

answers:

2
Q: 

what is the difference between ZwOpenFile and NtOpenFile?

ZWOpenFile and NtOpenFile are both the functions of nt dll..ZwOpenFile is implemented as same as NtopenFile..but I dont understand why ZWopenFile is included in nt dll function.Can anyone please explain me the difference?

+2  A: 

This is documented in MSDN:

A kernel-mode driver calls the Zw version of a native system services routine to inform the routine that the parameters come from a trusted, kernel-mode source. In this case, the routine assumes that it can safely use the parameters without first validating them. However, if the parameters might be from either a user-mode source or a kernel-mode source, the driver instead calls the Nt version of the routine, which determines, based on the history of the calling thread, whether the parameters originated in user mode or kernel mode. For more information about how the routine distinguishes user-mode parameters from kernel-mode parameters, see PreviousMode.

Basically it relates to how the parameters are validated.

Dean Harding  2010-06-01 06:02:12
+1  A: 

Generally, kernel drivers should only use the ZwXxx() functions.

When called from user mode, the ZwXxx() and NtXxx() functions are exactly the same - they resolve to the same bits of code in ntdll.dll.

When called from a kernel-mode driver, the Zwxxx() variant ensures that a flag used by the kernel is set to indicate that the requestor mode (what's supposed to indicate the caller's mode) is kernel mode. If a kernel driver calls the NtXxx() variant the requestor mode isn't explicitly set so it's left alone and might indicate user or kernel mode, depending on what has occurred in the call stack up to this point.

If the requestor mode flag is set to user mode, the kernel will validate parameters, which might not be the right thing to do (especially if the kernel driver is passing in kernel mode buffers, as the validation will fail in that case), if it's set to kernel mode, the kernel implicitly trusts parameters.

So the rules for using these API names generally boils down to: if you're writing a kernel driver, call the ZwXxx() version (unless you're dealing with special situations, and you know what you're doing and why). If you're writing a user mode component, it doesn't matter which set you call.

As far as I know, Microsoft only documents the NtXxx() for use in user-mode (where it indicates that they are the user-mode equivalent to the corresponding ZwXxx() function).

Michael Burr  2010-06-01 06:22:30

related questions

Which is more preferable to use in Python: lambda functions or nested functions ('def') ?
How do you determine Daylight Savings Time in VBA?
How do you pass a member function pointer?
How do you find Leapyear in VBA?
C++ Function List
How to convert an "object" into a function in JavaScript?
Classic asp include
What is the standard format for documenting functions in php?
Javascript curry - what are the practical applications?
Is there a function in python to split a word into a list?
Why was the arguments.callee.caller property deprecated in JavaScript?
Tools for finding unused function declarations?
Good explanation of "Combinators" (For non mathematicians)
How can I generate a list of function dependencies in MATLAB?
Comparing std::tr1::function<> objects
How can I avoid the warning fom an unused parameter in PLSQ?
Excel Macro Help
How to Truncate a string in PHP to the word closest to a certain number of characters?
Worse sin: side effects or passing massive objects?
C++ overload resolution
PHP: Can I reference a single member of an array that is returned by a function ?
In PHP is it possible to use a function inside a variable
Best way to convert DateTime to "n Hours Ago" in SQL
PowerShell - how do I do a string replacement in a function?
How do you pass a function as a parameter in C?