- Native API
-
The Native API (with capitalized N) is the publicly- and incompletely-documented application programming interface used internally by the Windows NT family of operating systems produced by Microsoft.[1]. It is predominately used during system boot, when other components of Windows are unavailable. The Program Entry point is called DriverEntry(), the same as for a Windows Device Driver. However, the application runs in Ring 3 the same as a regular Windows Application. Most of the Native API calls are implemented in ntoskrnl.exe and are exposed to user mode by ntdll.dll. Some Native API calls are implemented in user mode directly within ntdll.dll.
While most of Microsoft Windows is implemented using the documented and well-defined Windows API, a few components, such as the Client/Server Runtime Subsystem, are implemented using the Native API, as they can be started earlier in the Windows NT Startup Process when the Windows API is not yet available.
Some malware make use of the Native API to hide their presence from malware detection software.[2]
Contents
Function groups
The Native API comprises many functions. They include C runtime functions that are needed for a very basic C runtime execution, such as strlen(), sprintf() and floor(). Other common procedures like malloc(), printf(), scanf() are missing. The vast majority of other Native API routines, by convention, have a 2 or 3 letter prefix, which is:
- Nt or Zw are system calls declared in ntdll.dll and ntoskrnl.exe. When called from ntdll.dll in user mode, these groups are almost exactly the same; they trap into kernel mode and call the equivalent function in ntoskrnl.exe via a branch table. When calling the functions directly in ntoskrnl.exe (only possible in kernel mode), the Zw variants ensure kernel mode, whereas the Nt variants do not.[3] The Zw prefix does not stand for anything.[4]
- Rtl is the second largest group of ntdll calls. These comprise the (extended) C Run-Time Library, which includes many utility functions that can be used by native applications, yet don't directly involve kernel support.
- Csr are client-server functions that are used to communicate with the Win32 subsystem process, csrss.exe (csrss stands for client/server runtime sub-system).
- Dbg are debugging aid functions such as a software break point.
- Ki are upcalls from kernel-mode for things like APC dispatching.
- Ldr are loader functions for PE file handling and starting of new processes.
- Nls for Native Language Support (similar to code pages).
- Pfx for prefix handling.
Gdi32.dll includes several other calls that trap into kernel-mode. These were not part of the original Windows NT design, as can be seen in Windows NT 3.5. However, due to performance issues of hardware of that age, it was decided to move the graphics subsystem into kernel mode. As such, system call in the range of 0x1000-0x1FFF are satisfied by win32k.sys (instead of ntoskrnl.exe as done for 0-0x0FFF), and are declared in gdi32.dll. These functions have the Gdi prefix.
There are also many more groups exported from ntoskrnl.exe and therefore are usable only in kernel mode. These may or may not be counted for Native API, depending on whom you ask (since the Native API is not fully officially documented, there is no one answer). Such groups include Cc (cache controller), Ex (Windows Executive), FsRtl (file system runtime), Io (I/O manager), Ke (core kernel routines), Ks (kernel streaming), Lpc (Local Procedure Call), Lsa (Local Security Authority), Mm (memory management), Ob (Object Manager), Ps (Process management), Se (security), Po (power management) and others.[5][6][7][8][9][10]
See also
References
- ^ Mark Russinovich (1998–2004). "Inside the Native API". Sysinternals. Archived from the original on 2006-03-15. http://web.archive.org/web/20060315213024/http://www.sysinternals.com/Information/NativeApi.html. Retrieved 2008-02-28.
- ^ Jason Coombs (June 21, 2005). "Win32 API Obscurity for I/O Blocking and Intrusion Prevention". Dr. Dobb's Journal. http://www.ddj.com/dept/security/184406098. Retrieved 2007-01-04.
- ^ The NT Insider, Vol 10, Issue 4, July-August 2003 (2009). "Print an article from OSR Online". OSR Online. http://www.osronline.com/custom.cfm?name=articlePrint.cfm&id=257. Retrieved 2009-06-13.
- ^ Raymond Chen (2009). "The Old New Thing : What does the "Zw" prefix mean?". Microsoft Corporation. http://blogs.msdn.com/oldnewthing/archive/2009/06/03/9687937.aspx. Retrieved 2009-06-13.
- ^ Microsoft Corporation (2009). "I/O Manager Routines". Microsoft Corporation. http://msdn.microsoft.com/en-us/library/ms800694.aspx. Retrieved 2009-06-13.
- ^ Microsoft Corporation (2009). "Cache Manager Routines". Microsoft Corporation. http://msdn.microsoft.com/en-us/library/ms791427.aspx. Retrieved 2009-06-13.
- ^ Microsoft Corporation (2009). "Power Manager Routines". Microsoft Corporation. http://msdn.microsoft.com/en-us/library/ms806577.aspx. Retrieved 2009-06-13.
- ^ Microsoft Corporation (2009). "Core Kernel Library Support Routines". Microsoft Corporation. http://msdn.microsoft.com/en-us/library/ms801948.aspx. Retrieved 2009-06-13.
- ^ Microsoft Corporation (2009). "File System Runtime Library Routines". Microsoft Corporation. http://msdn.microsoft.com/en-us/library/ms795378.aspx. Retrieved 2009-06-13.
- ^ Raymond Chen (2009). "The Old New Thing : What does the "Zw" prefix mean?". Microsoft Corporation. http://blogs.msdn.com/oldnewthing/archive/2009/06/03/9687937.aspx. Retrieved 2009-06-13.
External links
Categories:- Microsoft application programming interfaces
- Operating system APIs
Wikimedia Foundation. 2010.