Chapter 4/ System Briefing

However, this is not the case with Windows, which refers to its system call interface as the Native API. Like the Wizard of Oz, Microsoft has opted to leave the bulk of its true nature behind a curtain. Rather than let applications access operating system services through the system call interface directly, the architects in Redmond have decided to veil them behind yet another layer of code. Pay no attention to the man behind the curtain, booms the mighty Oz; focus instead on the ball of fire known as the Windows API.

Note: Old habits die hard. In this book, I'll use the terms "system call interface" and "native API" interchangeably.

One can only guess the true motivation for this decision. Certain unnamed network security companies would claim that it's Microsoft's way of keeping the upper hand. After all, if certain operations can only be performed via the Native API, and you're the only one who knows how to use it, you can bet that you possess a certain amount of competitive advantage. On the other hand, leaving the Native API undocumented might also be Microsoft's way of leaving room to accommodate change. This way, if a system patch involves updating the system call interface, developers aren't left out in the cold, because their code relies on the Windows API (which is less of a moving target).

In this section, I describe the Windows system call interface. I'll start by looking at the kernel-mode structures that facilitate Native API calls and then demonstrate how they can be used to enumerate the API. Next, I'll examine which of the Native API calls are documented and how you can glean information about a particular call even if you don't have formal documentation. I'll end the section by tracing the execution path of Native API calls as they make their journey from user mode to kernel mode.

The IVT Grows Up

In real-mode operating systems, like MS-DOS, the interrupt vector table (IVT) was the primary system-level data structure; the formal entryway to the kernel. Every DOS system call could be invoked by a software-generated interrupt (typically via the INT 0x21 instruction, with a function code placed in the AH register). In Windows, the IVT has been reborn as the interrupt dispatch table (IDT), which the Intel processor manuals call the interrupt descriptor table, and it has lost some of its former luster. This doesn't mean that the IDT isn't useful (it can still serve as a viable entry point into kernel space); it's just not the all-consuming focal structure it was back in the days of real mode.
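To make the contrast between the two tables concrete, here is an added example (my own code, not from the book) that decodes a real-mode IVT entry and a 32-bit protected-mode IDT gate descriptor from raw bytes. The IVT stores 256 four-byte far pointers (offset, then segment) starting at linear address 0, so the INT 0x21 handler lives at segment*16 + offset; the 32-bit IDT stores 256 eight-byte gate descriptors whose handler address is split across two 16-bit halves, with a present bit and a DPL that decides whether ring 3 may reach the gate with a software INT. The table contents below (the addresses 0070:1234 and 0x80401234, the selector 0x0008) are constructed for illustration and are not a dump from any real system; the helper names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: decode IVT entries and 32-bit IDT gates from raw table
   bytes. All table images below are constructed, not captured from a system. */

#define TABLE_ENTRIES   256
#define IVT_ENTRY_SIZE  4   /* real-mode far pointer: offset, then segment   */
#define IDT_GATE_SIZE   8   /* 32-bit protected-mode gate descriptor        */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* IVT entry n is the little-endian far pointer {offset, segment} at linear
   address n*4. Real-mode handler address: segment*16 + offset. */
uint32_t ivt_handler_linear(const uint8_t *ivt, uint8_t vector)
{
    const uint8_t *e = ivt + (size_t)vector * IVT_ENTRY_SIZE;
    uint16_t off = le16(e);
    uint16_t seg = le16(e + 2);
    return ((uint32_t)seg << 4) + off;
}

/* 32-bit IDT gate layout: bytes 0-1 offset[15:0], 2-3 code selector,
   4 reserved (zero), 5 type/attributes (P bit 7, DPL bits 6:5, S bit 4 = 0,
   gate type bits 3:0), 6-7 offset[31:16]. */
struct idt_gate {
    uint32_t offset;
    uint16_t selector;
    uint8_t  gate_type;   /* 0xE = 32-bit interrupt gate, 0xF = 32-bit trap gate */
    uint8_t  dpl;
    uint8_t  present;
};

struct idt_gate idt_decode32(const uint8_t *idt, uint8_t vector)
{
    const uint8_t *e = idt + (size_t)vector * IDT_GATE_SIZE;
    struct idt_gate g;
    g.offset    = (uint32_t)le16(e) | ((uint32_t)le16(e + 6) << 16);
    g.selector  = le16(e + 2);
    g.gate_type = e[5] & 0x0F;
    g.dpl       = (e[5] >> 5) & 0x03;
    g.present   = (e[5] >> 7) & 0x01;
    return g;
}

/* A software INT n issued at CPL 3 only succeeds if the gate is present and
   its DPL is 3; otherwise the CPU raises #GP. That DPL check is what decides
   whether a given gate is a usable entry point into kernel space from ring 3. */
int idt_gate_user_callable(const struct idt_gate *g)
{
    return g->present && g->dpl == 3;
}

/* Constructed sample tables (hypothetical values). */
static uint8_t sample_ivt[TABLE_ENTRIES * IVT_ENTRY_SIZE];
static uint8_t sample_idt[TABLE_ENTRIES * IDT_GATE_SIZE];

static void ivt_set(uint8_t *ivt, uint8_t vector, uint16_t seg, uint16_t off)
{
    uint8_t *e = ivt + (size_t)vector * IVT_ENTRY_SIZE;
    e[0] = (uint8_t)off; e[1] = (uint8_t)(off >> 8);
    e[2] = (uint8_t)seg; e[3] = (uint8_t)(seg >> 8);
}

static void idt_set32(uint8_t *idt, uint8_t vector, uint32_t off, uint16_t sel, uint8_t type_attr)
{
    uint8_t *e = idt + (size_t)vector * IDT_GATE_SIZE;
    e[0] = (uint8_t)off;         e[1] = (uint8_t)(off >> 8);
    e[2] = (uint8_t)sel;         e[3] = (uint8_t)(sel >> 8);
    e[4] = 0;                    e[5] = type_attr;
    e[6] = (uint8_t)(off >> 16); e[7] = (uint8_t)(off >> 24);
}

void build_sample_tables(void)
{
    memset(sample_ivt, 0, sizeof sample_ivt);
    memset(sample_idt, 0, sizeof sample_idt);
    ivt_set(sample_ivt, 0x21, 0x0070, 0x1234);             /* DOS INT 21h at 0070:1234 */
    idt_set32(sample_idt, 0x21, 0x80401234u, 0x0008, 0x8E); /* P=1, DPL=0, interrupt gate */
    idt_set32(sample_idt, 0x22, 0x80405678u, 0x0008, 0xEE); /* P=1, DPL=3, interrupt gate */
}

int main(void)
{
    build_sample_tables();
    printf("INT 21h (real mode) -> linear 0x%05X\n", ivt_handler_linear(sample_ivt, 0x21));
    for (int v = 0x21; v <= 0x22; v++) {
        struct idt_gate g = idt_decode32(sample_idt, (uint8_t)v);
        printf("IDT[0x%02X]: handler 0x%08X sel 0x%04X type 0x%X DPL %u %s\n",
               v, g.offset, g.selector, g.gate_type, g.dpl,
               idt_gate_user_callable(&g) ? "(callable from ring 3)" : "(ring 0 only)");
    }
    return 0;
}
```

The same decoding applies to a real IDT image read from memory (for example, one captured with a kernel debugger); the only thing that changes is the source of the bytes. A gate with DPL 3 is the kind of entry point the text has in mind when it says the IDT can still serve as a way into kernel space.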