Chapter 4 / System Briefing
ntdll!KiFastSystemCall:
77da0f30 8bd4 mov edx,esp
77da0f32 0f34 sysenter
77da0f34 c3 ret
As discussed earlier, the SYSENTER instruction compels program control to
jump to the KiFastCallEntry() routine in ntoskrnl.exe. This will lead to the
invocation of the native NtWriteFile() procedure. This whole programmatic
song-and-dance is best summarized by Figure 4.14.
Figure 4.14
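The five stub bytes in the listing above (8b d4 0f 34 c3) are enough to check whether a captured copy of ntdll!KiFastSystemCall still reaches SYSENTER unmodified. The following C code is an added example, not code from the book; the function names, status codes and sample buffers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stub bytes from the listing: mov edx,esp / sysenter / ret */
static const uint8_t EXPECTED_STUB[] = { 0x8b, 0xd4, 0x0f, 0x34, 0xc3 };

/* Hypothetical status codes for this example. */
enum stub_status { STUB_INTACT, STUB_REDIRECTED, STUB_MODIFIED, STUB_TRUNCATED };

/* Offset of the SYSENTER opcode (0f 34) in buf, or -1 if it is absent. */
int find_sysenter(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (buf[i] == 0x0f && buf[i + 1] == 0x34)
            return (int)i;
    return -1;
}

/* Compare a captured copy of the stub against the expected bytes. */
enum stub_status check_stub(const uint8_t *buf, size_t len)
{
    if (len < sizeof EXPECTED_STUB)
        return STUB_TRUNCATED;
    if (memcmp(buf, EXPECTED_STUB, sizeof EXPECTED_STUB) == 0)
        return STUB_INTACT;
    /* A leading jmp (e9 rel32 / eb rel8) means control leaves the stub
       before SYSENTER is reached. */
    if (buf[0] == 0xe9 || buf[0] == 0xeb)
        return STUB_REDIRECTED;
    return STUB_MODIFIED;
}

int main(void)
{
    /* Constructed samples: a clean copy and a copy overwritten with a jmp. */
    const uint8_t clean[]   = { 0x8b, 0xd4, 0x0f, 0x34, 0xc3 };
    const uint8_t patched[] = { 0xe9, 0x10, 0x20, 0x30, 0x40 };

    printf("clean:   status=%d sysenter@%d\n",
           (int)check_stub(clean, sizeof clean), find_sysenter(clean, sizeof clean));
    printf("patched: status=%d sysenter@%d\n",
           (int)check_stub(patched, sizeof patched), find_sysenter(patched, sizeof patched));
    return 0;
}
```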
Other Kernel-Mode Routines
In addition to the Native API (which consists of more than 400 different
system calls), the Windows executive exports hundreds of other routines. All
told, the ntoskrnl.exe binary exports 2,184 functions. Many of these
system-level calls can be grouped together under a particular Windows subsystem or
within a common area of functionality (see Figure 4.15).