Native API

From Wikipedia, the free encyclopedia

The Native API (with a capitalized N) is the publicly available but only incompletely documented application programming interface used internally by the Windows NT family of operating systems produced by Microsoft.[1] Most of the Native API calls are in ntdll.dll and ntoskrnl.exe (and its variants).

While most of Microsoft Windows is implemented using the documented and well-defined Windows API, a few components, such as the Client/Server Runtime Subsystem, are implemented using the Native API, as they are started early enough in the Windows NT startup process that the Windows API is not yet available.

Some rootkits make use of the Native API to hide their presence from malware detection software.[2]

Two specific areas where Microsoft has provided documentation for Native API calls include the Installable File System and Driver Development Kit SDKs.

Function groups

The Native API comprises many functions. By convention, most of these functions have a two- or three-letter prefix:

  • Nt or Zw are system calls declared in ntdll and ntoskrnl. When called in ntdll, these groups are almost exactly the same; they trap into kernel mode and call the equivalent function in ntoskrnl via a lookup table. When calling the functions directly in ntoskrnl (only possible in kernel mode), the Zw variant goes through the mentioned lookup table to the Nt variant, while the Nt variant is the actual implementation.
  • Rtl is the second largest group of ntdll calls. These comprise the (extended) C Run-Time Library, which includes many utility functions that can be used by native applications, yet don't directly involve kernel support.
  • Csr are Client-Server functions that are used to communicate with the csrss daemon.
  • Dbg are debugging aid functions such as a software break point.
  • Ki are upcalls from kernel mode for things like APC dispatching.
  • Ldr are loader functions for PE file handling and starting of new processes.
  • Nls are Native Language Support functions (similar to code pages).
  • Pfx are prefix-handling functions.
  • C runtime are functions that are needed for a very basic C runtime execution, such as malloc(), strlen(), sprintf() and floor().

gdi32 includes several other calls that trap into kernel mode. These were not part of the original Windows NT design, as can be seen in Windows NT 3.5. However, because of the performance limits of hardware of that era, it was decided to move the graphics subsystem into the kernel. As a result, system calls in the range 0x1000-0x1FFF are serviced by win32k.sys (instead of ntoskrnl.exe, which handles 0-0x0FFF), and are declared in gdi32. These functions have the Gdi prefix.

There are also many more groups that are exported from ntoskrnl and therefore are usable only in kernel mode. These may or may not be counted as Native API, depending on whom you ask (since the Native API is not fully officially documented, there is no one answer). Such groups include Ex (executive), Io (input/output), Ke (kernel routines), Lpc (Local Procedure Call), Lsa (Local Security Authority), Mm (Memory Management), Ob (Object Manager), Se (Security) and others.
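The prefix convention above is what an analyst leans on when triaging a binary's import table: direct Nt/Zw imports from ntdll mean the sample bypasses the documented Windows API layer. The following is an added example (not from the article or from Microsoft) that classifies export names by the prefix groups described, maps a system call number to the kernel image that serves it, and lists the direct system call imports; the sample import list is constructed.

```python
"""Triage helper for Native API names, following the prefix groups described above."""

# Groups exported from ntdll (user mode). A prefix must be followed by an
# uppercase letter so that names like "Ntdll" or "ntohs" are not mis-matched.
NTDLL_GROUPS = {
    "Nt": "system call stub (traps into ntoskrnl)",
    "Zw": "system call stub (same as Nt when called from ntdll)",
    "Rtl": "run-time library (no kernel transition)",
    "Csr": "client/server (talks to csrss)",
    "Dbg": "debugging aid",
    "Ki": "kernel-to-user upcall (e.g. APC dispatch)",
    "Ldr": "loader",
    "Nls": "native language support",
    "Pfx": "prefix handling",
    "Gdi": "graphics system call (gdi32 -> win32k.sys)",
}
# Groups exported only from ntoskrnl, usable only in kernel mode.
KERNEL_ONLY_GROUPS = {"Ex", "Io", "Ke", "Lpc", "Lsa", "Mm", "Ob", "Se"}
# System call number ranges and the image that services them.
SYSCALL_RANGES = ((0x0000, 0x0FFF, "ntoskrnl.exe"), (0x1000, 0x1FFF, "win32k.sys"))


def classify(name):
    """Return (prefix, description) for an exported name."""
    for prefix, desc in NTDLL_GROUPS.items():
        if name.startswith(prefix) and name[len(prefix):][:1].isupper():
            return prefix, desc
    for prefix in sorted(KERNEL_ONLY_GROUPS, key=len, reverse=True):
        if name.startswith(prefix) and name[len(prefix):][:1].isupper():
            return prefix, "kernel mode only (ntoskrnl export)"
    if name[:1].islower():          # malloc, strlen, sprintf, floor, ...
        return "", "C runtime"
    return None, "no Native API prefix"


def dispatcher_for(syscall_id):
    """Which kernel image serves a system call number, per the ranges above."""
    for low, high, image in SYSCALL_RANGES:
        if low <= syscall_id <= high:
            return image
    raise ValueError(f"syscall id {syscall_id:#x} outside known ranges")


def direct_syscall_imports(imports):
    """Imports that call Nt/Zw stubs directly, bypassing the documented Windows API."""
    return [n for n in imports if classify(n)[0] in ("Nt", "Zw")]


# Constructed sample import list from a hypothetical user-mode binary.
SAMPLE_IMPORTS = ["CreateFileW", "NtQuerySystemInformation", "RtlInitUnicodeString",
                  "ZwClose", "LdrLoadDll", "memcpy", "Ntdll"]
```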

The Windows 2000 version of ntdll includes floating-point emulation functions, but these are no longer exported from ntdll as of Windows XP.
