
I would like to know if there is an option, and if so how exactly, to write raw bytes to a file without using Win32 API file handling calls while in Windows.

I tried a straightforward approach using x86 asm direct file calls, but without success in the meantime.

dalimama

2 Answers

You can try using the native API from ntdll or even direct syscalls (int 2eh or the sysenter instruction), but it's quite tricky - you need to use kernel-style filenames, for one.

Igor Skochinsky
  • +1, but the OP should note that using the native API instead of the Win32 API doesn't usually gain you anything very useful. For example, the same locking and security rules apply. – Harry Johnston Jun 28 '12 at 04:22
  • Igor, @HarryJohnston thanks. Is the native API passing through the Win32 API in the background, or does it take its own way to conduct file writing? – dalimama Jun 28 '12 at 15:37
  • It's the other way around: Win32 APIs (kernel32) use native ones (ntdll) to do their work. But in the end, everything ends up in the kernel. – Igor Skochinsky Jun 28 '12 at 17:17
  • What does a "kernel-style filename" look like? – Melab Sep 13 '16 at 15:55
  • @Melab: https://googleprojectzero.blogspot.be/2016/02/the-definitive-guide-on-win32-to-nt.html – Igor Skochinsky Sep 13 '16 at 21:09

Before answering your question, let me mention that writing to a file using the API in Windows consists of the following (simplified) stages:

  1. You call WriteFile (kernel32.dll)
  2. WriteFile calls NtWriteFile (ntdll.dll)
  3. NtWriteFile calls SYSENTER and the operation proceeds to kernel mode
  4. In kernel mode the NtWriteFile function of Ntoskrnl.exe is called
  5. This sends an IRP_MJ_WRITE to the file system driver
  6. The file system driver determines which sectors should be written and passes them to the storage driver
  7. Storage driver sends a command to the hard drive to actually write data to specified sectors
  8. Hard drive writes the data

All operations 1 to 7 are very fast compared to 8 (unless you are working with a RAM drive or an extremely fast SSD).

Method 1 - You can skip Step 1 easily (by calling NtWriteFile), and Step 2 (by calling SYSENTER - not easy). However, you will not gain any performance improvement, so there is no point in doing it. Consider WriteFile just a wrapper for those (I don't think you are after eliminating one extra function call).

Method 2 - You can find out which sectors the file occupies and write to them directly (effectively skipping all steps down to Step 7). To do that you will need to open and lock the volume, find the clusters that the target file occupies with an FSCTL_GET_RETRIEVAL_POINTERS call, and call WriteFile on the volume handle. But it will be an unfair comparison, because the file system driver not only writes to the data sectors, but also updates file system metadata when you call WriteFile.

Bottom line is - "Testing efficiency over Win32 API" doesn't make much sense. You can skip some of the stuff that the OS does, but that either won't give you any difference in speed (Method 1) or will be an unfair comparison (Method 2).

Isso
  • +1. Another set of options involve writing a device driver so that your code is running in kernel mode. Yet another set involve writing your code (or part of it) for the BIOS and running it outside of Windows altogether. However, I doubt that any of these options would allow anyone to measure anything very useful. – Harry Johnston Jun 29 '12 at 00:53
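The two pieces both answers touch on, as an added example that is not code from either answer: a helper that builds the kernel-style (`\??\`) name Igor's answer mentions, and a Windows-only function that takes Method 1 from Isso's answer and writes through ntdll's NtCreateFile/NtWriteFile instead of kernel32's WriteFile. The NtWriteFile prototype and the names `win32_to_nt_path` / `nt_write_raw` are this example's own assumptions; as Harry Johnston's comment notes, the kernel still applies the same ACL and sharing checks either way.

```c
#include <ctype.h>
#include <string.h>

/* Convert a Win32 path to the object-manager ("kernel-style") form that
 * NtCreateFile expects: "C:\x" and "\\?\C:\x" both become "\??\C:\x".
 * UNC, relative and device paths are deliberately rejected (-1).        */
int win32_to_nt_path(const char *win32, char *out, size_t outlen)
{
    const char *rest;
    if (strncmp(win32, "\\\\?\\", 4) == 0)
        rest = win32 + 4;                       /* \\?\ prefix maps to \??\ */
    else if (strlen(win32) >= 3 && isalpha((unsigned char)win32[0]) &&
             win32[1] == ':' && win32[2] == '\\')
        rest = win32;                           /* plain drive path        */
    else
        return -1;
    if (strlen(rest) + 4 + 1 > outlen)
        return -1;                              /* would overflow out      */
    memcpy(out, "\\??\\", 4);
    strcpy(out + 4, rest);
    return 0;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#pragma comment(lib, "ntdll.lib")
/* winternl.h does not declare NtWriteFile; prototype supplied here (assumption). */
NTSYSAPI NTSTATUS NTAPI NtWriteFile(HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID,
    PIO_STATUS_BLOCK, PVOID, ULONG, PLARGE_INTEGER, PULONG);
/* "Method 1": bypass kernel32's WriteFile and call ntdll directly. The
 * syscall, the file system driver and the ACL/sharing checks still run
 * in the kernel exactly as before. Returns the first failing NTSTATUS. */
NTSTATUS nt_write_raw(const wchar_t *nt_path, const void *buf, ULONG len)
{
    UNICODE_STRING name; OBJECT_ATTRIBUTES oa; IO_STATUS_BLOCK iosb;
    HANDLE h; NTSTATUS st;
    RtlInitUnicodeString(&name, nt_path);      /* must already be \??\... */
    InitializeObjectAttributes(&oa, &name, OBJ_CASE_INSENSITIVE, NULL, NULL);
    st = NtCreateFile(&h, FILE_GENERIC_WRITE, &oa, &iosb, NULL,
                      FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF,
                      FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE,
                      NULL, 0);
    if (!NT_SUCCESS(st)) return st;
    st = NtWriteFile(h, NULL, NULL, NULL, &iosb, (PVOID)buf, len, NULL, NULL);
    NtClose(h);
    return st;
}
#endif
```

On Windows, convert the path with `win32_to_nt_path`, widen it, and pass it to `nt_write_raw`; the path helper alone is portable and compiles anywhere.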