Stack Overflow
Stack Overflow

Questions tagged [nt-native-api]

Native API is used by Windows NT and user mode applications

60 questions
31
votes
5 answers

System Calls in Windows & Native API?

Recently I've been using lot of assembly language in *NIX operating systems. I was wondering about the Windows domain. Calling convention in Linux: mov $SYS_Call_NUM, %eax mov $param1 , %ebx mov $param2 , %ecx int $0x80 Thats it. That is how we…
claws
  • 52,236
  • 58
  • 146
  • 195
19
votes
3 answers

Windows Native API: When and why use Zw vs Nt prefixed API calls?

In Native API, Microsoft exports two versions of each API call, one prefixed with Zw and one with Nt, for example. ZwCreateThread and NtCreateThread. What is the difference between those two versions of the calls and when and why should one use Zw…
Shinnok
  • 6,279
  • 6
  • 31
  • 44
13
votes
1 answer

Is there any way to call the Windows Native API functions from the user mode?

I want to call some Native API function from the user mode with C++. I was wondering if it is possible to circumvent the Windows API interface completely and call directly the Native API functions from the user mode. If possible then any code…
whatisinaname
  • 333
  • 4
  • 15
12
votes
1 answer

Are there any up-to-date books or websites on the Windows NT Native API?

NT has a mostly undocumented API, called the "Native API", upon which the common subsystems (i.e. the Windows API, OS/2 API, and POSIX (usually called "Interix" nowadays) subsystems) are implemented. Several books and websites exist which attempt to…
Billy ONeal
  • 104,103
  • 58
  • 317
  • 552
8
votes
1 answer

How to list contents of Win32 namespaces?

Is there a way to list the contents of the Win32 Device Namespaces (UNC path prefix: \\.\) and the Win32 File Namespaces (UNC path prefix: \\?\)? The goal would be to have an application suitable as a command line(1) tool that can navigate them with…
n611x007
  • 8,952
  • 8
  • 59
  • 102
7
votes
2 answers

LNK2019 unresolved external symbol NtOpenFile

I am facing linker error with my code. I am trying to compile with Visual Studio command Prompt (2010) in Win-7 X64 bit m/c. The error which i see are as below. dust2.obj dust2.obj : error LNK2019: unresolved external symbol _NtOpenFile@24…
HokageSama
  • 301
  • 1
  • 3
  • 11
7
votes
2 answers

How do you get Graphics in Native NT Text-Mode?

Apparently, the EASEUS Partition Master program can display graphics before the Windows GUI starts (i.e., it runs at the same time CheckDisk runs at boot). What I already know: This might require not-very-well-documented functions. That's fine with…
user541686
  • 205,094
  • 128
  • 528
  • 886
6
votes
1 answer

Python NtQueryDirectoryFile (File information structure)

I've written a simple (test) script to list files in a selected directory. Not using FindFirstFile; only native API. When I execute the script and watch, Win32API monitor tells me STATUS_SUCCESS. My File Information buffer is c_buffer(1024), not…
Vusal Aliyev
  • 75
  • 6
4
votes
1 answer

How to access PE resources using Windows Native API?

I have a Windows native application that contain embedded resources and I'd like to access them using the native API. Are there native functions that handle resources (something similar to FindResource/LoadResource) or I will have to create my own…
Thiago Cardoso
  • 725
  • 1
  • 5
  • 19
3
votes
1 answer

What lies at fs:[0x0] on windows?

The TEB on 32-bit Windows is located at fs:[0x0018]. What exactly is found in those 24 bytes between fs:0 and fs:0x18? (Yes, I know this undocumented and subject to change, but it'd be interesting to know...)
bdonlan
  • 224,562
  • 31
  • 268
  • 324
3
votes
2 answers

Deleting symlink created by NtCreateSymbolicLinkObject

NtCreateSymbolicLinkObject creates an object in the Windows Object Manager (you can see such links using the WinObj utility from System Internals). What is the correct way to delete a symbolic link object? I noticed that using…
Adrian S
  • 514
  • 7
  • 16
3
votes
0 answers

How can I place data in WOW64's 32 bit registry view from the NT Native API?

I have an application where I am restricted to using the NtCreateKey / ZwCreateKey function(s). (e.g. in a driver) There is another application I don't control which runs under WOW64, which reads a value from this registry key. I want to set the…
Billy ONeal
  • 104,103
  • 58
  • 317
  • 552
2
votes
2 answers

NtQueryObject returns wrong insufficient required size via WOW64, why?

I am using the NT native API NtQueryObject()/ZwQueryObject() from user mode (and I am aware of the risks in general and I have written kernel mode drivers for Windows in the past in my professional capacity). Generally when one uses the typical…
0xC0000022L
  • 20,597
  • 9
  • 86
  • 152
2
votes
2 answers

How to open a file by id with DELETE access?

Using the NT native function NtCreateFile it's possible to open a file by id using the FILE_OPEN_BY_FILE_ID create option. However, in doing so the DELETE access flag appears to be ignored. If I set it the file will open fine but any attempt to…
ChrisD
  • 3,378
  • 3
  • 35
  • 40
2
votes
1 answer

Fast way to find process id by name

Task is: find process id by executable name. Calling application is 32 bit, finding process can be 32 or 64 bit Solution: #include #include #include #include #include #pragma comment(lib,…
goldstar
  • 327
  • 4
  • 15
1
2 3 4