Zw*与Nt*的区别
生活随笔
收集整理的這篇文章主要介紹了
Zw*与Nt*的区别
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
某些Zw*和Nt*函數既在ntdll.dll中導出又在ntoskrnl.exe中導出,他們有什么區別呢?
我們分三部分比較:
step 1: ntdll.dll中的Zw*和Nt*有什么區別?
step 2: ntoskrnl.exe中的Zw*和Nt*有什么區別?
step 3: ntdll.dll中的Zw*與ntoskrnl.exe中的Zw*有什么區別??
??????? ntdll.dll中的Nt*與ntoskrnl.exe中的Nt*有什么區別?
在下面的討論中我們以ZwCreateFile和NtCreateFile為例
討論前:我先貼點Kd給我們的答案
Part1:
kd> u Ntdll! ZwCreateFile L4
ntdll!ZwCreateFile:
77f87cac b820000000?????? mov???? eax,0x20
77f87cb1 8d542404???????? lea???? edx,[esp+0x4]
77f87cb5 cd2e???????????? int???? 2e
77f87cb7 c22c00?????????? ret???? 0x2c
kd> u Ntdll! NtCreateFile L4
ntdll!ZwCreateFile:
77f87cac b820000000?????? mov???? eax,0x20
77f87cb1 8d542404???????? lea???? edx,[esp+0x4]
77f87cb5 cd2e???????????? int???? 2e
77f87cb7 c22c00?????????? ret???? 0x2c
Part2:
kd> u Nt!ZwCreateFile L4
nt!ZwCreateFile:
8042fa70 b820000000?????? mov???? eax,0x20
8042fa75 8d542404???????? lea???? edx,[esp+0x4]
8042fa79 cd2e???????????? int???? 2e
8042fa7b c22c00?????????? ret???? 0x2c
kd> u Nt!NtCreateFile L14
nt!NtCreateFile:
804a7172 55?????????????? push??? ebp
804a7173 8bec???????????? mov???? ebp,esp
804a7175 33c0???????????? xor???? eax,eax
804a7177 50?????????????? push??? eax
804a7178 50?????????????? push??? eax
804a7179 50?????????????? push??? eax
804a717a ff7530?????????? push??? dword ptr [ebp+0x30]
804a717d ff752c?????????? push??? dword ptr [ebp+0x2c]
804a7180 ff7528?????????? push??? dword ptr [ebp+0x28]
804a7183 ff7524?????????? push??? dword ptr [ebp+0x24]
804a7186 ff7520?????????? push??? dword ptr [ebp+0x20]
804a7189 ff751c?????????? push??? dword ptr [ebp+0x1c]
804a718c ff7518?????????? push??? dword ptr [ebp+0x18]
804a718f ff7514?????????? push??? dword ptr [ebp+0x14]
804a7192 ff7510?????????? push??? dword ptr [ebp+0x10]
804a7195 ff750c?????????? push??? dword ptr [ebp+0xc]
804a7198 ff7508?????????? push??? dword ptr [ebp+0x8]
804a719b e8b284ffff?????? call??? nt!IoCreateFile (8049f652)
804a71a0 5d?????????????? pop???? ebp
804a71a1 c22c00?????????? ret???? 0x2c
1) Part1 輸出的是Ntdll.dll中ZwCreateFile和NtCreateFile的匯編代碼,我們發現實現是一樣的;
eax是中斷號,edx是函數的參數起始地址([Esp]是返回地址);從而我可以大膽的說:Ntdll.dll中ZwCreateFile和NtCreateFile功能是一樣的作用:都是調用int 2E中斷;
IDA給我們的答案:
.text:77F87CAC ; Exported entry? 92. NtCreateFile
.text:77F87CAC ; Exported entry 740. ZwCreateFile
.text:77F87CAC
.text:77F87CAC
.text:77F87CAC???????????????? public ZwCreateFile
.text:77F87CAC ZwCreateFile??? proc near?????????????? ;
.text:77F87CAC
.text:77F87CAC arg_0?????????? = dword ptr? 4
.text:77F87CAC
.text:77F87CAC???????????????? mov???? eax, 20h??????? ; NtCreateFile
.text:77F87CB1???????????????? lea???? edx, [esp+arg_0]
.text:77F87CB5???????????????? int???? 2Eh???????????? ; DOS 2+ internal - EXECUTE COMMAND
.text:77F87CB5???????????????????????????????????????? ; DS:SI -> counted CR-terminated command string
.text:77F87CB7???????????????? retn??? 2Ch
.text:77F87CB7 ZwCreateFile??? endp
原來在ntdll中NtCreateFile只是ZwCreateFile的別名。
2) Part2 輸出的是Ntoskrnl.exe中ZwCreateFile和NtCreateFile的匯編代碼,也許令你很失望,匯編代碼不一樣;ZwCreateFile中eax是中斷號,edx是函數的參數起始地址,然后調用int 2E中斷; NtCreateFile只是把參數入棧去調用IoCreateFile;
他們的區別是:NtCreateFile是實現代碼,而ZwCreateFile仍通過中斷來實現功能,2E軟中斷的20h子中斷號的處理程序是NtCreateFile;這樣一說他們是沒區別了?錯!NtCreateFile是在ring0下了,而ZwCreateFile是通過int 2E進入ring0的,而不論ZwCreateFile處于什么模式下。
3)?從而我們得出:
?? ntdll.dll中ZwCreateFile與ntoskrnl.exe中ZwCreateFile的區別是:前者是user Mode application called,后者是Kernel Mode driver Called;
???ntdll.dll中NtCreateFile與ntoskrnl.exe中NtCreateFile區別是:前者在ring3下工作,后者在ring0下工作;前者通過中斷實現,后者是前者的中斷處理程序。
注: 以前弄的東西,今天才寫的,不知道有沒有問題,望見諒!如果還有不清楚的參見: http://www.osronline.com/article.cfm?article=257 ?(Osronline/The Nt Insider/The Nt Insider 2003 Archive)
我們分三部分比較:
step 1: ntdll.dll中的Zw*和Nt*有什么區別?
step 2: ntoskrnl.exe中的Zw*和Nt*有什么區別?
step 3: ntdll.dll中的Zw*與ntoskrnl.exe中的Zw*有什么區別??
??????? ntdll.dll中的Nt*與ntoskrnl.exe中的Nt*有什么區別?
在下面的討論中我們以ZwCreateFile和NtCreateFile為例
討論前:我先貼點Kd給我們的答案
Part1:
kd> u Ntdll! ZwCreateFile L4
ntdll!ZwCreateFile:
77f87cac b820000000?????? mov???? eax,0x20
77f87cb1 8d542404???????? lea???? edx,[esp+0x4]
77f87cb5 cd2e???????????? int???? 2e
77f87cb7 c22c00?????????? ret???? 0x2c
kd> u Ntdll! NtCreateFile L4
ntdll!ZwCreateFile:
77f87cac b820000000?????? mov???? eax,0x20
77f87cb1 8d542404???????? lea???? edx,[esp+0x4]
77f87cb5 cd2e???????????? int???? 2e
77f87cb7 c22c00?????????? ret???? 0x2c
Part2:
kd> u Nt!ZwCreateFile L4
nt!ZwCreateFile:
8042fa70 b820000000?????? mov???? eax,0x20
8042fa75 8d542404???????? lea???? edx,[esp+0x4]
8042fa79 cd2e???????????? int???? 2e
8042fa7b c22c00?????????? ret???? 0x2c
kd> u Nt!NtCreateFile L14
nt!NtCreateFile:
804a7172 55?????????????? push??? ebp
804a7173 8bec???????????? mov???? ebp,esp
804a7175 33c0???????????? xor???? eax,eax
804a7177 50?????????????? push??? eax
804a7178 50?????????????? push??? eax
804a7179 50?????????????? push??? eax
804a717a ff7530?????????? push??? dword ptr [ebp+0x30]
804a717d ff752c?????????? push??? dword ptr [ebp+0x2c]
804a7180 ff7528?????????? push??? dword ptr [ebp+0x28]
804a7183 ff7524?????????? push??? dword ptr [ebp+0x24]
804a7186 ff7520?????????? push??? dword ptr [ebp+0x20]
804a7189 ff751c?????????? push??? dword ptr [ebp+0x1c]
804a718c ff7518?????????? push??? dword ptr [ebp+0x18]
804a718f ff7514?????????? push??? dword ptr [ebp+0x14]
804a7192 ff7510?????????? push??? dword ptr [ebp+0x10]
804a7195 ff750c?????????? push??? dword ptr [ebp+0xc]
804a7198 ff7508?????????? push??? dword ptr [ebp+0x8]
804a719b e8b284ffff?????? call??? nt!IoCreateFile (8049f652)
804a71a0 5d?????????????? pop???? ebp
804a71a1 c22c00?????????? ret???? 0x2c
1) Part1 輸出的是Ntdll.dll中ZwCreateFile和NtCreateFile的匯編代碼,我們發現實現是一樣的;
eax是中斷號,edx是函數的參數起始地址([Esp]是返回地址);從而我可以大膽的說:Ntdll.dll中ZwCreateFile和NtCreateFile功能是一樣的作用:都是調用int 2E中斷;
IDA給我們的答案:
.text:77F87CAC ; Exported entry? 92. NtCreateFile
.text:77F87CAC ; Exported entry 740. ZwCreateFile
.text:77F87CAC
.text:77F87CAC
.text:77F87CAC???????????????? public ZwCreateFile
.text:77F87CAC ZwCreateFile??? proc near?????????????? ;
.text:77F87CAC
.text:77F87CAC arg_0?????????? = dword ptr? 4
.text:77F87CAC
.text:77F87CAC???????????????? mov???? eax, 20h??????? ; NtCreateFile
.text:77F87CB1???????????????? lea???? edx, [esp+arg_0]
.text:77F87CB5???????????????? int???? 2Eh???????????? ; DOS 2+ internal - EXECUTE COMMAND
.text:77F87CB5???????????????????????????????????????? ; DS:SI -> counted CR-terminated command string
.text:77F87CB7???????????????? retn??? 2Ch
.text:77F87CB7 ZwCreateFile??? endp
原來在ntdll中NtCreateFile只是ZwCreateFile的別名。
2) Part2 輸出的是Ntoskrnl.exe中ZwCreateFile和NtCreateFile的匯編代碼,也許令你很失望,匯編代碼不一樣;ZwCreateFile中eax是中斷號,edx是函數的參數起始地址,然后調用int 2E中斷; NtCreateFile只是把參數入棧去調用IoCreateFile;
他們的區別是:NtCreateFile是實現代碼,而ZwCreateFile仍通過中斷來實現功能,2E軟中斷的20h子中斷號的處理程序是NtCreateFile;這樣一說他們是沒區別了?錯!NtCreateFile是在ring0下了,而ZwCreateFile是通過int 2E進入ring0的,而不論ZwCreateFile處于什么模式下。
3)?從而我們得出:
?? ntdll.dll中ZwCreateFile與ntoskrnl.exe中ZwCreateFile的區別是:前者是user Mode application called,后者是Kernel Mode driver Called;
???ntdll.dll中NtCreateFile與ntoskrnl.exe中NtCreateFile區別是:前者在ring3下工作,后者在ring0下工作;前者通過中斷實現,后者是前者的中斷處理程序。
注: 以前弄的東西,今天才寫的,不知道有沒有問題,望見諒!如果還有不清楚的參見: http://www.osronline.com/article.cfm?article=257 ?(Osronline/The Nt Insider/The Nt Insider 2003 Archive)
總結
以上是生活随笔為你收集整理的Zw*与Nt*的区别的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: html怎么给没张图片添加单击事件,如何
- 下一篇: windows调试器设置