Windows Architecture

A processor in a machine running the Windows operating system can operate in one of two modes: User Mode and Kernel Mode. Applications run in User Mode, and operating system components run in Kernel Mode.

When an application wants to complete a task, let's say creating a file, it cannot do so on its own. The only entity that can complete the task is the kernel, so applications instead have to follow a specific function call flow.

Windows_Architecture.png

  1. User Processes - A program or application executed by the user, such as Notepad, Chrome, Notion or Word.
  2. Subsystem DLLs - DLLs that contain the API functions called by user processes. For example, Kernel32.dll exports the CreateFile WinAPI function. Other common subsystem DLLs are ntdll.dll, advapi32.dll and user32.dll.
  3. Ntdll.dll - A system-wide DLL which is the lowest layer available in user mode. This special DLL makes the transition from user mode to kernel mode. Its functions are often referred to as the Native API or NTAPI.
  4. Executive Kernel - This is the Windows kernel; it calls other modules and drivers to complete tasks. It is partially stored in a file called ntoskrnl.exe under "C:\Windows\System32".

Function Call Flow

Function_Call_Flow.png

The above image shows how the function call flow looks when a user application creates a file.

  1. It begins with the user application calling the CreateFile WinAPI function, which resides in Kernel32.dll. Kernel32.dll is a critical DLL that exposes the WinAPI to applications, which is why it is loaded by most applications.
  2. CreateFile calls its equivalent NTAPI function, NtCreateFile, which is provided by ntdll.dll.
  3. Ntdll.dll then executes a sysenter/syscall assembly instruction, which transfers execution to kernel mode.
  4. The kernel's NtCreateFile function then runs and calls kernel drivers and modules to perform the requested task.

Directly Invoking the Native API (NTAPI)

Applications can directly invoke the Native APIs from ntdll.dll without going through the Windows APIs. The WinAPI simply acts as a wrapper around the Native API.

The first reason this is rarely done is that the Native API is not officially documented, which makes it hard to use directly.

The second reason is that these NTAPIs can be modified by Microsoft, so using them directly is not advised.
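To make the wrapper relationship concrete, here is an added example in C (not code from the page): the two translations kernel32!CreateFileW performs before it reaches ntdll!NtCreateFile, followed by a call that resolves NtCreateFile from ntdll.dll at run time and invokes it directly. The NT constant values and the CreateFile-to-NtCreateFile disposition table come from Microsoft's public documentation; the helper names, the 512-character buffers and the simplified drive-letter-only path conversion are this example's own assumptions.

```c
/* Added example, not from the page: the translation kernel32!CreateFileW does on
 * its way to ntdll!NtCreateFile, plus the direct NTAPI call (Windows only). */
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#endif
/* NtCreateFile CreateDisposition values (ntifs.h), redefined so the mapping
 * can be compiled and checked on any platform. */
enum { NT_FILE_SUPERSEDE, NT_FILE_OPEN, NT_FILE_CREATE, NT_FILE_OPEN_IF,
       NT_FILE_OVERWRITE, NT_FILE_OVERWRITE_IF };

/* Win32 dwCreationDisposition (1..5) -> NT CreateDisposition, the table Microsoft documents for ZwCreateFile. */
int win32_disposition_to_nt(unsigned long win32)
{
    static const int map[] = { -1, NT_FILE_CREATE /*CREATE_NEW*/, NT_FILE_OVERWRITE_IF /*CREATE_ALWAYS*/,
        NT_FILE_OPEN /*OPEN_EXISTING*/, NT_FILE_OPEN_IF /*OPEN_ALWAYS*/, NT_FILE_OVERWRITE /*TRUNCATE_EXISTING*/ };
    return win32 < 6 ? map[win32] : -1;   /* -1 for any unknown Win32 value */
}

/* Win32 drive path -> NT object manager path ("C:\d\f" -> "\??\C:\d\f"). kernel32 uses
 * RtlDosPathNameToNtPathName_U, which also handles UNC and relative paths; this version does not. */
int win32_path_to_nt(const char *win32, char *out, size_t cap)
{
    if (strlen(win32) < 2 || win32[1] != ':' || strlen(win32) + 5 > cap) return 0;
    strcpy(out, "\\??\\"); strcat(out, win32);
    return 1;
}

#ifdef _WIN32
typedef NTSTATUS (NTAPI *NtCreateFile_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES,
    PIO_STATUS_BLOCK, PLARGE_INTEGER, ULONG, ULONG, ULONG, ULONG, PVOID, ULONG);
/* Create/open a file by calling ntdll!NtCreateFile directly. Returns 1 on success. */
int nt_create_file_direct(const char *win32_path, unsigned long win32_disposition)
{
    char nt_path[512]; wchar_t wpath[512];
    if (win32_disposition_to_nt(win32_disposition) < 0 || !win32_path_to_nt(win32_path, nt_path, sizeof nt_path)) return 0;
    size_t n = mbstowcs(wpath, nt_path, 512);           /* wide chars written */
    NtCreateFile_t fn = (NtCreateFile_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtCreateFile");
    UNICODE_STRING name = { (USHORT)(n * 2), (USHORT)(n * 2 + 2), wpath };
    OBJECT_ATTRIBUTES oa; IO_STATUS_BLOCK iosb; HANDLE h;
    InitializeObjectAttributes(&oa, &name, 0x40 /* OBJ_CASE_INSENSITIVE */, NULL, NULL);
    NTSTATUS st = fn(&h, FILE_GENERIC_WRITE | SYNCHRONIZE, &oa, &iosb, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ,
        (ULONG)win32_disposition_to_nt(win32_disposition), 0x20 /* FILE_SYNCHRONOUS_IO_NONALERT */, NULL, 0);
    if (st < 0) return 0;                               /* NTSTATUS failure, e.g. name not found */
    CloseHandle(h); return 1;
}
#endif
```

On Windows, `nt_create_file_direct("C:\\Temp\\demo.txt", 2)` behaves like `CreateFileW` with `CREATE_ALWAYS`, but the call leaves the process from ntdll.dll rather than Kernel32.dll, which is exactly the layer the call-flow diagram above shows.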

Objectives