Windows 中方法的通用格式定义为:
<Prefix><Operation><Object>
- Prefix:表示导出例程的内部组件
- Operation:表示这个方法的行为,怎么操作对象或者资源
- Object:标识要操作的对象或资源
常见的 Prefix:
| Prefix | Component |
|---|---|
| Alpc | Advanced Local Procedure Calls |
| Cc | Common Cache |
| Cm | Configuration manager |
| Csr | Client Server Runtime- communication with the Windows Subsystem process (Csrss.exe) functions. |
| Dbg | Kernel debug support |
| Dbgk | Debugging Framework for user mode |
| Em | Errata manager |
| Etw | Event Tracing for Windows |
| Ex | Executive support routines |
| FsRtl | File System Runtime Library |
| Hv | Hive library |
| Hvl | Hypervisor library |
| Io | I/O manager |
| Kd | Kernel debugger |
| Ke | Kernel |
| Kse | Kernel Shim Engine |
| Lsa | Local Security Authority |
| Mm | Memory manager |
| Nt | NT system services (accessible from user mode through system calls) |
| Ob | Object manager |
| Pf | Prefetcher |
| Po | Power manager |
| PoFx | Power framework |
| Pp | PnP manager |
| Ppm | Processor power manager |
| Ps | Process support |
| Rtl | Run-time library |
| Se | Security Reference Monitor |
| Sm | Store Manager |
| Tm | Transaction manager |
| Tp | Thread pool related functions |
| Ttm | Terminal timeout manager |
| Vf | Driver Verifier |
| Vsl | Virtual Secure Mode library |
| Wdi | Windows Diagnostic Infrastructure |
| Wfp | Windows FingerPrint |
| Whea | Windows Hardware Error Architecture |
| Wmi | Windows Management Instrumentation |
| Zw | Mirror entry point for system services (beginning with Nt) that sets previous access mode to kernel, which eliminates parameter validation, because Nt system services validate parameters only if previous access mode is user |
Ntxxxx() 和 Zwxxxx() 的区别
用户模式下(ntdll.dll):
完全一致
内核模式下(ntoskrnl.exe):
- NT 函数是存放在 SSDT 表中的,用来响应用户态的请求或者响应内核态 Zw 函数的请求,即无论走用户态路径还是内核态路径
都是调用NT函数 - Zw*->Nt*(Zw函数会调用Nt)
- 内核应用只能调用 Zw*,不要直接调用 Nt*。Zw* 会自动设置 PreviousMode 为内核模式,就可以无需验证参数,直接调用。所以调用前最好提前检查好用户态传过来的参数。
0