
0x325 Windows Admin

Architecture

Kernel

Interrupt

KiSystemService is the kernel-side entry point in ntoskrnl.exe that handles the Native API trap (int 0x2E on x86); on x64 the equivalent entry for the syscall instruction is KiSystemCall64. Both dispatch through the System Service Descriptor Table (SSDT, KeServiceDescriptorTable), using the service number the caller loaded into EAX as the index into the table; the GUI services of win32k.sys live in a second table, KeServiceDescriptorTableShadow.

User API

Native API

Native API functions are exported from ntdll.dll with an Nt or Zw prefix (the Ex prefix belongs to the kernel's Executive routines, which are not exported to user mode). These exports are the user-mode entry points for system calls. Most are undocumented or only partially documented; the supported way to reach them is through the Win32 API layered on top.

Each export is a short stub like the one below; note that the software interrupt Windows uses for system calls is 0x2E.

The system service number in EAX (here 0x1A) changes between builds, because the stubs are not meant to be called by anything other than ntdll itself. Never hard-code it; resolve the export by name at run time.

NtCreateFile:
    mov    eax, 0x0000001A      ; system service number (SSDT index), build-specific
    lea    edx, [esp+04]        ; edx -> first stack argument
    int    0x2E                 ; trap into the kernel (KiSystemService)
    ret    0x2C                 ; release 0x2C = 44 bytes: NtCreateFile's 11 dword arguments

On modern CPUs the stub uses sysenter (x86) or syscall (x64) instead of int 0x2E; the kernel-side entry points are KiFastCallEntry and KiSystemCall64 respectively. x64 stubs first copy rcx into r10, because the syscall instruction clobbers rcx, and the arguments travel in registers rather than on the stack.
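As an added example that is not part of this page: a small C decoder for the byte patterns of these stubs. Given the raw bytes of an ntdll export it recovers the service number and, for x86, the argument count from the ret imm16, and it reports failure when the bytes match no known shape, which on a live process usually means the stub has been patched by an inline hook. The x86 sysenter shape and the x64 syscall shape are taken from known ntdll layouts rather than from this page, and the sample byte arrays are constructed; the service numbers 0x1A, 0x25 and 0x55 in them are illustrative, not values from a specific build.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* How the stub enters the kernel. */
enum stub_kind { STUB_INT2E = 1, STUB_FASTCALL = 2, STUB_SYSCALL = 3 };

struct stub_info {
    int bits;            /* 32 or 64 */
    enum stub_kind kind;
    uint32_t number;     /* service number loaded into EAX: the SSDT index */
    int argc;            /* x86: dwords released by "ret imm16"; -1 on x64 (register convention) */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* x86 shapes after the leading "mov eax, imm32" (B8 imm32), each ending in "ret imm16" (C2 imm16):
   NT4/2000: lea edx,[esp+4] ; int 0x2E  |  XP+: mov edx,7FFE0300h ; call [edx] (SharedUserData->SystemCall, runs sysenter) */
static const uint8_t x86_int2e_body[]    = { 0x8D,0x54,0x24,0x04, 0xCD,0x2E, 0xC2 };
static const uint8_t x86_fastcall_body[] = { 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12, 0xC2 };
static const struct { enum stub_kind kind; const uint8_t *body; size_t n; } x86_shapes[] = {
    { STUB_INT2E,    x86_int2e_body,    sizeof x86_int2e_body },
    { STUB_FASTCALL, x86_fastcall_body, sizeof x86_fastcall_body },
};

static int decode_x86(const uint8_t *p, size_t len, struct stub_info *out)
{
    size_t k;
    for (k = 0; k < sizeof x86_shapes / sizeof x86_shapes[0]; k++) {
        size_t end = 5 + x86_shapes[k].n;              /* offset of the ret imm16 operand */
        if (len < end + 2 || p[0] != 0xB8) continue;
        if (memcmp(p + 5, x86_shapes[k].body, x86_shapes[k].n) != 0) continue;
        out->bits = 32; out->kind = x86_shapes[k].kind;
        out->number = le32(p + 1);
        out->argc = (p[end] | p[end + 1] << 8) / 4;
        return 0;
    }
    return -1;
}

/* x64:  mov r10, rcx ; mov eax, imm32 ; [test byte ptr [7FFE0308h],1 ; jne] ; syscall ; ret
   Newer builds insert the test/jne, so search a short window for the 0F 05 opcode. */
static int decode_x64(const uint8_t *p, size_t len, struct stub_info *out)
{
    static const uint8_t prologue[] = { 0x4C, 0x8B, 0xD1, 0xB8 };
    size_t i;
    if (len < 10 || memcmp(p, prologue, sizeof prologue) != 0) return -1;
    for (i = 8; i + 1 < len && i < 24; i++) {
        if (p[i] == 0x0F && p[i + 1] == 0x05) {
            out->bits = 64; out->kind = STUB_SYSCALL;
            out->number = le32(p + 4);
            out->argc = -1;
            return 0;
        }
    }
    return -1;
}

/* Returns 0 and fills *out if the bytes are a recognised ntdll service stub, -1 otherwise.
   On bytes read from a live ntdll export, -1 usually means the stub was patched (for
   example its first instruction replaced by a jmp to a hook) or the build layout is unknown. */
int decode_syscall_stub(const uint8_t *stub, size_t len, struct stub_info *out)
{
    memset(out, 0, sizeof *out);
    if (decode_x86(stub, len, out) == 0) return 0;
    return decode_x64(stub, len, out);
}

/* Constructed samples, not bytes from any real ntdll build; the service numbers are illustrative. */
const uint8_t sample_x86_int2e[] = {                     /* the NtCreateFile stub shown above */
    0xB8, 0x1A, 0x00, 0x00, 0x00, 0x8D, 0x54, 0x24, 0x04, /* mov eax, 0x1A ; lea edx, [esp+4] */
    0xCD, 0x2E, 0xC2, 0x2C, 0x00 };                       /* int 0x2E ; ret 0x2C (11 dwords) */
const uint8_t sample_x86_fastcall[] = {
    0xB8, 0x25, 0x00, 0x00, 0x00, 0xBA, 0x00, 0x03, 0xFE, 0x7F, /* mov eax, 0x25 ; mov edx, 0x7FFE0300 */
    0xFF, 0x12, 0xC2, 0x2C, 0x00 };                       /* call [edx] ; ret 0x2C */
const uint8_t sample_x64_syscall[] = {
    0x4C, 0x8B, 0xD1, 0xB8, 0x55, 0x00, 0x00, 0x00,       /* mov r10, rcx ; mov eax, 0x55 */
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01, 0x75, 0x03, /* test byte ptr [0x7FFE0308], 1 ; jne +3 */
    0x0F, 0x05, 0xC3, 0xCD, 0x2E, 0xC3 };                 /* syscall ; ret ; int 0x2E ; ret */
const uint8_t sample_hooked[] = {                         /* first instruction overwritten by jmp rel32 */
    0xE9, 0x00, 0x10, 0x00, 0x00, 0x8D, 0x54, 0x24, 0x04, 0xCD, 0x2E, 0xC2, 0x2C, 0x00 };

int main(void)
{
    const uint8_t *stubs[] = { sample_x86_int2e, sample_x86_fastcall, sample_x64_syscall, sample_hooked };
    const size_t lens[] = { sizeof sample_x86_int2e, sizeof sample_x86_fastcall,
                            sizeof sample_x64_syscall, sizeof sample_hooked };
    size_t i;
    for (i = 0; i < sizeof stubs / sizeof stubs[0]; i++) {
        struct stub_info si;
        if (decode_syscall_stub(stubs[i], lens[i], &si) == 0)
            printf("sample %zu: %d-bit, kind %d, service 0x%02X, argc %d\n",
                   i, si.bits, (int)si.kind, (unsigned)si.number, si.argc);
        else
            printf("sample %zu: not a clean stub (patched or unknown layout)\n", i);
    }
    return 0;
}
```

On a real system the input bytes would be read from the export address of the function in the loaded ntdll.dll (or from the file on disk, to compare the two); a clean decode gives the build's service number without hard-coding it, and a failed decode on the in-memory copy while the on-disk copy decodes is the classic sign of a user-mode hook.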

Win32 API

Win32 API depends on Native API: kernel32.dll (and, since Windows 7, kernelbase.dll beneath it) implements a function such as CreateFile by validating and translating its arguments and then calling the corresponding ntdll export, here NtCreateFile. This is why hooking or monitoring at the ntdll layer also sees callers that skip the Win32 layer and call the Native API directly.

WinRT

Shell

cmd

PowerShell