Windows XP System Services (http://webcrazy.yeah.net)



Webcrazy (http://webcrazy.yeah.net)

I introduced the Windows 2000 system call mechanism in "Talking about Windows NT/2000 Internal Data Structures". Now the official release of Windows XP is out. The overall organization of its System Calls has not changed much: the System Call dispatch table is still specified by the global variable exported from ntoskrnl.exe. Analyzing Windows XP Professional Build 2600 (the only disc I have at hand), the one difference I found from Windows 2000 Server is the base address of the System Call table exported by Win32k.sys: it is specified at KeServiceDescriptorTable-30h, rather than KeServiceDescriptorTable-0Ch as in Windows 2000. As for the System Call parameter table, there are no other differences.

In my study of February 25, 2001, I pointed out that the System Call dispatch mechanism of Whistler Beta 1 (the Windows XP beta) differs considerably from Windows 2000. Windows XP follows the approach of Beta 1. Let us start from NtOpenKey to look at System Call dispatch.

kd> u ntdll!NtOpenKey
ntdll!ZwOpenKey:
77f7eb23 b877000000       mov     eax,0x77
77f7eb28 ba0003fe7f       mov     edx,0x7ffe0300
77f7eb2d ffd2             call    edx
77f7eb2f c20c00           ret     0xc

Here 0x77 is the System Call ID of NtOpenKey in Windows XP. From ret 0xc we can easily tell that NtOpenKey takes three parameters. Continuing to trace into 7ffe0300:

kd> u 7ffe0300 L 20
SharedUserData!SystemCallStub:
7ffe0300 8bd4             mov     edx,esp
7ffe0302 0f34             sysenter
7ffe0304 c3               ret
7ffe0305 9c               pushfd
7ffe0306 810c2400010000   or      dword ptr [esp],0x100
7ffe030d 9d               popfd
7ffe030e c3               ret
7ffe030f 8bd4             mov     edx,esp
7ffe0311 0f05             syscall
7ffe0313 c3               ret

From this code it can be seen that the EAX and EDX values passed in to ntoskrnl!KiSystemService are the same as in Windows 2000: the System Call ID and the address of the parameters. The only difference is that the original INT 2Eh instruction has been replaced by the SYSENTER instruction. I checked the Intel documentation: this instruction was introduced with the Pentium II, and it executes faster than INT 2Eh. This is an improvement Windows XP makes for performance, but it also affects my Strace tool. For AMD's SYSCALL instruction, check the AMD documentation; it can also be seen in the assembly code above.
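As an added example (not code from the original article), the following Python decodes the two listings above: it pulls the System Call ID, argument count and transition address out of an ntdll stub of the shape shown for NtOpenKey, and reports which instruction SharedUserData!SystemCallStub uses to enter the kernel. The byte strings are constructed from the listings; the table selection by bit 12 of the ID (Win32k service IDs start at 0x1000 on Windows XP x86) is background not stated on the page.

```python
# Decoder for the Windows XP x86 system-call stubs shown in the listings above.
# Added example, not part of the original article. Byte strings are constructed
# from the kd output for ntdll!NtOpenKey and SharedUserData!SystemCallStub.
import struct

NTOPENKEY_STUB = bytes.fromhex("b877000000" "ba0003fe7f" "ffd2" "c20c00")
SYSTEMCALLSTUB = bytes.fromhex(
    "8bd4" "0f34" "c3" "9c" "810c2400010000" "9d" "c3" "8bd4" "0f05" "c3")

# Two-byte opcodes that follow 'mov edx,esp' in the shared-data stub.
TRANSITIONS = {b"\x0f\x34": "sysenter", b"\x0f\x05": "syscall", b"\xcd\x2e": "int 2e"}


def decode_ntdll_stub(code):
    """Parse 'mov eax,imm32 ; mov edx,imm32 ; call edx ; ret imm16' (XP layout).

    Returns the System Call ID, the descriptor table it selects (bit 12: 0 for
    the ntoskrnl table, 1 for the Win32k shadow table), the index inside that
    table, the address called for the kernel transition and the number of
    stack arguments (ret imm16 / 4). Raises ValueError when the bytes do not
    have that shape, which is how an analyst notices a stub that was rewritten.
    """
    if (len(code) < 15 or code[0] != 0xB8 or code[5] != 0xBA
            or code[10:12] != b"\xff\xd2" or code[12] != 0xC2):
        raise ValueError("not an XP-style ntdll system-call stub")
    call_id = struct.unpack_from("<I", code, 1)[0]
    stub_addr = struct.unpack_from("<I", code, 6)[0]
    ret_bytes = struct.unpack_from("<H", code, 13)[0]
    return {
        "id": call_id,
        "table": "win32k" if call_id & 0x1000 else "ntoskrnl",
        "index": call_id & 0xFFF,
        "stub": stub_addr,
        "argc": ret_bytes // 4,
    }


def transition_instruction(stub):
    """Name the instruction SystemCallStub executes right after 'mov edx,esp'."""
    if stub[:2] != b"\x8b\xd4":
        raise ValueError("expected 'mov edx,esp' at the start of SystemCallStub")
    return TRANSITIONS.get(bytes(stub[2:4]), "unknown")


if __name__ == "__main__":
    print(decode_ntdll_stub(NTOPENKEY_STUB))        # id 0x77, argc 3, stub 0x7ffe0300
    print(transition_instruction(SYSTEMCALLSTUB))    # sysenter (Intel path)
    print(transition_instruction(SYSTEMCALLSTUB[15:]))  # syscall (AMD path at 7ffe030f)
```

Running the decoder over every Nt* export of a build's ntdll gives the per-build ID table the article describes, and any stub that fails the shape check is worth a closer look.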

In the article "Windows 2000 System Services List", I pointed out that the Chinese version of Windows 2000 Server Build 2195 SP0 exports 248 System Services from NTOSKRNL.EXE (x86 uniprocessor version) and 639 System Services from Win32k.sys. Windows XP wants to extend the operating system's features, and that inevitably means extending the System Services. Windows XP Professional Build 2600 exports 284 System Services from NTOSKRNL.EXE (x86 uniprocessor version) and 666 System Services from Win32k.sys, 63 more in total. To get an overall picture of the Windows XP kernel, I used SoftICE together with WinDbg to organize these System Calls, and also listed the kernel routine name corresponding to each System Call. I made the same table for Windows 2000 Server SP0 Build 2195. It should be pointed out that this list is not a Microsoft document; it is only my analysis of the versions I use. The new routines also show the improvements made in Windows XP. The list gives only the System Service routine names; complete symbols for ntoskrnl.exe and Win32k.sys can be obtained from WinDbg. I also put this material into an Excel file, but because of space limitations I have not uploaded it. Please contact me directly (TSU00@263.net). Attachment:

Windows XP Build 2600 System Services vs. Windows 2000 Build 2195 System Services (the document is rather large, please be patient when viewing it).

