Analysis of the function call flow in kernel32.dll

Source: Internet
Author: User

Notes from an idle-time analysis of the kernel32.dll function call flow using IDA, WinDbg and OD (OllyDbg)

1. Start by analyzing the CreateFileA and CreateFileW functions:


CreateFileA call chain:

kernel32.dll!CreateFileA
kernel32.dll!Basep8BitStringToDynamicUnicodeString
kernel32.dll!CreateFileWImplementation ; the address CreateFileW actually has in the export table
kernel32.dll!RtlFreeUnicodeString

kernel32.dll!CreateFileWImplementation calls:
ds:RtlInitUnicodeStringEx
BaseIsThisAConsoleName
api-ms-win-core-file-l1-1-0.CreateFileW ; the address CreateFileW actually has in the import table

api-ms-win-core-file-l1-1-0.CreateFileW calls:
ntdll.dll!ZwCreateFile
ntdll.dll!KiFastSystemCall
sysenter ; the sysenter instruction transitions into the kernel

1. When CreateFileA is called, the ANSI string is converted to Unicode and CreateFileW is then called directly (CreateFileW's export table address).
2. That in turn calls CreateFileW (CreateFileW's import table address; api-ms-win-core-file-l1-1-0.dll is, as the author understands it, a forwarding/translation layer).
3. The import table CreateFileW is the real implementation of the function and continues with:
a. ntdll.dll!ZwCreateFile
b. ntdll.dll!KiFastSystemCall
c. the sysenter instruction, which transitions into the kernel
....................
kernel function calls (omitted)
....................


CreateFileW call chain:

kernel32.dll!CreateFileWImplementation ; the address CreateFileW actually has in the export table

kernel32.dll!CreateFileWImplementation calls:
ds:RtlInitUnicodeStringEx
BaseIsThisAConsoleName
api-ms-win-core-file-l1-1-0.CreateFileW ; the address CreateFileW actually has in the import table

api-ms-win-core-file-l1-1-0.CreateFileW calls:
ntdll.dll!ZwCreateFile
ntdll.dll!KiFastSystemCall
sysenter ; the sysenter instruction transitions into the kernel


To summarize, the API call flow is:
1. If the API is the A (ANSI) version, it switches to the W version first; the W version needs no conversion.
2. The API is entered through its export table address and runs through several initialization calls.
3. It then calls the API through the corresponding import table address; after several calls from ntdll.dll!Zw* through ntdll.dll!Nt*, the sysenter instruction transitions into the kernel.
4. Kernel function calls (omitted).
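Steps 2 and 3 hinge on the difference between where an exported name lives in kernel32's export table and where it actually resolves (here via the api-ms-win-core-file-l1-1-0 layer). The following is an added example and not code from the original notes: a small Python parser that reads a PE file's export directory and reports, for each exported name, whether it points at code inside the module or at a forwarder string naming another DLL. The sample PE it builds is constructed in memory purely for the demo; its exports, including the one forwarded to api-ms-win-core-file-l1-1-0.CreateFileW, are illustrative and do not reproduce the layout of any real kernel32.dll, which varies across Windows versions.

```python
import struct
import sys

# IMAGE_EXPORT_DIRECTORY (40 bytes): Characteristics, TimeDateStamp, Major, Minor,
# Name, Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions,
# AddressOfNames, AddressOfNameOrdinals
_EXPORT_DIR_FMT = "<IIHHIIIIIII"


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table of the on-disk image."""
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError("RVA 0x%x is outside every section" % rva)


def _cstring(image, offset):
    return image[offset:image.index(b"\0", offset)].decode("ascii")


def parse_exports(image):
    """Return {name: ("local", rva) | ("forwarder", "Dll.Func")} for a PE file's named exports.

    A function RVA that falls inside the export directory itself is, by PE convention,
    not code but a forwarder string such as "api-ms-win-core-file-l1-1-0.CreateFileW".
    Exports that have only an ordinal and no name are not listed.
    """
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)   # DataDirectory[0] = export table (PE32 / PE32+)
    exp_rva, exp_size = struct.unpack_from("<II", image, dd_off)
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", image, hdr + 8)
        sections.append((va, vsize, raw, rawsize))
    if exp_rva == 0:
        return {}
    edir = _rva_to_offset(exp_rva, sections)
    (_, _, _, _, _, _, _, nnames, aof, aon, aoo) = struct.unpack_from(_EXPORT_DIR_FMT, image, edir)
    funcs = _rva_to_offset(aof, sections)
    names = _rva_to_offset(aon, sections)
    ords = _rva_to_offset(aoo, sections)
    result = {}
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", image, names + 4 * i)[0]
        index = struct.unpack_from("<H", image, ords + 2 * i)[0]   # index into AddressOfFunctions
        target = struct.unpack_from("<I", image, funcs + 4 * index)[0]
        name = _cstring(image, _rva_to_offset(name_rva, sections))
        if exp_rva <= target < exp_rva + exp_size:
            result[name] = ("forwarder", _cstring(image, _rva_to_offset(target, sections)))
        else:
            result[name] = ("local", target)
    return result


def build_sample_dll():
    """Constructed minimal PE32 DLL with three exports (demo data, not a real kernel32.dll)."""
    SEC_RVA, SEC_RAW = 0x1000, 0x200
    exports = [
        ("CreateFileA", 0x2010),                                      # local code RVA (made up)
        ("CreateFileW", "api-ms-win-core-file-l1-1-0.CreateFileW"),  # forwarder to the API set DLL
        ("CreateFileWImplementation", 0x2040),                        # local code RVA (made up)
    ]
    n = len(exports)
    aof, aon = 40, 40 + 4 * n
    aoo, strs = aon + 4 * n, aon + 4 * n + 2 * n
    strings = bytearray()

    def add_string(s):
        rva = SEC_RVA + strs + len(strings)
        strings.extend(s.encode("ascii") + b"\0")
        return rva

    dll_name = add_string("sample.dll")
    name_rvas, func_rvas = [], []
    for name, target in exports:
        name_rvas.append(add_string(name))
        func_rvas.append(add_string(target) if isinstance(target, str) else target)
    section = (
        struct.pack(_EXPORT_DIR_FMT, 0, 0, 0, 0, dll_name, 1, n, n,
                    SEC_RVA + aof, SEC_RVA + aon, SEC_RVA + aoo)
        + struct.pack("<%dI" % n, *func_rvas)
        + struct.pack("<%dI" % n, *name_rvas)
        + struct.pack("<%dH" % n, *range(n))
        + bytes(strings)
    )
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                     # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)         # i386, 1 section, DLL
    opt = (struct.pack("<H", 0x10B) + b"\0" * 94                           # PE32 optional header
           + struct.pack("<II", SEC_RVA, len(section)) + b"\0" * 120)      # export data directory
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".edata", len(section), SEC_RVA,
                          len(section), SEC_RAW, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + sec_hdr
    return headers.ljust(SEC_RAW, b"\0") + section


if __name__ == "__main__":
    # Pass the path of a kernel32.dll copied from a Windows machine to list its real exports.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dll()
    for name, (kind, target) in sorted(parse_exports(image).items()):
        print("%-40s %s" % (name, target if kind == "forwarder" else "0x%x" % target))
```

Knowing whether an export is local code or a forwarder tells you which module's code the debugger will actually land in when you step into it, and whether the chain passes through an API set DLL before reaching ntdll, which is exactly the export-table versus import-table distinction the notes above draw.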
