Idle-time notes: using IDA, WinDbg and OD to analyze the kernel32.dll function call process
1. First, analyze the CreateFileW and CreateFileA functions.
CreateFileA flow:
kernel32.dll!CreateFileA flow
    kernel32.dll!Basep8BitStringToDynamicUnicodeString
    kernel32.dll!CreateFileWImplementation ; the actual export-table address of CreateFileW
    kernel32.dll!RtlFreeUnicodeString
kernel32.dll!CreateFileWImplementation flow
    ds:RtlInitUnicodeStringEx
    BaseIsThisAConsoleName
    api-ms-win-core-file-l1-1-0.CreateFileW ; the actual import-table address of CreateFileW
api-ms-win-core-file-l1-1-0.CreateFileW flow
    ntdll.dll!ZwCreateFile
    ntdll.dll!KiFastSystemCall
    sysenter ; the sysenter instruction switches into the kernel
1. When CreateFileA is called, the name is converted to the Unicode version and CreateFileW is then called directly (CreateFileW's export-table address).
2. CreateFileW is then called through its import-table address (api-ms-win-core-file-l1-1-0.dll, which I understand to be a conversion layer).
3. The import-table CreateFileW is the implementation of the function; it continues to call:
    a. ntdll.dll!ZwCreateFile
    b. ntdll.dll!KiFastSystemCall, which executes sysenter
    c. The sysenter instruction switches into the kernel
    ....................
    kernel function calls
    ....................
    (omitted)
CreateFileW flow:
kernel32.dll!CreateFileWImplementation ; the actual export-table address of CreateFileW
kernel32.dll!CreateFileWImplementation
    ds:RtlInitUnicodeStringEx
    BaseIsThisAConsoleName
    api-ms-win-core-file-l1-1-0.CreateFileW ; the actual import-table address of CreateFileW
api-ms-win-core-file-l1-1-0.CreateFileW
    ntdll.dll!ZwCreateFile
    ntdll.dll!KiFastSystemCall
    sysenter ; the sysenter instruction switches into the kernel
To summarize, the API call process is:
1. If the A version of the API is called, it switches to the W version first; the W version needs no conversion.
2. The API is called through its export-table address, followed by several initialization function calls.
3. The API is then called through its import-table address; after several calls from ntdll.dll!ZwXxx to ntdll.dll!NtXxx, the sysenter assembly instruction switches into the kernel.
4. Kernel function calls (omitted).
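The chain summarized above can be confirmed live in WinDbg; the session below is an added example, not part of the original notes, and assumes a 32-bit Windows 7 user-mode target with public symbols loaded, since the api-ms-win-core-file-l1-1-0 layer and KiFastSystemCall are specific to that generation.

```windbg
$$ Added example: confirm the CreateFileA -> CreateFileW -> ntdll -> sysenter chain.
$$ Assumes 32-bit Windows 7, user-mode debugging, symbols loaded (.symfix; .reload).

$$ Export-table CreateFileW vs. the import slot the implementation calls through:
$$ the notes say these are two different addresses, so list both.
0:000> x kernel32!CreateFileA
0:000> x kernel32!CreateFileW
0:000> x kernel32!CreateFileWImplementation
0:000> x kernel32!_imp__CreateFileW*
$$ Dump the import slot printed by the last command; per the notes it should
$$ resolve back into kernel32!CreateFileWImplementation.
0:000> dps <address from the x output above> L1

$$ Step 1 of the notes: CreateFileA converts the name to Unicode, then calls CreateFileW.
0:000> uf kernel32!CreateFileA

$$ Record the whole user-mode call tree from CreateFileA down to the syscall,
$$ depth-limited and restricted to kernel32 and ntdll so the tree stays readable.
0:000> bp kernel32!CreateFileA
0:000> g
0:000> wt -l 8 -m kernel32 -m ntdll

$$ The last user-mode stop: ZwCreateFile loads the syscall number and transfers
$$ through KiFastSystemCall, whose body is just the sysenter sequence.
0:000> bp ntdll!ZwCreateFile
0:000> g
0:000> u @eip L6
0:000> u ntdll!KiFastSystemCall L3

$$ A frame outside kernel32/ntdll in the wt tree, or a jump out of CreateFileW's
$$ prologue, deviates from the documented chain and is worth examining as a hook.
```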