Introduction to functions starting with NT **, ZW **, and RTL **

FirstThey are all functions not made public by Microsoft.The reason why these functions are not made public is that most of these functions are too powerful, making them public will be used by some people with ulterior motives. I don't know about 9X. for NT (including 2000/XP), you can refer to Windows NT native API. Most of their functions have never changed.Almost all win32apis derived from kenerl. dll are called by calling the native API (exported from NTDLL. dll.For example:NtquerysysteminformationThis function isIt is powerful enough to query all system information and requires a high level of access permissions.

 
InRing3:
Lkd>? Ntdll! Zwopenprocess
Evaluate expression_r:2089999739= 7c92dd7b
Lkd>? Ntdll! Ntopenprocess
Evaluate expression_r:2089999739= 7c92dd7b
 

You can also see the dependency.
As you can see, in Ntdll, zwopenprocess and ntopenprocess are actually the same function, but they only have two names.
That is to say, in the ring3 environment, there is no difference between the ZW *** series functions and the NT *** series functions.

  in  ring0: 
 lkd> u nt! Zwopenprocess 
 NT! Zwopenprocess: 
 804de044 b87a000000 mov eax, 7ah 
 804de049 8d542404 Lea edX, [esp +  4 ] 
 804de04d 9C pushfd 
 804de04e 6a08 push  8  
 804de050 e8dc150000 call nt! Kisystemservice (804df631) 
 804de055 c21000 RET 10 h 
 lkd> u nt! Ntopenprocess 
 NT! Ntopenprocess: 
 80573d06 68c4000000 push 0c4h 
 80573d0b 6810b44e80 push offset nt! Obwatchhandles +  0x25c  (804eb410) 
 80573d10 e826f7f6ff call nt! _ Seh_prolog (804e343b) 
 80573d15 33f6 xor esi, ESI 
 80573d17 8975d4 mov dword ptr [ebp-2Ch], ESI 
 80573d1a 33c0 XOR eax, eax 
 80573d1c 8d7dd8 Lea EDI, [ebp-28h] 
 80573d1f AB STOs DWORD PTR ES: [EDI] 

It can be seen that the zwopenprocess function is very short. First, store 0x7a (Service Number of ntopenprocess) to eax, then, save the field, that is, kisystemservice. This function searches for the corresponding system service in ssdt based on the service ID in eax and then calls it.

The ntopenprocess function is very long (the disassembly result is only part of it). In fact, ntopenprocess is a function that actually executes the process opening operation (usually called a service or routine in R0). Therefore,If you directly call the NT series functions in the driver, it will not go through ssdt and will not be intercepted by ssdt hook.

Summary:
Ssdt hook cannot be bypassed no matter how it is called in R3. Nt * can be called in R0 to bypass ssdt hook. The RTL ** function is a write-driven function provided by Windows DDK.

My summary:

From the decompiling ZW ***, we can see that ZW ***CodeInternally, the entry address of the real nt code execution is found through the corresponding nt *** index number in ssdt. 

Most Win32 API functions are implemented using these zwxxx APIs and ntxxx APIs.
In user mode, the local APIs in these two forms are the same, but the two symbols of the same entry point in Ntdll. dll are different.
In the internal mode, the code is connected by ntoskrnl.exe, instead of NTDLL. dll. This is because the function entry point of zwxxx contains a copy from NTDLL. dll. The function entry point of ntxxx contains the actual implementation of system services.

 

[Thank you for your reference]
1. Introduction to functions starting with NT **, ZW **, and RTL **