This question already has an answer here:
- Windows system calls [duplicate] 1 answer
I am trying to make a program work with system-calls not dll's (kernel32.dll
,ntdll.dll
).
I know for example that the 0x2C (44) system call in windows 10 64-bit is the NtTerminateProcess
buy that web page. Also when I disassemble the ntdll.dll
i found that code:
NtTerminateProcess:
mov r10, rcx
mov eax, 44
test byte [abs 7FFE0308h], 01h ;also what is in that memory address?
jnz label
syscall
ret
label:
int 46 ;and why the 46 (the 2Eh windows NT interrupt) is here
ret
My question is how can for example terminate the program with that way?
Doing syscalls directly is not a good idea because this is not a stable ABI. The numbers can in theory change between service packs and even a plain update.
The instruction used on 32-bit Windows is not the same on all systems either!
Windows NT and 2000 always uses
int 2e
. Windows XP started usingSysEnter
/SysCall
when running on "newer" Intel/AMD CPUs (Pentium II, AMD K7, and later). Because Windows XP also supported older CPUs, it used a little helper function (SystemCallStub
) to enter kernel mode. This function (and later, the address of this function) is stored in a memory page accessible by all processes called_KUSER_SHARED_DATA
located at 0x7ffe0000.The original
int 2e
method is still supported, but I'm not sure why 64-bit Windows bothers checking which method to use, since every CPU it runs on supportsSysCall
. My Windows 8 machine does not check:These are just implementation details anyway, and they can change at any time.
int 2e
is probably a little bit slower, so just useSysCall
in 64-bit code andint 2e
in 32-bit code if you want to stay "portable".