What is the difference between ZwOpenFile and NtOpenFile?

Posted on 2024-09-04 02:15:32


ZwOpenFile and NtOpenFile are both functions of ntdll. ZwOpenFile is implemented the same as NtOpenFile, but I don't understand why ZwOpenFile is included among the ntdll functions. Can anyone please explain the difference to me?


Comments (3)

長街聽風 2024-09-11 02:15:32


This is documented in MSDN:

A kernel-mode driver calls the Zw version of a native system services routine to inform the routine that the parameters come from a trusted, kernel-mode source. In this case, the routine assumes that it can safely use the parameters without first validating them. However, if the parameters might be from either a user-mode source or a kernel-mode source, the driver instead calls the Nt version of the routine, which determines, based on the history of the calling thread, whether the parameters originated in user mode or kernel mode. For more information about how the routine distinguishes user-mode parameters from kernel-mode parameters, see PreviousMode.

Basically it relates to how the parameters are validated.

柠檬色的秋千 2024-09-11 02:15:32


Generally, kernel drivers should only use the ZwXxx() functions.

When called from user mode, the ZwXxx() and NtXxx() functions are exactly the same - they resolve to the same bits of code in ntdll.dll.

When called from a kernel-mode driver, the ZwXxx() variant ensures that a flag used by the kernel is set to indicate that the requestor mode (what's supposed to indicate the caller's mode) is kernel mode. If a kernel driver calls the NtXxx() variant, the requestor mode isn't explicitly set, so it's left alone and might indicate user or kernel mode, depending on what has occurred in the call stack up to this point.

If the requestor mode flag is set to user mode, the kernel will validate parameters, which might not be the right thing to do (especially if the kernel driver is passing in kernel-mode buffers, as the validation will fail in that case). If it's set to kernel mode, the kernel implicitly trusts the parameters.

So the rules for using these API names generally boil down to: if you're writing a kernel driver, call the ZwXxx() version (unless you're dealing with special situations, and you know what you're doing and why). If you're writing a user-mode component, it doesn't matter which set you call.

As far as I know, Microsoft only documents the NtXxx() functions for use in user mode (where it indicates that they are the user-mode equivalent of the corresponding ZwXxx() function).

谁与争疯 2024-09-11 02:15:32


Giving an example to what has already been said to ensure OP or anyone else gets a complete picture.

  1. NtXxx calls from user mode result in passing less trusted data (from user mode) to a more privileged layer (kernel mode). So it expects the buffer to have a valid user-mode address, the handles being passed to be valid user-mode handles, etc.

  2. If a driver calls the NtXxx API instead of its equivalent ZwXxx, it has to ensure that valid user-mode arguments are being passed, i.e. it cannot pass a kernel-mode address (even if it is valid) or a kernel-mode handle (see OBJ_KERNEL_HANDLE).

  3. As already said, the ZwXxx equivalent of the API explicitly indicates (through the requestor level) that such parameter validation needs to be skipped, as the callee is at the same privilege level as the caller.

Here is a link to a good starting point for anyone who wants to go beyond the obvious:
https://www.osronline.com/article.cfm?id=257
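The second and third answers both describe the same mechanism: the Nt entry validates its arguments only when the thread's previous mode says they came from user mode, and the Zw stub temporarily forces that mode to kernel so the check is skipped. The toy model below, added here as an illustration and not code from the Windows kernel, the WDK or any of the posters, makes that control flow concrete. Everything in it is a stand-in: `KTHREAD`, `NtOpenFile_model`, `ZwOpenFile_model`, `probe_for_read` and `syscall_from_user` are hypothetical names, the address-space split and the kernel-handle bit are assumptions modelled on x64, and the buffer and handle values are constructed samples.

```c
/*
 * Toy model of the Nt/Zw dispatch split (NOT Windows kernel code).
 * Names are borrowed from the WDK so the model reads like the real thing,
 * but every function and constant here is a stand-in for the concept.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int NTSTATUS;
#define STATUS_SUCCESS          ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_VIOLATION ((NTSTATUS)0xC0000005)
#define STATUS_INVALID_HANDLE   ((NTSTATUS)0xC0000008)

typedef enum { UserMode = 0, KernelMode = 1 } KPROCESSOR_MODE;

/* Modelled per-thread state: the field the real kernel calls PreviousMode. */
typedef struct { KPROCESSOR_MODE PreviousMode; } KTHREAD;

/* Assumed x64 split: user buffers must lie entirely below this address. */
#define MM_USER_PROBE_ADDRESS ((uintptr_t)0x00007FFFFFFF0000ULL)
/* Assumed marker for kernel handles (what OBJ_KERNEL_HANDLE produces). */
#define KERNEL_HANDLE_MASK    ((uintptr_t)1 << 63)

/* Stand-in for ProbeForRead: succeeds only for a user-mode buffer. */
static NTSTATUS probe_for_read(uintptr_t addr, size_t len) {
    if (addr + len < addr || addr + len > MM_USER_PROBE_ADDRESS)
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* The service body: validation depends on PreviousMode, not on who called. */
NTSTATUS NtOpenFile_model(KTHREAD *t, uintptr_t name, size_t name_len,
                          uintptr_t root_dir) {
    if (t->PreviousMode == UserMode) {
        NTSTATUS s = probe_for_read(name, name_len);
        if (s != STATUS_SUCCESS)
            return s;
        if (root_dir & KERNEL_HANDLE_MASK)
            return STATUS_INVALID_HANDLE;
    }
    /* A real implementation would open the file here; the model only
       reports whether the arguments were accepted. */
    return STATUS_SUCCESS;
}

/* The Zw stub: run the service with PreviousMode forced to KernelMode,
   then restore whatever the thread had before. */
NTSTATUS ZwOpenFile_model(KTHREAD *t, uintptr_t name, size_t name_len,
                          uintptr_t root_dir) {
    KPROCESSOR_MODE saved = t->PreviousMode;
    t->PreviousMode = KernelMode;
    NTSTATUS s = NtOpenFile_model(t, name, name_len, root_dir);
    t->PreviousMode = saved;
    return s;
}

/* A system call from user mode: the trap records UserMode, and from there
   NtOpenFile and ZwOpenFile in ntdll are indistinguishable. */
NTSTATUS syscall_from_user(KTHREAD *t, uintptr_t name, size_t name_len,
                           uintptr_t root_dir) {
    t->PreviousMode = UserMode;
    return NtOpenFile_model(t, name, name_len, root_dir);
}

int main(void) {
    /* Constructed sample values: one user buffer, one kernel buffer,
       one kernel handle. */
    const uintptr_t user_buf   = 0x000001A000001000ULL;
    const uintptr_t kernel_buf = 0xFFFF800012340000ULL;
    const uintptr_t kernel_h   = 0xFFFFFFFF80000040ULL;
    KTHREAD t = { UserMode };

    printf("user syscall, user buffer:   0x%08X\n",
           (unsigned)syscall_from_user(&t, user_buf, 64, 0));
    printf("user syscall, kernel buffer: 0x%08X\n",
           (unsigned)syscall_from_user(&t, kernel_buf, 64, 0));
    /* Driver running on a user thread (e.g. in a dispatch routine). */
    t.PreviousMode = UserMode;
    printf("driver Nt, kernel buffer:    0x%08X\n",
           (unsigned)NtOpenFile_model(&t, kernel_buf, 64, kernel_h));
    printf("driver Zw, kernel buffer:    0x%08X\n",
           (unsigned)ZwOpenFile_model(&t, kernel_buf, 64, kernel_h));
    /* Driver running on a system thread: PreviousMode is already kernel. */
    t.PreviousMode = KernelMode;
    printf("system thread Nt:            0x%08X\n",
           (unsigned)NtOpenFile_model(&t, kernel_buf, 64, kernel_h));
    return 0;
}
```

The two driver cases are the point of the thread: on a user thread, `NtOpenFile_model` with a kernel buffer or kernel handle is rejected exactly as the answers warn, while `ZwOpenFile_model` with the same arguments succeeds and leaves `PreviousMode` as it found it. The last case shows why a driver calling the Nt variant can appear to work in testing: on a system thread the mode already happens to be kernel, so the validation is skipped by coincidence rather than by design.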
