
delta_p_delta_x | 11 days ago

Indeed. Anything documented has a function wrapper. `NtCreateFile` is a function wrapper for the syscall number, so any user-mode code that has `NtCreateFile` instead of directly loading the syscall number 0x55 will be stable. The latter might not. In fact, it is not; the number has increased by 3 since Windows XP[1].

One could probably produce some sort of function pointer loader library with these tables, but at that point... Why not just use the documented APIs?

[1]: https://github.com/j00ru/windows-syscalls/blob/8a6806ac91486...

Dwedit|10 days ago

Only malware uses the system call numbers directly. Using the system call numbers directly is foolish if they're going to change and break your app. Just import and call a function that will perform the actual SYSENTER (or WOW64 context change).

monocasa|10 days ago

Unfortunately, that's not the case. Wine for instance has to keep up to date to maintain compatibility with some applications.

https://gitlab.winehq.org/wine/wine/-/releases/wine-11.0

> NT system calls use the same syscall numbering as recent Windows, to support applications that hardcode syscall numbers.
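
Added example, not part of the thread and not any commenter's code: a heuristic Python scanner that a defender or maintainer could run over a module's code bytes to find x64 syscall-stub-shaped sequences that hardcode a syscall number outside `ntdll.dll`. The function names, the 24-byte search window and the sample bytes are assumptions constructed for this illustration; 0x55 is the `NtCreateFile` number quoted in the first comment.

```python
import re
import struct

# x64 stub prologue: mov r10, rcx (4C 8B D1) followed by mov eax, imm32 (B8 imm32)
PROLOGUE = re.compile(rb"\x4c\x8b\xd1\xb8(.{4})", re.DOTALL)
SYSCALL = b"\x0f\x05"  # the `syscall` instruction
WINDOW = 24            # assumption: bytes after the prologue searched for `syscall`


def find_hardcoded_syscalls(code: bytes):
    """Return [(offset, syscall_number)] for stub-shaped sequences in code.

    Heuristic only: data bytes can match by coincidence, so treat hits as
    leads to confirm in a disassembler.
    """
    hits = []
    for m in PROLOGUE.finditer(code):
        tail = code[m.end():m.end() + WINDOW]
        if SYSCALL in tail:
            (number,) = struct.unpack("<I", m.group(1))
            hits.append((m.start(), number))
    return hits


def audit(code: bytes, module_name: str, allowed=("ntdll.dll",)):
    """Report stubs only for modules that are not expected to contain them."""
    if module_name.lower() in allowed:
        return []
    return find_hardcoded_syscalls(code)


# Constructed sample: mov eax, 0x55; ret (no prologue, no syscall instruction)
DECOY = bytes.fromhex("b855000000c3")
# Constructed sample shaped like a recent-Windows stub, carrying number 0x55
STUB = bytes.fromhex("4c8bd1 b855000000 f604250803fe7f01 7503 0f05 c3 cd2e c3")
SAMPLE = b"\x90" * 16 + DECOY + b"\xcc" * 4 + STUB + b"\xcc" * 8

if __name__ == "__main__":
    for offset, number in audit(SAMPLE, "app.exe"):
        print(f"hardcoded syscall number {number:#x} at offset {offset:#x}")
```

A hit tells you the binary depends on one Windows build's numbering, which is the stability problem the thread describes; it does not by itself tell you whether the code is malicious or a compatibility-sensitive application of the kind Wine accommodates.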