Native API
The Native API is the publicly but incompletely documented application programming interface used internally by the Windows NT family of operating systems produced by Microsoft. It is predominantly used during system boot, when other components of Windows are unavailable. The program entry point is called DriverEntry, the same as for a Windows device driver; the application nevertheless runs in Ring 3, like a regular Windows application. Most of the Native API calls are implemented in ntoskrnl.exe and are exposed to user mode by ntdll.dll. Some Native API calls are implemented in user mode directly within ntdll.dll.

While most of Microsoft Windows is implemented using the documented and well-defined Windows API, a few components, such as the Client/Server Runtime Subsystem, are implemented using the Native API, as they can be started earlier in the Windows NT startup process, when the Windows API is not yet available.

Some malware makes use of the Native API to hide its presence from malware detection software.

Function groups

The Native API comprises many functions. They include the C runtime functions that are needed for very basic C runtime execution, such as strlen, sprintf and floor. Other common procedures such as malloc, printf and scanf are missing. The vast majority of other Native API routines, by convention, carry a two- or three-letter prefix:
  • Nt or Zw are system calls declared in ntdll.dll and ntoskrnl.exe. When called from ntdll.dll in user mode, these two groups are almost exactly the same: they trap into kernel mode and call the equivalent function in ntoskrnl.exe via a branch table. When calling the functions directly in ntoskrnl.exe (only possible in kernel mode), the Zw variants ensure kernel mode, whereas the Nt variants do not. The Zw prefix does not stand for anything.
  • Rtl is the second largest group of ntdll calls. These comprise the (extended) C Run-Time Library, which includes many utility functions that can be used by native applications yet do not directly involve kernel support.
  • Csr are client-server functions used to communicate with the Win32 subsystem process, csrss.exe (csrss stands for client/server runtime subsystem).
  • Dbg are debugging aid functions, such as a software breakpoint.
  • Ki are upcalls from kernel mode for things like APC dispatching.
  • Ldr are loader functions for PE file handling and the starting of new processes.
  • Nls are for Native Language Support (similar to code pages).
  • Pfx are for prefix handling.


Gdi32.dll includes several other calls that trap into kernel mode. These were not part of the original Windows NT design, as can be seen in Windows NT 3.5. However, due to the performance limits of hardware of that age, it was decided to move the graphics subsystem into kernel mode. As a result, system calls in the range 0x1000-0x1FFF are satisfied by win32k.sys (instead of ntoskrnl.exe, which handles 0-0x0FFF) and are declared in gdi32.dll. These functions have the Gdi prefix.

There are also many more groups exported from ntoskrnl.exe that are therefore usable only in kernel mode. Whether these count as part of the Native API depends on whom you ask; since the Native API is not fully officially documented, there is no single answer. Such groups include Cc (cache controller), Ex (Windows Executive), FsRtl (file system runtime), Io (I/O manager), Ke (core kernel routines), Ks (kernel streaming), Lpc (Local Procedure Call), Lsa (Local Security Authority), Mm (memory management), Ob (Object Manager), Ps (process management), Se (security), Po (power management) and others.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 