
It's important to note that unlike Linux, NT system call numbers are not stable. That's a very good thing --- it effectively forces all system calls to go through ntdll, which can coordinate closely with userspace in interesting ways. It's as if NT's "vdso" covered all interaction with the kernel.

For example, NT has no native 32-bit ABI like Linux does. Instead, userspace translates 32-bit to 64-bit system calls, handling the switch from long and back to long mode transparently. This elegant approach is possible because applications never make system calls directly.




Then why is there a "Program Files" and a "Program Files (x86)" folder? I believe the second one is for 32-bit ABI apps for some special reasons?


IIRC it's purely aesthetic so users can easily tell them apart or just some sort of convention


Raymond Chen's big answer video on the subject: https://www.youtube.com/watch?v=qRb6otsHG5c


Now explain the aesthetic of syswow64.


How does that work with regard to privilege separation? It sounds like bypassing nt.dll might be an exploit vector that is easily forgotten.


All of the verification is done on the kernel side of the boundary. All entrance points to the kernel via syscalls are marked using static code analysis so that the kernel never trusts a pointer provided from user mode, so even if you sysenter yourself, you can't do anything special.


Permission checks are still done in the kernel.

>It sounds like bypassing nt.dll might be an exploit vector that is easily forgotten.

MSFT might be bad, but not that bad.


Just a note, it's not nt.dll, it's ntdll.dll.


Heh, interesting. Any specific reason for the stuttering? Or just an arbitrary, inconsistent historical decision?


I'll give you a better one. On a 64-bit Windows:

- the 64-bit binaries are stored in C:\Windows\System32

- the 32-bit binaries are stored in C:\Windows\SysWOW64
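The System32/SysWOW64 split described above is easy to confirm from the files themselves, since the PE file header of every executable records its target machine. The script below is an added example, not code from anyone in the thread: it reads the `Machine` field of the same file names under both directories using only the documented PE layout (`MZ` header, `e_lfanew` at offset 0x3C, the `PE\0\0` signature, then `IMAGE_FILE_HEADER.Machine`). The file names chosen (`notepad.exe`, `ntdll.dll`, `kernel32.dll`) are just examples that exist on a stock install; on an x64 Windows the System32 copies report `x64` and the SysWOW64 copies report `x86`, which is also the pair of ntdll builds the WOW64 layer sits between.

```powershell
# Added example: report the PE machine type of matching binaries under System32 and SysWOW64.
function Get-PeMachine {
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        # DOS header starts with 'MZ'; e_lfanew at offset 0x3C points to the PE signature
        if ($br.ReadUInt16() -ne 0x5A4D) { throw "Not an MZ file: $Path" }
        $fs.Seek(0x3C, [System.IO.SeekOrigin]::Begin) | Out-Null
        $peOffset = $br.ReadUInt32()
        $fs.Seek($peOffset, [System.IO.SeekOrigin]::Begin) | Out-Null
        if ($br.ReadUInt32() -ne 0x00004550) { throw "No PE signature: $Path" }   # 'PE\0\0'
        # IMAGE_FILE_HEADER.Machine is the first field after the signature
        $machine = $br.ReadUInt16()
        switch ($machine) {
            0x014C  { 'x86' }
            0x8664  { 'x64' }
            0xAA64  { 'ARM64' }
            default { '0x{0:X4}' -f $machine }
        }
    } finally {
        $fs.Dispose()
    }
}

$windir = $env:SystemRoot
foreach ($name in 'notepad.exe', 'ntdll.dll', 'kernel32.dll') {
    foreach ($dir in 'System32', 'SysWOW64') {
        $p = Join-Path $windir "$dir\$name"
        if (Test-Path $p) { '{0,-45} {1}' -f $p, (Get-PeMachine $p) }
    }
}

# File system redirection: a 32-bit process that opens "System32" is silently handed SysWOW64,
# and has to use the virtual "Sysnative" directory to reach the real 64-bit System32.
"This PowerShell process is 64-bit: $([Environment]::Is64BitProcess)"
```

Run it from a 64-bit PowerShell to see both directories as they really are; from a 32-bit PowerShell the `System32` paths above resolve to the SysWOW64 copies, which is the redirection that keeps 32-bit programs working without knowing the naming joke exists.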


Haha, I think WOW64 means "Windows [32] on Windows 64" which kind of makes sense if you squint at it just right...


That's a bingo.


I'm guessing it's because module names are sometimes used without the extension and "ntdll" looks better in such a list than "nt".


I think it’s because the kernel’s module name is “nt”. It’ll show up like that in stack traces on occasion.


Not sure! My guess is the name would've just felt too short otherwise.


Note that 64-bit kernel-mode stuff does still have to implement a fair amount of 32-bit stuff, e.g. for DeviceIoControl (see e.g. IoIs32bitProcess()).



