Mail Archives: djgpp/2000/04/03/23:05:51
Hello Eli,

I have some good news and some bad news, as the saying goes.

First, the bad news. The service numbers (that would be loaded into EAX
before invoking Int 0x2E) can change from Windows version to version. For
example, I wanted to code a nice, benign, syscall ZwYieldExecution, which
is the NT API equivalent of the Win32 SwitchToThread(). This is service
number 0xD2 on Windows NT but 0xF7 on Windows 2000.

A new-for-Win2000 syscall ZwQueryDefaultUILanguage is service number
0x7C, but Windows NT uses 0x7C for ZwQuerySystemInformation.

So we can't depend on service numbers.

Next, the good news (possibly..)

When NT creates a new process, the process' FS register contains a selector
that can be used to address the TEB, Thread Environment Block. There is a
way to use this to get the Windows version. This is how GetVersion() works,
BTW, it's not a wrapper on a syscall but a bunch of load-relatives from FS.

Is the FS register available with its original contents to DJGPP-built
programs running from a Command Prompt window?

Cheers,
..mark
On Sun, 2 Apr 2000, Eli Zaretskii wrote:
>
> On Sun, 2 Apr 2000, Mark Geisert wrote:
>
> > > What service would you suggest to try this method?
> >
> > Hi Eli,
> >
> > The NT syscalls are amazingly underdocumented considering how widely NT
> > is used. I don't have a specific syscall in mind.
> >
> > My understanding is that the list of syscalls changes from release to
> > release and syscalls could even be added by service pack. I've not been
> > able to find the mapping between syscalls (the Zw... exports from
> > NTDLL.DLL I think (don't have my notes handy)) and the service numbers
> > that you'd put in EAX to invoke the syscall via Int 0x2E. I have some
> > leads on that which I haven't yet followed.
>
> Yes, I asked the question precisely because this is not documented
> anywhere, and because I don't use NT/W2K enough to know myself.
>
> > I was actually considering something risky to determine if this strategy
> > would work at all, which would be to just try various small values in EAX.
>
> I think it could work, but we need a real example to try.
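The "load-relatives from FS" that Mark describes GetVersion() doing, written out as an added 32-bit NASM example (not code from the thread or from DJGPP). It assumes a native Win32 process in which FS still addresses the TEB, which is exactly the open question above, and the offsets are the 32-bit TEB/PEB layout, not values taken from the thread; reading the version this way is the check you want before trusting any per-version table of service numbers.

```nasm
; nasm -f win32 ntver.asm ; call from C as: unsigned long nt_version_from_teb(void);
; Assumption: a native 32-bit Win32 process whose FS selector addresses the TEB.
; Offsets below are the 32-bit TEB/PEB layout (not from the thread):
;   fs:[0x18]   TEB.NtTib.Self             -> linear address of the TEB
;   TEB+0x30    TEB.ProcessEnvironmentBlock -> PEB
;   PEB+0xA4    OSMajorVersion (ULONG)
;   PEB+0xA8    OSMinorVersion (ULONG)
;   PEB+0xAC    OSBuildNumber  (USHORT)
;   PEB+0xB0    OSPlatformId   (ULONG, 2 = VER_PLATFORM_WIN32_NT)

        bits 32
        global _nt_version_from_teb

        section .text
; unsigned long nt_version_from_teb(void)  (cdecl)
; Returns major | (minor << 8) | (build << 16), the packing GetVersion uses
; for NT, or 0 if the PEB does not report an NT platform at all.
_nt_version_from_teb:
        push    ebx
        mov     eax, [fs:0x18]          ; TEB linear address via NtTib.Self
        mov     eax, [eax + 0x30]       ; PEB pointer
        cmp     dword [eax + 0xB0], 2   ; OSPlatformId must be WIN32_NT
        jne     .not_nt
        movzx   ebx, word [eax + 0xAC]  ; build number -> high word
        shl     ebx, 16
        mov     ecx, [eax + 0xA8]       ; minor version -> bits 8..15
        and     ecx, 0xFF
        shl     ecx, 8
        or      ebx, ecx
        mov     eax, [eax + 0xA4]       ; major version last: eax held the PEB pointer
        and     eax, 0xFF
        or      eax, ebx
        pop     ebx
        ret
.not_nt:
        xor     eax, eax                ; not NT: caller must not use NT service numbers
        pop     ebx
        ret
```

The major/minor pair (5.0 for Windows 2000, 4.0 for NT 4) is what a caller would key its service-number choice on; a zero return means FS did not lead to a valid NT PEB, so no Int 0x2E service number should be trusted.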