Hi,
What are the differences between "ntdll.dll" and "ntoskrnl.exe"? In Windows XP they exist both and they export similiar (although different) set of functions. Wine implements just "ntdll.dll".
Some W32 binary wants to import functions from "ntoskrnl.exe" from me, should I make an alias of Wine "ntdll.dll" to "ntoskrnl.exe" and try to fill the missing funcs? I have never seen W32 programming before as I am *IX coder.
Thanks, Jan Kratochvil
Jan Kratochvil wrote:
What are the differences between "ntdll.dll" and "ntoskrnl.exe"? In Windows XP they exist both and they export similiar (although different) set of functions. Wine implements just "ntdll.dll".
Some W32 binary wants to import functions from "ntoskrnl.exe" from me, should I make an alias of Wine "ntdll.dll" to "ntoskrnl.exe" and try to fill the missing funcs? I have never seen W32 programming before as I am *IX coder.
If you are talking about Rtl and Zw functions I think that ntdll should still export the same things that ntoskrnl.exe does but under a differnt name. What functions are you speaking of that are missing from ntdll but are in ntoskrnl?
Steven
Hi,
On Sun, 15 Sep 2002 01:36:36 +0200, Steven Edwards wrote:
Jan Kratochvil wrote:
What are the differences between "ntdll.dll" and "ntoskrnl.exe"?
...
If you are talking about Rtl and Zw functions I think that ntdll should still export the same things that ntoskrnl.exe does but under a differnt name. What functions are you speaking of that are missing from ntdll but are in ntoskrnl?
Out of 101 functions imported from "ntoskrnl.exe" only 21 are found also in "ntdll.dll". Missing ones are IoReleaseVpbSpinLock, IoAcquireVpbSpinLock, KeInitializeSpinLock, MmProbeAndLockPages etc.
But I was more interested in the backround - how it is ever possible that Windows system at all has two basic libraries from one vendor with similiar function name interfaces with function name colliding each other? OK, there is no technical problem as it has different namespaces but just why they did it? And do behave functions in these two libraries on the native W32 system exactly the same? It is described just once in the documentation. :-?
Regards, Jan Kratochvil
-----Original Message----- From: wine-devel-admin@winehq.com [mailto:wine-devel-admin@winehq.com] On Behalf Of Jan Kratochvil Sent: 15. september 2002 01:52 To: Steven Edwards Cc: wine-devel@winehq.com Subject: Re: ntdll.dll vs. ntoskrnl.exe
Hi,
On Sun, 15 Sep 2002 01:36:36 +0200, Steven Edwards wrote:
Jan Kratochvil wrote:
What are the differences between "ntdll.dll" and "ntoskrnl.exe"?
...
If you are talking about Rtl and Zw functions I think that ntdll should still export the same things that ntoskrnl.exe does but
under a differnt
name. What functions are you speaking of that are missing
from ntdll but
are in ntoskrnl?
Out of 101 functions imported from "ntoskrnl.exe" only 21 are found also in "ntdll.dll". Missing ones are IoReleaseVpbSpinLock, IoAcquireVpbSpinLock, KeInitializeSpinLock, MmProbeAndLockPages etc.
Those functions you mention that are missing are kernel-mode only APIs, ie. only kernel-mode drivers use them.
But I was more interested in the backround - how it is ever possible that Windows system at all has two basic libraries from one vendor with similiar function name interfaces with function name colliding each other?
Calling ntoskrnl.exe a "basic library" is a major understatement ;-) Ntoskrnl.exe is _the_ core OS component. It provides OS services like memory management, process and thread management, I/O infrastructure, etc. Ntdll.dll is the kernel-mode/user-mode gateway between ntoskrnl.exe and applications (ie. the syscall interface). Ntdll.dll wraps services that are available to applications.
OK, there is no technical problem as it has different namespaces but just why they did it?
To provide OS services to applications.
And do behave functions in these two libraries on the native W32 system exactly the same?
They are the same functions. They are just accessed differently depending on where you call them from (kernel-mode or user-mode).
It is described just once in the documentation. :-?
Most of these APIs are undocumented by MS. Most likely done to be able to change the APIs in future versions of Windows if needed.
Regards, Jan Kratochvil
Casper Hornstrup
On Sun, 15 Sep 2002, Jan Kratochvil wrote: [...]
Some W32 binary wants to import functions from "ntoskrnl.exe" from me, should I make an alias of Wine "ntdll.dll" to "ntoskrnl.exe" and try to fill the missing funcs? I have never seen W32 programming before as I am *IX coder.
From what has been said in other posts, ntoskrnl.exe is not meant to be
accessed from user space. Which Win32 binary is accessing it?
Hi,
On Sun, 15 Sep 2002 05:05:25 +0200, Francois Gouget wrote:
On Sun, 15 Sep 2002, Jan Kratochvil wrote: [...]
Some W32 binary wants to import functions from "ntoskrnl.exe" from me, should I make an alias of Wine "ntdll.dll" to "ntoskrnl.exe" and try to fill the missing funcs? I have never seen W32 programming before as I am *IX coder.
From what has been said in other posts, ntoskrnl.exe is not meant to be accessed from user space. Which Win32 binary is accessing it?
Some system driver (.SYS) and I hope I will be able to satisfy its requirements as it just imports "ntoskrnl.exe" and exports some own Wine-callable functions. Exact details not yet available - sorry (my own NDA), to be disclosed later.
Currently I am happy with your perfect information - "ntoskrnl.exe" is vmlinuz with its "int 0x80" (NTKERNELAPI / NTSYSAPI - differences?) while "ntdll.dll" is the userland-callable glibc. "ntdll.dll" does the "ntoskrnl.exe" syscalls by some own jumptable with syscall # in %eax and calls always some indirection point *0x7ffe0300 - probably some fixed address as it was outside of all my mapped modules. Also I found out some fixed address access of %ds:0xffdff020 being stored to by "ntoskrnl.exe", some kernel variable block?
Anyway I found out that probably it isn't much possible to run native "ntoskrnl.exe" inside Wine emulation sandbox and thus it is better to try to provide builtin emulation despite "ntoskrnl.exe" is not much documented. :-(
My first W32 code ever written was "hal.dll". My second one will be thus probably "ntoskrnl.exe" and I hope this will be really the last one. :-)
Regards, Jan Kratochvil
Anyway I found out that probably it isn't much possible to run native "ntoskrnl.exe" inside Wine emulation sandbox and thus it is better to try to provide builtin emulation despite "ntoskrnl.exe" is not much documented. :-(
My first W32 code ever written was "hal.dll". My second one will be thus probably "ntoskrnl.exe" and I hope this will be really the last one. :-)
If licensing is not a problem (GPL) you could take a look at the ReactOS source tree as we implement ntdll, ntoskrnl and the hal. We may have something in our code that will be of use to you for loading your driver. Mabey you could adapt parts of ReactOS to a Linux Module or something if licensing is a issue.
Steven
do you seriously want wine to be virus- and hack- able ? This looks a bit paranoid, I know, but as Casper reported, this could be a major security hole...
If licensing is not a problem (GPL) you could take a look at the ReactOS source tree as we implement ntdll, ntoskrnl and the hal. We may have something in our code that will be of use to you for loading your driver. Mabey you could adapt parts of ReactOS to a Linux Module or something if licensing is a issue.
Steven
___________________________________________________________ Do You Yahoo!? -- Une adresse @yahoo.fr gratuite et en français ! Yahoo! Mail : http://fr.mail.yahoo.com
-----Original Message----- From: wine-devel-admin@winehq.com [mailto:wine-devel-admin@winehq.com] On Behalf Of Francois Gouget Sent: 15. september 2002 05:05 To: Jan Kratochvil Cc: wine-devel@winehq.com Subject: Re: ntdll.dll vs. ntoskrnl.exe
On Sun, 15 Sep 2002, Jan Kratochvil wrote: [...]
Some W32 binary wants to import functions from
"ntoskrnl.exe" from me,
should I make an alias of Wine "ntdll.dll" to
"ntoskrnl.exe" and try
to fill the missing funcs? I have never seen W32
programming before as
I am *IX coder.
From what has been said in other posts, ntoskrnl.exe is not
meant to be accessed from user space. Which Win32 binary is accessing it?
-- Francois Gouget fgouget@free.fr http://fgouget.free.fr/ Broadcast message : fin du monde dans cinq minutes, repentez vous !
Yes, they are not supposed to be imported by user-mode applications and user-mode applications cannot access them directly. Ntoskrnl.exe (and all kernel-mode drivers) are mapped above 0x80000000 (or above 0xc0000000 depending on the /3GB address space switch). Applications will cause an exception if they touch this memory. The only way to access the ntoskrnl.exe APIs (on the x86) is through a call gate (int 0x2e on Windows NT). If applications could touch ntoskrnl.exe directly, then it would be a huge security risk. Eg. an application could overwrite some parts of an ntoskrnl.exe data section and bring down the system.
Casper Hornstrup
-
Casper Hornstrup -
Francois Gouget -
Jan Kratochvil -
Steven Edwards -
Sylvain Petreolle