by delta_p_delta_x 124 days ago
Indeed. Anything documented has a function wrapper. `NtCreateFile` is a function wrapper for the syscall number, so any user-mode code that has `NtCreateFile` instead of directly loading the syscall number 0x55 will be stable. The latter might not. In fact, it is not; the number has increased by 3 since Windows XP[1].

One could probably produce some sort of function pointer loader library with these tables, but at that point... Why not just use the documented APIs?

[1]: https://github.com/j00ru/windows-syscalls/blob/8a6806ac91486...

1 comments

Only malware uses the system call numbers directly. Using the system call numbers directly is foolish if they're going to change and break your app. Just import and call a function that will perform the actual SYSENTER (or WOW64 context change).

Unfortunately, that's not the case. Wine, for instance, has to keep up to date to maintain compatibility with some applications.

https://gitlab.winehq.org/wine/wine/-/releases/wine-11.0

> NT system calls use the same syscall numbering as recent Windows, to support applications that hardcode syscall numbers.
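
Added example, not part of the thread: a defender-side check for the pattern discussed above, code that carries its own syscall number instead of calling the `ntdll` wrapper. It scans a byte buffer for the x64 stub shape (`mov r10, rcx; mov eax, imm32` followed shortly by `syscall`); the function name, the window size and the sample bytes are assumptions constructed for illustration, with 0x55 taken from the comment above.

```python
import struct

# x64 stub prologue: mov r10, rcx ; mov eax, imm32 (imm32 follows these bytes)
PROLOGUE = b"\x4c\x8b\xd1\xb8"
SYSCALL = b"\x0f\x05"   # syscall instruction
WINDOW = 24             # assumed: how far past the immediate to look for `syscall`


def find_hardcoded_syscalls(code: bytes, base: int = 0):
    """Return [(address, syscall_number)] for each stub-shaped sequence.

    Meant for code bytes taken from a module other than ntdll, where the
    documented wrappers would normally be reached through an import call.
    """
    hits = []
    pos = code.find(PROLOGUE)
    while pos != -1:
        imm_off = pos + len(PROLOGUE)
        if imm_off + 4 <= len(code):
            (number,) = struct.unpack_from("<I", code, imm_off)
            tail = code[imm_off + 4 : imm_off + 4 + WINDOW]
            # Only report when the number is actually used by a nearby syscall.
            if SYSCALL in tail:
                hits.append((base + pos, number))
        pos = code.find(PROLOGUE, pos + 1)
    return hits


# Constructed sample bytes (not taken from any real binary).
SAMPLE = (
    b"\x90" * 4
    # Stub that embeds syscall number 0x55 and issues `syscall; ret`.
    + b"\x4c\x8b\xd1\xb8\x55\x00\x00\x00\x0f\x05\xc3"
    # call qword ptr [rip+disp32]: the shape of a call through the import table.
    + b"\xff\x15\x10\x20\x00\x00"
    # Same prologue bytes but no syscall nearby: must not be reported.
    + b"\x4c\x8b\xd1\xb8\x01\x00\x00\x00" + b"\x90" * 30 + b"\xc3"
)

if __name__ == "__main__":
    for addr, number in find_hardcoded_syscalls(SAMPLE, base=0x1000):
        print(f"{addr:#x}: embedded syscall number {number:#x}")
```

A hit is a lead, not a verdict: as the Wine release note quoted above shows, ordinary applications also hardcode these numbers.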