From Top to Bottom on Windows NT

Mehmet Ali Baykara
2 min read · May 7, 2021

Recently, due to my thesis, I had the chance to look closely at the Windows operating system, especially at how a process is created, managed, terminated, and so on. If you program at a higher level of abstraction, you may never have cared how a method such as exit() works at the OS level.

In the operating system there are mainly two so-called spaces: user space and kernel space. To interact with the kernel you have to go through a system call (syscall). Let's see how the layering appears, from top to bottom.

(Diagram: Roger Orr, ACCU 2019)

Here is a simple C++ program that invokes the exit() function:

1. Step: Application Layer

This is the application layer, where you develop an arbitrary application in C++.

#include <cstdlib>   // exit() is declared here (stdlib.h in C)
#include <iostream>

int main()
{
    exit(42);        // 42 becomes the process exit code
}

If we compile and execute this program, it dives one level deeper, past the language runtime, into the Win32 API, the Microsoft Windows application interface written in C. Our simple main function calls exit(42); exit() is declared in the C runtime's stdlib.h (cstdlib in C++), which our iostream include pulls in.

2. Step: Win32 API Layer

Going one layer deeper, this is how it looks if we implement the same thing via the Win32 API:

#include <windows.h>

int main()
{
    ExitProcess(42); // Win32 API call; 42 is the exit code
}

As you can see, we include the windows.h header to call the API function directly.

3. Step: Native Windows API

We can implement our sample program against the native API as:

#include <windows.h>

int main()
{
    auto self = GetCurrentProcess(); // pseudo-handle that refers to the calling process
    TerminateProcess(self, 42);      // terminate ourselves with exit code 42
}

4. Step: Layer at the C Level

Below Win32, TerminateProcess ends up in the native NtTerminateProcess function exported by ntdll.dll, which is declared as:

#include <windows.h>
#include <winternl.h>   // NTSTATUS, NTAPI

// Not in the public SDK headers; link against ntdll.lib to call it.
extern "C" NTSTATUS NTAPI
NtTerminateProcess(
    IN HANDLE ProcessHandle,
    IN NTSTATUS ExitStatus);   // ExitStatus is a 32-bit NTSTATUS

5. Step: Assembly Layer

NtTerminateProcess:        ; x64 stub exported by ntdll.dll
mov r10,rcx                ; syscall overwrites rcx, so the first argument is passed in r10
mov eax,2Ch                ; system service number (eax is the 32-bit register); differs between Windows builds
syscall                    ; transition into kernel mode
ret
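Added example (not code from the original post, nor from Roger Orr's talk): a small C decoder for the x64 stub shape shown above. Given the bytes of such a stub it recovers the service number that mov eax loads and the position of the syscall instruction, and it refuses to decode a stub whose first instruction has been replaced, which is the shape an inline hook leaves behind. This is the check a defender runs when verifying that the exported stubs in a loaded ntdll.dll are unmodified. It goes slightly beyond the post's short form: newer Windows 10 x64 builds emit a longer stub with a test/jne pair between the mov and the syscall (falling back to int 2Eh when the system call flag in KUSER_SHARED_DATA is set), and the decoder accepts that form too. The byte arrays are constructed for this example, and the names parse_syscall_stub, stub_matches and stub_info are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of decoding one x64 ntdll syscall stub (names are this example's own). */
typedef struct {
    int      valid;           /* 1 when the bytes have the expected stub shape */
    uint32_t service_number;  /* the imm32 that "mov eax, imm32" loads (2Ch in the post) */
    size_t   syscall_offset;  /* byte offset of the 0F 05 (syscall) instruction */
} stub_info;

/* Constructed sample: the stub exactly as the post shows it.
   4C 8B D1 = mov r10,rcx ; B8 2C 00 00 00 = mov eax,2Ch ; 0F 05 = syscall ; C3 = ret */
static const uint8_t STUB_SHORT[] = {
    0x4C, 0x8B, 0xD1, 0xB8, 0x2C, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3
};

/* Constructed sample: the longer form newer Windows 10 x64 builds emit, with
   "test byte ptr [7FFE0308h],1 ; jne +3" between the mov and the syscall so the
   stub can fall back to "int 2Eh" when the system call flag in KUSER_SHARED_DATA is set. */
static const uint8_t STUB_LONG[] = {
    0x4C, 0x8B, 0xD1, 0xB8, 0x2C, 0x00, 0x00, 0x00,
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01,
    0x75, 0x03, 0x0F, 0x05, 0xC3, 0xCD, 0x2E, 0xC3
};

/* Constructed sample: the same stub with its first five bytes overwritten by a
   "jmp rel32" (E9 ...), the shape an inline hook leaves behind. The decoder must reject it. */
static const uint8_t STUB_HOOKED[] = {
    0xE9, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3
};

/* Decode `len` bytes of a stub. valid stays 0 unless the bytes start with
   mov r10,rcx / mov eax,imm32 and a syscall instruction follows. */
stub_info parse_syscall_stub(const uint8_t *code, size_t len)
{
    static const uint8_t prologue[] = { 0x4C, 0x8B, 0xD1, 0xB8 };
    stub_info info = { 0, 0, 0 };

    /* prologue + imm32 + at least "syscall ; ret" */
    if (len < sizeof prologue + 4 + 3)
        return info;
    if (memcmp(code, prologue, sizeof prologue) != 0)
        return info;                       /* first instruction was rewritten */

    /* little-endian imm32 operand of mov eax */
    uint32_t n = (uint32_t)code[4]
               | ((uint32_t)code[5] << 8)
               | ((uint32_t)code[6] << 16)
               | ((uint32_t)code[7] << 24);

    /* The syscall instruction follows either directly (short form) or after the
       test/jne pair (long form); anything else is not a stub we recognise. */
    for (size_t i = sizeof prologue + 4; i + 1 < len; i++) {
        if (code[i] == 0x0F && code[i + 1] == 0x05) {
            info.valid = 1;
            info.service_number = n;
            info.syscall_offset = i;
            return info;
        }
    }
    return info;
}

/* Convenience wrapper: 1 if the bytes decode as an intact stub carrying the given number. */
int stub_matches(const uint8_t *code, size_t len, uint32_t expected_number)
{
    stub_info info = parse_syscall_stub(code, len);
    return info.valid && info.service_number == expected_number;
}

int main(void)
{
    stub_info s = parse_syscall_stub(STUB_SHORT, sizeof STUB_SHORT);
    stub_info l = parse_syscall_stub(STUB_LONG, sizeof STUB_LONG);
    stub_info h = parse_syscall_stub(STUB_HOOKED, sizeof STUB_HOOKED);
    printf("short form : valid=%d number=0x%X syscall at +%zu\n", s.valid, s.service_number, s.syscall_offset);
    printf("long form  : valid=%d number=0x%X syscall at +%zu\n", l.valid, l.service_number, l.syscall_offset);
    printf("hooked     : valid=%d (first instruction is not mov r10,rcx)\n", h.valid);
    return 0;
}
```

Service numbers are a property of the Windows build (the post's 2Ch is one x64 value), so an integrity check should compare the decoded stub against the expected shape rather than assume a particular number; a stub that fails to decode at all is the interesting finding.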

PS: will be completed soon.
