
09: Chapter 5 | Native APIs

VirtualAllocEx edited this page Aug 3, 2023 · 2 revisions

Native APIs

Native APIs in Windows are the set of functions that form the lowest-level interface user-mode code has to the operating system, sitting beneath the Windows API (Win32 API). Most of them are undocumented or only partially documented for public use; they are used internally by Windows itself and give more direct access to system resources and services than the Win32 layer does. Their primary role is to expose kernel services to user mode (process and thread management, memory management, object, file and registry manipulation) and to serve as the foundation on which the Win32 subsystem is built. They are not the kernel itself: the implementation of each native function lives in the kernel (ntoskrnl.exe), and the Native API is the system-call boundary through which user mode reaches it.

The need for a Native API follows from the layered architecture of Windows. The Win32 subsystem, and with it the Win32 API, is built on top of the Native API, so calling a Win32 function usually results in one or more Native API functions being called behind the scenes.

The user-mode entry points for the Native API live in ntdll.dll. This dynamic-link library is mapped into every user-mode process and is what gives a process the ability to make system calls into the kernel: each Nt* export is a small stub that loads the system call number and switches to kernel mode, and the actual work happens in ntoskrnl.exe. Here are some examples of what the Native APIs can do:

| Native API | What it does |
| --- | --- |
| NtCreateFile | Creates a new file or opens an existing one, selected by the create disposition argument; CreateFileW in kernel32 ends up calling it. |
| NtOpenFile | Opens an existing file or device object by name. |
| NtQueryInformationProcess | Retrieves information about a process selected by an information class, for example ProcessBasicInformation, which includes the address of the process's PEB. |
| NtReadVirtualMemory | Reads from the virtual address space of another process through a handle to it; ReadProcessMemory wraps it. |
| NtWriteVirtualMemory | Writes into the virtual address space of another process through a handle to it; WriteProcessMemory wraps it. |

While the Native APIs provide powerful functionality, they should be used with caution. Microsoft documents only a subset of them and explicitly reserves the right to change or remove them between Windows versions, so code that depends on them can break on a new release. They are also harder to use than the Win32 API: most prototypes and constants are missing from the public headers and import libraries, so functions are usually resolved at run time from ntdll.dll; paths must be given in object-manager form (`\??\C:\...` rather than `C:\...`); and results come back as NTSTATUS values, where failure is a negative status rather than a zero return plus GetLastError(). The kernel validates the arguments it receives, so a bad call normally returns an error status rather than crashing the system, but the caller's own process offers no such guard rails and an incorrect call can easily corrupt it. For these reasons most developers interact with Windows through the Win32 API. Understanding the Native API is still valuable, particularly for system programming, debugging and reverse engineering, and for security work: malware and offensive tooling frequently call ntdll directly to bypass the user-mode hooks that monitoring products place on the Win32 layer, so anyone reading a sample or writing a detection will meet these function names constantly.
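The following example is added here to illustrate the table above and the caveats in the last paragraph; it is not code from the original page or its author. It opens a file with NtCreateFile instead of CreateFileW, resolving the function from ntdll.dll at run time, building the `\??\`-prefixed object-manager path, filling the UNICODE_STRING length fields in bytes, and checking the NTSTATUS result by severity rather than by "non-zero". The helper names (`win32_to_nt_path`, `init_unicode_string`, `nt_status_severity`, `nt_open_file_readonly`) and the sample path `C:\Windows\notepad.exe` are my own choices and not part of the page. Only the call into ntdll is Windows-specific; the helpers build and run on any host so the gotchas can be exercised without a Windows box.

```c
/* Added example, not from the page: open a file via NtCreateFile instead of CreateFileW.
 * The helpers (NT path prefix, UNICODE_STRING byte lengths, NTSTATUS severity) build
 * on any host; the actual call into ntdll.dll is Windows-only. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>  /* NTSTATUS, UNICODE_STRING, OBJECT_ATTRIBUTES, IO_STATUS_BLOCK */
#else                  /* just enough Windows type vocabulary for the portable helpers */
typedef int32_t NTSTATUS;
typedef uint16_t USHORT, WCHAR;
typedef struct _UNICODE_STRING {
    USHORT Length, MaximumLength;  /* both in BYTES; Length excludes the terminator */
    WCHAR *Buffer;
} UNICODE_STRING;
#endif
#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif
/* Top two bits of an NTSTATUS: 0 success, 1 informational, 2 warning, 3 error. Only 2 and 3
 * fail NT_SUCCESS, so "status != 0" is the wrong test: STATUS_PENDING (0x103) is a success. */
unsigned nt_status_severity(NTSTATUS status)
{
    return ((uint32_t)status >> 30) & 3u;
}
/* Rewrite an ASCII Win32 drive path ("C:\dir\file") as the object-manager path the native
 * API expects ("\??\C:\dir\file"), widened to UTF-16. Returns WCHARs written (no terminator),
 * or 0 if the input is not a drive path or does not fit. An existing "\??\" is not doubled. */
size_t win32_to_nt_path(const char *win32, WCHAR *out, size_t out_chars)
{
    static const char prefix[] = "\\??\\";
    const size_t plen = sizeof(prefix) - 1;
    const char *body = win32;
    size_t len, i;
    if (strncmp(body, prefix, plen) == 0) body += plen;
    len = strlen(body);
    if (len < 3 || !isalpha((unsigned char)body[0]) || body[1] != ':' || body[2] != '\\') return 0;
    if (plen + len + 1 > out_chars) return 0;
    for (i = 0; i < plen; i++) out[i] = (WCHAR)prefix[i];
    for (i = 0; i < len; i++) out[plen + i] = (WCHAR)(unsigned char)body[i];
    out[plen + len] = 0;
    return plen + len;
}
/* Same job as RtlInitUnicodeString; returns the Length it set, in bytes. */
USHORT init_unicode_string(UNICODE_STRING *us, WCHAR *buf)
{
    size_t chars = 0;
    while (buf[chars]) chars++;
    us->Buffer = buf;
    us->Length = (USHORT)(chars * sizeof(WCHAR));
    us->MaximumLength = (USHORT)((chars + 1) * sizeof(WCHAR));
    return us->Length;
}
#ifdef _WIN32
typedef NTSTATUS (NTAPI *pfnNtCreateFile)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES,
    PIO_STATUS_BLOCK, PLARGE_INTEGER, ULONG, ULONG, ULONG, ULONG, PVOID, ULONG);
#define NT_FILE_OPEN          0x00000001L  /* FILE_OPEN: existing files only */
#define NT_FILE_SYNC_NONALERT 0x00000020L  /* FILE_SYNCHRONOUS_IO_NONALERT */
/* Open an existing file read-only; on success *out is a handle the caller must CloseHandle().
 * NtCreateFile is resolved at run time: ntdll exports are not in the default import
 * libraries and Microsoft does not promise they stay the same between releases. */
NTSTATUS nt_open_file_readonly(const char *win32_path, HANDLE *out)
{
    WCHAR nt_path[MAX_PATH + 8];
    UNICODE_STRING name;
    OBJECT_ATTRIBUTES oa = {0};  /* the fields InitializeObjectAttributes() would fill */
    IO_STATUS_BLOCK iosb;
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");  /* already mapped in every process */
    pfnNtCreateFile NtCreateFile_ = ntdll ? (pfnNtCreateFile)GetProcAddress(ntdll, "NtCreateFile") : NULL;
    *out = NULL;
    if (!NtCreateFile_ || !win32_to_nt_path(win32_path, nt_path, MAX_PATH + 8))
        return (NTSTATUS)0xC000000DL;  /* STATUS_INVALID_PARAMETER */
    init_unicode_string(&name, nt_path);
    oa.Length = sizeof oa;
    oa.ObjectName = &name;
    oa.Attributes = 0x00000040L;  /* OBJ_CASE_INSENSITIVE */
    return NtCreateFile_(out, GENERIC_READ | SYNCHRONIZE, &oa, &iosb, NULL, FILE_ATTRIBUTE_NORMAL,
                         FILE_SHARE_READ, NT_FILE_OPEN, NT_FILE_SYNC_NONALERT, NULL, 0);
}
#endif
int main(int argc, char **argv)
{
    WCHAR buf[64]; UNICODE_STRING us;
    size_t n = win32_to_nt_path("C:\\Windows\\notepad.exe", buf, 64);  /* sample path: an assumption */
    printf("%u chars -> UNICODE_STRING.Length %u bytes\n", (unsigned)n, (unsigned)init_unicode_string(&us, buf));
#ifdef _WIN32
    HANDLE h;
    NTSTATUS st = nt_open_file_readonly(argc > 1 ? argv[1] : "C:\\Windows\\notepad.exe", &h);
    printf("NtCreateFile -> 0x%08lX, severity %u\n", (unsigned long)st, nt_status_severity(st));
    if (NT_SUCCESS(st)) CloseHandle(h);
#else
    (void)argc; (void)argv;
#endif
    return 0;
}
```

Build on Windows with `cl example.c` or `gcc example.c` (MinGW) and pass a path as the first argument; no extra import library is needed because the only ntdll symbol is fetched with GetProcAddress. Two details are worth noticing when comparing this with the CreateFileW equivalent: a drive path handed to NtCreateFile without the `\??\` prefix fails with STATUS_OBJECT_PATH_SYNTAX_BAD, and NtCreateFile returns a status rather than INVALID_HANDLE_VALUE, so the NT_SUCCESS check replaces the usual GetLastError() pattern.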