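Windows 8 RTM was recently released through MSDN/TechNet, so I installed it.

My first interest was whether any system calls had been added or removed, so I went straight to the Export Table of ntoskrnl.exe.

I figured that just looking at which system calls changed would let me at least guess which areas the development of this OS focused on. I also think it will be of some help in kernel driver development, as a way of learning that these APIs exist.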



* Note that the comparison below is between Windows 8 Enterprise x64 and Windows 7 Ultimate SP1 x64.
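The comparison described above can be reproduced with a short script. This is an added example, not the author's tool: it reads the export name table from two copies of ntoskrnl.exe (paths given on the command line) and lists removed and added names, grouped by their leading capitalised word, which is a heuristic of this example and not the component labels used below.

```python
import re
import struct
import sys

def export_names(pe: bytes) -> set:
    """Return the names in the export name table of a PE32 or PE32+ image."""
    nt, = struct.unpack_from("<I", pe, 0x3C)             # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = nt + 4
    n_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", pe, opt)
    # Data directories start at offset 112 (PE32+) or 96 (PE32); entry 0 is exports.
    exp_rva, _ = struct.unpack_from("<II", pe, opt + (112 if magic == 0x20B else 96))
    if exp_rva == 0:
        return set()
    # Per section: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
                for i in range(n_sections)]

    def offset(rva):
        """Translate an RVA to a file offset using the section table."""
        for vsize, vaddr, rsize, rptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return rva - vaddr + rptr
        raise ValueError("RVA %#x is outside every section" % rva)

    exp = offset(exp_rva)
    n_names, = struct.unpack_from("<I", pe, exp + 24)    # NumberOfNames
    names_rva, = struct.unpack_from("<I", pe, exp + 32)  # AddressOfNames
    table = offset(names_rva) if n_names else 0
    names = set()
    for rva in struct.unpack_from("<%dI" % n_names, pe, table):
        start = offset(rva)
        names.add(pe[start:pe.index(b"\0", start)].decode("ascii"))
    return names

def diff_exports(old: set, new: set) -> dict:
    """Group removed and added names by leading capitalised word (heuristic)."""
    def group(names):
        out = {}
        for name in sorted(names):
            m = re.match(r"[A-Z][a-z]*", name)
            out.setdefault(m.group(0) if m else "(other)", []).append(name)
        return out
    return {"removed": group(old - new), "added": group(new - old)}

if __name__ == "__main__":  # usage: script.py <old ntoskrnl.exe> <new ntoskrnl.exe>
    old, new = (export_names(open(p, "rb").read()) for p in sys.argv[1:3])
    for kind, groups in diff_exports(old, new).items():
        for prefix, names in groups.items():
            print(kind, prefix, *names)
```

Only named exports are compared; exports that exist by ordinal alone do not appear in the name table and are not reported.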




Removed System Calls on Windows 8 x64


Executive

ExUpdateLicenseData



I/O Manager

IoSetOplockKeyContext (Existed on Windows 8 x86)



Kernel Core

KeUpdateSystemTime



Process and Threads

PsSetJobUIRestrictionsClass



Transaction Manager

TmpIsKTMCommitCoordinator






Added System Calls on Windows 8 x64



Background Manager (?) (Can be related to BSOD?)

BgkDisplayCharacter

BgkGetConsoleState

BgkGetCursorState

BgkSetCursor



Cache Control

CcAddDirtyPagesToExternalCache

CcCopyReadEx

CcCopyWriteEx

CcDeductDirtyPagesFromExternalCache

CcFlushCacheToLsn

CcIsThereDirtyLoggedPages

CcRegisterExternalCache

CcScheduleReadAheadEx

CcSetAdditionalCacheAttributesEx

CcSetLogHandleForFileEx

CcSetLoggedDataThreshold

CcSetReadAheadGranularityEx

CcUnmapFileOffsetFromSystemCache

CcUnregisterExternalCache

CcZeroDataOnDisk



Configuration Manager

CmCallbackGetKeyObjectIDEx

CmCallbackReleaseKeyObjectIDEx



Executive

ExBlockOnAddressPushLock

ExBlockPushLock

ExCompositionSurfaceObjectType

ExGetFirmwareEnvironmentVariable

ExNotifyBootDeviceRemoval

ExQueryFastCacheAppOrigin

ExQueryFastCacheDevLicense

ExQueryTimerResolution

ExQueryWnfStateData

ExRealTimeIsUniversal

ExRegisterBootDevice

ExSetFirmwareEnvironmentVariable

ExSubscribeWnfStateChange

ExTimedWaitForUnblockPushLock

ExTryQueueWorkItem

ExUnsubscribeWnfStateChange

ExWaitForUnblockPushLock



File System

FsRtlAcquireEofLock

FsRtlAcquireHeaderMutex

FsRtlAreThereWaitingFileLocks

FsRtlCheckLockForOplockRequest

FsRtlDismountComplete

FsRtlGetFileNameInformation

FsRtlGetIoAtEof

FsRtlGetSectorSizeInformation

FsRtlGetSupportedFeatures

FsRtlInitializeEofLock

FsRtlIsSystemPagingFile

FsRtlIssueDeviceIoControl

FsRtlKernelFsControlFile

FsRtlMdlReadEx

FsRtlPrepareMdlWriteEx

FsRtlPrepareToReuseEcp

FsRtlQueryCachedVdl

FsRtlQueryKernelEaFile

FsRtlReleaseEofLock

FsRtlReleaseFileNameInformation

FsRtlReleaseHeaderMutex

FsRtlSetKernelEaFile

FsRtlTryToAcquireHeaderMutex

FsRtlUpdateDiskCounters



HyperVisor Library (?)

HvlGetLpIndexFromApicId

HvlPerformEndOfInterrupt

HvlQueryActiveHypervisorProcessorCount

HvlQueryActiveProcessors

HvlQueryHypervisorProcessorNodeNumber

HvlQueryProcessorTopology

HvlQueryProcessorTopologyCount

HvlQueryProcessorTopologyHighestId

HvlRegisterInterruptCallback

HvlRegisterWheaErrorNotification

HvlUnregisterInterruptCallback

HvlUnregisterWheaErrorNotification



BSOD Screen

InbvNotifyDisplayOwnershipChange



I/O Manager

IoBoostThreadIo

IoClearActivityIdThread

IoClearReservedDependency

IoCompletionObjectType

IoCopyDeviceObjectHint

IoCreateStreamFileObjectEx2

IoCreateSystemThread

IoDecrementKeepAliveCount

IoGetActivityIdIrp

IoGetActivityIdThread

IoGetDeviceInterfacePropertyData

IoGetInitiatorProcess

IoGetOplockKeyContextEx

IoIncrementKeepAliveCount

IoInitializeMiniCompletionPacket

IoIsActivityTracingEnabled

IoIsInitiator32bitProcess

IoIsValidIrpStatus

IoPropagateActivityIdToThread

IoQueueWorkItemToNode

IoRegisterBootDriverCallback

IoRegisterIoTracking

IoReportInterruptActive

IoReportInterruptInactive

IoReserveDependency

IoResolveDependency

IoSetActivityIdIrp

IoSetActivityIdThread

IoSetDeviceInterfacePropertyData

IoSetMasterIrpStatus

IoSynchronousCallDriver

IoTransferActivityId

IoTryQueueWorkItem

IoUnregisterBootDriverCallback

IoUnregisterIoTracking

IoVolumeDeviceToGuid

IoVolumeDeviceToGuidPath



Kernel Debugger

KdLogDbgPrint



Kernel Core

KeDispatchSecondaryInterrupt

KeForceEnableNx

KeGetNextTimerExpirationDueTime

KeHwPolicyLocateResource

KeInitializeSecondaryInterruptServices

KeInitializeSpinLock (Does not exist on Windows 8 x86)

KeLoadMTRR

KeQueryEffectivePriorityThread

KeQueryInterruptTimePrecise

KeQuerySystemTimePrecise

KeQueryTotalCycleTimeThread

KeStallWhileFrozen

KeSweepLocalCaches

KeUpdateTime

KeUpdateTimeAssist

KeWriteProtectPAT



Unknown prefix

KseQueryDeviceData

KseQueryDeviceDataList

KseQueryDeviceFlags

KseRegisterShim

KseRegisterShimEx

KseSetDeviceFlags

KseUnregisterShim



Memory Manager

MmAllocateContiguousNodeMemory

MmAllocateMdlForIoSpace

MmAllocateNodePagesForMdlEx

MmAreMdlPagesCached

MmGetMaximumFileSectionSize

MmIsDriverSuspectForVerifier

MmMapViewInSessionSpaceEx

MmMapViewInSystemSpaceEx

MmMdlPageContentsState

MmPrefetchVirtualAddresses



NT System Calls (NT prefix)

NtSetCachedSigningLevel

NtSetInformationVirtualMemory



Object Manager

ObDuplicateObject

ObReferenceObjectSafe

ObReferenceObjectSafeWithTag

ObWaitForMultipleObjects

ObWaitForSingleObject




Power Manager

PoAllProcessorsDeepIdle

PoFxActivateComponent

PoFxCompleteDevicePowerNotRequired

PoFxCompleteIdleCondition

PoFxCompleteIdleState

PoFxIdleComponent

PoFxNotifySurprisePowerOn

PoFxPowerControl

PoFxProcessorNotification

PoFxRegisterCoreDevice

PoFxRegisterDevice

PoFxRegisterPlugin

PoFxRegisterPluginEx

PoFxRegisterPrimaryDevice

PoFxReportDevicePoweredOn

PoFxSetComponentLatency

PoFxSetComponentResidency

PoFxSetComponentWake

PoFxSetDeviceIdleTimeout

PoFxStartDevicePowerManagement

PoFxUnregisterDevice

PoGetProcessorIdleAccounting

PoInitiateProcessorWake

PoLatencySensitivityHint

PoNotifyDisableDynamicTick

PoNotifyVSyncChange

PoRegisterCoalescingCallback

PoSetUserPresent

PoUnregisterCoalescingCallback

PoUserShutdownCancelled



Process and Threads

PsChargeProcessWakeCounter

PsCreateSystemThreadEx

PsDereferenceKernelStack

PsGetProcessCommonJob

PsGetProcessSignatureLevel

PsGetThreadExitStatus

PsIsDiskCountersEnabled

PsQueryProcessAttributesByToken

PsQueryTotalCycleTimeProcess

PsReferenceKernelStack

PsReleaseProcessWakeCounter

PsUpdateDiskCounters



Runtime Library

RtlAddAtomToAtomTableEx

RtlAddResourceAttributeAce

RtlCheckPortableOperatingSystem

RtlCheckTokenCapability

RtlCheckTokenMembership

RtlCheckTokenMembershipEx

RtlCopyBitMap

RtlCrc32

RtlCrc64

RtlCreateAtomTableEx

RtlCreateHashTableEx

RtlCreateUserThread

RtlCultureNameToLCID

RtlDecompressBufferEx

RtlDeleteElementGenericTableAvlEx

RtlEqualWnfChangeStamps

RtlExtractBitMap

RtlGenerateClass5Guid

RtlGetAppContainerNamedObjectPath

RtlIsUntrustedObject

RtlLCIDToCultureName

RtlNumberOfClearBitsInRange

RtlNumberOfSetBitsInRange

RtlOpenCurrentUser

RtlQueryInformationAcl

RtlQueryPackageIdentity

RtlQueryRegistryValuesEx

RtlQueryValidationRunlevel

RtlRbInsertNodeEx

RtlRbRemoveNode

RtlSetControlSecurityDescriptor

RtlSetPortableOperatingSystem



Security

SeAccessCheckFromStateEx

SeAuditingAnyFileEventsWithContextEx

SeAuditingFileEventsWithContextEx

SeCreateClientSecurityEx

SeCreateClientSecurityFromSubjectContextEx

SeGetLogonSessionToken

SeQuerySecureBootPolicyValue

SeSecurityAttributePresent

SeSystemDefaultSd

SeTokenFromAccessInformation



Transaction Manager

TmRequestOutcomeEnlistment

TmSinglePhaseReject



Windows Hardware Error Architecture

WheaRegisterInUsePageOfflineNotification (Does not exist on Windows 8 x86)

WheaUnregisterInUsePageOfflineNotification (Does not exist on Windows 8 x86)



NT System Calls (ZW prefix)

ZwAlpcConnectPortEx

ZwCreateWnfStateName

ZwDeleteWnfStateData

ZwDeleteWnfStateName

ZwFlushBuffersFileEx

ZwQuerySystemEnvironmentValueEx

ZwQueryWnfStateData

ZwQueryWnfStateNameInformation

ZwSetCachedSigningLevel

ZwSetInformationKey

ZwSetInformationVirtualMemory

ZwSetSystemEnvironmentValueEx

ZwUnlockVirtualMemory

ZwUpdateWnfStateData



Standard Library

bsearch_s


License: Attribution, Non-commercial, No derivatives
by Sone 2012.08.21 18:00