1

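"Windows NT/2000 Native API Reference" provides comprehensive (albeit outdated) documentation of the native APIs that Microsoft left undocumented. However, I am curious: is there a way to find the mapping between the low-level functions declared in ntdll.dll and the user-mode functions in kernel32.dll, advapi.dll, and so on?

For example:

I know that the CreateFile function maps to NtCreateFile, but I have no exact function in ntdll.dll for the function MoveFileWithProgressW in kernel32.dll.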

4

2 Answers

3

NT native API is a lower level API compared to the standard Windows (user mode) API. So there is no one to one correspondence in many cases. I'm guessing that MoveFileWithProgress is implemented in user space using lower level open/read/write/close routines.

In other words, if you want to use the Native API, you'll need to re-implement a bunch of convenience functions like MoveFileWithProgress.

The Wine project has re-implementations of the Windows API. You can see their implementation to get a taste of how it is done. (Search for "MoveFileWithProgress" in the page)

answered 2012-10-25T21:20:44.553
3

You can dump exports from user-mode system DLLs using the dumpbin.exe utility from the Windows SDK/Visual Studio and look for forwarded functions:

dumpbin -exports kernel32.dll | find/I "forwarded" > fwd.txt

This will create a fwd.txt file containing a list of forwarded functions, something like this:

151   96  EnterCriticalSection (forwarded to NTDLL.RtlEnterCriticalSection)
361  168  GetLastError (forwarded to NTDLL.RtlGetLastWin32Error)
518  205  HeapAlloc (forwarded to NTDLL.RtlAllocateHeap)
524  20B  HeapFree (forwarded to NTDLL.RtlFreeHeap)
528  20F  HeapReAlloc (forwarded to NTDLL.RtlReAllocateHeap)
530  211  HeapSize (forwarded to NTDLL.RtlSizeHeap)

etc.

answered 2012-10-25T21:21:14.973
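What dumpbin reports as "forwarded to" comes from the PE export directory: an export whose address falls inside the export directory itself is not code but a string naming the real implementation. The parser below is an added example, not code from either answer; `forwarded_exports` and `build_sample` are hypothetical names, and the sample image is constructed inline (with MoveFileWithProgressW given a non-forwarded entry purely for illustration) so the block runs without a Windows DLL.

```python
import struct

def forwarded_exports(data):
    """Return {export name: "DLL.Function"} for each forwarder entry in a PE file."""
    pe, = struct.unpack_from("<I", data, 0x3C)              # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    # Data directory 0 (exports) sits at +112 in PE32+ and +96 in PE32.
    exp_rva, exp_size = struct.unpack_from("<II", data, opt + (112 if magic == 0x20B else 96))
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
                for i in range(nsect)]  # (VirtualSize, VirtualAddress, RawSize, RawPointer)

    def off(rva):  # RVA -> file offset
        for vsize, va, rawsize, raw in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + raw
        raise ValueError(f"RVA {rva:#x} is outside every section")
    def cstr(rva):
        start = off(rva)
        return data[start:data.index(b"\0", start)].decode("ascii")
    if exp_rva == 0:
        return {}
    nnames, funcs, names, ords = struct.unpack_from("<IIII", data, off(exp_rva) + 24)
    out = {}
    for i in range(nnames):
        name_rva, = struct.unpack_from("<I", data, off(names) + 4 * i)
        idx, = struct.unpack_from("<H", data, off(ords) + 2 * i)
        target, = struct.unpack_from("<I", data, off(funcs) + 4 * idx)
        # Forwarder test: the "address" points back inside the export directory.
        if exp_rva <= target < exp_rva + exp_size:
            out[cstr(name_rva)] = cstr(target)
    return out

def build_sample():
    """Constructed minimal PE32+ image: one section holding a two-entry export table."""
    strs = b"HeapAlloc\0MoveFileWithProgressW\0NTDLL.RtlAllocateHeap\0"
    base = 0x1000 + 40 + 8 + 8 + 4                  # RVA where the strings start
    edir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, 2, 2, 0x1028, 0x1030, 0x1038)
    body = edir + struct.pack("<IIIIHH", base + strs.index(b"NTDLL"), 0x5000,
                              base, base + 10, 0, 1) + strs
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 120, 0x2022)
    opt = struct.pack("<H", 0x20B).ljust(112, b"\0") + struct.pack("<II", 0x1000, len(body))
    sect = b".rdata\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x100) + bytes(16)
    return (dos + coff + opt + sect).ljust(0x100, b"\0") + body.ljust(0x200, b"\0")
```

On a Windows host the same function can be given the bytes of a system DLL read from disk. Exports that do not show up as forwarders have their own body in that DLL, so the native calls they make can only be found by reading that implementation.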