https://docs.kernel.org/admin-guide/syscall-user-dispatch.ht...
If I recall correctly, Jurassic World Evolution’s DRM is one of those that needed this to work.
- https://www.mdsec.co.uk/2022/04/resolving-system-service-num...
- https://klezvirus.github.io/RedTeaming/AV_Evasion/NoSysWhisp...
- https://whiteknightlabs.com/2024/07/31/layeredsyscall-abusin...
Though I'm not sure which of these techniques, if any, would be most favored by a game DRM as I've never looked into it.
And 467 on the Linux list https://filippo.io/linux-syscall-table.
Ballpark the same number.
Some operating systems have massive fan-in and fan-out on what is internally one single system call crossing the shell/kernel divide. Witness how much is done by sysctl() on the BSDs, for example. Whereas others will be more 1-to-1.
Then there's the fact that the Native API for Windows NT is structurally very different to the Linux API (as they are both different from, say, XNU). It's basically entirely coincidental that the numbers are even close, and there are no general conclusions that one can draw from such statistics.
Except, perhaps, a general but rather facile conclusion that these operating systems aren't running on 8-bit processor architectures. (-:
I don't know if there's more to this claim than just concern about an extra TLB entry though.
This kind of versioning on public APIs, I understand, but syscalls are only meant to be invoked by ntdll. Why do they need more than one?
Stability of the Native API per se isn't really a big concern for drivers, not least because Microsoft invented other APIs for drivers, such as the one for graphics drivers that made drivers so loosely coupled to other things that it let the entire graphics subsystem be moved into the kernel in Windows NT 4.
And the reliance of antivirus softwares on the Native API, and thus the need for stability, is somewhat overblown, not least because the Native API is far too high level a layer for antivirus softwares to trust. The flashy GUI bits might as well be just written in ordinary Win32 et al., and the other bits are busy being … well … essentially rootkits. (-:
That said, for those particular API functions there is an interesting history that is, rather, about mitigating security holes:
* https://www.tiraniddo.dev/2020/05/silent-exploit-mitigations...
Changes to the system calls to close exploits are clear, but I'm really curious what software is invoking NtLoadKey directly that Microsoft themselves can't change, and then kept doing it even as the system call evolved over time. These aren't documented even in headers so it takes some reverse engineering to be able to do that.
You got three common suffixes for function names in Windows. A and W relate to the encoding of the string parameters - A refers to the strings being encoded in plain ASCII, W to UTF-16.
And Ex, 2, 3, whatever - these refer to extensions with different parameters. Like, the "original" function may have had only two parameters or a tiny struct, but for more modern usecases they might have added a few parameters, expanded the struct or, even worse, re-arrange fields in the struct.
Now, of course they could have gone the Java/C++ path - basically, overload the function name with different parameters and have the "old" functions call whatever the most detailed constructor is and set default values for the newly expected parameters (or convert, if needed). But that doesn't work with C code at all, which is why the functions/syscalls have to have different names, and additionally the Java/C++ way imposes another function call with its related expenses while having dedicated functions/entrypoints allows for a tiny bit more performance, at the cost of sometimes significant code duplication.
And on top of all of that, MS has to take into account that there are a lot of third party code that doesn't use ntdll, user32 and god knows what else is supposed to be the actual API interface, but instead goes as close to the kernel as possible. Virus scanners, DRM solutions, anti-cheat measures, audit/compliance tools - these all hook themselves in everywhere they can. It's a routine source of issues with Windows updates...
EDIT: also, wondering why the above article says SetMenu requires a syscall, which is not mentioned in OP, I found this: http://www.fengyuan.com/article/win32ksyscall.html - looks like many GUI operations on Windows NT/2000 were implemented in kernel. That can't have been very good for performance to constantly context-switch to draw a window, no?
In hindsight a silly idea, trading off security for a speed boost.
Aero introduced accelerated compositing: https://learn.microsoft.com/en-us/archive/msdn-magazine/2007...
And WPF and subsequent toolkits follow a more modern model of "application draws into its own RAM region using DirectX which is then composited into the desktop".
And the criticisms were the contemporary 1990s criticisms of microkernel designs, namely that all of this message passing was slow. (In reality, this is a red herring in most critiques of microkernels. In systems ranging from AT&T STREAMS to Windows NT today, I/O subsystems are built anyway around the idea of passing request packets around, be they mbufs or IRPs.) So it all got moved into the kernel, and then some of it in later versions got moved back out again, and rearchitected when windowing became more about compositing multiple whole bitmaps that could be constructed locally rather than drawing into a shared area with lots of clip rectangles.
That’s true. I remember reading the L4 microkernel papers, showing how they achieved really decent message-passing performance on Intel 486 processors IIRC. I figure context switches are even more optimised on modern architectures.
Surac•7mo ago
ryao•7mo ago
senectus1•7mo ago