«

Hi

I set a breakpoint at Ntdll!NtCreateFile when I open a file from
notepad, and it breaks, however, the instruction displayed is "mov
eax, 25h", i simply don't why, and shouldn't it be something like
"push eax....", the whole thing is like this:

ntdll!NtCreateFile:
7c90d682 b825000000 mov eax,25h
7c90d687 ba0003fe7f mov edx,offset SharedUserData!
SystemCallStub (7ffe0300)
7c90d68c ff12 call dword ptr [edx]
7c90d68e c22c00 ret 2Ch

Can anybody explain, thanks.

Peace.

On 30 Nov 2009 at 21:03, Ben Pfaff wrote:
> You will probably get better responses if you ask this question
> in a newsgroup that focuses on Windows programming.

Just because you don't use Windows doesn't mean there aren't plenty of
Windows experts in this group.

Jacob Navia is a prime example.

Antoninus Twink wrote:
> On 30 Nov 2009 at 21:03, Ben Pfaff wrote:
>> You will probably get better responses if you ask this question
>> in a newsgroup that focuses on Windows programming.
>
> Just because you don't use Windows doesn't mean there aren't plenty of
> Windows experts in this group.
>
> Jacob Navia is a prime example.
>

Anyway, the question is still off topic and would get faster and more
accurate answers on the correct newsgroup.

Ham

john wrote:
> Hi
>
> I set a breakpoint at Ntdll!NtCreateFile when I open a file from
> notepad, and it breaks, however, the instruction displayed is "mov
> eax, 25h", i simply don't why, and shouldn't it be something like
> "push eax....", the whole thing is like this:
>
> ntdll!NtCreateFile:
> 7c90d682 b825000000 mov eax,25h
> 7c90d687 ba0003fe7f mov edx,offset SharedUserData!
> SystemCallStub (7ffe0300)
> 7c90d68c ff12 call dword ptr [edx]
> 7c90d68e c22c00 ret 2Ch
>
> Can anybody explain, thanks.
>
> Peace.
What else but move 25(hex) into the extended ax register ???

john a écrit :
> Hi
>
> I set a breakpoint at Ntdll!NtCreateFile when I open a file from
> notepad, and it breaks, however, the instruction displayed is "mov
> eax, 25h", i simply don't why, and shouldn't it be something like
> "push eax....", the whole thing is like this:
>
> ntdll!NtCreateFile:
> 7c90d682 b825000000 mov eax,25h
> 7c90d687 ba0003fe7f mov edx,offset SharedUserData!
> SystemCallStub (7ffe0300)
> 7c90d68c ff12 call dword ptr [edx]
> 7c90d68e c22c00 ret 2Ch
>
> Can anybody explain, thanks.
>
> Peace.

The only people that know for sure why are the people that wrote
that code.

But with a little reflection it is obvious that the value
being written to eax is an argument to the function that is being called.

System calls do not follow the C calling conventions and
parameters can be passed in any register, mostly in eax, ecx, or others.

This is off topic in this group. You can find a better answer in the books
of Mark Russinovich: windows internals.

In that book, page 127 you will see the disassembly of ntdll!ZwReadFile, that
does exactly the same as this stub that you show us. The parameter is the
system service number, that will be processed by the stub whose address
is in SharedUserData!SystemCallStub.

In article <hf1fbm$f3k$>,
Richard <rgrdev_@gmail.com> wrote:
....
(some miscellaneous CLC dork wrote)
>> Anyway, the question is still off topic and would get faster and more
>> accurate answers on the correct newsgroup.
>>
>> Ham
>>
>
>Not necessarily.

In fact, probably not, but I'll get to that in a minute.
What should strike you most about the quote above (by the "miscellaneous
dork") is the note of certainty about it. For a group that deals in
absolute, mathematical certainty before making any statement (e.g., "C
has no <X>" - because the [mythical] DS9K might not have one), note the
absence of any weasel words in the above quoted statement.

Now, as to question of whether the OP would be more likely to get a good
answer in some miscellaneous Windows group (than here in CLC). I
actually think not. And the reason is because most of the rest of
Usenet has really gone to the dogs - particularly, those outside the
"Big 8", and most particularly anything starting with "microsoft.".

I'm not saying there aren't experts in those groups, but the fact is
that getting to them is going to require, to put it mildly, time and
patience. That is, they are so used to dealing with "How do I turn the
computer on?" and "How do you spell Google?" - that most will give up in
disgust. I know, having played the tech support game too many times,
from both sides of the fence.

Here, as you note, you're likely to get Jacob's attention right quick,
and there are, despite them being a bunch of prigs most of the time, a
bunch of other intelligent and Windows-knowledgeable people here. It is
actually a shame that the CLC culture prevents them from acknowledging
their skill and knowledge. (Hence the often seen "I know the answer,
but I can't tell you" type responses.)

In article <>, Gareth Owen <> wrote:
>Hamiral <> writes:
>
>> Anyway, the question is still off topic
>
>Right. This newsgroup is strictly for discussing
>
>void main();
>
>i = i++;
>
>and whatever Richard Heathfield believes to be on topic (including, but
>not limited to: the OED, his own religious beliefs, Peter Seebach's
>education, the meaning of "clear", the ethics of Herb Schildt and his
>own religious beliefs).

Indeed. Quite so.

And don't forget CBF's dirty underwear.

On Nov 30, 8:59*pm, john <j...@nospam.com> wrote:

> ntdll!NtCreateFile:
> 7c90d682 b825000000 * * *mov * * eax,25h
> 7c90d687 ba0003fe7f * * *mov * * edx,offset SharedUserData!
> SystemCallStub (7ffe0300)

When you make a system call on NT, the EAX register contains the index
of which system call you are calling. On Windows NT, the index 0x25
corresponds to NtCreateFile

http://msdn.microsoft.com/en-us/libr...8VS.85%29.aspx

On 1 Dec 2009 at 14:22, Kenny McCormack wrote:
> In article <>, Gareth Owen <> wrote:
>>whatever Richard Heathfield believes to be on topic (including, but
>>not limited to: the OED, his own religious beliefs, Peter Seebach's
>>education, the meaning of "clear", the ethics of Herb Schildt and his
>>own religious beliefs).
>
> Indeed. Quite so.
>
> And don't forget CBF's dirty underwear.

Oh yes, CBF's underwear! Just to remind us all what we're missing now
that he's finally become incapable of using a keyboard, here's that
famous message.

---------------------------------------------------
Oh? For example, we recently had an Ice Storm here. There has
been no power in my apartment from Thursday to Monday noon. There
is no other heat than electricity, and no possibility to install
any such. There is no hot water, no stove, and I can't even open
cans (the opener is electric). The exterior temperature has gone
down to 3 degrees F (about -15 C). So I abandoned the apartment
until today. When I got back I could get some clean underwear.

Note that in the interim I have been quite filthy.

--
[mail]: Chuck F (cbfalconer at maineline dot net)
[page]: (SPAM DELETED)
Try the download section.

-----------------------------------------------------

To be honest, it was a surprise to learn that CBF could still toilet
himself when there *was* running water...

Ben Pfaff wrote:
> john <> writes:
>
>> I set a breakpoint at Ntdll!NtCreateFile when I open a file from
>> notepad, and it breaks, however, the instruction displayed is "mov
>> eax, 25h", i simply don't why, and shouldn't it be something like
>> "push eax....", the whole thing is like this:
>
> You will probably get better responses if you ask this question
> in a newsgroup that focuses on Windows programming.
Looks like the OP got two very nice informative
responses already. One was from jacob nivia and the
other from gwowen.
The quality of the responses serves as a
counterexample to your claim which is thus
refuted.