Why is it "mov eax, 25h" in the first line of NtCreateFile?

J

john

Hi

I set a breakpoint at Ntdll!NtCreateFile when I open a file from
notepad, and it breaks, however, the instruction displayed is "mov
eax, 25h", i simply don't why, and shouldn't it be something like
"push eax....", the whole thing is like this:

ntdll!NtCreateFile:
7c90d682 b825000000 mov eax,25h
7c90d687 ba0003fe7f mov edx,offset SharedUserData!
SystemCallStub (7ffe0300)
7c90d68c ff12 call dword ptr [edx]
7c90d68e c22c00 ret 2Ch

Can anybody explain, thanks.

Peace.
 
A

Antoninus Twink

You will probably get better responses if you ask this question
in a newsgroup that focuses on Windows programming.

Just because you don't use Windows doesn't mean there aren't plenty of
Windows experts in this group.

Jacob Navia is a prime example.
 
H

Hamiral

Antoninus said:
Just because you don't use Windows doesn't mean there aren't plenty of
Windows experts in this group.

Jacob Navia is a prime example.

Anyway, the question is still off topic and would get faster and more
accurate answers on the correct newsgroup.

Ham
 
S

Sjouke Burry

john said:
Hi

I set a breakpoint at Ntdll!NtCreateFile when I open a file from
notepad, and it breaks, however, the instruction displayed is "mov
eax, 25h", i simply don't why, and shouldn't it be something like
"push eax....", the whole thing is like this:

ntdll!NtCreateFile:
7c90d682 b825000000 mov eax,25h
7c90d687 ba0003fe7f mov edx,offset SharedUserData!
SystemCallStub (7ffe0300)
7c90d68c ff12 call dword ptr [edx]
7c90d68e c22c00 ret 2Ch

Can anybody explain, thanks.

Peace.
What else but move 25(hex) into the extended ax register ???
 
J

jacob navia

john a écrit :
Hi

I set a breakpoint at Ntdll!NtCreateFile when I open a file from
notepad, and it breaks, however, the instruction displayed is "mov
eax, 25h", i simply don't why, and shouldn't it be something like
"push eax....", the whole thing is like this:

ntdll!NtCreateFile:
7c90d682 b825000000 mov eax,25h
7c90d687 ba0003fe7f mov edx,offset SharedUserData!
SystemCallStub (7ffe0300)
7c90d68c ff12 call dword ptr [edx]
7c90d68e c22c00 ret 2Ch

Can anybody explain, thanks.

Peace.

The only people that know for sure why are the people that wrote
that code.

But with a little reflection it is obvious that the value
being written to eax is an argument to the function that is being called.

System calls do not follow the C calling conventions and
parameters can be passed in any register, mostly in eax, ecx, or others.

This is off topic in this group. You can find a better answer in the books
of Mark Russinovich: windows internals.

In that book, page 127 you will see the disassembly of ntdll!ZwReadFile, that
does exactly the same as this stub that you show us. The parameter is the
system service number, that will be processed by the stub whose address
is in SharedUserData!SystemCallStub.
 
K

Kenny McCormack

(some miscellaneous CLC dork wrote)
Not necessarily.

In fact, probably not, but I'll get to that in a minute.
What should strike you most about the quote above (by the "miscellaneous
dork") is the note of certainty about it. For a group that deals in
absolute, mathematical certainty before making any statement (e.g., "C
has no <X>" - because the [mythical] DS9K might not have one), note the
absence of any weasel words in the above quoted statement.

Now, as to question of whether the OP would be more likely to get a good
answer in some miscellaneous Windows group (than here in CLC). I
actually think not. And the reason is because most of the rest of
Usenet has really gone to the dogs - particularly, those outside the
"Big 8", and most particularly anything starting with "microsoft.".

I'm not saying there aren't experts in those groups, but the fact is
that getting to them is going to require, to put it mildly, time and
patience. That is, they are so used to dealing with "How do I turn the
computer on?" and "How do you spell Google?" - that most will give up in
disgust. I know, having played the tech support game too many times,
from both sides of the fence.

Here, as you note, you're likely to get Jacob's attention right quick,
and there are, despite them being a bunch of prigs most of the time, a
bunch of other intelligent and Windows-knowledgeable people here. It is
actually a shame that the CLC culture prevents them from acknowledging
their skill and knowledge. (Hence the often seen "I know the answer,
but I can't tell you" type responses.)
 
K

Kenny McCormack

Right. This newsgroup is strictly for discussing

void main();

i = i++;

and whatever Richard Heathfield believes to be on topic (including, but
not limited to: the OED, his own religious beliefs, Peter Seebach's
education, the meaning of "clear", the ethics of Herb Schildt and his
own religious beliefs).

Indeed. Quite so.

And don't forget CBF's dirty underwear.
 
A

Antoninus Twink

Indeed. Quite so.

And don't forget CBF's dirty underwear.

Oh yes, CBF's underwear! Just to remind us all what we're missing now
that he's finally become incapable of using a keyboard, here's that
famous message.

---------------------------------------------------
Oh? For example, we recently had an Ice Storm here. There has
been no power in my apartment from Thursday to Monday noon. There
is no other heat than electricity, and no possibility to install
any such. There is no hot water, no stove, and I can't even open
cans (the opener is electric). The exterior temperature has gone
down to 3 degrees F (about -15 C). So I abandoned the apartment
until today. When I got back I could get some clean underwear.

Note that in the interim I have been quite filthy.

--
[mail]: Chuck F (cbfalconer at maineline dot net)
[page]: (SPAM DELETED)
Try the download section.
 
R

rabbits77

Ben said:
You will probably get better responses if you ask this question
in a newsgroup that focuses on Windows programming.
Looks like the OP got two very nice informative
responses already. One was from jacob nivia and the
other from gwowen.
The quality of the responses serves as a
counterexample to your claim which is thus
refuted.
 
A

Antoninus Twink

Looks like the OP got two very nice informative responses already. One
was from jacob nivia and the other from gwowen. The quality of the
responses serves as a counterexample to your claim which is thus
refuted.

Exactly right.

A bit more of this and we can slowly start to roll back the
Heathfieldization of this group and restore it as a useful resource for
real world C programmers.
 
S

Seebs

Looks like the OP got two very nice informative
responses already. One was from jacob nivia and the
other from gwowen.
Yup.

The quality of the responses serves as a
counterexample to your claim which is thus
refuted.

Not necessarily; we don't know how good the responses in a better-suited
newsgroup would have been.

-s
 
A

Antoninus Twink

Not necessarily; we don't know how good the responses in a better-suited
newsgroup would have been.

Sour grapes?

How much better can a response be than full and accurate?
 
E

Eric Sosman

rabbits77 said:
Looks like the OP got two very nice informative
responses already. One was from jacob nivia and the
other from gwowen.
The quality of the responses serves as a
counterexample to your claim which is thus
refuted.

No: Ben's claim was that a Windows forum would provide
answers "probably [...] better" than those here. So: How
good or bad were the answers offered on a Windows forum?
Until you have compared the quality of the answers from the
various sources, you have not even begun to address Ben's
claim, much less refuted it.

In any event, both the question and answers to it -- good
or bad -- have nothing to do with the C language.
 
G

gwowen

     In any event, both the question and answers to it -- good
or bad -- have nothing to do with the C language.

And yet they considerably closer to being on topic than 99.9% of the
things posted here, even discounting spam. Those disagreeing are
pointed to the threads:

"How to convert Infix notation to postfix notation"
"subroutine stack and C machine model"
"Pig-Wrestling"
or anything posted by Han From China's sock puppets (Antonius, Kenny
etc).

Call me a Usenet utilitarian, but I think helping people by answering
mildly off-topic questions is considerably more practical use than
pedantically arguing the minutiae of the standard.
 
S

Seebs

or anything posted by Han From China's sock puppets (Antonius, Kenny
etc).

That's an interesting theory. I would grant that at least two of them appear
to be the same person.
Call me a Usenet utilitarian, but I think helping people by answering
mildly off-topic questions is considerably more practical use than
pedantically arguing the minutiae of the standard.

There's a bit of give a man a fish/teach a man to fish in it; also some
tragedy of the commons. In the short term, giving a single off-topic answer
may help one person. In the long run, a group where topicality is ignored
becomes much less useful to many people. I try to compromise on suggesting
likely better places, and sometimes offering quick off-topic answers along
with those suggestions.

I wouldn't call this one "mildly" off topic, though -- it's completely
unrelated to C. It's about deciphering machine code within a particular
operating system environment, and no part of the question has anything to
do with whatever language the library in question was implemented with...

-s
 
E

Eric Sosman

gwowen said:
And yet they considerably closer to being on topic than 99.9% of the
things posted here, even discounting spam. Those disagreeing are
pointed to the threads:

"How to convert Infix notation to postfix notation"
"subroutine stack and C machine model"
"Pig-Wrestling"
or anything posted by Han From China's sock puppets (Antonius, Kenny
etc).

Call me a Usenet utilitarian, but I think helping people by answering
mildly off-topic questions is considerably more practical use than
pedantically arguing the minutiae of the standard.

When your dog befouls the living room carpet, do you
skritch his ears, call him "Good Boy," and give him a biscuit?

Rewarding undesired behavior is a strange way to discourage
it. (Although there's a delightful little story by Saki about
how women were discouraged from seeking the vote by giving it to
them and then making its exercise mandatory.)
 
E

Eric Sosman

Tim said:
gwowen said:
[...]
Call me a Usenet utilitarian, but I think helping people by answering
mildly off-topic questions is considerably more practical use than
pedantically arguing the minutiae of the standard.
[...]

Rewarding undesired behaviour is a strange way to discourage
it.

While this is true, there are times when someone is not quite sure of
what they need to ask - perhaps they can't express it very well. Or they
are experiencing odd behaviour and don't know whether it's a problem
with html, css, javascript, php, or SQLite.

Yes. Which is why Ben Pfaff's answer to the question
was exactly right: He directed the O.P. toward a better
source of information. The c.l.c. vandals then seized upon
Ben's correct and helpful answer, and derided it for pedantry.
Go figure.
 
J

jacob navia

Eric Sosman a écrit :
Yes. Which is why Ben Pfaff's answer to the question
was exactly right: He directed the O.P. toward a better
source of information. The c.l.c. vandals then seized upon
Ben's correct and helpful answer, and derided it for pedantry.
Go figure.

I am not a "vandal" because I correctly answered a question here.
Who you think you are?

I can answer any question as I want, and you have nothing to say about it.
 
K

Keith Thompson

jacob navia said:
Eric Sosman a écrit :

I am not a "vandal" because I correctly answered a question here.
Who you think you are?

I can answer any question as I want, and you have nothing to say about it.

You didn't seize upon Ben's correct and helpful answer, nor did
you deride it for pedantry. You even mentioned that the question
was off topic and suggested a better source of information.

What makes you think Eric was calling you a vandal?

It's not always about you.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,484
Members
44,903
Latest member
orderPeak8CBDGummies

Latest Threads

Top