Why is it "mov eax, 25h" in the first line of NtCreateFile?

Discussion in 'C Programming' started by john, Nov 30, 2009.

  1. john

    john Guest

    Hi

    I set a breakpoint at Ntdll!NtCreateFile when I open a file from
    notepad, and it breaks, however, the instruction displayed is "mov
    eax, 25h", I simply don't know why, and shouldn't it be something like
    "push eax....", the whole thing is like this:

    ntdll!NtCreateFile:
    7c90d682 b825000000 mov eax,25h
    7c90d687 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
    7c90d68c ff12 call dword ptr [edx]
    7c90d68e c22c00 ret 2Ch

    Can anybody explain, thanks.

    Peace.
    john, Nov 30, 2009
    #1

  2. On 30 Nov 2009 at 21:03, Ben Pfaff wrote:
    > You will probably get better responses if you ask this question
    > in a newsgroup that focuses on Windows programming.


    Just because you don't use Windows doesn't mean there aren't plenty of
    Windows experts in this group.

    Jacob Navia is a prime example.
    Antoninus Twink, Nov 30, 2009
    #2

  3. john

    Hamiral Guest

    Antoninus Twink wrote:
    > On 30 Nov 2009 at 21:03, Ben Pfaff wrote:
    >> You will probably get better responses if you ask this question
    >> in a newsgroup that focuses on Windows programming.

    >
    > Just because you don't use Windows doesn't mean there aren't plenty of
    > Windows experts in this group.
    >
    > Jacob Navia is a prime example.
    >


    Anyway, the question is still off topic and would get faster and more
    accurate answers on the correct newsgroup.

    Ham
    Hamiral, Nov 30, 2009
    #3
  4. john

    Sjouke Burry Guest

    john wrote:
    > Hi
    >
    > I set a breakpoint at Ntdll!NtCreateFile when I open a file from
    > notepad, and it breaks, however, the instruction displayed is "mov
    > eax, 25h", i simply don't why, and shouldn't it be something like
    > "push eax....", the whole thing is like this:
    >
    > ntdll!NtCreateFile:
    > 7c90d682 b825000000 mov eax,25h
    > 7c90d687 ba0003fe7f mov edx,offset SharedUserData!
    > SystemCallStub (7ffe0300)
    > 7c90d68c ff12 call dword ptr [edx]
    > 7c90d68e c22c00 ret 2Ch
    >
    > Can anybody explain, thanks.
    >
    > Peace.

    What else but move 25(hex) into the extended ax register ???
    Sjouke Burry, Nov 30, 2009
    #4
  5. john

    jacob navia Guest

    john a écrit :
    > Hi
    >
    > I set a breakpoint at Ntdll!NtCreateFile when I open a file from
    > notepad, and it breaks, however, the instruction displayed is "mov
    > eax, 25h", i simply don't why, and shouldn't it be something like
    > "push eax....", the whole thing is like this:
    >
    > ntdll!NtCreateFile:
    > 7c90d682 b825000000 mov eax,25h
    > 7c90d687 ba0003fe7f mov edx,offset SharedUserData!
    > SystemCallStub (7ffe0300)
    > 7c90d68c ff12 call dword ptr [edx]
    > 7c90d68e c22c00 ret 2Ch
    >
    > Can anybody explain, thanks.
    >
    > Peace.


    The only people that know for sure why are the people that wrote
    that code.

    But with a little reflection it is obvious that the value
    being written to eax is an argument to the function that is being called.

    System calls do not follow the C calling conventions and
    parameters can be passed in any register, mostly in eax, ecx, or others.

    This is off topic in this group. You can find a better answer in the books
    of Mark Russinovich: Windows Internals.

    In that book, page 127 you will see the disassembly of ntdll!ZwReadFile, that
    does exactly the same as this stub that you show us. The parameter is the
    system service number, that will be processed by the stub whose address
    is in SharedUserData!SystemCallStub.
    jacob navia, Nov 30, 2009
    #5
  6. In article <hf1fbm$f3k$-september.org>,
    Richard <> wrote:
    ....
    (some miscellaneous CLC dork wrote)
    >> Anyway, the question is still off topic and would get faster and more
    >> accurate answers on the correct newsgroup.
    >>
    >> Ham
    >>

    >
    >Not necessarily.


    In fact, probably not, but I'll get to that in a minute.
    What should strike you most about the quote above (by the "miscellaneous
    dork") is the note of certainty about it. For a group that deals in
    absolute, mathematical certainty before making any statement (e.g., "C
    has no <X>" - because the [mythical] DS9K might not have one), note the
    absence of any weasel words in the above quoted statement.

    Now, as to question of whether the OP would be more likely to get a good
    answer in some miscellaneous Windows group (than here in CLC). I
    actually think not. And the reason is because most of the rest of
    Usenet has really gone to the dogs - particularly, those outside the
    "Big 8", and most particularly anything starting with "microsoft.".

    I'm not saying there aren't experts in those groups, but the fact is
    that getting to them is going to require, to put it mildly, time and
    patience. That is, they are so used to dealing with "How do I turn the
    computer on?" and "How do you spell Google?" - that most will give up in
    disgust. I know, having played the tech support game too many times,
    from both sides of the fence.

    Here, as you note, you're likely to get Jacob's attention right quick,
    and there are, despite them being a bunch of prigs most of the time, a
    bunch of other intelligent and Windows-knowledgeable people here. It is
    actually a shame that the CLC culture prevents them from acknowledging
    their skill and knowledge. (Hence the often seen "I know the answer,
    but I can't tell you" type responses.)
    Kenny McCormack, Nov 30, 2009
    #6
  7. In article <>, Gareth Owen <> wrote:
    >Hamiral <> writes:
    >
    >> Anyway, the question is still off topic

    >
    >Right. This newsgroup is strictly for discussing
    >
    >void main();
    >
    >i = i++;
    >
    >and whatever Richard Heathfield believes to be on topic (including, but
    >not limited to: the OED, his own religious beliefs, Peter Seebach's
    >education, the meaning of "clear", the ethics of Herb Schildt and his
    >own religious beliefs).


    Indeed. Quite so.

    And don't forget CBF's dirty underwear.
    Kenny McCormack, Dec 1, 2009
    #7
  8. john

    gwowen Guest

    On Nov 30, 8:59 pm, john <> wrote:

    > ntdll!NtCreateFile:
    > 7c90d682 b825000000      mov     eax,25h
    > 7c90d687 ba0003fe7f      mov     edx,offset SharedUserData!
    > SystemCallStub (7ffe0300)


    When you make a system call on NT, the EAX register contains the index
    of which system call you are calling. On Windows NT, the index 0x25
    corresponds to NtCreateFile

    http://msdn.microsoft.com/en-us/library/bb432380(VS.85).aspx
    gwowen, Dec 1, 2009
    #8
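The stub described in jacob navia's and gwowen's answers, decoded from the 15 bytes in the original post. This is an added example, not part of any post in the thread; the function and struct names are hypothetical, and the second byte array is constructed to show an input that does not have the stub's shape.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fields recovered from a 32-bit stub of the shape shown in the thread. */
struct stub_info {
    uint32_t service_number; /* imm32 of "mov eax, imm32" */
    uint32_t stub_pointer;   /* imm32 of "mov edx, imm32" */
    uint16_t arg_bytes;      /* imm16 of "ret imm16": stack bytes the stub pops */
};

/* Read a little-endian 32-bit immediate. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 if the bytes match B8 imm32 / BA imm32 / FF 12 / C2 imm16,
   -1 otherwise (too short, or any opcode byte differs). */
int decode_stub(const uint8_t *code, size_t len, struct stub_info *out) {
    if (code == NULL || out == NULL || len < 15) return -1;
    if (code[0] != 0xB8) return -1;                      /* mov eax, imm32 */
    if (code[5] != 0xBA) return -1;                      /* mov edx, imm32 */
    if (code[10] != 0xFF || code[11] != 0x12) return -1; /* call dword ptr [edx] */
    if (code[12] != 0xC2) return -1;                     /* ret imm16 */
    out->service_number = le32(code + 1);
    out->stub_pointer = le32(code + 6);
    out->arg_bytes = (uint16_t)(code[13] | (code[14] << 8));
    return 0;
}

/* The bytes from the debugger listing in the original post. */
static const uint8_t THREAD_STUB[15] = {
    0xB8, 0x25, 0x00, 0x00, 0x00,  /* mov eax,25h */
    0xBA, 0x00, 0x03, 0xFE, 0x7F,  /* mov edx,7ffe0300h */
    0xFF, 0x12,                    /* call dword ptr [edx] */
    0xC2, 0x2C, 0x00               /* ret 2Ch */
};

/* Constructed input: same bytes, but the first opcode is not B8. */
static const uint8_t ALTERED_STUB[15] = {
    0xE9, 0x25, 0x00, 0x00, 0x00, 0xBA, 0x00, 0x03,
    0xFE, 0x7F, 0xFF, 0x12, 0xC2, 0x2C, 0x00
};

int main(void) {
    struct stub_info s;
    if (decode_stub(THREAD_STUB, sizeof THREAD_STUB, &s) == 0) {
        /* 2Ch = 44 bytes = eleven 4-byte arguments; NtCreateFile takes eleven. */
        printf("service number 0x%x, stub pointer at 0x%08x, %u argument bytes\n",
               (unsigned)s.service_number, (unsigned)s.stub_pointer,
               (unsigned)s.arg_bytes);
    }
    if (decode_stub(ALTERED_STUB, sizeof ALTERED_STUB, &s) != 0)
        printf("altered bytes do not match the expected stub shape\n");
    return 0;
}
```

The value loaded into eax is an immediate baked into the stub, which is why the first instruction is a `mov` and not a `push`: the caller's arguments are already on the stack, and `ret 2Ch` removes them on return.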
  9. On 1 Dec 2009 at 14:22, Kenny McCormack wrote:
    > In article <>, Gareth Owen <> wrote:
    >>whatever Richard Heathfield believes to be on topic (including, but
    >>not limited to: the OED, his own religious beliefs, Peter Seebach's
    >>education, the meaning of "clear", the ethics of Herb Schildt and his
    >>own religious beliefs).

    >
    > Indeed. Quite so.
    >
    > And don't forget CBF's dirty underwear.


    Oh yes, CBF's underwear! Just to remind us all what we're missing now
    that he's finally become incapable of using a keyboard, here's that
    famous message.

    ---------------------------------------------------
    Oh? For example, we recently had an Ice Storm here. There has
    been no power in my apartment from Thursday to Monday noon. There
    is no other heat than electricity, and no possibility to install
    any such. There is no hot water, no stove, and I can't even open
    cans (the opener is electric). The exterior temperature has gone
    down to 3 degrees F (about -15 C). So I abandoned the apartment
    until today. When I got back I could get some clean underwear.

    Note that in the interim I have been quite filthy.

    --
    [mail]: Chuck F (cbfalconer at maineline dot net)
    [page]: (SPAM DELETED)
    Try the download section.

    -----------------------------------------------------

    To be honest, it was a surprise to learn that CBF could still toilet
    himself when there *was* running water...
    Antoninus Twink, Dec 1, 2009
    #9
  10. john

    rabbits77 Guest

    Ben Pfaff wrote:
    > john <> writes:
    >
    >> I set a breakpoint at Ntdll!NtCreateFile when I open a file from
    >> notepad, and it breaks, however, the instruction displayed is "mov
    >> eax, 25h", i simply don't why, and shouldn't it be something like
    >> "push eax....", the whole thing is like this:

    >
    > You will probably get better responses if you ask this question
    > in a newsgroup that focuses on Windows programming.

    Looks like the OP got two very nice informative
    responses already. One was from jacob navia and the
    other from gwowen.
    The quality of the responses serves as a
    counterexample to your claim which is thus
    refuted.
    rabbits77, Dec 1, 2009
    #10
  11. On 1 Dec 2009 at 17:30, rabbits77 wrote:
    > Ben Pfaff wrote:
    >> You will probably get better responses if you ask this question
    >> in a newsgroup that focuses on Windows programming.

    > Looks like the OP got two very nice informative responses already. One
    > was from jacob nivia and the other from gwowen. The quality of the
    > responses serves as a counterexample to your claim which is thus
    > refuted.


    Exactly right.

    A bit more of this and we can slowly start to roll back the
    Heathfieldization of this group and restore it as a useful resource for
    real world C programmers.
    Antoninus Twink, Dec 1, 2009
    #11
  12. john

    Seebs Guest

    On 2009-12-01, rabbits77 <> wrote:
    > Looks like the OP got two very nice informative
    > responses already. One was from jacob nivia and the
    > other from gwowen.


    Yup.

    > The quality of the responses serves as a
    > counterexample to your claim which is thus
    > refuted.


    Not necessarily; we don't know how good the responses in a better-suited
    newsgroup would have been.

    -s
    --
    Copyright 2009, all wrongs reversed. Peter Seebach /
    http://www.seebs.net/log/ <-- lawsuits, religion, and funny pictures
    http://en.wikipedia.org/wiki/Fair_Game_(Scientology) <-- get educated!
    Seebs, Dec 1, 2009
    #12
  13. On 1 Dec 2009 at 18:28, Seebs wrote:
    > Not necessarily; we don't know how good the responses in a better-suited
    > newsgroup would have been.


    Sour grapes?

    How much better can a response be than full and accurate?
    Antoninus Twink, Dec 1, 2009
    #13
  14. john

    Eric Sosman Guest

    rabbits77 wrote:
    > Ben Pfaff wrote:
    >> john <> writes:
    >>
    >>> I set a breakpoint at Ntdll!NtCreateFile when I open a file from
    >>> notepad, and it breaks, however, the instruction displayed is "mov
    >>> eax, 25h", i simply don't why, and shouldn't it be something like
    >>> "push eax....", the whole thing is like this:

    >>
    >> You will probably get better responses if you ask this question
    >> in a newsgroup that focuses on Windows programming.

    > Looks like the OP got two very nice informative
    > responses already. One was from jacob nivia and the
    > other from gwowen.
    > The quality of the responses serves as a
    > counterexample to your claim which is thus
    > refuted.


    No: Ben's claim was that a Windows forum would provide
    answers "probably [...] better" than those here. So: How
    good or bad were the answers offered on a Windows forum?
    Until you have compared the quality of the answers from the
    various sources, you have not even begun to address Ben's
    claim, much less refuted it.

    In any event, both the question and answers to it -- good
    or bad -- have nothing to do with the C language.

    --
    Eric Sosman
    lid
    Eric Sosman, Dec 1, 2009
    #14
  15. john

    gwowen Guest

    >      In any event, both the question and answers to it -- good
    > or bad -- have nothing to do with the C language.


    And yet they are considerably closer to being on topic than 99.9% of the
    things posted here, even discounting spam. Those disagreeing are
    pointed to the threads:

    "How to convert Infix notation to postfix notation"
    "subroutine stack and C machine model"
    "Pig-Wrestling"
    or anything posted by Han From China's sock puppets (Antonius, Kenny
    etc).

    Call me a Usenet utilitarian, but I think helping people by answering
    mildly off-topic questions is considerably more practical use than
    pedantically arguing the minutiae of the standard.
    gwowen, Dec 2, 2009
    #15
  16. john

    Seebs Guest

    On 2009-12-02, gwowen <> wrote:
    > or anything posted by Han From China's sock puppets (Antonius, Kenny
    > etc).


    That's an interesting theory. I would grant that at least two of them appear
    to be the same person.

    > Call me a Usenet utilitarian, but I think helping people by answering
    > mildly off-topic questions is considerably more practical use than
    > pedantically arguing the minutiae of the standard.


    There's a bit of give a man a fish/teach a man to fish in it; also some
    tragedy of the commons. In the short term, giving a single off-topic answer
    may help one person. In the long run, a group where topicality is ignored
    becomes much less useful to many people. I try to compromise on suggesting
    likely better places, and sometimes offering quick off-topic answers along
    with those suggestions.

    I wouldn't call this one "mildly" off topic, though -- it's completely
    unrelated to C. It's about deciphering machine code within a particular
    operating system environment, and no part of the question has anything to
    do with whatever language the library in question was implemented with...

    -s
    --
    Copyright 2009, all wrongs reversed. Peter Seebach /
    http://www.seebs.net/log/ <-- lawsuits, religion, and funny pictures
    http://en.wikipedia.org/wiki/Fair_Game_(Scientology) <-- get educated!
    Seebs, Dec 2, 2009
    #16
  17. john

    Eric Sosman Guest

    gwowen wrote:
    >> In any event, both the question and answers to it -- good
    >> or bad -- have nothing to do with the C language.

    >
    > And yet they considerably closer to being on topic than 99.9% of the
    > things posted here, even discounting spam. Those disagreeing are
    > pointed to the threads:
    >
    > "How to convert Infix notation to postfix notation"
    > "subroutine stack and C machine model"
    > "Pig-Wrestling"
    > or anything posted by Han From China's sock puppets (Antonius, Kenny
    > etc).
    >
    > Call me a Usenet utilitarian, but I think helping people by answering
    > mildly off-topic questions is considerably more practical use than
    > pedantically arguing the minutiae of the standard.


    When your dog befouls the living room carpet, do you
    skritch his ears, call him "Good Boy," and give him a biscuit?

    Rewarding undesired behavior is a strange way to discourage
    it. (Although there's a delightful little story by Saki about
    how women were discouraged from seeking the vote by giving it to
    them and then making its exercise mandatory.)

    --
    Eric Sosman
    lid
    Eric Sosman, Dec 2, 2009
    #17
  18. john

    Eric Sosman Guest

    Tim Streater wrote:
    > On 02/12/2009 12:44, Eric Sosman wrote:
    >> gwowen wrote:
    >>> [...]
    >>> Call me a Usenet utilitarian, but I think helping people by answering
    >>> mildly off-topic questions is considerably more practical use than
    >>> pedantically arguing the minutiae of the standard.

    >> [...]
    >>
    >> Rewarding undesired behaviour is a strange way to discourage
    >> it.

    >
    > While this is true, there are times when someone is not quite sure of
    > what they need to ask - perhaps they can't express it very well. Or they
    > are experiencing odd behaviour and don't know whether it's a problem
    > with html, css, javascript, php, or SQLite.


    Yes. Which is why Ben Pfaff's answer to the question
    was exactly right: He directed the O.P. toward a better
    source of information. The c.l.c. vandals then seized upon
    Ben's correct and helpful answer, and derided it for pedantry.
    Go figure.

    --
    Eric Sosman
    lid
    Eric Sosman, Dec 2, 2009
    #18
  19. john

    jacob navia Guest

    Eric Sosman a écrit :
    > Yes. Which is why Ben Pfaff's answer to the question
    > was exactly right: He directed the O.P. toward a better
    > source of information. The c.l.c. vandals then seized upon
    > Ben's correct and helpful answer, and derided it for pedantry.
    > Go figure.
    >


    I am not a "vandal" because I correctly answered a question here.
    Who do you think you are?

    I can answer any question as I want, and you have nothing to say about it.
    jacob navia, Dec 2, 2009
    #19
  20. jacob navia <> writes:
    > Eric Sosman a écrit :
    >> Yes. Which is why Ben Pfaff's answer to the question
    >> was exactly right: He directed the O.P. toward a better
    >> source of information. The c.l.c. vandals then seized upon
    >> Ben's correct and helpful answer, and derided it for pedantry.
    >> Go figure.
    >>

    >
    > I am not a "vandal" because I correctly answered a question here.
    > Who you think you are?
    >
    > I can answer any question as I want, and you have nothing to say about it.


    You didn't seize upon Ben's correct and helpful answer, nor did
    you deride it for pedantry. You even mentioned that the question
    was off topic and suggested a better source of information.

    What makes you think Eric was calling you a vandal?

    It's not always about you.

    --
    Keith Thompson (The_Other_Keith) <http://www.ghoti.net/~kst>
    Nokia
    "We must do something. This is something. Therefore, we must do this."
    -- Antony Jay and Jonathan Lynn, "Yes Minister"
    Keith Thompson, Dec 2, 2009
    #20