Microsoft Windows NT provides a set of system services (similar to the System Call Interface under UNIX). Various environment subsystems such as WIN32 and use these services for implementing their own APIs.
The system services are implemented by a system trap (INT 2Eh on Intel X86 processors); see Helen Custer's Inside Windows NT (page 230) and the discussion of "Undocumented NT" in Andrew Schulman et al., Undocumented DOS, 2nd edition (pages 225-227).
Under Windows NT, NTDLL.DLL provides the system call interface. The user level DLLs such as KERNEL32 call this interface. NTDLL.DLL fills the service id in the EAX register, fills EDX register with a pointer to the stack frame required for the service and then issues an INT 2Eh. The control passes through the interrupt descriptor table (IDT) to a handler in NTOSKRNL.EXE. This handler in called _KiSystemService. The handler uses the system service dispatch table (SSDT) to locate the handler for a particular service and calls the service.
There is NO documented way to add new system services to the Windows NT kernel. Our method of adding new system services to NT kernel fits in the exising skeleton of the INT 2Eh handler. Therefore we now have the solution for the problem noted on page 231 of Helen Custer's Inside Windows NT, which states:
"The kernel can support new system services simply by expanding the table, without requiring changes to the system or to applications... ... Although neither this capability nor its user interface is present in the first release of Windows NT, it could be added at a later time".We discovered that in the 3.51 and 4.0 releases of NT, it is possible to extend the SSDT using some tricks.
2. Change to the BIN directory: cd BIN
3. Run the INSTDRV.EXE program to load the driver which will add new system services to the kernel. (The INSTDRV.EXE is compiled using the NT 3.51 DDK sample files and is contained in the ADDSYS.ZIP file.)
INSTDRV EXTNDDRV C:\SAMPLE\BIN\EXTNDDRV.SYSNote: It is important that you specify the COMPLETE path to the EXTNDDRV.SYS driver file as indicated above. The above example assumes that you have unzipped the file from C:\SAMPLE directory.
4. When the driver is loaded, it will add a total of 7 services to the NT kernel. Each of these services return values between 0 and 6. i.e Service 0 returns 0, Service 1 returns 1 and so on...
Each of these services outputs a debug message: "Kernel service ## called ..." (which you will be seen if you are running under a kernel-mode debugger such as Nu-Mega Soft-ICE for Windows NT.)
5. Run the program called MYAPP.EXE. This executable will call functions from a DLL called MYNTDLL.DLL. MYNTDLL.DLL is just like NTDLL.DLL. It provides "INT 2E" wrappers around the new services implemented inside kernel. The MYAPP.EXE calls each of the newly added 7 services and prints a return value from these services. This should confirm the correct execution of MYAPP.EXE calling the newly added system services using MYNTDLL.DLL wrappers.
2. The file ADDSYS.OBJ is the one which actually adds services to the NT Kernel. Source code for this file is NOT yet disclosed. You may modify the EXTNDSYS.C file to change the implementation of a service or to play around with the mechanism. The source code for ADDSYS.OBJ will be presented in our forthcoming book Undocumented Windows NT to be published by O'Reilly Associates.
3. You can not change the number of parameter which each of the service expects, since this information is hardcoded in ADDSYS.OBJ file by design.