Mapping high-level functions in user-mode dlls to NTDLL.dll

Question

The book Windows NT/2000 Native API Reference provides a comprehensive documentation (even though outdated) of undocumented (by Microsoft) Native APIs. But I am curious, is there anyway to find the mappings between low-level functions declared in ntdll.dll and user-mode functions in kernel32.dll, advapi.dll, etc..

For example:

I know the function CreateFile maps to NtCreateFile. But I don't the exact function in ntdll.dll for MoveFileWithProgressW function in kernel32.dll

Answer 1

NT native API is a lower level API compared to the standard Windows (user mode) API. So there is no one to one correspondence in many cases. I'm guessing that MoveFileWithProgress is implemented in user space using lower level open/read/write/close routines.

In other words, if you want to use the Native API, you'll need to re-implement a bunch of convenience functions like MoveFileWithProgress.

The Wine project has re-implementations of the Windows API. You can see their implementation to get a taste of how it is done. (Search for "MoveFileWithProgress" in the page)

Answer 2

You can dump exports from user-mode system DLLs using dumpbin.exe utility from Windows SDK/Visual Studio and look for forwarded functions:

dumpbin -exports kernel32.dll | find/I "forwarded" > fwd.txt

This will create fwd.txt file containing a list of forwarded functions, something like this:

151   96  EnterCriticalSection (forwarded to NTDLL.RtlEnterCriticalSection)
361  168  GetLastError (forwarded to NTDLL.RtlGetLastWin32Error)
518  205  HeapAlloc (forwarded to NTDLL.RtlAllocateHeap)
524  20B  HeapFree (forwarded to NTDLL.RtlFreeHeap)
528  20F  HeapReAlloc (forwarded to NTDLL.RtlReAllocateHeap)
530  211  HeapSize (forwarded to NTDLL.RtlSizeHeap)

etc.