Prototypes Of Native Apis

[shakuni]

How can I manually find the prototypes of native APIs ?

Please don't post some link or some book's name (like Gary Nebbet's book) listing the prototypes of the native APIs.
What I want is how can I reverse engineer the ntdll.dll and ntoskrnl.exe to find the prototype myself.(I have fairly good knowledge of reverse engineering so you can use the jargon associated with that).

For Example, if I see the following code in the dissasembly of the above files

Code Select Expand


push sth
push sth_else
call 0x12345


How do I know what is sth (is it a window handle or pointer to a string or whatever) and sth_else ?

[bozo]

have you been using IDA Pro for disassembly? there is freeware version, 4.3 but may not be suitable for more advanced plugins.

WinDBG is free, and IMHO best debugger on windows too, unless you can afford SoftICE.
you would have to do some debugging on this one..

ReactOS / WINE or TinyKRNL source code *may* help you out here.
also, try downloading the debugging symbols for ntdll.dll and ntoskrnl depending on your operating system.
load determina PDB+ plugin with the symbol file, and you will be given prototypes, variable names..etc making
debugging alot easier.

if possible for you, download checked build of the operating system you want to reverse.
try looking at openrce.org  :U

[Ehtyar]

4.9 is the new freeware now, and is a little less crippled than 4.3. I would also suggest OpenRCE, but it seems you are a little unfamiliar with kernel mode code, so have a look here first.

Ehtyar.

[Vortex]

include file and import library for ntdll.dll :

http://www.masm32.com/board/index.php?topic=1661.0

[fearless]

Also of use is http://undocumented.ntinternals.net/

They also have a handy little .chm file which can be download for offline reference.

[ToutEnMasm]

Hello,
use windbg.He come with the .pdb of ntdll and there is no translate to do.