
I want to know how IOCTL works. I know the basics:

DeviceIoControl() -> kernel32.dll -> ntdll.dll -> the moment it gets from user mode to kernel mode -> I/O Manager -> IRP

Question is how an IOCTL gets from user mode to kernel mode? Is it an interrupt gate, a call gate, or something else?

If you know any article/book that explains details of IOCTL (more than Windows Internals) please post a link.

codingfreak
lmmalino

1 Answer


If you look at the implementation of DeviceIoControl in Kernel32.dll you'll see it calls NtDeviceIoControlFile from ntdll.dll. This in turn does a syscall which does the transition from user-mode to kernel-mode.

jcopenha
To be more specific, it loads the system call and return address onto the stack, then calls `kifastsystemcall`, which then loads a secret number (giving kernel mode access) and makes the `syscall`, and then `kifastsystemcallret` is used with the return address parameter. Therefore a user wanting to go this low-level will need to use `kifastsystemcall`. –  Jan 24 '13 at 18:04
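Added example (not from the question, the answer or the comment above): a Python script that makes the chain in the answer concrete. It reads the first bytes of `ntdll!NtDeviceIoControlFile`, pulls the service number the stub loads into EAX before `syscall` (x64: `mov r10, rcx ; mov eax, imm32 ; syscall`) or before the `call dword ptr [7FFE0300h]` into `KiFastSystemCall` (32-bit ntdll: `mov eax, imm32 ; mov edx, 7FFE0300h`), and then issues `IOCTL_DISK_GET_DRIVE_GEOMETRY` through `NtDeviceIoControlFile` directly, skipping `DeviceIoControl`. It also unpacks the IOCTL code layout (`CTL_CODE`) that the I/O manager uses to pick the buffering method. Assumptions: the two stub byte patterns are the common ntdll shapes and may not match a hooked or unusual build; the service numbers used in the offline test are constructed, since the real value changes between Windows builds; the device path `\\.\PhysicalDrive0` and `dwDesiredAccess = 0` are illustrative choices. The live call only runs on Windows.

```python
import struct
import sys

# Observed ntdll stub shapes (assumption: unhooked, common builds).
X64_STUB_PREFIX = b"\x4c\x8b\xd1\xb8"  # mov r10, rcx ; mov eax, imm32   (then syscall ; ret)
X86_STUB_PREFIX = b"\xb8"              # mov eax, imm32 ; mov edx, 7FFE0300h ; call dword ptr [edx]


def syscall_number_from_stub(stub: bytes) -> int:
    """Return the system service number an ntdll Nt* stub loads into EAX before the transition."""
    if stub.startswith(X64_STUB_PREFIX):
        return struct.unpack_from("<I", stub, 4)[0]
    if stub.startswith(X86_STUB_PREFIX):
        return struct.unpack_from("<I", stub, 1)[0]
    # A jmp/int3 at the export usually means a user-mode hook overwrote the stub.
    raise ValueError("unrecognised stub bytes: %s" % stub.hex())


# IOCTL code layout (winioctl.h CTL_CODE): DeviceType(16) | Access(2) | Function(12) | Method(2)
FILE_ANY_ACCESS, FILE_READ_ACCESS, FILE_WRITE_ACCESS = 0, 1, 2
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Same packing as the CTL_CODE macro."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code: int) -> dict:
    """Split an IOCTL code into the fields the I/O manager looks at (method decides buffer handling)."""
    return {"device_type": code >> 16, "access": (code >> 14) & 3,
            "function": (code >> 2) & 0xFFF, "method": METHOD_NAMES[code & 3]}


IOCTL_DISK_GET_DRIVE_GEOMETRY = ctl_code(0x07, 0x0000, 0, FILE_ANY_ACCESS)  # FILE_DEVICE_DISK, buffered


def drive_geometry_via_ntdll(device: str = r"\\.\PhysicalDrive0") -> dict:
    """Windows only: read NtDeviceIoControlFile's stub, then send the IOCTL through it directly."""
    import ctypes
    from ctypes import wintypes

    class IO_STATUS_BLOCK(ctypes.Structure):
        _fields_ = [("Status", ctypes.c_void_p),     # union {NTSTATUS Status; PVOID Pointer;}
                    ("Information", ctypes.c_size_t)]  # ULONG_PTR

    ntdll = ctypes.WinDLL("ntdll")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    nt_dioc = ntdll.NtDeviceIoControlFile
    nt_dioc.restype = ctypes.c_long  # NTSTATUS
    nt_dioc.argtypes = [wintypes.HANDLE, wintypes.HANDLE, ctypes.c_void_p, ctypes.c_void_p,
                        ctypes.POINTER(IO_STATUS_BLOCK), wintypes.ULONG,
                        ctypes.c_void_p, wintypes.ULONG, ctypes.c_void_p, wintypes.ULONG]

    # The exported function *is* the stub; its first bytes carry the service number.
    stub = ctypes.string_at(ctypes.cast(nt_dioc, ctypes.c_void_p).value, 8)
    number = syscall_number_from_stub(stub)

    k32.CreateFileW.restype = wintypes.HANDLE
    k32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD, ctypes.c_void_p,
                                wintypes.DWORD, wintypes.DWORD, wintypes.HANDLE]
    invalid = wintypes.HANDLE(-1).value
    # dwDesiredAccess = 0 is enough for a FILE_ANY_ACCESS query (assumption: no admin needed).
    h = k32.CreateFileW(device, 0, 3, None, 3, 0, None)  # FILE_SHARE_READ|WRITE, OPEN_EXISTING
    if h == invalid:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        iosb = IO_STATUS_BLOCK()
        out = ctypes.create_string_buffer(24)  # DISK_GEOMETRY: LARGE_INTEGER + MEDIA_TYPE + 3 DWORDs
        status = nt_dioc(h, None, None, None, ctypes.byref(iosb),
                         IOCTL_DISK_GET_DRIVE_GEOMETRY, None, 0, out, 24)
    finally:
        k32.CloseHandle(h)
    if status < 0:  # NTSTATUS failures have the high bit set
        raise OSError("NtDeviceIoControlFile returned NTSTATUS 0x%08X" % (status & 0xFFFFFFFF))
    cylinders, media_type, tracks, sectors, bytes_per_sector = struct.unpack("<qIIII", out.raw)
    return {"syscall_number": number, "stub": stub.hex(), "bytes_returned": iosb.Information,
            "cylinders": cylinders, "tracks_per_cylinder": tracks,
            "sectors_per_track": sectors, "bytes_per_sector": bytes_per_sector}


if __name__ == "__main__":
    print(decode_ioctl(IOCTL_DISK_GET_DRIVE_GEOMETRY))
    if sys.platform == "win32":
        print(drive_geometry_via_ntdll())
    else:
        print("Skipping the live call: ntdll is only available on Windows.")
```

Two practical checks fall out of this: if `syscall_number_from_stub` raises, something in user mode has patched the stub, which is worth knowing before trusting any call that goes through ntdll; and the decoded `method` field tells you whether the kernel copies your buffers (`METHOD_BUFFERED`), locks them (`METHOD_*_DIRECT`) or passes raw user pointers to the driver (`METHOD_NEITHER`), which is where most IOCTL driver bugs live.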