Well basicly, the userland versions of these exported functions load a "system call number" into eax, load a pointer to the parameters into eax and then call an INT 2E. This call maps down to something in the kernel which uses the "system call number" as an index into a lookup table.Hmm, I'm confused. ntdll exists in kernel space too? I guess I always imagined the internals of the kernel would have its own symbol fixup system, without DLLs. But perhaps not.
See http://www.sysinternals.com/ntw2k/info/ntdll.shtml for the gory details
ok, I didnt know that :)IIRC the kernel functions use a particular naming scheme. I forget exactly what it is, but IoCompleteRequest and IofCompleteRequest are not the same, but one is a variant of the other - much like FooA and FooW are in userland Win32.
1.implementing these APIs and using the SafeDisk .sys file makes it more likely that things will just "work" if a new version of SafeDisk comes out. (plus, as more things get implemented, more drivers will just "work")Yeah, but is it any simpler than just reverse engineering and cloning the driver? Drivers aren't needed all that often.
and 2.more imporantly, implementing this stuff (as opposed to cloning secdrv.sys) is a lot less likely to cause the SafeDisk people to sue WINE under the DMCA (in fact, a clone of an older version of secdrv.sys was created but not added because of this DMCA fear)
