1. Flow of system calls - ntdll.dll, kernel32.dll

Basic flow of ntdll.dll in Windows system operations:

2a. NTDLL.DLL - Overview and Functionality

2. Win32 API and Windows Native API

```mermaid
graph TD
  A[User Application] -->|Calls WinAPI e.g., kernel32.dll| B[WinAPI DLLs]
  B -->|Forwards Request| C[ntdll.dll]
  C -->|Converts to Syscall| D[Syscall Interface]
  D -->|Switches to Kernel Mode| E["Windows Kernel (ntoskrnl.exe)"]
  E -->|Executes System Operation| F[Hardware & OS Components]
  F -->|Returns Response| E
  E -->|Returns Result| D
  D -->|Returns to User Mode| C
  C -->|Returns Data| B
  B -->|Completes Execution| A
```

Explanation

  1. User Application calls a function from WinAPI (e.g., ReadFile from kernel32.dll).
  2. WinAPI DLLs forward the request to ntdll.dll.
  3. ntdll.dll translates the request into the corresponding system call (e.g., NtReadFile) and executes the syscall instruction, which switches the processor to kernel mode and hands the request to the Windows Kernel.
  4. Windows Kernel (ntoskrnl.exe) processes the request and interacts with hardware or OS components.
  5. The kernel returns the result through ntdll.dll, which passes it back to the WinAPI DLLs and ultimately to the user application.
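To make the layering above concrete, here is an added example (not part of the original notes) that reads the first 16 bytes of a file once through the Win32 layer (kernel32!ReadFile) and once through the Native API layer it forwards to (ntdll!NtReadFile), then compares the bytes. It assumes 64-bit Windows with Windows PowerShell 5.1 or later, and the file path is a placeholder.

```powershell
# Added example (not from the original notes): read the same 16 bytes through
# kernel32!ReadFile and through ntdll!NtReadFile, the export kernel32 forwards to.
# Assumes 64-bit Windows with Windows PowerShell 5.1+; $path is a placeholder.
$src = @'
using System;
using System.Runtime.InteropServices;
public static class ApiLayers
{
    [StructLayout(LayoutKind.Sequential)]
    public struct OVERLAPPED { public IntPtr Internal, InternalHigh; public uint Offset, OffsetHigh; public IntPtr hEvent; }
    [StructLayout(LayoutKind.Sequential)]
    public struct IO_STATUS_BLOCK { public IntPtr Status; public IntPtr Information; }
    // Win32 layer: the documented wrapper exported by kernel32.dll
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadFile(IntPtr hFile, byte[] buf, uint toRead, out uint read, ref OVERLAPPED ovl);
    // Native API layer: the ntdll.dll export that issues the actual system call
    [DllImport("ntdll.dll")]
    public static extern int NtReadFile(IntPtr hFile, IntPtr hEvent, IntPtr apc, IntPtr apcCtx,
        out IO_STATUS_BLOCK iosb, byte[] buf, uint toRead, ref long byteOffset, IntPtr key);
}
'@
Add-Type -TypeDefinition $src

function Hex([byte[]]$b, [int]$n) { ($b[0..($n - 1)] | ForEach-Object { '{0:X2}' -f $_ }) -join ' ' }

$path = 'C:\Windows\System32\drivers\etc\hosts'   # placeholder: any readable, non-empty file
$fs = [System.IO.File]::OpenRead($path)           # synchronous handle, usable by both layers
$h  = $fs.SafeFileHandle.DangerousGetHandle()

# 1) Through kernel32.dll, with an explicit file offset of 0 supplied via OVERLAPPED
$viaWin32 = New-Object byte[] 16
$ovl = New-Object -TypeName 'ApiLayers+OVERLAPPED'
[uint32]$got = 0
if (-not [ApiLayers]::ReadFile($h, $viaWin32, 16, [ref]$got, [ref]$ovl)) {
    throw "ReadFile failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

# 2) Through ntdll.dll directly: same handle, same explicit offset of 0
$viaNative = New-Object byte[] 16
$iosb = New-Object -TypeName 'ApiLayers+IO_STATUS_BLOCK'
[long]$offset = 0
$status = [ApiLayers]::NtReadFile($h, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero,
    [ref]$iosb, $viaNative, 16, [ref]$offset, [IntPtr]::Zero)
if ($status -ne 0) { throw ('NtReadFile failed, NTSTATUS 0x{0:X8}' -f $status) }
$fs.Dispose()

$nativeLen = [int]$iosb.Information.ToInt64()     # bytes transferred, reported in IO_STATUS_BLOCK
$w = Hex $viaWin32 $got
$n = Hex $viaNative $nativeLen
"kernel32!ReadFile : $got bytes -> $w"
"ntdll!NtReadFile  : $nativeLen bytes -> $n"
"same bytes        : $($w -eq $n)"
```

Both calls reach the same NtReadFile system call; the only difference is whether the documented kernel32 wrapper sits in front of it, which is why user-mode monitoring is usually placed at the ntdll layer rather than in kernel32.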