Please don't post some link or some book's name (like Gary Nebbet's book) listing the prototypes of the native APIs.
What I want is how can I reverse engineer the ntdll.dll and ntoskrnl.exe to find the prototype myself. (I have fairly good knowledge of reverse engineering so you can use the jargon associated with that.)

For example, if I see the following code in the disassembly of the above files

push sth
push sth_else
call 0x12345

How do I know what is sth (is it a window handle or pointer to a string or whatever) and sth_else?
Posted on 2007-11-14 12:55:53 by shakuni
The same applies if someone gives you only the following line of HLL code and the library source code of that function:
foo((void *)a, (void*)b)

Now, what is the actual type of those voids? You have to look inside foo's code to try to figure them out. And of course, it is possible that you will need to look inside functions that foo calls to completely reverse the type, and even with that perhaps it will not be enough, since you have no guarantees that all the code you have analysed actually accesses the whole data (even less if the same memory portion is a union or not).

It is not a trivial task, if that is what you wanted to know; sometimes it is very easy, other times not (especially when the function is not a leaf or when the parameter doesn't seem to be fully touched).
Posted on 2007-11-14 13:07:59 by LocoDelAssembly
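As an added example (not code from this thread), a small Python script that does what LocoDelAssembly describes: it walks a constructed MASM-style listing of a callee foo and records how each stack argument is used after being loaded into a register (dereferenced with a field offset, compared with a constant, or pushed to another routine that would have to be analysed in turn), and reads the stdcall `ret N` to get the argument size. The listing, the register-tracking rules and the names foo and bar are assumptions made for the demonstration.

```python
import re

# Constructed MASM-style disassembly of a hypothetical callee "foo" with an ebp frame:
# [ebp+8] is parameter 1, [ebp+0Ch] is parameter 2. Not taken from any real binary.
FOO_DISASM = """
push ebp
mov ebp, esp
mov eax, [ebp+8]
mov ecx, [eax+10h]
mov edx, [ebp+0Ch]
cmp edx, 0FFFFFFFFh
push edx
call bar
ret 8
"""

def masm_int(tok):
    """Parse a MASM immediate such as '8', '0Ch' or '0FFFFFFFFh'."""
    return int(tok[:-1], 16) if tok[-1] in "hH" else int(tok)

def infer_param_types(disasm):
    """Map parameter index -> set of evidence strings, gathered by tracking what
    the callee does with each argument once it sits in a register."""
    reg_to_param, evidence, last_push = {}, {}, None
    for line in disasm.strip().splitlines():
        line = line.strip().lower()
        if m := re.match(r"mov (\w+), \[ebp\+(\w+)\]", line):        # argument load
            idx = (masm_int(m.group(2)) - 8) // 4 + 1                # [ebp+8] -> param 1
            reg_to_param[m.group(1)] = idx
            evidence.setdefault(idx, set())
        elif m := re.match(r"mov (\w+), \[(\w+)(?:\+(\w+))?\]", line):  # deref of a register
            if m.group(2) in reg_to_param:
                off = masm_int(m.group(3)) if m.group(3) else 0
                evidence[reg_to_param[m.group(2)]].add(f"pointer: field read at +{off:#x}")
            reg_to_param.pop(m.group(1), None)                       # destination clobbered
        elif m := re.match(r"cmp (\w+), (\d\w*)$", line):            # compared with constant
            if m.group(1) in reg_to_param:
                evidence[reg_to_param[m.group(1)]].add(f"scalar: compared with {masm_int(m.group(2)):#x}")
        elif m := re.match(r"push (\w+)$", line):                    # possible outgoing argument
            last_push = reg_to_param.get(m.group(1))
            continue
        elif m := re.match(r"call (\w+)", line):                     # non-leaf: follow the callee
            if last_push is not None:
                evidence[last_push].add(f"passed to {m.group(1)}: analyse that callee too")
        elif m := re.match(r"mov (\w+), ", line):                    # any other write clobbers
            reg_to_param.pop(m.group(1), None)
        elif m := re.match(r"ret (\d\w*)$", line):                   # stdcall: bytes of arguments
            evidence["stack_arg_bytes"] = masm_int(m.group(1))
        last_push = None
    return evidence
```

Running it on the listing reports parameter 1 as a pointer to a structure with a field at +0x10 and parameter 2 as a scalar compared with 0xffffffff and forwarded to bar, which is exactly where the analysis has to continue.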

> What I want is how can I reverse engineer the ntdll.dll and ntoskrnl.exe to find the prototype myself.

Seems pointless: you'll use the native method and have to keep updating your code for another OS (2k->Vista etc.), service pack or possibly KB update... no sense in doing it really...
Posted on 2007-11-14 13:15:25 by evlncrn8