.NET Framework Methods and Its Equivalent Native Functions

To explain the rather confusing title of this article, suppose I create a very simple .NET console application, of an arbitrary version, in C#, as follows:

namespace CLRTest {
    class Program {
        static void Main(string[] args) {
            // The managed call that is traced down to a native API below.
            System.Console.WriteLine("Hello, World");
        }
    }
}

After compiling this small program correctly, executing it shows the nice “Hello, World” string on the Windows command prompt.

This would be a rather dull application had I not put a question to the reader: what is the corresponding Windows (native) function that gets called to implement the above System.Console.WriteLine method in the .NET Framework?

To put it more clearly, which native Windows API function is responsible for showing the “Hello, World” text on behalf of .NET’s System.Console.WriteLine method?

A detailed analysis of this sample application shows that the answer is the KERNEL32!WriteFile function.

This call resides in a .NET managed code routine in the mscorlib.ni.dll module, precisely in the vicinity of these assembly instructions:

00c2a3e6 mov eax,dword ptr [eax+14h] ds:0023:7910de34=790c5a70
00c2a3e9 call dword ptr [eax] ;;KERNEL32!WriteFile
00c2a3eb push eax

Using kv to view the call stack symbols at this location is of no use here, because managed code is structured differently from native code.

To view the .NET call stack, I have to load sos.dll (note that I am using .NET v2.0.50727):

.load C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\sos.dll

Now, use the .NET-specific command to view the call stack:

0:000> !clrstack
OS Thread Id: 0xb48 (0)
0012f3a0 00c2a3e9 [NDirectMethodFrameStandaloneCleanup: 0012f3a0] System.IO.__ConsoleStream.WriteFile(Microsoft.Win32.SafeHandles.SafeFileHandle, Byte*, Int32, Int32 ByRef, IntPtr)
0012f3bc 792ed9fb System.IO.__ConsoleStream.WriteFileNative(Microsoft.Win32.SafeHandles.SafeFileHandle, Byte[], Int32, Int32, Int32, Int32 ByRef)
0012f3e8 792ed974 System.IO.__ConsoleStream.Write(Byte[], Int32, Int32)
0012f40c 792ecdc0 System.IO.StreamWriter.Flush(Boolean, Boolean)
0012f424 792ee205 System.IO.StreamWriter.Write(Char[], Int32, Int32)
0012f444 792ee151 System.IO.TextWriter.WriteLine(System.String)
0012f460 792ed8fd System.IO.TextWriter+SyncTextWriter.WriteLine(System.String)
0012f470 7979392f System.Console.WriteLine(System.String)
0012f47c 00f70091 CLRTest.Program.Main(System.String[])
0012f69c 79e71b4c [GCFrame: 0012f69c]

From the above call stack (i.e. the topmost frame), you can see that there is a naming relation between the managed routine and the native API routine it calls, i.e. between System.IO.__ConsoleStream.WriteFile and KERNEL32!WriteFile.
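The boundary frame can also be picked out of the !clrstack text mechanically. The following is an added example, not code from the original article: it parses the output shown above, selects the frame carrying an NDirect marker (the CLR's frame type for a P/Invoke transition) and proposes the stub's method name as the native export to look for. The names Frame, parse_clrstack and pinvoke_boundaries are made up for this example.

```python
import re
from typing import List, NamedTuple, Tuple

# The !clrstack output shown in the article, embedded so the example runs offline.
CLRSTACK = """\
OS Thread Id: 0xb48 (0)
0012f3a0 00c2a3e9 [NDirectMethodFrameStandaloneCleanup: 0012f3a0] System.IO.__ConsoleStream.WriteFile(Microsoft.Win32.SafeHandles.SafeFileHandle, Byte*, Int32, Int32 ByRef, IntPtr)
0012f3bc 792ed9fb System.IO.__ConsoleStream.WriteFileNative(Microsoft.Win32.SafeHandles.SafeFileHandle, Byte[], Int32, Int32, Int32, Int32 ByRef)
0012f3e8 792ed974 System.IO.__ConsoleStream.Write(Byte[], Int32, Int32)
0012f40c 792ecdc0 System.IO.StreamWriter.Flush(Boolean, Boolean)
0012f424 792ee205 System.IO.StreamWriter.Write(Char[], Int32, Int32)
0012f444 792ee151 System.IO.TextWriter.WriteLine(System.String)
0012f460 792ed8fd System.IO.TextWriter+SyncTextWriter.WriteLine(System.String)
0012f470 7979392f System.Console.WriteLine(System.String)
0012f47c 00f70091 CLRTest.Program.Main(System.String[])
0012f69c 79e71b4c [GCFrame: 0012f69c]
"""

# ESP, EIP, optional "[FrameKind: addr]" marker, then the managed method signature.
FRAME_RE = re.compile(
    r"^(?P<esp>[0-9a-fA-F]{8,16}) (?P<eip>[0-9a-fA-F]{8,16}) ?"
    r"(?:\[(?P<kind>\w+): [0-9a-fA-F]+\])? ?(?P<sig>.*)$")

class Frame(NamedTuple):
    esp: str
    eip: str
    kind: str    # CLR frame marker (e.g. NDirectMethodFrame...), "" for plain frames
    method: str  # fully qualified managed method without arguments, "" if marker only

def parse_clrstack(text: str) -> List[Frame]:
    """Parse SOS !clrstack text into frames; header lines do not match and are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            method = m.group("sig").split("(", 1)[0].strip()
            frames.append(Frame(m.group("esp"), m.group("eip"), m.group("kind") or "", method))
    return frames

def pinvoke_boundaries(frames: List[Frame]) -> List[Tuple[str, str, str]]:
    """Return (managed stub, candidate native export, EIP) per P/Invoke frame."""
    # NDirect* markers are the CLR's P/Invoke transition frames. The export name is
    # only the article's naming heuristic (stub name == API name), not a lookup.
    return [(f.method, f.method.rpartition(".")[2], f.eip)
            for f in frames if f.kind.startswith("NDirect") and f.method]

if __name__ == "__main__":
    for stub, export, eip in pinvoke_boundaries(parse_clrstack(CLRSTACK)):
        print(f"{stub} -> candidate native export {export} (frame EIP {eip})")
```

The candidate name still has to be confirmed in the debugger, as the article does with the call at 00c2a3e9.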

So, starting from the “Hello World” sample program, it is now possible to guess the managed routine behind other native API functions with a better chance of being correct.

Happy guessing 🙂


One Response to “.NET Framework Methods and Its Equivalent Native Functions”

  1. faltenkorrektur Says:

    After looking into a handful of the blog articles on your web page, I honestly like your technique of blogging.

    I book-marked it to my bookmark webpage list and will be checking back soon. Please visit my website as well and let me know what you think.
