why it is "move eax, 25 h" in the first line of NtCreateFile?

I set  a breakpoint at Ntdll!NtCreateFile when I open a file from
notepad, and it breaks, however, the instruction displayed is "mov
eax, 25h", i simply don't why, and shouldn't it be something like

ntdll!NtCreateFile:
7c90d682 b825000000      mov     eax,25h
7c90d687 ba0003fe7f      mov     edx,offset SharedUserData!
SystemCallStub (7ffe0300)
7c90d68c ff12            call    dword ptr [edx]
7c90d68e c22c00          ret     2Ch


Anybody can explain to me, thanks..

Hi lostlander!Why do you expect it to be "push eax"?

Hi lostlander!

Why do you expect it to be "push eax"?
NtCreateFile is only called from within the OS; not directly from your
application.

Why do you bother?

--
Greetings
Jochen

My blog about Win32 and .NET
http://blog.kalmbachnet.de/

Hi lostlander!

Hi lostlander!


by the way: eax is normally the return value of a function. So it is
safe to override this register, as long as it is set to the correct
value on return...

--
Greetings
Jochen

My blog about Win32 and .NET
http://blog.kalmbachnet.de/

why it is "move eax, 25 h" in the first line of NtCreateFile?

That's exactly what I want, thanks really!!!

why it is "move eax, 25 h" in the first line of NtCreateFile?

Explanation: when calling the "SystemCallStub", EAX is the "index" of
the function to be called. So CreateFile() is the function with the
index 0x25.

It could have (by internal convention) been "push eax", but that would
have modified the stack, and is a wee bit slower than putting the
index in a register. As Jochen told you, EAX can be modified freely
(as it is the result of a C function), as no C compiler will expect it
to be persistent during the API call, so it can be used to pass some
information to the stub.

Christian