The use of "naked" native API (also known as raw API) is considered a kind of hacking aerobatics. However, this reputation is undeserved. On the contrary, resorting to such perversions without a reason is a sign of an amateurish approach. This is not only because native API functions are undocumented and subject to constant change but also because they are unsuitable for direct use (that's why they are called "raw"). These functions are semifinished products implementing low-level primitives, a kind of building block that requires a large amount of "coupling" code. Individual examples of such code can be found in ntdll.dll and kernel32.dll.
In Windows NT, native API functions are accessed through the int 2Eh interrupt. The function number is loaded into the EAX register, and the address of the parameter block with the arguments is loaded into the EDX register. In Windows XP, the sysenter machine instruction is used for the same purpose; however, the main properties of int 2Eh have been fully preserved (at least for now).
The most interesting native API functions used in shellcodes are listed in Listing 11.10.
000h AcceptConnectPort    (24 bytes of parameters)
00Ah AllocateVirtualMemory (24 bytes of parameters)
012h ConnectPort          (32 bytes of parameters)
017h CreateFile           (44 bytes of parameters)
019h CreateKey            (28 bytes of parameters)
01Ch CreateNamedPipeFile  (56 bytes of parameters)
01Eh CreatePort           (20 bytes of parameters)
01Fh CreateProcess        (32 bytes of parameters)
024h CreateThread         (32 bytes of parameters)
029h DeleteFile           (4 bytes of parameters)
02Ah DeleteKey            (4 bytes of parameters)
02Ch DeleteValueKey       (8 bytes of parameters)
02Dh DeviceIoControlFile  (40 bytes of parameters)
03Ch FreeVirtualMemory    (16 bytes of parameters)
03Ch GetContextThread     (8 bytes of parameters)
049h MapViewOfSection     (40 bytes of parameters)
04Fh OpenFile             (24 bytes of parameters)
051h OpenKey              (12 bytes of parameters)
054h OpenProcess          (16 bytes of parameters)
059h OpenThread           (16 bytes of parameters)
067h QueryEaFile          (36 bytes of parameters)
086h ReadFile             (36 bytes of parameters)
089h ReadVirtualMemory    (20 bytes of parameters)
08Fh ReplyPort            (8 bytes of parameters)
092h RequestPort          (8 bytes of parameters)
096h ResumeThread         (8 bytes of parameters)
09Ch SetEaFile            (16 bytes of parameters)
0B3h SetValueKey          (24 bytes of parameters)
0B5h ShutdownSystem       (4 bytes of parameters)
0BAh SystemDebugControl   (24 bytes of parameters)
0BBh TerminateProcess     (8 bytes of parameters)
0BCh TerminateThread      (8 bytes of parameters)
0C2h UnmapViewOfSection   (8 bytes of parameters)
0C3h VdmControl           (8 bytes of parameters)
0C8h WriteFile            (36 bytes of parameters)
0CBh WriteVirtualMemory   (20 bytes of parameters)
0CCh W32Call              (20 bytes of parameters)
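The calling convention described above can be recognized in a byte buffer by a defender. The following is an added example, not code from the book: a byte-pattern heuristic (not a disassembler, so false positives are possible) that flags int 2Eh or sysenter opcodes preceded by a mov eax, imm32 and names the function using a subset of Listing 11.10. The names scan_raw_calls and svc_name, the window parameter, and the sample bytes are constructed for this example, and the function numbers apply only to the Windows version the listing describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Subset of Listing 11.10: function number -> name. */
struct svc { uint32_t num; const char *name; };
static const struct svc listing[] = {
    {0x017, "CreateFile"},       {0x01F, "CreateProcess"},
    {0x024, "CreateThread"},     {0x0BB, "TerminateProcess"},
    {0x0C8, "WriteFile"},        {0x0CB, "WriteVirtualMemory"},
};
struct hit { size_t off; uint32_t num; const char *name; int sysenter; };

const char *svc_name(uint32_t num) {
    for (size_t i = 0; i < sizeof listing / sizeof listing[0]; i++)
        if (listing[i].num == num) return listing[i].name;
    return "not in table";
}

/* Flag each int 2Eh (CD 2E) or sysenter (0F 34) that has a complete
 * mov eax, imm32 (B8 + 4 bytes) starting within `window` bytes before it. */
size_t scan_raw_calls(const uint8_t *buf, size_t len, size_t window,
                      struct hit *out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i + 1 < len && n < max; i++) {
        int int2e = buf[i] == 0xCD && buf[i + 1] == 0x2E;
        int sysenter = buf[i] == 0x0F && buf[i + 1] == 0x34;
        if (!int2e && !sysenter) continue;
        size_t lo = i > window ? i - window : 0;
        for (size_t j = i; j-- > lo; ) {      /* nearest mov eax wins */
            if (buf[j] != 0xB8 || j + 5 > i) continue;
            uint32_t num = (uint32_t)buf[j + 1] | (uint32_t)buf[j + 2] << 8 |
                           (uint32_t)buf[j + 3] << 16 | (uint32_t)buf[j + 4] << 24;
            out[n++] = (struct hit){ i, num, svc_name(num), sysenter };
            break;
        }
    }
    return n;
}
/* Constructed sample: nop / nop / mov eax,17h / lea edx,[esp+4] / int 2Eh / ret */
static const uint8_t sample[] = { 0x90, 0x90, 0xB8, 0x17, 0x00, 0x00, 0x00,
                                  0x8D, 0x54, 0x24, 0x04, 0xCD, 0x2E, 0xC3 };

int main(void) {
    struct hit h[8];
    size_t n = scan_raw_calls(sample, sizeof sample, 16, h, 8);
    for (size_t i = 0; i < n; i++)
        printf("+0x%zx %s function 0x%03X (%s)\n", h[i].off,
               h[i].sysenter ? "sysenter" : "int 2Eh", (unsigned)h[i].num, h[i].name);
}
```

A hit in memory that does not belong to ntdll.dll is the interesting case, since ordinary applications reach these functions through the library's own stubs.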