The book Windows NT/2000 Native API Reference provides comprehensive documentation (even though outdated) of the Native APIs that Microsoft leaves undocumented. But I am curious: is there any way to find the mappings between low-level functions declared in ntdll.dll and user-mode functions in kernel32.dll, advapi.dll, etc.?
For example:
I know the function CreateFile maps to NtCreateFile. But I don't know the exact function in ntdll.dll for the MoveFileWithProgressW function in kernel32.dll.
You can dump exports from user-mode system DLLs using the dumpbin.exe utility from the Windows SDK/Visual Studio and look for forwarded functions:
dumpbin -exports kernel32.dll | find/I "forwarded" > fwd.txt
This will create the fwd.txt file containing a list of forwarded functions, something like this:
151 96 EnterCriticalSection (forwarded to NTDLL.RtlEnterCriticalSection)
361 168 GetLastError (forwarded to NTDLL.RtlGetLastWin32Error)
518 205 HeapAlloc (forwarded to NTDLL.RtlAllocateHeap)
524 20B HeapFree (forwarded to NTDLL.RtlFreeHeap)
528 20F HeapReAlloc (forwarded to NTDLL.RtlReAllocateHeap)
530 211 HeapSize (forwarded to NTDLL.RtlSizeHeap)
etc.
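As an added example (not part of the answer above), here is a small Python parser for the fwd.txt lines the answer shows; the sample input is constructed from those lines plus one made-up API-set forward, and all ordinals, hints and module names are illustrative. It only resolves exports that dumpbin flags as forwarded; an export that is not in that list (MoveFileWithProgressW, for instance) is implemented in the DLL itself and its ntdll callee has to be found by disassembling it.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of what `dumpbin -exports kernel32.dll | find /I "forwarded"`
# writes: ordinal (decimal), hint (hex), export name, forward target.
SAMPLE_FWD = """\
        151   96 EnterCriticalSection (forwarded to NTDLL.RtlEnterCriticalSection)
        361  168 GetLastError (forwarded to NTDLL.RtlGetLastWin32Error)
        518  205 HeapAlloc (forwarded to NTDLL.RtlAllocateHeap)
        524  20B HeapFree (forwarded to NTDLL.RtlFreeHeap)
        528  20F HeapReAlloc (forwarded to NTDLL.RtlReAllocateHeap)
        530  211 HeapSize (forwarded to NTDLL.RtlSizeHeap)
        100   10 SomeApi (forwarded to api-ms-win-core-foo-l1-1-0.SomeApi)
"""

# ordinal, hint, name, then "(forwarded to MODULE.Target)"; MODULE has no dot
_FWD_RE = re.compile(
    r"^\s*(?P<ordinal>\d+)\s+(?P<hint>[0-9A-Fa-f]+)\s+(?P<name>\S+)\s+"
    r"\(forwarded to (?P<module>[^.)]+)\.(?P<target>[^)]+)\)\s*$"
)


def parse_forwards(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each forwarded export name to (target module, target function)."""
    mapping: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = _FWD_RE.match(line)
        if m:  # lines that are not forwards are silently skipped
            mapping[m.group("name")] = (m.group("module").upper(), m.group("target"))
    return mapping


def ntdll_forwards(text: str) -> Dict[str, str]:
    """Keep only the exports that forward straight into NTDLL."""
    return {name: target
            for name, (module, target) in parse_forwards(text).items()
            if module == "NTDLL"}


def lookup(text: str, export_name: str) -> Optional[str]:
    """NTDLL function behind an export, or None when it is not a plain forward."""
    return ntdll_forwards(text).get(export_name)


if __name__ == "__main__":
    for name, target in sorted(ntdll_forwards(SAMPLE_FWD).items()):
        print(f"{name} -> ntdll!{target}")
    print("MoveFileWithProgressW ->", lookup(SAMPLE_FWD, "MoveFileWithProgressW"))
```

Replace SAMPLE_FWD with the contents of your own fwd.txt to map a real DLL; forwards into api-ms-win-* API sets are kept in parse_forwards but excluded from ntdll_forwards because they resolve through another DLL first.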