User API → NTDLL → Syscall → Kernel routine
Visual reference of how a Win32 call ends up as a syscall instruction and which kernel routine handles it.
VirtualAllocEx (kernel32.dll)
│
▼
NtAllocateVirtualMemory (ntdll.dll)
│ mov r10, rcx
│ mov eax, SSN
│ syscall
▼
KiSystemCall64 (ntoskrnl.exe)
│
▼
NtAllocateVirtualMemory (ntoskrnl.exe)
│
▼
MmAllocateVirtualMemory (Mm subsystem)Diagram ships in Phase 2.