Much has been written on the system call interface in NT (INT 2E, later SYSENTER), but there is surprisingly little documented about the 9x system call interface. So I disassembled its kernel32.dll and looked at where the function calls went... they all eventually end up at a far call: "call far [BFFC9734]" with EAX containing what looks like the syscall number, arranged by major/minor code --- and some of the numbers look suspiciously like the same ones as for the original DOS INT21 services.
BFFC9734 seems to be the "magic address" for this. (Googling "BFFC9734" yields results, but surprisingly, not "BFFC9734h", "0BFFC9734h", or "0xBFFC9734".)
Here are some more references to it that I found, if you're curious:
http://xaknotdie.org/TopDevice/5/articles/z0mb009.htm (Russian)
http://andrewl.dreamhosters.com/site_z0mbie/ntoskrnl.txt (English version of above)