This information is specific to Windows 2000, but how the Native API Functions work and how to find the code for them is similar on other versions of Windows.
Table with every Native API function: https://j00ru.vexillium.org/syscalls/nt/32/
Summary of what Native API Functions are and how they work:
Native API Functions are functions stored in kernel-space but can be called by user-space applications. User-space applications will usually call forwarded exports in kernel32 that point to exports in ntdll. The code an export will eventually reach in ntdll will look like this:
mov eax, ##h
lea edx, [esp+4]
int 2Eh
retn 2Ch
A software interrupt is used to transfer code execution to one of the addresses in the System Service Descriptor Table (also known as the KiServiceTable). The KiServiceTable is contained in ntoskrnl and the address of the KiServiceTable is copied to an exported value called KeServiceDescriptorTable. This is the relevant code:
INIT:005535EE mov ds:KeServiceDescriptorTable, offset off_472228
This is the most reliable way to find the address of the KiServiceTable. The address may not be 472228, but the beginning of the KiServiceTable will always have this comment at the end of the first line:
; DATA XREF: sub_55351A+D4↓o
Finding the code for a certain Native API Function:
If the name of the Native API Function starts with "Nt", then the export in ntoskrnl probably points to the actual function code. Finding the function code may be as simple as that, but most of the time, it isn't. There are a few Nt exports that do not point to the actual function code. In this case, it will point to the same code execution transfer code found in ntdll, but inside of ntoskrnl. These functions will also have a matching function with the same name except for "Zw" instead of "Nt" at the beginning. The export with Zw at the beginning will point to the code that transfers code execution to an address in the KiServiceTable. If the function is one of the few Nt functions which have exports that don't point to the actual function code, or is only a Zw function, then finding the KiServiceTable will be required. To find the KiServiceTable, find the line of code above that copies the KiServiceTable to KeServiceDescriptorTable in ntoskrnl. The address 5535EE will most likely be where this code is. In the example code above, the KiServiceTable is located at address 472228. The KiServiceTable will look like this (only the first 16 lines shown here):
off_472228 dd offset sub_4C5C12 ; DATA XREF: sub_55351A+D4↓o
dd offset sub_4FA4EE
dd offset sub_4FD362
dd offset sub_4FA518
dd offset sub_4FD398
dd offset sub_45BE3E
dd offset sub_4FD3D8
dd offset sub_4FD418
dd offset NtAddAtom
dd offset sub_4F63E6
dd offset NtAdjustPrivilegesToken
dd offset sub_4E5660
dd offset sub_4E5616
dd offset NtAllocateLocallyUniqueId
dd offset sub_44AB84
dd offset NtAllocateUuids
The first address will correspond with value 00h in this code:
mov eax, ##h
lea edx, [esp+4]
int 2Eh
retn 2Ch
The next will correspond with 01h, then 02h, etc.