[Reprint] study on how nt loads ntldr nt guidance 1
Http://forum.eviloctal.com/thread-17505-1-1.html
Source: www.hackart.org
Author: windy men
The operating system boot process is as follows:
1. the BIOS reads the MBR to 0000: 7c00 and submits the execution permission to the MBR.
2. MBR identifies partitions and reads dbr0000 with boot permission: 7c00
3 DBR: locate ntldr and read ntldr into memory at. ntldr is 32-bit and loaded into the kernel. The following is the code analysis in step 1 of the above process, to learn more about the previous steps, read my book <data security and programming technology> (advertisement ). It should be noted that the following process is the code in the FAT32 File System. In fact, the NTFS process is similar. The purpose is to analyze the file system to read ntldr into the memory and grant the execution permission, the process is different. The guiding code style in NTFs and FAT32 is quite familiar, probably written by one person. The Guidance code of MS is similar to that written by a person.
The following is the code of the Guide record in DBR. The purpose is to read the 0C sector into the memory and hand in the execution right.
// *********************** Start of code in segment: 1 **************
: 0001.0000 33c9 xor cx, CX; Cx = 0
: 0001.0002 8ed1 mov SS, CX; SS = 0
: 0001.0004 bcf47b mov sp, 7bf4; SP = 7bf4
: 0001.0007 8ec1 mov es, CX; es = 0
: 0001.0009 8ed9 mov ds, CX; DS = 0
: 0001.000b bd007c mov bp, 7c00; BP = 7c00
: 0001.000e 884e02 mov [bp + 02], Cl; 7c02 = 0 (1 byte)
: 0001.0011 8a5640 mov DL, [bp + 40]; dl = 80 h Driver Number
: 0001.0014 b408 mov ah, 08; Ah = 8 read drive Parameters
: 0001.0016 CD13 INT 13
: 0001.0018 7305 JNB 001f; cf = 0 (successful conversion)
: 0001.001a b9ffff mov CX, FFFF; Cx = FFFF
: 0001.001d 8af1 mov DH, Cl; DH = FF
* Referenced by a (u) nconditional or (c) onditional jump at address:
|: 0001.0018 (c)
|
: 0001.001f 660fb6c6 movzx eax, DH; maximum head DH extended to exa
: 0001.0023 40 Inc ax; AX = AX + 1. Ax is the maximum number of magnetic heads + 1. It starts from 0, so ax is the number of magnetic heads.
: 0001.0024 660fb6d1 movzx edX, Cl; if the drive parameters are read successfully, B7 B6 in Cl is the maximum value of the available cylinder number, which is 2 bits, B5 ~ B0 is the maximum sector value.
; If the read fails, CL = ff, EDX = 0ff;
: 0001.0028 80e23f and DL, 3f; 2-bit Height: 0, DL = maximum number of sectors
: 0001.002b f7e2 Mul DX; AX = number of magnetic heads * number of sectors
: 0001.002d 86cd xchg CH, Cl; CH = maximum number of available cylinder numbers (low 8 bits). In Cl, B7 B6 is the maximum value of available cylinder numbers, which is 2 bits, B5 ~ B0 is
; The maximum value of the available sector, reverse after switching
: 0001.002f c0ed06 shr ch, 06; ch logic shifts right 6-bit CH = high of the maximum value of the cylindrical number (in this case, Cx = maximum cylindrical number)
: 0001.0032 41 Inc CX; cx + 1 (the cylinder number starts from 0, and the maximum number of cylinders after the cylinder number is + 1)
: 0001.0033 660fb7c9 movzx ECx, word ptr cx; CX extended to ECx
: 0001.0037 66f7e1 Mul ECx; eax = Number of cylinders * Number of magnetic heads * Number of sectors. The result is the number of sectors of the disk,
; But less than 8 GB. If it is greater than 8 GB, 8 GB will be processed.
: 0001.003a 668946f8 mov [bp-08], eax; save this result (number of slices in 3D mode) to the position of the BP-08, that is, 7c00-8 = 7bf8
: 0001.003e 837e1600 CMP word PTR [bp + 16], 0000; whether small hard disks smaller than 30 m (16 is the number of fat sectors per hard disk)
: 0001.0042 7538 JNE 007c; small hard drive
: 0001.0044 837e2a00 CMP word PTR [bp + 2a], 0000; version 0 (2a indicates the total number of disk sectors under a small hard disk)
: 0001.0048 7732 ja 007c; if the value is greater than 0
: 0001.004a 668b461c mov eax, [bp + 1C]; eax = number of hidden sectors
: 0001.004e 6683c00c add eax, 0000000c; number of hidden sectors + 0c
: 0001.0052 bb0080 mov BX, 8000; BX = 8000
: 0001.0055 b90100 mov CX, 0001; Cx = 1
: 0001.0058 e82b00 call 0086
: 0001.005b e94803 JMP 03a6; 03a6 ??????
* Referenced by a (u) nconditional or (c) onditional jump at address:
|: 0001.0106 (c)
|
: 0001.005e a0fa7d mov Al, [7dfa]; the following code displays the error message:
* Referenced by a (u) nconditional or (c) onditional jump at addresses:
|: 0001.007a (u),: 0001.007f (u)
|
: 0001.0061 b47d mov ah, 7d
: 0001.0063 8bf0 mov Si, ax
* Referenced by a (u) nconditional or (c) onditional jump at address:
|: 0001.0075 (u)
|
: 0001.0065 AC lodsb
: 0001.0066 84c0 test Al, Al
: 0001.0068 7417 je 0081
: 0001.006a 3cff CMP Al, FF
: 0001.006c 7409 je 0077
: 0001.006e b40e mov ah, 0e
: 0001.0070 bb0700 mov BX, 0007
: 0001.0073 CD10 int 10; display press any key to restart
: 0001.0075 ebee JMP 0065
* Referenced by a (u) nconditional or (c) onditional jump at address:
|: 0001.006c (c)
|
: 0001.0077 a0fb7d mov Al, [7dfb]
: 0001.007a ebe5 JMP 0061.
* Referenced by a (u) nconditional or (c) onditional jump at addresses:
|: 0001.0042 (C),: 0001.0048 (c)
|
: 0001.007c a0f97d mov Al, [7df9]
: 0001.007f ebe0 JMP 0061.
* Referenced by a (u) nconditional or (c) onditional jump at address:
|: 0001.0068 (c)
|
: 0001.0081 98 CBW
: 0001.0082 CD16 int 16
: 0001.0084 CD19 int 19; restart
* Referenced by a call at address:
|: 0001.0058
|
* Referenced by a (u) nconditional or (c) onditional jump at address:
|: 0001.0111 (c)
|
: 0001.0086 6660 pushad; stack all registers
: 0001.0088 663b46f8 CMP eax, [bp-08]; number of hidden sectors + 0C compared with the number of 3D mode,
: 0001.008c 0f0000a00 JB 00da; if it is smaller than, it will be switched (less than or may use non-extended int13 interrupt to read the sector)
: 0001.0090 666a00 push 00000000; 00000000 inbound stack image in building a DAP
: 0001.0093 6650 push eax; eax into the stack (number of hidden sectors + 0C)
: 0001.0095 06 push es; es inbound stack es = 0
: 0001.0096 53 push BX; BX inbound stack BX = 8000
: 0001.0097 666810000100 push 00010010; build the first 8 bytes of the DAP data packet, DAP length is 0010 H, read 1 Sector (0001)
: 0001.009d 807e0200 CMP byte PTR [bp + 02], 00; compare whether the offset 02 is 0, usually 90
: 0001.00a1 0f852000 JNE 00c5;
: 0001.00a5 b441 mov ah, 41; Extended Function Ah = 41, check whether the extended function exists
: 0001.00a7 bbaa55 mov BX, 55aa; entry parameter BX = 55aa
: 0001.00aa 8a5640 mov DL, [bp + 40]; dl = 80
: 0001.00ad CD13 INT 13
: 0001.00af 0f821c00 JB 00cf; cf = 1. The motherboard does not support extended int13 forwarding.
: 0001.00b3 81fb55aa cmp bx, aa55;
: 0001.00b7 0f851400 JNE 00cf; BX is not equal to 55aa, extended int13 is unavailable
: 0001.00bb f6c101 test Cl, 01; test whether extended read disk access is supported
: 0001.00be 0f840d00 je 00cf; conversion not supported
: 0001.00c2 fe4602 Inc byte PTR [bp + 02]; + 1 = 1 at [7c02]
* Referenced by a (u) nconditional or (c) onditional jump at address:
|: 0001.00a1 (c)
|
: 0001.00c5 b442 mov ah, 42
: 0001.00c7 8a5640 mov DL, [bp + 40]
: 0001.00ca 8bf4 mov Si, SP; SI = Sp points to DAP data packets
: 0001.00cc CD13 INT 13; read relative logic sector 0C fan to 0: 8000
: 0001.00ce b0f9 mov Al, F9; Al = F9
: 0001.00d0 6658 pop eax
: 0001.00d2 6658 pop eax
: 0001.00d4 6658 pop eax
: 0001.00d6 6658 pop eax; clear stack eax = 0
: 0001.00d8 eb2a JMP 0104
* Referenced by a (u) nconditional or (c) onditional jump at address:
|: 0001.008c (c)
|; Use the traditional int13 instead of extended int13 reading
: 0001.00da 6633d2 XOR edX, EDX; edX = 0
: 0001.00dd 660fb74e18 movzx ECx, word PTR [bp + 18]; ECx = 63 area code
: 0001.00e2 66f7f1 Div ECx; after this command is completed, eax is the number of magnetic heads, and EDX is the number of sectors;
: 0001.00e5 fec2 Inc dl; dl = dl + 1, number of sectors + 1
: 0001.00e7 8aca mov Cl, DL; CL = number of sectors
: 0001.00e9 668bd0 mov edX, eax; edX = number of Magnetic Heads
: 0001.00ec 66c1ea10 SHR edX, 10; edX shifts 16 bits to the right, and the result is that edX sends 16 bits at a high position.
: 0001.00f0 f7761a Div word PTR [bp + 1A ];
: 0001.00f3 86d6 xchg DH, DL
: 0001.00f5 8a5640 mov DL, [bp + 40]
: 0001.00f8 8ae8 mov CH, Al
: 0001.00fa c0e406 SHL ah, 06
: 0001.00fd 0acc or CL, ah
: 0001.00ff b80102 mov ax, 0201
: 0001.0102 CD13 INT 13; read 8000
* Referenced by a (u) nconditional or (c) onditional jump at address:
|: 0001.00d8 (u)
|
: 0001.0104 6661 popad; all registers output Stack
: 0001.0106 0f8254ff JB 005e;
: 0001.010a 81c30002 Add Bx, 0200; BX = 8000 + 200
: 0001.010e 6640 Inc eax; eax = 0 + 1
: 0001.0110 49 dec CX; Cx = 1-1 = 0
: 0001.0111 0f8571ff JNE 0086.
: 0001.0115 C3 ret; Back to 58
: 0001.0116 4E dec Si
: 0001.0117 54 push sp
: 0001.0118 4C dec sp
: 0001.0119 44 Inc sp
: 0001.011a 52 push DX
: 000 1.011b 2020 and [bx + Si], ah
: 0001.011d 2020 and [bx + Si], ah
: 0001.011f 2020 and [bx + Si], ah
: 0001.0121 00000000000000000000 byte 10 DUP (0)
: 0001.012b 00000000000000000000 byte 10 DUP (0)
: 0001.0135 00000000000000000000 byte 10 DUP (0)
: 0001.013f 00000000000000000000 byte 10 DUP (0)
: 0001.0149 000000000000000000 byte 9 DUP (0)
: 0001.0152 0d0a4e or ax, 4e0a
: 0001.0155 54 push sp
: 0001.0156 4C dec sp
: 0001.0157 44 Inc sp
: 0001.0158 52 push DX
: 0001.0159 206973 and [bx + DI + 73], CH
: 0001.015c 206d69 and [di + 69], CH
: 0001.015f 7373 JNB 01d4
: 0001.0161 696e67ff0d imul bp, [bp + 67], 0dff
: 0001.0166 0a4469 or Al, [Si + 69]
: 0001.0169 736b JNB 01d6
: 0001.016b 206572 and [di + 72], ah
: 0001.016e rjf jb 01df
: 0001.0170 72ff JB 0171
: 0001.0172 0d0a50 or ax, 500a
: 0001.0175 7265 JB 01dc
: 0001.0177 7373 JNB 01ec
: 0001.0179 20616e and [bx + DI + 6e], ah
: 0001.017c 7920 JNS 019e
: 0001.017e 6b657920 imul sp, [di + 79], 0020
: 0001.0182 746f je 01f3
: 0001.0184 207265 and [bp + Si + 65], DH
: 0001.0187 7374 JNB 01fd
: 0001.0189 61 Popa
: 0001.018a 7274 JB 0200
: 0001.018c 0d0a00 or ax, 000a
: 0001.018f 00000000000000000000 byte 10 DUP (0)
: 0001.0199 000000000000 byte 6 DUP (0)
: 0001.019f AC lodsb
: 0001.01a0 bfcc00 mov Di, 00cc
: 0001.01a3 0055aa add [di-56], DL
The following is the content of the 12th sector in the FAT32 partition. The purpose is to find the ntldr location in the root directory, read it to, and submit the execution permission.
// *********************** Start of code in segment: 1 **************
: 0001.0000 660fb64610 movzx eax, [bp + 10]; offset 10 is the number of fat
: 0001.0005 668b4e24 mov ECx, [bp + 24]; offset 24 indicates the number of sectors per fat
: 0001.0009 66f7e1 Mul ECx; fat count * fat slice COUNT = the total number of slice occupied by fat is placed in eax
: 0001.000c 6601_1c add eax, [bp + 1C]; add number of hidden sectors
: 0001.0010 660fb7560e movzx edX, word PTR [bp + 0e]; put the number of reserved sectors into edX
: 0001.0015 6603c2 add eax, EDX; eax = start sector of the Data Zone
: 0001.0018 668946fc mov [bp-04], eax; place at 7c00-4
: 0001.001c 66c746f4ffffffff mov dword ptr [bp-0C], ffffffff; 7c00-0C = ffffffff
: 0001.0024 668b462c mov eax, [bp + 2C]; put the first cluster number in the root directory into eax
: 0001.0028 6683f802 CMP eax, 00000002; whether the first cluster is 2
: 0001.002c 0f82a6fc JB fcd6; offset 0d6 from less than 2 to the top (as if it was in an endless loop)
: 0001.0030 663df8ffff0f CMP eax, 0ffffff8; compare whether the first cluster is 0ffffff8
: 0001.0036 0f839cfc JNB fcd6; greater than or equal to conversion (these two jumps are generally not transferred unless the disk is damaged)
* Referenced by a (u) nconditional or (c) onditional jump at address:
|: 0001.0079 (c)
|
: 0001.003a 6650 push eax; the first cluster number in the root directory is added to the stack.
: 0001.003c 6683e802 sub eax, 00000002; eax-2
: 0001.0040 660fb65e0d movzx EBX, [bp + 0d]; EBX for each cluster sector
: 0001.0045 8bf3 mov Si, BX; send Si to each cluster sector
: 0001.0047 66f7e3 Mul EBX; eax = number of sectors per cluster * (number of clusters in the root directory-2)
: 0001.004a 6601_fc add eax, [bp-04]; eax + plus start sector of the Data zone = number of start sectors of the root directory
* Referenced by a (u) nconditional or (c) onditional jump at address:
|: 0001.0072 (c)
|
: 0001.004e bb0082 mov BX, 8200; BX = 8200
: 0001.0051 8bfb mov Di, BX; DI = 8200
: 0001.0053 b90100 mov CX, 0001; Cx = 1
: 0001.0056 e887fc call fce0; this Code may be used to read the root directory to 8200
* Referenced by a (u) nconditional or (c) onditional jump at address:
|: 0001.006f (c)
|
: 0001.0059 382d CMP [di], ch; if the first one in the root directory is empty, it indicates that the root directory has no files
: 0001.005b 741e je 007b
: 0001.005d b10b mov Cl, 0b; compare 0b times,
: 0001.005f 56 push Si; Si inbound Stack
: 0001.0060 be707d mov Si, 7d70; 7d70 is a ntldr string
: 0001.0063 F3 repz; Comparison
: 0001.0064 A6 cmpsb
: 0001.0065 5E pop Si; Si output Stack
: 0001.0066 741b je 0083; jump to 83 if the comparison is the same
: 0001.0068 03f9 add Di, CX
: 0001.006a 83c715 add Di, 0015
: 0001.006d 3bfb CMP Di, BX
: 0001.006f 72e8 JB 0059; points to the next directory to continue the comparison
: 0001.0071 4E dec Si
: 0001.0072 75da JNE 004e
: 0001.0074 6658 pop eax
: 0001.0076 e86500 call 00de
: 0001.0079 72bf JB 003a
* Referenced by a (u) nconditional or (c) onditional jump at address:
|: 0001.005b (c)
|
: 0001.007b 83c404 add SP, 0004
: 0001.007e e955fc JMP fcd6
: 0001.0081 00 byte 0
;: 0001.0082 2083c404 and [bp + DI + 04c4], Al
: 0001.0083 83c404 add SP, 0004
: 0001.0086 8b7509 mov Si, [di + 09]
: 0001.0089 8b7d0f mov Di, [di + 0f]
: 0001.008c 8bc6 mov ax, Si
: 0001.008e 66c1e010 SHL eax, 10
: 0001.0092 8bc7 mov ax, Di
: 0001.0094 6683f802 CMP eax, 00000002
: 0001.0098 0f823afc JB fcd6
: 0001.009c 663df8ffff0f CMP eax, 0ffffff8
: 0001.00a2 0f8330fc JNB fcd6
* Referenced by a (u) nconditional or (c) onditional jump at address:
|: 0001.00d4 (c)
|
: 0001.00a6 6650 push eax
: 0001.00a8 6683e802 sub eax, 00000002
: 0001.00ac 660fb64e0d movzx ECx, [bp + 0d]
: 0001.00b1 66f7e1 Mul ECx
: 0001.00b4 660108fc add eax, [bp-04]
: 0001.00b8 bb0000 mov BX, 0000
: 0001.00bb 06 push es
: 0001.00bc 8e068180 mov es, [8081]
: 0001.00c0 e81dfc call fce0
: 0001.00c3 07 pop es
: 0001.00c4 6658 pop eax
: 0001.00c6 c1eb04 shr bx, 04
: 0001.00c9 011e8180 add [8081], BX
: 0001.00cd e80e00 call 00de
: 0001.00d0 0f830200 JNB 00d6
: 0001.00d4 72d0 JB 00a6
* Referenced by a (u) nconditional or (c) onditional jump at address:
|: 0001.00d0 (c)
|
: 0001.00d6 8a5640 mov DL, [bp + 40]
: 0001.00d9 ea00000020 JMP 2000:0000; grant the execution right to ntldr
* Referenced by a call at addresses:
|: 0001.0076,: 0001.00cd
|
: 0001.00de 66c1e002 SHL eax, 02
: 0001.00e2 e81100 call 00f6
: 0001.00e5 26668b01 mov eax, ES: [bx + DI]
: 0001.00e9 6625ffffff0f and eax, 0 fffffff
: 0001.00ef 663df8ffff0f CMP eax, 0ffffff8
: 0001.00f5 C3 RET
* Referenced by a call at address:
|: 0001.00e2
|
: 0001.00f6 bf007e mov Di, 7e00
: 0001.00f9 660fb74e0b movzx ECx, word PTR [bp + 0b]
: 0001.00fe 6633d2 XOR edX, EDX
: 0001.0101 66f7f1 Div ECx
: 0001.0104 663b46f4 CMP eax, [bp-0C]
: 0001.0108 743a je 0144.
: 0001.010a 668946f4 mov [bp-0C], eax
: 0001.010e 6601_1c add eax, [bp + 1C]
: 0001.0112 660fb74e0e movzx ECx, word PTR [bp + 0e]
: 0001.0117 6603c1 add eax, ECx
: 0001.011a 660fb75e28 movzx EBX, word PTR [bp + 28]
: 0001.011f 83e30f and BX, 000f
: 0001.0122 7416 je 013a
: 0001.0124 3a5e10 cmp bl, [bp + 10]
: 0001.0127 0f83abfb JNB fcd6
: 0001.012b 52 push DX
: 0001.012c 668bc8 mov ECx, eax
: 0001.012f 668b4624 mov eax, [bp + 24]
: 0001.0133 66f7e3 Mul EBX
: 0001.0136 6603c1 add eax, ECx
: 0001.0139 5A pop DX
* Referenced by a (u) nconditional or (c) onditional jump at address:
|: 0001.0122 (c)
|
: 0001.013a 52 push DX
: 0001.013b 8bdf mov BX, Di
: 0001.013d b90100 mov CX, 0001
: 0001.0140 e89dfb call fce0
: 0001.0143 5A pop DX
* Referenced by a (u) nconditional or (c) onditional jump at address:
|: 0001.0108 (c)
|
: 0001.0144 8127mov BX, DX
: 0001.0146 C3 RET
: 0001.0147 00000000000000000000 byte 10 DUP (0)
: 0001.0151 00000000000000000000 byte 10 DUP (0)
: 0001.015b 00000000000000000000 byte 10 DUP (0)
: 0001.0165 00000000000000000000 byte 10 DUP (0)
: 0001.016f 00000000000000000000 byte 10 DUP (0)
: 0001.0179 00000000000000000000 byte 10 DUP (0)
: 0001.0183 00000000000000000000 byte 10 DUP (0)
: 0001.018d 00000000000000000000 byte 10 DUP (0)
: 0001.0197 00000000000000000000 byte 10 DUP (0)
: 0001.01a1 00000000000000000000 byte 10 DUP (0)
: 0001.01ab 00000000000000000000 byte 10 DUP (0)
: 0001.01b5 00000000000000000000 byte 10 DUP (0)
: 0001.01bf00000000000000000000 byte 10 DUP (0)
: 0001.01c9 00000000000000000000 byte 10 DUP (0)
: 0001.01d3 00000000000000000000 byte 10 DUP (0)
: 0001.01dd 00000000000000000000 byte 10 DUP (0)
: 0001.01e7 00000000000000000000 byte 10 DUP (0)
: 0001.01f1 00000000000000000000 byte 10 DUP (0)
: 0001.01fb 000000 byte 3 DUP (0)
: 0001.01fe 55 push BP
: 0001.01ff AA stosb