Log in

View Full Version : Driver PE Header ImageBase modified by OS Loader

Kayaker
November 13th, 2008, 19:51
I've been noticing a peculiar behaviour in that the value of the PE->OptionalHeader.ImageBase in some loaded system drivers has been modified from the default 0x10000 value as found in the raw file.

Now we know that all driver files generally have the same PE image base (0x10000) and are relocated into memory to whatever address the OS chooses.

That PE file image base value can probably be changed when compiling it with the /BASE directive, i.e. /BASE:0X20000, but it doesn't really matter since its going to be dynamically relocated to high memory anyway.

The loaded Image Base value can be obtained from the DriverObject structure DRIVER_OBJECT->DriverStart, but we don't really care about that either.

What is peculiar though is if you parse through the PE header in memory of some loaded drivers, the ImageBase value will have changed to some non-intuitive address.


You can see this with WinDbg/LiveKd or using the simple code:

Code:
// RtlImageNtHeader returns offset of "PE" in PE header



EXTERN_C

NTKERNELAPI

PIMAGE_NT_HEADERS

RtlImageNtHeader (

    IN PVOID Base

    );

    



PIMAGE_NT_HEADERS	NtHeaders;		// "PE"





///////////////////////////////////////////////////

// Get value of ImageBase from PE header in memory

///////////////////////////////////////////////////



// Base Address in DRIVER_OBJECT may be missing

// in some drivers, so don't pass a null pointer!

if(TargetpDriverObject->DriverStart)

{



    // Get offset of "PE" in PE header

    

    NtHeaders = (PIMAGE_NT_HEADERS)RtlImageNtHeader(

    (PVOID)TargetpDriverObject->DriverStart);

    

    if(NtHeaders)

    {

        PE_ImageBase = NtHeaders->OptionalHeader.ImageBase;

    }	

}



Let's check this in LiveKD for a driver which doesn't have a modified PE ImageBase in memory - Beep.sys. Other examples are cdrom.sys, flpydisk.sys, i8042prt.sys, etc.

Code:
Beep.sys

Loaded ImageBase = F8C2B000

ImageBase in loaded PE header = 0x10000



(List Loaded Modules, m = pattern parameter)



    0: kd> lm mBeep

    start    end        module name

    f8c2b000 f8c2c080   Beep



(!Display Headers)



    0: kd> !dh f8c2b000

    

    File Type: EXECUTABLE IMAGE

    

    OPTIONAL HEADER VALUES

    

             ----- new -----

    00010000 image base



And now for a driver in which the PE ImageBase has been modified. There are several system drivers to choose from - acpi, agp440, atapi, IntelIde, KSecDD, PCI, VolSnap, Livekd, ...

Code:
acpi.sys

Loaded ImageBase = F86A8000

ImageBase in loaded PE header = 0x80124000



    0: kd> lm mACPI

    start    end        module name

    f86a8000 f86d5d80   ACPI

    

    0: kd> !dh f86a8000

    

    File Type: EXECUTABLE IMAGE

    

    OPTIONAL HEADER VALUES

    

             ----- new -----

    80124000 image base


Code:
ksecdd.sys

Loaded ImageBase = F8569000

ImageBase in loaded PE header = 0x802AC000



    0: kd> lm mksecdd

    start    end        module name

    f8569000 f857f780   KSecDD

    

    0: kd> !dh f8569000

    

    File Type: DLL

    

    OPTIONAL HEADER VALUES

    

             ----- new -----

    802ac000 image base


Code:
agp440.sys

Loaded ImageBase = F8757000

ImageBase in loaded PE header = 0x803DA000



    0: kd> lm magp440

    start    end        module name

    f8757000 f8761580   agp440

    

    0: kd> !dh f8757000

    

    File Type: EXECUTABLE IMAGE

    

    OPTIONAL HEADER VALUES

    

             ----- new -----

    803da000 image base



There doesn't seem to be any rhyme or reason to the modified PE image base address. The addresses don't point to anything in particular, just random bits of memory from what I can see.

In some cases the imagebase will be missing entirely from the Driver Object structure and LiveKd may (win32k.sys), or may not (PnPManager.sys) get any information from the LM and !DH commands.


There's probably nothing more mysterious than the operation of the PE loader. Is there some common factor in these drivers that cause the loader (presumably) to modify the PE header ImageBase value, while in other cases not? A compiler option? Something related to the drivers purpose or operation?


I certainly don't have an explanation for it, so I guess that ends my post

Kayaker
evaluator
November 14th, 2008, 06:38
only imagined as anti-malware action!?
naides
November 14th, 2008, 07:49
Kayaker: The new "artificial" imagebase that you described does not seem so random. all your examples gravitate towards numbers starting with 80XXXXXX ie the lower high memory. Perhaps this behavior is a evolutionary residue of the way the loading of drivers was developed. initially they were directed to default locations in the lower part of high memory, and the loader explicitly wrote this imagebase by default perhaps for non relocatable drivers???. Later on with the explosion of drivers, a more dynamic an fully relocation algorithm was implemented, but the code that modified the PE header was harmless albeit superfluous and was left in there. Never misunderestimate the laziness of OS programmers of a certain company.
Have you checked howq this phenomenon operates in Windows 2000? NT? perhaps Win98. Justa a wild idea.
blabberer
November 14th, 2008, 14:05
not sure if i understood your post but for me the physical data and !dh values seems to be same

Code:


lkd> .foreach (place { lm o 1m }) {.echo place; .catch { dt hellobaby!_image_nt_headers optionalheader.imagebase  ( place  + poi(  place  + 0x3c ) ); r $t0 = place; .shell -ci "!dh -f @$t0" findstr /c:"image base" }  } .continue ; 

windbg

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x1000000

					01000000 image base

     

kdexts

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x400000

					00400000 image base

     

ext

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x1400000

					01400000 image base

     

kext

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x1600000

					01600000 image base

     

exts

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x1900000

					01900000 image base

     

symsrv

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x1d00000

					01d00000 image base

     

dbgeng

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x2000000

					02000000 image base

     

dbghelp

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x3000000

					03000000 image base

     

hellobaby

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x6eec14c

     

wship6

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x58d40000

					58d40000 image base

     

uxtheme

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x5ad70000

					5ad70000 image base

     

NETAPI32

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x5b860000

					5b860000 image base

     

mslbui

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x605d0000

					605d0000 image base

     

hnetcfg

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x662b0000

					662b0000 image base

     

mswsock

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x71a50000

					71a50000 image base

     

wshtcpip

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x71a90000

					71a90000 image base

     

WS2HELP

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x71aa0000

					71aa0000 image base

     

WS2_32

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x71ab0000

					71ab0000 image base

     

wsock32

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x71ad0000

					71ad0000 image base

     

MPR

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x71b20000

					71b20000 image base

     

sensapi

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x722b0000

					722b0000 image base

     

MSCTF

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x74720000

					74720000 image base

     

RICHED20

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x74e30000

					74e30000 image base

     

SXS

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x75e90000

					75e90000 image base

     

USERENV

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x769c0000

					769c0000 image base

     

WINMM

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x76b40000

					76b40000 image base

     

iphlpapi

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x76d60000

					76d60000 image base

     

rtutils

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x76e80000

					76e80000 image base

     

rasman

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x76e90000

					76e90000 image base

     

TAPI32

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x76eb0000

					76eb0000 image base

     

RASAPI32

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x76ee0000

					76ee0000 image base

     

DNSAPI

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x76f20000

					76f20000 image base

     

WLDAP32

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x76f60000

					76f60000 image base

     

winrnr

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x76fb0000

					76fb0000 image base

     

rasadhlp

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x76fc0000

					76fc0000 image base

     

OLEAUT32

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x77120000

					77120000 image base

     

WININET

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x771b0000

					771b0000 image base

     

urlmon

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x77260000

					77260000 image base

     

COMCTL32

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x773d0000

					773d0000 image base

     

ole32

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x774e0000

					774e0000 image base

     

CRYPT32

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x77a80000

					77a80000 image base

     

MSASN1

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x77b20000

					77b20000 image base

     

VERSION

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x77c00000

					77c00000 image base

     

msvcrt

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x77c10000

					77c10000 image base

     

msv1_0

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x77c70000

					77c70000 image base

     

USER32

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x77d40000

					77d40000 image base

     

ADVAPI32

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x77dd0000

					77dd0000 image base

     

RPCRT4

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x77e70000

					77e70000 image base

     

GDI32

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x77f10000

					77f10000 image base

     

SHLWAPI

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x77f60000

					77f60000 image base

     

Secur32

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x77fe0000

					77fe0000 image base

     

kernel32

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x7c800000

					7c800000 image base

     

ntdll

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x7c900000

					7c900000 image base

     

SHELL32

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x7c9c0000

					7c9c0000 image base

     

nt

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x400000

					00400000 image base

     

hal

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x80010000

					80010000 image base

     

NavEx15

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

mouhid

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

hidusb

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

NAVENG

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

SYMEVENT

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

HTTP

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

sit_mdm

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

sit_prt

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

SAVRTPEL

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

srv

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

SENTINEL

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

mrxdav

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

asyncmac

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

CDAC15BA

Memory access error at ') '

wdmaud

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

mdmxsdk

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

sysaudio

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

ndisuio

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

dump_atapi

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

usbvideo

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

mrxsmb

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

rdbss

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

ipnat

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

vmm

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

afd

Memory access error at ') '

tcpip6

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

netbt

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

tcpip

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

ipsec

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

HSF_CNXT

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

HSF_DPV

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

HSFHWAZL

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

					00010000 image base

     

portcls

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

CHDAud

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

dxg

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

igxprd32

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

igxpgd32

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

igxpdv32

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

igxpdx32

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

win32k

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0xbf800000

					bf800000 image base

     

rasacd

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

Dxapi

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

update

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

rdpdr

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

psched

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

ndiswan

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

btkrnl

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

ks

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

SynTP

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

USBPORT

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

ar5211

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

HDAudBus

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

VIDEOPRT

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

igxpmp32

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000000

					10000000 image base

     

kbdhid

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

Mup

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x803b7000

					803b7000 image base

     

NDIS

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x8038a000

					8038a000 image base

     

Ntfs

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x802fd000

					802fd000 image base

     

KSecDD

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x802e6000

					802e6000 image base

     

sr

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x802d4000

					802d4000 image base

     

fltmgr

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x802b5000

					802b5000 image base

     

SysLang

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x801ca000

					801ca000 image base

     

atapi

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x801a8000

					801a8000 image base

     

dmio

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x80170000

					80170000 image base

     

ftdisk

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x80151000

					80151000 image base

     

pci

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x8012e000

					8012e000 image base

     

ACPI

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x80100000

					80100000 image base

     

isapnp

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x80006000

					80006000 image base

     

MountMgr

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x80146000

					80146000 image base

     

VolSnap

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x8019b000

					8019b000 image base

     

disk

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x8029f000

					8029f000 image base

     

CLASSPNP

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x802a8000

					802a8000 image base

     

VMNetSrv

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

rasl2tp

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

raspppoe

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

raspptp

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

msgpc

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

Cdfs

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

termdd

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

NDProxy

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

usbhub

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

drmk

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

netbios

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

wanarp

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

Fips

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

intelppm

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

HIDCLASS

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

i8042prt

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

imapi

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

cdrom

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

redbook

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

PCIIDEX

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x8013f000

					8013f000 image base

     

PartMgr

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x80196000

					80196000 image base

     

SysBoot

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x801c4000

					801c4000 image base

     

USBSTOR

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

usbccgp

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

watchdog

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

HIDPARSE

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

usbuhci

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

usbehci

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

RTL8139

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

kbdclass

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

mouclass

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

TDI

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

ptilink

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

raspti

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

Modem

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

sit_bus

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

vga

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

Msfs

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

Npfs

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

ip6fw

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

BOOTVID

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x80010000

					80010000 image base

     

compbatt

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x80013000

					80013000 image base

     

BATTC

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x80016000

					80016000 image base

     

ACPIEC

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x8001c000

					8001c000 image base

     

SDbgMsg

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x801c0000

					801c0000 image base

     

tunmp

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

CmBatt

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

cpqbttn

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

wmiacpi

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

ndistapi

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

mssmbios

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

kdcom

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x806ef000

					806ef000 image base

     

WMILIB

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x80004000

					80004000 image base

     

dmload

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x8001a000

					8001a000 image base

     

USBD

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

loop

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

swenum

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

Fs_Rec

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

Beep

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

mnmdd

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

RDPCDD

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

dump_WMILIB

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

sit_flt

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

pciide

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x8000f000

					8000f000 image base

     

OPRGHDLR

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x8001f000

					8001f000 image base

     

audstub

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

dxgthk

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base

     

Null

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

                                        00010000 image base



for dt image_nt_headers you need an executable's private pdb with typeinfo included which you use with .reload /s /i yourexe= base
blabberer
November 14th, 2008, 14:45
i see what you are talking about now

just loading the acpi.sys in a hexeditor i can see 0x10000
whereas in windbg both DD , dt !dh all shows some weird 80###### values


Code:




lkd> dt testdll!image_nt_headers -b f74c10c8			from ollydbg view file of acpi.sys

   +0x000 Signature        : 0x4550				000000C8  ; PE signature (PE)

   +0x004 FileHeader       : _IMAGE_FILE_HEADER			

      +0x000 Machine          : 0x14c				000000CC  ; Machine = IMAGE_FILE_MACHINE_I386

      +0x002 NumberOfSections : 8				000000CE  ;  NumberOfSections = 8

      +0x004 TimeDateStamp    : 0x41107d27			000000D0  ;  TimeDateStamp = 41107D27

      +0x008 PointerToSymbolTable : 0				000000D4  ;  PointerToSymbolTable = 0

      +0x00c NumberOfSymbols  : 0				000000D8  ;  NumberOfSymbols = 0

      +0x010 SizeOfOptionalHeader : 0xe0			000000DC  ;  SizeOfOptionalHeader = E0 (224.)

      +0x012 Characteristics  : 0x10e				000000DE  ;  Characteristics = EXECUTABLE_IMAGE|32BIT_MACHINE|LINE_NUMS_STRIPPED|LOCAL_SYMS_STRIPPED

   +0x018 OptionalHeader   : _IMAGE_OPTIONAL_HEADER			

      +0x000 Magic            : 0x10b				000000E0  ; MagicNumber = PE32

      +0x002 MajorLinkerVersion : 0x7 ''			000000E2  ;  MajorLinkerVersion = 7

      +0x003 MinorLinkerVersion : 0xa ''			000000E3  ;  MinorLinkerVersion = A (10.)

      +0x004 SizeOfCode       : 0x26180				000000E4  ;  SizeOfCode = 26180 (156032.)

      +0x008 SizeOfInitializedData : 0x7900			000000E8  ;  SizeOfInitializedData = 7900 (30976.)

      +0x00c SizeOfUninitializedData : 0			000000EC  ;  SizeOfUninitializedData = 0

      +0x010 AddressOfEntryPoint : 0x29059			000000F0  ;  AddressOfEntryPoint = 29059

      +0x014 BaseOfCode       : 0x300				000000F4  ;  BaseOfCode = 300

      +0x018 BaseOfData       : 0x1b200				000000F8  ;  BaseOfData = 1B200

      +0x01c ImageBase        : 0x80100000			000000FC  ; ImageBase = 10000

      +0x020 SectionAlignment : 0x80				00000100  ;  SectionAlignment = 80

      +0x024 FileAlignment    : 0x80				00000104  ;  FileAlignment = 80

      +0x028 MajorOperatingSystemVersion : 5			00000108  ;  MajorOSVersion = 5

      +0x02a MinorOperatingSystemVersion : 1			0000010A  ;  MinorOSVersion = 1

      +0x02c MajorImageVersion : 5				0000010C  ;  MajorImageVersion = 5

      +0x02e MinorImageVersion : 1				0000010E  ;  MinorImageVersion = 1

      +0x030 MajorSubsystemVersion : 5				00000110  ;  MajorSubsystemVersion = 5

      +0x032 MinorSubsystemVersion : 1				00000112  ;  MinorSubsystemVersion = 1

      +0x034 Win32VersionValue : 0				00000114  ;  Reserved

      +0x038 SizeOfImage      : 0x2dd80				00000118  ;  SizeOfImage = 2DD80 (187776.)

      +0x03c SizeOfHeaders    : 0x300				0000011C  ;  SizeOfHeaders = 300 (768.)

      +0x040 CheckSum         : 0x33106				00000120  ;  CheckSum = 33106

      +0x044 Subsystem        : 1				00000124  ;  Subsystem = IMAGE_SUBSYSTEM_NATIVE

      +0x046 DllCharacteristics : 0x400				00000126  ;  DLLCharacteristics = 400

      +0x048 SizeOfStackReserve : 0x40000			00000128  ;  SizeOfStackReserve = 40000 (262144.)

      +0x04c SizeOfStackCommit : 0x1000				0000012C  ;  SizeOfStackCommit = 1000 (4096.)

      +0x050 SizeOfHeapReserve : 0x100000			00000130  ;  SizeOfHeapReserve = 100000 (1048576.)

      +0x054 SizeOfHeapCommit : 0x1000				00000134  ;  SizeOfHeapCommit = 1000 (4096.)

      +0x058 LoaderFlags      : 0				00000138  ;  LoaderFlags = 0

      +0x05c NumberOfRvaAndSizes : 0x10				0000013C  ;  NumberOfRvaAndSizes = 10 (16.)

      +0x060 DataDirectory    : 				00000140  ;  Export Table address = 0

       [00] _IMAGE_DATA_DIRECTORY				00000144  ;  Export Table size = 0

         +0x000 VirtualAddress   : 0				00000148  ;  Import Table address = 290A0

         +0x004 Size             : 0				0000014C  ;  Import Table size = 50 (80.)

       [01] 			00000150  ;  			Resource Table address = 29F00

         +0x000 VirtualAddress   : 0x290a0			00000154  ;  Resource Table size = 18F8 (6392.)

         +0x004 Size             : 0x50				00000158  ;  Exception Table address = 0

       [02] 			0000015C  ;  			Exception Table size = 0

         +0x000 VirtualAddress   : 0x29f00			00000160  ;  Certificate File pointer = 0

         +0x004 Size             : 0x18f8			00000164  ;  Certificate Table size = 0

       [03] 			00000168  ;  			Relocation Table address = 2B800

         +0x000 VirtualAddress   : 0				0000016C  ;  Relocation Table size = 2300 (8960.)

         +0x004 Size             : 0				00000170  ;  Debug Data address = 1B430

       [04] 			00000174  ;  			Debug Data size = 1C (28.)

         +0x000 VirtualAddress   : 0				00000178  ;  Architecture Data address = 0

         +0x004 Size             : 0				0000017C  ;  Architecture Data size = 0

       [05] 			00000180  ;  			Global Ptr address = 0

         +0x000 VirtualAddress   : 0x2b800			00000184  ;  Must be 0

         +0x004 Size             : 0x2300			00000188  ;  TLS Table address = 0

       [06] 			0000018C  ;  			TLS Table size = 0

         +0x000 VirtualAddress   : 0x1b430			00000190  ;  Load Config Table address = 0

         +0x004 Size             : 0x1c				00000194  ;  Load Config Table size = 0

       [07] 			00000198  ;  			Bound Import Table address = 0

         +0x000 VirtualAddress   : 0				0000019C  ;  Bound Import Table size = 0

         +0x004 Size             : 0				000001A0  ;  Import Address Table address = 1B200

       [08] 			000001A4  ;  			Import Address Table size = 228 (552.)

         +0x000 VirtualAddress   : 0				000001A8  ;  Delay Import Descriptor address = 0

         +0x004 Size             : 0				000001AC  ;  Delay Import Descriptor size = 0

       [09] 			000001B0  ;  			COM+ Runtime Header address = 0

         +0x000 VirtualAddress   : 0				000001B4  ;  Import Address Table size = 0

         +0x004 Size             : 0				000001B8  ;  Reserved

       [10] 			000001BC  ;  			Reserved

         +0x000 VirtualAddress   : 0			

         +0x004 Size             : 0			

       [11] 			

         +0x000 VirtualAddress   : 0			

         +0x004 Size             : 0			

       [12] 			

         +0x000 VirtualAddress   : 0x1b200			

         +0x004 Size             : 0x228			

       [13] 			

         +0x000 VirtualAddress   : 0			

         +0x004 Size             : 0			

       [14] 			

         +0x000 VirtualAddress   : 0			

         +0x004 Size             : 0			

       [15] 			

         +0x000 VirtualAddress   : 0			

         +0x004 Size             : 0
dELTA
November 14th, 2008, 15:29
If I know Kayaker right, we will soon have a post from him with the solution, after he has ripped the Windows loader to pieces with SoftICE to find out...
reverser
November 14th, 2008, 17:40
Could it be ASLR?
darawk
November 14th, 2008, 18:30
I *believe* this is caused by drivers being relocated in memory. I analyzed this a while back and never did figure out with complete certainty what was going on, but my inclination is that it has something to do with drivers being remapped or reloaded by the operating system, possibly as a result of certain types of errors or exceptions.
deroko
November 14th, 2008, 18:41
isn't the address stored in pe header base address of ntosrnl.exe? I came accross this issue long time ago, and certanly it was really weird. But also as I remember, it used to be ntoskrnl.exe base address stored there my tests were on xp sp2, dunno, if anything has changed on Vista
Kayaker
November 14th, 2008, 21:55
Thanks for all the replies. I think I found the correlation. Every one of the drivers with a modified PE Header ImageBase is a boot loading driver and has a registry Start value of 0. (And every unmodified driver had a Start value of 1 or greater).

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACPI]
"Start"=dword:00000000

The Start types are detailed in
CurrentControlSet\Services Subkey Entries
http://support.microsoft.com/kb/103000

Code:
START TYPE     LOADER     MEANING



0x0            Kernel     Represents a part of the

(Boot)                    driver stack for the boot

                          (startup) volume and must

                          therefore be loaded by the

                          Boot Loader.



So an explanation that seems to make sense is that the ImageBase IS the original loading address used by ntldr and this value was written into the PE header. The boot drivers are then relocated to their final locations after the OS loads.

The only driver that doesn't follow this is LiveKD. Its ImageBase is listed as 0x80000000, perhaps that's internal.

I know there are some who have reversed ntldr, I suppose this info would only be applicable to that. (Or maybe as a quick way of identifying boot loading drivers in memory).


In summary,

Quote:
Floccinaucinihilipilification
floc·ci·nau·ci·ni·hil·i·pil·i·fi·ca·tion [flok-suh-naw-suh-nahy-hil-uh-pil-uh-fi-key-shuhn]
the categorization of something as not important or trivial
the estimation of something as valueless
darawk
November 14th, 2008, 22:16
ah, cool. It's nice to have my suspicions confirmed with certainty. I spent a lot of time trying to figure out what the common thread amongst the remapped drivers were so that I could really understand why the drivers were being remapped, but I never connected those dots. You nailed it right on the head, nice work.
blabberer
November 15th, 2008, 11:22
so you have already concluded

anyway i was just going to say waht you already posted

these address are derived when the loader remaps the boot loading drivers

how i havent checked

but you can confirm that this patch happens for all boot loading drivers after its mapped for the first time but before it is remapped

by using -b commandline switch and /break /debug switches in boot,ini

with -b it breaks after kernel iniitilization

while with /break switch in boot.ini kd will break in hal init phase

see below for details


Code:




Waiting to reconnect...

Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE

Kernel Debugger connection established.  (Initial Breakpoint requested)  broke with -b commandline switch

Symbol search path is: SRV*F:\SYMBOLS*HTTP://MSDL.MICROSOFT.COM/DOWNLOAD/SYMBOLS

Executable search path is: 

Windows XP Kernel Version 2600 UP Free x86 compatible

Built by: 2600.xpsp_sp2_rtm.040803-2158

Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055ab20

System Uptime: not available

Break instruction exception - code 80000003 (first chance)



nt!RtlpBreakWithStatusInstruction:

804e3b25 cc              int     3







kd> k

ChildEBP RetAddr  

805506dc 806b8a5f nt!RtlpBreakWithStatusInstruction

80550868 806aa072 nt!ExpInitializeExecutive+0x350

805508bc 806a9d2c nt!KiInitializeKernel+0x35e

00000000 00000000 nt!KiSystemStartup+0x2bf





kd> lm

start    end        module name

804d7000 806eb780   nt         (pdb symbols)          F:\SYMBOLS\ntoskrnl.pdb\8592B6763F34476B9BB560395A383F962\ntoskrnl.pdb

806ec000 806ffd80   hal        (deferred)             

fa9fe000 faa18580   Mup        (deferred)             

faa19000 faa45a80   NDIS       (deferred)             

faa46000 faa5c780   KSecDD     (deferred)             

faa5d000 faa80000   Fastfat    (deferred)             

faa80000 faa9e780   fltmgr     (deferred)             

faa9f000 faab6480   atapi      (deferred)             

faab7000 faadc700   dmio       (deferred)             

faadd000 faafb880   ftdisk     (deferred)             

faafc000 fab0ca80   pci        (deferred)             

fab0d000 fab3ad80   ACPI       (deferred)             

fab5c000 fab64c00   isapnp     (deferred)             

fab6c000 fab76500   MountMgr   (deferred)             

fab7c000 fab88c80   VolSnap    (deferred)             

fab8c000 fab94e00   disk       (deferred)             

fab9c000 faba8200   CLASSPNP   (deferred)             



fade4000 fadea200   PCIIDEX    (deferred)             

fadec000 fadf0900   PartMgr    (deferred)             

faf6c000 faf6f000   BOOTVID    (deferred)             

fb05c000 fb05db80   kdcom      (deferred)             

fb05e000 fb05f100   WMILIB     (deferred)             

fb060000 fb061580   intelide   (deferred)             

fb062000 fb063700   dmload     (deferred)             



kd> dt testdll!image_nt_headers fab0d0c8

   +0x000 Signature        : 0x4550

   +0x004 FileHeader       : _IMAGE_FILE_HEADER

   +0x018 OptionalHeader   : _IMAGE_OPTIONAL_HEADER

kd> dt -b testdll!image_nt_headers fab0d0c8

   +0x000 Signature        : 0x4550

   +0x004 FileHeader       : _IMAGE_FILE_HEADER

      +0x000 Machine          : 0x14c

      +0x002 NumberOfSections : 8

      +0x004 TimeDateStamp    : 0x41107d27

      +0x008 PointerToSymbolTable : 0

      +0x00c NumberOfSymbols  : 0

      +0x010 SizeOfOptionalHeader : 0xe0

      +0x012 Characteristics  : 0x10e

   +0x018 OptionalHeader   : _IMAGE_OPTIONAL_HEADER

      +0x000 Magic            : 0x10b

      +0x002 MajorLinkerVersion : 0x7 ''

      +0x003 MinorLinkerVersion : 0xa ''

      +0x004 SizeOfCode       : 0x26180

      +0x008 SizeOfInitializedData : 0x7900

      +0x00c SizeOfUninitializedData : 0

      +0x010 AddressOfEntryPoint : 0x29059

      +0x014 BaseOfCode       : 0x300

      +0x018 BaseOfData       : 0x1b200

      +0x01c ImageBase        : 0x80100000   <----------------





kd> g



kd> g

ERROR: DavReadRegistryValues/RegQueryValueExW(4). WStatus = 5

ERROR: DavReadRegistryValues/RegQueryValueExW(5). WStatus = 5

ERROR: DavReadRegistryValues/RegQueryValueExW(6). WStatus = 5

Waiting for all contexts to be flushed

Shutdown occurred...unloading all symbol tables.

Waiting to reconnect...

Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE

Kernel Debugger connection established.  (Initial Breakpoint requested)                      broke with /break in boot.ini

Symbol search path is: SRV*F:\SYMBOLS*HTTP://MSDL.MICROSOFT.COM/DOWNLOAD/SYMBOLS

Executable search path is: 

Windows XP Kernel Version 2600 UP Free x86 compatible

Built by: 2600.xpsp_sp2_rtm.040803-2158

Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055ab20

System Uptime: not available

Break instruction exception - code 80000003 (first chance)

nt!DbgBreakPoint:

804e3b14 cc              int     3



kd> k

ChildEBP RetAddr  

805506b4 806fd6b6 nt!DbgBreakPoint

805506c0 806fd70b hal!HalpGetParameters+0x42

805506d8 806aa27d hal!HalInitSystem+0x33

80550868 806aa072 nt!ExpInitializeExecutive+0x146

805508bc 806a9d2c nt!KiInitializeKernel+0x35e

00000000 00000000 nt!KiSystemStartup+0x2bf

kd> .reload /f

Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE

Loading Kernel Symbols

........*** 

................

Loading User Symbols



kd> lm

start    end        module name

80004000 80005100   WMILIB     (pdb symbols)          F:\SYMBOLS\wmilib.pdb\E4C3A9A4158C4C51BC4E2B46CA108AA51\wmilib.pdb

80006000 8000ec00   isapnp     (pdb symbols)          F:\SYMBOLS\isapnp.pdb\40205FF7480844E98F62335DD78B4F8E1\isapnp.pdb

80010000 80013000   BOOTVID    (pdb symbols)          F:\SYMBOLS\bootvid.pdb\3B7D83451\bootvid.pdb



80019000 8001a580   intelide   (pdb symbols)          F:\SYMBOLS\intelide.pdb\E9E510BE387D4D5A8A3CD81376DE50071\intelide.pdb

8001b000 8001c700   dmload     (pdb symbols)          F:\SYMBOLS\dmload.pdb\28B0BFC4C7864BBD92DD888A54E9FE841\dmload.pdb

80100000 8012dd80   ACPI       (pdb symbols)          F:\SYMBOLS\acpi.pdb\F2E034F2911844B491BDAB612C220EAB1\acpi.pdb   <-------------------

8012e000 8013ea80   pci        (pdb symbols)          F:\SYMBOLS\pci.pdb\206656EB8AAA4BFCAE215D6EE55305881\pci.pdb

8013f000 80145200   PCIIDEX    (pdb symbols)          F:\SYMBOLS\pciidex.pdb\671C7864E7F74A9D8D84385D1A6347411\pciidex.pdb

80146000 80150500   MountMgr   (pdb symbols)          F:\SYMBOLS\mountmgr.pdb\E76D919C975C47B1AB592D6BF9A53C1B1\mountmgr.pdb

80151000 8016f880   ftdisk     (pdb symbols)          F:\SYMBOLS\ftdisk.pdb\370ADA20D01E457AB6AC095AF8D099681\ftdisk.pdb

80170000 80195700   dmio       (pdb symbols)          F:\SYMBOLS\dmio.pdb\A2AA03114EB84B26A6B8E29367484C881\dmio.pdb

80196000 8019a900   PartMgr    (pdb symbols)          F:\SYMBOLS\partmgr.pdb\2BF62287ECEE48DFB06FF92BF1D0514B2\partmgr.pdb

8019b000 801a7c80   VolSnap    (pdb symbols)          F:\SYMBOLS\volsnap.pdb\37AD1DAAA6A04AF8B6FC8478DAFCBDE61\volsnap.pdb

801a8000 801bf480   atapi      (pdb symbols)          F:\SYMBOLS\atapi.pdb\25228DED4EEC41F29756FC1568E4B63F1\atapi.pdb

801c0000 801c8e00   disk       (pdb symbols)          F:\SYMBOLS\disk.pdb\D9F2945AC6DF4EEDB1E66ED610B7A04A1\disk.pdb

801c9000 801d5200   CLASSPNP   (pdb symbols)          F:\SYMBOLS\classpnp.pdb\12E3EB58301B4AC3A5B2D3921F91313A2\classpnp.pdb

801d6000 801f4780   fltmgr     (pdb symbols)          F:\SYMBOLS\fltMgr.pdb\A3669C0E41994AC2AD2BD6F85D4B1A041\fltMgr.pdb

801f5000 80218000   Fastfat    (pdb symbols)          F:\SYMBOLS\fastfat.pdb\49F9F5CA625D4A5C9DC927485DA7809F2\fastfat.pdb

80218000 8022e780   KSecDD     (pdb symbols)          F:\SYMBOLS\ksecdd.pdb\E9FEAB740C29470CB973CD9D584FE5A51\ksecdd.pdb

8022f000 8025ba80   NDIS       (pdb symbols)          F:\SYMBOLS\ndis.pdb\42ED3DC0817A4246B157736BBAF668742\ndis.pdb

8025c000 80276580   Mup        (pdb symbols)          F:\SYMBOLS\mup.pdb\B31678EDA6824BB19A2A0B8081DBF7D72\mup.pdb

804d7000 806eb780   nt         (pdb symbols)          F:\SYMBOLS\ntoskrnl.pdb\8592B6763F34476B9BB560395A383F962\ntoskrnl.pdb

806ec000 806ffd80   hal        (pdb symbols)          F:\SYMBOLS\halacpi.pdb\BECA5A4012524CD290B45877E8FC674F1\halacpi.pdb

80700000 80701b80   kdcom      (pdb symbols)          F:\SYMBOLS\kdcom.pdb\3B7D83461\kdcom.pdb



kd> .reload /s /i testdll.dll=50000000

kd> dt -b testdll!image_nt_headers acpi+0xc8

   +0x000 Signature        : 0x4550

   +0x004 FileHeader       : _IMAGE_FILE_HEADER

      +0x000 Machine          : 0x14c

      +0x002 NumberOfSections : 8

      +0x004 TimeDateStamp    : 0x41107d27

      +0x008 PointerToSymbolTable : 0

      +0x00c NumberOfSymbols  : 0

      +0x010 SizeOfOptionalHeader : 0xe0

      +0x012 Characteristics  : 0x10e

   +0x018 OptionalHeader   : _IMAGE_OPTIONAL_HEADER

      +0x000 Magic            : 0x10b

      +0x002 MajorLinkerVersion : 0x7 ''

      +0x003 MinorLinkerVersion : 0xa ''

      +0x004 SizeOfCode       : 0x26180

      +0x008 SizeOfInitializedData : 0x7900

      +0x00c SizeOfUninitializedData : 0

      +0x010 AddressOfEntryPoint : 0x29059

      +0x014 BaseOfCode       : 0x300

      +0x018 BaseOfData       : 0x1b200

      +0x01c ImageBase        : 0x10000   <----------------------------



kd> .foreach (place { lm o 1m }) {.echo place; .catch { r $t0 = place; dt testdll!_image_nt_headers optionalheader.imagebase  ( place  + poi(  place  + 0x3c ) )} } .continue ; 

testdll

Memory access error at ') '

WMILIB

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

isapnp

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

BOOTVID

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x80010000

wduyuyfs

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

intelide

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

dmload

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

ACPI

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

pci

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

PCIIDEX

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

MountMgr

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

ftdisk

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

dmio

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

PartMgr

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

VolSnap

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

atapi

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

disk

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

CLASSPNP

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

fltmgr

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

Fastfat

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

KSecDD

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

NDIS

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

Mup

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x10000

nt

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x400000

hal

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x80010000

kdcom

   +0x018 OptionalHeader           : 

      +0x01c ImageBase                : 0x80010000
blabberer
November 15th, 2008, 11:33
ok setting a hardware break point on read and write on the known reloacating addresss ba /r4 0xf0###### ba /w4 f0#######

we can see watch it being written

Code:


kd> bl

 0 e fab0d000 w 4 0001 (0001) 

 1 e fab0d0fc w 4 0001 (0001) 

 2 e fab0d0c8 r 4 0001 (0001) 



kd> g

Breakpoint 0 hit

nt!MiReloadBootLoadedDrivers+0x1a8:

806a868f f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

kd> k

ChildEBP RetAddr  

80550670 806af27f nt!MiReloadBootLoadedDrivers+0x1a8

805506d8 806aa3d1 nt!MmInitSystem+0xb33

80550868 806aa072 nt!ExpInitializeExecutive+0x2aa

805508bc 806a9d2c nt!KiInitializeKernel+0x35e

00000000 00000000 nt!KiSystemStartup+0x2bf

kd> r edi

edi=fab0d004

kd> r esi

esi=80100004

kd> !address esi

  80100000 - 0002e000                           

          Usage       KernelSpaceUsageImage

          ImageName   ACPI.sys



kd> !address edi

address fab0d004 not found in any known Kernel Address Range ----


but breaking on patching could be a problem with windbg as windbg sucks tracing with interrupts etc off

Code:


kd> g

Shutdown occurred...unloading all symbol tables.

Waiting to reconnect...

Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE

Kernel Debugger connection established.  (Initial Breakpoint requested)

Symbol search path is: SRV*F:\SYMBOLS*HTTP://MSDL.MICROSOFT.COM/DOWNLOAD/SYMBOLS

Executable search path is: 

Windows XP Kernel Version 2600 UP Free x86 compatible

Built by: 2600.xpsp_sp2_rtm.040803-2158

Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055ab20

System Uptime: not available

Break instruction exception - code 80000003 (first chance)

nt!DbgBreakPoint:

804e3b14 cc              int     3



kd> ba w4 fab0d0fc



kd> g;r edi;r esi;dd edi-4 l1; dd esi-4 l1;





Breakpoint 0 hit

edi=fab0d100

esi=80100100

fab0d0fc  00010000

801000fc  00010000





kd> g            <---------------- windbg just fscks off 







*** Fatal System Error: 0x00000050

                       (0xFAB0E000,0x00000001,0x806A868F,0x00000000)



Break instruction exception - code 80000003 (first chance)



A fatal system error has occurred.

Debugger entered on first try; Bugcheck callbacks have not been invoked.



A fatal system error has occurred.



Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE

Loading Kernel Symbols

........................

Loading User Symbols



*******************************************************************************

*                                                                             *

*                        Bugcheck Analysis                                    *

*                                                                             *

*******************************************************************************



Use !analyze -v to get detailed debugging information.



BugCheck 50, {fab0e000, 1, 806a868f, 0}



Probably caused by : memory_corruption ( nt!MiReloadBootLoadedDrivers+1a8 )



Followup: MachineOwner

---------



nt!RtlpBreakWithStatusInstruction:

804e3b25 cc              int     3

kd> !analyze -v

*******************************************************************************

*                                                                             *

*                        Bugcheck Analysis                                    *

*                                                                             *

*******************************************************************************



PAGE_FAULT_IN_NONPAGED_AREA (50)

Invalid system memory was referenced.  This cannot be protected by try-except,

it must be protected by a Probe.  Typically the address is just plain bad or it

is pointing at freed memory.

Arguments:

Arg1: fab0e000, memory referenced.

Arg2: 00000001, value 0 = read operation, 1 = write operation.

Arg3: 806a868f, If non-zero, the instruction address which referenced the bad memory

	address.

Arg4: 00000000, (reserved)



Debugging Details:

------------------





WRITE_ADDRESS:  fab0e000 



FAULTING_IP: 

nt!MiReloadBootLoadedDrivers+1a8

806a868f f3a5            rep movs dword ptr es:[edi],dword ptr [esi]



MM_INTERNAL_CODE:  0



DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO



BUGCHECK_STR:  0x50



TRAP_FRAME:  805505b8 -- (.trap 0xffffffff805505b8)

ErrCode = 00000002

eax=00001000 ebx=803f14b0 ecx=00000001 edx=00001485 esi=80101000 edi=fab0e000

eip=806a868f esp=8055062c ebp=80550670 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246

nt!MiReloadBootLoadedDrivers+0x1a8:

806a868f f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

Resetting default scope



LAST_CONTROL_TRANSFER:  from 805328e7 to 804e3b25



STACK_TEXT:  

80550108 805328e7 00000003 fab0e000 00000000 nt!RtlpBreakWithStatusInstruction

80550154 805333be 00000003 806ed03c c03eac38 nt!KiBugCheckDebugBreak+0x19

80550534 805339ae 00000050 fab0e000 00000001 nt!KeBugCheck2+0x574

80550554 805246fb 00000050 fab0e000 00000001 nt!KeBugCheckEx+0x1b

805505a0 804e1ff1 00000001 fab0e000 00000000 nt!MmAccessFault+0x6f5

805505a0 806a868f 00000001 fab0e000 00000000 nt!KiTrap0E+0xcc

80550670 806af27f 80087000 00000000 8008a950 nt!MiReloadBootLoadedDrivers+0x1a8

805506d8 806aa3d1 00000000 80087000 80559320 nt!MmInitSystem+0xb33

80550868 806aa072 00000000 80087000 8003fc00 nt!ExpInitializeExecutive+0x2aa

805508bc 806a9d2c 80559580 80559320 80550b80 nt!KiInitializeKernel+0x35e

00000000 00000000 00000000 00000000 00000000 nt!KiSystemStartup+0x2bf





STACK_COMMAND:  kb



FOLLOWUP_IP: 

nt!MiReloadBootLoadedDrivers+1a8

806a868f f3a5            rep movs dword ptr es:[edi],dword ptr [esi]



SYMBOL_STACK_INDEX:  6



SYMBOL_NAME:  nt!MiReloadBootLoadedDrivers+1a8



FOLLOWUP_NAME:  MachineOwner



MODULE_NAME: nt



DEBUG_FLR_IMAGE_TIMESTAMP:  41108004



IMAGE_NAME:  memory_corruption



FAILURE_BUCKET_ID:  0x50_W_nt!MiReloadBootLoadedDrivers+1a8



BUCKET_ID:  0x50_W_nt!MiReloadBootLoadedDrivers+1a8



Followup: MachineOwner

---------
blabberer
November 15th, 2008, 16:27
so if some one wants to watch the paint dry you can see where acpi gets its 810###### whatever from the trace below
it happens after MiReloadBootLoadedDrivers has moved the complete image somplace the last instruction in this trace will show the boot image being patched into
the relocated memory

note to self weird name acpi!osCallbacks ?? for image_nt_header ?? should check it out

Code:


kd> 

eax=00001000 ebx=803f14b0 ecx=00000000 edx=000014ac esi=0000002e edi=c03eacd4

eip=806a86a4 esp=8055062c ebp=80550670 iopl=0         nv up ei ng nz ac pe cy

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000297

nt!MiReloadBootLoadedDrivers+0x1dd:

806a86a4 0f8245ffffff    jb      nt!MiReloadBootLoadedDrivers+0x105 (806a85ef) [br=1]

kd> 

eax=00001000 ebx=803f14b0 ecx=00000000 edx=000014ac esi=0000002e edi=c03eacd4

eip=806a85ef esp=8055062c ebp=80550670 iopl=0         nv up ei ng nz ac pe cy

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000297

nt!MiReloadBootLoadedDrivers+0x105:

806a85ef 833d9c10558001  cmp     dword ptr [nt!MmMakeLowMemory (8055109c)],1 ds:0023:8055109c=00000001

kd> 

eax=00001000 ebx=803f14b0 ecx=00000000 edx=000014ac esi=0000002e edi=c03eacd4

eip=806a85f6 esp=8055062c ebp=80550670 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246

nt!MiReloadBootLoadedDrivers+0x10c:

806a85f6 8b45f8          mov     eax,dword ptr [ebp-8] ss:0010:80550668=c02004a0

kd> 

eax=c02004a0 ebx=803f14b0 ecx=00000000 edx=000014ac esi=0000002e edi=c03eacd4

eip=806a85f9 esp=8055062c ebp=80550670 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246

nt!MiReloadBootLoadedDrivers+0x10f:

806a85f9 8b00            mov     eax,dword ptr [eax]  ds:0023:c02004a0=00128163

kd> 

eax=00128163 ebx=803f14b0 ecx=00000000 edx=000014ac esi=0000002e edi=c03eacd4

eip=806a85fb esp=8055062c ebp=80550670 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246

nt!MiReloadBootLoadedDrivers+0x111:

806a85fb 8945c8          mov     dword ptr [ebp-38h],eax ss:0010:80550638=00127163

kd> 

eax=00128163 ebx=803f14b0 ecx=00000000 edx=000014ac esi=0000002e edi=c03eacd4

eip=806a85fe esp=8055062c ebp=80550670 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246

nt!MiReloadBootLoadedDrivers+0x114:

806a85fe 0f854f300100    jne     nt!MiReloadBootLoadedDrivers+0x1b2 (806bb653) [br=0]

kd> 

eax=00128163 ebx=803f14b0 ecx=00000000 edx=000014ac esi=0000002e edi=c03eacd4

eip=806a8604 esp=8055062c ebp=80550670 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246

nt!MiReloadBootLoadedDrivers+0x11a:

806a8604 ff1568764d80    call    dword ptr [nt!_imp__KeRaiseIrqlToDpcLevel (804d7668)] ds:0023:804d7668={hal!KeRaiseIrqlToDpcLevel (806ed03c)}

kd> 

eax=00000001 ebx=803f14b0 ecx=00000000 edx=000014ac esi=0000002e edi=c03eacd4

eip=806a860a esp=8055062c ebp=80550670 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246

nt!MiReloadBootLoadedDrivers+0x120:

806a860a 33d2            xor     edx,edx

kd> 

eax=00000001 ebx=803f14b0 ecx=00000000 edx=00000000 esi=0000002e edi=c03eacd4

eip=806a860c esp=8055062c ebp=80550670 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246

nt!MiReloadBootLoadedDrivers+0x122:

806a860c 33c9            xor     ecx,ecx

kd> 

eax=00000001 ebx=803f14b0 ecx=00000000 edx=00000000 esi=0000002e edi=c03eacd4

eip=806a860e esp=8055062c ebp=80550670 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246

nt!MiReloadBootLoadedDrivers+0x124:

806a860e 8845ff          mov     byte ptr [ebp-1],al        ss:0010:8055066f=01

kd> 

eax=00000001 ebx=803f14b0 ecx=00000000 edx=00000000 esi=0000002e edi=c03eacd4

eip=806a8611 esp=8055062c ebp=80550670 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246

nt!MiReloadBootLoadedDrivers+0x127:

806a8611 e853e8e3ff      call    nt!MiEnsureAvailablePageOrWait (804e6e69)

kd> 

eax=00000000 ebx=803f14b0 ecx=00000080 edx=00000000 esi=0000002e edi=c03eacd4

eip=806a8616 esp=8055062c ebp=80550670 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246

nt!MiReloadBootLoadedDrivers+0x12c:

806a8616 8b0dd4f45580    mov     ecx,dword ptr [nt!MmSecondaryColorMask (8055f4d4)] ds:0023:8055f4d4=0000003f

kd> 

eax=00000000 ebx=803f14b0 ecx=0000003f edx=00000000 esi=0000002e edi=c03eacd4

eip=806a861c esp=8055062c ebp=80550670 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246

nt!MiReloadBootLoadedDrivers+0x132:

806a861c 230db8ef5580    and     ecx,dword ptr [nt!MmSystemPageColor (8055efb8)] ds:0023:8055efb8=0000002d

kd> 

eax=00000000 ebx=803f14b0 ecx=0000002d edx=00000000 esi=0000002e edi=c03eacd4

eip=806a8622 esp=8055062c ebp=80550670 iopl=0         nv up ei pl nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206

nt!MiReloadBootLoadedDrivers+0x138:

806a8622 ff05b8ef5580    inc     dword ptr [nt!MmSystemPageColor (8055efb8)] ds:0023:8055efb8=0000002d

kd> 

eax=00000000 ebx=803f14b0 ecx=0000002d edx=00000000 esi=0000002e edi=c03eacd4

eip=806a8628 esp=8055062c ebp=80550670 iopl=0         nv up ei pl nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206

nt!MiReloadBootLoadedDrivers+0x13e:

806a8628 e8d3e7e3ff      call    nt!MiRemoveAnyPage (804e6e00)

kd> 

eax=0000146d ebx=803f14b0 ecx=00000000 edx=000014ad esi=0000002e edi=c03eacd4

eip=806a862d esp=8055062c ebp=80550670 iopl=0         nv up ei pl nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206

nt!MiReloadBootLoadedDrivers+0x143:

806a862d 8bf0            mov     esi,eax

kd> 

eax=0000146d ebx=803f14b0 ecx=00000000 edx=000014ad esi=0000146d edi=c03eacd4

eip=806a862f esp=8055062c ebp=80550670 iopl=0         nv up ei pl nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206

nt!MiReloadBootLoadedDrivers+0x145:

806a862f 81fe00100000    cmp     esi,1000h

kd> 

eax=0000146d ebx=803f14b0 ecx=00000000 edx=000014ad esi=0000146d edi=c03eacd4

eip=806a8635 esp=8055062c ebp=80550670 iopl=0         nv up ei pl nz na po nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202

nt!MiReloadBootLoadedDrivers+0x14b:

806a8635 0f820c300100    jb      nt!MiReloadBootLoadedDrivers+0x14d (806bb647) [br=0]

kd> 

eax=0000146d ebx=803f14b0 ecx=00000000 edx=000014ad esi=0000146d edi=c03eacd4

eip=806a863b esp=8055062c ebp=80550670 iopl=0         nv up ei pl nz na po nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202

nt!MiReloadBootLoadedDrivers+0x154:

806a863b 8bcf            mov     ecx,edi

kd> 

eax=0000146d ebx=803f14b0 ecx=c03eacd4 edx=000014ad esi=0000146d edi=c03eacd4

eip=806a863d esp=8055062c ebp=80550670 iopl=0         nv up ei pl nz na po nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202

nt!MiReloadBootLoadedDrivers+0x156:

806a863d e8e6e7e3ff      call    nt!MiDetermineUserGlobalPteMask (804e6e28)

kd> 

eax=00000121 ebx=803f14b0 ecx=c03eacd4 edx=000014ad esi=0000146d edi=c03eacd4

eip=806a8642 esp=8055062c ebp=80550670 iopl=0         nv up ei pl nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206

nt!MiReloadBootLoadedDrivers+0x15b:

806a8642 8bce            mov     ecx,esi

kd> 

eax=00000121 ebx=803f14b0 ecx=0000146d edx=000014ad esi=0000146d edi=c03eacd4

eip=806a8644 esp=8055062c ebp=80550670 iopl=0         nv up ei pl nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206

nt!MiReloadBootLoadedDrivers+0x15d:

806a8644 c1e10c          shl     ecx,0Ch

kd> 

eax=00000121 ebx=803f14b0 ecx=0146d000 edx=000014ad esi=0000146d edi=c03eacd4

eip=806a8647 esp=8055062c ebp=80550670 iopl=0         nv up ei pl nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206

nt!MiReloadBootLoadedDrivers+0x160:

806a8647 0bc1            or      eax,ecx

kd> 

eax=0146d121 ebx=803f14b0 ecx=0146d000 edx=000014ad esi=0000146d edi=c03eacd4

eip=806a8649 esp=8055062c ebp=80550670 iopl=0         nv up ei pl nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206

nt!MiReloadBootLoadedDrivers+0x162:

806a8649 0b05000f5580    or      eax,dword ptr [nt!MmProtectToPteMask+0x18 (80550f00)] ds:0023:80550f00=00000002

kd> 

eax=0146d123 ebx=803f14b0 ecx=0146d000 edx=000014ad esi=0000146d edi=c03eacd4

eip=806a864f esp=8055062c ebp=80550670 iopl=0         nv up ei pl nz na po nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202

nt!MiReloadBootLoadedDrivers+0x168:

806a864f 6a01            push    1

kd> 

eax=0146d123 ebx=803f14b0 ecx=0146d000 edx=000014ad esi=0000146d edi=c03eacd4

eip=806a8651 esp=80550628 ebp=80550670 iopl=0         nv up ei pl nz na po nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202

nt!MiReloadBootLoadedDrivers+0x16a:

806a8651 57              push    edi

kd> 

eax=0146d123 ebx=803f14b0 ecx=0146d000 edx=000014ad esi=0000146d edi=c03eacd4

eip=806a8652 esp=80550624 ebp=80550670 iopl=0         nv up ei pl nz na po nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202

nt!MiReloadBootLoadedDrivers+0x16b:

806a8652 83c860          or      eax,60h

kd> 

eax=0146d163 ebx=803f14b0 ecx=0146d000 edx=000014ad esi=0000146d edi=c03eacd4

eip=806a8655 esp=80550624 ebp=80550670 iopl=0         nv up ei pl nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206

nt!MiReloadBootLoadedDrivers+0x16e:

806a8655 56              push    esi

kd> 

eax=0146d163 ebx=803f14b0 ecx=0146d000 edx=000014ad esi=0000146d edi=c03eacd4

eip=806a8656 esp=80550620 ebp=80550670 iopl=0         nv up ei pl nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206

nt!MiReloadBootLoadedDrivers+0x16f:

806a8656 8907            mov     dword ptr [edi],eax  ds:0023:c03eacd4=00000000

kd> 

eax=0146d163 ebx=803f14b0 ecx=0146d000 edx=000014ad esi=0000146d edi=c03eacd4

eip=806a8658 esp=80550620 ebp=80550670 iopl=0         nv up ei pl nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206

nt!MiReloadBootLoadedDrivers+0x171:

806a8658 e8f1f2e3ff      call    nt!MiInitializePfn (804e794e)

kd> 

eax=810181e0 ebx=803f14b0 ecx=81000000 edx=000014ad esi=0000146d edi=c03eacd4

eip=806a865d esp=8055062c ebp=80550670 iopl=0         nv up ei pl nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206

nt!MiReloadBootLoadedDrivers+0x176:

806a865d 8b0dc8f45580    mov     ecx,dword ptr [nt!MmPfnDatabase (8055f4c8)] ds:0023:8055f4c8=81000000

kd> 

eax=810181e0 ebx=803f14b0 ecx=81000000 edx=000014ad esi=0000146d edi=c03eacd4

eip=806a8663 esp=8055062c ebp=80550670 iopl=0         nv up ei pl nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206

nt!MiReloadBootLoadedDrivers+0x17c:

806a8663 8d0476          lea     eax,[esi+esi*2]

kd> 

eax=00003d47 ebx=803f14b0 ecx=81000000 edx=000014ad esi=0000146d edi=c03eacd4

eip=806a8666 esp=8055062c ebp=80550670 iopl=0         nv up ei pl nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206

nt!MiReloadBootLoadedDrivers+0x17f:

806a8666 8d04c1          lea     eax,[ecx+eax*8]

kd> 

eax=8101ea38 ebx=803f14b0 ecx=81000000 edx=000014ad esi=0000146d edi=c03eacd4

eip=806a8669 esp=8055062c ebp=80550670 iopl=0         nv up ei pl nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206

nt!MiReloadBootLoadedDrivers+0x182:

806a8669 8a4dff          mov     cl,byte ptr [ebp-1]        ss:0010:8055066f=01

kd> 

eax=8101ea38 ebx=803f14b0 ecx=81000001 edx=000014ad esi=0000146d edi=c03eacd4

eip=806a866c esp=8055062c ebp=80550670 iopl=0         nv up ei pl nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206

nt!MiReloadBootLoadedDrivers+0x185:

806a866c 83480c01        or      dword ptr [eax+0Ch],1 ds:0023:8101ea44=00011601

kd> 

eax=8101ea38 ebx=803f14b0 ecx=81000001 edx=000014ad esi=0000146d edi=c03eacd4

eip=806a8670 esp=8055062c ebp=80550670 iopl=0         nv up ei pl nz na po nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202

nt!MiReloadBootLoadedDrivers+0x189:

806a8670 832000          and     dword ptr [eax],0    ds:0023:8101ea38=00000000

kd> 

eax=8101ea38 ebx=803f14b0 ecx=81000001 edx=000014ad esi=0000146d edi=c03eacd4

eip=806a8673 esp=8055062c ebp=80550670 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246

nt!MiReloadBootLoadedDrivers+0x18c:

806a8673 ff1570764d80    call    dword ptr [nt!_imp_KfLowerIrql (804d7670)] ds:0023:804d7670={hal!KfLowerIrql (806ed070)}

kd> 

eax=00000000 ebx=803f14b0 ecx=00000001 edx=000014ad esi=0000146d edi=c03eacd4

eip=806a8679 esp=8055062c ebp=80550670 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246

nt!MiReloadBootLoadedDrivers+0x192:

806a8679 8b75f4          mov     esi,dword ptr [ebp-0Ch] ss:0010:80550664=80128000

kd> 

eax=00000000 ebx=803f14b0 ecx=00000001 edx=000014ad esi=80128000 edi=c03eacd4

eip=806a867c esp=8055062c ebp=80550670 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246

nt!MiReloadBootLoadedDrivers+0x195:

806a867c 8b7dec          mov     edi,dword ptr [ebp-14h] ss:0010:8055065c=fab35000

kd> 

eax=00000000 ebx=803f14b0 ecx=00000001 edx=000014ad esi=80128000 edi=fab35000

eip=806a867f esp=8055062c ebp=80550670 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246

nt!MiReloadBootLoadedDrivers+0x198:

806a867f b800100000      mov     eax,1000h

kd> 

eax=00001000 ebx=803f14b0 ecx=00000001 edx=000014ad esi=80128000 edi=fab35000

eip=806a8684 esp=8055062c ebp=80550670 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246

nt!MiReloadBootLoadedDrivers+0x19d:

806a8684 0145ec          add     dword ptr [ebp-14h],eax ss:0010:8055065c=fab35000

kd> 

eax=00001000 ebx=803f14b0 ecx=00000001 edx=000014ad esi=80128000 edi=fab35000

eip=806a8687 esp=8055062c ebp=80550670 iopl=0         nv up ei ng nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000286

nt!MiReloadBootLoadedDrivers+0x1a0:

806a8687 0145f4          add     dword ptr [ebp-0Ch],eax ss:0010:80550664=80128000

kd> 

eax=00001000 ebx=803f14b0 ecx=00000001 edx=000014ad esi=80128000 edi=fab35000

eip=806a868a esp=8055062c ebp=80550670 iopl=0         nv up ei ng nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000286

nt!MiReloadBootLoadedDrivers+0x1a3:

806a868a b900040000      mov     ecx,400h

kd> 

Breakpoint 1 hit

eax=00001000 ebx=803f14b0 ecx=00000400 edx=000014ad esi=80128000 edi=fab35000

eip=806a868f esp=8055062c ebp=80550670 iopl=0         nv up ei ng nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000286

nt!MiReloadBootLoadedDrivers+0x1a8:

806a868f f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

kd> bd 1;p;be 1;

kd> g

Breakpoint 1 hit

eax=00001000 ebx=803f14b0 ecx=00000400 edx=000014ae esi=80129000 edi=fab36000

eip=806a868f esp=8055062c ebp=80550670 iopl=0         nv up ei ng nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000286

nt!MiReloadBootLoadedDrivers+0x1a8:

806a868f f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

kd> bd 1;p;be 1;

kd> g

Breakpoint 1 hit

eax=00001000 ebx=803f14b0 ecx=00000400 edx=000014af esi=8012a000 edi=fab37000

eip=806a868f esp=8055062c ebp=80550670 iopl=0         nv up ei ng nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000286

nt!MiReloadBootLoadedDrivers+0x1a8:

806a868f f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

kd> bd 1;p;be 1;

kd> g

Breakpoint 1 hit

eax=00001000 ebx=803f14b0 ecx=00000400 edx=000014b0 esi=8012b000 edi=fab38000

eip=806a868f esp=8055062c ebp=80550670 iopl=0         nv up ei ng nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000286

nt!MiReloadBootLoadedDrivers+0x1a8:

806a868f f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

kd> bd 1;p;be 1;

kd> g

Breakpoint 1 hit

eax=00001000 ebx=803f14b0 ecx=00000400 edx=000014b1 esi=8012c000 edi=fab39000

eip=806a868f esp=8055062c ebp=80550670 iopl=0         nv up ei ng nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000286

nt!MiReloadBootLoadedDrivers+0x1a8:

806a868f f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

kd> bd 1;p;be 1;

kd> g

Breakpoint 1 hit

eax=00001000 ebx=803f14b0 ecx=00000400 edx=00001472 esi=8012d000 edi=fab3a000

eip=806a868f esp=8055062c ebp=80550670 iopl=0         nv up ei ng nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000286

nt!MiReloadBootLoadedDrivers+0x1a8:

806a868f f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

kd> bd 1;p;be 1;

kd> p

eax=00001000 ebx=803f14b0 ecx=00000000 edx=00001472 esi=8012e000 edi=c03eace8

eip=806a8694 esp=8055062c ebp=80550670 iopl=0         nv up ei ng nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000286

nt!MiReloadBootLoadedDrivers+0x1ad:

806a8694 8b75cc          mov     esi,dword ptr [ebp-34h] ss:0010:8055063c=0000002e

kd> 

eax=00001000 ebx=803f14b0 ecx=00000000 edx=00001472 esi=0000002e edi=c03eace8

eip=806a8697 esp=8055062c ebp=80550670 iopl=0         nv up ei ng nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000286

nt!MiReloadBootLoadedDrivers+0x1d0:

806a8697 8345f804        add     dword ptr [ebp-8],4  ss:0010:80550668=c02004b4

kd> 

eax=00001000 ebx=803f14b0 ecx=00000000 edx=00001472 esi=0000002e edi=c03eace8

eip=806a869b esp=8055062c ebp=80550670 iopl=0         nv up ei ng nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000286

nt!MiReloadBootLoadedDrivers+0x1d4:

806a869b 83c704          add     edi,4

kd> 

eax=00001000 ebx=803f14b0 ecx=00000000 edx=00001472 esi=0000002e edi=c03eacec

eip=806a869e esp=8055062c ebp=80550670 iopl=0         nv up ei ng nz na po nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000282

nt!MiReloadBootLoadedDrivers+0x1d7:

806a869e 3b7df0          cmp     edi,dword ptr [ebp-10h] ss:0010:80550660=c03eacec

kd> 

eax=00001000 ebx=803f14b0 ecx=00000000 edx=00001472 esi=0000002e edi=c03eacec

eip=806a86a1 esp=8055062c ebp=80550670 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246

nt!MiReloadBootLoadedDrivers+0x1da:

806a86a1 897ddc          mov     dword ptr [ebp-24h],edi ss:0010:8055064c=c03eace8

kd> 

eax=00001000 ebx=803f14b0 ecx=00000000 edx=00001472 esi=0000002e edi=c03eacec

eip=806a86a4 esp=8055062c ebp=80550670 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246

nt!MiReloadBootLoadedDrivers+0x1dd:

806a86a4 0f8245ffffff    jb      nt!MiReloadBootLoadedDrivers+0x105 (806a85ef) [br=0]

kd> 

eax=00001000 ebx=803f14b0 ecx=00000000 edx=00001472 esi=0000002e edi=c03eacec

eip=806a86aa esp=8055062c ebp=80550670 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246

nt!MiReloadBootLoadedDrivers+0x1e3:

806a86aa 8b45e8          mov     eax,dword ptr [ebp-18h] ss:0010:80550658=fab0d000

kd> 

eax=fab0d000 ebx=803f14b0 ecx=00000000 edx=00001472 esi=0000002e edi=c03eacec

eip=806a86ad esp=8055062c ebp=80550670 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246

nt!MiReloadBootLoadedDrivers+0x1e6:

806a86ad 8b55d0          mov     edx,dword ptr [ebp-30h] ss:0010:80550640={ACPI!OSInitializeCallbacks <PERF> (ACPI+0xc8) (801000c8)}

kd> p

eax=fab0d000 ebx=803f14b0 ecx=00000000 edx=801000c8 esi=0000002e edi=c03eacec

eip=806a86b0 esp=8055062c ebp=80550670 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246

nt!MiReloadBootLoadedDrivers+0x1e9:

806a86b0 8bce            mov     ecx,esi

kd> dd edx

801000c8  00004550 0008014c 41107d27 00000000

801000d8  00000000 010e00e0 0a07010b 00026180

801000e8  00007900 00000000 00029059 00000300

801000f8  0001b200 00010000 00000080 00000080

80100108  00010005 00010005 00010005 00000000

80100118  0002dd80 00000300 00033106 04000001

80100128  00040000 00001000 00100000 00001000

80100138  00000000 00000010 00000000 00000000

kd> p

eax=fab0d000 ebx=803f14b0 ecx=0000002e edx=801000c8 esi=0000002e edi=c03eacec

eip=806a86b2 esp=8055062c ebp=80550670 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246

nt!MiReloadBootLoadedDrivers+0x1eb:

806a86b2 c1e102          shl     ecx,2

kd> 

eax=fab0d000 ebx=803f14b0 ecx=000000b8 edx=801000c8 esi=0000002e edi=c03eacec

eip=806a86b5 esp=8055062c ebp=80550670 iopl=0         nv up ei pl nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206

nt!MiReloadBootLoadedDrivers+0x1ee:

806a86b5 2bf9            sub     edi,ecx

kd> 

eax=fab0d000 ebx=803f14b0 ecx=000000b8 edx=801000c8 esi=0000002e edi=c03eac34

eip=806a86b7 esp=8055062c ebp=80550670 iopl=0         nv up ei ng nz na po nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000282

nt!MiReloadBootLoadedDrivers+0x1f0:

806a86b7 8b4dd4          mov     ecx,dword ptr [ebp-2Ch] ss:0010:80550644={ACPI!OSInitializeCallbacks <PERF> (ACPI+0x0) (80100000)}

kd> p

eax=fab0d000 ebx=803f14b0 ecx=80100000 edx=801000c8 esi=0000002e edi=c03eac34

eip=806a86ba esp=8055062c ebp=80550670 iopl=0         nv up ei ng nz na po nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000282

nt!MiReloadBootLoadedDrivers+0x1f3:

806a86ba 894a34          mov     dword ptr [edx+34h],ecx ds:0023:801000fc=00010000
Kayaker
November 15th, 2008, 17:17
Hehe, blabberer I was hoping you'd do your Winny trick of breaking on early kernel loading. You seem to have caught it nicely there with nt!MiReloadBootLoadedDrivers.

Is there any way you can break at the start of MiReloadBootLoadedDrivers and display the hidden structure pointed to by arg_0? There are some interesting bits in there, such as pointed to by [ebx+18h] = ImageBase, [ebx+1Ch] [ebx+20h] [ebx+37h]. It may point to an array of structures for each boot driver.

The function looks to be constructed as a loop that rebases all the boot drivers in turn. The loopcounter seems to indicate it skips the first 2 drivers (nt & hal?) before rebasing the rest.

Adding a few definitions such as IMAGE_NT_HEADERS32 and the analysis looks like this.

Code:


:005D1503 ; __stdcall MiReloadBootLoadedDrivers(x)

:005D1503 _MiReloadBootLoadedDrivers@4 proc near  ; CODE XREF: InbvIndicateProgress()+F7F3p

:005D1503

:005D1503 var_38          = dword ptr -38h

:005D1503 var_34          = dword ptr -34h

:005D1503 NtHeaders       = dword ptr -30h

:005D1503 var_2C          = dword ptr -2Ch

:005D1503 var_28          = dword ptr -28h

:005D1503 var_24          = dword ptr -24h

:005D1503 var_20          = dword ptr -20h

:005D1503 loopcounter     = dword ptr -1Ch

:005D1503 ImageBase       = dword ptr -18h

:005D1503 var_14          = dword ptr -14h

:005D1503 var_10          = dword ptr -10h

:005D1503 var_C           = dword ptr -0Ch

:005D1503 var_8           = dword ptr -8

:005D1503 var_1           = byte ptr -1

:005D1503 _pInteresting_struct= dword ptr  8

:005D1503

:005D1503 ; FUNCTION CHUNK AT :005D14DD SIZE 00000021 BYTES

:005D1503 ; FUNCTION CHUNK AT :005E463F SIZE 000000FB BYTES

:005D1503

:005D1503                 mov     edi, edi

:005D1505                 push    ebp

:005D1506                 mov     ebp, esp

:005D1508                 sub     esp, 38h

:005D150B                 mov     eax, [ebp+_pInteresting_struct]

:005D150E                 and     [ebp+var_20], 0

:005D1512                 and     [ebp+loopcounter], 0

:005D1516                 push    ebx

:005D1517                 mov     ebx, [eax]

:005D1519                 cmp     ebx, eax

:005D151B                 jz      short _ret

:005D151D                 push    esi

:005D151E                 push    edi

:005D151F

:005D151F loopNextImage:                          ; CODE XREF: MiReloadBootLoadedDrivers(x)-Ej

:005D151F                 inc     [ebp+loopcounter]

:005D1522                 cmp     [ebp+loopcounter], 2

:005D1526                 jbe     short NextImage

:005D1528                 push    dword ptr [ebx+18h] ; ImageBase

:005D152B                 call    _RtlImageNtHeader@4 ; RtlImageNtHeader(x)

:005D1530                 test    eax, eax

:005D1532                 mov     [ebp+NtHeaders], eax

:005D1535                 jz      short NextImage

:005D1537                 test    byte ptr [eax+IMAGE_NT_HEADERS32.FileHeader.Characteristics], 1

:005D153B                 jnz     short NextImage

:005D153D                 cmp     [eax+IMAGE_NT_HEADERS32.OptionalHeader.NumberOfRvaAndSizes], 5

:005D1541                 jbe     short NextImage

:005D1543                 add     eax, 0A0h       ; [PE + A0] = BaseRelocationTable

:005D1543                                         ;

:005D1543                                         ; typedef struct _IMAGE_BASE_RELOCATION {

:005D1543                                         ;     DWORD   VirtualAddress;

:005D1543                                         ;     DWORD   SizeOfBlock;

:005D1543                                         ; } IMAGE_BASE_RELOCATION;

:005D1548                 mov     ecx, [eax]

:005D154A                 test    ecx, ecx

:005D154C                 jz      loc_5E463F

:005D1552                 mov     eax, [eax+IMAGE_BASE_RELOCATION.SizeOfBlock]

:005D1555                 add     eax, ecx        ; Virtual Address + SizeOfBlock

:005D1557                 cmp     eax, [ebx+20h]

:005D155A                 ja      short NextImage

:005D155C                 mov     [ebp+var_28], 1

:005D1563

:005D1563 loc_5D1563:                             ; CODE XREF: MiReloadBootLoadedDrivers(x)+1313Fj

:005D1563                 mov     edi, [ebx+18h]

:005D1566                 mov     esi, [ebx+20h]

:005D1569                 mov     [ebp+var_2C], edi

:005D156C                 shr     edi, 0Ah

:005D156F                 and     edi, 3FFFFCh

:005D1575                 add     esi, 0FFFh

:005D157B                 sub     edi, 40000000h

:005D1581                 shr     esi, 0Ch

:005D1584                 mov     [ebp+var_8], edi

:005D1587                 mov     [ebp+var_34], esi

:005D158A                 call    ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()

:005D1590                 mov     [ebp+var_1], al

:005D1593                 lea     ecx, [edi+esi*4]

:005D1596

:005D1596 loc_5D1596:                             ; CODE XREF: MiReloadBootLoadedDrivers(x)+AFj

:005D1596                 cmp     edi, ecx

:005D1598                 jnb     short loc_5D15B4

:005D159A                 mov     edx, [edi]

:005D159C                 shr     edx, 0Ch

:005D159F                 lea     eax, [edx+edx*2]

:005D15A2                 mov     edx, _MmPfnDatabase

:005D15A8                 lea     edx, [edx+eax*8]

:005D15AB                 or      dword ptr [edx+0Ch], 1

:005D15AF                 add     edi, 4

:005D15B2                 jmp     short loc_5D1596

:005D15B4 ; ---------------------------------------------------------------------------

:005D15B4

:005D15B4 loc_5D15B4:                             ; CODE XREF: MiReloadBootLoadedDrivers(x)+95j

:005D15B4                 mov     cl, [ebp+var_1]

:005D15B7                 call    ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)

:005D15BD                 push    0

:005D15BF                 push    esi

:005D15C0                 call    _MiReserveSystemPtes@8 ; MiReserveSystemPtes(x,x)

:005D15C5                 mov     edi, eax

:005D15C7                 test    edi, edi

:005D15C9                 mov     [ebp+var_24], edi

:005D15CC                 jz      NextImage

:005D15D2                 mov     edx, [ebx+18h]

:005D15D5                 lea     ecx, [edi+esi*4]

:005D15D8                 shl     eax, 0Ah

:005D15DB                 cmp     edi, ecx

:005D15DD                 mov     [ebp+var_10], ecx

:005D15E0                 mov     [ebp+ImageBase], eax

:005D15E3                 mov     [ebp+var_14], eax

:005D15E6                 mov     [ebp+var_C], edx

:005D15E9                 jnb     loc_5D16AD

:005D15EF

:005D15EF loc_5D15EF:                             ; CODE XREF: MiReloadBootLoadedDrivers(x)+1A1j

:005D15EF                 cmp     _MmMakeLowMemory, 1

:005D15F6                 mov     eax, [ebp+var_8]

:005D15F9                 mov     eax, [eax]

:005D15FB                 mov     [ebp+var_38], eax

:005D15FE                 jnz     loc_5E4653

:005D1604                 call    ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()

:005D160A                 xor     edx, edx

:005D160C                 xor     ecx, ecx

:005D160E                 mov     [ebp+var_1], al

:005D1611                 call    @MiEnsureAvailablePageOrWait@8 ; MiEnsureAvailablePageOrWait(x,x)

:005D1616                 mov     ecx, _MmSecondaryColorMask

:005D161C                 and     ecx, _MmSystemPageColor

:005D1622                 inc     _MmSystemPageColor

:005D1628                 call    @MiRemoveAnyPage@4 ; MiRemoveAnyPage(x)

:005D162D                 mov     esi, eax

:005D162F                 cmp     esi, 1000h

:005D1635                 jb      loc_5E4647

:005D163B

:005D163B loc_5D163B:                             ; CODE XREF: MiReloadBootLoadedDrivers(x)+1314Bj

:005D163B                 mov     ecx, edi

:005D163D                 call    @MiDetermineUserGlobalPteMask@4 ; MiDetermineUserGlobalPteMask(x)

:005D1642                 mov     ecx, esi

:005D1644                 shl     ecx, 0Ch

:005D1647                 or      eax, ecx

:005D1649                 or      eax, dword_479F00

:005D164F                 push    1

:005D1651                 push    edi

:005D1652                 or      eax, 60h

:005D1655                 push    esi

:005D1656                 mov     [edi], eax

:005D1658                 call    _MiializePfn@12 ; MiializePfn(x,x,x)

:005D165D                 mov     ecx, _MmPfnDatabase

:005D1663                 lea     eax, [esi+esi*2]

:005D1666                 lea     eax, [ecx+eax*8]

:005D1669                 mov     cl, [ebp+var_1]

:005D166C                 or      dword ptr [eax+0Ch], 1

:005D1670                 and     dword ptr [eax], 0

:005D1673                 call    ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)

:005D1679                 mov     esi, [ebp+var_C]

:005D167C                 mov     edi, [ebp+var_14]

:005D167F                 mov     eax, 1000h

:005D1684                 add     [ebp+var_14], eax

:005D1687                 add     [ebp+var_C], eax

:005D168A                 mov     ecx, 400h

:005D168F                 rep movsd

:005D1691                 mov     edi, [ebp+var_24]

:005D1694                 mov     esi, [ebp+var_34]

:005D1697

:005D1697 loc_5D1697:                             ; CODE XREF: MiReloadBootLoadedDrivers(x)+1316Ej

:005D1697                 add     [ebp+var_8], 4

:005D169B                 add     edi, 4

:005D169E                 cmp     edi, [ebp+var_10]

:005D16A1                 mov     [ebp+var_24], edi

:005D16A4                 jb      loc_5D15EF

:005D16AA                 mov     eax, [ebp+ImageBase]

:005D16AD

:005D16AD loc_5D16AD:                             ; CODE XREF: MiReloadBootLoadedDrivers(x)+E6j

:005D16AD                 mov     edx, [ebp+NtHeaders]

:005D16B0                 mov     ecx, esi

:005D16B2                 shl     ecx, 2

:005D16B5                 sub     edi, ecx

:005D16B7                 mov     ecx, [ebp+var_2C]

:005D16BA                 mov     [edx+IMAGE_NT_HEADERS32.OptionalHeader.ImageBase], ecx

:005D16BD                 cmp     _MmMakeLowMemory, 1

:005D16C4                 jnz     short loc_5D16D3

:005D16C6                 mov     eax, [ebp+var_14]

:005D16C9                 sub     eax, [ebp+var_C]

:005D16CC                 mov     [eax+edx+34h], ecx

:005D16D0                 mov     eax, [ebp+ImageBase]

:005D16D3

:005D16D3 loc_5D16D3:                             ; CODE XREF: MiReloadBootLoadedDrivers(x)+1C1j

:005D16D3                 cmp     [ebp+var_28], 1

:005D16D7                 jnz     short loc_5D16FE

:005D16D9                 push    0C000007Bh      ; int

:005D16DE                 push    0C0000018h      ; int

:005D16E3                 push    0               ; int

:005D16E5                 push    offset aSysldr_0 ; "SYSLDR"

:005D16EA                 push    eax             ; ImageBase

:005D16EB                 call    _LdrRelocateImage@20 ;

:005D16EB                                         ; Also called by MmLoadSystemImage()

:005D16F0                 test    eax, eax

:005D16F2                 jl      loc_5E4676

:005D16F8                 mov     ecx, [ebp+var_2C]

:005D16FB                 mov     eax, [ebp+ImageBase]

:005D16FE

:005D16FE loc_5D16FE:                             ; CODE XREF: MiReloadBootLoadedDrivers(x)+1D4j

:005D16FE                 push    dword ptr [ebx+20h] ; Size

:005D1701                 mov     edx, [ebx+18h]

:005D1704                 push    eax             ; int

:005D1705                 push    ecx             ; int

:005D1706                 push    [ebp+_pInteresting_struct]; int

:005D1709                 mov     [ebp+var_C], edx

:005D170C                 mov     [ebx+18h], eax

:005D170F                 call    _MiUpdateThunks@16 ; MiUpdateThunks(x,x,x,x)

:005D1714                 mov     eax, [ebp+ImageBase]

:005D1717                 or      byte ptr [ebx+37h], 1

:005D171B                 mov     ecx, [ebp+NtHeaders]

:005D171E                 mov     [ebx+18h], eax

:005D1721                 mov     ecx, [ecx+IMAGE_NT_HEADERS32.OptionalHeader.AddressOfEntryPoint]

:005D1724                 add     ecx, eax

:005D1726                 shl     esi, 0Ch

:005D1729                 push    ebx

:005D172A                 mov     [ebx+1Ch], ecx

:005D172D                 mov     [ebx+20h], esi

:005D1730                 call    _MiCaptureImageExceptionValues@4 ; MiCaptureImageExceptionValues(x)

:005D1735                 mov     eax, [ebp+var_C]

:005D1738                 shr     eax, 0Ah

:005D173B                 and     eax, 3FFFFCh

:005D1740                 sub     eax, 40000000h

:005D1745                 mov     [ebp+var_8], eax

:005D1748                 call    ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()

:005D174E                 mov     [ebp+var_1], al

:005D1751                 jmp     short loc_5D1760

:005D1751 ; ---------------------------------------------------------------------------

:005D1753                 align 4

:005D1754 aSysldr_0       db 'SYSLDR',0           ; DATA XREF: MiReloadBootLoadedDrivers(x)+1E2o

:005D175B                 align 10h

:005D1760

:005D1760 loc_5D1760:                             ; CODE XREF: MiReloadBootLoadedDrivers(x)+24Ej

:005D1760                                         ; MiReloadBootLoadedDrivers(x)+2ADj

:005D1760                 cmp     edi, [ebp+var_10]

:005D1763                 jnb     loc_5D14DD

:005D1769                 cmp     _MmMakeLowMemory, 1

:005D1770                 mov     ecx, _MmPfnDatabase

:005D1776                 jnz     loc_5E46D2

:005D177C                 mov     eax, [ebp+var_8]

:005D177F                 mov     esi, [eax]

:005D1781                 shr     esi, 0Ch

:005D1784                 lea     eax, [esi+esi*2]

:005D1787                 lea     eax, [ecx+eax*8]

:005D178A                 mov     ecx, [eax+14h]

:005D178D                 and     ecx, 3FFFFFFh

:005D1793                 mov     [ebp+ImageBase], eax

:005D1796                 call    @MiDecrementShareCount@4 ; MiDecrementShareCount(x)

:005D179B                 mov     eax, [ebp+ImageBase]

:005D179E                 or      dword ptr [eax+4], 1

:005D17A2                 mov     ecx, esi

:005D17A4                 call    @MiDecrementShareCount@4 ; MiDecrementShareCount(x)

:005D17A9                 add     [ebp+var_8], 4

:005D17AD

:005D17AD loc_5D17AD:                             ; CODE XREF: MiReloadBootLoadedDrivers(x)+13226j

:005D17AD                 add     edi, 4

:005D17B0                 jmp     short loc_5D1760

:005D17B0 _MiReloadBootLoadedDrivers@4 endp

:005D17B0





:005D14F0 NextImage:           ; CODE XREF: MiReloadBootLoadedDrivers(x)+23j



:005D14F0                 mov     ebx, [ebx]

:005D14F2                 cmp     ebx, [ebp+_pInteresting_struct]

:005D14F5                 jnz     short loopNextImage

:005D14F7                 pop     edi

:005D14F8                 pop     esi

:005D14F9

:005D14F9 _ret:                ; CODE XREF: MiReloadBootLoadedDrivers(x)+18j

:005D14F9                 pop     ebx

:005D14FA                 leave

:005D14FB                 retn    4

:005D14FB ; END OF FUNCTION CHUNK FOR _MiReloadBootLoadedDrivers@4
blabberer
November 15th, 2008, 18:57
nt!MiReloadBootLoadedDrivers take one parameter

Code:


kd> .fnent nt!MiReloadBootLoadedDrivers

Debugger function entry 05ed9018 for:

(806a8503)   nt!MiReloadBootLoadedDrivers   |  (806a87b7)   nt!MxConvertToLargePage

Exact matches:

    nt!MiReloadBootLoadedDrivers = <no type information>



OffStart:  001d1503

ProcSize:  0x3b4

Prologue:  0x14

Params:    0n1 (0x4 bytes)

Locals:    0n14 (0x38 bytes)

Non-FPO


it is a pointer to LOADER_PARAMETER_BLOCK


Code:


Breakpoint 0 hit

eax=8131dd88 ebx=00000000 ecx=00000003 edx=8131c7fe esi=00000001 edi=8055aaa8

eip=806a8503 esp=80550674 ebp=805506d8 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246

nt!MiReloadBootLoadedDrivers:

806a8503 8bff            mov     edi,edi

kd> dt -b LOADER_PARAMETER_BLOCK poi(esp+4)

testdll!LOADER_PARAMETER_BLOCK

   +0x000 LoadOrderListHead : _LIST_ENTRY [ 0x8008a950 - 0x803f24a0 ]

      +0x000 Flink            : 0x8008a950 

      +0x004 Blink            : 0x803f24a0 

   +0x008 MemoryDescriptorListHead : _LIST_ENTRY [ 0x80087138 - 0x80087270 ]

      +0x000 Flink            : 0x80087138 

      +0x004 Blink            : 0x80087270 

   +0x010 BootDriverListHead : _LIST_ENTRY [ 0x80095128 - 0x80095bb8 ]

      +0x000 Flink            : 0x80095128 

      +0x004 Blink            : 0x80095bb8 

   +0x018 KernelStack      : 0x80550b80

   +0x01c Prcb             : 0

   +0x020 Process          : 0

   +0x024 Thread           : 0x80559320

   +0x028 RegistryLength   : 0x480000

   +0x02c RegistryBase     : 0x80a02000 

   +0x030 ConfigurationRoot : 0x80088580 

   +0x034 ArcBootDeviceName : 0x803f2510  "multi(0)disk(0)rdisk(0)partition(1)"

   +0x038 ArcHalDeviceName : 0x803f2548  "multi(0)disk(0)rdisk(0)partition(1)"

   +0x03c NtBootPathName   : 0x803f2538  "\WINDOWS\"

   +0x040 NtHalPathName    : 0x803f2570  "\"

   +0x044 LoadOptions      : 0x80089300  "FASTDETECT  NOEXECUTE=OPTIN  DEBUG  DEBUGPORT=COM1  BREAK  LASTBOOTSTATUS=2"

   +0x048 NlsData          : 0x8008dc58 

   +0x04c ArcDiskInformation : 0x80089398 

   +0x050 OemFontFile      : 0x803f01d0 

   +0x054 SetupLdrBlock    : (null) 

   +0x058 Extension        : 0x80087068 

   +0x05c u                : __unnamed

      +0x000 I386             : _I386_LOADER_BLOCK

         +0x000 CommonDataArea   : (null) 

         +0x004 MachineType      : 0

         +0x008 VirtualBias      : 0

      +0x000 Alpha            : _ALPHA_LOADER_BLOCK

         +0x000 PlaceHolder      : 0

      +0x000 Ia64             : _IA64_LOADER_BLOCK

         +0x000 PlaceHolder      : 0

      +0x000 PowerPC          : _PPC_LOADER_BLOCK

         +0x000 BootInfo         : (null)
Kayaker
November 15th, 2008, 20:54
Ah sweet Match that up with the ReactOS definition of MiReloadBootLoadedDrivers and the disasm starts to make sense.

http://www.koders.com/c/fid9C821527F895855A80DA07EFE73CC806FD33A5D5.aspx

http://www.nirsoft.net/kernel_struct/vista/LOADER_PARAMETER_BLOCK.html