Driver PE Header ImageBase modified by OS Loader


Kayaker
November 13th, 2008, 19:51
I've been noticing a peculiar behaviour in that the value of the PE->OptionalHeader.ImageBase in some loaded system drivers has been modified from the default 0x10000 value as found in the raw file.

Now we know that all driver files generally have the same PE image base (0x10000) and are relocated into memory to whatever address the OS chooses.

That PE file image base value can probably be changed when compiling it with the /BASE directive, i.e. /BASE:0X20000, but it doesn't really matter since it's going to be dynamically relocated to high memory anyway.

The loaded Image Base value can be obtained from the DriverObject structure DRIVER_OBJECT->DriverStart, but we don't really care about that either.

What is peculiar though is if you parse through the PE header in memory of some loaded drivers, the ImageBase value will have changed to some non-intuitive address.


You can see this with WinDbg/LiveKd or using the simple code:

Code:
#include <ntddk.h>
#include <ntimage.h>   // IMAGE_NT_HEADERS / PIMAGE_NT_HEADERS

// Prototype for RtlImageNtHeader (exported by ntoskrnl): returns the
// address of the "PE" signature (IMAGE_NT_HEADERS) inside a mapped
// image, or NULL if the DOS/PE headers don't validate.
EXTERN_C
NTKERNELAPI
PIMAGE_NT_HEADERS
RtlImageNtHeader (
    IN PVOID Base
    );

PDRIVER_OBJECT    TargetpDriverObject;   // driver being examined (set elsewhere)
PIMAGE_NT_HEADERS NtHeaders;             // "PE"
ULONG             PE_ImageBase = 0;      // OptionalHeader.ImageBase as seen in memory

///////////////////////////////////////////////////
// Get value of ImageBase from PE header in memory
///////////////////////////////////////////////////

// Base Address in DRIVER_OBJECT may be missing
// in some drivers, so don't pass a null pointer!
if(TargetpDriverObject->DriverStart)
{
    // Get offset of "PE" in PE header
    NtHeaders = (PIMAGE_NT_HEADERS)RtlImageNtHeader(
                    (PVOID)TargetpDriverObject->DriverStart);

    // RtlImageNtHeader returns NULL on a malformed header
    if(NtHeaders)
    {
        PE_ImageBase = NtHeaders->OptionalHeader.ImageBase;
    }
}



Let's check this in LiveKD for a driver which doesn't have a modified PE ImageBase in memory - Beep.sys. Other examples are cdrom.sys, flpydisk.sys, i8042prt.sys, etc.

Code:
Beep.sys
Loaded ImageBase = F8C2B000
ImageBase in loaded PE header = 0x10000

(List Loaded Modules, m = pattern parameter)

0: kd> lm mBeep
start end module name
f8c2b000 f8c2c080 Beep

(!Display Headers)

0: kd> !dh f8c2b000

File Type: EXECUTABLE IMAGE

OPTIONAL HEADER VALUES

----- new -----
00010000 image base



And now for a driver in which the PE ImageBase has been modified. There are several system drivers to choose from - acpi, agp440, atapi, IntelIde, KSecDD, PCI, VolSnap, Livekd, ...

Code:
acpi.sys
Loaded ImageBase = F86A8000
ImageBase in loaded PE header = 0x80124000

0: kd> lm mACPI
start end module name
f86a8000 f86d5d80 ACPI

0: kd> !dh f86a8000

File Type: EXECUTABLE IMAGE

OPTIONAL HEADER VALUES

----- new -----
80124000 image base


Code:
ksecdd.sys
Loaded ImageBase = F8569000
ImageBase in loaded PE header = 0x802AC000

0: kd> lm mksecdd
start end module name
f8569000 f857f780 KSecDD

0: kd> !dh f8569000

File Type: DLL

OPTIONAL HEADER VALUES

----- new -----
802ac000 image base


Code:
agp440.sys
Loaded ImageBase = F8757000
ImageBase in loaded PE header = 0x803DA000

0: kd> lm magp440
start end module name
f8757000 f8761580 agp440

0: kd> !dh f8757000

File Type: EXECUTABLE IMAGE

OPTIONAL HEADER VALUES

----- new -----
803da000 image base



There doesn't seem to be any rhyme or reason to the modified PE image base address. The addresses don't point to anything in particular, just random bits of memory from what I can see.

In some cases the imagebase will be missing entirely from the Driver Object structure and LiveKd may (win32k.sys), or may not (PnPManager.sys) get any information from the LM and !DH commands.


There's probably nothing more mysterious than the operation of the PE loader. Is there some common factor in these drivers that causes the loader (presumably) to modify the PE header ImageBase value, while in other cases not? A compiler option? Something related to the driver's purpose or operation?


I certainly don't have an explanation for it, so I guess that ends my post.

Kayaker

evaluator
November 14th, 2008, 06:38
only imagined as anti-malware action!?

naides
November 14th, 2008, 07:49
Kayaker: The new "artificial" imagebase that you described does not seem so random. All your examples gravitate towards numbers starting with 80XXXXXX, i.e. the lower high memory. Perhaps this behavior is an evolutionary residue of the way the loading of drivers was developed. Initially they were directed to default locations in the lower part of high memory, and the loader explicitly wrote this imagebase by default, perhaps for non-relocatable drivers???. Later on, with the explosion of drivers, a more dynamic and fully relocating algorithm was implemented, but the code that modified the PE header was harmless albeit superfluous and was left in there. Never misunderestimate the laziness of OS programmers of a certain company.
Have you checked how this phenomenon operates in Windows 2000? NT? Perhaps Win98. Just a wild idea.

blabberer
November 14th, 2008, 14:05
Not sure if I understood your post, but for me the physical data and !dh values seem to be the same

Code:

lkd> .foreach (place { lm o 1m }) {.echo place; .catch { dt hellobaby!_image_nt_headers optionalheader.imagebase ( place + poi( place + 0x3c ) ); r $t0 = place; .shell -ci "!dh -f @$t0" findstr /c:"image base" } } .continue ;
windbg
+0x018 OptionalHeader :
+0x01c ImageBase : 0x1000000
01000000 image base

kdexts
+0x018 OptionalHeader :
+0x01c ImageBase : 0x400000
00400000 image base

ext
+0x018 OptionalHeader :
+0x01c ImageBase : 0x1400000
01400000 image base

kext
+0x018 OptionalHeader :
+0x01c ImageBase : 0x1600000
01600000 image base

exts
+0x018 OptionalHeader :
+0x01c ImageBase : 0x1900000
01900000 image base

symsrv
+0x018 OptionalHeader :
+0x01c ImageBase : 0x1d00000
01d00000 image base

dbgeng
+0x018 OptionalHeader :
+0x01c ImageBase : 0x2000000
02000000 image base

dbghelp
+0x018 OptionalHeader :
+0x01c ImageBase : 0x3000000
03000000 image base

hellobaby
+0x018 OptionalHeader :
+0x01c ImageBase : 0x6eec14c

wship6
+0x018 OptionalHeader :
+0x01c ImageBase : 0x58d40000
58d40000 image base

uxtheme
+0x018 OptionalHeader :
+0x01c ImageBase : 0x5ad70000
5ad70000 image base

NETAPI32
+0x018 OptionalHeader :
+0x01c ImageBase : 0x5b860000
5b860000 image base

mslbui
+0x018 OptionalHeader :
+0x01c ImageBase : 0x605d0000
605d0000 image base

hnetcfg
+0x018 OptionalHeader :
+0x01c ImageBase : 0x662b0000
662b0000 image base

mswsock
+0x018 OptionalHeader :
+0x01c ImageBase : 0x71a50000
71a50000 image base

wshtcpip
+0x018 OptionalHeader :
+0x01c ImageBase : 0x71a90000
71a90000 image base

WS2HELP
+0x018 OptionalHeader :
+0x01c ImageBase : 0x71aa0000
71aa0000 image base

WS2_32
+0x018 OptionalHeader :
+0x01c ImageBase : 0x71ab0000
71ab0000 image base

wsock32
+0x018 OptionalHeader :
+0x01c ImageBase : 0x71ad0000
71ad0000 image base

MPR
+0x018 OptionalHeader :
+0x01c ImageBase : 0x71b20000
71b20000 image base

sensapi
+0x018 OptionalHeader :
+0x01c ImageBase : 0x722b0000
722b0000 image base

MSCTF
+0x018 OptionalHeader :
+0x01c ImageBase : 0x74720000
74720000 image base

RICHED20
+0x018 OptionalHeader :
+0x01c ImageBase : 0x74e30000
74e30000 image base

SXS
+0x018 OptionalHeader :
+0x01c ImageBase : 0x75e90000
75e90000 image base

USERENV
+0x018 OptionalHeader :
+0x01c ImageBase : 0x769c0000
769c0000 image base

WINMM
+0x018 OptionalHeader :
+0x01c ImageBase : 0x76b40000
76b40000 image base

iphlpapi
+0x018 OptionalHeader :
+0x01c ImageBase : 0x76d60000
76d60000 image base

rtutils
+0x018 OptionalHeader :
+0x01c ImageBase : 0x76e80000
76e80000 image base

rasman
+0x018 OptionalHeader :
+0x01c ImageBase : 0x76e90000
76e90000 image base

TAPI32
+0x018 OptionalHeader :
+0x01c ImageBase : 0x76eb0000
76eb0000 image base

RASAPI32
+0x018 OptionalHeader :
+0x01c ImageBase : 0x76ee0000
76ee0000 image base

DNSAPI
+0x018 OptionalHeader :
+0x01c ImageBase : 0x76f20000
76f20000 image base

WLDAP32
+0x018 OptionalHeader :
+0x01c ImageBase : 0x76f60000
76f60000 image base

winrnr
+0x018 OptionalHeader :
+0x01c ImageBase : 0x76fb0000
76fb0000 image base

rasadhlp
+0x018 OptionalHeader :
+0x01c ImageBase : 0x76fc0000
76fc0000 image base

OLEAUT32
+0x018 OptionalHeader :
+0x01c ImageBase : 0x77120000
77120000 image base

WININET
+0x018 OptionalHeader :
+0x01c ImageBase : 0x771b0000
771b0000 image base

urlmon
+0x018 OptionalHeader :
+0x01c ImageBase : 0x77260000
77260000 image base

COMCTL32
+0x018 OptionalHeader :
+0x01c ImageBase : 0x773d0000
773d0000 image base

ole32
+0x018 OptionalHeader :
+0x01c ImageBase : 0x774e0000
774e0000 image base

CRYPT32
+0x018 OptionalHeader :
+0x01c ImageBase : 0x77a80000
77a80000 image base

MSASN1
+0x018 OptionalHeader :
+0x01c ImageBase : 0x77b20000
77b20000 image base

VERSION
+0x018 OptionalHeader :
+0x01c ImageBase : 0x77c00000
77c00000 image base

msvcrt
+0x018 OptionalHeader :
+0x01c ImageBase : 0x77c10000
77c10000 image base

msv1_0
+0x018 OptionalHeader :
+0x01c ImageBase : 0x77c70000
77c70000 image base

USER32
+0x018 OptionalHeader :
+0x01c ImageBase : 0x77d40000
77d40000 image base

ADVAPI32
+0x018 OptionalHeader :
+0x01c ImageBase : 0x77dd0000
77dd0000 image base

RPCRT4
+0x018 OptionalHeader :
+0x01c ImageBase : 0x77e70000
77e70000 image base

GDI32
+0x018 OptionalHeader :
+0x01c ImageBase : 0x77f10000
77f10000 image base

SHLWAPI
+0x018 OptionalHeader :
+0x01c ImageBase : 0x77f60000
77f60000 image base

Secur32
+0x018 OptionalHeader :
+0x01c ImageBase : 0x77fe0000
77fe0000 image base

kernel32
+0x018 OptionalHeader :
+0x01c ImageBase : 0x7c800000
7c800000 image base

ntdll
+0x018 OptionalHeader :
+0x01c ImageBase : 0x7c900000
7c900000 image base

SHELL32
+0x018 OptionalHeader :
+0x01c ImageBase : 0x7c9c0000
7c9c0000 image base

nt
+0x018 OptionalHeader :
+0x01c ImageBase : 0x400000
00400000 image base

hal
+0x018 OptionalHeader :
+0x01c ImageBase : 0x80010000
80010000 image base

NavEx15
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

mouhid
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

hidusb
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

NAVENG
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

SYMEVENT
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

HTTP
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

sit_mdm
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

sit_prt
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

SAVRTPEL
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

srv
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

SENTINEL
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

mrxdav
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

asyncmac
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

CDAC15BA
Memory access error at ') '
wdmaud
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

mdmxsdk
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

sysaudio
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

ndisuio
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

dump_atapi
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

usbvideo
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

mrxsmb
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

rdbss
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

ipnat
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

vmm
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

afd
Memory access error at ') '
tcpip6
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

netbt
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

tcpip
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

ipsec
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

HSF_CNXT
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

HSF_DPV
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

HSFHWAZL
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

portcls
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

CHDAud
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

dxg
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

igxprd32
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

igxpgd32
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

igxpdv32
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

igxpdx32
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

win32k
+0x018 OptionalHeader :
+0x01c ImageBase : 0xbf800000
bf800000 image base

rasacd
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

Dxapi
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

update
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

rdpdr
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

psched
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

ndiswan
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

btkrnl
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

ks
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

SynTP
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

USBPORT
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

ar5211
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

HDAudBus
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

VIDEOPRT
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

igxpmp32
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000000
10000000 image base

kbdhid
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

Mup
+0x018 OptionalHeader :
+0x01c ImageBase : 0x803b7000
803b7000 image base

NDIS
+0x018 OptionalHeader :
+0x01c ImageBase : 0x8038a000
8038a000 image base

Ntfs
+0x018 OptionalHeader :
+0x01c ImageBase : 0x802fd000
802fd000 image base

KSecDD
+0x018 OptionalHeader :
+0x01c ImageBase : 0x802e6000
802e6000 image base

sr
+0x018 OptionalHeader :
+0x01c ImageBase : 0x802d4000
802d4000 image base

fltmgr
+0x018 OptionalHeader :
+0x01c ImageBase : 0x802b5000
802b5000 image base

SysLang
+0x018 OptionalHeader :
+0x01c ImageBase : 0x801ca000
801ca000 image base

atapi
+0x018 OptionalHeader :
+0x01c ImageBase : 0x801a8000
801a8000 image base

dmio
+0x018 OptionalHeader :
+0x01c ImageBase : 0x80170000
80170000 image base

ftdisk
+0x018 OptionalHeader :
+0x01c ImageBase : 0x80151000
80151000 image base

pci
+0x018 OptionalHeader :
+0x01c ImageBase : 0x8012e000
8012e000 image base

ACPI
+0x018 OptionalHeader :
+0x01c ImageBase : 0x80100000
80100000 image base

isapnp
+0x018 OptionalHeader :
+0x01c ImageBase : 0x80006000
80006000 image base

MountMgr
+0x018 OptionalHeader :
+0x01c ImageBase : 0x80146000
80146000 image base

VolSnap
+0x018 OptionalHeader :
+0x01c ImageBase : 0x8019b000
8019b000 image base

disk
+0x018 OptionalHeader :
+0x01c ImageBase : 0x8029f000
8029f000 image base

CLASSPNP
+0x018 OptionalHeader :
+0x01c ImageBase : 0x802a8000
802a8000 image base

VMNetSrv
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

rasl2tp
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

raspppoe
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

raspptp
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

msgpc
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

Cdfs
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

termdd
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

NDProxy
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

usbhub
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

drmk
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

netbios
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

wanarp
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

Fips
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

intelppm
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

HIDCLASS
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

i8042prt
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

imapi
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

cdrom
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

redbook
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

PCIIDEX
+0x018 OptionalHeader :
+0x01c ImageBase : 0x8013f000
8013f000 image base

PartMgr
+0x018 OptionalHeader :
+0x01c ImageBase : 0x80196000
80196000 image base

SysBoot
+0x018 OptionalHeader :
+0x01c ImageBase : 0x801c4000
801c4000 image base

USBSTOR
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

usbccgp
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

watchdog
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

HIDPARSE
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

usbuhci
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

usbehci
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

RTL8139
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

kbdclass
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

mouclass
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

TDI
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

ptilink
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

raspti
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

Modem
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

sit_bus
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

vga
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

Msfs
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

Npfs
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

ip6fw
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

BOOTVID
+0x018 OptionalHeader :
+0x01c ImageBase : 0x80010000
80010000 image base

compbatt
+0x018 OptionalHeader :
+0x01c ImageBase : 0x80013000
80013000 image base

BATTC
+0x018 OptionalHeader :
+0x01c ImageBase : 0x80016000
80016000 image base

ACPIEC
+0x018 OptionalHeader :
+0x01c ImageBase : 0x8001c000
8001c000 image base

SDbgMsg
+0x018 OptionalHeader :
+0x01c ImageBase : 0x801c0000
801c0000 image base

tunmp
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

CmBatt
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

cpqbttn
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

wmiacpi
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

ndistapi
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

mssmbios
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

kdcom
+0x018 OptionalHeader :
+0x01c ImageBase : 0x806ef000
806ef000 image base

WMILIB
+0x018 OptionalHeader :
+0x01c ImageBase : 0x80004000
80004000 image base

dmload
+0x018 OptionalHeader :
+0x01c ImageBase : 0x8001a000
8001a000 image base

USBD
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

loop
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

swenum
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

Fs_Rec
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

Beep
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

mnmdd
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

RDPCDD
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

dump_WMILIB
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

sit_flt
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

pciide
+0x018 OptionalHeader :
+0x01c ImageBase : 0x8000f000
8000f000 image base

OPRGHDLR
+0x018 OptionalHeader :
+0x01c ImageBase : 0x8001f000
8001f000 image base

audstub
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

dxgthk
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base

Null
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
00010000 image base



For dt image_nt_headers you need an executable's private pdb with type info included, which you use with .reload /s /i yourexe=base

blabberer
November 14th, 2008, 14:45
I see what you are talking about now.

Just loading acpi.sys in a hex editor I can see 0x10000,
whereas in WinDbg dd, dt and !dh all show some weird 80###### values.


Code:


lkd> dt testdll!image_nt_headers -b f74c10c8
   +0x000 Signature        : 0x4550
   +0x004 FileHeader       : _IMAGE_FILE_HEADER
      +0x000 Machine          : 0x14c
      +0x002 NumberOfSections : 8
      +0x004 TimeDateStamp    : 0x41107d27
      +0x008 PointerToSymbolTable : 0
      +0x00c NumberOfSymbols  : 0
      +0x010 SizeOfOptionalHeader : 0xe0
      +0x012 Characteristics  : 0x10e
   +0x018 OptionalHeader   : _IMAGE_OPTIONAL_HEADER
      +0x000 Magic            : 0x10b
      +0x002 MajorLinkerVersion : 0x7 ''
      +0x003 MinorLinkerVersion : 0xa ''
      +0x004 SizeOfCode       : 0x26180
      +0x008 SizeOfInitializedData : 0x7900
      +0x00c SizeOfUninitializedData : 0
      +0x010 AddressOfEntryPoint : 0x29059
      +0x014 BaseOfCode       : 0x300
      +0x018 BaseOfData       : 0x1b200
      +0x01c ImageBase        : 0x80100000
      +0x020 SectionAlignment : 0x80
      +0x024 FileAlignment    : 0x80
      +0x028 MajorOperatingSystemVersion : 5
      +0x02a MinorOperatingSystemVersion : 1
      +0x02c MajorImageVersion : 5
      +0x02e MinorImageVersion : 1
      +0x030 MajorSubsystemVersion : 5
      +0x032 MinorSubsystemVersion : 1
      +0x034 Win32VersionValue : 0
      +0x038 SizeOfImage      : 0x2dd80
      +0x03c SizeOfHeaders    : 0x300
      +0x040 CheckSum         : 0x33106
      +0x044 Subsystem        : 1
      +0x046 DllCharacteristics : 0x400
      +0x048 SizeOfStackReserve : 0x40000
      +0x04c SizeOfStackCommit : 0x1000
      +0x050 SizeOfHeapReserve : 0x100000
      +0x054 SizeOfHeapCommit : 0x1000
      +0x058 LoaderFlags      : 0
      +0x05c NumberOfRvaAndSizes : 0x10
      +0x060 DataDirectory    :
       [00] _IMAGE_DATA_DIRECTORY
         +0x000 VirtualAddress : 0
         +0x004 Size           : 0
       [01]
         +0x000 VirtualAddress : 0x290a0
         +0x004 Size           : 0x50
       [02]
         +0x000 VirtualAddress : 0x29f00
         +0x004 Size           : 0x18f8
       [03]
         +0x000 VirtualAddress : 0
         +0x004 Size           : 0
       [04]
         +0x000 VirtualAddress : 0
         +0x004 Size           : 0
       [05]
         +0x000 VirtualAddress : 0x2b800
         +0x004 Size           : 0x2300
       [06]
         +0x000 VirtualAddress : 0x1b430
         +0x004 Size           : 0x1c
       [07]
         +0x000 VirtualAddress : 0
         +0x004 Size           : 0
       [08]
         +0x000 VirtualAddress : 0
         +0x004 Size           : 0
       [09]
         +0x000 VirtualAddress : 0
         +0x004 Size           : 0
       [10]
         +0x000 VirtualAddress : 0
         +0x004 Size           : 0
       [11]
         +0x000 VirtualAddress : 0
         +0x004 Size           : 0
       [12]
         +0x000 VirtualAddress : 0x1b200
         +0x004 Size           : 0x228
       [13]
         +0x000 VirtualAddress : 0
         +0x004 Size           : 0
       [14]
         +0x000 VirtualAddress : 0
         +0x004 Size           : 0
       [15]
         +0x000 VirtualAddress : 0
         +0x004 Size           : 0

(from ollydbg view file of acpi.sys)
000000C8 ; PE signature (PE)
000000CC ; Machine = IMAGE_FILE_MACHINE_I386
000000CE ; NumberOfSections = 8
000000D0 ; TimeDateStamp = 41107D27
000000D4 ; PointerToSymbolTable = 0
000000D8 ; NumberOfSymbols = 0
000000DC ; SizeOfOptionalHeader = E0 (224.)
000000DE ; Characteristics = EXECUTABLE_IMAGE|32BIT_MACHINE|LINE_NUMS_STRIPPED|LOCAL_SYMS_STRIPPED
000000E0 ; MagicNumber = PE32
000000E2 ; MajorLinkerVersion = 7
000000E3 ; MinorLinkerVersion = A (10.)
000000E4 ; SizeOfCode = 26180 (156032.)
000000E8 ; SizeOfInitializedData = 7900 (30976.)
000000EC ; SizeOfUninitializedData = 0
000000F0 ; AddressOfEntryPoint = 29059
000000F4 ; BaseOfCode = 300
000000F8 ; BaseOfData = 1B200
000000FC ; ImageBase = 10000
00000100 ; SectionAlignment = 80
00000104 ; FileAlignment = 80
00000108 ; MajorOSVersion = 5
0000010A ; MinorOSVersion = 1
0000010C ; MajorImageVersion = 5
0000010E ; MinorImageVersion = 1
00000110 ; MajorSubsystemVersion = 5
00000112 ; MinorSubsystemVersion = 1
00000114 ; Reserved
00000118 ; SizeOfImage = 2DD80 (187776.)
0000011C ; SizeOfHeaders = 300 (768.)
00000120 ; CheckSum = 33106
00000124 ; Subsystem = IMAGE_SUBSYSTEM_NATIVE
00000126 ; DLLCharacteristics = 400
00000128 ; SizeOfStackReserve = 40000 (262144.)
0000012C ; SizeOfStackCommit = 1000 (4096.)
00000130 ; SizeOfHeapReserve = 100000 (1048576.)
00000134 ; SizeOfHeapCommit = 1000 (4096.)
00000138 ; LoaderFlags = 0
0000013C ; NumberOfRvaAndSizes = 10 (16.)
00000140 ; Export Table address = 0
00000144 ; Export Table size = 0
00000148 ; Import Table address = 290A0
0000014C ; Import Table size = 50 (80.)
00000150 ; Resource Table address = 29F00
00000154 ; Resource Table size = 18F8 (6392.)
00000158 ; Exception Table address = 0
0000015C ; Exception Table size = 0
00000160 ; Certificate File pointer = 0
00000164 ; Certificate Table size = 0
00000168 ; Relocation Table address = 2B800
0000016C ; Relocation Table size = 2300 (8960.)
00000170 ; Debug Data address = 1B430
00000174 ; Debug Data size = 1C (28.)
00000178 ; Architecture Data address = 0
0000017C ; Architecture Data size = 0
00000180 ; Global Ptr address = 0
00000184 ; Must be 0
00000188 ; TLS Table address = 0
0000018C ; TLS Table size = 0
00000190 ; Load Config Table address = 0
00000194 ; Load Config Table size = 0
00000198 ; Bound Import Table address = 0
0000019C ; Bound Import Table size = 0
000001A0 ; Import Address Table address = 1B200
000001A4 ; Import Address Table size = 228 (552.)
000001A8 ; Delay Import Descriptor address = 0
000001AC ; Delay Import Descriptor size = 0
000001B0 ; COM+ Runtime Header address = 0
000001B4 ; Import Address Table size = 0
000001B8 ; Reserved
000001BC ; Reserved

dELTA
November 14th, 2008, 15:29
If I know Kayaker right, we will soon have a post from him with the solution, after he has ripped the Windows loader to pieces with SoftICE to find out...

reverser
November 14th, 2008, 17:40
Could it be ASLR?

darawk
November 14th, 2008, 18:30
I *believe* this is caused by drivers being relocated in memory. I analyzed this a while back and never did figure out with complete certainty what was going on, but my inclination is that it has something to do with drivers being remapped or reloaded by the operating system, possibly as a result of certain types of errors or exceptions.

deroko
November 14th, 2008, 18:41
Isn't the address stored in the PE header the base address of ntoskrnl.exe? I came across this issue a long time ago, and certainly it was really weird. But also, as I remember, it used to be the ntoskrnl.exe base address stored there. My tests were on XP SP2; dunno if anything has changed on Vista.

Kayaker
November 14th, 2008, 21:55
Thanks for all the replies. I think I found the correlation. Every one of the drivers with a modified PE Header ImageBase is a boot loading driver and has a registry Start value of 0. (And every unmodified driver had a Start value of 1 or greater).

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACPI]
"Start"=dword:00000000

The Start types are detailed in
CurrentControlSet\Services Subkey Entries
http://support.microsoft.com/kb/103000

Code:
START TYPE    LOADER    MEANING

0x0 (Boot)    Kernel    Represents a part of the driver stack for the boot
                        (startup) volume and must therefore be loaded by the
                        Boot Loader.



So an explanation that seems to make sense is that the ImageBase IS the original loading address used by ntldr and this value was written into the PE header. The boot drivers are then relocated to their final locations after the OS loads.

The only driver that doesn't follow this is LiveKD. Its ImageBase is listed as 0x80000000, perhaps that's internal.

I know there are some who have reversed ntldr, I suppose this info would only be applicable to that. (Or maybe as a quick way of identifying boot loading drivers in memory).


In summary,

Quote:
Floccinaucinihilipilification
floc·ci·nau·ci·ni·hil·i·pil·i·fi·ca·tion [flok-suh-naw-suh-nahy-hil-uh-pil-uh-fi-key-shuhn]
the categorization of something as not important or trivial
the estimation of something as valueless
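The header walk from the first post and the boot-start check from the conclusion above, as an added example that is not code from the thread: a user-mode C re-implementation of what RtlImageNtHeader and !dh read, run over constructed PE images so it builds and runs without the WDK. The struct layouts are the PE32 subset of winnt.h; the 0x80000000 boundary used to flag an ntldr-assigned base is an assumption drawn from the addresses posted here, and the acpi.sys-like sample image is constructed.

```c
/* Added example, not code from the thread: a user-mode version of the check done
 * above with RtlImageNtHeader, applying the thread's finding to the value read:
 * 0x10000 is the link-time default; an 0x80xxxxxx ImageBase that is not the real
 * load base marks a boot-start (Start=0) driver whose header ntldr rewrote. Struct
 * layouts are the PE32 subset of winnt.h written out so this builds without the
 * WDK; the 0x80000000 threshold is an assumption taken from this thread's data. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_DOS_SIGNATURE           0x5A4D      /* "MZ" */
#define IMAGE_NT_SIGNATURE            0x00004550  /* "PE\0\0" */
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10B

#pragma pack(push, 1)
typedef struct {
    uint16_t e_magic;
    uint8_t  e_unused[58];       /* e_cblp .. e_res2, not needed here */
    uint32_t e_lfanew;           /* offset 0x3c: file offset of "PE" */
} IMAGE_DOS_HEADER;
typedef struct {
    uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
} IMAGE_FILE_HEADER;
typedef struct {                 /* leading PE32 optional-header fields only */
    uint16_t Magic;
    uint8_t  MajorLinkerVersion, MinorLinkerVersion;
    uint32_t SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData;
    uint32_t AddressOfEntryPoint, BaseOfCode, BaseOfData;
    uint32_t ImageBase;          /* +0x1c, the field this thread is about */
} IMAGE_OPTIONAL_HEADER32_HEAD;
typedef struct {
    uint32_t Signature;
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER32_HEAD OptionalHeader;
} IMAGE_NT_HEADERS32_HEAD;
#pragma pack(pop)

enum base_kind { BASE_NO_HEADER, BASE_LINK_DEFAULT, BASE_BOOT_LOADER, BASE_OTHER };

/* Same contract as RtlImageNtHeader: pointer to the "PE" header, or NULL. Every
 * offset is checked against the mapped size so a corrupt header cannot make
 * the caller read outside the image. */
const IMAGE_NT_HEADERS32_HEAD *image_nt_header(const void *base, size_t size)
{
    const uint8_t *p = (const uint8_t *)base;
    IMAGE_DOS_HEADER dos;
    IMAGE_NT_HEADERS32_HEAD nt;
    if (base == NULL || size < sizeof dos) return NULL;
    memcpy(&dos, p, sizeof dos);
    if (dos.e_magic != IMAGE_DOS_SIGNATURE) return NULL;
    if (dos.e_lfanew >= size || size - dos.e_lfanew < sizeof nt) return NULL;
    memcpy(&nt, p + dos.e_lfanew, sizeof nt);
    if (nt.Signature != IMAGE_NT_SIGNATURE) return NULL;
    if (nt.OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC) return NULL;
    return (const IMAGE_NT_HEADERS32_HEAD *)(p + dos.e_lfanew);
}

/* load_base is where the image really sits (DriverStart, or the lm "start"
 * column); *hdr_base receives what the in-memory header claims. */
enum base_kind classify_image_base(const void *image, size_t size,
                                   uint32_t load_base, uint32_t *hdr_base)
{
    const IMAGE_NT_HEADERS32_HEAD *nt = image_nt_header(image, size);
    if (nt == NULL) return BASE_NO_HEADER;
    *hdr_base = nt->OptionalHeader.ImageBase;
    if (*hdr_base == 0x10000u) return BASE_LINK_DEFAULT;   /* value in the raw .sys */
    if (*hdr_base >= 0x80000000u && *hdr_base != load_base) return BASE_BOOT_LOADER;
    return BASE_OTHER;
}

/* Constructed sample input: a headers-only PE32 image with e_lfanew = 0xC8 (the
 * offset acpi.sys uses) and the requested ImageBase. Returns the bytes used. */
size_t build_test_image(uint8_t *buf, size_t cap, uint32_t image_base)
{
    IMAGE_DOS_HEADER dos = {0};
    IMAGE_NT_HEADERS32_HEAD nt = {0};
    size_t need = 0xC8 + sizeof nt;
    if (cap < need) return 0;
    memset(buf, 0, need);
    dos.e_magic = IMAGE_DOS_SIGNATURE;
    dos.e_lfanew = 0xC8;
    nt.Signature = IMAGE_NT_SIGNATURE;
    nt.FileHeader.Machine = 0x14c;               /* IMAGE_FILE_MACHINE_I386 */
    nt.OptionalHeader.Magic = IMAGE_NT_OPTIONAL_HDR32_MAGIC;
    nt.OptionalHeader.ImageBase = image_base;
    memcpy(buf, &dos, sizeof dos);
    memcpy(buf + dos.e_lfanew, &nt, sizeof nt);
    return need;
}

int main(void)
{
    uint8_t img[512];
    uint32_t hdr = 0;
    size_t n = build_test_image(img, sizeof img, 0x80100000u);    /* acpi.sys-like */
    enum base_kind k = classify_image_base(img, n, 0xF86A8000u, &hdr);
    printf("header ImageBase %08x -> kind %d (2 = boot-loader address)\n", hdr, (int)k);
    return 0;
}
```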

darawk
November 14th, 2008, 22:16
Ah, cool. It's nice to have my suspicions confirmed with certainty. I spent a lot of time trying to figure out what the common thread amongst the remapped drivers was so that I could really understand why the drivers were being remapped, but I never connected those dots. You nailed it right on the head, nice work.

blabberer
November 15th, 2008, 11:22
So you have already concluded.

Anyway, I was just going to say what you already posted:

these addresses are derived when the loader remaps the boot loading drivers.

How, I haven't checked,

but you can confirm that this patch happens for all boot loading drivers after it's mapped for the first time but before it is remapped

by using the -b command line switch and the /break /debug switches in boot.ini.

With -b it breaks after kernel initialization,

while with the /break switch in boot.ini kd will break in the hal init phase.

See below for details.


Code:


Waiting to reconnect...
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Kernel Debugger connection established. (Initial Breakpoint requested) broke with -b commandline switch
Symbol search path is: SRV*F:\SYMBOLS*HTTP://MSDL.MICROSOFT.COM/DOWNLOAD/SYMBOLS
Executable search path is:
Windows XP Kernel Version 2600 UP Free x86 compatible
Built by: 2600.xpsp_sp2_rtm.040803-2158
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055ab20
System Uptime: not available
Break instruction exception - code 80000003 (first chance)

nt!RtlpBreakWithStatusInstruction:
804e3b25 cc int 3



kd> k
ChildEBP RetAddr
805506dc 806b8a5f nt!RtlpBreakWithStatusInstruction
80550868 806aa072 nt!ExpInitializeExecutive+0x350
805508bc 806a9d2c nt!KiInitializeKernel+0x35e
00000000 00000000 nt!KiSystemStartup+0x2bf


kd> lm
start end module name
804d7000 806eb780 nt (pdb symbols) F:\SYMBOLS\ntoskrnl.pdb\8592B6763F34476B9BB560395A383F962\ntoskrnl.pdb
806ec000 806ffd80 hal (deferred)
fa9fe000 faa18580 Mup (deferred)
faa19000 faa45a80 NDIS (deferred)
faa46000 faa5c780 KSecDD (deferred)
faa5d000 faa80000 Fastfat (deferred)
faa80000 faa9e780 fltmgr (deferred)
faa9f000 faab6480 atapi (deferred)
faab7000 faadc700 dmio (deferred)
faadd000 faafb880 ftdisk (deferred)
faafc000 fab0ca80 pci (deferred)
fab0d000 fab3ad80 ACPI (deferred)
fab5c000 fab64c00 isapnp (deferred)
fab6c000 fab76500 MountMgr (deferred)
fab7c000 fab88c80 VolSnap (deferred)
fab8c000 fab94e00 disk (deferred)
fab9c000 faba8200 CLASSPNP (deferred)

fade4000 fadea200 PCIIDEX (deferred)
fadec000 fadf0900 PartMgr (deferred)
faf6c000 faf6f000 BOOTVID (deferred)
fb05c000 fb05db80 kdcom (deferred)
fb05e000 fb05f100 WMILIB (deferred)
fb060000 fb061580 intelide (deferred)
fb062000 fb063700 dmload (deferred)

kd> dt testdll!image_nt_headers fab0d0c8
+0x000 Signature : 0x4550
+0x004 FileHeader : _IMAGE_FILE_HEADER
+0x018 OptionalHeader : _IMAGE_OPTIONAL_HEADER
kd> dt -b testdll!image_nt_headers fab0d0c8
+0x000 Signature : 0x4550
+0x004 FileHeader : _IMAGE_FILE_HEADER
+0x000 Machine : 0x14c
+0x002 NumberOfSections : 8
+0x004 TimeDateStamp : 0x41107d27
+0x008 PointerToSymbolTable : 0
+0x00c NumberOfSymbols : 0
+0x010 SizeOfOptionalHeader : 0xe0
+0x012 Characteristics : 0x10e
+0x018 OptionalHeader : _IMAGE_OPTIONAL_HEADER
+0x000 Magic : 0x10b
+0x002 MajorLinkerVersion : 0x7 ''
+0x003 MinorLinkerVersion : 0xa ''
+0x004 SizeOfCode : 0x26180
+0x008 SizeOfInitializedData : 0x7900
+0x00c SizeOfUninitializedData : 0
+0x010 AddressOfEntryPoint : 0x29059
+0x014 BaseOfCode : 0x300
+0x018 BaseOfData : 0x1b200
+0x01c ImageBase : 0x80100000 <----------------


kd> g

kd> g
ERROR: DavReadRegistryValues/RegQueryValueExW(4). WStatus = 5
ERROR: DavReadRegistryValues/RegQueryValueExW(5). WStatus = 5
ERROR: DavReadRegistryValues/RegQueryValueExW(6). WStatus = 5
Waiting for all contexts to be flushed
Shutdown occurred...unloading all symbol tables.
Waiting to reconnect...
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Kernel Debugger connection established. (Initial Breakpoint requested) broke with /break in boot.ini
Symbol search path is: SRV*F:\SYMBOLS*HTTP://MSDL.MICROSOFT.COM/DOWNLOAD/SYMBOLS
Executable search path is:
Windows XP Kernel Version 2600 UP Free x86 compatible
Built by: 2600.xpsp_sp2_rtm.040803-2158
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055ab20
System Uptime: not available
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPoint:
804e3b14 cc int 3

kd> k
ChildEBP RetAddr
805506b4 806fd6b6 nt!DbgBreakPoint
805506c0 806fd70b hal!HalpGetParameters+0x42
805506d8 806aa27d hal!HalInitSystem+0x33
80550868 806aa072 nt!ExpInitializeExecutive+0x146
805508bc 806a9d2c nt!KiInitializeKernel+0x35e
00000000 00000000 nt!KiSystemStartup+0x2bf
kd> .reload /f
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
........***
................
Loading User Symbols

kd> lm
start end module name
80004000 80005100 WMILIB (pdb symbols) F:\SYMBOLS\wmilib.pdb\E4C3A9A4158C4C51BC4E2B46CA108AA51\wmilib.pdb
80006000 8000ec00 isapnp (pdb symbols) F:\SYMBOLS\isapnp.pdb\40205FF7480844E98F62335DD78B4F8E1\isapnp.pdb
80010000 80013000 BOOTVID (pdb symbols) F:\SYMBOLS\bootvid.pdb\3B7D83451\bootvid.pdb

80019000 8001a580 intelide (pdb symbols) F:\SYMBOLS\intelide.pdb\E9E510BE387D4D5A8A3CD81376DE50071\intelide.pdb
8001b000 8001c700 dmload (pdb symbols) F:\SYMBOLS\dmload.pdb\28B0BFC4C7864BBD92DD888A54E9FE841\dmload.pdb
80100000 8012dd80 ACPI (pdb symbols) F:\SYMBOLS\acpi.pdb\F2E034F2911844B491BDAB612C220EAB1\acpi.pdb <-------------------
8012e000 8013ea80 pci (pdb symbols) F:\SYMBOLS\pci.pdb\206656EB8AAA4BFCAE215D6EE55305881\pci.pdb
8013f000 80145200 PCIIDEX (pdb symbols) F:\SYMBOLS\pciidex.pdb\671C7864E7F74A9D8D84385D1A6347411\pciidex.pdb
80146000 80150500 MountMgr (pdb symbols) F:\SYMBOLS\mountmgr.pdb\E76D919C975C47B1AB592D6BF9A53C1B1\mountmgr.pdb
80151000 8016f880 ftdisk (pdb symbols) F:\SYMBOLS\ftdisk.pdb\370ADA20D01E457AB6AC095AF8D099681\ftdisk.pdb
80170000 80195700 dmio (pdb symbols) F:\SYMBOLS\dmio.pdb\A2AA03114EB84B26A6B8E29367484C881\dmio.pdb
80196000 8019a900 PartMgr (pdb symbols) F:\SYMBOLS\partmgr.pdb\2BF62287ECEE48DFB06FF92BF1D0514B2\partmgr.pdb
8019b000 801a7c80 VolSnap (pdb symbols) F:\SYMBOLS\volsnap.pdb\37AD1DAAA6A04AF8B6FC8478DAFCBDE61\volsnap.pdb
801a8000 801bf480 atapi (pdb symbols) F:\SYMBOLS\atapi.pdb\25228DED4EEC41F29756FC1568E4B63F1\atapi.pdb
801c0000 801c8e00 disk (pdb symbols) F:\SYMBOLS\disk.pdb\D9F2945AC6DF4EEDB1E66ED610B7A04A1\disk.pdb
801c9000 801d5200 CLASSPNP (pdb symbols) F:\SYMBOLS\classpnp.pdb\12E3EB58301B4AC3A5B2D3921F91313A2\classpnp.pdb
801d6000 801f4780 fltmgr (pdb symbols) F:\SYMBOLS\fltMgr.pdb\A3669C0E41994AC2AD2BD6F85D4B1A041\fltMgr.pdb
801f5000 80218000 Fastfat (pdb symbols) F:\SYMBOLS\fastfat.pdb\49F9F5CA625D4A5C9DC927485DA7809F2\fastfat.pdb
80218000 8022e780 KSecDD (pdb symbols) F:\SYMBOLS\ksecdd.pdb\E9FEAB740C29470CB973CD9D584FE5A51\ksecdd.pdb
8022f000 8025ba80 NDIS (pdb symbols) F:\SYMBOLS\ndis.pdb\42ED3DC0817A4246B157736BBAF668742\ndis.pdb
8025c000 80276580 Mup (pdb symbols) F:\SYMBOLS\mup.pdb\B31678EDA6824BB19A2A0B8081DBF7D72\mup.pdb
804d7000 806eb780 nt (pdb symbols) F:\SYMBOLS\ntoskrnl.pdb\8592B6763F34476B9BB560395A383F962\ntoskrnl.pdb
806ec000 806ffd80 hal (pdb symbols) F:\SYMBOLS\halacpi.pdb\BECA5A4012524CD290B45877E8FC674F1\halacpi.pdb
80700000 80701b80 kdcom (pdb symbols) F:\SYMBOLS\kdcom.pdb\3B7D83461\kdcom.pdb

kd> .reload /s /i testdll.dll=50000000
kd> dt -b testdll!image_nt_headers acpi+0xc8
+0x000 Signature : 0x4550
+0x004 FileHeader : _IMAGE_FILE_HEADER
+0x000 Machine : 0x14c
+0x002 NumberOfSections : 8
+0x004 TimeDateStamp : 0x41107d27
+0x008 PointerToSymbolTable : 0
+0x00c NumberOfSymbols : 0
+0x010 SizeOfOptionalHeader : 0xe0
+0x012 Characteristics : 0x10e
+0x018 OptionalHeader : _IMAGE_OPTIONAL_HEADER
+0x000 Magic : 0x10b
+0x002 MajorLinkerVersion : 0x7 ''
+0x003 MinorLinkerVersion : 0xa ''
+0x004 SizeOfCode : 0x26180
+0x008 SizeOfInitializedData : 0x7900
+0x00c SizeOfUninitializedData : 0
+0x010 AddressOfEntryPoint : 0x29059
+0x014 BaseOfCode : 0x300
+0x018 BaseOfData : 0x1b200
+0x01c ImageBase : 0x10000 <----------------------------

kd> .foreach (place { lm o 1m }) {.echo place; .catch { r $t0 = place; dt testdll!_image_nt_headers optionalheader.imagebase ( place + poi( place + 0x3c ) )} } .continue ;
testdll
Memory access error at ') '
WMILIB
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
isapnp
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
BOOTVID
+0x018 OptionalHeader :
+0x01c ImageBase : 0x80010000
wduyuyfs
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
intelide
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
dmload
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
ACPI
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
pci
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
PCIIDEX
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
MountMgr
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
ftdisk
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
dmio
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
PartMgr
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
VolSnap
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
atapi
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
disk
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
CLASSPNP
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
fltmgr
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
Fastfat
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
KSecDD
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
NDIS
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
Mup
+0x018 OptionalHeader :
+0x01c ImageBase : 0x10000
nt
+0x018 OptionalHeader :
+0x01c ImageBase : 0x400000
hal
+0x018 OptionalHeader :
+0x01c ImageBase : 0x80010000
kdcom
+0x018 OptionalHeader :
+0x01c ImageBase : 0x80010000

blabberer
November 15th, 2008, 11:33
OK, setting a hardware breakpoint on read and write on the known relocating address (ba /r4 0xf0###### ba /w4 f0#######),

we can watch it being written.

Code:

kd> bl
0 e fab0d000 w 4 0001 (0001)
1 e fab0d0fc w 4 0001 (0001)
2 e fab0d0c8 r 4 0001 (0001)

kd> g
Breakpoint 0 hit
nt!MiReloadBootLoadedDrivers+0x1a8:
806a868f f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
kd> k
ChildEBP RetAddr
80550670 806af27f nt!MiReloadBootLoadedDrivers+0x1a8
805506d8 806aa3d1 nt!MmInitSystem+0xb33
80550868 806aa072 nt!ExpInitializeExecutive+0x2aa
805508bc 806a9d2c nt!KiInitializeKernel+0x35e
00000000 00000000 nt!KiSystemStartup+0x2bf
kd> r edi
edi=fab0d004
kd> r esi
esi=80100004
kd> !address esi
80100000 - 0002e000
Usage KernelSpaceUsageImage
ImageName ACPI.sys

kd> !address edi
address fab0d004 not found in any known Kernel Address Range ----


But breaking on the patching could be a problem with WinDbg, as WinDbg sucks at tracing with interrupts etc. off.

Code:

kd> g
Shutdown occurred...unloading all symbol tables.
Waiting to reconnect...
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Kernel Debugger connection established. (Initial Breakpoint requested)
Symbol search path is: SRV*F:\SYMBOLS*HTTP://MSDL.MICROSOFT.COM/DOWNLOAD/SYMBOLS
Executable search path is:
Windows XP Kernel Version 2600 UP Free x86 compatible
Built by: 2600.xpsp_sp2_rtm.040803-2158
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055ab20
System Uptime: not available
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPoint:
804e3b14 cc int 3

kd> ba w4 fab0d0fc

kd> g;r edi;r esi;dd edi-4 l1; dd esi-4 l1;


Breakpoint 0 hit
edi=fab0d100
esi=80100100
fab0d0fc 00010000
801000fc 00010000


kd> g <---------------- windbg just fscks off



*** Fatal System Error: 0x00000050
(0xFAB0E000,0x00000001,0x806A868F,0x00000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
........................
Loading User Symbols

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {fab0e000, 1, 806a868f, 0}

Probably caused by : memory_corruption ( nt!MiReloadBootLoadedDrivers+1a8 )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
804e3b25 cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fab0e000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 806a868f, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


WRITE_ADDRESS: fab0e000

FAULTING_IP:
nt!MiReloadBootLoadedDrivers+1a8
806a868f f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

MM_INTERNAL_CODE: 0

DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO

BUGCHECK_STR: 0x50

TRAP_FRAME: 805505b8 -- (.trap 0xffffffff805505b8)
ErrCode = 00000002
eax=00001000 ebx=803f14b0 ecx=00000001 edx=00001485 esi=80101000 edi=fab0e000
eip=806a868f esp=8055062c ebp=80550670 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MiReloadBootLoadedDrivers+0x1a8:
806a868f f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope

LAST_CONTROL_TRANSFER: from 805328e7 to 804e3b25

STACK_TEXT:
80550108 805328e7 00000003 fab0e000 00000000 nt!RtlpBreakWithStatusInstruction
80550154 805333be 00000003 806ed03c c03eac38 nt!KiBugCheckDebugBreak+0x19
80550534 805339ae 00000050 fab0e000 00000001 nt!KeBugCheck2+0x574
80550554 805246fb 00000050 fab0e000 00000001 nt!KeBugCheckEx+0x1b
805505a0 804e1ff1 00000001 fab0e000 00000000 nt!MmAccessFault+0x6f5
805505a0 806a868f 00000001 fab0e000 00000000 nt!KiTrap0E+0xcc
80550670 806af27f 80087000 00000000 8008a950 nt!MiReloadBootLoadedDrivers+0x1a8
805506d8 806aa3d1 00000000 80087000 80559320 nt!MmInitSystem+0xb33
80550868 806aa072 00000000 80087000 8003fc00 nt!ExpInitializeExecutive+0x2aa
805508bc 806a9d2c 80559580 80559320 80550b80 nt!KiInitializeKernel+0x35e
00000000 00000000 00000000 00000000 00000000 nt!KiSystemStartup+0x2bf


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!MiReloadBootLoadedDrivers+1a8
806a868f f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

SYMBOL_STACK_INDEX: 6

SYMBOL_NAME: nt!MiReloadBootLoadedDrivers+1a8

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

DEBUG_FLR_IMAGE_TIMESTAMP: 41108004

IMAGE_NAME: memory_corruption

FAILURE_BUCKET_ID: 0x50_W_nt!MiReloadBootLoadedDrivers+1a8

BUCKET_ID: 0x50_W_nt!MiReloadBootLoadedDrivers+1a8

Followup: MachineOwner
---------

blabberer
November 15th, 2008, 16:27
So if someone wants to watch the paint dry, you can see where acpi gets its 810###### whatever from the trace below.
It happens after MiReloadBootLoadedDrivers has moved the complete image someplace; the last instruction in this trace will show the boot image being patched into
the relocated memory.

Note to self: weird name acpi!osCallbacks?? for image_nt_header?? Should check it out.

Code:

kd>
eax=00001000 ebx=803f14b0 ecx=00000000 edx=000014ac esi=0000002e edi=c03eacd4
eip=806a86a4 esp=8055062c ebp=80550670 iopl=0 nv up ei ng nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000297
nt!MiReloadBootLoadedDrivers+0x1dd:
806a86a4 0f8245ffffff jb nt!MiReloadBootLoadedDrivers+0x105 (806a85ef) [br=1]
kd>
eax=00001000 ebx=803f14b0 ecx=00000000 edx=000014ac esi=0000002e edi=c03eacd4
eip=806a85ef esp=8055062c ebp=80550670 iopl=0 nv up ei ng nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000297
nt!MiReloadBootLoadedDrivers+0x105:
806a85ef 833d9c10558001 cmp dword ptr [nt!MmMakeLowMemory (8055109c)],1 ds:0023:8055109c=00000001
kd>
eax=00001000 ebx=803f14b0 ecx=00000000 edx=000014ac esi=0000002e edi=c03eacd4
eip=806a85f6 esp=8055062c ebp=80550670 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MiReloadBootLoadedDrivers+0x10c:
806a85f6 8b45f8 mov eax,dword ptr [ebp-8] ss:0010:80550668=c02004a0
kd>
eax=c02004a0 ebx=803f14b0 ecx=00000000 edx=000014ac esi=0000002e edi=c03eacd4
eip=806a85f9 esp=8055062c ebp=80550670 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MiReloadBootLoadedDrivers+0x10f:
806a85f9 8b00 mov eax,dword ptr [eax] ds:0023:c02004a0=00128163
kd>
eax=00128163 ebx=803f14b0 ecx=00000000 edx=000014ac esi=0000002e edi=c03eacd4
eip=806a85fb esp=8055062c ebp=80550670 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MiReloadBootLoadedDrivers+0x111:
806a85fb 8945c8 mov dword ptr [ebp-38h],eax ss:0010:80550638=00127163
kd>
eax=00128163 ebx=803f14b0 ecx=00000000 edx=000014ac esi=0000002e edi=c03eacd4
eip=806a85fe esp=8055062c ebp=80550670 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MiReloadBootLoadedDrivers+0x114:
806a85fe 0f854f300100 jne nt!MiReloadBootLoadedDrivers+0x1b2 (806bb653) [br=0]
kd>
eax=00128163 ebx=803f14b0 ecx=00000000 edx=000014ac esi=0000002e edi=c03eacd4
eip=806a8604 esp=8055062c ebp=80550670 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MiReloadBootLoadedDrivers+0x11a:
806a8604 ff1568764d80 call dword ptr [nt!_imp__KeRaiseIrqlToDpcLevel (804d7668)] ds:0023:804d7668={hal!KeRaiseIrqlToDpcLevel (806ed03c)}
kd>
eax=00000001 ebx=803f14b0 ecx=00000000 edx=000014ac esi=0000002e edi=c03eacd4
eip=806a860a esp=8055062c ebp=80550670 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MiReloadBootLoadedDrivers+0x120:
806a860a 33d2 xor edx,edx
kd>
eax=00000001 ebx=803f14b0 ecx=00000000 edx=00000000 esi=0000002e edi=c03eacd4
eip=806a860c esp=8055062c ebp=80550670 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MiReloadBootLoadedDrivers+0x122:
806a860c 33c9 xor ecx,ecx
kd>
eax=00000001 ebx=803f14b0 ecx=00000000 edx=00000000 esi=0000002e edi=c03eacd4
eip=806a860e esp=8055062c ebp=80550670 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MiReloadBootLoadedDrivers+0x124:
806a860e 8845ff mov byte ptr [ebp-1],al ss:0010:8055066f=01
kd>
eax=00000001 ebx=803f14b0 ecx=00000000 edx=00000000 esi=0000002e edi=c03eacd4
eip=806a8611 esp=8055062c ebp=80550670 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MiReloadBootLoadedDrivers+0x127:
806a8611 e853e8e3ff call nt!MiEnsureAvailablePageOrWait (804e6e69)
kd>
eax=00000000 ebx=803f14b0 ecx=00000080 edx=00000000 esi=0000002e edi=c03eacd4
eip=806a8616 esp=8055062c ebp=80550670 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MiReloadBootLoadedDrivers+0x12c:
806a8616 8b0dd4f45580 mov ecx,dword ptr [nt!MmSecondaryColorMask (8055f4d4)] ds:0023:8055f4d4=0000003f
kd>
eax=00000000 ebx=803f14b0 ecx=0000003f edx=00000000 esi=0000002e edi=c03eacd4
eip=806a861c esp=8055062c ebp=80550670 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MiReloadBootLoadedDrivers+0x132:
806a861c 230db8ef5580 and ecx,dword ptr [nt!MmSystemPageColor (8055efb8)] ds:0023:8055efb8=0000002d
kd>
eax=00000000 ebx=803f14b0 ecx=0000002d edx=00000000 esi=0000002e edi=c03eacd4
eip=806a8622 esp=8055062c ebp=80550670 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!MiReloadBootLoadedDrivers+0x138:
806a8622 ff05b8ef5580 inc dword ptr [nt!MmSystemPageColor (8055efb8)] ds:0023:8055efb8=0000002d
kd>
eax=00000000 ebx=803f14b0 ecx=0000002d edx=00000000 esi=0000002e edi=c03eacd4
eip=806a8628 esp=8055062c ebp=80550670 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!MiReloadBootLoadedDrivers+0x13e:
806a8628 e8d3e7e3ff call nt!MiRemoveAnyPage (804e6e00)
kd>
eax=0000146d ebx=803f14b0 ecx=00000000 edx=000014ad esi=0000002e edi=c03eacd4
eip=806a862d esp=8055062c ebp=80550670 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!MiReloadBootLoadedDrivers+0x143:
806a862d 8bf0 mov esi,eax
kd>
eax=0000146d ebx=803f14b0 ecx=00000000 edx=000014ad esi=0000146d edi=c03eacd4
eip=806a862f esp=8055062c ebp=80550670 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!MiReloadBootLoadedDrivers+0x145:
806a862f 81fe00100000 cmp esi,1000h
kd>
eax=0000146d ebx=803f14b0 ecx=00000000 edx=000014ad esi=0000146d edi=c03eacd4
eip=806a8635 esp=8055062c ebp=80550670 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
nt!MiReloadBootLoadedDrivers+0x14b:
806a8635 0f820c300100 jb nt!MiReloadBootLoadedDrivers+0x14d (806bb647) [br=0]
kd>
eax=0000146d ebx=803f14b0 ecx=00000000 edx=000014ad esi=0000146d edi=c03eacd4
eip=806a863b esp=8055062c ebp=80550670 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
nt!MiReloadBootLoadedDrivers+0x154:
806a863b 8bcf mov ecx,edi
kd>
eax=0000146d ebx=803f14b0 ecx=c03eacd4 edx=000014ad esi=0000146d edi=c03eacd4
eip=806a863d esp=8055062c ebp=80550670 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
nt!MiReloadBootLoadedDrivers+0x156:
806a863d e8e6e7e3ff call nt!MiDetermineUserGlobalPteMask (804e6e28)
kd>
eax=00000121 ebx=803f14b0 ecx=c03eacd4 edx=000014ad esi=0000146d edi=c03eacd4
eip=806a8642 esp=8055062c ebp=80550670 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!MiReloadBootLoadedDrivers+0x15b:
806a8642 8bce mov ecx,esi
kd>
eax=00000121 ebx=803f14b0 ecx=0000146d edx=000014ad esi=0000146d edi=c03eacd4
eip=806a8644 esp=8055062c ebp=80550670 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!MiReloadBootLoadedDrivers+0x15d:
806a8644 c1e10c shl ecx,0Ch
kd>
eax=00000121 ebx=803f14b0 ecx=0146d000 edx=000014ad esi=0000146d edi=c03eacd4
eip=806a8647 esp=8055062c ebp=80550670 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!MiReloadBootLoadedDrivers+0x160:
806a8647 0bc1 or eax,ecx
kd>
eax=0146d121 ebx=803f14b0 ecx=0146d000 edx=000014ad esi=0000146d edi=c03eacd4
eip=806a8649 esp=8055062c ebp=80550670 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!MiReloadBootLoadedDrivers+0x162:
806a8649 0b05000f5580 or eax,dword ptr [nt!MmProtectToPteMask+0x18 (80550f00)] ds:0023:80550f00=00000002
kd>
eax=0146d123 ebx=803f14b0 ecx=0146d000 edx=000014ad esi=0000146d edi=c03eacd4
eip=806a864f esp=8055062c ebp=80550670 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
nt!MiReloadBootLoadedDrivers+0x168:
806a864f 6a01 push 1
kd>
eax=0146d123 ebx=803f14b0 ecx=0146d000 edx=000014ad esi=0000146d edi=c03eacd4
eip=806a8651 esp=80550628 ebp=80550670 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
nt!MiReloadBootLoadedDrivers+0x16a:
806a8651 57 push edi
kd>
eax=0146d123 ebx=803f14b0 ecx=0146d000 edx=000014ad esi=0000146d edi=c03eacd4
eip=806a8652 esp=80550624 ebp=80550670 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
nt!MiReloadBootLoadedDrivers+0x16b:
806a8652 83c860 or eax,60h
kd>
eax=0146d163 ebx=803f14b0 ecx=0146d000 edx=000014ad esi=0000146d edi=c03eacd4
eip=806a8655 esp=80550624 ebp=80550670 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!MiReloadBootLoadedDrivers+0x16e:
806a8655 56 push esi
kd>
eax=0146d163 ebx=803f14b0 ecx=0146d000 edx=000014ad esi=0000146d edi=c03eacd4
eip=806a8656 esp=80550620 ebp=80550670 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!MiReloadBootLoadedDrivers+0x16f:
806a8656 8907 mov dword ptr [edi],eax ds:0023:c03eacd4=00000000
kd>
eax=0146d163 ebx=803f14b0 ecx=0146d000 edx=000014ad esi=0000146d edi=c03eacd4
eip=806a8658 esp=80550620 ebp=80550670 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!MiReloadBootLoadedDrivers+0x171:
806a8658 e8f1f2e3ff call nt!MiInitializePfn (804e794e)
kd>
eax=810181e0 ebx=803f14b0 ecx=81000000 edx=000014ad esi=0000146d edi=c03eacd4
eip=806a865d esp=8055062c ebp=80550670 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!MiReloadBootLoadedDrivers+0x176:
806a865d 8b0dc8f45580 mov ecx,dword ptr [nt!MmPfnDatabase (8055f4c8)] ds:0023:8055f4c8=81000000
kd>
eax=810181e0 ebx=803f14b0 ecx=81000000 edx=000014ad esi=0000146d edi=c03eacd4
eip=806a8663 esp=8055062c ebp=80550670 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!MiReloadBootLoadedDrivers+0x17c:
806a8663 8d0476 lea eax,[esi+esi*2]
kd>
eax=00003d47 ebx=803f14b0 ecx=81000000 edx=000014ad esi=0000146d edi=c03eacd4
eip=806a8666 esp=8055062c ebp=80550670 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!MiReloadBootLoadedDrivers+0x17f:
806a8666 8d04c1 lea eax,[ecx+eax*8]
kd>
eax=8101ea38 ebx=803f14b0 ecx=81000000 edx=000014ad esi=0000146d edi=c03eacd4
eip=806a8669 esp=8055062c ebp=80550670 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!MiReloadBootLoadedDrivers+0x182:
806a8669 8a4dff mov cl,byte ptr [ebp-1] ss:0010:8055066f=01
kd>
eax=8101ea38 ebx=803f14b0 ecx=81000001 edx=000014ad esi=0000146d edi=c03eacd4
eip=806a866c esp=8055062c ebp=80550670 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!MiReloadBootLoadedDrivers+0x185:
806a866c 83480c01 or dword ptr [eax+0Ch],1 ds:0023:8101ea44=00011601
kd>
eax=8101ea38 ebx=803f14b0 ecx=81000001 edx=000014ad esi=0000146d edi=c03eacd4
eip=806a8670 esp=8055062c ebp=80550670 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
nt!MiReloadBootLoadedDrivers+0x189:
806a8670 832000 and dword ptr [eax],0 ds:0023:8101ea38=00000000
kd>
eax=8101ea38 ebx=803f14b0 ecx=81000001 edx=000014ad esi=0000146d edi=c03eacd4
eip=806a8673 esp=8055062c ebp=80550670 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MiReloadBootLoadedDrivers+0x18c:
806a8673 ff1570764d80 call dword ptr [nt!_imp_KfLowerIrql (804d7670)] ds:0023:804d7670={hal!KfLowerIrql (806ed070)}
kd>
eax=00000000 ebx=803f14b0 ecx=00000001 edx=000014ad esi=0000146d edi=c03eacd4
eip=806a8679 esp=8055062c ebp=80550670 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MiReloadBootLoadedDrivers+0x192:
806a8679 8b75f4 mov esi,dword ptr [ebp-0Ch] ss:0010:80550664=80128000
kd>
eax=00000000 ebx=803f14b0 ecx=00000001 edx=000014ad esi=80128000 edi=c03eacd4
eip=806a867c esp=8055062c ebp=80550670 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MiReloadBootLoadedDrivers+0x195:
806a867c 8b7dec mov edi,dword ptr [ebp-14h] ss:0010:8055065c=fab35000
kd>
eax=00000000 ebx=803f14b0 ecx=00000001 edx=000014ad esi=80128000 edi=fab35000
eip=806a867f esp=8055062c ebp=80550670 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MiReloadBootLoadedDrivers+0x198:
806a867f b800100000 mov eax,1000h
kd>
eax=00001000 ebx=803f14b0 ecx=00000001 edx=000014ad esi=80128000 edi=fab35000
eip=806a8684 esp=8055062c ebp=80550670 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MiReloadBootLoadedDrivers+0x19d:
806a8684 0145ec add dword ptr [ebp-14h],eax ss:0010:8055065c=fab35000
kd>
eax=00001000 ebx=803f14b0 ecx=00000001 edx=000014ad esi=80128000 edi=fab35000
eip=806a8687 esp=8055062c ebp=80550670 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!MiReloadBootLoadedDrivers+0x1a0:
806a8687 0145f4 add dword ptr [ebp-0Ch],eax ss:0010:80550664=80128000
kd>
eax=00001000 ebx=803f14b0 ecx=00000001 edx=000014ad esi=80128000 edi=fab35000
eip=806a868a esp=8055062c ebp=80550670 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!MiReloadBootLoadedDrivers+0x1a3:
806a868a b900040000 mov ecx,400h
kd>
Breakpoint 1 hit
eax=00001000 ebx=803f14b0 ecx=00000400 edx=000014ad esi=80128000 edi=fab35000
eip=806a868f esp=8055062c ebp=80550670 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!MiReloadBootLoadedDrivers+0x1a8:
806a868f f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
kd> bd 1;p;be 1;
kd> g
Breakpoint 1 hit
eax=00001000 ebx=803f14b0 ecx=00000400 edx=000014ae esi=80129000 edi=fab36000
eip=806a868f esp=8055062c ebp=80550670 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!MiReloadBootLoadedDrivers+0x1a8:
806a868f f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
kd> bd 1;p;be 1;
kd> g
Breakpoint 1 hit
eax=00001000 ebx=803f14b0 ecx=00000400 edx=000014af esi=8012a000 edi=fab37000
eip=806a868f esp=8055062c ebp=80550670 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!MiReloadBootLoadedDrivers+0x1a8:
806a868f f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
kd> bd 1;p;be 1;
kd> g
Breakpoint 1 hit
eax=00001000 ebx=803f14b0 ecx=00000400 edx=000014b0 esi=8012b000 edi=fab38000
eip=806a868f esp=8055062c ebp=80550670 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!MiReloadBootLoadedDrivers+0x1a8:
806a868f f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
kd> bd 1;p;be 1;
kd> g
Breakpoint 1 hit
eax=00001000 ebx=803f14b0 ecx=00000400 edx=000014b1 esi=8012c000 edi=fab39000
eip=806a868f esp=8055062c ebp=80550670 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!MiReloadBootLoadedDrivers+0x1a8:
806a868f f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
kd> bd 1;p;be 1;
kd> g
Breakpoint 1 hit
eax=00001000 ebx=803f14b0 ecx=00000400 edx=00001472 esi=8012d000 edi=fab3a000
eip=806a868f esp=8055062c ebp=80550670 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!MiReloadBootLoadedDrivers+0x1a8:
806a868f f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
kd> bd 1;p;be 1;
kd> p
eax=00001000 ebx=803f14b0 ecx=00000000 edx=00001472 esi=8012e000 edi=c03eace8
eip=806a8694 esp=8055062c ebp=80550670 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!MiReloadBootLoadedDrivers+0x1ad:
806a8694 8b75cc mov esi,dword ptr [ebp-34h] ss:0010:8055063c=0000002e
kd>
eax=00001000 ebx=803f14b0 ecx=00000000 edx=00001472 esi=0000002e edi=c03eace8
eip=806a8697 esp=8055062c ebp=80550670 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!MiReloadBootLoadedDrivers+0x1d0:
806a8697 8345f804 add dword ptr [ebp-8],4 ss:0010:80550668=c02004b4
kd>
eax=00001000 ebx=803f14b0 ecx=00000000 edx=00001472 esi=0000002e edi=c03eace8
eip=806a869b esp=8055062c ebp=80550670 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!MiReloadBootLoadedDrivers+0x1d4:
806a869b 83c704 add edi,4
kd>
eax=00001000 ebx=803f14b0 ecx=00000000 edx=00001472 esi=0000002e edi=c03eacec
eip=806a869e esp=8055062c ebp=80550670 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!MiReloadBootLoadedDrivers+0x1d7:
806a869e 3b7df0 cmp edi,dword ptr [ebp-10h] ss:0010:80550660=c03eacec
kd>
eax=00001000 ebx=803f14b0 ecx=00000000 edx=00001472 esi=0000002e edi=c03eacec
eip=806a86a1 esp=8055062c ebp=80550670 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MiReloadBootLoadedDrivers+0x1da:
806a86a1 897ddc mov dword ptr [ebp-24h],edi ss:0010:8055064c=c03eace8
kd>
eax=00001000 ebx=803f14b0 ecx=00000000 edx=00001472 esi=0000002e edi=c03eacec
eip=806a86a4 esp=8055062c ebp=80550670 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MiReloadBootLoadedDrivers+0x1dd:
806a86a4 0f8245ffffff jb nt!MiReloadBootLoadedDrivers+0x105 (806a85ef) [br=0]
kd>
eax=00001000 ebx=803f14b0 ecx=00000000 edx=00001472 esi=0000002e edi=c03eacec
eip=806a86aa esp=8055062c ebp=80550670 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MiReloadBootLoadedDrivers+0x1e3:
806a86aa 8b45e8 mov eax,dword ptr [ebp-18h] ss:0010:80550658=fab0d000
kd>
eax=fab0d000 ebx=803f14b0 ecx=00000000 edx=00001472 esi=0000002e edi=c03eacec
eip=806a86ad esp=8055062c ebp=80550670 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MiReloadBootLoadedDrivers+0x1e6:
806a86ad 8b55d0 mov edx,dword ptr [ebp-30h] ss:0010:80550640={ACPI!OSInitializeCallbacks <PERF> (ACPI+0xc8) (801000c8)}
kd> p
eax=fab0d000 ebx=803f14b0 ecx=00000000 edx=801000c8 esi=0000002e edi=c03eacec
eip=806a86b0 esp=8055062c ebp=80550670 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MiReloadBootLoadedDrivers+0x1e9:
806a86b0 8bce mov ecx,esi
kd> dd edx
801000c8 00004550 0008014c 41107d27 00000000
801000d8 00000000 010e00e0 0a07010b 00026180
801000e8 00007900 00000000 00029059 00000300
801000f8 0001b200 00010000 00000080 00000080
80100108 00010005 00010005 00010005 00000000
80100118 0002dd80 00000300 00033106 04000001
80100128 00040000 00001000 00100000 00001000
80100138 00000000 00000010 00000000 00000000
kd> p
eax=fab0d000 ebx=803f14b0 ecx=0000002e edx=801000c8 esi=0000002e edi=c03eacec
eip=806a86b2 esp=8055062c ebp=80550670 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MiReloadBootLoadedDrivers+0x1eb:
806a86b2 c1e102 shl ecx,2
kd>
eax=fab0d000 ebx=803f14b0 ecx=000000b8 edx=801000c8 esi=0000002e edi=c03eacec
eip=806a86b5 esp=8055062c ebp=80550670 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!MiReloadBootLoadedDrivers+0x1ee:
806a86b5 2bf9 sub edi,ecx
kd>
eax=fab0d000 ebx=803f14b0 ecx=000000b8 edx=801000c8 esi=0000002e edi=c03eac34
eip=806a86b7 esp=8055062c ebp=80550670 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!MiReloadBootLoadedDrivers+0x1f0:
806a86b7 8b4dd4 mov ecx,dword ptr [ebp-2Ch] ss:0010:80550644={ACPI!OSInitializeCallbacks <PERF> (ACPI+0x0) (80100000)}
kd> p
eax=fab0d000 ebx=803f14b0 ecx=80100000 edx=801000c8 esi=0000002e edi=c03eac34
eip=806a86ba esp=8055062c ebp=80550670 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!MiReloadBootLoadedDrivers+0x1f3:
806a86ba 894a34 mov dword ptr [edx+34h],ecx ds:0023:801000fc=00010000
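
As an added illustration, not code from this thread or from Windows, here is a small user-mode C model of what the trace above and the RtlImageNtHeader snippet in the first post are doing. It builds a constructed PE32 header carrying the field values from the ACPI dump (Machine 0x14c, eight sections, Characteristics 0x10e, linker 7.10, ImageBase 0x10000, 16 data directories), looks the "PE" header up with bounds checks, confirms that OptionalHeader.ImageBase sits 0x34 bytes past the signature (which is why the last instruction writes to [edx+34h]), and applies the same header patch the kernel applies. The `is_rebase_candidate` filter mirrors the two checks visible in the MiReloadBootLoadedDrivers disassembly Kayaker posts next (relocations stripped, or no base-relocation directory). The function names, the `sample_image` builder and its 0x200-byte buffer are this example's own assumptions.

```c
/* Added example: a user-mode model of the PE header handling in this thread.
 * Not Windows kernel code; the sample image below is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_DOS_SIGNATURE             0x5a4d      /* "MZ" */
#define IMAGE_NT_SIGNATURE              0x00004550  /* "PE\0\0" */
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC   0x10b
#define IMAGE_FILE_RELOCS_STRIPPED      0x0001
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5

#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t e_res[58]; uint32_t e_lfanew; } DosHeader; /* e_lfanew at +0x3c */
typedef struct {                                    /* IMAGE_FILE_HEADER, 20 bytes */
    uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
} FileHeader;
typedef struct {                                    /* IMAGE_OPTIONAL_HEADER32, 0xe0 bytes */
    uint16_t Magic; uint8_t MajorLinkerVersion, MinorLinkerVersion;
    uint32_t SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData;
    uint32_t AddressOfEntryPoint, BaseOfCode, BaseOfData;
    uint32_t ImageBase;                             /* +0x1c within the optional header */
    uint32_t SectionAlignment, FileAlignment;
    uint16_t MajorOperatingSystemVersion, MinorOperatingSystemVersion;
    uint16_t MajorImageVersion, MinorImageVersion, MajorSubsystemVersion, MinorSubsystemVersion;
    uint32_t Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum;
    uint16_t Subsystem, DllCharacteristics;
    uint32_t SizeOfStackReserve, SizeOfStackCommit, SizeOfHeapReserve, SizeOfHeapCommit;
    uint32_t LoaderFlags, NumberOfRvaAndSizes;      /* +0x5c */
    struct { uint32_t VirtualAddress, Size; } DataDirectory[16];
} OptionalHeader32;
typedef struct { uint32_t Signature; FileHeader FileHeader; OptionalHeader32 OptionalHeader; } NtHeaders32;
#pragma pack(pop)

/* Bounds-checked counterpart of RtlImageNtHeader: returns the "PE" header inside
 * an image copy of 'size' bytes, or NULL if the headers do not fit or look wrong. */
static NtHeaders32 *image_nt_header(uint8_t *base, size_t size)
{
    const DosHeader *dos = (const DosHeader *)base;
    NtHeaders32 *nt;
    if (size < sizeof(DosHeader) || dos->e_magic != IMAGE_DOS_SIGNATURE) return NULL;
    if (dos->e_lfanew > size || size - dos->e_lfanew < sizeof(NtHeaders32)) return NULL;
    nt = (NtHeaders32 *)(base + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE ||
        nt->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC) return NULL;
    return nt;
}

/* The field MiReloadBootLoadedDrivers writes with "mov [edx+34h],ecx":
 * 0x18 (Signature + FileHeader) plus 0x1c (ImageBase inside the optional header). */
static size_t nt_header_image_base_offset(void)
{
    return offsetof(NtHeaders32, OptionalHeader) + offsetof(OptionalHeader32, ImageBase);
}

/* ImageBase as recorded in the in-memory header, 0 if the header is unreadable. */
static uint32_t header_image_base(uint8_t *base, size_t size)
{
    NtHeaders32 *nt = image_nt_header(base, size);
    return nt ? nt->OptionalHeader.ImageBase : 0;
}

/* Model of the patch at the end of the trace: the address the boot loader mapped
 * the image at is written into the header's ImageBase. Returns 1 on success. */
static int patch_header_image_base(uint8_t *base, size_t size, uint32_t loaded_at)
{
    NtHeaders32 *nt = image_nt_header(base, size);
    if (!nt) return 0;
    nt->OptionalHeader.ImageBase = loaded_at;
    return 1;
}

/* The two filters from the MiReloadBootLoadedDrivers disassembly: images with
 * relocations stripped, or without a base-relocation directory, are skipped. */
static int is_rebase_candidate(uint8_t *base, size_t size)
{
    const NtHeaders32 *nt = image_nt_header(base, size);
    if (!nt || (nt->FileHeader.Characteristics & IMAGE_FILE_RELOCS_STRIPPED)) return 0;
    return nt->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC;
}

/* Scanner-style check: does the header's ImageBase equal where the module lives?
 * For boot-loaded drivers it often does not, as the thread shows. */
static int image_base_matches(uint8_t *base, size_t size, uint32_t actual_base)
{
    return header_image_base(base, size) == actual_base;
}

/* Constructed sample (this example's own): a PE32 header with the field values from
 * the ACPI dump in the thread, "PE" at +0xc8 as on the page, no sections behind it. */
#define SAMPLE_IMAGE_SIZE 0x200
static uint8_t g_sample[SAMPLE_IMAGE_SIZE];
static uint8_t *sample_image(void)
{
    static int built;
    if (!built) {
        DosHeader *dos = (DosHeader *)g_sample;
        NtHeaders32 *nt = (NtHeaders32 *)(g_sample + 0xc8);
        memset(g_sample, 0, sizeof g_sample);
        dos->e_magic = IMAGE_DOS_SIGNATURE;   dos->e_lfanew = 0xc8;
        nt->Signature = IMAGE_NT_SIGNATURE;
        nt->FileHeader.Machine = 0x14c;       nt->FileHeader.NumberOfSections = 8;
        nt->FileHeader.TimeDateStamp = 0x41107d27;
        nt->FileHeader.SizeOfOptionalHeader = sizeof(OptionalHeader32);
        nt->FileHeader.Characteristics = 0x10e;
        nt->OptionalHeader.Magic = IMAGE_NT_OPTIONAL_HDR32_MAGIC;
        nt->OptionalHeader.MajorLinkerVersion = 7; nt->OptionalHeader.MinorLinkerVersion = 10;
        nt->OptionalHeader.ImageBase = 0x10000;    nt->OptionalHeader.SizeOfImage = 0x2dd80;
        nt->OptionalHeader.NumberOfRvaAndSizes = 16;
        built = 1;
    }
    return g_sample;
}

int main(void)
{
    uint8_t *img = sample_image();
    printf("ImageBase offset from \"PE\": 0x%zx\n", nt_header_image_base_offset());
    printf("header ImageBase before    : 0x%08x\n", header_image_base(img, SAMPLE_IMAGE_SIZE));
    if (is_rebase_candidate(img, SAMPLE_IMAGE_SIZE))        /* as the trace does for ACPI */
        patch_header_image_base(img, SAMPLE_IMAGE_SIZE, 0x80100000u);
    printf("header ImageBase after     : 0x%08x\n", header_image_base(img, SAMPLE_IMAGE_SIZE));
    printf("matches module base fab0d000: %s\n",
           image_base_matches(img, SAMPLE_IMAGE_SIZE, 0xfab0d000u) ? "yes" : "no");
    return 0;
}
```

The `image_base_matches` check is the one a memory scanner would naively run; on this page it fails for ACPI (the header says 0x80100000 while the module lives at fab0d000) without anything being wrong, so a header/base mismatch on a boot-start driver needs this loader behaviour ruled out before it is read as tampering.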

Kayaker
November 15th, 2008, 17:17
Hehe, blabberer, I was hoping you'd do your Winny trick of breaking on early kernel loading. You seem to have caught it nicely there with nt!MiReloadBootLoadedDrivers.

Is there any way you can break at the start of MiReloadBootLoadedDrivers and display the hidden structure pointed to by arg_0? There are some interesting bits in there, such as pointed to by [ebx+18h] = ImageBase, [ebx+1Ch] [ebx+20h] [ebx+37h]. It may point to an array of structures for each boot driver.

The function looks to be constructed as a loop that rebases all the boot drivers in turn. The loopcounter seems to indicate it skips the first 2 drivers (nt & hal?) before rebasing the rest.

After adding a few definitions such as IMAGE_NT_HEADERS32, the analysis looks like this.

Code:

:005D1503 ; __stdcall MiReloadBootLoadedDrivers(x)
:005D1503 _MiReloadBootLoadedDrivers@4 proc near ; CODE XREF: InbvIndicateProgress()+F7F3p
:005D1503
:005D1503 var_38 = dword ptr -38h
:005D1503 var_34 = dword ptr -34h
:005D1503 NtHeaders = dword ptr -30h
:005D1503 var_2C = dword ptr -2Ch
:005D1503 var_28 = dword ptr -28h
:005D1503 var_24 = dword ptr -24h
:005D1503 var_20 = dword ptr -20h
:005D1503 loopcounter = dword ptr -1Ch
:005D1503 ImageBase = dword ptr -18h
:005D1503 var_14 = dword ptr -14h
:005D1503 var_10 = dword ptr -10h
:005D1503 var_C = dword ptr -0Ch
:005D1503 var_8 = dword ptr -8
:005D1503 var_1 = byte ptr -1
:005D1503 _pInteresting_struct= dword ptr 8
:005D1503
:005D1503 ; FUNCTION CHUNK AT :005D14DD SIZE 00000021 BYTES
:005D1503 ; FUNCTION CHUNK AT :005E463F SIZE 000000FB BYTES
:005D1503
:005D1503 mov edi, edi
:005D1505 push ebp
:005D1506 mov ebp, esp
:005D1508 sub esp, 38h
:005D150B mov eax, [ebp+_pInteresting_struct]
:005D150E and [ebp+var_20], 0
:005D1512 and [ebp+loopcounter], 0
:005D1516 push ebx
:005D1517 mov ebx, [eax]
:005D1519 cmp ebx, eax
:005D151B jz short _ret
:005D151D push esi
:005D151E push edi
:005D151F
:005D151F loopNextImage: ; CODE XREF: MiReloadBootLoadedDrivers(x)-Ej
:005D151F inc [ebp+loopcounter]
:005D1522 cmp [ebp+loopcounter], 2
:005D1526 jbe short NextImage
:005D1528 push dword ptr [ebx+18h] ; ImageBase
:005D152B call _RtlImageNtHeader@4 ; RtlImageNtHeader(x)
:005D1530 test eax, eax
:005D1532 mov [ebp+NtHeaders], eax
:005D1535 jz short NextImage
:005D1537 test byte ptr [eax+IMAGE_NT_HEADERS32.FileHeader.Characteristics], 1
:005D153B jnz short NextImage
:005D153D cmp [eax+IMAGE_NT_HEADERS32.OptionalHeader.NumberOfRvaAndSizes], 5
:005D1541 jbe short NextImage
:005D1543 add eax, 0A0h ; [PE + A0] = BaseRelocationTable
:005D1543 ;
:005D1543 ; typedef struct _IMAGE_BASE_RELOCATION {
:005D1543 ; DWORD VirtualAddress;
:005D1543 ; DWORD SizeOfBlock;
:005D1543 ; } IMAGE_BASE_RELOCATION;
:005D1548 mov ecx, [eax]
:005D154A test ecx, ecx
:005D154C jz loc_5E463F
:005D1552 mov eax, [eax+IMAGE_BASE_RELOCATION.SizeOfBlock]
:005D1555 add eax, ecx ; Virtual Address + SizeOfBlock
:005D1557 cmp eax, [ebx+20h]
:005D155A ja short NextImage
:005D155C mov [ebp+var_28], 1
:005D1563
:005D1563 loc_5D1563: ; CODE XREF: MiReloadBootLoadedDrivers(x)+1313Fj
:005D1563 mov edi, [ebx+18h]
:005D1566 mov esi, [ebx+20h]
:005D1569 mov [ebp+var_2C], edi
:005D156C shr edi, 0Ah
:005D156F and edi, 3FFFFCh
:005D1575 add esi, 0FFFh
:005D157B sub edi, 40000000h
:005D1581 shr esi, 0Ch
:005D1584 mov [ebp+var_8], edi
:005D1587 mov [ebp+var_34], esi
:005D158A call ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
:005D1590 mov [ebp+var_1], al
:005D1593 lea ecx, [edi+esi*4]
:005D1596
:005D1596 loc_5D1596: ; CODE XREF: MiReloadBootLoadedDrivers(x)+AFj
:005D1596 cmp edi, ecx
:005D1598 jnb short loc_5D15B4
:005D159A mov edx, [edi]
:005D159C shr edx, 0Ch
:005D159F lea eax, [edx+edx*2]
:005D15A2 mov edx, _MmPfnDatabase
:005D15A8 lea edx, [edx+eax*8]
:005D15AB or dword ptr [edx+0Ch], 1
:005D15AF add edi, 4
:005D15B2 jmp short loc_5D1596
:005D15B4 ; ---------------------------------------------------------------------------
:005D15B4
:005D15B4 loc_5D15B4: ; CODE XREF: MiReloadBootLoadedDrivers(x)+95j
:005D15B4 mov cl, [ebp+var_1]
:005D15B7 call ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
:005D15BD push 0
:005D15BF push esi
:005D15C0 call _MiReserveSystemPtes@8 ; MiReserveSystemPtes(x,x)
:005D15C5 mov edi, eax
:005D15C7 test edi, edi
:005D15C9 mov [ebp+var_24], edi
:005D15CC jz NextImage
:005D15D2 mov edx, [ebx+18h]
:005D15D5 lea ecx, [edi+esi*4]
:005D15D8 shl eax, 0Ah
:005D15DB cmp edi, ecx
:005D15DD mov [ebp+var_10], ecx
:005D15E0 mov [ebp+ImageBase], eax
:005D15E3 mov [ebp+var_14], eax
:005D15E6 mov [ebp+var_C], edx
:005D15E9 jnb loc_5D16AD
:005D15EF
:005D15EF loc_5D15EF: ; CODE XREF: MiReloadBootLoadedDrivers(x)+1A1j
:005D15EF cmp _MmMakeLowMemory, 1
:005D15F6 mov eax, [ebp+var_8]
:005D15F9 mov eax, [eax]
:005D15FB mov [ebp+var_38], eax
:005D15FE jnz loc_5E4653
:005D1604 call ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
:005D160A xor edx, edx
:005D160C xor ecx, ecx
:005D160E mov [ebp+var_1], al
:005D1611 call @MiEnsureAvailablePageOrWait@8 ; MiEnsureAvailablePageOrWait(x,x)
:005D1616 mov ecx, _MmSecondaryColorMask
:005D161C and ecx, _MmSystemPageColor
:005D1622 inc _MmSystemPageColor
:005D1628 call @MiRemoveAnyPage@4 ; MiRemoveAnyPage(x)
:005D162D mov esi, eax
:005D162F cmp esi, 1000h
:005D1635 jb loc_5E4647
:005D163B
:005D163B loc_5D163B: ; CODE XREF: MiReloadBootLoadedDrivers(x)+1314Bj
:005D163B mov ecx, edi
:005D163D call @MiDetermineUserGlobalPteMask@4 ; MiDetermineUserGlobalPteMask(x)
:005D1642 mov ecx, esi
:005D1644 shl ecx, 0Ch
:005D1647 or eax, ecx
:005D1649 or eax, dword_479F00
:005D164F push 1
:005D1651 push edi
:005D1652 or eax, 60h
:005D1655 push esi
:005D1656 mov [edi], eax
:005D1658 call _MiInitializePfn@12 ; MiInitializePfn(x,x,x)
:005D165D mov ecx, _MmPfnDatabase
:005D1663 lea eax, [esi+esi*2]
:005D1666 lea eax, [ecx+eax*8]
:005D1669 mov cl, [ebp+var_1]
:005D166C or dword ptr [eax+0Ch], 1
:005D1670 and dword ptr [eax], 0
:005D1673 call ds:__imp_@KfLowerIrql@4 ; KfLowerIrql(x)
:005D1679 mov esi, [ebp+var_C]
:005D167C mov edi, [ebp+var_14]
:005D167F mov eax, 1000h
:005D1684 add [ebp+var_14], eax
:005D1687 add [ebp+var_C], eax
:005D168A mov ecx, 400h
:005D168F rep movsd
:005D1691 mov edi, [ebp+var_24]
:005D1694 mov esi, [ebp+var_34]
:005D1697
:005D1697 loc_5D1697: ; CODE XREF: MiReloadBootLoadedDrivers(x)+1316Ej
:005D1697 add [ebp+var_8], 4
:005D169B add edi, 4
:005D169E cmp edi, [ebp+var_10]
:005D16A1 mov [ebp+var_24], edi
:005D16A4 jb loc_5D15EF
:005D16AA mov eax, [ebp+ImageBase]
:005D16AD
:005D16AD loc_5D16AD: ; CODE XREF: MiReloadBootLoadedDrivers(x)+E6j
:005D16AD mov edx, [ebp+NtHeaders]
:005D16B0 mov ecx, esi
:005D16B2 shl ecx, 2
:005D16B5 sub edi, ecx
:005D16B7 mov ecx, [ebp+var_2C]
:005D16BA mov [edx+IMAGE_NT_HEADERS32.OptionalHeader.ImageBase], ecx
:005D16BD cmp _MmMakeLowMemory, 1
:005D16C4 jnz short loc_5D16D3
:005D16C6 mov eax, [ebp+var_14]
:005D16C9 sub eax, [ebp+var_C]
:005D16CC mov [eax+edx+34h], ecx
:005D16D0 mov eax, [ebp+ImageBase]
:005D16D3
:005D16D3 loc_5D16D3: ; CODE XREF: MiReloadBootLoadedDrivers(x)+1C1j
:005D16D3 cmp [ebp+var_28], 1
:005D16D7 jnz short loc_5D16FE
:005D16D9 push 0C000007Bh ; int
:005D16DE push 0C0000018h ; int
:005D16E3 push 0 ; int
:005D16E5 push offset aSysldr_0 ; "SYSLDR"
:005D16EA push eax ; ImageBase
:005D16EB call _LdrRelocateImage@20 ;
:005D16EB ; Also called by MmLoadSystemImage()
:005D16F0 test eax, eax
:005D16F2 jl loc_5E4676
:005D16F8 mov ecx, [ebp+var_2C]
:005D16FB mov eax, [ebp+ImageBase]
:005D16FE
:005D16FE loc_5D16FE: ; CODE XREF: MiReloadBootLoadedDrivers(x)+1D4j
:005D16FE push dword ptr [ebx+20h] ; Size
:005D1701 mov edx, [ebx+18h]
:005D1704 push eax ; int
:005D1705 push ecx ; int
:005D1706 push [ebp+_pInteresting_struct]; int
:005D1709 mov [ebp+var_C], edx
:005D170C mov [ebx+18h], eax
:005D170F call _MiUpdateThunks@16 ; MiUpdateThunks(x,x,x,x)
:005D1714 mov eax, [ebp+ImageBase]
:005D1717 or byte ptr [ebx+37h], 1
:005D171B mov ecx, [ebp+NtHeaders]
:005D171E mov [ebx+18h], eax
:005D1721 mov ecx, [ecx+IMAGE_NT_HEADERS32.OptionalHeader.AddressOfEntryPoint]
:005D1724 add ecx, eax
:005D1726 shl esi, 0Ch
:005D1729 push ebx
:005D172A mov [ebx+1Ch], ecx
:005D172D mov [ebx+20h], esi
:005D1730 call _MiCaptureImageExceptionValues@4 ; MiCaptureImageExceptionValues(x)
:005D1735 mov eax, [ebp+var_C]
:005D1738 shr eax, 0Ah
:005D173B and eax, 3FFFFCh
:005D1740 sub eax, 40000000h
:005D1745 mov [ebp+var_8], eax
:005D1748 call ds:__imp__KeRaiseIrqlToDpcLevel@0 ; KeRaiseIrqlToDpcLevel()
:005D174E mov [ebp+var_1], al
:005D1751 jmp short loc_5D1760
:005D1751 ; ---------------------------------------------------------------------------
:005D1753 align 4
:005D1754 aSysldr_0 db 'SYSLDR',0 ; DATA XREF: MiReloadBootLoadedDrivers(x)+1E2o
:005D175B align 10h
:005D1760
:005D1760 loc_5D1760: ; CODE XREF: MiReloadBootLoadedDrivers(x)+24Ej
:005D1760 ; MiReloadBootLoadedDrivers(x)+2ADj
:005D1760 cmp edi, [ebp+var_10]
:005D1763 jnb loc_5D14DD
:005D1769 cmp _MmMakeLowMemory, 1
:005D1770 mov ecx, _MmPfnDatabase
:005D1776 jnz loc_5E46D2
:005D177C mov eax, [ebp+var_8]
:005D177F mov esi, [eax]
:005D1781 shr esi, 0Ch
:005D1784 lea eax, [esi+esi*2]
:005D1787 lea eax, [ecx+eax*8]
:005D178A mov ecx, [eax+14h]
:005D178D and ecx, 3FFFFFFh
:005D1793 mov [ebp+ImageBase], eax
:005D1796 call @MiDecrementShareCount@4 ; MiDecrementShareCount(x)
:005D179B mov eax, [ebp+ImageBase]
:005D179E or dword ptr [eax+4], 1
:005D17A2 mov ecx, esi
:005D17A4 call @MiDecrementShareCount@4 ; MiDecrementShareCount(x)
:005D17A9 add [ebp+var_8], 4
:005D17AD
:005D17AD loc_5D17AD: ; CODE XREF: MiReloadBootLoadedDrivers(x)+13226j
:005D17AD add edi, 4
:005D17B0 jmp short loc_5D1760
:005D17B0 _MiReloadBootLoadedDrivers@4 endp
:005D17B0


:005D14F0 NextImage: ; CODE XREF: MiReloadBootLoadedDrivers(x)+23j

:005D14F0 mov ebx, [ebx]
:005D14F2 cmp ebx, [ebp+_pInteresting_struct]
:005D14F5 jnz short loopNextImage
:005D14F7 pop edi
:005D14F8 pop esi
:005D14F9
:005D14F9 _ret: ; CODE XREF: MiReloadBootLoadedDrivers(x)+18j
:005D14F9 pop ebx
:005D14FA leave
:005D14FB retn 4
:005D14FB ; END OF FUNCTION CHUNK FOR _MiReloadBootLoadedDrivers@4



blabberer
November 15th, 2008, 18:57
nt!MiReloadBootLoadedDrivers takes one parameter

Code:

kd> .fnent nt!MiReloadBootLoadedDrivers
Debugger function entry 05ed9018 for:
(806a8503) nt!MiReloadBootLoadedDrivers | (806a87b7) nt!MxConvertToLargePage
Exact matches:
nt!MiReloadBootLoadedDrivers = <no type information>

OffStart: 001d1503
ProcSize: 0x3b4
Prologue: 0x14
Params: 0n1 (0x4 bytes)
Locals: 0n14 (0x38 bytes)
Non-FPO


It is a pointer to a LOADER_PARAMETER_BLOCK.


Code:

Breakpoint 0 hit
eax=8131dd88 ebx=00000000 ecx=00000003 edx=8131c7fe esi=00000001 edi=8055aaa8
eip=806a8503 esp=80550674 ebp=805506d8 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MiReloadBootLoadedDrivers:
806a8503 8bff mov edi,edi
kd> dt -b LOADER_PARAMETER_BLOCK poi(esp+4)
testdll!LOADER_PARAMETER_BLOCK
+0x000 LoadOrderListHead : _LIST_ENTRY [ 0x8008a950 - 0x803f24a0 ]
+0x000 Flink : 0x8008a950
+0x004 Blink : 0x803f24a0
+0x008 MemoryDescriptorListHead : _LIST_ENTRY [ 0x80087138 - 0x80087270 ]
+0x000 Flink : 0x80087138
+0x004 Blink : 0x80087270
+0x010 BootDriverListHead : _LIST_ENTRY [ 0x80095128 - 0x80095bb8 ]
+0x000 Flink : 0x80095128
+0x004 Blink : 0x80095bb8
+0x018 KernelStack : 0x80550b80
+0x01c Prcb : 0
+0x020 Process : 0
+0x024 Thread : 0x80559320
+0x028 RegistryLength : 0x480000
+0x02c RegistryBase : 0x80a02000
+0x030 ConfigurationRoot : 0x80088580
+0x034 ArcBootDeviceName : 0x803f2510 "multi(0)disk(0)rdisk(0)partition(1)"
+0x038 ArcHalDeviceName : 0x803f2548 "multi(0)disk(0)rdisk(0)partition(1)"
+0x03c NtBootPathName : 0x803f2538 "\WINDOWS\"
+0x040 NtHalPathName : 0x803f2570 "\"
+0x044 LoadOptions : 0x80089300 "FASTDETECT NOEXECUTE=OPTIN DEBUG DEBUGPORT=COM1 BREAK LASTBOOTSTATUS=2"
+0x048 NlsData : 0x8008dc58
+0x04c ArcDiskInformation : 0x80089398
+0x050 OemFontFile : 0x803f01d0
+0x054 SetupLdrBlock : (null)
+0x058 Extension : 0x80087068
+0x05c u : __unnamed
+0x000 I386 : _I386_LOADER_BLOCK
+0x000 CommonDataArea : (null)
+0x004 MachineType : 0
+0x008 VirtualBias : 0
+0x000 Alpha : _ALPHA_LOADER_BLOCK
+0x000 PlaceHolder : 0
+0x000 Ia64 : _IA64_LOADER_BLOCK
+0x000 PlaceHolder : 0
+0x000 PowerPC : _PPC_LOADER_BLOCK
+0x000 BootInfo : (null)

Kayaker
November 15th, 2008, 20:54
Ah, sweet. Match that up with the ReactOS definition of MiReloadBootLoadedDrivers and the disasm starts to make sense.

http://www.koders.com/c/fid9C821527F895855A80DA07EFE73CC806FD33A5D5.aspx

http://www.nirsoft.net/kernel_struct/vista/LOADER_PARAMETER_BLOCK.html