NTLoader low memory use?


filofel
02-21-2006, 05:43 AM
Hi,

I'm trying to figure out the minimum amount of RAM that NTLoader requires under the A000h limit to load, execute properly and ultimately boot NT / Win2k / XP (assuming that there's plenty of RAM available above the low 1 meg, of course).

I have considered disassembling parts of NTLoader, but after some looking into it, I realized that it was a pseudo .com file, followed by a rather large PE. Even with the (considerable) help of our old friend IDA, that would be a daunting task.

After looking around, finding and reading Andrea Geddon's great paper "Understanding Windows 2K Sources (part 1)", I realized that
1) there were other ways to attack the problem :-)
2) it had already been done the right way and studied by some smart cookies.

So far, I only know that NTLoader itself is loaded at 2000 (thanks Andrea), and that its load size is likely to be in the 200+K. But that doesn't take into account the amount of RAM that it might insist on using in the low RAM area.
If worse comes to worst, I have the empirical (and labor-intensive for a start) solution of loading a small piece of code just below A000 that would hook into the Int 15h SMAP call and return fake SMAP information, reducing the available segment below A000 until NTLoader refuses to... NTLoad.

If someone here had part or all of the answer at hand, I would really appreciate it!

Thanks in advance!

rwid
02-21-2006, 08:02 AM
Hi there!

The 16-bit ".com" portion of XP's NtLoader has a minimum memory check that ensures that at least 512Kb of low memory is present before continuing. The 16-bit portion of NtLoader doesn't actually use any lower memory above NtLoader's memory image. Some memory descriptors are set up in the 32-bit NtLoader code that describe memory ranges used by the loader and OS. The memory descriptors for lower memory appear to end at the 392Kb boundary. So from what I understand so far, it could get by with less than 512Kb, if it weren't for that check. Though I could be wrong, I have a long way to go in the NtLoader's 32-bit code...

cya,
rwid.

filofel
02-21-2006, 11:35 AM
rwid,

That's precisely the information I was after.

I'm sure I can give it the low 512K, even if it only uses 392.
That leaves me more space than I need to put my stuff in (even with the whole greedy PXE stack active up there).

Thanks a lot! /Ph.