Untitled

a guest, May 17th, 2018
By BlackBox/MotherBrain
XP Professional SP1


A trip down the crux of how the Windows operating system install process goes...


On a Windows XP SP1 install CD you have these directories:
dr-x------ 1 ubuntu ubuntu    2048 2002-09-03 19:29 SUPPORT
-r-------- 1 ubuntu ubuntu      10 2002-09-03 19:29 WIN51
dr-x------ 1 ubuntu ubuntu    2048 2002-09-03 19:29 DOCS
dr-x------ 1 ubuntu ubuntu    2048 2002-09-03 19:29 DOTNETFX
dr-x------ 1 ubuntu ubuntu  309248 2002-09-03 20:07 I386
dr-x------ 1 ubuntu ubuntu    2048 2002-09-03 20:07 VALUEADD
-r-------- 1 ubuntu ubuntu   11387 2002-09-03 20:07 SPNOTES.HTM
-r-------- 1 ubuntu ubuntu 1310720 2002-09-03 20:07 SETUP.EXE
-r-------- 1 ubuntu ubuntu    3204 2002-09-03 20:07 README.HTM
-r-------- 1 ubuntu ubuntu     110 2002-09-03 20:07 AUTORUN.INF
-r-------- 1 ubuntu ubuntu       2 2002-09-03 20:07 WIN51IP.SP1
-r-------- 1 ubuntu ubuntu      10 2002-09-03 20:07 WIN51IP
dr-x------ 1 ubuntu ubuntu    2048 2002-09-03 20:07 $OEM$

They all have some importance, but the key files are kept in I386 (they probably named it this because of the Intel i386 CPU at the time, 2001-ish :).
They are hidden in the .cab files (note: cab files are another form of zip file, i.e. compressed).
Compression methods: MSZIP (aka deflate) and Quantum, a large-window LZ compressor using arithmetic coding, licensed from its author David Stafford (I have to say this was a brilliant algorithm if you get into studying those things :)).

You can use tools like cabextract --list to list the contents, or cabextract to extract what's in the cab files.

I am not going to list all of them here.

But a very important cab file is DRIVER.CAB under the i386 folder.

Issuing cabextract --list DRIVER.CAB at the command prompt/shell gives:

Viewing cabinet: DRIVER.CAB
 File size | Date       Time     | Name
-----------+---------------------+-------------
     23552 | 17.08.2001 13:52:00 | abp480n5.sys
     12800 | 17.08.2001 13:52:02 | aha154x.sys
     26624 | 17.08.2001 13:49:02 | alifir.sys
.....


Why is DRIVER.CAB important? Because the kernel lives here before install:

   1897984 | 17.08.2001 22:24:14 | ntkrnlmp.exe
   1896704 | 17.08.2001 13:48:06 | ntkrnlpa.exe
   1869824 | 17.08.2001 13:48:10 | ntkrpamp.exe
   1982208 | 17.08.2001 22:24:20 | ntoskrnl.exe  <----here is the windows kernel :)
   1738496 | 17.08.2001 14:56:02 | nv4.dll
    731648 | 17.08.2001 12:50:26 | nv4.sys

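To make the cabinet structure concrete, here is an added example (my code, not BlackBox/MotherBrain's and not cabextract's): it builds a small cabinet in memory and then walks the CFHEADER, CFFOLDER, CFFILE and CFDATA records, which is exactly what cabextract --list has to do to print the table above. The file names and timestamps in the sample are borrowed from the DRIVER.CAB listing; the byte contents are made up, and the folder is stored uncompressed (tcompTYPE_NONE) so extraction needs no MSZIP/Quantum/LZX decoder.

```python
"""Minimal Microsoft Cabinet (.cab) parser: list entries and extract from
uncompressed folders. Added example, not code from the original paste; the
cabinet it parses is constructed in memory, so it runs without a real CD."""
import datetime
import struct

COMPRESSION = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}


def build_cabinet(files):
    """Build a single-folder cabinet with tcompTYPE_NONE (no compression).

    files: list of (name, data_bytes, datetime). Constructed test data only."""
    payload = b"".join(data for _, data, _ in files)
    # CFDATA: csum (0 = not checked), cbData, cbUncomp, then the raw bytes.
    cfdata = struct.pack("<IHH", 0, len(payload), len(payload)) + payload
    cffiles, offset = b"", 0
    for name, data, when in files:
        dos_date = ((when.year - 1980) << 9) | (when.month << 5) | when.day
        dos_time = (when.hour << 11) | (when.minute << 5) | (when.second // 2)
        # CFFILE: cbFile, uoffFolderStart, iFolder, date, time, attribs, szName\0
        cffiles += struct.pack("<IIHHHH", len(data), offset, 0, dos_date,
                               dos_time, 0x20) + name.encode("ascii") + b"\0"
        offset += len(data)
    coff_files = 36 + 8                      # CFHEADER + one CFFOLDER
    coff_data = coff_files + len(cffiles)
    cb_cabinet = coff_data + len(cfdata)
    # CFHEADER: "MSCF", reserved1, cbCabinet, reserved2, coffFiles, reserved3,
    # versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
    cfheader = struct.pack("<4sIIIIIBBHHHHH", b"MSCF", 0, cb_cabinet, 0,
                           coff_files, 0, 3, 1, 1, len(files), 0, 0x1234, 0)
    cffolder = struct.pack("<IHH", coff_data, 1, 0)   # 1 CFDATA block, type none
    return cfheader + cffolder + cffiles + cfdata


def parse_cabinet(blob):
    """Walk CFHEADER, CFFOLDER and CFFILE records; return folders and entries."""
    if blob[:4] != b"MSCF":
        raise ValueError("not a cabinet: missing MSCF signature")
    (_, cb_cabinet, _, coff_files, _, _, _, c_folders, c_files,
     flags, _, _) = struct.unpack_from("<IIIIIBBHHHHH", blob, 4)
    if len(blob) < cb_cabinet:
        raise ValueError("truncated cabinet")
    if flags & 0x0003:                       # prev/next cabinet strings present
        raise NotImplementedError("multi-cabinet sets are not handled here")
    pos, folder_reserve, data_reserve = 36, 0, 0
    if flags & 0x0004:                       # cfhdrRESERVE_PRESENT
        hdr_reserve, folder_reserve, data_reserve = struct.unpack_from("<HBB", blob, pos)
        pos += 4 + hdr_reserve
    folders = []
    for _ in range(c_folders):
        coff_data, c_cfdata, tcomp = struct.unpack_from("<IHH", blob, pos)
        folders.append({"data_off": coff_data, "blocks": c_cfdata,
                        "compression": COMPRESSION.get(tcomp & 0xF, "unknown")})
        pos += 8 + folder_reserve
    entries, pos = [], coff_files
    for _ in range(c_files):
        size, uoff, ifolder, date, tm, _attr = struct.unpack_from("<IIHHHH", blob, pos)
        pos += 16
        end = blob.index(b"\0", pos)
        name = blob[pos:end].decode("ascii")
        pos = end + 1
        when = datetime.datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                                 tm >> 11, (tm >> 5) & 0x3F, (tm & 0x1F) * 2)
        entries.append({"name": name, "size": size, "folder": ifolder,
                        "folder_off": uoff, "time": when})
    return {"folders": folders, "entries": entries, "data_reserve": data_reserve}


def list_cabinet(blob):
    """Rows in the spirit of `cabextract --list`: (size, timestamp, name)."""
    return [(e["size"], e["time"].strftime("%d.%m.%Y %H:%M:%S"), e["name"])
            for e in parse_cabinet(blob)["entries"]]


def extract_file(blob, name):
    """Extract one file. Only uncompressed folders are handled: the compressed
    types need a real decoder that carries state across CFDATA blocks."""
    cab = parse_cabinet(blob)
    entry = next((e for e in cab["entries"] if e["name"] == name), None)
    if entry is None:
        raise KeyError(name)
    folder = cab["folders"][entry["folder"]]
    if folder["compression"] != "none":
        raise NotImplementedError(folder["compression"] + " folders not handled")
    out, pos = b"", folder["data_off"]
    for _ in range(folder["blocks"]):
        _csum, cb_data, _cb_uncomp = struct.unpack_from("<IHH", blob, pos)
        pos += 8 + cab["data_reserve"]
        out += blob[pos:pos + cb_data]
        pos += cb_data
    return out[entry["folder_off"]:entry["folder_off"] + entry["size"]]


# Constructed sample: names/dates from the DRIVER.CAB listing, contents made up.
SAMPLE_CAB = build_cabinet([
    ("ntoskrnl.exe", b"MZ" + b"\x90" * 14, datetime.datetime(2001, 8, 17, 22, 24, 20)),
    ("nv4.sys", b"constructed driver bytes", datetime.datetime(2001, 8, 17, 12, 50, 26)),
])

if __name__ == "__main__":
    for size, stamp, fname in list_cabinet(SAMPLE_CAB):
        print(f"{size:>10} | {stamp} | {fname}")
```

The date/time words are plain DOS packed fields, which is why cabextract prints the same 17.08.2001 timestamps the files had when Microsoft built the cabinet; the CFFOLDER compression type is what tells you whether a folder is MSZIP, Quantum or LZX before you try to unpack it.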
Another thing you may find interesting is the extensions you will find in a .cab file... cabs in general can hold any file type, but there are a few important types in Microsoft OSs: .sys, .dll, .exe.
exe = PE executable, Microsoft's Portable Executable format
dll = user dynamic link libraries, the equivalent of Linux shared libraries (.so)
sys = kernel/user device drivers: io.sys, atapi.sys, ... and many others that you can find under the windows/system32/drivers folder in Windows XP...

I used to write a few toy drivers with the DDK back in the day :) I think they renamed the development kit for it now, though.
But the same principles exist... hardware creators use this API to create their drivers to work with Microsoft.

DLLs can be produced by Microsoft's cool Visual Studio IDE, as can EXEs.
.sys files are produced from the DDK.

So here is how the install went back when Microsoft shipped install CDs:
pop in the CD.... if you have autorun set, the CD automatically executes the instructions in autorun.inf:

[AutoRun]
open=setup.exe
icon=setup.exe,0

which then calls setup.exe.
setup.exe is responsible for giving you that blue setup screen that allows you to partition, ... install the Windows XP OS.
From here setup may load helper exe files, or it may be self-contained, dunno fully.... (but it probably calls other exe's to help in the install).

What must happen after you execute setup.exe is that it must write out the MBR, partition, and filesystem to the hard drive (NTFS is Microsoft's file system; the old one was called FAT, the File Allocation Table).
After that is created, setup must create the Windows directories, i.e. Program Files, Documents and Settings, System Volume Information, ... then extract the files from the cab files to the proper directories it created.

What confused me at first is how the CD had all the programs on it: where are they... hmm. The key was the cab files... They are important to look into :)

If you are thinking what I am thinking....
why not just create a primary partition using a free Linux OS.... make the file system on it NTFS
create a folder and put ntldr in it (make sure to look up the LBA the ntldr starts on)
copy GRUB to the MBR... set it to boot ntldr
create the Windows directories and, using the cabextract tool, copy the correct files to the correct directories
obviously ntoskrnl goes under Windows/system32 (but it will be hard to find what goes where, so if you have a spare newly installed copy you could look up the file locations and write a small script to do it for you).

Once this is all done, then in theory you should be able to load Windows....
(However, I am sure there are some restrictions that Microsoft will complain about when trying to load ntldr, but in theory, if you can get ntldr loaded at the correct address with the correct parameters, if any are passed to it,
then the rest should work, because if the files are in the proper place, ntldr is built to use these locations, i.e. windows/system32, for finding the kernel.) ntldr should do the rest, or hand off control to do the rest.
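
The steps above hinge on knowing where the partition starts on disk. As an added example (my code, not from the paste), here is a parser for the classic MBR partition table that reports each partition's start LBA and type, converts an NTFS cluster number to an absolute LBA, and emits the GRUB legacy stanza used to chainload the partition boot sector (on a normal XP install it is that boot sector, not GRUB itself, that loads ntldr). The 512-byte sector is constructed; the 8-sectors-per-cluster figure and the (hd0,0) disk numbering are assumptions to check against the real disk.

```python
"""Parse a classic MBR partition table and work out the LBA numbers a
hand-rolled install would need. Added example, not from the original paste.
The sector is constructed (one bootable NTFS primary partition starting at
sector 63), so every number here is illustrative only."""
import struct

PARTITION_TYPES = {0x00: "empty", 0x05: "extended", 0x07: "NTFS/HPFS/exFAT",
                   0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)",
                   0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}
BOOT_SIGNATURE = b"\x55\xaa"


def build_mbr(entries, boot_code=b""):
    """entries: list of (bootable, type_id, start_lba, sector_count).
    CHS fields get the 0xFE 0xFF 0xFF 'use LBA' marker modern tools write."""
    table = b""
    for bootable, type_id, start, count in entries:
        table += struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xfe\xff\xff",
                             type_id, b"\xfe\xff\xff", start, count)
    return boot_code.ljust(446, b"\0") + table.ljust(64, b"\0") + BOOT_SIGNATURE


def parse_mbr(sector, sector_size=512):
    """Return the non-empty slots with absolute start LBA and byte offsets."""
    if len(sector) < 512:
        raise ValueError("need a full 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    parts = []
    for slot in range(4):
        status, _chs_first, type_id, _chs_last, start, count = struct.unpack_from(
            "<B3sB3sII", sector, 446 + 16 * slot)
        if type_id == 0x00:
            continue
        if status not in (0x00, 0x80):
            raise ValueError(f"slot {slot}: invalid status byte {status:#04x}")
        parts.append({"slot": slot, "bootable": status == 0x80, "type_id": type_id,
                      "type": PARTITION_TYPES.get(type_id, f"unknown {type_id:#04x}"),
                      "start_lba": start, "sectors": count,
                      "start_byte": start * sector_size,
                      "size_bytes": count * sector_size})
    return parts


def cluster_to_lba(part, cluster, sectors_per_cluster=8):
    """Absolute LBA of an NTFS cluster inside `part`. 8 sectors per cluster
    (4 KiB) is an assumed default; read the real value from the NTFS boot
    sector of the volume you actually formatted."""
    return part["start_lba"] + cluster * sectors_per_cluster


def grub_legacy_stanza(part, disk=0, title="Windows XP"):
    """GRUB legacy menu.lst entry that chainloads the partition boot sector;
    the NTFS boot code in that sector is what then loads ntldr."""
    return "\n".join([f"title {title}", f"rootnoverify (hd{disk},{part['slot']})",
                      "makeactive", "chainloader +1"])


# Constructed sample: ~10 GB bootable NTFS partition starting at sector 63.
SAMPLE_MBR = build_mbr([(True, 0x07, 63, 20964762)])

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(p)
        print(grub_legacy_stanza(p))
```

The signature check matters: a sector without 0x55AA at offset 510 is not a boot sector at all, and a status byte other than 0x00 or 0x80 usually means you are reading the wrong sector or a corrupted table.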

ntldr disassembly

00000000  E9C3015253        jmp dword 0x535201c8  <---beginning jmp code of ntldr
00000005  6800600733        push dword 0x33076000
0000000A  DB8B4C03C745      fisttp dword [ebx+0x45c7034c]
00000010  0A00              or al,[eax]
00000012  00894D088B44      add [ecx+0x448b084d],cl
00000018  0B3D8000761F      or edi,[dword 0x1f760080]
0000001E  51                push ecx
0000001F  B88000FF5D        mov eax,0x5dff0080

..... on and on


ntldr does a lot of stuff, but eventually calls ntoskrnl.exe, the kernel, to load.
The kernel for XP SP1 is loaded into memory, and its starting address can be obtained with the objdump utility, part of binutils...
You can use this on Windows if you install Cygwin, or on Linux apt-get it.

ubuntu@ubuntu:/media/Windows/WINDOWS/system32$ objdump -f ntoskrnl.exe
BFD: ntoskrnl.exe: Warning: Ignoring section flag IMAGE_SCN_MEM_NOT_PAGED in section .text
BFD: ntoskrnl.exe: Warning: Ignoring section flag IMAGE_SCN_MEM_NOT_PAGED in section POOLMI
BFD: ntoskrnl.exe: Warning: Ignoring section flag IMAGE_SCN_MEM_NOT_PAGED in section MISYSPTE
BFD: ntoskrnl.exe: Warning: Ignoring section flag IMAGE_SCN_MEM_NOT_PAGED in section POOLCODE
BFD: ntoskrnl.exe: Warning: Ignoring section flag IMAGE_SCN_MEM_NOT_PAGED in section .data

ntoskrnl.exe:     file format pei-i386
architecture: i386, flags 0x0000010b:
HAS_RELOC, EXEC_P, HAS_DEBUG, D_PAGED
start address 0x005bd864

The sections in the kernel are:

ntoskrnl.exe:     file format pei-i386

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .text         00066651  00400580  00400580  00000580  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 POOLMI        00001199  00466c00  00466c00  00066c00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  2 MISYSPTE      000006cd  00467e00  00467e00  00067e00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  3 POOLCODE      0000158f  00468500  00468500  00068500  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  4 .data         00012880  00469b00  00469b00  00069b00  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  5 PAGE          000e937f  0047c380  0047c380  0007c380  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  6 PAGELK        0000d8ec  00565700  00565700  00165700  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  7 PAGEVRFY      0000e1a6  00573000  00573000  00173000  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  8 PAGEWMI       000016a2  00581200  00581200  00181200  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  9 PAGEKD        00003bd5  00582900  00582900  00182900  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 10 PAGESPEC      00000b4e  00586500  00586500  00186500  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 11 PAGEHDLS      00001d18  00587080  00587080  00187080  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 12 .edata        0000b258  00588e00  00588e00  00188e00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 13 PAGEDATA      00001594  00594080  00594080  00194080  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 14 PAGEKD        0000c021  00595680  00595680  00195680  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 15 PAGECONS      0000018c  005a1700  005a1700  001a1700  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 16 PAGEVRFC      0000341d  005a1900  005a1900  001a1900  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 17 PAGEVRFD      00000648  005a4d80  005a4d80  001a4d80  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 18 INIT          00029f54  005a5400  005a5400  001a5400  2**2
                  CONTENTS, ALLOC, LOAD, CODE
 19 .rsrc         000144a0  005cf380  005cf380  001cf380  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 20 .reloc        0000f08c  005e3880  005e3880  001e3880  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA

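objdump's "start address" is simply ImageBase plus AddressOfEntryPoint from the PE optional header, and the section table it prints is the PE section header array. Here is an added example (my code, not from the paste and not binutils) that constructs a PE32 image with headers only, using the ImageBase, entry point and a handful of section rows copied from the objdump output above, and then parses them back: it reproduces objdump's flag words, finds which section the entry point falls in (INIT, with these numbers), and lists the sections carrying IMAGE_SCN_MEM_NOT_PAGED, the flag behind the BFD warnings quoted above. The timestamp, linker version and alignment values in the builder are made up.

```python
"""Read the fields objdump -f / -h print (start address, sections) directly
from PE headers. Added example, not code from the original paste; the image
is constructed (real PE32 headers, no section bodies) with numbers copied
from the objdump output for ntoskrnl.exe so they can be compared."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_NOT_PAGED = 0x08000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_pe32(image_base, entry_rva, sections):
    """sections: list of (name, virtual_size, rva, raw_size, raw_off, flags)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # COFF header: Machine i386, NumberOfSections, TimeDateStamp (made up),
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x3B7D8400, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                   # PE32 optional header
    struct.pack_into("<HBB", opt, 0, 0x10B, 7, 0)           # Magic PE32, linker 7.0
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)             # ImageBase
    struct.pack_into("<II", opt, 32, 0x80, 0x80)            # Section/FileAlignment
    struct.pack_into("<H", opt, 68, 1)                      # Subsystem: native
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    table = b""
    for name, vsize, rva, rsize, roff, flags in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, rva,
                             rsize, roff, 0, 0, 0, 0, flags)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(blob):
    """DOS stub -> PE signature -> COFF header -> optional header -> sections."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff_off = e_lfanew + 4
    machine, nsec, _ts, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", blob, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", blob, opt_off)[0]
    if magic != 0x10B:
        raise ValueError(f"only PE32 (magic 0x10b) handled here, got {magic:#x}")
    entry_rva = struct.unpack_from("<I", blob, opt_off + 16)[0]
    image_base = struct.unpack_from("<I", blob, opt_off + 28)[0]
    sections, sec_off = [], opt_off + opt_size
    for i in range(nsec):
        name, vsize, rva, rsize, roff, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", blob, sec_off + 40 * i)
        sections.append({"idx": i, "name": name.rstrip(b"\0").decode("ascii"),
                         "size": vsize, "rva": rva, "vma": image_base + rva,
                         "raw_size": rsize, "file_off": roff, "flags": flags})
    return {"machine": machine, "image_base": image_base, "entry_rva": entry_rva,
            "start_address": image_base + entry_rva, "sections": sections}


def describe_flags(flags):
    """Approximate objdump's 'CONTENTS, ALLOC, LOAD, READONLY, CODE' line."""
    words = ["CONTENTS", "ALLOC", "LOAD"]
    if not flags & IMAGE_SCN_MEM_WRITE:
        words.append("READONLY")
    words.append("CODE" if flags & IMAGE_SCN_CNT_CODE else "DATA")
    return ", ".join(words)


def section_for_rva(pe, rva):
    for s in pe["sections"]:
        if s["rva"] <= rva < s["rva"] + max(s["size"], s["raw_size"]):
            return s
    return None


def entry_file_offset(pe):
    """File offset of the entry point: translate its RVA through its section."""
    s = section_for_rva(pe, pe["entry_rva"])
    if s is None:
        raise ValueError("entry point lies outside every section")
    return s["file_off"] + (pe["entry_rva"] - s["rva"])


def not_paged_sections(pe):
    """Sections objdump warns about: IMAGE_SCN_MEM_NOT_PAGED is a kernel-only flag."""
    return [s["name"] for s in pe["sections"] if s["flags"] & IMAGE_SCN_MEM_NOT_PAGED]


CODE_RO = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# Constructed image: sizes/offsets from the objdump listing, flags chosen to
# reproduce its output (INIT is writable code, hence no READONLY there).
SAMPLE_PE = build_pe32(0x00400000, 0x001BD864, [
    (".text",  0x66651, 0x000580, 0x66680, 0x000580, CODE_RO | IMAGE_SCN_MEM_NOT_PAGED),
    ("POOLMI", 0x01199, 0x066C00, 0x01200, 0x066C00, CODE_RO | IMAGE_SCN_MEM_NOT_PAGED),
    (".data",  0x12880, 0x069B00, 0x12880, 0x069B00, DATA_RW | IMAGE_SCN_MEM_NOT_PAGED),
    ("PAGE",   0xE937F, 0x07C380, 0xE9380, 0x07C380, CODE_RO),
    ("INIT",   0x29F54, 0x1A5400, 0x29F80, 0x1A5400,
     CODE_RO | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_DISCARDABLE),
])

if __name__ == "__main__":
    pe = parse_pe(SAMPLE_PE)
    print(f"start address {pe['start_address']:#010x}")
    for s in pe["sections"]:
        print(f"{s['idx']:>3} {s['name']:<13} {s['size']:08x}  {s['vma']:08x}  {s['file_off']:08x}")
        print(" " * 18 + describe_flags(s["flags"]))
```

With the paste's numbers the entry point RVA 0x1bd864 lands inside INIT (VMA 0x5a5400, size 0x29f54), the discardable section that holds kernel start-up code; that is worth knowing when you compare objdump -d output against what is actually resident after boot.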
One can even disassemble the kernel's code with objdump -d ntoskrnl.exe:

ntoskrnl.exe:     file format pei-i386


Disassembly of section .text:

00400580 <.text>:
  400580:   14 ec                   adc    $0xec,%al ; imagine modifying this to jmp to itself over and over again :)
  400582:   1c 00                   sbb    $0x0,%al
  400584:   2e                      cs
  400585:   ec                      in     (%dx),%al
  400586:   1c 00                   sbb    $0x0,%al
  400588:   48                      dec    %eax
  400589:   ec                      in     (%dx),%al
  40058a:   1c 00                   sbb    $0x0,%al

... on and on


Another cool fact is:
ubuntu@ubuntu:/media/Windows/WINDOWS/system32$ ls -ltr | grep ntoskrnl
-rwxrwxrwx 1 ubuntu ubuntu  2042240 2002-09-03 19:50 ntoskrnl.exe
-rwxrwxrwx 1 ubuntu ubuntu 30761398 2012-01-05 19:26 ntoskrnl.s

The disassembled source is about 15 times larger than the binary it came from. (That is using objdump -D ntoskrnl.exe, which disassembles everything, not just the .text segment.) (stupid me :)

And also, the kernel should load into just over 2MB of memory, so why the requirements of 64MB, 128MB, ...etc.? Because mapped I/O for PCI, USB and VGA devices takes up a lot of additional space (MMIO is usually a memory pig).

Hopefully this inspires people to start becoming expert asm guys.... at least it did for me.