- By BlackBox/MotherBrain
- XP professional SP1
- A trip down the crux of how the Windows operating system install process goes...
- On the Windows XP SP1 install CD...
- you have these directories:
- dr-x------ 1 ubuntu ubuntu 2048 2002-09-03 19:29 SUPPORT
- -r-------- 1 ubuntu ubuntu 10 2002-09-03 19:29 WIN51
- dr-x------ 1 ubuntu ubuntu 2048 2002-09-03 19:29 DOCS
- dr-x------ 1 ubuntu ubuntu 2048 2002-09-03 19:29 DOTNETFX
- dr-x------ 1 ubuntu ubuntu 309248 2002-09-03 20:07 I386
- dr-x------ 1 ubuntu ubuntu 2048 2002-09-03 20:07 VALUEADD
- -r-------- 1 ubuntu ubuntu 11387 2002-09-03 20:07 SPNOTES.HTM
- -r-------- 1 ubuntu ubuntu 1310720 2002-09-03 20:07 SETUP.EXE
- -r-------- 1 ubuntu ubuntu 3204 2002-09-03 20:07 README.HTM
- -r-------- 1 ubuntu ubuntu 110 2002-09-03 20:07 AUTORUN.INF
- -r-------- 1 ubuntu ubuntu 2 2002-09-03 20:07 WIN51IP.SP1
- -r-------- 1 ubuntu ubuntu 10 2002-09-03 20:07 WIN51IP
- dr-x------ 1 ubuntu ubuntu 2048 2002-09-03 20:07 $OEM$
- They all have some importance,
- but the key files are kept in I386 (they probably named it this because of the Intel i386 CPU of the time, 2001-ish :)
- They are hidden in the .cab files (note: cab files are another form of archive, i.e. compressed, like zip)
- compression methods: MSZIP (aka deflate) and Quantum, a large-window LZ compressor using arithmetic coding, licensed from its author David Stafford (I have to say this was a brilliant algorithm if you get into studying those things :))
- You can use tools like cabextract --list to list the contents, or cabextract to extract what's in the cab files
- I am not going to list all of them here,
- but a very important cab file is the DRIVER.CAB file under the I386 folder.
- Issuing cabextract --list DRIVER.CAB at the command prompt/shell gives:
- Viewing cabinet: DRIVER.CAB
- File size | Date Time | Name
- -----------+---------------------+-------------
- 23552 | 17.08.2001 13:52:00 | abp480n5.sys
- 12800 | 17.08.2001 13:52:02 | aha154x.sys
- 26624 | 17.08.2001 13:49:02 | alifir.sys
- .....
- Why is DRIVER.CAB important? Because the kernel lives here before install:
- 1897984 | 17.08.2001 22:24:14 | ntkrnlmp.exe
- 1896704 | 17.08.2001 13:48:06 | ntkrnlpa.exe
- 1869824 | 17.08.2001 13:48:10 | ntkrpamp.exe
- 1982208 | 17.08.2001 22:24:20 | ntoskrnl.exe <----here is the windows kernel :)
- 1738496 | 17.08.2001 14:56:02 | nv4.dll
- 731648 | 17.08.2001 12:50:26 | nv4.sys
- Another thing you may find interesting is the extensions you will find in a .cab file... cabs in general can hold any file type, but there are a few important types in Microsoft OSes: .sys, .dll, .exe
- exe = PE executable, this is Microsoft's Portable Executable format
- dll = user-mode dynamic link libraries, the equivalent of Linux shared libraries (.so)
- sys = kernel/user device drivers: io.sys, atapi.sys, ...and many others that you can find under the windows/system32/drivers folder in Windows XP...
- I used to write a few toy drivers with the DDK back in the day :0 I think they have renamed the development kit for it now, though.
- But the same principles exist... hardware makers use this API to create their drivers to work with Microsoft.
- DLLs can be produced by Microsoft's cool Visual Studio IDE, as well as EXEs.
- .sys files are produced with the DDK.
- So here is how the install went back when Microsoft shipped install CDs:
- pop in the CD.... if you have autorun set, the CD automatically executes the instructions in autorun.inf:
- [AutoRun]
- open=setup.exe
- icon=setup.exe,0
- which then calls setup.exe
- setup.exe is responsible for giving you that blue setup screen that allows you to partition, ... and install the Windows XP OS
- from here setup may load helper exe files, or it may be self-contained, I don't know fully.... (but it probably calls other exes to help in the install)
- what must happen after you execute setup.exe is that it must write out the MBR, partition table, and filesystem to the hard drive (NTFS is Microsoft's file system; the old one was called FAT, file allocation table)
- After that is created, setup must create the Windows directories, i.e. Program Files, Documents and Settings, System Volume Information, ... then extract the files from the cab files to the proper directories it created.
- What confused me at first is how the CD had all the programs on it, where are they... hmm. The key was the cab files... They are important to look into :)
- If you are thinking what I am thinking....
- why not just create a primary partition using a free Linux OS.... make the file system on it NTFS
- create a folder and put ntldr in it (make sure to look up the LBA that ntldr starts on)
- copy grub to the MBR... set it to boot ntldr
- create the Windows directories and, using the cabextract tool, copy the correct files to the correct directories
- obviously ntoskrnl goes under Windows/system32 (but it will be hard to find what goes where, so if you have a spare newly installed copy you could look up each file there and write a small script to do it for you).
- Once this is all done, then in theory you should be able to load Windows....
- (However, I am sure there are some restrictions that Microsoft will complain about when trying to load ntldr, but in theory if you can get ntldr loaded at the correct address with the correct parameters, if any are passed to it,
- then the rest should work, because if the files are in the proper place ntldr is built to use these locations, i.e. windows/system32 for finding the kernel.) ntldr should do the rest or hand off control to do the rest.
- ntldr disassembly:
- 00000000 E9C3015253 jmp dword 0x535201c8 <---beginning jmp code of ntldr
- 00000005 6800600733 push dword 0x33076000
- 0000000A DB8B4C03C745 fisttp dword [ebx+0x45c7034c]
- 00000010 0A00 or al,[eax]
- 00000012 00894D088B44 add [ecx+0x448b084d],cl
- 00000018 0B3D8000761F or edi,[dword 0x1f760080]
- 0000001E 51 push ecx
- 0000001F B88000FF5D mov eax,0x5dff0080
- ..... on and on
- ntldr does a lot of stuff but eventually calls ntoskrnl.exe, the kernel, to load.
- The kernel for XP SP1 is loaded into memory, and its starting address is obtained with the objdump utility, part of binutils...
- You can use this on Windows if you install Cygwin, or on Linux apt-get it.
- ubuntu@ubuntu:/media/Windows/WINDOWS/system32$ objdump -f ntoskrnl.exe
- BFD: ntoskrnl.exe: Warning: Ignoring section flag IMAGE_SCN_MEM_NOT_PAGED in section .text
- BFD: ntoskrnl.exe: Warning: Ignoring section flag IMAGE_SCN_MEM_NOT_PAGED in section POOLMI
- BFD: ntoskrnl.exe: Warning: Ignoring section flag IMAGE_SCN_MEM_NOT_PAGED in section MISYSPTE
- BFD: ntoskrnl.exe: Warning: Ignoring section flag IMAGE_SCN_MEM_NOT_PAGED in section POOLCODE
- BFD: ntoskrnl.exe: Warning: Ignoring section flag IMAGE_SCN_MEM_NOT_PAGED in section .data
- ntoskrnl.exe: file format pei-i386
- architecture: i386, flags 0x0000010b:
- HAS_RELOC, EXEC_P, HAS_DEBUG, D_PAGED
- start address 0x005bd864
- The sections in the kernel are:
- ntoskrnl.exe: file format pei-i386
- Sections:
- Idx Name Size VMA LMA File off Algn
- 0 .text 00066651 00400580 00400580 00000580 2**2
- CONTENTS, ALLOC, LOAD, READONLY, CODE
- 1 POOLMI 00001199 00466c00 00466c00 00066c00 2**2
- CONTENTS, ALLOC, LOAD, READONLY, CODE
- 2 MISYSPTE 000006cd 00467e00 00467e00 00067e00 2**2
- CONTENTS, ALLOC, LOAD, READONLY, CODE
- 3 POOLCODE 0000158f 00468500 00468500 00068500 2**2
- CONTENTS, ALLOC, LOAD, READONLY, CODE
- 4 .data 00012880 00469b00 00469b00 00069b00 2**2
- CONTENTS, ALLOC, LOAD, DATA
- 5 PAGE 000e937f 0047c380 0047c380 0007c380 2**2
- CONTENTS, ALLOC, LOAD, READONLY, CODE
- 6 PAGELK 0000d8ec 00565700 00565700 00165700 2**2
- CONTENTS, ALLOC, LOAD, READONLY, CODE
- 7 PAGEVRFY 0000e1a6 00573000 00573000 00173000 2**2
- CONTENTS, ALLOC, LOAD, READONLY, CODE
- 8 PAGEWMI 000016a2 00581200 00581200 00181200 2**2
- CONTENTS, ALLOC, LOAD, READONLY, CODE
- 9 PAGEKD 00003bd5 00582900 00582900 00182900 2**2
- CONTENTS, ALLOC, LOAD, READONLY, CODE
- 10 PAGESPEC 00000b4e 00586500 00586500 00186500 2**2
- CONTENTS, ALLOC, LOAD, READONLY, CODE
- 11 PAGEHDLS 00001d18 00587080 00587080 00187080 2**2
- CONTENTS, ALLOC, LOAD, READONLY, CODE
- 12 .edata 0000b258 00588e00 00588e00 00188e00 2**2
- CONTENTS, ALLOC, LOAD, READONLY, DATA
- 13 PAGEDATA 00001594 00594080 00594080 00194080 2**2
- CONTENTS, ALLOC, LOAD, DATA
- 14 PAGEKD 0000c021 00595680 00595680 00195680 2**2
- CONTENTS, ALLOC, LOAD, DATA
- 15 PAGECONS 0000018c 005a1700 005a1700 001a1700 2**2
- CONTENTS, ALLOC, LOAD, DATA
- 16 PAGEVRFC 0000341d 005a1900 005a1900 001a1900 2**2
- CONTENTS, ALLOC, LOAD, READONLY, DATA
- 17 PAGEVRFD 00000648 005a4d80 005a4d80 001a4d80 2**2
- CONTENTS, ALLOC, LOAD, DATA
- 18 INIT 00029f54 005a5400 005a5400 001a5400 2**2
- CONTENTS, ALLOC, LOAD, CODE
- 19 .rsrc 000144a0 005cf380 005cf380 001cf380 2**2
- CONTENTS, ALLOC, LOAD, READONLY, DATA
- 20 .reloc 0000f08c 005e3880 005e3880 001e3880 2**2
- CONTENTS, ALLOC, LOAD, READONLY, DATA
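- As an added example (not from the original paste), here is a small Python parser for the PE headers that objdump -f and the section table above are read from. The sample image is constructed in the block from three of the section rows above (.text, .data, INIT) and the start address 0x005bd864; it shows the start address is ImageBase + AddressOfEntryPoint, that the entry point lands in INIT rather than .text, and which sections carry the IMAGE_SCN_MEM_NOT_PAGED bit that BFD warns about. Checking which section holds the entry point is a standard triage step: an entry point outside every code section, or in a writable one, is a red flag worth a closer look.

```python
import struct

# Section Characteristics bits (PE/COFF spec); NOT_PAGED is the flag the BFD warnings above refer to.
SCN_CODE, SCN_NOT_PAGED, SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20, 0x08000000, 0x20000000, 0x40000000, 0x80000000

def parse_pe32(data):
    """Return (image_base, entry_rva, sections) from the headers of a PE32 (32-bit) image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe, = struct.unpack_from("<I", data, 0x3C)                 # e_lfanew: offset of "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)  # COFF file header
    opt = pe + 24                                               # optional header follows the COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images handled")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)      # AddressOfEntryPoint
    image_base, = struct.unpack_from("<I", data, opt + 28)     # ImageBase
    sections = []
    for i in range(nsec):                                       # one 40-byte header per section
        name, vsize, va, rawsz, rawptr, _, _, _, _, ch = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, rawsz), rawptr, ch))
    return image_base, entry_rva, sections

def entry_section(data):
    """Section holding AddressOfEntryPoint; None means the entry lies outside every section."""
    _, rva, secs = parse_pe32(data)
    return next((name for name, va, size, _, _ in secs if va <= rva < va + size), None)

def sections_with(data, flag):
    """Names of sections whose Characteristics carry the given bit."""
    return [name for name, _, _, _, ch in parse_pe32(data)[2] if ch & flag]

def build_sample_pe32(image_base, entry_rva, secs):
    """Constructed headers-only PE32 for this demo (no section bodies, no real code)."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 64)    # e_lfanew = 64: PE header right after
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x0102)  # i386, EXECUTABLE|32BIT
    opt = struct.pack("<HxxIIIIIII", 0x10B, 0, 0, 0, entry_rva, 0, 0, image_base).ljust(224, b"\0")
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), size, va, size, off,
                                0, 0, 0, 0, ch) for n, va, size, off, ch in secs)
    return dos + b"PE\0\0" + coff + opt + hdrs

# Sample layout copied from the objdump section table above (three of ntoskrnl's 21 sections).
CODE_RX = SCN_CODE | SCN_EXECUTE | SCN_READ
SAMPLE = build_sample_pe32(0x400000, 0x1BD864, [              # 0x400000 + 0x1bd864 = start address
    (".text", 0x000580, 0x66651, 0x000580, CODE_RX | SCN_NOT_PAGED),
    (".data", 0x069B00, 0x12880, 0x069B00, 0x40 | SCN_READ | SCN_WRITE | SCN_NOT_PAGED),  # 0x40 = INITIALIZED_DATA
    ("INIT",  0x1A5400, 0x29F54, 0x1A5400, CODE_RX | SCN_WRITE),
])
```

Run it against the real ntoskrnl.exe by passing open(path, "rb").read() in place of SAMPLE; the section sizes here are the VMA/Size columns from the table above, so the entry check reproduces what objdump reports.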
- One can even disassemble the code for the kernel with objdump -d ntoskrnl.exe:
- ntoskrnl.exe: file format pei-i386
- Disassembly of section .text:
- 00400580 <.text>:
- 400580: 14 ec adc $0xec,%al ; imagine modifying this to jmp to itself over and over again :)
- 400582: 1c 00 sbb $0x0,%al
- 400584: 2e cs
- 400585: ec in (%dx),%al
- 400586: 1c 00 sbb $0x0,%al
- 400588: 48 dec %eax
- 400589: ec in (%dx),%al
- 40058a: 1c 00 sbb $0x0,%al
- ... on and on
- Another cool fact:
- ubuntu@ubuntu:/media/Windows/WINDOWS/system32$ ls -ltr | grep ntoskrnl
- -rwxrwxrwx 1 ubuntu ubuntu 2042240 2002-09-03 19:50 ntoskrnl.exe
- -rwxrwxrwx 1 ubuntu ubuntu 30761398 2012-01-05 19:26 ntoskrnl.s
- The disassembled source is about 15 times larger than the binary. (That is using objdump -D ntoskrnl.exe, which disassembles everything, not just the .text segment) (stupid me :)
- And also, the kernel should load into just over 2MB of memory, so why the requirements of 64MB, 128MB, ...etc.? Because memory-mapped I/O for PCI, USB, VGA devices takes up a lot of additional address space (MMIO is usually a memory pig).
- Hopefully this inspires people to start becoming expert asm guys.... at least it did for me.