Untitled

a guest
May 17th, 2018
By BlackBox/MotherBrain
XP Professional SP1


A trip down the crux of how the Windows operating system install process goes...


On the Windows XP SP1 install CD...
you have these directories:
dr-x------ 1 ubuntu ubuntu 2048 2002-09-03 19:29 SUPPORT
-r-------- 1 ubuntu ubuntu 10 2002-09-03 19:29 WIN51
dr-x------ 1 ubuntu ubuntu 2048 2002-09-03 19:29 DOCS
dr-x------ 1 ubuntu ubuntu 2048 2002-09-03 19:29 DOTNETFX
dr-x------ 1 ubuntu ubuntu 309248 2002-09-03 20:07 I386
dr-x------ 1 ubuntu ubuntu 2048 2002-09-03 20:07 VALUEADD
-r-------- 1 ubuntu ubuntu 11387 2002-09-03 20:07 SPNOTES.HTM
-r-------- 1 ubuntu ubuntu 1310720 2002-09-03 20:07 SETUP.EXE
-r-------- 1 ubuntu ubuntu 3204 2002-09-03 20:07 README.HTM
-r-------- 1 ubuntu ubuntu 110 2002-09-03 20:07 AUTORUN.INF
-r-------- 1 ubuntu ubuntu 2 2002-09-03 20:07 WIN51IP.SP1
-r-------- 1 ubuntu ubuntu 10 2002-09-03 20:07 WIN51IP
dr-x------ 1 ubuntu ubuntu 2048 2002-09-03 20:07 $OEM$

They all have some importance,
but the key files are kept in I386 (they probably named it this because of the Intel i386 CPU at the time, 2001-ish :)
They are hidden in the .cab files (note: cab files are another form of zip file, i.e. compressed).
Compression methods: MSZIP (aka deflate) and Quantum, a large-window LZ compressor using arithmetic coding, licensed from its author David Stafford (I have to say this was a brilliant algorithm if you get into studying those things :))

You can use tools like cabextract to list (cabextract --list) or extract the contents of the cab files.

I am not going to list all of them here.

But a very important cab file is the DRIVER.CAB file under the i386 folder.

Issuing cabextract --list DRIVER.CAB at the command prompt/shell gives:

Viewing cabinet: DRIVER.CAB
File size | Date Time | Name
-----------+---------------------+-------------
23552 | 17.08.2001 13:52:00 | abp480n5.sys
12800 | 17.08.2001 13:52:02 | aha154x.sys
26624 | 17.08.2001 13:49:02 | alifir.sys
.....


Why is DRIVER.CAB important? Because the kernel lives here before install:

1897984 | 17.08.2001 22:24:14 | ntkrnlmp.exe
1896704 | 17.08.2001 13:48:06 | ntkrnlpa.exe
1869824 | 17.08.2001 13:48:10 | ntkrpamp.exe
1982208 | 17.08.2001 22:24:20 | ntoskrnl.exe <----here is the windows kernel :)
1738496 | 17.08.2001 14:56:02 | nv4.dll
731648 | 17.08.2001 12:50:26 | nv4.sys

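As an added example (not part of the original paste), here is a small Python reader for the CAB directory: the CFHEADER, CFFOLDER and CFFILE records that cabextract --list walks to print the size / date / name table above. It returns each file's size, DOS-packed date and time, name and the compression method of the folder it sits in, and it rejects a missing MSCF signature, a cbCabinet field that disagrees with the real file size, and a file entry that points at a folder which does not exist. The input is a constructed one-folder MSZIP cabinet whose two directory entries mirror the DRIVER.CAB listing; no CFDATA blocks are appended, so only the directory is parsed.

```python
import struct
from datetime import datetime

COMPRESSION = {0: "NONE", 1: "MSZIP", 2: "QUANTUM", 3: "LZX"}  # low nibble of CFFOLDER.typeCompress

def _cstr(data, off):
    end = data.index(b"\0", off)
    return data[off:end].decode("latin-1"), end + 1

def parse_cab(data):
    """Read CFHEADER, CFFOLDERs and CFFILEs (the directory) without touching CFDATA blocks."""
    sig, _, cb, _, coff_files, _, _, _, n_fold, n_files, flags, _, _ = struct.unpack_from("<4sIIIIIBBHHHHH", data, 0)
    if sig != b"MSCF":
        raise ValueError("not a cabinet: missing MSCF signature")
    if cb != len(data):
        raise ValueError("cbCabinet says %d bytes, file is %d" % (cb, len(data)))
    off, fold_reserve = 36, 0
    if flags & 0x4:  # cfhdrRESERVE_PRESENT: sizes of the per-header/folder/data reserve areas
        cb_hdr, fold_reserve, _ = struct.unpack_from("<HBB", data, off)
        off += 4 + cb_hdr
    for bit in (0x1, 0x2):  # cfhdrPREV_CABINET / cfhdrNEXT_CABINET: szCabinet + szDisk strings
        for _ in range(2 if flags & bit else 0):
            _, off = _cstr(data, off)
    folders = []
    for _ in range(n_fold):
        start, n_blocks, ctype = struct.unpack_from("<IHH", data, off)
        folders.append((start, n_blocks, COMPRESSION.get(ctype & 0xF, "UNKNOWN")))
        off += 8 + fold_reserve
    files, off = [], coff_files
    for _ in range(n_files):
        size, _, ifold, d, t, _ = struct.unpack_from("<IIHHHH", data, off)
        name, off = _cstr(data, off + 16)
        if ifold >= n_fold and ifold < 0xFFFD:  # 0xFFFD..0xFFFF mean "continued from/to another cabinet"
            raise ValueError("%s points at missing folder %d" % (name, ifold))
        comp = folders[ifold][2] if ifold < n_fold else "CONTINUED"
        when = datetime((d >> 9) + 1980, (d >> 5) & 0xF, d & 0x1F, t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)
        files.append((size, when.strftime("%d.%m.%Y %H:%M:%S"), name, comp))
    return files

def build_sample_cab():
    """Constructed one-folder MSZIP cabinet whose directory mirrors two DRIVER.CAB entries (no CFDATA appended)."""
    entries = [(23552, "abp480n5.sys", 11025, 28288), (1982208, "ntoskrnl.exe", 11025, 45834)]
    cffiles, uoff = b"", 0
    for size, name, d, t in entries:  # d/t are DOS-packed 17.08.2001 13:52:00 and 22:24:20
        cffiles += struct.pack("<IIHHHH", size, uoff, 0, d, t, 0x20) + name.encode() + b"\0"
        uoff += size
    body = struct.pack("<IHH", 44 + len(cffiles), 0, 1) + cffiles  # CFFOLDER: typeCompress 1 = MSZIP
    return struct.pack("<4sIIIIIBBHHHHH", b"MSCF", 0, 36 + len(body), 0, 44, 0, 3, 1, 1, len(entries), 0, 0x1234, 0) + body
```

Run parse_cab on a real DRIVER.CAB to get the same table cabextract prints, plus which compression method each file's folder uses.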
Another thing you may find interesting is the extensions you will find in a .cab file... cabs in general can hold any file type, but there are a few important types in Microsoft OSs: .sys, .dll, .exe
exe = PE executable, this is Microsoft's Portable Executable format
dll = dynamic link libraries, the equivalent of Linux shared libraries (.so)
sys = kernel/user device drivers: io.sys, atapi.sys, ...and many others that you can find under the windows/system32/drivers folder in Windows XP...

I used to write a few toy drivers with the DDK back in the day :0 I think they renamed the development kit for it though now.
But the same principles exist... hardware creators use this API to create their drivers to work with Microsoft.

DLLs can be produced by Microsoft's cool Visual Studio IDE, as well as EXEs.
.sys files are produced from the DDK.

So here is how the install went back when Microsoft shipped install CDs:
pop in the CD.... if you have autorun set, the CD automatically executes the instructions in autorun.inf

[AutoRun]
open=setup.exe
icon=setup.exe,0

which then calls setup.exe.
setup.exe is responsible for giving you that blue setup screen that allows you to partition, ... and install the Windows XP OS.
From here setup may load helper exe files, or it may be self-contained, dunno fully.... (but it probably calls other exes to help in the install)

What must happen after you execute setup.exe is that it must write out the MBR, partition table and filesystem to the hard drive (NTFS is Microsoft's file system; the old one was called FAT, file allocation table).
After that is created, setup must create the Windows directories, i.e. Program Files, Documents and Settings, System Volume Information, ... then extract the files from the cab files to the proper directories it created.

What confused me at first is how the CD had all the programs on it... where are they... hmmm. The key was the cab files... They are important to look into :)

If you are thinking what I am thinking....
why not just create a primary partition using a free Linux OS.... make the file system on it NTFS,
create a folder and put ntldr in it (make sure to look up the LBA the ntldr starts on),
copy GRUB to the MBR... set it to boot ntldr,
create the Windows directories and, using the cabextract tool, copy the correct files to the correct directories.
Obviously ntoskrnl goes under Windows/system32 (but it will be hard to find what goes where, so if you have a spare newly installed copy you could look up each file and write a small script to do it for you).

Once this is all done then in theory you should be able to load Windows....
(However I am sure there are some restrictions that Microsoft will complain about when trying to load the ntldr, but in theory if you can get the ntldr to load at the correct address with the correct parameters, if any are passed to it,
then the rest should work, because if the files are in the proper place the ntldr is built to use these locations, i.e. windows/system32 for finding the kernel.) ntldr should do the rest or hand off control to do the rest.

ntldr disassembly

00000000 E9C3015253 jmp dword 0x535201c8 <---beginning jmp code of ntldr
00000005 6800600733 push dword 0x33076000
0000000A DB8B4C03C745 fisttp dword [ebx+0x45c7034c]
00000010 0A00 or al,[eax]
00000012 00894D088B44 add [ecx+0x448b084d],cl
00000018 0B3D8000761F or edi,[dword 0x1f760080]
0000001E 51 push ecx
0000001F B88000FF5D mov eax,0x5dff0080

..... on and on


ntldr does a lot of stuff but eventually calls ntoskrnl.exe, the kernel, to load.
The kernel for XP SP1 is loaded into memory, and its starting address can be obtained with the objdump utility, part of binutils...
You can use this on Windows if you install Cygwin, or on Linux apt-get it.

ubuntu@ubuntu:/media/Windows/WINDOWS/system32$ objdump -f ntoskrnl.exe
BFD: ntoskrnl.exe: Warning: Ignoring section flag IMAGE_SCN_MEM_NOT_PAGED in section .text
BFD: ntoskrnl.exe: Warning: Ignoring section flag IMAGE_SCN_MEM_NOT_PAGED in section POOLMI
BFD: ntoskrnl.exe: Warning: Ignoring section flag IMAGE_SCN_MEM_NOT_PAGED in section MISYSPTE
BFD: ntoskrnl.exe: Warning: Ignoring section flag IMAGE_SCN_MEM_NOT_PAGED in section POOLCODE
BFD: ntoskrnl.exe: Warning: Ignoring section flag IMAGE_SCN_MEM_NOT_PAGED in section .data

ntoskrnl.exe: file format pei-i386
architecture: i386, flags 0x0000010b:
HAS_RELOC, EXEC_P, HAS_DEBUG, D_PAGED
start address 0x005bd864

The sections in the kernel are:

ntoskrnl.exe: file format pei-i386

Sections:
Idx Name Size VMA LMA File off Algn
0 .text 00066651 00400580 00400580 00000580 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
1 POOLMI 00001199 00466c00 00466c00 00066c00 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
2 MISYSPTE 000006cd 00467e00 00467e00 00067e00 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
3 POOLCODE 0000158f 00468500 00468500 00068500 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
4 .data 00012880 00469b00 00469b00 00069b00 2**2
CONTENTS, ALLOC, LOAD, DATA
5 PAGE 000e937f 0047c380 0047c380 0007c380 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
6 PAGELK 0000d8ec 00565700 00565700 00165700 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
7 PAGEVRFY 0000e1a6 00573000 00573000 00173000 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
8 PAGEWMI 000016a2 00581200 00581200 00181200 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
9 PAGEKD 00003bd5 00582900 00582900 00182900 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
10 PAGESPEC 00000b4e 00586500 00586500 00186500 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
11 PAGEHDLS 00001d18 00587080 00587080 00187080 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
12 .edata 0000b258 00588e00 00588e00 00188e00 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
13 PAGEDATA 00001594 00594080 00594080 00194080 2**2
CONTENTS, ALLOC, LOAD, DATA
14 PAGEKD 0000c021 00595680 00595680 00195680 2**2
CONTENTS, ALLOC, LOAD, DATA
15 PAGECONS 0000018c 005a1700 005a1700 001a1700 2**2
CONTENTS, ALLOC, LOAD, DATA
16 PAGEVRFC 0000341d 005a1900 005a1900 001a1900 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
17 PAGEVRFD 00000648 005a4d80 005a4d80 001a4d80 2**2
CONTENTS, ALLOC, LOAD, DATA
18 INIT 00029f54 005a5400 005a5400 001a5400 2**2
CONTENTS, ALLOC, LOAD, CODE
19 .rsrc 000144a0 005cf380 005cf380 001cf380 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
20 .reloc 0000f08c 005e3880 005e3880 001e3880 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA



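Added example, not from the original paste: a Python reader for the PE32 headers that the objdump -f start address and the section table above come from. It computes the start address as ImageBase + AddressOfEntryPoint, lists each section's VMA and size, reports which section actually holds the entry point, and flags any section mapped both writable and executable, which is a check worth running on an image before trusting it. The input is a constructed two-section file built inline: its .text and INIT addresses and sizes are copied from the dump above, but the COFF Characteristics value (0x0102), the raw sizes and the section flags are my assumptions, and no code bytes are present, so it is not a real ntoskrnl.exe.

```python
import struct

SCN_CODE, SCN_NOT_PAGED = 0x00000020, 0x08000000
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000

def parse_pe(data):
    """Return machine, image base, start address and sections [(name, vma, size, raw_off, flags)] of a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ stub")
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew: offset of the PE signature
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    magic = struct.unpack_from("<H", data, pe + 24)[0]
    if magic != 0x10B:
        raise ValueError("not PE32 (optional header magic 0x%x)" % magic)
    entry_rva = struct.unpack_from("<I", data, pe + 40)[0]  # AddressOfEntryPoint
    base = struct.unpack_from("<I", data, pe + 52)[0]       # ImageBase (PE32 layout)
    sections = []
    for i in range(nsec):  # 40-byte IMAGE_SECTION_HEADER records follow the optional header
        name, vsize, rva, _, rawoff, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, pe + 24 + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), base + rva, vsize, rawoff, flags))
    return {"machine": machine, "base": base, "start": base + entry_rva, "sections": sections}

def audit(image):
    """Name the section containing the entry point, and list sections mapped writable + executable."""
    start = image["start"]
    holder = next((n for n, vma, sz, _, _ in image["sections"] if vma <= start < vma + sz), None)
    wx = [n for n, _, _, _, f in image["sections"] if f & SCN_WRITE and f & SCN_EXEC]
    return holder, wx

def build_sample_pe():
    """Constructed PE32 with ntoskrnl-like .text and INIT sections; entry 0x5bd864 lands in INIT (no code bytes)."""
    nsec, opt_size = 2, 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)  # i386; EXECUTABLE_IMAGE | 32BIT (assumed)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x1BD864) + b"\0" * 8 + struct.pack("<I", 0x400000)
    opt += b"\0" * (opt_size - len(opt))
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x66651, 0x580, 0x66700, 0x580, 0, 0, 0, 0, SCN_CODE | SCN_EXEC | SCN_READ | SCN_NOT_PAGED)
    secs += struct.pack("<8sIIIIIIHHI", b"INIT", 0x29F54, 0x1A5400, 0x2A000, 0x1A5400, 0, 0, 0, 0, SCN_CODE | SCN_EXEC | SCN_READ | SCN_WRITE)
    return dos + b"PE\0\0" + coff + opt + secs

if __name__ == "__main__":
    img = parse_pe(build_sample_pe())
    print("start address 0x%08x, entry in %s, writable+executable: %s" % (img["start"], *audit(img)))
```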
One can even disassemble the code for the kernel with objdump -d ntoskrnl.exe:

ntoskrnl.exe: file format pei-i386


Disassembly of section .text:

00400580 <.text>:
400580: 14 ec adc $0xec,%al ; imagine modifying this to jmp to itself over and over again :)
400582: 1c 00 sbb $0x0,%al
400584: 2e cs
400585: ec in (%dx),%al
400586: 1c 00 sbb $0x0,%al
400588: 48 dec %eax
400589: ec in (%dx),%al
40058a: 1c 00 sbb $0x0,%al

... on and on


Another cool fact is:
ubuntu@ubuntu:/media/Windows/WINDOWS/system32$ ls -ltr | grep ntoskrnl
-rwxrwxrwx 1 ubuntu ubuntu 2042240 2002-09-03 19:50 ntoskrnl.exe
-rwxrwxrwx 1 ubuntu ubuntu 30761398 2012-01-05 19:26 ntoskrnl.s

The disassembled source is about 15 times larger than the binary it came from. (That is using objdump -D ntoskrnl.exe, which disassembles everything, not just the .text segment) (stupid me :)

And also the kernel should load into just over 2MB of memory, so why the requirements of 64MB, 128MB, ...etc? Because mapped IO for PCI, USB, VGA devices takes up a lot of additional space (MMIO is usually a memory pig).

Hopefully this inspires people to start becoming expert asm guys.... at least it did for me