setupldr!BlLoadImageEx函数分析:从setupldr!IMAGE_DOS_HEADER到setupldr!_IMAGE_NT_HEADERS需要加上e_lfanew的值(本例中e_lfanew = 0n224 = 0xE0)
setupldr!BlLoadImageEx函数分析:从setupldr!IMAGE_DOS_HEADER到setupldr!_IMAGE_NT_HEADERS需要加上e_lfanew的值(本例中e_lfanew = 0n224 = 0xE0)
第一部分:
DOS头魔数"MZ"取自Mark Zbikowski的姓名首字母,他在微软工作多年,显著推动了DOS和Windows的发展,是NTFS文件系统的关键人物。
MZ自1981年加入微软以来,便开始了他在技术领域的传奇生涯。
作为微软的第55号员工,他与鲍尔默有着深厚的渊源,曾在哈佛与盖茨共度求学时光。
1982年,他便接替Tim Paterson,担任MSDOS2.0-4.0的开发经理,为微软与IBM的联姻奠定了坚实的技术基础。
MZ在技术领域的贡献卓越,他不仅参与了DOS分级文件系统和OS/2可安装文件系统的开发,还主导了Cairo及OFS文件系统的研发。
这些重要成果为Windows 2000及其他产品的成功提供了有力支撑。
同时,他也是Windows NT内核的开发团队成员之一,并主导开发了NTFS文件系统,进一步推动了微软在操作系统领域的发展。
第二部分:
//
// Load Kernel Debugger DLL
//
strcpy(KdDllName, BootPath);
strcat(KdDllName, KdFileName);
SlGetDisk(KdFileName);
BlOutputLoadMessage(BootDevice, KdDllName, BlFindMessage(SL_KDDLL_NAME));
Status = BlLoadImage(BootDeviceId,
LoaderHalCode,
KdDllName,
TARGET_IMAGE,
&KdDllBase);
kd> kc 4
#
00 setupldr!BlLoadImageEx
01 setupldr!SlInit
02 setupldr!BlStartup
03 setupldr!NtProcessStartup
kd> dv
DeviceId = 0xa
MemoryType = LoaderHalCode (0n10)
LoadFile = 0x00348318 "\I386\KDCOM.DLL"
ImageType = 0x14c
PreferredAlignment = 0
PreferredBasePage = 0
ImageBase = 0x00060db0
kd> kc 5
#
00 setupldr!BlLoadImage32Ex
01 setupldr!SlInit
02 setupldr!BlStartup
03 setupldr!NtProcessStartup
WARNING: Frame IP not in any known module. Following frames may be wrong.
04 0x0
kd> dv
DeviceId = 0xa
MemoryType = LoaderHalCode (0n10)
LoadFile = 0x00348318 "\I386\KDCOM.DLL"
ImageType = 0x14c
PreferredAlignment = 0
PreferredBasePage = 0
//
// Attempt to open the image file.
//
Status = BlOpen(DeviceId, LoadFile, ArcOpenReadOnly, &FileId);
if (Status != ESUCCESS) {
goto cleanup;
}
kd> dv FileId
FileId = 0
kd> x setupldr!BlFileTable
00377d20 setupldr!BlFileTable = struct _BL_FILE_TABLE [48]
kd> dx -r1 (*((setupldr!_BL_FILE_TABLE (*)[48])0x377d20))
(*((setupldr!_BL_FILE_TABLE (*)[48])0x377d20)) [Type: _BL_FILE_TABLE [48]]
[0] [Type: _BL_FILE_TABLE]
[1] [Type: _BL_FILE_TABLE]
[2] [Type: _BL_FILE_TABLE]
[3] [Type: _BL_FILE_TABLE]
[4] [Type: _BL_FILE_TABLE]
kd> dx -r1 (*((setupldr!_BL_FILE_TABLE *)0x377d20))
(*((setupldr!_BL_FILE_TABLE *)0x377d20)) [Type: _BL_FILE_TABLE]
[+0x000] Flags [Type: _BL_FILE_FLAGS]
[+0x004] DeviceId : 0xa [Type: unsigned long]
[+0x008] Position : {0} [Type: _LARGE_INTEGER]
[+0x010] StructureContext : 0x348b18 [Type: void *]
[+0x014] DeviceEntryTable : 0x3435f0 [Type: _BL_DEVICE_ENTRY_TABLE *]
[+0x018] FileNameLength : 0x9 [Type: unsigned char]
[+0x019] FileName : "KDCOM.DL_dl_" [Type: char [32]]
[+0x040] u [Type: __unnamed]
//
// Read the first two sectors of the image header from the file.
//
Status = BlImageRead(&ImgCache, FileId, LocalPointer, SECTOR_SIZE * 2, &Count);
if (Status != ESUCCESS) {
goto cleanup;
}
//
// If the image file is not the specified type, is not executable, or is
// not a NT image, then return bad image type status.
//
NtHeaders = IMAGE_NT_HEADER(LocalPointer);
if (NtHeaders == NULL) {
Status = EBADF;
goto cleanup;
}
kd> p
eax=00000000 ebx=00000000 ecx=00060b90 edx=00060b64 esi=00060620 edi=00060b7c
eip=0031602e esp=00060610 ebp=00060b9c iopl=0 nv up di pl zr na pe nc
cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000046
setupldr!BlLoadImage32Ex+0xb6:
0031602e 56 push esi
kd> db 00060620
00060620 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
00060630 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
00060640 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00060650 00 00 00 00 00 00 00 00-00 00 00 00 e0 00 00 00 ................
00060660 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
00060670 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
00060680 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
00060690 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......
D:\srv03rtm\base\boot/inc/ximagdef.h:61:#define IMAGE_NT_HEADER(x) ((PIMAGE_NT_HEADERS)RtlImageNtHeader(x))
kd> kc 6
#
00 setupldr!RtlImageNtHeader
01 setupldr!BlLoadImage32Ex
02 setupldr!SlInit
03 setupldr!BlStartup
04 setupldr!NtProcessStartup
WARNING: Frame IP not in any known module. Following frames may be wrong.
05 0x0
kd> kv 5
# ChildEBP RetAddr Args to Child
00 00060604 00316034 00060620 00348328 00348318 setupldr!RtlImageNtHeader (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\rtl\rtlimagentheader.c @ 216]
01 00060b9c 00327f9d 00000000 0000000a 00348318 setupldr!BlLoadImage32Ex+0xbc (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\lib\peldrt.c @ 182]
02 00060df4 00322a21 01060e2c 0000000b 00000000 setupldr!SlInit+0x1f57 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\setup\setup.c @ 2860]
03 00060ed0 003015aa 00379400 0038164f 00061d68 setupldr!BlStartup+0x1bd (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\setup\i386\initx86.c @ 208]
04 00061ff0 10101010 00000002 00810081 00810081 setupldr!NtProcessStartup+0x208 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\lib\i386\entry.c @ 348]
kd> dv
Base = 0x00060620
NtHeaders = 0x00000008
kd> kc 6
#
00 setupldr!RtlImageNtHeaderEx
01 setupldr!RtlImageNtHeader
02 setupldr!BlLoadImage32Ex
03 setupldr!SlInit
04 setupldr!BlStartup
05 setupldr!NtProcessStartup
kd> kv 6
# ChildEBP RetAddr Args to Child
00 000605e4 0031f1ba 00000001 00060620 00000000 setupldr!RtlImageNtHeaderEx (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\rtl\rtlimagentheader.c @ 90]
01 00060604 00316034 00060620 00348328 00348318 setupldr!RtlImageNtHeader+0x19 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\rtl\rtlimagentheader.c @ 219]
02 00060b9c 00327f9d 00000000 0000000a 00348318 setupldr!BlLoadImage32Ex+0xbc (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\lib\peldrt.c @ 182]
03 00060df4 00322a21 01060e2c 0000000b 00000000 setupldr!SlInit+0x1f57 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\setup\setup.c @ 2860]
04 00060ed0 003015aa 00379400 0038164f 00061d68 setupldr!BlStartup+0x1bd (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\setup\i386\initx86.c @ 208]
05 00061ff0 10101010 00000002 00810081 00810081 setupldr!NtProcessStartup+0x208 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\lib\i386\entry.c @ 348]
kd> dv
Flags = 1
Base = 0x00060620
Size = 0
OutHeaders = 0x00060600
e_lfanew = ((PIMAGE_DOS_HEADER)Base)->e_lfanew;
kd> dt IMAGE_DOS_HEADER 0x00060620
setupldr!IMAGE_DOS_HEADER
+0x000 e_magic : 0x5a4d
+0x002 e_cblp : 0x90
+0x004 e_cp : 3
+0x006 e_crlc : 0
+0x008 e_cparhdr : 4
+0x00a e_minalloc : 0
+0x00c e_maxalloc : 0xffff
+0x00e e_ss : 0
+0x010 e_sp : 0xb8
+0x012 e_csum : 0
+0x014 e_ip : 0
+0x016 e_cs : 0
+0x018 e_lfarlc : 0x40
+0x01a e_ovno : 0
+0x01c e_res : [4] 0
+0x024 e_oemid : 0
+0x026 e_oeminfo : 0
+0x028 e_res2 : [10] 0
+0x03c e_lfanew : 0n224
kd> ?0n224
Evaluate expression: 224 = 000000e0
NtHeaders = (PIMAGE_NT_HEADERS)((PCHAR)Base + e_lfanew);
kd> dt _IMAGE_NT_HEADERS 0x00060620+e0
setupldr!_IMAGE_NT_HEADERS
+0x000 Signature : 0x4550
+0x004 FileHeader : _IMAGE_FILE_HEADER
+0x018 OptionalHeader : _IMAGE_OPTIONAL_HEADER
kd> dx -r1 (*((setupldr!_IMAGE_FILE_HEADER *)0x60704))
(*((setupldr!_IMAGE_FILE_HEADER *)0x60704)) [Type: _IMAGE_FILE_HEADER]
[+0x000] Machine : 0x14c [Type: unsigned short]
[+0x002] NumberOfSections : 0x7 [Type: unsigned short]
[+0x004] TimeDateStamp : 0x66e5bdf0 [Type: unsigned long]
[+0x008] PointerToSymbolTable : 0x0 [Type: unsigned long]
[+0x00c] NumberOfSymbols : 0x0 [Type: unsigned long]
[+0x010] SizeOfOptionalHeader : 0xe0 [Type: unsigned short]
[+0x012] Characteristics : 0x210e [Type: unsigned short]
kd> dx -r1 (*((setupldr!_IMAGE_OPTIONAL_HEADER *)0x60718))
(*((setupldr!_IMAGE_OPTIONAL_HEADER *)0x60718)) [Type: _IMAGE_OPTIONAL_HEADER]
[+0x000] Magic : 0x10b [Type: unsigned short]
[+0x002] MajorLinkerVersion : 0x7 [Type: unsigned char]
[+0x003] MinorLinkerVersion : 0xa [Type: unsigned char]
[+0x004] SizeOfCode : 0x1400 [Type: unsigned long]
[+0x008] SizeOfInitializedData : 0xa00 [Type: unsigned long]
[+0x00c] SizeOfUninitializedData : 0x0 [Type: unsigned long]
[+0x010] AddressOfEntryPoint : 0x19f0 [Type: unsigned long]
[+0x014] BaseOfCode : 0x1000 [Type: unsigned long]
[+0x018] BaseOfData : 0x2000 [Type: unsigned long]
[+0x01c] ImageBase : 0x80010000 [Type: unsigned long]
[+0x020] SectionAlignment : 0x1000 [Type: unsigned long]
[+0x024] FileAlignment : 0x200 [Type: unsigned long]
[+0x028] MajorOperatingSystemVersion : 0x5 [Type: unsigned short]
[+0x02a] MinorOperatingSystemVersion : 0x2 [Type: unsigned short]
[+0x02c] MajorImageVersion : 0x5 [Type: unsigned short]
[+0x02e] MinorImageVersion : 0x2 [Type: unsigned short]
[+0x030] MajorSubsystemVersion : 0x5 [Type: unsigned short]
[+0x032] MinorSubsystemVersion : 0x2 [Type: unsigned short]
[+0x034] Win32VersionValue : 0x0 [Type: unsigned long]
[+0x038] SizeOfImage : 0x8000 [Type: unsigned long]
[+0x03c] SizeOfHeaders : 0x400 [Type: unsigned long]
[+0x040] CheckSum : 0x93db [Type: unsigned long]
[+0x044] Subsystem : 0x1 [Type: unsigned short]
[+0x046] DllCharacteristics : 0x400 [Type: unsigned short]
[+0x048] SizeOfStackReserve : 0x40000 [Type: unsigned long]
[+0x04c] SizeOfStackCommit : 0x1000 [Type: unsigned long]
[+0x050] SizeOfHeapReserve : 0x100000 [Type: unsigned long]
[+0x054] SizeOfHeapCommit : 0x1000 [Type: unsigned long]
[+0x058] LoaderFlags : 0x0 [Type: unsigned long]
[+0x05c] NumberOfRvaAndSizes : 0x10 [Type: unsigned long]
[+0x060] DataDirectory [Type: _IMAGE_DATA_DIRECTORY [16]]
kd> db 0x00060620
00060620 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
00060630 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
00060640 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00060650 00 00 00 00 00 00 00 00-00 00 00 00 e0 00 00 00 ................
00060660 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
00060670 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
00060680 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
00060690 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......
kd> db 0x00060620+80
000606a0 37 61 67 4f 73 00 09 1c-73 00 09 1c 73 00 09 1c 7agOs...s...s...
000606b0 73 00 08 1c 7c 00 09 1c-f0 08 54 1c 76 00 09 1c s...|.....T.v...
000606c0 f0 08 55 1c 72 00 09 1c-fd 08 56 1c 77 00 09 1c ..U.r.....V.w...
000606d0 f0 08 57 1c 72 00 09 1c-f0 08 53 1c 72 00 09 1c ..W.r.....S.r...
000606e0 52 69 63 68 73 00 09 1c-00 00 00 00 00 00 00 00 Richs...........
000606f0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00060700 50 45 00 00 4c 01 07 00-f0 bd e5 66 00 00 00 00 PE..L......f....
00060710 00 00 00 00 e0 00 0e 21-0b 01 07 0a 00 14 00 00 .......!........
kd> gu
eax=00000000 ebx=00000000 ecx=00060700 edx=00000000 esi=00060620 edi=00060b7c
eip=0031f1ba esp=00060600 ebp=00060604 iopl=0 nv up di pl zr na pe nc
cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000046
setupldr!RtlImageNtHeader+0x19:
0031f1ba 8b45fc mov eax,dword ptr [ebp-4] ss:0010:00060600=00060700
kd> gu
eax=00060700 ebx=00000000 ecx=00060700 edx=00000000 esi=00060620 edi=00060b7c
eip=00316034 esp=00060610 ebp=00060b9c iopl=0 nv up di pl zr na pe nc
cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000046
setupldr!BlLoadImage32Ex+0xbc:
00316034 8bd8 mov ebx,eax
0x00060620+e0
kd> ?0x00060620+e0
Evaluate expression: 395008 = 00060700
