当前位置：首页 > news >正文

setupldr!BlLoadImage32Ex函数分析得到第一个节和IMAGE_FIRST_SECTION宏定义

news 2026/3/26 19:11:26

setupldr!BlLoadImage32Ex函数分析得到第一个节和IMAGE_FIRST_SECTION宏定义
//
// Compute the starting page and the number of pages that are consumed
// by the entire image, and then allocate a memory descriptor for the
// allocated region.
//

NumberOfSections = NtHeaders->FileHeader.NumberOfSections;
SectionHeader = IMAGE_FIRST_SECTION( NtHeaders );

D:\srv03rtm\base\boot>grep "IMAGE_FIRST_SECTION" -nr D:\srv03rtm\public\sdk\inc
D:\srv03rtm\public\sdk\inc/ntimage.h:395:// IMAGE_FIRST_SECTION doesn't need 32/64 versions since the file header is the same either way.
D:\srv03rtm\public\sdk\inc/ntimage.h:397:#define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) \
D:\srv03rtm\public\sdk\inc/winnt.h:6719:// IMAGE_FIRST_SECTION doesn't need 32/64 versions since the file header is the same either way.
D:\srv03rtm\public\sdk\inc/winnt.h:6721:#define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) \

#define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) \
((ULONG_PTR)ntheader + \
FIELD_OFFSET( IMAGE_NT_HEADERS, OptionalHeader ) + \
((PIMAGE_NT_HEADERS)(ntheader))->FileHeader.SizeOfOptionalHeader \
))

kd> dt _IMAGE_NT_HEADERs 0x00060620+e0
setupldr!_IMAGE_NT_HEADERS
+0x000 Signature : 0x4550
+0x004 FileHeader : _IMAGE_FILE_HEADER
+0x018 OptionalHeader : _IMAGE_OPTIONAL_HEADER
kd> dx -r1 (*((setupldr!_IMAGE_FILE_HEADER *)0x60704))
(*((setupldr!_IMAGE_FILE_HEADER *)0x60704)) [Type: _IMAGE_FILE_HEADER]
[+0x000] Machine : 0x14c [Type: unsigned short]
[+0x002] NumberOfSections : 0x7 [Type: unsigned short]
[+0x004] TimeDateStamp : 0x66e5bdf0 [Type: unsigned long]
[+0x008] PointerToSymbolTable : 0x0 [Type: unsigned long]
[+0x00c] NumberOfSymbols : 0x0 [Type: unsigned long]
[+0x010] SizeOfOptionalHeader : 0xe0 [Type: unsigned short]
[+0x012] Characteristics : 0x210e [Type: unsigned short]
kd> dx -r1 (*((setupldr!_IMAGE_OPTIONAL_HEADER *)0x60718))
(*((setupldr!_IMAGE_OPTIONAL_HEADER *)0x60718)) [Type: _IMAGE_OPTIONAL_HEADER]
[+0x000] Magic : 0x10b [Type: unsigned short]
[+0x002] MajorLinkerVersion : 0x7 [Type: unsigned char]
[+0x003] MinorLinkerVersion : 0xa [Type: unsigned char]
[+0x004] SizeOfCode : 0x1400 [Type: unsigned long]
[+0x008] SizeOfInitializedData : 0xa00 [Type: unsigned long]
[+0x00c] SizeOfUninitializedData : 0x0 [Type: unsigned long]
[+0x010] AddressOfEntryPoint : 0x19f0 [Type: unsigned long]
[+0x014] BaseOfCode : 0x1000 [Type: unsigned long]
[+0x018] BaseOfData : 0x2000 [Type: unsigned long]
[+0x01c] ImageBase : 0x80010000 [Type: unsigned long]
[+0x020] SectionAlignment : 0x1000 [Type: unsigned long]
[+0x024] FileAlignment : 0x200 [Type: unsigned long]
[+0x028] MajorOperatingSystemVersion : 0x5 [Type: unsigned short]
[+0x02a] MinorOperatingSystemVersion : 0x2 [Type: unsigned short]
[+0x02c] MajorImageVersion : 0x5 [Type: unsigned short]
[+0x02e] MinorImageVersion : 0x2 [Type: unsigned short]
[+0x030] MajorSubsystemVersion : 0x5 [Type: unsigned short]
[+0x032] MinorSubsystemVersion : 0x2 [Type: unsigned short]
[+0x034] Win32VersionValue : 0x0 [Type: unsigned long]
[+0x038] SizeOfImage : 0x8000 [Type: unsigned long]
[+0x03c] SizeOfHeaders : 0x400 [Type: unsigned long]
[+0x040] CheckSum : 0x93db [Type: unsigned long]
[+0x044] Subsystem : 0x1 [Type: unsigned short]
[+0x046] DllCharacteristics : 0x400 [Type: unsigned short]
[+0x048] SizeOfStackReserve : 0x40000 [Type: unsigned long]
[+0x04c] SizeOfStackCommit : 0x1000 [Type: unsigned long]
[+0x050] SizeOfHeapReserve : 0x100000 [Type: unsigned long]
[+0x054] SizeOfHeapCommit : 0x1000 [Type: unsigned long]
[+0x058] LoaderFlags : 0x0 [Type: unsigned long]
[+0x05c] NumberOfRvaAndSizes : 0x10 [Type: unsigned long]
[+0x060] DataDirectory [Type: _IMAGE_DATA_DIRECTORY [16]]

kd> dt IMAGE_SECTION_HEADER 0x00060718+e0
setupldr!IMAGE_SECTION_HEADER
+0x000 Name : [8] ".text"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x1000
+0x010 SizeOfRawData : 0xc00
+0x014 PointerToRawData : 0x400
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics : 0x68000020
kd> dt IMAGE_SECTION_HEADER 0x00060718+e0+28*1
setupldr!IMAGE_SECTION_HEADER
+0x000 Name : [8] ".data"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x2000
+0x010 SizeOfRawData : 0x200
+0x014 PointerToRawData : 0x1000
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics : 0xc8000040
kd> dt IMAGE_SECTION_HEADER 0x00060718+e0+28*2
setupldr!IMAGE_SECTION_HEADER
+0x000 Name : [8] "PAGEKD"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x3000
+0x010 SizeOfRawData : 0x600
+0x014 PointerToRawData : 0x1200
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics : 0x60000020
kd> dt IMAGE_SECTION_HEADER 0x00060718+e0+28*3
setupldr!IMAGE_SECTION_HEADER
+0x000 Name : [8] ".edata"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x4000
+0x010 SizeOfRawData : 0x200
+0x014 PointerToRawData : 0x1800
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics : 0x40000040
kd> dt IMAGE_SECTION_HEADER 0x00060718+e0+28*4
setupldr!IMAGE_SECTION_HEADER
+0x000 Name : [8] "INIT"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x5000
+0x010 SizeOfRawData : 0x200
+0x014 PointerToRawData : 0x1a00
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics : 0xe2000020
kd> dt IMAGE_SECTION_HEADER 0x00060718+e0+28*5
setupldr!IMAGE_SECTION_HEADER
+0x000 Name : [8] ".rsrc"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x6000
+0x010 SizeOfRawData : 0x400
+0x014 PointerToRawData : 0x1c00
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics : 0x42000040
kd> dt IMAGE_SECTION_HEADER 0x00060718+e0+28*6
setupldr!IMAGE_SECTION_HEADER
+0x000 Name : [8] ".reloc"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x7000
+0x010 SizeOfRawData : 0x200
+0x014 PointerToRawData : 0x2000
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics : 0x42000040
kd> dt IMAGE_SECTION_HEADER 0x00060718+e0+28*7
setupldr!IMAGE_SECTION_HEADER
+0x000 Name : [8] ""
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0
+0x010 SizeOfRawData : 0
+0x014 PointerToRawData : 0
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics : 0

kd> db 0x00060718+e0
000607f8 2e 74 65 78 74 00 00 00-08 0a 00 00 00 10 00 00 .text...........
00060808 00 0c 00 00 00 04 00 00-00 00 00 00 00 00 00 00 ................
00060818 00 00 00 00 20 00 00 68-2e 64 61 74 61 00 00 00 .... ..h.data...
00060828 9c 00 00 00 00 20 00 00-00 02 00 00 00 10 00 00 ..... ..........
00060838 00 00 00 00 00 00 00 00-00 00 00 00 40 00 00 c8 ............@...
00060848 50 41 47 45 4b 44 00 00-e1 04 00 00 00 30 00 00 PAGEKD.......0..
00060858 00 06 00 00 00 12 00 00-00 00 00 00 00 00 00 00 ................
00060868 00 00 00 00 20 00 00 60-2e 65 64 61 74 61 00 00 .... ..`.edata..
kd> db 0x00060718+e0+80
00060878 fa 00 00 00 00 40 00 00-00 02 00 00 00 18 00 00 .....@..........
00060888 00 00 00 00 00 00 00 00-00 00 00 00 40 00 00 40 ............@..@
00060898 49 4e 49 54 00 00 00 00-b2 01 00 00 00 50 00 00 INIT.........P..
000608a8 00 02 00 00 00 1a 00 00-00 00 00 00 00 00 00 00 ................
000608b8 00 00 00 00 20 00 00 e2-2e 72 73 72 63 00 00 00 .... ....rsrc...
000608c8 e8 03 00 00 00 60 00 00-00 04 00 00 00 1c 00 00 .....`..........
000608d8 00 00 00 00 00 00 00 00-00 00 00 00 40 00 00 42 ............@..B
000608e8 2e 72 65 6c 6f 63 00 00-5c 01 00 00 00 70 00 00 .reloc..\....p..
kd> db 0x00060718+e0+80*2
000608f8 00 02 00 00 00 20 00 00-00 00 00 00 00 00 00 00 ..... ..........
00060908 00 00 00 00 40 00 00 42-00 00 00 00 00 00 00 00 ....@..B........
00060918 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00060928 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00060938 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00060948 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00060958 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00060968 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
kd> db 0x00060718+e0+80*3
00060978 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00060988 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00060998 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000609a8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000609b8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000609c8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000609d8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000609e8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
kd> db 0x00060718+e0+80*4
000609f8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00060a08 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................