BOOTMGR with BCD embedded
#1
Posted 03 July 2011 - 09:17 PM
The embedded bcd is a minimal one that only supports flat booting of nt6, both WinPE and non-WinPE. Booting off a wim is broken, although an entry is present in the embedded BCD. The resulting bootmgr is based off version 6.1.7600.16385 and is given the file extension of bcd.
Link to "patcher"; http://www.mediafire...bcd_patcher.zip
#2
Posted 03 July 2011 - 10:29 PM
Fixing some integrity stuff in real mode (the 16-bit stub);
0x5f3 [90 90] (integrity of exe in vista sp0)
0x6f9 [90 90] (integrity of exe in win 7 rtm)
0xe28 change 7403 -> eb08 (crc of exe in vista sp0)
0x105e change 7403 -> eb08 (crc of exe in win 7 rtm)
Fixing some integrity stuff in protected mode (bootmgr.exe);
00401231 mov eax,1 [b8 01 00 00 00]
00401236 mov esp+18,eax [89 44 24 18]
0040123a nop [90 90 90]
00421ec5 nop [90 90]
original bcd size; 262 144 byte = 40.000h
section named joakim:
offset 72400h = va 004a2000 (containing the BCD store)
size 7e00h (32256 bytes - maybe the original section size restriction)
patch is 23 bytes starting at 43d2d3;
0043D2D3 B900204A00   mov ecx,L004A2000
0043D2D8 098DF0FFFFFF or [ebp-00000010h],ecx
0043D2DE B900600000   mov ecx,00006000h
0043D2E3 894DE4       mov [ebp-1Ch],ecx
0043D2E6 31C9         xor ecx,ecx
0043D2E8 EB53         jmp L0043D33D
My embedded BCD store is at 24 576 bytes (6000h) and can theoretically (as restricted by the section size) be over 5 times as big in size as it currently is. If you write a new BCD to that section remember to update the code to reflect a possibly different size. That can be done at the instruction at va 0043d2de or alternatively at raw offset 0x3c6df. There you currently find the value 00600000, which is little endian format for (0000)6000.
Bootdebugging;
16000010 (element constant)
132c on=01, off=00 (internal offset and determining value)
72400+132c=7372C (raw offset for the element)
788fc (?) (I was fiddling with bootdebugging over firewire)
The already present BCD contains;
Windows Boot Manager
--------------------
identifier              {9dea862c-5cdd-4e70-acc1-f32b344d4795}
description             Windows Boot Manager
locale                  en-US
inherit                 {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default                 {7619dcc9-fafe-11d9-b411-000476eba25f}
displayorder            {7619dcc9-fafe-11d9-b411-000476eba25f}
                        {29e132fc-5570-11e0-a502-005056c00008}
                        {b9b69084-5570-11e0-a502-005056c00008}
toolsdisplayorder       {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout                 30

Windows Boot Loader
-------------------
identifier              {29e132fc-5570-11e0-a502-005056c00008}
device                  boot
path                    \WINDOWS\system32\winload.exe
description             Flat WinPE without WIM
locale                  en-US
inherit                 {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
osdevice                boot
systemroot              \windows
detecthal               Yes
winpe                   Yes
ems                     No

Windows Boot Loader
-------------------
identifier              {7619dcc9-fafe-11d9-b411-000476eba25f}
device                  ramdisk=[boot]\sources\boot.wim,{7619dcc8-fafe-11d9-b411-000476eba25f}
path                    \windows\system32\boot\winload.exe
description             WinPE from boot.wim
locale                  en-US
inherit                 {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
osdevice                ramdisk=[boot]\sources\boot.wim,{7619dcc8-fafe-11d9-b411-000476eba25f}
systemroot              \windows
detecthal               Yes
winpe                   Yes
ems                     No

Windows Boot Loader
-------------------
identifier              {b9b69084-5570-11e0-a502-005056c00008}
device                  boot
path                    \WINDOWS\system32\winload.exe
description             Regular Windows nt6.x
locale                  en-US
inherit                 {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
osdevice                boot
systemroot              \windows
detecthal               Yes
winpe                   No
ems                     No

Windows Memory Tester
---------------------
identifier              {b2721d73-1db4-4c62-bf78-c548a880142d}
device                  boot
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

EMS Settings
------------
identifier              {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
bootems                 Yes

Debugger Settings
-----------------
identifier              {4636856e-540f-4170-a130-a84776f4c654}
debugtype               Serial
debugport               1
baudrate                115200

Global Settings
---------------
identifier              {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit                 {4636856e-540f-4170-a130-a84776f4c654}
                        {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}

Boot Loader Settings
--------------------
identifier              {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
inherit                 {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
                        {7ff607e0-4395-11db-b0de-0800200c9a66}

Hypervisor Settings
-------------------
identifier              {7ff607e0-4395-11db-b0de-0800200c9a66}
description             Hypervisor Settings
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Device options
--------------
identifier              {7619dcc8-fafe-11d9-b411-000476eba25f}
ramdisksdidevice        boot
ramdisksdipath          \boot\boot.sdi
These notes are actually from the compressed version of bootmgr (i.e. with the win7 stub) where I attached a slightly larger BCD than what the actual patcher generates, so some sizes/offsets may differ. The additional integrity patch in the header was necessary when adding sections bigger than some value I can't remember.
#3
Posted 05 August 2014 - 04:20 PM
This is really cool. Seems to be a good solution for booting Windows from GPT disk on BIOS machines.
I'd like to know, how much harder is it to make a patcher that takes a bootmgr, AND a bcd, and gives bootmgr.bcd, instead of embedding a fixed bcd.. Would I be able to do it? I don't know any windows programming though, and I love the extreme straightforwardness of the program, just asking for one file select operand.
If it is not too hard, can you make a patcher which accepts both? That would make it a perfect tool.
#4
Posted 06 August 2014 - 05:34 AM
It is not so easy, and definitely not trivial to redo this task. It has to do with what size of data we can fit into it without breaking it. The bcd I included was a minimal one, for a reason. What you can do is modify that one directly with a hex editor. Or extract it, then modify it, and then paste it back in with a hex editor. But make sure the size has not increased.
On a side note, I can add that the patch is dirty, and corrupts memory, but it is not severe enough to crash the system. And this only works on 1 specific version of bootmgr, not any version.
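A small Python checker for the layout described in post #2 and for the "make sure the size has not increased" advice in post #4, added here as an example; it is not the patcher from the thread. It assumes it is handed the protected-mode PE image, takes the section name joakim and the B9 (mov ecx,imm32) encoding from post #2, and takes the raw offset of that instruction as a parameter (0x3c6df in the author's build; the toy image built below uses a constructed offset). It locates the section, reads the size immediate, checks that the immediate fits inside the section and that the bytes there start with the registry-hive signature a BCD store carries, and only writes a replacement store if it fits, updating the immediate as the post says to.

```python
import struct

SECTION_NAME = b"joakim"   # section name given in post #2
HIVE_MAGIC = b"regf"       # a BCD store is a registry hive file, so it starts with "regf"
PATCH_OFF = 0x210          # constructed: raw offset of "mov ecx,imm32" in the toy image below
                           # (post #2 gives 0x3c6df for the author's bootmgr build)


def find_section(image: bytes, name: bytes):
    """Walk the PE section table; return (VirtualAddress, PointerToRawData, SizeOfRawData) for `name`."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size            # section headers follow the optional header
    for i in range(num_sections):
        hdr = table + i * 40                    # IMAGE_SECTION_HEADER is 40 bytes
        sec_name = image[hdr:hdr + 8].rstrip(b"\0")
        _vsize, va, raw_size, raw_off = struct.unpack_from("<IIII", image, hdr + 8)
        if sec_name == name:
            return va, raw_off, raw_size
    raise ValueError(f"section {name!r} not found")


def read_bcd_size(image: bytes, patch_off: int) -> int:
    """Decode the imm32 of the B9 instruction that tells bootmgr how large the embedded store is."""
    if image[patch_off] != 0xB9:
        raise ValueError("expected mov ecx,imm32 (opcode B9) at patch site")
    return struct.unpack_from("<I", image, patch_off + 1)[0]


def check_embedded_bcd(image: bytes, patch_off: int, section: bytes = SECTION_NAME) -> dict:
    """Cross-check the size immediate against the section bounds and the hive signature."""
    va, raw_off, raw_size = find_section(image, section)
    size = read_bcd_size(image, patch_off)
    problems = []
    if size > raw_size:
        problems.append(f"size immediate 0x{size:x} exceeds section raw size 0x{raw_size:x}")
    if image[raw_off:raw_off + 4] != HIVE_MAGIC:
        problems.append("section data does not start with the 'regf' hive signature")
    return {"va": va, "raw_off": raw_off, "raw_size": raw_size, "size": size,
            "ok": not problems, "problems": problems}


def extract_embedded_bcd(image: bytes, patch_off: int, section: bytes = SECTION_NAME) -> bytes:
    """Return exactly the bytes bootmgr will treat as the store (section start, immediate length)."""
    _va, raw_off, _raw_size = find_section(image, section)
    return image[raw_off:raw_off + read_bcd_size(image, patch_off)]


def replace_embedded_bcd(image: bytes, patch_off: int, new_store: bytes,
                         section: bytes = SECTION_NAME) -> bytes:
    """Write a replacement store and update the immediate; refuse anything that does not fit."""
    _va, raw_off, raw_size = find_section(image, section)
    if new_store[:4] != HIVE_MAGIC:
        raise ValueError("replacement is not a registry hive")
    if len(new_store) > raw_size:
        raise ValueError(f"store of 0x{len(new_store):x} bytes exceeds section size 0x{raw_size:x}")
    out = bytearray(image)
    out[raw_off:raw_off + raw_size] = new_store.ljust(raw_size, b"\0")   # zero-fill the remainder
    struct.pack_into("<I", out, patch_off + 1, len(new_store))            # new little-endian imm32
    return bytes(out)


def build_sample_image() -> bytes:
    """Constructed toy PE: a .text section holding the patch site and a joakim section holding a fake hive."""
    img = bytearray(0x400 + 0x800)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)          # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x14C, 2)     # Machine=i386, NumberOfSections=2
    struct.pack_into("<H", img, 0x40 + 20, 16)       # SizeOfOptionalHeader (zeroed, 16 bytes)
    table = 0x40 + 24 + 16

    def section(idx, name, va, raw_off, raw_size):
        h = table + idx * 40
        img[h:h + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, h + 8, raw_size, va, raw_size, raw_off)

    section(0, b".text", 0x1000, 0x200, 0x200)
    section(1, b"joakim", 0x2000, 0x400, 0x800)
    img[PATCH_OFF:PATCH_OFF + 5] = b"\xB9" + struct.pack("<I", 0x300)   # mov ecx,300h
    img[0x400:0x400 + 0x300] = HIVE_MAGIC + b"\x11" * (0x300 - 4)       # fake 0x300-byte hive
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    print(check_embedded_bcd(sample, PATCH_OFF))
```

Run it against a real image by replacing `build_sample_image()` with the file contents and `PATCH_OFF` with the raw offset of the mov ecx instruction for that build; if `check_embedded_bcd` reports a mismatch between the immediate and the section, the loader will read past the store, which is exactly the kind of silent corruption post #4 warns about.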