BOOTMGR with BCD embedded
#1 joakim (Team Reboot, Bergen, Norway)

Posted 03 July 2011 - 09:17 PM

Some time ago, when trying to make a workaround for the old and buggy AMI BIOS, like Dietmar's ntdetect.com for nt5.x, I made this special bootmgr. It had a BCD store embedded in itself and was launched directly from memory without searching for it on-disk. It never really solved any issues and I cannot come up with any real-life usage for it. But I thought maybe someone would find it interesting anyway, and so I prepared a patcher for those who are curious. If you do a diff and try to locate anything, you will be disappointed. But if anybody is interested, I will try to recall what I did and post it (it was a few months ago).

The embedded BCD is a minimal one that only supports flat booting of nt6, both WinPE and non-WinPE. Booting off a WIM is broken, although an entry is present in the embedded BCD. The resulting bootmgr is based on version 6.1.7600.16385 and has the file extension .bcd added.

Link to "patcher"; http://www.mediafire...bcd_patcher.zip

#2 joakim (Team Reboot, Bergen, Norway)

Posted 03 July 2011 - 10:29 PM

Here are some of the notes I found:

Fixing some integrity stuff in real mode (the 16-bit stub):

0x5f3   [90 90]                 (integrity of exe in vista sp0)
0x6f9   [90 90]                 (integrity of exe in win 7 rtm)
0xe28   change 74 03 -> eb 08   (crc of exe in vista sp0)
0x105e  change 74 03 -> eb 08   (crc of exe in win 7 rtm)

Fixing some integrity stuff in protected mode (bootmgr.exe):

00401231  mov eax,1           [b8 01 00 00 00]
00401236  mov [esp+18h],eax   [89 44 24 18]
0040123a  nop                 [90 90 90]
00421ec5  nop                 [90 90]

original bcd size: 262 144 bytes = 40.000h

section named joakim:
offset 72400h = va 004a2000 (containing the BCD store)
size 7e00h (32256 bytes - maybe the original section size restriction)

patch is 23 bytes starting at 43d2d3:

0043D2D3  B900204A00     mov ecx,L004A2000
0043D2D8  098DF0FFFFFF   or [ebp-00000010h],ecx
0043D2DE  B900600000     mov ecx,00006000h
0043D2E3  894DE4         mov [ebp-1Ch],ecx
0043D2E6  31C9           xor ecx,ecx
0043D2E8  EB53           jmp L0043D33D

My embedded BCD store is 24 576 bytes (6000h) and can theoretically (as restricted by the section size) be over 5 times as big as it currently is. If you write a new BCD to that section, remember to update the code to reflect a possibly different size. That can be done at the instruction at va 0043d2de or alternatively at raw offset 0x3c6df. There you currently find the value 00 60 00 00, which is little-endian format for (0000)6000.

Bootdebugging:

16000010 (element constant)
132c on=01, off=00 (internal offset and determining value)
72400+132c=7372C (raw offset for the element)
788fc (?)

(I was fiddling with bootdebugging over firewire)

The already present BCD contains:

Windows Boot Manager
--------------------
identifier              {9dea862c-5cdd-4e70-acc1-f32b344d4795}
description             Windows Boot Manager
locale                  en-US
inherit                 {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default                 {7619dcc9-fafe-11d9-b411-000476eba25f}
displayorder            {7619dcc9-fafe-11d9-b411-000476eba25f}
                        {29e132fc-5570-11e0-a502-005056c00008}
                        {b9b69084-5570-11e0-a502-005056c00008}
toolsdisplayorder       {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout                 30

Windows Boot Loader
-------------------
identifier              {29e132fc-5570-11e0-a502-005056c00008}
device                  boot
path                    \WINDOWS\system32\winload.exe
description             Flat WinPE without WIM
locale                  en-US
inherit                 {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
osdevice                boot
systemroot              \windows
detecthal               Yes
winpe                   Yes
ems                     No

Windows Boot Loader
-------------------
identifier              {7619dcc9-fafe-11d9-b411-000476eba25f}
device                  ramdisk=[boot]\sources\boot.wim,{7619dcc8-fafe-11d9-b411-000476eba25f}
path                    \windows\system32\boot\winload.exe
description             WinPE from boot.wim
locale                  en-US
inherit                 {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
osdevice                ramdisk=[boot]\sources\boot.wim,{7619dcc8-fafe-11d9-b411-000476eba25f}
systemroot              \windows
detecthal               Yes
winpe                   Yes
ems                     No

Windows Boot Loader
-------------------
identifier              {b9b69084-5570-11e0-a502-005056c00008}
device                  boot
path                    \WINDOWS\system32\winload.exe
description             Regular Windows nt6.x
locale                  en-US
inherit                 {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
osdevice                boot
systemroot              \windows
detecthal               Yes
winpe                   No
ems                     No

Windows Memory Tester
---------------------
identifier              {b2721d73-1db4-4c62-bf78-c548a880142d}
device                  boot
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

EMS Settings
------------
identifier              {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
bootems                 Yes

Debugger Settings
-----------------
identifier              {4636856e-540f-4170-a130-a84776f4c654}
debugtype               Serial
debugport               1
baudrate                115200

Global Settings
---------------
identifier              {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit                 {4636856e-540f-4170-a130-a84776f4c654}
                        {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}

Boot Loader Settings
--------------------
identifier              {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
inherit                 {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
                        {7ff607e0-4395-11db-b0de-0800200c9a66}

Hypervisor Settings
-------------------
identifier              {7ff607e0-4395-11db-b0de-0800200c9a66}
description             Hypervisor Settings
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Device options
--------------
identifier              {7619dcc8-fafe-11d9-b411-000476eba25f}
ramdisksdidevice        boot
ramdisksdipath          \boot\boot.sdi

These notes are actually from the compressed version of bootmgr (i.e. with the Win7 stub) where I attached a slightly larger BCD than what the actual patcher generates, so some sizes/offsets may differ. The additional integrity patch in the header was necessary when adding sections bigger than some value I can't remember.
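As an added example (this is not joakim's patcher and not code from this thread), here is a small Python helper built from the offsets in the notes above. It refuses to patch bytes that do not match the expected originals, copies a replacement BCD into the section while enforcing the 7e00h section-size bound, updates the size immediate at raw offset 0x3c6df, and toggles the bootdebug element byte at 72400h+132ch. Every offset and value is an assumption taken from the notes and would apply, if at all, only to the one 6.1.7600.16385 build they describe; the sample image is a constructed stand-in, not a real bootmgr.

```python
"""Added example: verify-then-patch helper built from the offsets in the notes
above. Not the original patcher; the offsets are assumptions copied from the
thread and apply, if at all, only to the one bootmgr build those notes describe."""
import struct
import sys
from typing import Optional

# Values copied from the notes (win7 RTM stub, BCD attached as section 'joakim').
SECTION_RAW_OFFSET = 0x72400     # raw offset of section 'joakim' (va 0x004a2000)
SECTION_RAW_SIZE = 0x7E00        # section size: hard upper bound for the BCD
SIZE_IMM_RAW_OFFSET = 0x3C6DF    # raw offset of the imm32 in 'mov ecx,00006000h'
EMBEDDED_BCD_SIZE = 0x6000       # size the notes' embedded BCD actually had
BOOTDEBUG_RAW_OFFSET = SECTION_RAW_OFFSET + 0x132C  # 0x7372c: bootdebug element value

# Real-mode stub patch for which the notes give both old and new bytes
# (the 'crc of exe in win 7 rtm' check): je +3 becomes jmp short +8.
STUB_CRC_PATCH_WIN7 = (0x105E, b"\x74\x03", b"\xEB\x08")


class PatchError(Exception):
    """Raised when the file does not look like the build the offsets belong to."""


def apply_patch(buf: bytearray, offset: int, expect: Optional[bytes], new: bytes) -> None:
    """Overwrite bytes at offset. When expect is given, refuse to write unless the
    file currently holds exactly those bytes (wrong build, or already patched)."""
    if offset + len(new) > len(buf):
        raise PatchError(f"offset {offset:#x} lies outside a {len(buf)}-byte file")
    if expect is not None:
        have = bytes(buf[offset:offset + len(expect)])
        if have != expect:
            raise PatchError(f"expected {expect.hex()} at {offset:#x}, found {have.hex()}")
    buf[offset:offset + len(new)] = new


def read_bcd_size(buf: bytes) -> int:
    """Size the patched code passes for the embedded store (little-endian dword)."""
    return struct.unpack_from("<I", buf, SIZE_IMM_RAW_OFFSET)[0]


def embed_bcd(buf: bytearray, bcd: bytes) -> int:
    """Copy a replacement BCD into the section and update the size immediate.
    Returns the new size. Bytes of a larger old store past len(bcd) are left in
    place: the patched code only reads up to the size it is given."""
    if len(bcd) > SECTION_RAW_SIZE:
        raise PatchError(f"BCD of {len(bcd):#x} bytes exceeds section size {SECTION_RAW_SIZE:#x}")
    if read_bcd_size(buf) > SECTION_RAW_SIZE:
        raise PatchError("size immediate is not plausible; wrong file or wrong offsets")
    buf[SECTION_RAW_OFFSET:SECTION_RAW_OFFSET + len(bcd)] = bcd
    struct.pack_into("<I", buf, SIZE_IMM_RAW_OFFSET, len(bcd))
    return len(bcd)


def set_bootdebug(buf: bytearray, enabled: bool) -> None:
    """Flip the value byte of element 0x16000010 inside the embedded store."""
    apply_patch(buf, BOOTDEBUG_RAW_OFFSET, None, b"\x01" if enabled else b"\x00")


def make_sample_image() -> bytearray:
    """Constructed stand-in for bootmgr.bcd (not a real binary): large enough to
    hold every offset above, with the stub bytes and the size immediate placed
    where the notes say they are."""
    buf = bytearray(SECTION_RAW_OFFSET + SECTION_RAW_SIZE)
    off, old, _ = STUB_CRC_PATCH_WIN7
    buf[off:off + len(old)] = old
    struct.pack_into("<I", buf, SIZE_IMM_RAW_OFFSET, EMBEDDED_BCD_SIZE)
    return buf


if __name__ == "__main__":
    # usage: python patch_bcd.py bootmgr.bcd new_store.bcd out.bcd
    if len(sys.argv) != 4:
        sys.exit("usage: patch_bcd.py <bootmgr.bcd> <new_store.bcd> <out.bcd>")
    image = bytearray(open(sys.argv[1], "rb").read())
    store = open(sys.argv[2], "rb").read()
    print(f"old size {read_bcd_size(image):#x}, new size {embed_bcd(image, store):#x}")
    open(sys.argv[3], "wb").write(image)
```

The expected-bytes check is the part worth keeping even if the offsets change: a patch written for one build silently corrupts another, so every write site that has known original bytes should refuse to proceed when they are absent.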

#3 milindsmart (Advanced user, Bangalore, India)

Posted 05 August 2014 - 04:20 PM

This is really cool. Seems to be a good solution for booting Windows from GPT disk on BIOS machines.

 

I'd like to know how much harder it is to make a patcher that takes a bootmgr AND a BCD and gives bootmgr.bcd, instead of embedding a fixed BCD. Would I be able to do it? I don't know any Windows programming though, and I love the extreme straightforwardness of the program, just asking for one file-select operand.

 

If it is not too hard, can you make a patcher which accepts both? That would make it a perfect tool.



#4 joakim (Team Reboot, Bergen, Norway)

Posted 06 August 2014 - 05:34 AM

It is not so easy, and definitely not trivial to redo this task. It has to do with what size of data we can fit into it without breaking it. The BCD I included was a minimal one, for a reason. What you can do is modify that one directly with a hex editor. Or extract it, then modify it, and then paste it back in with a hex editor. But make sure the size has not increased.

 

On a side note, I can add that the patch is dirty and corrupts memory, but it is not severe enough to crash the system. And this only works on one specific version of bootmgr, not any version.





