How to get rid of SETUPDD.SYS?


8 replies to this topic

#1 386

Posted 04 December 2021 - 03:41 PM

Hi everyone!

Is it possible to get rid of SETUPDD.SYS in PE 1.x?

I mean: SETUPLDR.BIN loads the kernel, the kernel loads ntdll.dll, smss.exe and so on, just like with a normal NTLDR boot.



#2 Wonko the Sane

Posted 04 December 2021 - 04:29 PM

There are/were ideas about a "mixed mode" loading, cannot say if they apply to your (this and the other thread of yours) questions/ideas.

 

http://reboot.pro/to...e-fast-boot-pe/

 

Wonko



#3 386

Posted 04 December 2021 - 05:25 PM

Thanks, Wonko! I've read that info and also another one on forum.ru-board.com from Alexey32, but it does not fit my needs, because NTLDR can't load compressed files, nor compressed RAMDISKs. So I did some research.

 

If I delete SETUPDD.SYS, SETUPLDR produces an error loading SETUPDD.SYS.

 

If I replace SETUPDD.SYS with a dummy driver, SETUPLDR loads it, but after the kernel is loaded a BSOD 0x7B appears, which I assume means "inaccessible boot device".

 

So I replaced SETUPDD.SYS with a renamed disk controller driver and the BSOD 0x7B disappeared (the kernel could find the boot device, I assume). But I saw another BSOD, 0x6B PROCESS1_INITIALIZATION_FAILED, which means that the kernel can't find or load ntdll.dll and/or smss.exe.

 

I am stuck at this stage (BSOD 0x6B). I tried almost everything, including patching ntoskrnl.exe to replace the relative \SystemRoot\ with a fixed \Device\... path. It works for smss.exe, but not for ntdll.dll. So I need some help, because I don't know what to do.

 

Is there some way to explicitly tell the kernel what the "SystemRoot" path is?


Edited by 386, 04 December 2021 - 05:43 PM.


#4 Wonko the Sane

Posted 04 December 2021 - 06:31 PM

I see.

 

Shao started working on a "special" ntbootdd.sys (whose code might be useful/reusable):

http://reboot.pro/in...showtopic=14019

 

but I think it was abandoned.

 

Check also here, maybe there is something useful:

https://web.archive....opic.php?t=1696

https://web.archive.....php/t-323.html

 

and here:

http://reboot.pro/in...?showtopic=7801

 

Wonko



#5 386

Posted 04 December 2021 - 09:49 PM

Wonko, thanks for the very interesting info! I've read it with great interest.

Unfortunately, I couldn't find info about my problem...

 

One more question: how does the XP kernel know where it should boot from in the kernel phase (after it has been loaded)?

It should be some kind of regkey, I assume. Some kind of NT "\Device\..." or ARC "multi(0)..." path.

How does SETUPLDR tell the NT kernel about the SystemRoot?



#6 386

Posted 05 December 2021 - 01:14 AM

I've installed the checked version of the NT kernel and it printed the correct ARC path for SystemRoot.

So, the problem seems not to be in the path...



#7 Wonko the Sane

Posted 05 December 2021 - 10:22 AM

I believe that it starts with an ARC path that at some stage is translated into an NT \Device\... path, but I have no idea when exactly the switch happens (i.e. it should be "past" NTLDR or SETUPLDR.BIN, but I don't know exactly when).

 

If I recall correctly, the XP Kansas City Shuffle or fake signature method, see:

https://web.archive....showtopic=21242

 

http://reboot.pro/in...?showtopic=6672

 

relied on this: the disk signature (which is part of the NT \Device\ address verification) is checked at a later stage.

 

Some more info roughly related to the matter can be found here:

http://reboot.pro/in...?showtopic=4186

and here:

https://web.archive....&st=40&start=40

 

But the above is almost all I can remember about the topic (or near it).

 

Wonko


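The ARC-to-NT translation Wonko refers to above, as an added example that is not part of the original thread: the loader hands the kernel an ARC name such as multi(0)disk(0)rdisk(0)partition(1)\WINDOWS, and the NT object manager's \ArcName directory holds symbolic links from each ARC name to the matching \Device\HarddiskN\PartitionM object, which is how a \SystemRoot link can be resolved from an ARC name. The C parser below reproduces that mapping for the multi() (INT13/BIOS adapter) form only; scsi() names are parsed but not mapped, since their Harddisk number depends on enumeration order, and anything else, ramdisk(0) included, is reported as unsupported rather than guessed. The ARC names in main() are constructed inputs, not taken from the thread.

```c
/* Added example: map an ARC boot name to the NT device path it resolves to.
 * Only multi(A)disk(B)rdisk(N)partition(M)[\suffix] is mapped, to
 * \Device\HarddiskN\PartitionM[\suffix]. Anything else returns an error. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>

struct arc_path {
    char adapter[16];   /* "multi" or "scsi" */
    int adapter_no;
    int disk;
    int rdisk;
    int partition;      /* -1 if no partition() component was present */
    char suffix[128];   /* trailing "\WINDOWS" part, may be empty */
};

/* Parse one "name(number)" token; returns chars consumed, 0 on failure. */
static int parse_token(const char *s, char *name, size_t nlen, int *num)
{
    size_t i = 0;
    while (s[i] && isalpha((unsigned char)s[i]) && i < nlen - 1) {
        name[i] = (char)tolower((unsigned char)s[i]);
        i++;
    }
    name[i] = '\0';
    if (i == 0 || s[i] != '(')
        return 0;
    char *end;
    long v = strtol(s + i + 1, &end, 10);
    if (end == s + i + 1 || *end != ')' || v < 0)
        return 0;
    *num = (int)v;
    return (int)(end - s) + 1;   /* include the closing ')' */
}

/* Split an ARC name into its components. Returns 0 on success, -1 on error. */
int arc_parse(const char *arc, struct arc_path *out)
{
    memset(out, 0, sizeof *out);
    out->partition = -1;
    const char *p = arc;
    char name[16];
    int num, n, seen = 0;
    while ((n = parse_token(p, name, sizeof name, &num)) > 0) {
        if (seen == 0) {
            /* First component must be the adapter type. */
            if (strcmp(name, "multi") != 0 && strcmp(name, "scsi") != 0)
                return -1;
            strcpy(out->adapter, name);
            out->adapter_no = num;
        } else if (strcmp(name, "disk") == 0) {
            out->disk = num;
        } else if (strcmp(name, "rdisk") == 0) {
            out->rdisk = num;
        } else if (strcmp(name, "partition") == 0) {
            out->partition = num;
        } else {
            return -1;           /* unknown component */
        }
        seen++;
        p += n;
    }
    if (seen < 1)
        return -1;
    if (*p && *p != '\\')
        return -1;               /* junk after the last "name(n)" token */
    strncpy(out->suffix, p, sizeof out->suffix - 1);
    return 0;
}

/* Build \Device\HarddiskN\PartitionM<suffix>. Returns 0 on success, -1 if
 * the name is not a mappable multi() volume (partition(0) is the whole disk,
 * not a bootable volume, so it is rejected too). */
int arc_to_nt(const char *arc, char *buf, size_t len)
{
    struct arc_path ap;
    if (arc_parse(arc, &ap) != 0)
        return -1;
    if (strcmp(ap.adapter, "multi") != 0 || ap.partition < 1)
        return -1;
    int w = snprintf(buf, len, "\\Device\\Harddisk%d\\Partition%d%s",
                     ap.rdisk, ap.partition, ap.suffix);
    return (w < 0 || (size_t)w >= len) ? -1 : 0;
}

/* Convenience wrapper: NULL when not mappable, else a static buffer. */
const char *arc_to_nt_static(const char *arc)
{
    static char buf[256];
    return arc_to_nt(arc, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void)
{
    const char *samples[] = {            /* constructed inputs */
        "multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS",
        "multi(0)disk(0)rdisk(1)partition(2)",
        "ramdisk(0)\\WINDOWS",
        "scsi(0)disk(0)rdisk(0)partition(1)",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *nt = arc_to_nt_static(samples[i]);
        printf("%-45s -> %s\n", samples[i], nt ? nt : "(not mapped)");
    }
    return 0;
}
```

The mapping is deliberately strict: a boot-path translator that guesses a device for an unrecognised adapter type would turn a mis-typed ARC name into a silent boot from the wrong volume, which is exactly the class of mistake that shows up as a 0x7B later in the kernel phase.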

#8 386

Posted 05 December 2021 - 11:41 AM

Thanks, Wonko!

 

Tricking the NT kernel is the greatest game ever!



#9 Wonko the Sane

Posted 05 December 2021 - 01:30 PM

Before I forget, take some time looking for posts by user AeroXP, or threads where he commented: he did some nice work mish-mashing/mixing XP files with PE files and tinykrnl ones, and there may be something of use among his contributions.

 

Wonko


