You will need:
- A hex-editor, such as TinyHexer.
- The checked build of NTLDR, from Microsoft.
- The Windows Debugger (WinDbg), from Microsoft.
- The QEmu virtual machine software[4].
- An HDD image file suitable for use with QEmu, with at least a licensed set of files for XP/2003. This set can be pretty minimal if you are not interested in debugging past where the kernel begins to run. A minimal set might be something like:
  - \NTLDR
  - \NTDETECT.COM
  - \BOOT.INI
  - \Windows\System32\NTOSKrnl.exe
  - \Windows\System32\HAL.DLL
  - \Windows\System32\BootVID.DLL
  - \Windows\System32\KDCOM.DLL
  - \Windows\System32\Config\SYSTEM
A \BOOT.INI for this setup looks like:

    [boot loader]
    timeout=10
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [debug]
    /debug /debugport=COM1 /baudrate=115200 /debugstop
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="UP HALACPI" /noexecute=optin /fastdetect /sos

You need to use your hex-editor to search NTLDR for the MZ signature, then copy everything from the MZ onward and save that file as OSLoader.exe on your host system.
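The hex-editor step can be done programmatically. The following is an added example, not code from the original post: it searches the NTLDR file for an MZ header and writes everything from that header onward to OSLoader.exe. A plain search for the two characters "MZ" is not a safe enough check on its own, because the bytes before the PE image (NTLDR's 16-bit startup code) could contain them by chance, so each candidate is validated by following the DOS header's e_lfanew field to the "PE\0\0" signature. The function names and the sample NTLDR-like bytes are constructed for illustration and are not real NTLDR contents.

```python
import struct

# Added example (not from the original post): carve the PE image that NTLDR carries
# (OSLoader.exe) out of the NTLDR file instead of copying it by hand in a hex-editor.
# Function names and the sample bytes are constructed for illustration.

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def find_pe_offset(data: bytes) -> int:
    """Return the file offset of the first MZ header whose e_lfanew points at 'PE\\0\\0'.

    A plain search for "MZ" is not enough: the bytes before the PE image could contain the
    two characters by chance, so every candidate is validated through the DOS header.
    Raises ValueError when no PE image is found.
    """
    pos = data.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(data):                       # full 64-byte DOS header available
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == PE_SIG:
                return pos
        pos = data.find(MZ, pos + 1)
    raise ValueError("no embedded PE image found")


def carve_osloader(ntldr: bytes) -> bytes:
    """Everything from the validated MZ header to end of file: the OSLoader.exe image."""
    return ntldr[find_pe_offset(ntldr):]


def build_sample_ntldr() -> bytes:
    """Constructed stand-in for NTLDR (not real NTLDR bytes): a fake 16-bit stub that
    happens to contain a stray 'MZ', followed by a minimal DOS header and PE signature."""
    stub = b"\xEA\x00\x00\x00\x00" + b"stray MZ in stub text " + b"\x00" * 0x100
    stub = stub.ljust(0x200, b"\x90")
    dos_header = bytearray(0x80)
    dos_header[0:2] = MZ
    struct.pack_into("<I", dos_header, 0x3C, 0x80)        # e_lfanew -> PE signature at +0x80
    # IMAGE_FILE_HEADER: Machine=i386, 3 sections, no timestamp/symbols, 0xE0-byte optional header
    file_header = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x010F)
    return stub + bytes(dos_header) + PE_SIG + file_header + b"\x00" * 0xE0


if __name__ == "__main__":
    import sys
    # Usage: python carve_osloader.py NTLDR   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ntldr()
    offset = find_pe_offset(data)
    print(f"PE image starts at file offset 0x{offset:X}")
    with open("OSLoader.exe", "wb") as out:
        out.write(data[offset:])
```

Run it against your own NTLDR and it writes OSLoader.exe into the current directory, which is exactly the file the later .readmem step expects to find there: the MZ header must sit at offset 0 of OSLoader.exe, because .readmem loads the file verbatim at 0x400000 and .imgscan looks for the header at that address.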
Assuming your disk image is called TEST.HDD and it is in the current working directory, launch QEmu with:
    qemu -hda test.hdd -serial pipe:com_1

Maybe your HDD image doesn't boot. You might need GRUB4DOS's GRUB.EXE and something like:

    qemu -kernel grub.exe -append "--config-file=root (hd0,0); chainloader /ntldr" -hda test.hdd -serial pipe:com_1

QEmu should launch and freeze, awaiting a connection from WinDbg. So launch WinDbg with:

    "C:\Program Files\Debugging Tools for Windows\windbg.exe" -k com:pipe,port=\\.\pipe\com_1,baud=115200,resets=0,reconnect -b

Assuming a temporary directory of C:\TMP\, configure WinDbg with a symbol path like:

    srv*c:\tmp*http://msdl.microsoft.com/download/symbols

Once NTLDR runs inside the QEmu VM, it should show something like:

    Boot Debugger Using: COM1 (Baud Rate 115200)

And WinDbg should attach and show:

    Microsoft ® Windows Debugger Version 6.7.0005.0
    Copyright © Microsoft Corporation. All rights reserved.
    Opened \\.\pipe\com_1
    Waiting to reconnect...
    Connected to Windows Boot Debugger 2600 x86 compatible target, ptr64 FALSE
    Kernel Debugger connection established. (Initial Breakpoint requested)
    Symbol search path is: srv*c:\tmp*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Module List address is NULL - debugger not initialized properly.
    WARNING: .reload failed, module list may be incomplete
    KdDebuggerData.KernBase < SystemRangeStart
    Windows Boot Debugger Kernel Version 2600 UP Checked x86 compatible
    Primary image base = 0x00000000 Loaded module list = 0x00000000
    System Uptime: not available
    The call to LoadLibrary(bootext) failed, Win32 error 0n2
    "The system cannot find the file specified."
    Please check your debugger configuration and/or network access.
    Break instruction exception - code 80000003 (first chance)
    0041ee8c cc int 3

Now you must establish the symbols for NTLDR. Assuming you saved OSLOADER.EXE to the current directory, in WinDbg, do:

    .readmem osloader.exe 0x400000 L0x1000
    .imgscan /l /r 00400000

WinDbg should report:

    MZ at 00400000 - size 81000
    Name: osloader.EXE
    Loaded osloader.EXE module

Let's have a look at NTLDR symbols:

    x osloader!

How about a look at symbols for dealing with the SYSTEM Registry hive:

    x osloader!*system*

Ooh, look. There's one called BlLoadAndScanSystemHive. Let's set a break-point:

    bp osloader!BlLoadAndScanSystemHive

Now let's let NTLDR execute.

    g

Thanks to the /SOS switch in BOOT.INI, QEmu yields:

    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\system32\NTOSKRNL.EXE
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\system32\HAL.DLL
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\system32\KDCOM.DLL
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\system32\BOOTVID.DLL

Control is returned to WinDbg right when the SYSTEM hive would be loaded. Yay.
- Sha0
[1] Courtesy of Anand Choubey: Re: Debug version of ntldr for Windows XP SP3
[2] Courtesy of Microsoft: Windows XP Service Pack 3, Checked Build
[3] Courtesy of Samuel Bronson: Undocumented [debug] section in boot.ini enables boot debugger
[4] Courtesy of Toshiya Takeda: QEMU on Windows