15 replies to this topic

[RulerOf]

Good day folks!

I've got a curious question about how the Windows NT6 startup process works that doesn't seem to be explicitly stated in the docs I've read thus far. The most comprehensive one I've come across is here, and it's basically what I'm referring to.

I had used to think that "the big switch" from real to protected or long mode in the CPU was what prevented access to things like RAM disks created by bootloaders like GRUB4DOS or modules like MEMDISK and similarly invalidted BIOS INT handlers. However after reading that article, knowing that I've chainloaded bootmgr from RAM disks and from SAN via gPXE all via INT 13 hooks, and seeing that bootmgr itself contains code to switch the CPU out of real mode, I'm realizing that WINLOAD picks up an environment that's already in protected mode. From there, it uses BIOS INT 13 to drag things like the SYSTEM hive and HAL and the kernel up from the disk, and then it loads boot start drivers.

And then it enables paging (is this where drivers are required for further disk access?) and passes control to the kernel (and does the kernel require "protection" from a driver to not overwrite a RAM disk here?).

Once the kernel takes control, there's a small litany of processes that occur:

How Windows NT 6's kernel initializes

The Windows NT 6 kernel performs the usual Windows NT kernel initialization steps, that are largely unchanged from Windows NT version 3.1:

• Request the HAL to initialize the interrupt controller.
• Initialize the Memory Manager, the Object Manager, the Security Reference Monitor, and the Process Manager.
• Request the HAL to enable interrupts.
• Start all non-boot CPUs.
• Reinitialize the Object Manager.
• Initialize the "Executive".
• Initialize the "Microkernel".
• Reinitialize the Security Reference Monitor.
• Reinitialize the Memory Manager
• Initialize the Cache Manager.
• Initialize the Local Procedure Call system.
• Initialize the I/O Manager. Initialization of the I/O manager initializes all of the pre-loaded, "boot" class, device drivers.
• Initialize the Process Manager.

The operating system kernel then scans the registry, the in-memory copy passed to it by WINLOAD, for the configured device drivers. It loads and all of the device drivers that are in the "system" class.

The kernel checks the digital signatures of all of the image files from which it loads device drivers, using routines exported from ci.dll, the kernel-mode DLL that provides a set of "code integrity" library functions. (Much of the content of ci.dll is exactly the same cryptographic code that is statically linked into winload.exe, including the 8 hardwired Root Certification Authorities.)

The kernel finally invokes the first user process, the so-called Session Manager Subsystem (SMSS).

I'm assuming that at some point in here, if not before it, INT 13 access and non-driver-protected RAM disks become invalid. Was my earlier hypothesis correct, or is it when the HAL starts its own interrupt handling?

I'm super curious about this because I'm frankly fascinated by the way boot start drivers work and would like to start making a mess of some virtual machines with the Native API by pulling apart WinVBlock and Firadisk, but before I do, I'd like to get to know our good friend 0x7B a little better

Many thanks, and of course, to the New Year

-RulerOf

[Wonko the Sane]

It seems to me like the article you cited describes correctly what happens:

The Microsoft boot manager therefore contains a 16-bit stub program, prepended to the boot manager proper (which is a PE-format 32-bit executable that follows the stub program), that switches the processor into 32-bit, flat memory model, protected mode before invoking the boot manager proper. Essentially, the real mode stub sets up the same environment that would occur if ...

At least this is the same way I personally (mind you I am NOT a programmer) have always understood the "old" NTLDR (with which I am more familiar).

As I understand the NT boot process, and pardon me if I use some layman's terms NTLDR (please read as BOOTMGR) contains a minimal, real mode Operating Systems (let's call it mini-DOS) that "trusts" BIOS, and that once has gathered the very basic info loads NTDETECT.COM (now integrated in BOOTMGR) that re-scans the devices and switches to protected mode.

In other words "old" booting was:

• NTLDR <-real mode
• NTDETECT.COM <- switch to protected mode
• whatever loads windows kernel (cannot say if NTDETECT.COM or a 32 bit part of NTLDR)

and "new" booting is:

• BOOTMGR <-real mode
• BOOTMGR <-switch to protected mode
• WINLOAD.EXE <- which should be the whatever that actually loads windows kernel

OT , but as always not that much , what about a RSOD (RED SCREEN OF DEATH)?
http://blogs.technet...14/3374820.aspx


Wonko

[RulerOf]

At least this is the same way I personally (mind you I am NOT a programmer) have always understood the "old" NTLDR (with which I am more familiar).

As I understand the NT boot process, and pardon me if I use some layman's terms NTLDR (please read as BOOTMGR) contains a minimal, real mode Operating Systems (let's call it mini-DOS) that "trusts" BIOS, and that once has gathered the very basic info loads NTDETECT.COM (now integrated in BOOTMGR) that re-scans the devices and switches to protected mode.
[/list]

But of course! What I'm getting at is basically that both NTLDR and WINLOAD (chained via BOOTMGR) operate in a 32 bit environment but still have access to BIOS INT handlers for communicating with hardware. If they didn't, they flat wouldn't work

Vis a vis:

WINLOAD simply loads the operating system kernel, system32\ntoskrnl.exe, the hardware abstraction layer, system32\hal.dll, the contents of the system registry hive, system32\config\system, all of the "boot" class device drivers, and any kernel-mode DLLs imported by any of the aforementioned, into memory.

All of that is done through BIOS... at least on machines that have a BIOS, of course!

I've become recently fascinated by the fact that boot start drivers are written to interact with Windows via the Native API at a time when BIOS INT handlers are still available to the system, and that allows for some very epic stuff to happen. Well, at least I think that WinVBlock, Firadisk, and iSCSI booting are epic

My curiosity is killing me on this one, but it might be most beneficial for me to hook a debugger into a VM and poke at it with some modified driver code.... which looks wonderfully daunting. At least hacking away in the Win32 API at all kinds of silly C/C++ stuff at work just to get a grip on it should help. I'm not a programmer either, really, but I find that I've been getting a lot better at editing others' C code and getting it to compile

OT , but as always not that much , what about a RSOD (RED SCREEN OF DEATH)?
http://blogs.technet...14/3374820.aspx


Wonko

Okay, that's pretty funny



-RulerOf

[karyonix]

Ntldr/bootmgr/winload stops using BIOS int 13h when it transfer control to kernel.

Ntldr/winload use BIOS int 13h to load system hive, kernel, HAL, and boot drivers into RAM.
After reading all required boot files, ntldr/winload then transfer control to kernel.

Kernel does not call BIOS.
Kernel starts initialize itself, and calls all boot drivers to initialize, then enumerates all accessible devices.
After boot disk is available, kernel calls boot drivers to to read from the disk.

I am not sure whether BIOS interrupt really become invalid after kernel starts.
It may be possible to change to real mode from a driver.
Hardware state may have been changed by HAL and other drivers. It may be in different state from what BIOS expected.
It is risky to use BIOS to access hardware at this time.
While in real mode, if BIOS is called, it may change hardware state to different state from what drivers expected.
When drivers resume control, it may behave strangely.
It is better not to call BIOS after kernel starts.

[sambul61]

It is risky to use BIOS to access hardware at this time...When drivers resume control, it may behave strangely.

Is that how UserPort driver works that's used by Victoria for Win to directly access hard drive I/O Ports from Win? There're no adverse consequences of doing that when control is returned back to Win HD drivers.

[karyonix]

@sambul61 #5
No.
Real mode and protected mode are different CPU modes.
User mode and kernel mode are just different software modes defined by OS. They both run in protected mode.

BIOS is software that run in real mode. It cannot be called directly from protected mode.

I/O ports are hardware. I/O ports can be accessed in both real mode and protected mode.
Real mode software can access I/O ports directly without calling BIOS.
In protected mode, some OSes forbid user mode software from accessing I/O ports.
In protected mode, kernel mode software can access I/O ports directly.

UserPort driver runs in kernel mode. It does not have to switch CPU to real mode to access I/O ports.

[RulerOf]

Thank you Karyonix!

Another question then:

If BIOS can't be accessed directly from protected mode, how WINLOAD and NTLDR use int 13h exactly? They don't constantly switch the CPU up and down, do they?

Most to the point I guess, other than the possibility of of leaving hardware in questionably initialized states, what prevents a boot time driver from digging back in to the BIOS interrupts or into other real mode programs after the kernel takes control?

[sambul61]

DOS box under Win runs in Virtual Real Mode, and has access to its own BIOS ROM copy. May be that's how the bootloaders access BIOS after kernel takes control? Old PC Guide has a lot of interesting staff that was never so artfully and briefly described in newer guides.

[karyonix]

@RulerOf #7
They switch to real mode, call BIOS. After return from BIOS, they can switch to protected mode again.

Drivers have the same privilege as kernel. They can takeover and do anything as pleased.

Real mode code must be in first MB of physical address.
Nothing prevents you from overwrite any existing data in conventional memory with your code.

To call BIOS, you need correct interrupt vector table and correct data in BIOS data area. BIOS may also use other parts of RAM to store its state.
When kernel takes control, it owns all RAM not marked as reserved, including those memory areas.

From my experience, interrupt vector 0x13 and GRUB4DOS's resident code are still intact when boot drivers initialize. It is destroyed later.
When Firadisk driver is loaded early at boot time, it can read GRUB4DOS drive map table. But if Firadisk driver is loaded later, it cannot find GRUB4DOS drive map table.
The conventional memory is altered. It may be allocated and used like other part of RAM or it may be used for some special purpose. I don't know exactly.

So, don't expect BIOS' data to be intact after protected mode OS runs.

@sambul61 #8
DOSBox is virtual machine with built-in DOS-like service. Its BIOS is not computer BIOS. DOSBox BIOS have no direct access to real hardware.

[RulerOf]

They switch to real mode, call BIOS. After return from BIOS, they can switch to protected mode again.

Really? Like flip/flopping back and forth to drag data from the hard disk via int 13h and then loading it into RAM? Is this how MEMDISK and GRUB4DOS load images into RAM disks (mem map type stuff)?

Drivers have the same privilege as kernel. They can takeover and do anything as pleased.

Real mode code must be in first MB of physical address.
Nothing prevents you from overwrite any existing data in conventional memory with your code.

To call BIOS, you need correct interrupt vector table and correct data in BIOS data area. BIOS may also use other parts of RAM to store its state.
When kernel takes control, it owns all RAM not marked as reserved, including those memory areas.

From my experience, interrupt vector 0x13 and GRUB4DOS's resident code are still intact when boot drivers initialize. It is destroyed later.

So to extrapolate what I'm reading here, the bootloader (NTLDR/WINLOAD/GRUB/etc) needs the interrupt vector table and the interrupt programs provided by BIOS so they purposefully protect those memory areas while, for Windows, loading the registry, kernel, and boot-start drivers into (upper? extended?) RAM.

From that point, when the bootloader is done strapping all those files into play, it hops the CPU back into protected mode and executes the kernel before unloading... or perhaps it just stops executing and gets overwritten by the kernel at some later point in time? I suppose that's inconsequential, but I'm curious

When Firadisk driver is loaded early at boot time, it can read GRUB4DOS drive map table. But if Firadisk driver is loaded later, it cannot find GRUB4DOS drive map table. The conventional memory is altered. It may be allocated and used like other part of RAM or it may be used for some special purpose. I don't know exactly.

The kernel then, operating wholly in protected mode, initializes itself, and I'm assuming that this doesn't overwrite anything loaded into memory by GRUB4DOS or MEMDISK or any other bootloader... otherwise things like an iBFT, mBFT, and whatever you'd call GRUB4DOS's drive map table wouldn't work, right? Perhaps the kernel always loads a certain area of memory that these boot programs consider reserved?

Either way, once that's done, drivers are initialized. It's at some point during those initialization procedures that certain areas of memory are marked as reserved. Firadisk and WinVBlock, for example, scans conventional memory then for GRUB4DOS's drive maps and reserves them in the kernel so that Windows knows not to overwrite them. Then the driver creates the mappings for the disk/volume/whatever objects so that Windows can find them, and of course executes any code or instructions needed for I/O requests to work with the storage device. Windows makes a grab at the storage objects exposed by the boot start drivers to find its boot volume (I forget how it keeps track of that. MBR signature maybe?) to continue with the next phases of the Windows boot.

...I think

So, don't expect BIOS' data to be intact after protected mode OS runs.

I guess what I'm thinking here is that there's a very limited time during which the kernel initializes boot start drivers that BIOS and other real-mode data is available to the system. That data is either then reserved by the boot start drivers or lost in the process of the kernel's loading ever more things into memory.

There are a lot of questions in there, but I thank you for being so informative!

-RulerOf

[sfinktah]

Erm, I have a question....

What about accessing real mode when the operating system is shutting down... reason I ask: I have a Tablet, and I want to run a (perhaps modified) truecrypt boot loader.

The plan is, from a regular Windows 7 (32 bit) session, to stuff the BIOS keyboard buffer (0x40:1a) and hope that BIOS doesn't erase it during the reboot.

However, I'm not adverse to using other memory locations.

(reminder: tablet's don't have keyboards)

ps. hi all, yes been busy, still busy, vhd what now? hi sambul

[sfinktah]

Hmmm... maybe my question is rendered moot,

Microsoft have a lovely "Hello World" Kernel-mode device driver, as part of their kernel development kit, all part of the wonderful new VS2012RC

http://msdn.microsof...439665(v=vs.85)
-- Writing a hello world Kernel driver

With that, and the mountains of examples of how to use \\device\physicalmemory and ZwMapViewOfSection and what not, I think even *I* could manage to get what I want done.

[Sha0]

Really? Like flip/flopping back and forth to drag data from the hard disk via int 13h and then loading it into RAM? Is this how MEMDISK and GRUB4DOS load images into RAM disks (mem map type stuff)?

Yes. And in fact it can be even more complicated than that. Consider this:

• You've used MEMDISK to boot an HDD image with BootMgr
• BootMgr owns the system
• BootMgr wants to read the BCD using INT 0x13, so it changes the mode and requests the interrupt
• The MEMDISK INT 0x13 hook is thus invoked, which switches the mode
• MEMDISK now owns the system
• MEMDISK fetches the virtual disk data and copies it into the caller's buffer
• MEMDISK switches the mode
• The MEMDISK INT 0x13 hook returns control to the caller
• BootMgr switches the mode
• BootMgr now owns the system

This kind of scenario is extremely common. Throw in some other things and it's like a roller-coaster of up and down, with each hump named after something. But then consider the [now historical] NTBootDD.Sys concept, which doesn't use BIOS.

Using BIOS after the kernel has booted would break the abstraction. Handoff protocols (like the iBFT) help there to be a nice boundary.

I recommend thinking about John Stumpo's Kexec for Windows in regards to using BIOS at a post-kernel time. Note that he only does so around kernel shutdown time.

I think we figured out some time ago that the reason why GRUB4DOS data was being lost later in the boot process (karyonix typed about this) was because it wasn't being marked as off-limits in the memory map that's passed to Windows.

[milindsmart]

Oh yes... It does switch back and forth......

 

It's a LOT more than just a few times.... I think it's about a hundred times or so... or maybe even more.... 

 

And this is BEFORE a SINGLE thing has been displayed on the screen... the boot menu is YET to come... I am currently using Bochs to step through bootmgr code... 

 

The interesting thing is that it switches between Real Mode 16-bit and Protected Mode *16*-bit....

I have switched mode a whole bunch of times now, and I haven't even reached winload.exe,.. 

 

And what's worse, shouldn't winload.efi be MUCH smaller, since not much of this mode switching nonsense would be there? Nope... it's about as large... 

 

Sorry for the rant, my first time stepping through assembly.

[tinybit]

Just FYI,

 

With older versions of grub4dos, the int15 handler does not handle conventional memory, so it cannot protect the int13 and int15 handler from being destroyed (e.g., by a buggy Windows driver; also see reports elsewhere).

 

Newer versions will handle low memory correctly. But problems arised! On some machines Windows cannot successfully start up! So I have to add a new map option of --int15nolow=1 as a workaround. "map --int15nolow=1" will take effect after a "map --hook" or a "map --rehook". With --int15nolow=1, the int15 handler will not handle low memory, keeping low memory status as it was for the original ROM int15 handler. Later I also introduced another map option of --e820cycles, as mentioned elsewhere.

 

Someone told us on a Chinese board, the problems were caused by a buggy Windows XP video driver. And drivers for Win7 are OK according to those reports. I think it should be possible to replace the buggy XP video driver with a good one.

[milindsmart]

Actually, having unpacked and examined bootmgr, I can say it definitely does NOT use INT 13h. I really don't know how it is accessing the disk... 

 

It seems to be using DMA already... I have no idea how and where it sets up DMA so early in the boot process.