_BOOT_CONTEXT 结构定义:

typedef struct _BOOT_CONTEXT {
    PFSCONTEXT_RECORD FSContextPointer;
    PEXTERNAL_SERVICES_TABLE ExternalServicesTable;
    PSU_MEMORY_DESCRIPTOR MemoryDescriptorList;
    ULONG MachineType;
    ULONG OsLoaderStart;
    ULONG OsLoaderEnd;
    ULONG ResourceDirectory;
    ULONG ResourceOffset;
    ULONG OsLoaderBase;
    ULONG OsLoaderExports;
} BOOT_CONTEXT, *PBOOT_CONTEXT;

在 sudata.asm 中我找到了 _BootRecord 的定义:

        align 4
        Public _BootRecord
_BootRecord     dw offset _TEXT:_FsContext
                dw SU_LOAD_ADDRESS SHR 16
                dw offset _TEXT:_ExportEntryTable
                dw SU_LOAD_ADDRESS SHR 16
;
; The memory descriptor table begins at 0x70000
;
                dw 0
                dw 7
        public _MachineType
_MachineType    dd 0            ; Machine type infor.
;
; pointer to where osloader.exe is in memory
;
        public _OsLoaderStart
_OsLoaderStart  dd 0
        public _OsLoaderEnd
_OsLoaderEnd    dd 0
        public _ResourceDirectory
_ResourceDirectory dd 0
        public _ResourceOffset
_ResourceOffset dd 0
        public _OsLoaderBase
_OsLoaderBase   dd 0
        public _OsLoaderExports
_OsLoaderExports dd 0

仔细地比较一下,是不是与上面的 _BOOT_CONTEXT 结构是一致的?你会发现这其中只有一个成员不太一样:_ExportEntryTable,它对应 C 代码结构中的 ExternalServicesTable,而 _ExportEntryTable 在 sudata.asm 中是预先定义好的。剩下的其他成员就比较好理解了。

        align 4
        public _ExportEntryTable
_ExportEntryTable equ $
                dw offset _TEXT:RebootProcessor
                dw SU_LOAD_ADDRESS SHR 16
                dw offset _TEXT:GetSector
                dw SU_LOAD_ADDRESS SHR 16
                dw offset _TEXT:GetKey
                dw SU_LOAD_ADDRESS SHR 16
                dw offset _TEXT:GetCounter
                dw SU_LOAD_ADDRESS SHR 16
                dw offset _TEXT:Reboot
                dw SU_LOAD_ADDRESS SHR 16
                dw offset _TEXT:AbiosServices
                dw SU_LOAD_ADDRESS SHR 16
                dw offset _TEXT:DetectHardware
                dw SU_LOAD_ADDRESS SHR 16
                dw offset _TEXT:HardwareCursor
                dw SU_LOAD_ADDRESS SHR 16
                dw offset _TEXT:GetDateTime
                dw SU_LOAD_ADDRESS SHR 16
                dw offset _TEXT:ComPort
                dw SU_LOAD_ADDRESS SHR 16
                dw offset _TEXT:IsMcaMachine
                dw SU_LOAD_ADDRESS SHR 16
                dw offset _TEXT:GetStallCount
                dw SU_LOAD_ADDRESS SHR 16
                dw offset _TEXT:InitializeDisplayForNt
                dw SU_LOAD_ADDRESS SHR 16
                dw offset _TEXT:GetMemoryDescriptor
                dw SU_LOAD_ADDRESS SHR 16
                dw offset _TEXT:GetEddsSector
                dw SU_LOAD_ADDRESS SHR 16
                dw offset _TEXT:GetElToritoStatus
                dw SU_LOAD_ADDRESS SHR 16
                dd 0

既然讲到这里,我顺便把 ExternalServicesTable 和 _ExportEntryTable 全部的映射关系讲清楚:

// 在 ExternalServicesTable 中定义的函数指针:
typedef struct _EXTERNAL_SERVICES_TABLE {
    VOID (__cdecl * RebootProcessor)(VOID);
    NTSTATUS (__cdecl * DiskIOSystem)(USHORT,USHORT,USHORT,USHORT,USHORT,USHORT,PUCHAR);
    ULONG (__cdecl * GetKey)(VOID);
    ULONG (__cdecl * GetCounter)(VOID);
    VOID (__cdecl * Reboot)(ULONG);
    ULONG (__cdecl * AbiosServices)(USHORT,PUCHAR,PUCHAR,PUCHAR,PUCHAR,USHORT,USHORT);
    VOID (__cdecl * DetectHardware)(ULONG, ULONG, PVOID, PULONG, PCHAR, ULONG);
    VOID (__cdecl * HardwareCursor)(ULONG,ULONG);
    VOID (__cdecl * GetDateTime)(PULONG,PULONG);
    VOID (__cdecl * ComPort)(LONG,ULONG,UCHAR);
    BOOLEAN (__cdecl * IsMcaMachine)(VOID);
    ULONG (__cdecl * GetStallCount)(VOID);
    VOID (__cdecl * InitializeDisplayForNt)(VOID);
    VOID (__cdecl * GetMemoryDescriptor)(P820FRAME);
#if defined(ELTORITO)
    NTSTATUS (__cdecl * GetEddsSector)(ULONG,ULONG,ULONG,ULONG,PUCHAR);
    NTSTATUS (__cdecl * GetElToritoStatus)(PUCHAR,ULONG);
#endif
} EXTERNAL_SERVICES_TABLE, *PEXTERNAL_SERVICES_TABLE;

extern PEXTERNAL_SERVICES_TABLE ExternalServicesTable;

但是在程序中调用 ExternalServicesTable 中的函数时,并不是直接使用该结构中定义的那些函数指针;在调用 ExternalServicesTable 中的这些函数时,使用的是下面的宏定义:

#define REBOOT_PROCESSOR        (*ExternalServicesTable->RebootProcessor)
#define GET_SECTOR              (*ExternalServicesTable->DiskIOSystem)
#define RESET_DISK              (*ExternalServicesTable->DiskIOSystem)
#define BIOS_IO                 (*ExternalServicesTable->DiskIOSystem)
#define GET_KEY                 (*ExternalServicesTable->GetKey)
#define GET_COUNTER             (*ExternalServicesTable->GetCounter)
#define REBOOT                  (*ExternalServicesTable->Reboot)
#define ABIOS_SERVICES          (*ExternalServicesTable->AbiosServices)
#define DETECT_HARDWARE         (*ExternalServicesTable->DetectHardware)
#define HW_CURSOR               (*ExternalServicesTable->HardwareCursor)
#define GET_DATETIME            (*ExternalServicesTable->GetDateTime)
#define COMPORT                 (*ExternalServicesTable->ComPort)
#define ISMCA                   (*ExternalServicesTable->IsMcaMachine)
#define GET_STALL_COUNT         (*ExternalServicesTable->GetStallCount)
#define SETUP_DISPLAY_FOR_NT    (*ExternalServicesTable->InitializeDisplayForNt)
#define GET_MEMORY_DESCRIPTOR   (*ExternalServicesTable->GetMemoryDescriptor)
#if defined(ELTORITO)
#define GET_EDDS_SECTOR         (*ExternalServicesTable->GetEddsSector)
#define GET_ELTORITO_STATUS     (*ExternalServicesTable->GetElToritoStatus)
#endif

typedef struct _BL_FILE_FLAGS {
    ULONG Open : 1;
    ULONG Read : 1;
    ULONG Write : 1;
#ifdef DBLSPACE_LEGAL
    ULONG DoubleSpace : 1;
#endif
} BL_FILE_FLAGS, *PBL_FILE_FLAGS;

typedef struct _BL_FILE_TABLE {
    BL_FILE_FLAGS Flags;
    ULONG DeviceId;
    LARGE_INTEGER Position;
    PVOID StructureContext;
    PBL_DEVICE_ENTRY_TABLE DeviceEntryTable;
    UCHAR FileNameLength;
    CHAR FileName[MAXIMUM_FILE_NAME_LENGTH];
    union {
        HPFS_FILE_CONTEXT HpfsFileContext;
        NTFS_FILE_CONTEXT NtfsFileContext;
        FAT_FILE_CONTEXT FatFileContext;
        CDFS_FILE_CONTEXT CdfsFileContext;
#if defined(ELTORITO)
        ETFS_FILE_CONTEXT EtfsFileContext;
#endif
        PARTITION_CONTEXT PartitionContext;
        SERIAL_CONTEXT SerialContext;
        DRIVE_CONTEXT DriveContext;
        FLOPPY_CONTEXT FloppyContext;
        KEYBOARD_CONTEXT KeyboardContext;
        CONSOLE_CONTEXT ConsoleContext;
    } u;
} BL_FILE_TABLE, *PBL_FILE_TABLE;

现在来看看 ArcOpen() 函数:

#define ArcOpen(OpenPath, OpenMode, FileId) \
    ((PARC_OPEN_ROUTINE)(SYSTEM_BLOCK->FirmwareVector[OpenRoutine])) \
        ((OpenPath), (OpenMode), (FileId))

通过一一对应的关系,实际上调用 ArcOpen() 函数就是在调用 AEOpen() 函数,其他的 ArcXXX 函数依次类推。

注意看其中的成员 PBL_DEVICE_ENTRY_TABLE DeviceEntryTable,再来看 PBL_DEVICE_ENTRY_TABLE 结构的定义:

typedef struct _BL_DEVICE_ENTRY_TABLE {
    PARC_CLOSE_ROUTINE Close;
    PARC_MOUNT_ROUTINE Mount;
    PARC_OPEN_ROUTINE Open;    // 注意
    PARC_READ_ROUTINE Read;
    PARC_READ_STATUS_ROUTINE GetReadStatus;
    PARC_SEEK_ROUTINE Seek;
    PARC_WRITE_ROUTINE Write;
    PARC_GET_FILE_INFO_ROUTINE GetFileInformation;
    PARC_SET_FILE_INFO_ROUTINE SetFileInformation;
    PRENAME_ROUTINE Rename;
    PARC_GET_DIRECTORY_ENTRY_ROUTINE GetDirectoryEntry;
    PBOOTFS_INFO BootFsInfo;
} BL_DEVICE_ENTRY_TABLE, *PBL_DEVICE_ENTRY_TABLE;

通过一一对应的关系,实际上调用 ArcOpen() 函数就是在调用 AEOpen() 函数,其他的 ArcXXX 函数依次类推。

typedef struct _LOADER_PARAMETER_BLOCK {
    LIST_ENTRY LoadOrderListHead;
    LIST_ENTRY MemoryDescriptorListHead;
    LIST_ENTRY BootDriverListHead;
    ULONG KernelStack;
    ULONG Prcb;
    ULONG Process;
    ULONG Thread;
    ULONG RegistryLength;
    PVOID RegistryBase;
    PCONFIGURATION_COMPONENT_DATA ConfigurationRoot;
    PCHAR ArcBootDeviceName;
    PCHAR ArcHalDeviceName;
    PCHAR NtBootPathName;
    PCHAR NtHalPathName;
    PCHAR LoadOptions;
    PNLS_DATA_BLOCK NlsData;
    PARC_DISK_INFORMATION ArcDiskInformation;
    PVOID OemFontFile;
    struct _SETUP_LOADER_BLOCK *SetupLoaderBlock;
    ULONG Spare1;
    union {
        I386_LOADER_BLOCK I386;
        MIPS_LOADER_BLOCK Mips;
        ALPHA_LOADER_BLOCK Alpha;
        PPC_LOADER_BLOCK Ppc;
    } u;
} LOADER_PARAMETER_BLOCK, *PLOADER_PARAMETER_BLOCK;

typedef struct _MEMORY_ALLOCATION_DESCRIPTOR {
    LIST_ENTRY ListEntry;
    TYPE_OF_MEMORY MemoryType;
    ULONG BasePage;
    ULONG PageCount;
} MEMORY_ALLOCATION_DESCRIPTOR, *PMEMORY_ALLOCATION_DESCRIPTOR;