} else {

Status = BlOpen( DriveId,

"\\boot.ini",

ArcOpenReadOnly,

&BootFileId );

}

kd> p

osloader!BlStartup+0x1e4:

00427477 ff75f8 push dword ptr [ebp-8]

kd> p

osloader!BlStartup+0x1e7:

0042747a e8cce0fdff call osloader!BlOpen (0040554b)

kd> t

osloader!BlOpen:

0040554b 55 push ebp

kd> kc 4

00 osloader!BlOpen

01 osloader!BlStartup

02 osloader!NtProcessStartup

WARNING: Frame IP not in any known module. Following frames may be wrong.

03 0x0

kd> dv

DeviceId = 3

OpenPath = 0x00442470 "\boot.ini"

OpenMode = ArcOpenReadOnly (0n0)

Status = (_BlOpen(DeviceId,OpenPath,OpenMode,FileId));

kd> t

osloader!_BlOpen:

0040530b 55 push ebp

kd> kc 4

00 osloader!_BlOpen

01 osloader!BlOpen

02 osloader!BlStartup

03 osloader!NtProcessStartup

kd> dv

DeviceId = 3

OpenPath = 0x00442470 "\boot.ini"

OpenMode = ArcOpenReadOnly (0n0)

FileId = 0x00060ec0

// Someone has mounted the volume so now attempt to open the file.

*FileId = Index;

kd> p

osloader!_BlOpen+0x1dc:

004054e7 8b45f8 mov eax,dword ptr [ebp-8]

kd> p

osloader!_BlOpen+0x1df:

004054ea 8906 mov dword ptr [esi],eax

kd> r

eax=00000000 ebx=00000000 ecx=00000000 edx=80076430 esi=00060ec0

FileId = 0x00060ec0

Index = 0

if( Status != ESUCCESS ) {

Status = (BlFileTable[Index].DeviceEntryTable->Open)(OpenPath,

OpenMode,

FileId);

}

kd> p

osloader!_BlOpen+0x234:

0040553f ff5008 call dword ptr [eax+8]

kd> r

eax=00463a60 ebx=00000000 ecx=00000000 edx=000003f8 esi=00060ec0 edi=c000000d

eip=0040553f esp=0005fa94 ebp=00060d1c iopl=0 nv up di ng nz na po nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000082

osloader!_BlOpen+0x234:

0040553f ff5008 call dword ptr [eax+8] ds:0010:00463a68={osloader!NtfsOpen (0040fc5a)}

kd> x osloader!BlFileTable

00479a00 osloader!BlFileTable = struct _BL_FILE_TABLE [48]

kd> dx -r1 (*((osloader!_BL_FILE_TABLE (*)[48])0x479a00))

(*((osloader!_BL_FILE_TABLE (*)[48])0x479a00)) [Type: _BL_FILE_TABLE [48]]

0\] \[Type: _BL_FILE_TABLE

1\] \[Type: _BL_FILE_TABLE

2\] \[Type: _BL_FILE_TABLE

kd> dx -r1 (*((osloader!_BL_FILE_TABLE *)0x479a00))

(*((osloader!_BL_FILE_TABLE *)0x479a00)) [Type: _BL_FILE_TABLE]

+0x000\] Flags \[Type: _BL_FILE_FLAGS

+0x004\] DeviceId : 0x3 \[Type: unsigned long

+0x008\] Position : {0} \[Type: _LARGE_INTEGER

+0x010\] StructureContext : 0x80076430 \[Type: void \*

+0x014\] DeviceEntryTable : 0x463a60 \[Type: _BL_DEVICE_ENTRY_TABLE \*

+0x018\] FileNameLength : 0xc \[Type: unsigned char

+0x019\] FileName : "hiberfil.sys" \[Type: char \[32\]

+0x040\] u \[Type: __unnamed

kd> dx -r1 ((osloader!_BL_DEVICE_ENTRY_TABLE *)0x463a60)

((osloader!_BL_DEVICE_ENTRY_TABLE *)0x463a60) : 0x463a60 [Type: _BL_DEVICE_ENTRY_TABLE *]

+0x000\] Close : 0x411de9 \[Type: unsigned long (\*)(unsigned long)

+0x004\] Mount : 0x0 \[Type: unsigned long (\*)(char \*,_MOUNT_OPERATION)

+0x008\] Open : 0x40fc5a \[Type: unsigned long (\*)(char \*,_OPEN_MODE,unsigned long \*)

+0x00c\] Read : 0x40f270 \[Type: unsigned long (\*)(unsigned long,void \*,unsigned long,unsigned long \*)

+0x010\] GetReadStatus : 0x0 \[Type: unsigned long (\*)(unsigned long)

+0x014\] Seek : 0x40e3d3 \[Type: unsigned long (\*)(unsigned long,_LARGE_INTEGER \*,_SEEK_MODE)

+0x018\] Write : 0x40fb64 \[Type: unsigned long (\*)(unsigned long,void \*,unsigned long,unsigned long \*)

+0x01c\] GetFileInformation : 0x40fa70 \[Type: unsigned long (\*)(unsigned long,_FILE_INFORMATION \*)

+0x020\] SetFileInformation : 0x40cc63 \[Type: unsigned long (\*)(unsigned long,unsigned long,unsigned long)

+0x024\] Rename : 0x0 \[Type: unsigned long (\*)(unsigned long,char \*)

+0x028\] GetDirectoryEntry : 0x0 \[Type: unsigned long (\*)(unsigned long,_DIRECTORY_ENTRY \*,unsigned long,unsigned long \*)

+0x02c\] BootFsInfo : 0x4452d8 \[Type: _BOOTFS_INFO \*

kd> u 40f270

osloader!NtfsRead [d:\srv03rtm\base\boot\lib\ntfsboot.c @ 1324]:

0040f270 55 push ebp

0040f271 8bec mov ebp,esp

0040f273 53 push ebx

0040f274 56 push esi

0040f275 8b7508 mov esi,dword ptr [ebp+8]

0040f278 6bf668 imul esi,esi,68h

0040f27b 81c6009a4700 add esi,offset osloader!BlFileTable (00479a00)

0040f281 8b5e10 mov ebx,dword ptr [esi+10h]

kd> kc 5

00 osloader!NtfsOpen

01 osloader!_BlOpen

02 osloader!BlOpen

03 osloader!BlStartup

04 osloader!NtProcessStartup

kd> dv

RWFileName = 0x00442470 "\boot.ini"

OpenMode = ArcOpenReadOnly (0n0)

FileId = 0x00060ec0

kd> dx -r1 ((osloader!unsigned long *)0x60ec0)

((osloader!unsigned long *)0x60ec0) : 0x60ec0 : 0x0 [Type: unsigned long *]

0x0 [Type: unsigned long]

// Search for the name in the current directory

SearchForFileName( StructureContext,

Name,

&FileRecord,

&Found,

&IsDirectory );

kd> p

osloader!NtfsOpen+0xb6:

0040fd10 ff75f8 push dword ptr [ebp-8]

kd> p

osloader!NtfsOpen+0xb9:

0040fd13 e8b8feffff call osloader!NtfsSearchForFileName (0040fbd0)

kd> p

Breakpoint 6 hit

osloader!NtfsReadDisk:

0040e41e 55 push ebp

kd> kc

00 osloader!NtfsReadDisk

01 osloader!NtfsReadNonresidentAttribute

02 osloader!NtfsReadAndDecodeFileRecord

03 osloader!NtfsLookupAttribute

04 osloader!NtfsInexactSortedDirectoryScan

05 osloader!NtfsSearchForFileName

06 osloader!NtfsOpen

07 osloader!_BlOpen

08 osloader!BlOpen

09 osloader!BlStartup

0a osloader!NtProcessStartup

WARNING: Frame IP not in any known module. Following frames may be wrong.

0b 0x0

0c osloader!`string'

0d 0x0

kd> dv

DeviceId = 3

Lbo = 0n3221230592

ByteCount = 0x400

Buffer = 0x004613c0

CacheNewData = 0x01 ''

i = 1

4 e Disable Clear 00405332 0001 (0001) osloader!_BlOpen+0x27

5 e Disable Clear 004055ad 0001 (0001) osloader!BlOpen+0x62

6 e Disable Clear 0040e41e 0001 (0001) osloader!NtfsReadDisk

7 e Disable Clear 0041d183 0001 (0001) osloader!BlDiskCacheRead

kd> p

osloader!NtfsReadDisk+0x1e:

0040e43c ff7508 push dword ptr [ebp+8]

kd> p

osloader!NtfsReadDisk+0x21:

0040e43f e83fed0000 call osloader!BlDiskCacheRead (0041d183)

kd> t

Breakpoint 7 hit

osloader!BlDiskCacheRead:

0041d183 55 push ebp

kd> t

Breakpoint 7 hit

osloader!BlDiskCacheRead:

0041d183 55 push ebp

kd> kc 8

00 osloader!BlDiskCacheRead

01 osloader!NtfsReadDisk

02 osloader!NtfsReadNonresidentAttribute

03 osloader!NtfsReadAndDecodeFileRecord

04 osloader!NtfsLookupAttribute

05 osloader!NtfsInexactSortedDirectoryScan

06 osloader!NtfsSearchForFileName

07 osloader!NtfsOpen

kd> dv

DeviceId = 3

pOffset = 0x0005f890 {3221230592}

Buffer = 0x004613c0

Length = 0x400

pCount = 0x0005f8a0

CacheNewData = 0x01 ''

ARC_STATUS

BlDiskCacheRead (

ULONG DeviceId,

PLARGE_INTEGER pOffset,

PVOID Buffer,

ULONG Length,

PULONG pCount,

BOOLEAN CacheNewData

)

{

SkipCache:

// Reset the number of bytes read.

*pCount = 0;

// If no cache was found or data could not be read from the cache,

// hand over to ArcRead.

if ((Status = ArcSeek(DeviceId, pOffset, SeekAbsolute)) != ESUCCESS)

{

return Status;

}

DPRINT(("DK: SkipCacheRead:%016I64x,%08x,%d\n",

LIReadOffset.QuadPart, pDest, CopyLength));

Status = ArcRead(DeviceId, Buffer, Length, pCount);

return Status;

}

kd> p

osloader!BlDiskCacheRead+0x3df:

0041d562 ff5070 call dword ptr [eax+70h]

kd> r

eax=00478f80 ebx=00000000 ecx=c0001800 edx=00000000 esi=0005f8a0 edi=0005f890

eip=0041d562 esp=0005f790 ebp=0005f864 iopl=0 nv up di pl zr na pe nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000046

osloader!BlDiskCacheRead+0x3df:

0041d562 ff5070 call dword ptr [eax+70h] ds:0010:00478ff0={osloader!AESeek (00406bde)}

kd> p

Breakpoint 9 hit

osloader!AESeek:

00406bde 55 push ebp

kd> kc 9

00 osloader!AESeek

01 osloader!BlDiskCacheRead

02 osloader!NtfsReadDisk

03 osloader!NtfsReadNonresidentAttribute

04 osloader!NtfsReadAndDecodeFileRecord

05 osloader!NtfsLookupAttribute

06 osloader!NtfsInexactSortedDirectoryScan

07 osloader!NtfsSearchForFileName

08 osloader!NtfsOpen

kd> x osloader!BlFileTable

00479a00 osloader!BlFileTable = struct _BL_FILE_TABLE [48]

kd> dv

FileId = 3

Offset = 0x0005f890 {3221230592}

SeekMode = SeekAbsolute (0n0)

kd> dx -r1 (*((osloader!_BL_FILE_TABLE (*)[48])0x479a00))

(*((osloader!_BL_FILE_TABLE (*)[48])0x479a00)) [Type: _BL_FILE_TABLE [48]]

0\] \[Type: _BL_FILE_TABLE

1\] \[Type: _BL_FILE_TABLE

2\] \[Type: _BL_FILE_TABLE

3\] \[Type: _BL_FILE_TABLE

kd> dx -r1 (*((osloader!_BL_FILE_TABLE *)0x479b38))

(*((osloader!_BL_FILE_TABLE *)0x479b38)) [Type: _BL_FILE_TABLE]

+0x000\] Flags \[Type: _BL_FILE_FLAGS

+0x004\] DeviceId : 0x0 \[Type: unsigned long

+0x008\] Position : {3221226496} \[Type: _LARGE_INTEGER

+0x010\] StructureContext : 0x0 \[Type: void \*

+0x014\] DeviceEntryTable : 0x44621c \[Type: _BL_DEVICE_ENTRY_TABLE \*

+0x018\] FileNameLength : 0x0 \[Type: unsigned char

+0x019\] FileName : "" \[Type: char \[32\]

+0x040\] u \[Type: __unnamed

kd> dx -r1 ((osloader!_BL_DEVICE_ENTRY_TABLE *)0x44621c)

((osloader!_BL_DEVICE_ENTRY_TABLE *)0x44621c) : 0x44621c [Type: _BL_DEVICE_ENTRY_TABLE *]

+0x000\] Close : 0x414d4b \[Type: unsigned long (\*)(unsigned long)

+0x004\] Mount : 0x406a56 \[Type: unsigned long (\*)(char \*,_MOUNT_OPERATION)

+0x008\] Open : 0x416019 \[Type: unsigned long (\*)(char \*,_OPEN_MODE,unsigned long \*)

+0x00c\] Read : 0x414d86 \[Type: unsigned long (\*)(unsigned long,void \*,unsigned long,unsigned long \*)

+0x010\] GetReadStatus : 0x406a56 \[Type: unsigned long (\*)(unsigned long)

+0x014\] Seek : 0x414dfb \[Type: unsigned long (\*)(unsigned long,_LARGE_INTEGER \*,_SEEK_MODE)

+0x018\] Write : 0x414e58 \[Type: unsigned long (\*)(unsigned long,void \*,unsigned long,unsigned long \*)

+0x01c\] GetFileInformation : 0x415f1b \[Type: unsigned long (\*)(unsigned long,_FILE_INFORMATION \*)

+0x020\] SetFileInformation : 0x406a56 \[Type: unsigned long (\*)(unsigned long,unsigned long,unsigned long)

+0x024\] Rename : 0x406a56 \[Type: unsigned long (\*)(unsigned long,char \*)

+0x028\] GetDirectoryEntry : 0x406a56 \[Type: unsigned long (\*)(unsigned long,_DIRECTORY_ENTRY \*,unsigned long,unsigned long \*)

+0x02c\] BootFsInfo : 0x0 \[Type: _BOOTFS_INFO \*

kd> u 414dfb

osloader!BiosPartitionSeek [d:\srv03rtm\base\boot\lib\i386\biosdrv.c @ 548]:

00414dfb 55 push ebp

00414dfc 8bec mov ebp,esp

00414dfe 8b4510 mov eax,dword ptr [ebp+10h]

00414e01 83e800 sub eax,0

00414e04 7432 je osloader!BiosPartitionSeek+0x3d (00414e38)

00414e06 48 dec eax

00414e07 7414 je osloader!BiosPartitionSeek+0x22 (00414e1d)

00414e09 ff7510 push dword ptr [ebp+10h]

kd> u 414d86

osloader!BiosPartitionRead [d:\srv03rtm\base\boot\lib\i386\biosdrv.c @ 488]:

00414d86 55 push ebp

00414d87 8bec mov ebp,esp

00414d89 51 push ecx

00414d8a 51 push ecx

00414d8b 53 push ebx

00414d8c 56 push esi

00414d8d 8b7508 mov esi,dword ptr [ebp+8]

00414d90 6bf668 imul esi,esi,68h

kd> kc 9

00 osloader!BiosPartitionSeek

01 osloader!BlDiskCacheRead

02 osloader!NtfsReadDisk

03 osloader!NtfsReadNonresidentAttribute

04 osloader!NtfsReadAndDecodeFileRecord

05 osloader!NtfsLookupAttribute

06 osloader!NtfsInexactSortedDirectoryScan

07 osloader!NtfsSearchForFileName

08 osloader!NtfsOpen

switch (SeekMode) {

case SeekAbsolute:

BlFileTable[FileId].Position = *Offset;

kd> dv

FileId = 3

Offset = 0x0005f890 {3221230592}

kd> dx -r1 (*((osloader!_BL_FILE_TABLE *)0x479b38))

(*((osloader!_BL_FILE_TABLE *)0x479b38)) [Type: _BL_FILE_TABLE]

+0x000\] Flags \[Type: _BL_FILE_FLAGS

+0x004\] DeviceId : 0x0 \[Type: unsigned long

+0x008\] Position : {3221226496} \[Type: _LARGE_INTEGER

+0x010\] StructureContext : 0x0 \[Type: void \*

+0x014\] DeviceEntryTable : 0x44621c \[Type: _BL_DEVICE_ENTRY_TABLE \*

+0x018\] FileNameLength : 0x0 \[Type: unsigned char

+0x019\] FileName : "" \[Type: char \[32\]

+0x040\] u \[Type: __unnamed

kd> dx -r1 (*((osloader!_LARGE_INTEGER *)0x479b40))

(*((osloader!_LARGE_INTEGER *)0x479b40)) : {3221226496} [Type: _LARGE_INTEGER]

\\] \[Type: _LARGE_INTEGER

kd> dx -r1 -nv (*((osloader!_LARGE_INTEGER *)0x479b40))

(*((osloader!_LARGE_INTEGER *)0x479b40)) : {3221226496} [Type: _LARGE_INTEGER]

+0x000\] LowPart : 0xc0000400 \[Type: unsigned long

+0x004\] HighPart : 0 \[Type: long

+0x000\] u \[Type: __unnamed

+0x000\] QuadPart : 3221226496 \[Type: __int64

switch (SeekMode) {

case SeekAbsolute:

BlFileTable[FileId].Position = *Offset;之后：

kd> dx -r1 (*((osloader!_BL_FILE_TABLE *)0x479b38))

(*((osloader!_BL_FILE_TABLE *)0x479b38)) [Type: _BL_FILE_TABLE]

+0x000\] Flags \[Type: _BL_FILE_FLAGS

+0x004\] DeviceId : 0x0 \[Type: unsigned long

+0x008\] Position : {3221230592} \[Type: _LARGE_INTEGER

+0x010\] StructureContext : 0x0 \[Type: void \*

+0x014\] DeviceEntryTable : 0x44621c \[Type: _BL_DEVICE_ENTRY_TABLE \*

+0x018\] FileNameLength : 0x0 \[Type: unsigned char

+0x019\] FileName : "" \[Type: char \[32\]

+0x040\] u \[Type: __unnamed

kd> dx -r1 (*((osloader!_LARGE_INTEGER *)0x479b40))

(*((osloader!_LARGE_INTEGER *)0x479b40)) : {3221230592} [Type: _LARGE_INTEGER]

\\] \[Type: _LARGE_INTEGER

kd> dx -r1 -nv (*((osloader!_LARGE_INTEGER *)0x479b40))

(*((osloader!_LARGE_INTEGER *)0x479b40)) : {3221230592} [Type: _LARGE_INTEGER]

+0x000\] LowPart : 0xc0001400 \[Type: unsigned long

+0x004\] HighPart : 0 \[Type: long

+0x000\] u \[Type: __unnamed

+0x000\] QuadPart : 3221230592 \[Type: __int64

Offset = 0x0005f890 {3221230592}

kd> ?0n3221230592

Evaluate expression: -1073736704 = c0001400

DPRINT(("DK: SkipCacheRead:%016I64x,%08x,%d\n",

LIReadOffset.QuadPart, pDest, CopyLength));

Status = ArcRead(DeviceId, Buffer, Length, pCount);

kd> p

osloader!BlDiskCacheRead+0x3f5:

0041d578 ff5064 call dword ptr [eax+64h]

kd> r

eax=00478f80 ebx=00000000 ecx=00000138 edx=c0001400 esi=0005f8a0 edi=0005f890

eip=0041d578 esp=0005f78c ebp=0005f864 iopl=0 nv up di pl zr na pe nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000046

osloader!BlDiskCacheRead+0x3f5:

0041d578 ff5064 call dword ptr [eax+64h] ds:0010:00478fe4={osloader!AERead (004074ce)}

kd> t

Breakpoint 8 hit

osloader!AERead:

004074ce 55 push ebp

kd> kc 9

00 osloader!AERead

01 osloader!BlDiskCacheRead

02 osloader!NtfsReadDisk

03 osloader!NtfsReadNonresidentAttribute

04 osloader!NtfsReadAndDecodeFileRecord

05 osloader!NtfsLookupAttribute

06 osloader!NtfsInexactSortedDirectoryScan

07 osloader!NtfsSearchForFileName

08 osloader!NtfsOpen

kd> dv

FileId = 3

Buffer = 0x004613c0

Length = 0x400

Count = 0x0005f8a0

TmpBuffer = 0x004074ce "U???"

kd> r

eax=004613c0 ebx=00000400 ecx=0044621c edx=0005f774 esi=0005f8a0 edi=004613c0

eip=00407965 esp=0005f754 ebp=0005f784 iopl=0 nv up di pl zr na pe nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000046

osloader!AERead+0x497:

00407965 ff510c call dword ptr [ecx+0Ch] ds:0010:00446228={osloader!BiosPartitionRead (00414d86)}

kd> kc e

00 osloader!BiosPartitionRead

01 osloader!AERead

02 osloader!BlDiskCacheRead

03 osloader!NtfsReadDisk

04 osloader!NtfsReadNonresidentAttribute

05 osloader!NtfsReadAndDecodeFileRecord

06 osloader!NtfsLookupAttribute

07 osloader!NtfsInexactSortedDirectoryScan

08 osloader!NtfsSearchForFileName

09 osloader!NtfsOpen

0a osloader!_BlOpen

0b osloader!BlOpen

0c osloader!BlStartup

0d osloader!NtProcessStartup

PhysicalOffset.QuadPart = BlFileTable[FileId].Position.QuadPart +

SECTOR_SIZE * (LONGLONG)BlFileTable[FileId].u.PartitionContext.StartingSector;

kd> dx -r1 (*((osloader!_BL_FILE_TABLE *)0x479b38))

(*((osloader!_BL_FILE_TABLE *)0x479b38)) [Type: _BL_FILE_TABLE]

+0x000\] Flags \[Type: _BL_FILE_FLAGS

+0x004\] DeviceId : 0x0 \[Type: unsigned long

+0x008\] Position : {3221230592} \[Type: _LARGE_INTEGER

+0x010\] StructureContext : 0x0 \[Type: void \*

+0x014\] DeviceEntryTable : 0x44621c \[Type: _BL_DEVICE_ENTRY_TABLE \*

+0x018\] FileNameLength : 0x0 \[Type: unsigned char

+0x019\] FileName : "" \[Type: char \[32\]

+0x040\] u \[Type: __unnamed

kd> dx -r1 (*((osloader!_LARGE_INTEGER *)0x479b40))

(*((osloader!_LARGE_INTEGER *)0x479b40)) : {3221230592} [Type: _LARGE_INTEGER]

\\] \[Type: _LARGE_INTEGER

kd> dx -r1 -nv (*((osloader!_LARGE_INTEGER *)0x479b40))

(*((osloader!_LARGE_INTEGER *)0x479b40)) : {3221230592} [Type: _LARGE_INTEGER]

+0x000\] LowPart : 0xc0001400 \[Type: unsigned long

+0x004\] HighPart : 0 \[Type: long

+0x000\] u \[Type: __unnamed

+0x000\] QuadPart : 3221230592 \[Type: __int64

kd> dx -r1 (*((osloader!__unnamed *)0x479b78))

(*((osloader!__unnamed *)0x479b78)) [Type: __unnamed]

+0x000\] NtfsFileContext \[Type: _NTFS_FILE_CONTEXT

+0x000\] FatFileContext \[Type: _FAT_FILE_CONTEXT

+0x000\] UdfsFileContext \[Type: _UDFS_FILE_CONTEXT

+0x000\] CdfsFileContext \[Type: _CDFS_FILE_CONTEXT

+0x000\] EtfsFileContext \[Type: _ETFS_FILE_CONTEXT

+0x000\] NetFileContext \[Type: _NET_FILE_CONTEXT

+0x000\] PartitionContext \[Type: _PARTITION_CONTEXT

+0x000\] SerialContext \[Type: _SERIAL_CONTEXT

+0x000\] DriveContext \[Type: _DRIVE_CONTEXT

+0x000\] FloppyContext \[Type: _FLOPPY_CONTEXT

+0x000\] KeyboardContext \[Type: _KEYBOARD_CONTEXT

+0x000\] ConsoleContext \[Type: _CONSOLE_CONTEXT

+0x000\] EfiContext \[Type: _EFI_ARC_OPEN_CONTEXT

kd> dx -r1 (*((osloader!_PARTITION_CONTEXT *)0x479b78))

(*((osloader!_PARTITION_CONTEXT *)0x479b78)) [Type: _PARTITION_CONTEXT]

+0x000\] PartitionLength : {48855252992} \[Type: _LARGE_INTEGER

+0x008\] StartingSector : 0x8493800 \[Type: unsigned long

kd> ?0x8493800*0x200

Evaluate expression: 71176290304 = 00000010`92700000

kd> ?0x8493800*0x200+0xc0001400

Evaluate expression: 74397520896 = 00000011`52701400

DiskId = BlFileTable[FileId].u.PartitionContext.DiskId;

kd> dx -r1 (*((osloader!_PARTITION_CONTEXT *)0x479b78))

(*((osloader!_PARTITION_CONTEXT *)0x479b78)) [Type: _PARTITION_CONTEXT]

+0x000\] PartitionLength : {48855252992} \[Type: _LARGE_INTEGER

+0x008\] StartingSector : 0x8493800 \[Type: unsigned long

+0x00c\] EndingSector : 0x0 \[Type: unsigned long

+0x010\] DiskId : 0x2 \[Type: unsigned char

+0x011\] DeviceUnit : 0x0 \[Type: unsigned char

+0x012\] TargetId : 0x0 \[Type: unsigned char

+0x013\] PathId : 0x0 \[Type: unsigned char

+0x014\] SectorShift : 0x0 \[Type: unsigned long

+0x018\] Size : 0x0 \[Type: unsigned long

+0x01c\] PortDeviceObject : 0x0 \[Type: _DEVICE_OBJECT \*

Status = (BlFileTable[DiskId].DeviceEntryTable->Seek)(DiskId,

&PhysicalOffset,

SeekAbsolute );

kd> r

eax=0044624c ebx=00000002 ecx=0005f744 edx=00000011 esi=00000138 edi=00479ae4

eip=00414dce esp=0005f72c ebp=0005f74c iopl=0 nv up di pl nz na po nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000002

osloader!BiosPartitionRead+0x48:

00414dce ff5014 call dword ptr [eax+14h] ds:0010:00446260={osloader!BiosPartitionSeek (00414dfb)}

kd> t

osloader!BiosPartitionSeek:

00414dfb 55 push ebp

kd> kc 10

00 osloader!BiosPartitionSeek

01 osloader!BiosPartitionRead

02 osloader!AERead

03 osloader!BlDiskCacheRead

04 osloader!NtfsReadDisk

05 osloader!NtfsReadNonresidentAttribute

06 osloader!NtfsReadAndDecodeFileRecord

07 osloader!NtfsLookupAttribute

08 osloader!NtfsInexactSortedDirectoryScan

09 osloader!NtfsSearchForFileName

0a osloader!NtfsOpen

0b osloader!_BlOpen

0c osloader!BlOpen

0d osloader!BlStartup

0e osloader!NtProcessStartup

kd> dv

FileId = 2

Offset = 0x0005f744 {74397520896}

SeekMode = SeekAbsolute (0n0)

kd> ?0n74397520896

Evaluate expression: 74397520896 = 00000011`52701400

{

switch (SeekMode) {

case SeekAbsolute:

BlFileTable[FileId].Position = *Offset;

kd> dx -r1 (*((osloader!_LARGE_INTEGER *)0x479ad8))

(*((osloader!_LARGE_INTEGER *)0x479ad8)) : {74397520896} [Type: _LARGE_INTEGER]

\\] \[Type: _LARGE_INTEGER

kd> dx -r1 -nv (*((osloader!_LARGE_INTEGER *)0x479ad8))

(*((osloader!_LARGE_INTEGER *)0x479ad8)) : {74397520896} [Type: _LARGE_INTEGER]

+0x000\] LowPart : 0x52701400 \[Type: unsigned long

+0x004\] HighPart : 17 \[Type: long

+0x000\] u \[Type: __unnamed

+0x000\] QuadPart : 74397520896 \[Type: __int64

kd> dx -r1 (*((osloader!_BL_FILE_TABLE *)0x479ad0))

(*((osloader!_BL_FILE_TABLE *)0x479ad0)) [Type: _BL_FILE_TABLE]

+0x000\] Flags \[Type: _BL_FILE_FLAGS

+0x004\] DeviceId : 0x0 \[Type: unsigned long

+0x008\] Position : {74397516800} \[Type: _LARGE_INTEGER

+0x010\] StructureContext : 0x0 \[Type: void \*

+0x014\] DeviceEntryTable : 0x44624c \[Type: _BL_DEVICE_ENTRY_TABLE \*

+0x018\] FileNameLength : 0x0 \[Type: unsigned char

+0x019\] FileName : "" \[Type: char \[32\]

+0x040\] u \[Type: __unnamed

kd> dx -r1 ((osloader!_BL_DEVICE_ENTRY_TABLE *)0x44624c)

((osloader!_BL_DEVICE_ENTRY_TABLE *)0x44624c) : 0x44624c [Type: _BL_DEVICE_ENTRY_TABLE *]

+0x000\] Close : 0x414d0c \[Type: unsigned long (\*)(unsigned long)

+0x004\] Mount : 0x406a56 \[Type: unsigned long (\*)(char \*,_MOUNT_OPERATION)

+0x008\] Open : 0x415526 \[Type: unsigned long (\*)(char \*,_OPEN_MODE,unsigned long \*)

+0x00c\] Read : 0x415edd \[Type: unsigned long (\*)(unsigned long,void \*,unsigned long,unsigned long \*)

+0x010\] GetReadStatus : 0x406a56 \[Type: unsigned long (\*)(unsigned long)

+0x014\] Seek : 0x414dfb \[Type: unsigned long (\*)(unsigned long,_LARGE_INTEGER \*,_SEEK_MODE)

+0x018\] Write : 0x415798 \[Type: unsigned long (\*)(unsigned long,void \*,unsigned long,unsigned long \*)

+0x01c\] GetFileInformation : 0x415f70 \[Type: unsigned long (\*)(unsigned long,_FILE_INFORMATION \*)

+0x020\] SetFileInformation : 0x406a56 \[Type: unsigned long (\*)(unsigned long,unsigned long,unsigned long)

+0x024\] Rename : 0x406a56 \[Type: unsigned long (\*)(unsigned long,char \*)

+0x028\] GetDirectoryEntry : 0x406a56 \[Type: unsigned long (\*)(unsigned long,_DIRECTORY_ENTRY \*,unsigned long,unsigned long \*)

+0x02c\] BootFsInfo : 0x0 \[Type: _BOOTFS_INFO \*

kd> u 414dfb

osloader!BiosPartitionSeek [d:\srv03rtm\base\boot\lib\i386\biosdrv.c @ 548]:

00414dfb 55 push ebp

00414dfc 8bec mov ebp,esp

00414dfe 8b4510 mov eax,dword ptr [ebp+10h]

00414e01 83e800 sub eax,0

00414e04 7432 je osloader!BiosPartitionSeek+0x3d (00414e38)

00414e06 48 dec eax

00414e07 7414 je osloader!BiosPartitionSeek+0x22 (00414e1d)

00414e09 ff7510 push dword ptr [ebp+10h]

Status = (BlFileTable[FileId].DeviceEntryTable->Read)( FileId,

(fUseAlignedBuf) ? AlignedBuf : (PCHAR)TmpBuffer,

kd> r

eax=0044624c ebx=00000002 ecx=000000d0 edx=52701400 esi=00000138 edi=0005f774

eip=00414de2 esp=0005f728 ebp=0005f74c iopl=0 nv up di pl zr na pe nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000046

osloader!BiosPartitionRead+0x5c:

00414de2 ff500c call dword ptr [eax+0Ch] ds:0010:00446258={osloader!BiosDiskRead (00415edd)}

kd> t

osloader!BiosDiskRead:

00415edd 55 push ebp

kd> kc 11

00 osloader!BiosDiskRead

01 osloader!BiosPartitionRead

02 osloader!AERead

03 osloader!BlDiskCacheRead

04 osloader!NtfsReadDisk

05 osloader!NtfsReadNonresidentAttribute

06 osloader!NtfsReadAndDecodeFileRecord

07 osloader!NtfsLookupAttribute

08 osloader!NtfsInexactSortedDirectoryScan

09 osloader!NtfsSearchForFileName

0a osloader!NtfsOpen

0b osloader!_BlOpen

0c osloader!BlOpen

0d osloader!BlStartup

0e osloader!NtProcessStartup

ARC_STATUS

BiosDiskRead(

IN ULONG FileId,

OUT PVOID Buffer,

IN ULONG Length,

OUT PULONG Count

)

{

USHORT PhysicalSectors;

PhysicalSectors = SECTOR_SIZE;

return(pBiosDiskReadWorker(FileId,Buffer,Length,Count,PhysicalSectors,FALSE));

}

kd> dv

FileId = 2

Buffer = 0x004613c0

Length = 0x400

Count = 0x0005f774

kd> t

Breakpoint 11 hit

osloader!pBiosDiskReadWorker:

00415ab4 55 push ebp

kd> kc b

00 osloader!pBiosDiskReadWorker

01 osloader!BiosDiskRead

02 osloader!BiosPartitionRead

03 osloader!AERead

04 osloader!BlDiskCacheRead

05 osloader!NtfsReadDisk

06 osloader!NtfsReadNonresidentAttribute

07 osloader!NtfsReadAndDecodeFileRecord

08 osloader!NtfsLookupAttribute

09 osloader!NtfsInexactSortedDirectoryScan

0a osloader!NtfsSearchForFileName

kd> dv

FileId = 2

Buffer = 0x004613c0

Length = 0x400

Count = 0x0005f774

SectorSize = 0x200

xInt13 = 0x00 ''

// Perform the read.

if(xInt13) {

Status = ReadExtendedPhysicalSectors(Int13Unit,

CurrentSector,

SectorsToTransfer,

pTransferDest);

} else {

Status = ReadPhysicalSectors(Int13Unit,

CurrentSector,

SectorsToTransfer,

pTransferDest,

SectorsPerTrack,

Heads,

Cylinders,

AllowXInt13);

}

#define ReadPhysicalSectors(d,a,n,p,s,h,c,f) \

XferPhysicalDiskSectors((d),(a),(n),(p),(s),(h),(c),(f),FALSE)

#define WritePhysicalSectors(d,a,n,p,s,h,c,f) \

XferPhysicalDiskSectors((d),(a),(n),(p),(s),(h),(c),(f),TRUE)

4 e Disable Clear 00405332 0001 (0001) osloader!_BlOpen+0x27

5 e Disable Clear 004055ad 0001 (0001) osloader!BlOpen+0x62

6 e Disable Clear 0040e41e 0001 (0001) osloader!NtfsReadDisk

7 e Disable Clear 0041d183 0001 (0001) osloader!BlDiskCacheRead

8 e Disable Clear 004074ce 0001 (0001) osloader!AERead

9 e Disable Clear 00406bde 0001 (0001) osloader!AESeek

10 e Disable Clear 00414d86 0001 (0001) osloader!BiosPartitionRead

11 e Disable Clear 00415ab4 0001 (0001) osloader!pBiosDiskReadWorker

12 e Disable Clear 0041dcc0 0001 (0001) osloader!XferPhysicalDiskSectors

kd> kf

Memory ChildEBP RetAddr

00 0005f660 00415d27 osloader!XferPhysicalDiskSectors [d:\srv03rtm\base\boot\lib\i386\machine.c @ 171]

01 a0 0005f700 00415ef8 osloader!pBiosDiskReadWorker+0x273 [d:\srv03rtm\base\boot\lib\i386\biosdrv.c @ 2229]

02 20 0005f720 00414de5 osloader!BiosDiskRead+0x1b [d:\srv03rtm\base\boot\lib\i386\biosdrv.c @ 2337]

03 2c 0005f74c 00407968 osloader!BiosPartitionRead+0x5f [d:\srv03rtm\base\boot\lib\i386\biosdrv.c @ 510]

04 38 0005f784 0041d57b osloader!AERead+0x49a [d:\srv03rtm\base\boot\lib\i386\arcemul.c @ 1697]

05 e0 0005f864 0040e444 osloader!BlDiskCacheRead+0x3f8 [d:\srv03rtm\base\boot\lib\blcache.c @ 1021]

06 20 0005f884 0040e6e7 osloader!NtfsReadDisk+0x26 [d:\srv03rtm\base\boot\lib\ntfsboot.c @ 1692]

07 38 0005f8bc 0040ec46 osloader!NtfsReadNonresidentAttribute+0x256 [d:\srv03rtm\base\boot\lib\ntfsboot.c @ 2431]

08 2c 0005f8e8 0040f2fd osloader!NtfsReadAndDecodeFileRecord+0xc1 [d:\srv03rtm\base\boot\lib\ntfsboot.c @ 2696]

09 6c 0005f954 0040f6fa osloader!NtfsLookupAttribute+0x20 [d:\srv03rtm\base\boot\lib\ntfsboot.c @ 1863]

0a b8 0005fa0c 0040fc12 osloader!NtfsInexactSortedDirectoryScan+0x2a [d:\srv03rtm\base\boot\lib\ntfsboot.c @ 3164]

0b 34 0005fa40 0040fd18 osloader!NtfsSearchForFileName+0x42 [d:\srv03rtm\base\boot\lib\ntfsboot.c @ 3070]

0c 4c 0005fa8c 00405542 osloader!NtfsOpen+0xbe [d:\srv03rtm\base\boot\lib\ntfsboot.c @ 1172]

0d 1290 00060d1c 004055ad osloader!_BlOpen+0x237 [d:\srv03rtm\base\boot\lib\blio.c @ 584]

0e 11c 00060e38 0042747f osloader!BlOpen+0x62 [d:\srv03rtm\base\boot\lib\blio.c @ 662]

0f 98 00060ed0 004015aa osloader!BlStartup+0x1ec [d:\srv03rtm\base\boot\bldr\i386\initx86.c @ 276]

10 1120 00061ff0 10101010 osloader!NtProcessStartup+0x208 [d:\srv03rtm\base\boot\lib\i386\entry.c @ 348]

WARNING: Frame IP not in any known module. Following frames may be wrong.

11 8 00061ff8 0043b06c 0x10101010

12 4 00061ffc 4c555209 osloader!`string'

13 3d9070 0043b06c 00000000 0x4c555209

if(AllowExtendedInt13) {

s = XferExtendedPhysicalDiskSectors(

Int13UnitNumber,

StartSector,

SectorCount,

Buffer,

Write

);

kd> kc f

Memory

00 osloader!XferExtendedPhysicalDiskSectors

01 3c osloader!XferPhysicalDiskSectors

02 a0 osloader!pBiosDiskReadWorker

03 20 osloader!BiosDiskRead

04 2c osloader!BiosPartitionRead

05 38 osloader!AERead

06 e0 osloader!BlDiskCacheRead

07 20 osloader!NtfsReadDisk

08 38 osloader!NtfsReadNonresidentAttribute

09 2c osloader!NtfsReadAndDecodeFileRecord

0a 6c osloader!NtfsLookupAttribute

0b b8 osloader!NtfsInexactSortedDirectoryScan

0c 34 osloader!NtfsSearchForFileName

0d 4c osloader!NtfsOpen

0e 1290 osloader!_BlOpen

0f 11c osloader!BlOpen

10 98 osloader!BlStartup

11 1120 osloader!NtProcessStartup

s = GET_EDDS_SECTOR(Int13UnitNumber,l,h,SectorCount,Buffer,Operation);

if(s) {

kd> p

osloader!XferExtendedPhysicalDiskSectors+0x46:

0041dc44 ff7508 push dword ptr [ebp+8]

kd> p

osloader!XferExtendedPhysicalDiskSectors+0x49:

0041dc47 ff5030 call dword ptr [eax+30h]

kd> r

eax=000244ec ebx=00030000 ecx=00000031 edx=00000000 esi=00000000 edi=00000002

eip=0041dc47 esp=0005f600 ebp=0005f624 iopl=0 nv up di pl nz na pe nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000006

osloader!XferExtendedPhysicalDiskSectors+0x49:

0041dc47 ff5030 call dword ptr [eax+30h] ds:0010:0002451c=00022e78

kd> dx -r1 ((osloader!_EXTERNAL_SERVICES_TABLE *)0x244ec)

((osloader!_EXTERNAL_SERVICES_TABLE *)0x244ec) : 0x244ec [Type: _EXTERNAL_SERVICES_TABLE *]

+0x000\] RebootProcessor : 0x22e60 \[Type: void (__cdecl\*)()

+0x004\] DiskIOSystem : 0x22e6c \[Type: long (__cdecl\*)(unsigned char,unsigned char,unsigned short,unsigned short,unsigned char,unsigned char,unsigned char \*)

+0x008\] GetKey : 0x22e84 \[Type: unsigned long (__cdecl\*)()

+0x00c\] GetCounter : 0x22e90 \[Type: unsigned long (__cdecl\*)()

+0x010\] Reboot : 0x22e9c \[Type: void (__cdecl\*)(unsigned long)

+0x014\] DetectHardware : 0x22ec0 \[Type: void (__cdecl\*)(unsigned long,unsigned long,void \*,unsigned long \*,char \*,unsigned long)

+0x018\] HardwareCursor : 0x22ea8 \[Type: void (__cdecl\*)(unsigned long,unsigned long)

+0x01c\] GetDateTime : 0x22eb4 \[Type: void (__cdecl\*)(unsigned long \*,unsigned long \*)

+0x020\] ComPort : 0x22ecc \[Type: void (__cdecl\*)(long,unsigned long,unsigned char)

+0x024\] GetStallCount : 0x22ed8 \[Type: unsigned long (__cdecl\*)()

+0x028\] InitializeDisplayForNt : 0x22ee4 \[Type: void (__cdecl\*)()

+0x02c\] GetMemoryDescriptor : 0x22ef0 \[Type: void (__cdecl\*)()

+0x030\] GetEddsSector : 0x22e78 \[Type: long (__cdecl\*)(unsigned char,unsigned long,unsigned long,unsigned short,unsigned char \*,unsigned char)

+0x034\] GetElToritoStatus : 0x22efc \[Type: long (__cdecl\*)(unsigned char \*,unsigned char)

+0x038\] GetExtendedInt13Params : 0x22f08 \[Type: unsigned char (__cdecl\*)(unsigned char \*,unsigned char)

+0x03c\] NetPcRomServices : 0x0 \[Type: unsigned short (__cdecl\*)(unsigned long,void \*)

+0x040\] ApmAttemptReconnect : 0x22f14 \[Type: void (__cdecl\*)()

+0x044\] BiosRedirectService : 0x0 \[Type: unsigned long (__cdecl\*)(unsigned long)

kd> p

osloader!XferExtendedPhysicalDiskSectors+0x4c:

0041dc4a 83c418 add esp,18h

kd> p

osloader!XferExtendedPhysicalDiskSectors+0x4f:

0041dc4d 85c0 test eax,eax

kd> p

osloader!XferExtendedPhysicalDiskSectors+0x51:

0041dc4f 7432 je osloader!XferExtendedPhysicalDiskSectors+0x85 (0041dc83)

kd> p

osloader!XferExtendedPhysicalDiskSectors+0x85:

0041dc83 5e pop esi

kd> p

osloader!XferExtendedPhysicalDiskSectors+0x86:

0041dc84 5f pop edi

kd> p

osloader!XferExtendedPhysicalDiskSectors+0x87:

0041dc85 5b pop ebx

kd> p

osloader!XferExtendedPhysicalDiskSectors+0x88:

0041dc86 5d pop ebp

kd> p

osloader!XferExtendedPhysicalDiskSectors+0x89:

0041dc87 c21800 ret 18h

kd> dv

Int13UnitNumber = 0x80 ''

StartSector = 0x8a9380a

SectorCount = 0x1302

Buffer = 0x00030000 "FILE0"

Write = 0x31 '1'

Operation = 0x31 '1'

kd> dd 0x00030000

00030000 454c4946 00030030 070a55a8 00000000

00030010 00010005 00030038 00000348 00000400

00030020 00000000 00000000 0000000b 00000005

00030030 0500004c 00000000 00000010 00000048

00030040 00180000 00000000 00000030 00000018

00030050 2f249c2f 01dbfe2b 70fad988 01dc029e

00030060 70fad988 01dc029e 70fad988 01dc029e

00030070 00000006 00000000 00000000 00000000

kd> db 0x00030000

00030000 46 49 4c 45 30 00 03 00-a8 55 0a 07 00 00 00 00 FILE0....U......

00030010 05 00 01 00 38 00 03 00-48 03 00 00 00 04 00 00 ....8...H.......

00030020 00 00 00 00 00 00 00 00-0b 00 00 00 05 00 00 00 ................

00030030 4c 00 00 05 00 00 00 00-10 00 00 00 48 00 00 00 L...........H...

00030040 00 00 18 00 00 00 00 00-30 00 00 00 18 00 00 00 ........0.......

00030050 2f 9c 24 2f 2b fe db 01-88 d9 fa 70 9e 02 dc 01 /.$/+......p....

00030060 88 d9 fa 70 9e 02 dc 01-88 d9 fa 70 9e 02 dc 01 ...p.......p....

00030070 06 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

kd> dt _FILE_RECORD_SEGMENT_HEADER 0x00030000

osloader!_FILE_RECORD_SEGMENT_HEADER

+0x000 MultiSectorHeader : _MULTI_SECTOR_HEADER

+0x008 Lsn : _LARGE_INTEGER 0x70a55a8

+0x010 SequenceNumber : 5

+0x012 ReferenceCount : 1

+0x014 FirstAttributeOffset : 0x38

+0x016 Flags : 3

+0x018 FirstFreeByte : 0x348

+0x01c BytesAvailable : 0x400

+0x020 BaseFileRecordSegment : _MFT_SEGMENT_REFERENCE

+0x028 NextAttributeInstance : 0xb

+0x02a SegmentNumberHighPart : 0

+0x02c SegmentNumberLowPart : 5

+0x030 UpdateArrayForCreateOnly : [1] 0x4c

kd> dx -r1 (*((osloader!_MULTI_SECTOR_HEADER *)0x30000))

(*((osloader!_MULTI_SECTOR_HEADER *)0x30000)) [Type: _MULTI_SECTOR_HEADER]

+0x000\] Signature \[Type: unsigned char \[4\]

+0x004\] UpdateSequenceArrayOffset : 0x30 \[Type: unsigned short

+0x006\] UpdateSequenceArraySize : 0x3 \[Type: unsigned short

kd> dx -r1 (*((osloader!unsigned char (*)[4])0x30000))

(*((osloader!unsigned char (*)[4])0x30000)) [Type: unsigned char [4]]

0\] : 0x46 \[Type: unsigned char

1\] : 0x49 \[Type: unsigned char

2\] : 0x4c \[Type: unsigned char

3\] : 0x45 \[Type: unsigned char

kd> dt _ATTRIBUTE_RECORD_HEADER 0x00030000+38

osloader!_ATTRIBUTE_RECORD_HEADER

+0x000 TypeCode : 0x10

+0x004 RecordLength : 0x48

+0x008 FormCode : 0 ''

+0x009 NameLength : 0 ''

+0x00a NameOffset : 0x18

+0x00c Flags : 0

+0x00e Instance : 0

+0x010 Form : __unnamed

kd> dt _ATTRIBUTE_RECORD_HEADER 0x00030000+38+48

osloader!_ATTRIBUTE_RECORD_HEADER

+0x000 TypeCode : 0x30

+0x004 RecordLength : 0x60

+0x008 FormCode : 0 ''

+0x009 NameLength : 0 ''

+0x00a NameOffset : 0x18

+0x00c Flags : 0

+0x00e Instance : 1

+0x010 Form : __unnamed

kd> dt _ATTRIBUTE_RECORD_HEADER 0x00030000+38+48+60

osloader!_ATTRIBUTE_RECORD_HEADER

+0x000 TypeCode : 0x40

+0x004 RecordLength : 0x28

+0x008 FormCode : 0 ''

+0x009 NameLength : 0 ''

+0x00a NameOffset : 0

+0x00c Flags : 0

+0x00e Instance : 0xa

+0x010 Form : __unnamed

kd> dt _ATTRIBUTE_RECORD_HEADER 0x00030000+38+48+60+28

osloader!_ATTRIBUTE_RECORD_HEADER

+0x000 TypeCode : 0x50

+0x004 RecordLength : 0x100

+0x008 FormCode : 0 ''

+0x009 NameLength : 0 ''

+0x00a NameOffset : 0x18

+0x00c Flags : 0

+0x00e Instance : 2

+0x010 Form : __unnamed

kd> dt _ATTRIBUTE_RECORD_HEADER 0x00030000+38+48+60+28+100

osloader!_ATTRIBUTE_RECORD_HEADER

+0x000 TypeCode : 0x90

+0x004 RecordLength : 0x58

+0x008 FormCode : 0 ''

+0x009 NameLength : 0x4 ''

+0x00a NameOffset : 0x18

+0x00c Flags : 0

+0x00e Instance : 6

+0x010 Form : __unnamed

kd> dt _ATTRIBUTE_RECORD_HEADER 0x00030000+38+48+60+28+100+58

osloader!_ATTRIBUTE_RECORD_HEADER

+0x000 TypeCode : 0xa0

+0x004 RecordLength : 0x50

+0x008 FormCode : 0x1 ''

+0x009 NameLength : 0x4 ''

+0x00a NameOffset : 0x40

+0x00c Flags : 0

+0x00e Instance : 8

+0x010 Form : __unnamed

kd> dt _ATTRIBUTE_RECORD_HEADER 0x00030000+38+48+60+28+100+58+50

osloader!_ATTRIBUTE_RECORD_HEADER

+0x000 TypeCode : 0xb0

+0x004 RecordLength : 0x28

+0x008 FormCode : 0 ''

+0x009 NameLength : 0x4 ''

+0x00a NameOffset : 0x18

+0x00c Flags : 0

+0x00e Instance : 7

+0x010 Form : __unnamed

kd> dt _ATTRIBUTE_RECORD_HEADER 0x00030000+38+48+60+28+100+58+50+28

osloader!_ATTRIBUTE_RECORD_HEADER

+0x000 TypeCode : 0x100

+0x004 RecordLength : 0x68

+0x008 FormCode : 0 ''

+0x009 NameLength : 0x9 ''

+0x00a NameOffset : 0x18

+0x00c Flags : 0

+0x00e Instance : 9

+0x010 Form : __unnamed

kd> dt _ATTRIBUTE_RECORD_HEADER 0x00030000+38+48+60+28+100+58+50+28+68

osloader!_ATTRIBUTE_RECORD_HEADER

+0x000 TypeCode : 0xffffffff

+0x004 RecordLength : 0

+0x008 FormCode : 0 ''

+0x009 NameLength : 0 ''

+0x00a NameOffset : 0

+0x00c Flags : 0

+0x00e Instance : 0

+0x010 Form : __unnamed

osloader!BlOpen 函数分析----NTLDR源代码分析

Memory ChildEBP RetAddr

Memory