setupldr!BlLoadImageEx函数分析和setupldr!_EXTERNAL_SERVICES_TABLE的关系

setupldr!BlLoadImageEx函数分析和setupldr!_EXTERNAL_SERVICES_TABLE的关系

kd> t

Breakpoint 11 hit

eax=0000014c ebx=00000000 ecx=00000006 edx=00000048 esi=00348198 edi=00002335

eip=00316859 esp=00060ba0 ebp=00060df4 iopl=0 nv up di pl nz na po nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000002

setupldr!BlLoadImageEx:

00316859 55 push ebp

kd> kc 5

00 setupldr!BlLoadImageEx

01 setupldr!SlInit

02 setupldr!BlStartup

03 setupldr!NtProcessStartup

WARNING: Frame IP not in any known module. Following frames may be wrong.

04 0x0

kd> dv

DeviceId = 0xa

MemoryType = LoaderSystemCode (0n9)

LoadFile = 0x00348198 "\I386\ntkrnlmp.exe"

ImageType = 0x14c

PreferredAlignment = 0

PreferredBasePage = 0

ImageBase = 0x00060dd4

kd> x setupldr!BlAmd64UseLongMode

0034385c setupldr!BlAmd64UseLongMode = 0x00 ''

if (BlAmd64UseLongMode == FALSE) {

status = BlLoadImage32Ex( DeviceId,

MemoryType,

LoadFile,

ImageType,

PreferredAlignment,

PreferredBasePage,

ImageBase );

}

kd> kc 5

00 setupldr!BlLoadImage32Ex

01 setupldr!SlInit

02 setupldr!BlStartup

03 setupldr!NtProcessStartup

WARNING: Frame IP not in any known module. Following frames may be wrong.

04 0x0

kd> kv 6

ChildEBP RetAddr Args to Child

00 00060b9c 00327dfb 0000000a 00000009 00348198 setupldr!BlLoadImage32Ex (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\lib\peldrt.c @ 89]

01 00060df4 00322a21 01060e2c 0000000b 00000000 setupldr!SlInit+0x1db5 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\setup\setup.c @ 2511]

02 00060ed0 003015aa 00379400 0038164f 00061d68 setupldr!BlStartup+0x1bd (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\setup\i386\initx86.c @ 208]

03 00061ff0 10101010 00000002 00810081 00810081 setupldr!NtProcessStartup+0x208 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\lib\i386\entry.c @ 348]

WARNING: Frame IP not in any known module. Following frames may be wrong.

04 00061ff8 00810081 00810081 00010081 00010001 0x10101010

05 00061ffc 00810081 00010081 00010001 00010001 0x810081

kd> dv

DeviceId = 0xa

MemoryType = LoaderSystemCode (0n9)

LoadFile = 0x00348198 "\I386\ntkrnlmp.exe"

ImageType = 0x14c

PreferredAlignment = 0

PreferredBasePage = 0

//
// ARC_STATUS
// XferExtendedPhysicalDiskSectors(Int13UnitNumber, StartSector, SectorCount, Buffer, Write)
//
// Moves SectorCount sectors between BIOS unit Int13UnitNumber and Buffer,
// starting at the 64-bit sector number StartSector, through the
// GET_EDDS_SECTOR entry of the external services table (INT 13h extended
// read 0x42 / extended write 0x43, chosen by Write).
//
// Returns: EFAULT   if Buffer + SectorCount*512 would cross the 1MB real-mode
//                   limit (no transfer is attempted),
//          ESUCCESS for a zero-length transfer,
//          otherwise the status of the last of up to three transfer attempts.
//
// The size check assumes 512-byte sectors; the original author notes this is
// not exact for CD-ROM but "close enough".  NOTE(review): the sum is computed
// in ULONG and could wrap for a Buffer in the top 32MB of the 4GB space;
// callers are presumably restricted to low memory -- verify at the call sites.
//
ARC_STATUS
XferExtendedPhysicalDiskSectors(
    IN UCHAR Int13UnitNumber,
    IN ULONGLONG StartSector,
    IN USHORT SectorCount,
    PUCHAR Buffer,
    IN BOOLEAN Write
    )
{
    ARC_STATUS Status;
    ULONG SectorLow;
    ULONG SectorHigh;
    UCHAR Operation;
    ULONG Attempt;

    //
    // The transfer is carried out by real-mode BIOS code, so the entire
    // buffer has to be addressable below 1MB.  512 is only an approximation
    // of the sector size in the CD-ROM case.
    //
    if(((ULONG)Buffer + (SectorCount * 512)) > 0x100000) {
        return(EFAULT);
    }

    //
    // An empty transfer is trivially successful.
    //
    if(SectorCount == 0) {
        return(ESUCCESS);
    }

    //
    // Split the 64-bit LBA into the two 32-bit halves the service expects.
    //
    SectorLow = (ULONG)StartSector;
    SectorHigh = (ULONG)(StartSector >> 32);

    //
    // 0x43 = extended write, 0x42 = extended read.
    //
    Operation = Write ? (UCHAR)0x43 : (UCHAR)0x42;

    //
    // Try up to three times on failure.  No disk reset is issued between
    // attempts: this routine only serves hard drives and CD-ROMs, and the
    // effect of a reset on El Torito is not well understood.
    //
    Status = ESUCCESS;
    for(Attempt = 0; Attempt < 3; Attempt++) {
        Status = GET_EDDS_SECTOR(Int13UnitNumber,SectorLow,SectorHigh,SectorCount,Buffer,Operation);
        if(!Status) {
            break;
        }
    }

    return(Status);
}

参考:

kd> kc f

Memory

00 osloader!XferExtendedPhysicalDiskSectors

01 3c osloader!XferPhysicalDiskSectors

02 a0 osloader!pBiosDiskReadWorker

03 20 osloader!BiosDiskRead

04 2c osloader!BiosPartitionRead

05 38 osloader!AERead

06 e0 osloader!BlDiskCacheRead

07 20 osloader!NtfsReadDisk

08 38 osloader!NtfsReadNonresidentAttribute

09 2c osloader!NtfsReadAndDecodeFileRecord

0a 6c osloader!NtfsLookupAttribute

0b b8 osloader!NtfsInexactSortedDirectoryScan

0c 34 osloader!NtfsSearchForFileName

0d 4c osloader!NtfsOpen

0e 1290 osloader!_BlOpen

0f 11c osloader!BlOpen

10 98 osloader!BlStartup

11 1120 osloader!NtProcessStartup

s = GET_EDDS_SECTOR(Int13UnitNumber,l,h,SectorCount,Buffer,Operation);

if(s) {

kd> p

osloader!XferExtendedPhysicalDiskSectors+0x46:

0041dc44 ff7508 push dword ptr [ebp+8]

kd> p

osloader!XferExtendedPhysicalDiskSectors+0x49:

0041dc47 ff5030 call dword ptr [eax+30h]

kd> r

eax=000244ec ebx=00030000 ecx=00000031 edx=00000000 esi=00000000 edi=00000002

eip=0041dc47 esp=0005f600 ebp=0005f624 iopl=0 nv up di pl nz na pe nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000006

osloader!XferExtendedPhysicalDiskSectors+0x49:

0041dc47 ff5030 call dword ptr [eax+30h] ds:0010:0002451c=00022e78

kd> dx -r1 ((osloader!_EXTERNAL_SERVICES_TABLE *)0x244ec)

((osloader!_EXTERNAL_SERVICES_TABLE *)0x244ec) : 0x244ec [Type: _EXTERNAL_SERVICES_TABLE *]

[+0x000] RebootProcessor : 0x22e60 [Type: void (__cdecl*)()]

[+0x004] DiskIOSystem : 0x22e6c [Type: long (__cdecl*)(unsigned char,unsigned char,unsigned short,unsigned short,unsigned char,unsigned char,unsigned char *)]

[+0x008] GetKey : 0x22e84 [Type: unsigned long (__cdecl*)()]

[+0x00c] GetCounter : 0x22e90 [Type: unsigned long (__cdecl*)()]

[+0x010] Reboot : 0x22e9c [Type: void (__cdecl*)(unsigned long)]

[+0x014] DetectHardware : 0x22ec0 [Type: void (__cdecl*)(unsigned long,unsigned long,void *,unsigned long *,char *,unsigned long)]

[+0x018] HardwareCursor : 0x22ea8 [Type: void (__cdecl*)(unsigned long,unsigned long)]

[+0x01c] GetDateTime : 0x22eb4 [Type: void (__cdecl*)(unsigned long *,unsigned long *)]

[+0x020] ComPort : 0x22ecc [Type: void (__cdecl*)(long,unsigned long,unsigned char)]

[+0x024] GetStallCount : 0x22ed8 [Type: unsigned long (__cdecl*)()]

[+0x028] InitializeDisplayForNt : 0x22ee4 [Type: void (__cdecl*)()]

[+0x02c] GetMemoryDescriptor : 0x22ef0 [Type: void (__cdecl*)()]

[+0x030] GetEddsSector : 0x22e78 [Type: long (__cdecl*)(unsigned char,unsigned long,unsigned long,unsigned short,unsigned char *,unsigned char)]

[+0x034] GetElToritoStatus : 0x22efc [Type: long (__cdecl*)(unsigned char *,unsigned char)]

[+0x038] GetExtendedInt13Params : 0x22f08 [Type: unsigned char (__cdecl*)(unsigned char *,unsigned char)]

[+0x03c] NetPcRomServices : 0x0 [Type: unsigned short (__cdecl*)(unsigned long,void *)]

[+0x040] ApmAttemptReconnect : 0x22f14 [Type: void (__cdecl*)()]

[+0x044] BiosRedirectService : 0x0 [Type: unsigned long (__cdecl*)(unsigned long)]

kd> p

osloader!XferExtendedPhysicalDiskSectors+0x4c:

0041dc4a 83c418 add esp,18h

kd> p

osloader!XferExtendedPhysicalDiskSectors+0x4f:

0041dc4d 85c0 test eax,eax

kd> p

osloader!XferExtendedPhysicalDiskSectors+0x51:

0041dc4f 7432 je osloader!XferExtendedPhysicalDiskSectors+0x85 (0041dc83)

kd> p

osloader!XferExtendedPhysicalDiskSectors+0x85:

0041dc83 5e pop esi

kd> p

osloader!XferExtendedPhysicalDiskSectors+0x86:

0041dc84 5f pop edi

kd> p

osloader!XferExtendedPhysicalDiskSectors+0x87:

0041dc85 5b pop ebx

kd> p

osloader!XferExtendedPhysicalDiskSectors+0x88:

0041dc86 5d pop ebp

kd> p

osloader!XferExtendedPhysicalDiskSectors+0x89:

0041dc87 c21800 ret 18h

kd> dv

Int13UnitNumber = 0x80 ''

StartSector = 0x8a9380a

SectorCount = 0x1302

Buffer = 0x00030000 "FILE0"

Write = 0x31 '1'

Operation = 0x31 '1'

参考结束:

//

// Attempt to open the image file.

//

Status = BlOpen(DeviceId, LoadFile, ArcOpenReadOnly, &FileId);

kd> kc 5

00 setupldr!BlOpen

01 setupldr!BlLoadImage32Ex

02 setupldr!SlInit

03 setupldr!BlStartup

04 setupldr!NtProcessStartup

kd> dv

DeviceId = 0xa

OpenPath = 0x00348198 "\I386\ntkrnlmp.exe"

OpenMode = ArcOpenReadOnly (0n0)

FileId = 0x00060b94

CompressedName = char [256] " ???"

kd> gu

Breakpoint 13 hit

eax=00000001 ebx=00000001 ecx=0005e920 edx=00000000 esi=00000800 edi=00000410

eip=003190e2 esp=0005e6f4 ebp=0005e780 iopl=0 nv up di pl nz na po nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000002

setupldr!XferExtendedPhysicalDiskSectors:

003190e2 55 push ebp

kd> kc

00 setupldr!XferExtendedPhysicalDiskSectors

01 setupldr!pBiosDiskReadWorker

02 setupldr!BiosElToritoDiskRead

03 setupldr!AERead

04 setupldr!BlDiskCacheRead

05 setupldr!CdfsReadDisk

06 setupldr!EtfsSearchDirectory

07 setupldr!EtfsOpen

08 setupldr!_BlOpen

09 setupldr!BlOpen

0a setupldr!BlLoadImage32Ex

0b setupldr!SlInit

0c setupldr!BlStartup

0d setupldr!NtProcessStartup

WARNING: Frame IP not in any known module. Following frames may be wrong.

0e 0x0

0f 0x0

kd> kv

ChildEBP RetAddr Args to Child

00 0005e6f0 003116d3 5456459f 00000016 00000000 setupldr!XferExtendedPhysicalDiskSectors (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\lib\i386\machine.c @ 68]

01 0005e780 003118e5 0000000a 0005e901 0005e920 setupldr!pBiosDiskReadWorker+0x251 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\lib\i386\biosdrv.c @ 2218]

02 0005e7a0 00305686 0000000a 0005e920 00000800 setupldr!BiosElToritoDiskRead+0x1b (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\lib\i386\biosdrv.c @ 2349]

03 0005e7d8 003185ec 0000000a 0005e920 00000800 setupldr!AERead+0x49a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\lib\i386\arcemul.c @ 1697]

04 0005e8b8 00307a32 0000000a 0005e8d8 0005e920 setupldr!BlDiskCacheRead+0x3f8 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\lib\blcache.c @ 1021]

05 0005e8e0 0030ce5e 0000000a 00000000 00000800 setupldr!CdfsReadDisk+0x32 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\lib\cdfsboot.c @ 1116]

06 0005f224 0030cfea 0005f23c 0005f25f 00060b94 setupldr!EtfsSearchDirectory+0xb2 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\lib\etfsboot.c @ 1476]

07 0005f24c 003035ca 000604f8 00000000 01060b94 setupldr!EtfsOpen+0x9d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\lib\etfsboot.c @ 529]

08 000604dc 0030360b 0000000a 000604f8 00000000 setupldr!_BlOpen+0x237 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\lib\blio.c @ 584]

09 000605f8 00315fc5 0000000a 00348198 00000000 setupldr!BlOpen+0x38 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\lib\blio.c @ 638]

0a 00060b9c 00327dfb 0000000a 00000009 00348198 setupldr!BlLoadImage32Ex+0x4d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\lib\peldrt.c @ 137]

0b 00060df4 00322a21 01060e2c 0000000b 00000000 setupldr!SlInit+0x1db5 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\setup\setup.c @ 2511]

0c 00060ed0 003015aa 00379400 0038164f 00061d68 setupldr!BlStartup+0x1bd (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\setup\i386\initx86.c @ 208]

0d 00061ff0 10101010 00000002 00810081 00810081 setupldr!NtProcessStartup+0x208 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\boot\lib\i386\entry.c @ 348]

WARNING: Frame IP not in any known module. Following frames may be wrong.

0e 00061ff8 00810081 00810081 00010081 00010001 0x10101010

kd> dv

Int13UnitNumber = 0x9f ''

StartSector = 0x16

SectorCount = 1

Buffer = 0x0005e920 "THELPS.CH_,"

Write = 0x00 ''

Operation = 0x00 ''

//

// Retry a couple of times if this fails.

// We don't reset since this routine is only used on hard drives and

// CD-ROMs, and we don't totally understand the effect of a disk reset

// on ElTorito.

//

s = GET_EDDS_SECTOR(Int13UnitNumber,l,h,SectorCount,Buffer,Operation);

if(s) {

kd> p

eax=00000001 ebx=00000001 ecx=0005e920 edx=00000000 esi=00000800 edi=00000410

eip=003190e6 esp=0005e6ec ebp=0005e6f0 iopl=0 nv up di pl nz na po nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000002

setupldr!XferExtendedPhysicalDiskSectors+0x4:

003190e6 8b5d18 mov ebx,dword ptr [ebp+18h] ss:0010:0005e708=0005e920

kd> p

eax=0005eb20 ebx=0005e920 ecx=0005e920 edx=00000000 esi=00000800 edi=00000001

eip=00319101 esp=0005e6e8 ebp=0005e6f0 iopl=0 nv up di ng nz na po cy

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000083

setupldr!XferExtendedPhysicalDiskSectors+0x1f:

00319101 6685ff test di,di

kd> p

eax=0005eb20 ebx=0005e920 ecx=0005e920 edx=00000000 esi=00000800 edi=00000001

eip=0031910a esp=0005e6e8 ebp=0005e6f0 iopl=0 nv up di pl nz na po nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000002

setupldr!XferExtendedPhysicalDiskSectors+0x28:

0031910a 807d1c00 cmp byte ptr [ebp+1Ch],0 ss:0010:0005e70c=00

kd> p

eax=0005eb42 ebx=0005e920 ecx=0005e920 edx=00000000 esi=00000000 edi=00000001

eip=0031911a esp=0005e6e4 ebp=0005e6f0 iopl=0 nv up di pl nz na pe nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000006

setupldr!XferExtendedPhysicalDiskSectors+0x38:

0031911a ff751c push dword ptr [ebp+1Ch] ss:0010:0005e70c=00000042

kd> p

eax=0005eb42 ebx=0005e920 ecx=0005e920 edx=00000000 esi=00000000 edi=00000001

eip=0031911d esp=0005e6e0 ebp=0005e6f0 iopl=0 nv up di pl nz na pe nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000006

setupldr!XferExtendedPhysicalDiskSectors+0x3b:

0031911d a150943700 mov eax,dword ptr [setupldr!ExternalServicesTable (00379450)] ds:0010:00379450=000244ec

kd> p

eax=000244ec ebx=0005e920 ecx=0005e920 edx=00000000 esi=00000000 edi=00000001

eip=00319122 esp=0005e6e0 ebp=0005e6f0 iopl=0 nv up di pl nz na pe nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000006

setupldr!XferExtendedPhysicalDiskSectors+0x40:

00319122 53 push ebx

kd> p

eax=000244ec ebx=0005e920 ecx=0005e920 edx=00000000 esi=00000000 edi=00000001

eip=00319123 esp=0005e6dc ebp=0005e6f0 iopl=0 nv up di pl nz na pe nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000006

setupldr!XferExtendedPhysicalDiskSectors+0x41:

00319123 57 push edi

kd> p

eax=000244ec ebx=0005e920 ecx=0005e920 edx=00000000 esi=00000000 edi=00000001

eip=00319124 esp=0005e6d8 ebp=0005e6f0 iopl=0 nv up di pl nz na pe nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000006

setupldr!XferExtendedPhysicalDiskSectors+0x42:

00319124 56 push esi

kd> p

eax=000244ec ebx=0005e920 ecx=0005e920 edx=00000000 esi=00000000 edi=00000001

eip=00319125 esp=0005e6d4 ebp=0005e6f0 iopl=0 nv up di pl nz na pe nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000006

setupldr!XferExtendedPhysicalDiskSectors+0x43:

00319125 ff750c push dword ptr [ebp+0Ch] ss:0010:0005e6fc=00000016

kd> p

eax=000244ec ebx=0005e920 ecx=0005e920 edx=00000000 esi=00000000 edi=00000001

eip=00319128 esp=0005e6d0 ebp=0005e6f0 iopl=0 nv up di pl nz na pe nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000006

setupldr!XferExtendedPhysicalDiskSectors+0x46:

00319128 ff7508 push dword ptr [ebp+8] ss:0010:0005e6f8=5456459f

kd> p

eax=000244ec ebx=0005e920 ecx=0005e920 edx=00000000 esi=00000000 edi=00000001

eip=0031912b esp=0005e6cc ebp=0005e6f0 iopl=0 nv up di pl nz na pe nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000006

setupldr!XferExtendedPhysicalDiskSectors+0x49:

0031912b ff5030 call dword ptr [eax+30h] ds:0010:0002451c=00022e78

kd> dt setupldr!_EXTERNAL_SERVICES_TABLE 000244ec

+0x000 RebootProcessor : 0x00022e60 void +22e60

+0x004 DiskIOSystem : 0x00022e6c long +22e6c

+0x008 GetKey : 0x00022e84 unsigned long +22e84

+0x00c GetCounter : 0x00022e90 unsigned long +22e90

+0x010 Reboot : 0x00022e9c void +22e9c

+0x014 DetectHardware : 0x00022ec0 void +22ec0

+0x018 HardwareCursor : 0x00022ea8 void +22ea8

+0x01c GetDateTime : 0x00022eb4 void +22eb4

+0x020 ComPort : 0x00022ecc void +22ecc

+0x024 GetStallCount : 0x00022ed8 unsigned long +22ed8

+0x028 InitializeDisplayForNt : 0x00022ee4 void +22ee4

+0x02c GetMemoryDescriptor : 0x00022ef0 void +22ef0

+0x030 GetEddsSector : 0x00022e78 long +22e78

+0x034 GetElToritoStatus : 0x00022efc long +22efc

+0x038 GetExtendedInt13Params : 0x00022f08 unsigned char +22f08

+0x03c NetPcRomServices : (null)

+0x040 ApmAttemptReconnect : 0x00022f14 void +22f14

+0x044 BiosRedirectService : (null)

kd> dv

Int13UnitNumber = 0x9f ''

StartSector = 0x16

SectorCount = 1

Buffer = 0x0005e920 """

Write = 0x42 'B'

Operation = 0x42 'B'

kd> db 0x0005e920

0005e920 22 00 16 00 00 00 00 00-00 16 04 02 00 00 00 00 "...............

0005e930 02 04 7e 02 0b 09 23 02-20 02 00 00 01 00 00 01 ..~...#. .......

0005e940 01 00 22 00 16 00 00 00-00 00 00 16 04 02 00 00 ..".............

0005e950 00 00 02 04 7e 02 0b 09-23 02 20 02 00 00 01 00 ....~...#. .....

0005e960 00 01 01 01 2c 00 fd 00-00 00 00 00 00 fd 6e 00 ....,.........n.

0005e970 00 00 00 00 00 6e 7c 09-0e 16 0a 12 20 00 00 00 .....n|..... ...

0005e980 01 00 00 01 0b 41 55 54-4f 52 55 4e 2e 49 4e 46 .....AUTORUN.INF

0005e990 26 00 17 00 00 00 00 00-00 17 82 01 00 00 00 00 &...............

kd> gu

eax=00000000 ebx=0005e920 ecx=00000800 edx=0005e920 esi=80079e60 edi=00000800

eip=00307a32 esp=0005e8d8 ebp=0005e8e0 iopl=0 nv up di pl zr na pe nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000046

setupldr!CdfsReadDisk+0x32:

00307a32 85c0 test eax,eax

kd> gu

eax=00000000 ebx=0005e920 ecx=00000800 edx=0005e920 esi=80079e60 edi=00000800

eip=0030ce5e esp=0005e8fc ebp=0005f224 iopl=0 nv up di pl zr na pe nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000046

setupldr!EtfsSearchDirectory+0xb2:

0030ce5e 85c0 test eax,eax

kd> gu

eax=00000000 ebx=00000001 ecx=0005f25f edx=0003bd2c esi=00000000 edi=c000000d

eip=0030cfea esp=0005f234 ebp=0005f24c iopl=0 nv up di pl zr na pe nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000046

setupldr!EtfsOpen+0x9d:

0030cfea 83f80e cmp eax,0Eh

kd> gu

eax=00000000 ebx=00000000 ecx=00377d20 edx=00000016 esi=00060b94 edi=c000000d

eip=003035ca esp=0005f260 ebp=000604dc iopl=0 nv up di pl zr na pe nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000046

setupldr!_BlOpen+0x237:

003035ca 8bf8 mov edi,eax

kd> gu

eax=00000000 ebx=00000000 ecx=00377d20 edx=00000016 esi=00060b94 edi=00060b7c

eip=0030360b esp=000604f4 ebp=000605f8 iopl=0 nv up di pl zr na pe nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000046

setupldr!BlOpen+0x38:

0030360b 85c0 test eax,eax

kd> gu

eax=00000000 ebx=00000000 ecx=0000000c edx=00377d20 esi=00060620 edi=00060b7c

eip=00315fc5 esp=00060610 ebp=00060b9c iopl=0 nv up di pl nz ac po cy

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000013

setupldr!BlLoadImage32Ex+0x4d:

00315fc5 3bc3 cmp eax,ebx

kd> gu

BD: \I386\ntkrnlmp.exe base address 809F2000

eax=00000000 ebx=00000000 ecx=8021ebb0 edx=00000002 esi=00348198 edi=00002335

eip=00327dfb esp=00060bc0 ebp=00060df4 iopl=0 nv up di pl zr na pe nc

cs=0008 ss=0010 ds=0010 es=0010 fs=0030 gs=0000 efl=00000046

setupldr!SlInit+0x1db5:

00327dfb 83f810 cmp eax,10h
