nt!MiInitializeLoadedModuleList分析和全局变量nt!PsLoadedModuleList初始化和LoaderBlock->LoadOrderListHead的关系非常重要
nt!MiInitializeLoadedModuleList分析和全局变量nt!PsLoadedModuleList初始化和LoaderBlock->LoadOrderListHead的关系非常重要
kd> t
Breakpoint 6 hit
eax=00000001 ebx=00000000 ecx=00000000 edx=00000004 esi=00000001 edi=c0603840
eip=80ec6342 esp=80b1e43c ebp=80b1e4b4 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
nt!MiInitializeLoadedModuleList:
80ec6342 55 push ebp
kd> kc
#
00 nt!MiInitializeLoadedModuleList
01 nt!MmInitSystem
02 nt!ExpInitializeExecutive
03 nt!KiInitializeKernel
04 nt!KiSystemStartup
kd> kv
# ChildEBP RetAddr Args to Child
00 80b1e438 80ecda7b 80076000 00000000 800798e8 nt!MiInitializeLoadedModuleList (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\mm\sysload.c @ 7852]
01 80b1e4b4 80eb1e55 01000001 80076000 80b2a460 nt!MmInitSystem+0x15fd (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\mm\mminit.c @ 2181]
02 80b1e638 80ec26cf 00000000 00000002 8003fc00 nt!ExpInitializeExecutive+0x2c7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\init\init.c @ 1031]
03 80b1e68c 80ec0696 80b2a6c0 80b2a460 80b1e950 nt!KiInitializeKernel+0x409 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\i386\kernlini.c @ 785]
04 00000000 00000000 00000000 00000000 00000000 nt!KiSystemStartup+0x2d6 [d:\srv03rtm\base\ntos\ke\i386\newsysbg.asm @ 573]
kd> dv
LoaderBlock = 0x80076000
CommittedPages = 0x80ec6342
NextEntry = 0x00000008
kd> x nt!PsLoadedModuleList
80c2dd70 nt!PsLoadedModuleList = struct _LIST_ENTRY [ 0x0 - 0x0 ]
kd> dx -r1 (*((ntkrpamp!_LIST_ENTRY *)0x80c2dd70))
(*((ntkrpamp!_LIST_ENTRY *)0x80c2dd70)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x0 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x0 [Type: _LIST_ENTRY *]
kd> dv
LoaderBlock = 0x80076000
CommittedPages = 0x80ec6342
NextEntry = 0x00000008
kd> dx -r1 ((ntkrpamp!_LOADER_PARAMETER_BLOCK *)0x80076000)
((ntkrpamp!_LOADER_PARAMETER_BLOCK *)0x80076000) : 0x80076000 [Type: _LOADER_PARAMETER_BLOCK *]
[+0x000] LoadOrderListHead [Type: _LIST_ENTRY]
[+0x008] MemoryDescriptorListHead [Type: _LIST_ENTRY]
[+0x010] BootDriverListHead [Type: _LIST_ENTRY]
[+0x018] KernelStack : 0x80b1e950 [Type: unsigned long]
[+0x01c] Prcb : 0x0 [Type: unsigned long]
[+0x020] Process : 0x0 [Type: unsigned long]
[+0x024] Thread : 0x80b2a460 [Type: unsigned long]
[+0x028] RegistryLength : 0x240000 [Type: unsigned long]
[+0x02c] RegistryBase : 0x80100000 [Type: void *]
[+0x030] ConfigurationRoot : 0x800777a8 [Type: _CONFIGURATION_COMPONENT_DATA *]
[+0x034] ArcBootDeviceName : 0x80088398 : "multi(0)disk(0)rdisk(0)partition(1)" [Type: char *]
[+0x038] ArcHalDeviceName : 0x800883d0 : "multi(0)disk(0)rdisk(0)partition(1)" [Type: char *]
[+0x03c] NtBootPathName : 0x800883c0 : "\WINDOWS\" [Type: char *]
[+0x040] NtHalPathName : 0x800883f8 : "\" [Type: char *]
[+0x044] LoadOptions : 0x80078168 : "FASTDETECT BREAK 3G PAE DEBUG DEBUGPORT=COM1: BAUDRATE=115200 LASTBOOTSTATUS=2" [Type: char *]
[+0x048] NlsData : 0x8007cab0 [Type: _NLS_DATA_BLOCK *]
[+0x04c] ArcDiskInformation : 0x80078208 [Type: _ARC_DISK_INFORMATION *]
[+0x050] OemFontFile : 0x80083090 [Type: void *]
[+0x054] SetupLoaderBlock : 0x0 [Type: _SETUP_LOADER_BLOCK *]
[+0x058] Extension : 0x80076068 [Type: _LOADER_PARAMETER_EXTENSION *]
[+0x05c] u [Type: __unnamed]
kd> dx -r1 (*((ntkrpamp!_LIST_ENTRY *)0x80076000))
(*((ntkrpamp!_LIST_ENTRY *)0x80076000)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x800797a8 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x80088300 [Type: _LIST_ENTRY *]
NextEntry = LoaderBlock->LoadOrderListHead.Flink;
NextEntryEnd = &LoaderBlock->LoadOrderListHead;
DataTableEntry2 = CONTAINING_RECORD (NextEntry,
&nb