Transfer NTLDR2004-8-6 9:27:14 with BOCHS
Debug NTLDR author: Tombkeeper [0x40] nsfocus [0x2e] COM tombeeper [0x40] xfocus [0x2e] ORG is done in: 2004.7.9 Keywords: Bochs, Bochsdbg, NTLDR, debugging a installation After the PC of the Windows NT Series operating system, after pressing the power switch, the first BIOS is first started, then the MBR, then the guiding fan, then the NTLDR. NTOSKRNL.EXE and HAL.DLL are NTLDR to load. That is to say, when running NTLDR, there is no application or driver in the system, and of course there is no software-based debugger available. Of course, omnipotent hardware debuggers are certain, but we don't have a hardware debugger. Fortunately, there is Bochs. Bochs is an open source X86 virtual machine software based on LGPL. Bochs's CPU instruction is completely simulated. This way is a slowerness of the speed; the advantage is that there is an unparalleled portability: there is a GCC where you can have Bochs. Even already running Bochs on PocketPC. The current Bochs has achieved a certain degree of debugging, although it is not possible to compare with Windbg, Softice, but the advantage is also very obvious in ease of use and function: the code that runs in Bochs, this is "hardware Debugger". For Windows version of Bochs, Bochsdbg.exe in the installation directory is the debug version of Bochs. Use it to run the Bochs virtual machine to perform "hardware debug". Bochs's debugging command style is designed according to GDB habits. This is undoubtedly painful for people who are used to windbg. It is good to be an open source software. It is not pleasing to see you can consider yourself. The debug commands supported by the current version of Bochs (Version 2.1.1) are as follows: [Note] 1. Use of the instructions in the use of Bochs and the real situation there is a big error and missing, the following command description According to the source code Make a lot of supplements and corrections. 2, the number involved in the seg (segment), OFF (offset), ADDR (address), VAL (value) can use hexadecimal, decimal or octal, but must be written in accordance with the following form: hex System 0xCDEF0123 Eight-on 01234567 Decimal 123456789 In particular, Bochs cannot automatically identify the number of 16-based numbers, nor does it accept 12345678h. [Performing Control] C | CONT is executed down, equivalent to "G" of Windbg. S | Step | Stepi [count] Single step, equivalent to "T" of Windbg, and Count defaults to 1. P | n | Next steps, similar to "P" of Windbg. Q | quit | EXIT exits debugging, and turn off the virtual machine at the same time. Ctrl-C ends the execution state and returns the debugger prompt. Ctrl-D if at Empty Line on Command Line, Exit (at least in the Windows version I did not find any function of Ctrl-D) [Perform breakpoint] VB | VBREAK [seg: OFF] and down points on the virtual address.
LB | LBREAK [Addr] Onlined addresses, which are equivalent to "BP" of Windbg. PB | PBREAK | B | BREAK [AddR] and breakpoints on the physical address. (To compatible with GDB grammar, a "*") can be added before the address. Blist shows a breakpoint state, equivalent to "BL" of Windbg. BPD | BPE [NUM] Disable / Enable breakpoint, "BE" and "BD" of Windbg. NUM is a break point, you can use the blist command to query. D | DEL | DELETE [NUM] Delete breakpoints, equivalent to "BC" of Windbg. MUM is a breakpoint, you can use the blist command to query. [Read Write Distance] Watch Read [AddR] sets the read breakpoint. Watch WRITE [AddR] sets the writing point. Unwatch Read [AddR] Clears the readout point. Unwatch Write [AddR] Clears the write breakpoint. Watch displays all current read and write breakpoints. Unwatch clears all current read and write breakpoints. Watch Stop | Continue Switch Options, the settings are interrupted when the read and write breakpoint is interrupted, but it continues to run. [Memory Operation] X / NUF [AddR] Display linear address content xp / nuf [addr] Displays the content N displayed by the physical address N, the size of each display unit, U can be one of the following: b byte h word W DWORD G DWORD64 Note: This naming method is in accordance with GDB habits, not in accordance with the Inter. f Display format, f can be one of the following: x Follow the hexadecimal display D decimal display u Follow the octal display t according to the octal display T Follow the binary display c, u is an optional parameter, if Not specified, u default is W, F default is x. If the previous x or XP command is used in front, the value used in the previous X or XP command is used. n defaults to 1. Addr is also an optional parameter. If not specified, AddR is 0, as before using the X or XP command, specified n = i, then the N defaults to i 1 when executed again. SetPMEM [AddR] [size] [VAL] sets the content of the physical memory.
It should be noted that you can only set up to DWord each time:
Val is the 64-bit integer, ending in l, shaped as "1000L" SBA [VAL] is interrupted from the VAL article instruction since this run. Val is the 64-bit integer, ends with L, and is interrupted when the "1000L" ModeBP setting is switched to the V86 mode. Record ["filename"] records the input debug instruction into the file. The file name must contain quotation marks. Playback ["filename"] plays back the record file of Record. The file name must contain quotation marks. Print-Stack [NUM] Displays the stack, Num defaults to 16, indicating the number of printed bars. ? | CALC and WindBG's "?" commands, similar to the value of the expression. Load-symbols [global] filename [offset] Load symbol file. If the "Global" keyword is set, the symbol is valid for all context. OFFSET will be applied to all Symbol addresses by default. The format of the Symbol file is: "% x% s". [Info Command] Info Program Displays the case of execution. Info Registers | REG | R Displays information about the register. Info PB | PBREAK | B | Break is equivalent to BlistInfo Dirty shows the page address of the dirty page. The INFO CPU displays the value of all CPU registers. The INFO FPU displays the value of all FPU registers. INFO IDT displays IDT. INFO GDT [NUM] shows GDT. INFO LDT shows LDT. INFO TSS shows TSS. INFO PIC displays a PIC. Info IVT [NUM] [NUM] shows IVT. INFO FLAGS Displays Status Register. INFO CR Displays the CR Series Register. INFO SYMBOLS Displays Symbol information. INFO NE2K | NE2000 shows virtual NE2K network card information. I understand the debug command, then you can start the NTLDR debugging work. The work performed below is implemented on Windows Bochs 2.1.1. We assume readers to understand the basic methods and terms of Bochs. First install a BOCHS virtual machine for Windows NT 4. 1. Create a virtual hard disk. Run BxImage.exe, create a virtual hard disk file "C.IMG" of 500M, Flat mode. 2. Create a Windows NT installation disc's ISO file "nt.iso" if you intend to install the disc installation, you can also save this step.
3, create bochsrc.txt content can be refer to below: ########################################################################################################################################################################################################################################################################## #####################?32romage: file = $ bxshare / bios-bochs-limited, address = 0xf0000vgaromiMage: $ bxshare / vgabios-LGPL- Latestata0: enabled = 1, IOADDR1 = 0x1f0, IOADDR2 = 0x3f0, IRQ = 14ata0-master: type = disk, path = "c.img", mode = flat, cylinders = 1015, heads = 16, SPT = 63ata0-slave: TYPE = CDROM, PATH = "nt.iso", status = INSERTEDNEWHARDDRIVESUPPORT: enabled = 1boot: cdromlog: nulmouse: enabled = 1Clock: sync = realTIME, TIME0 = local ############# #############################> Create start.bat content as follows :: ::::: :::::::::::::::::::::: :::::::::::::::::::::::::::::::::::::::::::::::::::: ": ::::: :::::::::::::::::::::: :::::::::: Put C.IMG, NT.ISO, Bochsrc.txt, Start.bat in the same directory, run Start.bat, and install Windows NT. In fact, if it is just to debug MBR, guide fan and NTLDR, there is no need to install a complete operating system, as long as there are several files such as NTLDR in the root directory. Here is the Windows NT instead of Windows 2000 or higher, on the one hand, on the one hand, it is considered speed problems, on the other hand, Windows NT is the ability to securely install successfully on Bochs. If you want to debug NTLDR of Windows 2000 / XP / 2003, just replace Windows NT with the NTLDR file of these operating systems. After the Windows NT is installed, NTLDR is debugged. Replace "Bochs.exe" in Start.Bat with "Bochsdbg.exe". Then run Start.bat.
The following is the screen copy of the operation: =========================================== ============== Bochs x86 emulator 2.1.1 february 08, 2004 =========================== ======================================== 00000000000i [] Reading configuration from bochsrc.txt00000000000i [] installing win32 module as the bochs Gui00000000000i [ ] WARNING: NO RC File Specified.00000000000i [] USING LOG FILE NULNEXT AT T = 0 // Start bochsdbg.exe, which is automatically stopped on the first instruction of the BIOS. (0) Context Not Implement Because BX_HAVE_HASH_MAP = 0 [0x000FFFF0] F000: FFF0 (UNK. CTXT): JMP F000: E05B; EA5BE000F0
Next At t = 861712 (0) [0x00020000] 2000: 0000 (unk. Ctxt): JMP 0x1f6; E9f301 Now, we can look like God, look at the operating system step by step, everything is in the bottom, even You can see that the system startup process is switched to the protected mode: (0). [28734582] [0x00020247] 2000: 0247 (UNK. CTXT): Opsize or Eax, 0x1; 6683C801 (0). [28734583] [ 0x0002024B] 2000: 024B (UNK): MOV CR0, EAX; 0F22C0 (0). [28734584] [0x0002024E] 2000: 0000024E (UNK): XCHG BX, BX; 87DB (0). [28734585] [ 0x00020250] 2000: 00000250: JMP 0x253; EB01 (0). [28734586] [0x00020253] 2000: 00000253 (UNK. CTXT): PUSH 0X58; 6A58 (0). [28734587] [0x00020255] 2000: 00000255: PUSH 0X259; 685902 (0). [2873458] 2000: 00000258 (UNK. CTXT): RETF; CB Reference: Bochs document and source code. Publisher: Xu Ziling
