Monthly Archives: October 2010

__chkstk and stack “overflow”

On entering NtProcessStartup(), the first function it calls is __chkstk.

.text:004013C8 _NtProcessStartup@4 proc near
.text:004013C8
.text:004013C8 var_1114        = dword ptr -1114h
.text:004013C8 var_1110        = dword ptr -1110h
.text:004013C8 var_110C        = dword ptr -110Ch
.text:004013C8 var_1108        = dword ptr -1108h
.text:004013C8 …

Posted in Windows (WRK)

NTLDR – first part

NTLDR actually consists of two parts. The first part is relatively simple: it is nothing but raw instructions that get loaded to 2000:0 by the NTFS boot sector. From there it tries to pave the way for the second part, which is …

Posted in Windows (WRK)

Enter into NTLDR

The NTFS boot sector’s bootstrap code does one simple thing: try to find ntldr in the volume’s root directory, load it into memory and execute it from there. We can use the utility program “nfi.exe” to see where ntldr is located …

Posted in Windows (WRK)

NTFS File with Multiple Streams

NTFS has the capability to support multiple streams in a file. Most Windows applications are not designed to work with alternate named streams, i.e. they only work with the default unnamed stream; however, both the echo and more commands can. The following …

Posted in Windows (WRK)

BIOS Parameter Block

The NTFS boot sector contains at its head the BIOS Parameter Block (BPB) and the Extended BPB, which provide the information the bootstrap code needs to identify NTLDR. Here is a snapshot of the first part of the boot sector: We will look at …

Posted in Windows (WRK)

NTFS Boot Sector

Following a similar approach, we get the disassembled code below. Again, the NTFS boot sector is loaded to 0000:7C00H. The first instruction is nothing but a short jump:

0000:7C00:                jmp     short 0000:7C54

The following code disables interrupts to …

Posted in Windows (WRK)

MBR

The Master Boot Record, usually known as MBR for short, is the first step into operating system territory once control leaves the firmware, which is nothing but code pre-programmed into a flash device on the motherboard. The BIOS will load first …

Posted in Windows (WRK)

Name Decoration

Name decoration, a.k.a. name mangling, is commonly known as a way to discern C functions with identical names. However, it’s also interesting to know that a language such as C can also make use of name decoration, and this is …

Posted in Windows (WRK)

WinDbg first connection

When WinDbg first connects to the target WRK box it shows the following in its message window: I am especially interested in the part “3800.WRKP1.2(daveprobert)” as this cannot be found in WRK’s source code. Having dug a bit deeper, it turns …

Posted in Windows (WRK)

Lost Symbol

Saw something weird today while looking at a disassembled snippet from dumpbin of one of WRK’s prebuilt libs (wrk-v1.2/base/ntos/build/prebuilt/i386/ntoswrk.lib):

0000048D: 68 00 00 00 00     push        offset $SG41221
00000492: 8D 85 68 FE FF FF  lea         eax,[ebp-198h]
00000498: 50                 push        …

Posted in Windows (WRK)