Wednesday, June 8, 2016

Disassembling NT system files

Most NT system files are shipped stripped, so when you disassemble them there are no symbols to work from, which is a bit annoying. Checked builds of NT came with the symbol files (e.g. support/debug/ppc/symbols/exe/ntoskrnl.dbg for ntoskrnl.exe), but tools like Microsoft's dumpbin or OpenWatcom's wdis don't read them.

Now there's https://github.com/andreiw/dbgsplice to splice the COFF symbol table from the .dbg back into the image!

Sadly, the OpenWatcom analogue (wdis) is quite buggy, so it's hard to recommend. It did a capable job on setupldr and veneer.exe, but it gets horribly confused by more complicated section layouts.

Of course the DBG files contain quite a bit more information than the COFF symbol table alone, and even the auxiliary COFF symbol records can be put to far more use for annotating code than dumpbin's output suggests.
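To make concrete what "adding the COFF symbol table back" involves, here is an added example (my own code, not dbgsplice's) that walks a .dbg file to its IMAGE_DEBUG_TYPE_COFF entry, decodes the IMAGE_SYMBOL records, and appends the table to a PE image while pointing IMAGE_FILE_HEADER.PointerToSymbolTable/NumberOfSymbols at it. The structure layouts are the IMAGE_SEPARATE_DEBUG_HEADER, IMAGE_DEBUG_DIRECTORY, IMAGE_COFF_SYMBOLS_HEADER and IMAGE_SYMBOL definitions from winnt.h; the sample .dbg and the PE header stub are constructed in memory (symbol names and addresses are made up), so it runs offline.

```python
"""Extract the COFF symbol table from an NT .dbg file and splice it into a PE image.

Added example, not dbgsplice's code. The sample .dbg and PE header below are constructed.
"""
import struct

IMAGE_SEPARATE_DEBUG_SIGNATURE = 0x4944   # 'DI'
IMAGE_DEBUG_TYPE_COFF = 1
IMAGE_FILE_DEBUG_STRIPPED = 0x0200         # "debug info lives in a separate .dbg"
SEP_HDR = "<HHHHIIIIIIIIII"               # IMAGE_SEPARATE_DEBUG_HEADER, 48 bytes
DEBUG_DIR = "<IIHHIIII"                   # IMAGE_DEBUG_DIRECTORY, 28 bytes
COFF_HDR = "<8I"                          # IMAGE_COFF_SYMBOLS_HEADER, 32 bytes
SYMBOL = "<8sIhHBB"                       # IMAGE_SYMBOL, 18 bytes
SECTION_HDR_SIZE = 40


def read_dbg(dbg: bytes) -> dict:
    """Find the COFF symbol table in a .dbg: returns the image TimeDateStamp it was
    built for, NumberOfSymbols, and the raw table (IMAGE_SYMBOL records + string table)."""
    hdr = struct.unpack_from(SEP_HDR, dbg, 0)
    if hdr[0] != IMAGE_SEPARATE_DEBUG_SIGNATURE:
        raise ValueError("not an NT separate debug (.dbg) file")
    timestamp, num_sections, names_size, dir_size = hdr[4], hdr[8], hdr[9], hdr[10]
    # Section headers and exported names sit between the header and the debug directory.
    dir_off = struct.calcsize(SEP_HDR) + num_sections * SECTION_HDR_SIZE + names_size
    for off in range(dir_off, dir_off + dir_size, struct.calcsize(DEBUG_DIR)):
        dtype, ptr = struct.unpack_from(DEBUG_DIR, dbg, off)[4], struct.unpack_from(DEBUG_DIR, dbg, off)[7]
        if dtype != IMAGE_DEBUG_TYPE_COFF:
            continue
        num_syms, lva_first = struct.unpack_from(COFF_HDR, dbg, ptr)[:2]
        start = ptr + lva_first                          # LVA is relative to the COFF header
        str_off = start + num_syms * struct.calcsize(SYMBOL)
        str_size = struct.unpack_from("<I", dbg, str_off)[0]   # string table starts with its length
        return {"timestamp": timestamp, "num_syms": num_syms, "table": dbg[start:str_off + str_size]}
    raise ValueError("no IMAGE_DEBUG_TYPE_COFF entry in the .dbg debug directory")


def parse_symbols(num_syms: int, table: bytes) -> list:
    """Decode (name, section, value) for each primary symbol; aux records are skipped."""
    sym_size = struct.calcsize(SYMBOL)
    str_base = num_syms * sym_size
    out, i = [], 0
    while i < num_syms:
        name8, value, section, _typ, _sclass, naux = struct.unpack_from(SYMBOL, table, i * sym_size)
        if name8[:4] == b"\0\0\0\0":                     # long name: offset into string table
            off = str_base + struct.unpack("<I", name8[4:])[0]
            name = table[off:table.index(b"\0", off)].decode("ascii")
        else:
            name = name8.rstrip(b"\0").decode("ascii")
        out.append((name, section, value))
        i += 1 + naux
    return out


def file_header_fields(pe: bytes) -> dict:
    """IMAGE_FILE_HEADER fields the splice touches, for inspection before and after."""
    fh = struct.unpack_from("<I", pe, 0x3C)[0] + 4
    ts, ptr, n, _opt, chars = struct.unpack_from("<IIIHH", pe, fh + 4)
    return {"timestamp": ts, "ptr_sym": ptr, "num_syms": n, "characteristics": chars}


def splice_into_pe(pe: bytes, info: dict) -> bytes:
    """Append the symbol table to the image and point the file header at it."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    fh, cur = e_lfanew + 4, file_header_fields(pe)
    if cur["timestamp"] != info["timestamp"]:            # wrong .dbg for this build
        raise ValueError(".dbg TimeDateStamp does not match the image")
    if cur["ptr_sym"] or cur["num_syms"]:
        raise ValueError("image already carries a symbol table")
    out = bytearray(pe)
    struct.pack_into("<II", out, fh + 8, len(pe), info["num_syms"])  # PointerToSymbolTable, NumberOfSymbols
    struct.pack_into("<H", out, fh + 18, cur["characteristics"] & ~IMAGE_FILE_DEBUG_STRIPPED)
    return bytes(out) + info["table"]


def _sample_symbol_table() -> tuple:
    """Constructed table: a section symbol with one aux record and two externals."""
    strings = b"KiSystemStartup\0"
    long_name = b"\0\0\0\0" + struct.pack("<I", 4)      # skip the string table's length dword
    records = [struct.pack(SYMBOL, b".text", 0, 1, 0, 3, 1), b"\0" * 18,
               struct.pack(SYMBOL, b"NtClose", 0x1000, 1, 0x20, 2, 0),
               struct.pack(SYMBOL, long_name, 0x2040, 1, 0x20, 2, 0)]
    return len(records), b"".join(records) + struct.pack("<I", 4 + len(strings)) + strings


def build_sample_dbg(timestamp: int = 0x3156AB00) -> bytes:
    """Constructed .dbg: header, one section header, one COFF debug-directory entry, COFF data."""
    num_syms, table = _sample_symbol_table()
    coff = struct.pack(COFF_HDR, num_syms, struct.calcsize(COFF_HDR), 0, 0, 0, 0, 0, 0) + table
    header = struct.pack(SEP_HDR, IMAGE_SEPARATE_DEBUG_SIGNATURE, 0, 0x01F0, 0, timestamp, 0,
                         0x80400000, 0x1000, 1, 0, struct.calcsize(DEBUG_DIR), 0x1000, 0, 0)
    section = b"\0" * SECTION_HDR_SIZE
    ptr = len(header) + len(section) + struct.calcsize(DEBUG_DIR)
    return header + section + struct.pack(DEBUG_DIR, 0, timestamp, 0, 0, IMAGE_DEBUG_TYPE_COFF, len(coff), 0, ptr) + coff


def build_sample_pe(timestamp: int = 0x3156AB00) -> bytes:
    """Constructed MZ stub + PE signature + IMAGE_FILE_HEADER (not loadable, enough for the splice)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    return bytes(dos) + b"PE\0\0" + struct.pack("<HHIIIHH", 0x01F0, 1, timestamp, 0, 0, 0, 0x0102 | IMAGE_FILE_DEBUG_STRIPPED)


if __name__ == "__main__":
    info = read_dbg(build_sample_dbg())
    for name, section, value in parse_symbols(info["num_syms"], info["table"]):
        print(f"{name:<20} SECT{section} {value:08x}")
    print(file_header_fields(splice_into_pe(build_sample_pe(), info)))
```

The TimeDateStamp comparison is the check worth keeping: a .dbg from a different build will parse fine and produce symbols that are all slightly wrong. Note that appending bytes invalidates the optional header's CheckSum, which is harmless for feeding the result to a disassembler but should be recomputed (e.g. editbin /RELEASE) if the image is going to be booted.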

2 comments:

  1. I've gotten to a point in prephv where I probably need to do this to see what IO is failing.

    It's interesting to see it call firmware to open disk 0, seek 0 and then close... I wonder if it's trying disk I/O?

    1. setupldr uses the ARC interface implemented by veneer.exe to load the components necessary for setup (NT kernel, hal, setupdd "driver", and other stuff). It does this by doing block I/O (which must mean setupldr understands filesystems itself).

      Once everything is loaded setupldr hands off to NT kernel, where we die today because prephv doesn't really model the vcpu. Once in NT, ARC is not used anymore, so any messages seen from firmware come way before the kernel starts. I don't think we're anywhere close to seeing I/O yet, certainly not disk I/O. Best idea is to dump the instruction stream and correlate with a kernel and hal disassembly.
