NTLDR and real mode memory

Hi List,

I read on another post that there is a certain area of memory that Windows
doesn't use at pre-boot. Does anyone have any idea what the location of this
memory is?

I’m asking this because I have a full disk encryption product that I’m
developing and in the process I hook int 13h. This code is in real mode
memory and it works on Vista while it does not work on Windows XP. I suspect
NTLDR might be overwriting some part of memory where my int13 hook is.
Perhaps someone can shed some light on this strange behaviour.

Thanks!

Best wishes,
Kelvin

> I read on another post that there is a certain area of memory that Windows
> doesn't use at pre-boot. Does anyone have any idea what the location of this
> memory is?
>
> I’m asking this because I have a full disk encryption product that I’m
> developing and in the process I hook int 13h.

Hook the int11h and int15h chains in your real mode pre-NTLDR code, and fake
the response to “get memory size” and “get ACPI memory map” BIOS queries,
reporting, say, 1KB less of real-mode 640KB memory - 639KB.

This excluded 1KB can be used by your code for any purpose.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Thanks Maxim,

That’s a very interesting suggestion. Would it be possible to “reserve”, say,
40KB of conventional memory? Any idea how much memory NTLDR actually needs?

Best wishes,
Kelvin

On 6/28/07, Maxim S. Shatskih wrote:
> Hook the int11h and int15h chains in your real mode pre-NTLDR code, and fake
> the response to “get memory size” and “get ACPI memory map” BIOS queries,
> reporting, say, 1KB less of real-mode 640KB memory - 639KB.
>
> This excluded 1KB can be used by your code for any purpose.

I think that only practical trial can help.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

“kelvin lim” wrote in message news:xxxxx@ntdev…
> Thanks Maxim,
>
> That’s a very interesting suggestion. Would it be possible to “reserve”, say,
> 40KB of conventional memory? Any idea how much memory NTLDR actually needs?
>
> Best wishes,
> Kelvin

Probably. Just as Maxim suggested, you’ve got to break out WinDbg
configured for boot debugging and give it a try. Also, some sort of
JTAG emulator like an Arium ECM-50 or other suitable hardware-assisted
debugging technology will greatly help in exploring and debugging
the BIOS/pre-ntldr part of the process. That being said, even the entry
level price is rather steep.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S.
Shatskih
Sent: Thursday, June 28, 2007 04:59
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] NTLDR and real mode memory

I think that only practical trial can help.



Thanks guys.

I just managed to hook it and apparently it does get called at the very last
part. But I can’t quite make out the data in the return buffer in ES:DI.

Can anyone make some sense of it? I seem to get different results on
different hardware.

Best wishes,
Kelvin

On 6/28/07, Martin O’Brien wrote:
>
> Probably. Just as Maxim suggested, you’ve got to break out WinDbg
> configured for boot debugging and give it a try it. Also, some sort of
> JTAG emulator like an Arium ECM-50 or other suitable hardware assisted
> debugging technology, it will greatly help the exploring and debugging
> the BIOS/pre ntldr part of the process. That being said, even the entry
> level price is rather steep.
>
> mm

Are you talking about int 15 AX=E820 (AX is off the top of my head)? I
believe that ES:DI is supposed to be the same as the input value, which
is the address range descriptor to query:

Offset  Field         Description
0       BaseAddrLow   Low 32 bits of base address
4       BaseAddrHigh  High 32 bits of base address
8       LengthLow     Low 32 bits of length in bytes
12      LengthHigh    High 32 bits of length in bytes
16      Type          Address type of this range

Is this what you are looking for? If what I wrote above is correct,
then my guess would be that different vendors implement the routine
differently as the output is not supposed to matter anyway, but I really
don’t know.

mm


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of kelvin lim
Sent: Thursday, June 28, 2007 06:46
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] NTLDR and real mode memory

Thanks guys.

I just managed to hook it and apprently it does get called at the very
last part. But I can’t quite make out the data in the return buffer in
ES:DI

Can anyone make some sense of it. I seem to get different results on
different hardware.

Best wishes,

Kelvin


Ignore what I just wrote. My head is not quite working yet today.
ES:DI should be the same, but, obviously, what they point to gets
modified, which is presumably what you’re interested in. Sorry about
that. In any case, could you post a couple of examples of output from
different platforms?

mm



Yes, that’s the one I’m referring to. If the output doesn't matter, why is
NTLDR calling it?

On 6/28/07, Martin O’Brien wrote:
>
> Are you talking about int 15 AX=E820 (AX is off the top of my head)? I
> believe that ES:DI is supposed to be the same as the input value, which is
> the address range descriptor to query:
>
> 0 BaseAddrLow Low 32 Bits of Base Address
> 4 BaseAddrHigh High 32 Bits of Base Address
> 8 LengthLow Low 32 Bits of Length in Bytes
> 12 LengthHigh High 32 Bits of Length in Bytes
> 16 Type Address type of this range.
>
> Is this what you are looking for? If what I wrote above is correct, then my guess would be that different vendors implement the routine differently as the output is not supposed to matter anyway, but I really don’t know.
>
> mm

Ok,

I have 3 outputs so far.

On 2 of the computers where my encryption solution works I get this:

00 00 00 00 00 00 00 00 00 F0 09 00 00 00 01 00

and

00 00 00 00 00 00 00 00 00 F8 09 00 00 00 01 00

On the computer where my encryption does not work I get this:

00 00 00 00 00 00 00 00 00 00 09 00 00 00 01 00

It seems to be the last call that NTLDR makes before it hangs.

Kelvin
On 6/28/07, Martin O’Brien wrote:
>
> Ignore what I just wrote. My head is not quite working yet today. ES:DI
> should be the same, but, obviously what they point to gets modified, which
> is presumably what your interested in. Sorry about that. In any case,
> could you post a couple of examples of output from different platforms?
>
>
>
> mm
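Martin's descriptor table and the three dumps Kelvin posted, taken together, call for a decoder rather than eyeballing bytes. The C below is an added example written for this thread, not code from any participant or product. It assumes the full 20-byte INT 15h/AX=E820h descriptor (the dumps show only 16 bytes, so the Type field is not visible in them); the sample descriptors are constructed with base 0, type 1 and the three LengthLow values that appear in the dumps (0x9F000, 0x9F800, 0x90000). The type names are the ACPI-defined ones (1 usable, 2 reserved, 3 ACPI reclaimable, 4 ACPI NVS); any other value is treated as reserved.

```c
#include <stdint.h>
#include <stdio.h>

/* One INT 15h/AX=E820h address range descriptor, laid out as in the table
 * above: BaseAddrLow @0, BaseAddrHigh @4, LengthLow @8, LengthHigh @12,
 * Type @16. Every field is a little-endian 32-bit value; the BIOS fills
 * this buffer at ES:DI on each call. */
#define E820_DESC_LEN 20

enum e820_type {
    E820_USABLE = 1,        /* RAM the loader may use */
    E820_RESERVED = 2,      /* do not touch */
    E820_ACPI_RECLAIM = 3,  /* ACPI tables; reusable once parsed */
    E820_ACPI_NVS = 4       /* ACPI non-volatile storage; never touch */
};

typedef struct {
    uint64_t base;
    uint64_t length;
    uint32_t type;
} e820_range;

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the raw 20 bytes a BIOS leaves at ES:DI. */
e820_range e820_decode(const uint8_t raw[E820_DESC_LEN])
{
    e820_range r;
    r.base   = (uint64_t)rd_le32(raw + 0) | ((uint64_t)rd_le32(raw + 4) << 32);
    r.length = (uint64_t)rd_le32(raw + 8) | ((uint64_t)rd_le32(raw + 12) << 32);
    r.type   = rd_le32(raw + 16);
    return r;
}

const char *e820_type_name(uint32_t type)
{
    switch (type) {
    case E820_USABLE:       return "usable RAM";
    case E820_RESERVED:     return "reserved";
    case E820_ACPI_RECLAIM: return "ACPI reclaimable";
    case E820_ACPI_NVS:     return "ACPI NVS";
    default:                return "unknown (treat as reserved)";
    }
}

/* KB of usable RAM in the descriptor that starts at physical 0, i.e. the
 * conventional-memory range; 0 if this descriptor is not that range. */
uint64_t conventional_kb(const uint8_t raw[E820_DESC_LEN])
{
    e820_range r = e820_decode(raw);
    if (r.type != E820_USABLE || r.base != 0)
        return 0;
    return r.length / 1024;
}

/* KB of conventional memory the "good" map reports that the "bad" map does
 * not; positive means the bad machine reports less. */
int64_t conventional_gap_kb(const uint8_t good[E820_DESC_LEN],
                            const uint8_t bad[E820_DESC_LEN])
{
    return (int64_t)conventional_kb(good) - (int64_t)conventional_kb(bad);
}

/* Constructed samples (not captured from hardware): base 0, type 1, with the
 * three LengthLow values visible in the dumps posted in this thread. */
#define CONV_DESC(lo, hi) { 0,0,0,0, 0,0,0,0, 0x00,lo,hi,0x00, 0,0,0,0, 1,0,0,0 }
const uint8_t SAMPLE_WORKS_A[E820_DESC_LEN] = CONV_DESC(0xF0, 0x09); /* 0x9F000 */
const uint8_t SAMPLE_WORKS_B[E820_DESC_LEN] = CONV_DESC(0xF8, 0x09); /* 0x9F800 */
const uint8_t SAMPLE_HANGS[E820_DESC_LEN]   = CONV_DESC(0x00, 0x09); /* 0x90000 */

int main(void)
{
    const uint8_t *samples[] = { SAMPLE_WORKS_A, SAMPLE_WORKS_B, SAMPLE_HANGS };
    for (int i = 0; i < 3; i++) {
        e820_range r = e820_decode(samples[i]);
        printf("base=0x%llx length=0x%llx (%llu KB) type=%u %s\n",
               (unsigned long long)r.base, (unsigned long long)r.length,
               (unsigned long long)(r.length / 1024), r.type,
               e820_type_name(r.type));
    }
    printf("gap between working and hanging machine: %lld KB\n",
           (long long)conventional_gap_kb(SAMPLE_WORKS_A, SAMPLE_HANGS));
    return 0;
}
```

Run stand-alone it prints the three decoded ranges: the two working machines report 636 KB and 638 KB of usable memory starting at 0, the hanging one 576 KB, so the gap is 60 to 62 KB. Comparing decoded ranges across machines, rather than raw bytes, is the check to make before deciding whether the hook's own changes to the map are what the loader is tripping over.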

What will be the effect if I modify these values? How will Windows react?

On 6/28/07, kelvin lim wrote:
>
> Ok,
>
> I have 3 outputs so far
>
> On 2 of the computers where my encryption solution works I get this:
>
> 00 00 00 00 00 00 00 00 00 F0 09 00 00 00 01 00
>
> and
>
> 00 00 00 00 00 00 00 00 00 F8 09 00 00 00 01 00
>
> On the computer which my encryption does not work I get this
>
> 00 00 00 00 00 00 00 00 00 00 09 00 00 00 01 00
>
> It seems to be the last call that NTLDR makes before it hangs.
>
>
> Kelvin

I’ve got a few things I can add here:

First, bochs (with bochsdbg) was a HUGE help debugging, so I can recommend it for exploration and test code. I also recommend reading through Ralf Brown’s interrupt list, with special attention to int15,ax=e820 (which might be all you need). See http://www.ctyme.com/intr/rb-1741.htm (you’ve probably seen this already, but …)

If you’re just looking to reserve a small amount of conventional memory, you could change the value at 0:0413h to indicate a new base memory size. This would be a much easier alternative. To use a larger amount of memory, you’d definitely need to go to an int15 hook, but it is a bit of a PITA to use, since you’ve got to hop in and out of protected mode to access it.

In the hook that I wrote, I was able to steal large chunks of memory (>32M, I’m sure it can be more) by using an int15/e820 hook, finding the largest descriptor, and reducing its length appropriately. This left available memory at the end of that range which Windows didn’t touch, but the hook could.

-Brian

----- Original Message -----
From: kelvin lim
To: Windows System Software Devs Interest List
Sent: Wednesday, June 27, 2007 10:57 PM
Subject: Re: [ntdev] NTLDR and real mode memory

Thanks Maxim,

There’s a very interesting suggestion. Would is be possible to “reserve” say 40KB of conventional memory. Any idea how much memory NTLDR actually needs ?

Best wishes,
Kelvin


If I’m reading this correctly, I think it is saying that the last
example has about 63K less memory than the other two??? Is this after
you hook and claim memory? If what I just wrote is correct, which I’m
not really all that sure it is, as it has been quite a while since I
looked at NTLDR, something apparently is. I haven’t any idea of what
NTLDR might do under such a circumstance.

How are you debugging this?

mm


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of kelvin lim
Sent: Thursday, June 28, 2007 11:24
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] NTLDR and real mode memory

Ok,

I have 3 outputs so far

On 2 of the computers where my encryption solution works I get this:

00 00 00 00 00 00 00 00 00 F0 09 00 00 00 01 00

and

00 00 00 00 00 00 00 00 00 F8 09 00 00 00 01 00

On the computer on which my encryption does not work I get this:

00 00 00 00 00 00 00 00 00 00 09 00 00 00 01 00

It seems to be the last call that NTLDR makes before it hangs.

Kelvin

On 6/28/07, Martin O’Brien wrote:

Ignore what I just wrote. My head is not quite working yet today.
ES:DI should be the same, but, obviously what they point to gets
modified, which is presumably what you’re interested in. Sorry about
that. In any case, could you post a couple of examples of output from
different platforms?

mm

________________________________

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of kelvin lim
Sent: Thursday, June 28, 2007 06:46

To: Windows System Software Devs Interest List
Subject: Re: [ntdev] NTLDR and real mode memory

Thanks guys.

I just managed to hook it and apparently it does get called at the very
last part. But I can’t quite make out the data in the return buffer in
ES:DI.

Can anyone make some sense of it? I seem to get different results on
different hardware.

Best wishes,

Kelvin

On 6/28/07, Martin O’Brien < xxxxx@evitechnology.com
mailto:xxxxx > wrote:

Probably. Just as Maxim suggested, you’ve got to break out WinDbg
configured for boot debugging and give it a try. Also, some sort of
JTAG emulator like an Arium ECM-50 or other suitable hardware-assisted
debugging technology will greatly help in exploring and debugging
the BIOS/pre-NTLDR part of the process. That being said, even the entry
level price is rather steep.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto: xxxxx@lists.osr.com
mailto:xxxxx] On Behalf Of Maxim S.
Shatskih
Sent: Thursday, June 28, 2007 04:59
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] NTLDR and real mode memory

I think that only practical trial can help.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com


The details of INT15H, E820H can be found in ACPI spec
http://www.acpi.info/DOWNLOADS/ACPIspec10b.pdf (section 14.1).

Our product hooks int15h and modifies the returns of this
function from the original BIOS to steal memory from Windows too. So I have
observed the BIOS returns of a few PCs and found the results consistent.
Below is one sample output from the original BIOS. These debug outputs
are read from the Address Range Descriptor Structure pointed to by ES:DI, and
you have to repeatedly call INT15h E820h until the returned EBX = 0 to get
the whole memory map.

Output msg Format: Find: <baseaddrhigh:baseaddrlow> len: <lengthhigh:lengthlow> Type: <type>

Find: 00000000:00000000 len: 00000000:0009F800 Type: 00000001

Find: 00000000:000F0000 len: 00000000:00010000 Type: 00000002

Find: 00000000:FFFF0000 len: 00000000:00010000 Type: 00000002

Find: 00000000:1EFF3000 len: 00000000:0000D000 Type: 00000003

Find: 00000000:1EFF0000 len: 00000000:00003000 Type: 00000004

Find: 00000000:0009F800 len: 00000000:00000800 Type: 00000002

Find: 00000000:00100000 len: 00000000:1EEF0000 Type: 00000001

From what I observe, both XP & Vista use this memory map to
decide what memory can be used. The difference I see so far is:

On XP, it uses memory ranges that are explicitly claimed as
AddressRangeMemory (value = 1) only

On Vista, it uses memory ranges that are NOT explicitly claimed as
AddressRangeReserved (2) or AddressRangeACPI (3) or AddressRangeNVS (4).
Hence we have to add some code to explicitly claim a certain range of
memory as AddressRangeReserved to make it work on Vista. Your problem
seems to be different than ours so I am not sure the exact cause. But
trying to work on BIOS memory map returns is the right direction, I
believe.

Note that there are some memory ranges that, although not
explicitly specified as reserved in the memory map, the OS will not use.
E.g. video memory at A0000 - BFFFF, the BIOS interrupt table (0:0) and
the BIOS data area (40:0).

Mandy
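
As an added illustration of the two techniques discussed in this thread (Brian’s int15/e820 hook that shortens the largest descriptor, and Mandy’s observation of how XP and Vista read the map differently), and not code written by anyone on the list: a small C model of the E820 memory map. It decodes the 20-byte Address Range Descriptor layout, applies the two loader policies Mandy describes to individual addresses, and carves a hole out of the largest type-1 range either silently or with an explicit AddressRangeReserved entry appended. Mandy’s posted map is re-encoded as constructed sample input. Reading Kelvin’s three 16-byte dumps as the start of a descriptor (bytes 8..11 as the low dword of the length) is my assumption, since the thread never says what his hook printed, and the `usable_xp`/`usable_vista` functions model Mandy’s description, not NTLDR’s or Vista’s actual loader code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* INT 15h/AX=E820h Address Range Descriptor (ACPI 1.0b, section 14.1):
 * 20 bytes at ES:DI, little-endian: base (8), length (8), type (4). */
typedef struct { uint64_t base, length; uint32_t type; } e820_entry_t;
enum { E820_MEMORY = 1, E820_RESERVED = 2, E820_ACPI = 3, E820_NVS = 4 };
#define E820_MAX 32   /* capacity of the working copy of the map */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }

/* Decode one descriptor exactly as the BIOS wrote it at ES:DI. */
void e820_parse(const uint8_t buf[20], e820_entry_t *e) {
    e->base = rd64(buf); e->length = rd64(buf + 8); e->type = rd32(buf + 16);
}

/* Constructed sample: the first entry of Mandy's map as raw descriptor bytes. */
const uint8_t sample_raw[20] = { 0,0,0,0,0,0,0,0, 0x00,0xF8,0x09,0x00, 0,0,0,0, 1,0,0,0 };

/* Constructed sample: Kelvin's three posted 16-byte dumps. Treating bytes 8..11
 * as the low dword of `length` is an assumption; the thread never says what
 * his hook printed. */
static const uint8_t posted_dumps[3][16] = {
    { 0,0,0,0,0,0,0,0, 0x00,0xF0,0x09,0x00, 0,0,1,0 },
    { 0,0,0,0,0,0,0,0, 0x00,0xF8,0x09,0x00, 0,0,1,0 },
    { 0,0,0,0,0,0,0,0, 0x00,0x00,0x09,0x00, 0,0,1,0 },
};
unsigned posted_dump_kb(int i) { return (i < 0 || i > 2) ? 0 : rd32(posted_dumps[i] + 8) / 1024; }

/* Constructed sample: Mandy's full posted map, as structs. */
static const e820_entry_t sample_map[] = {
    { 0x00000000ULL, 0x0009F800ULL, E820_MEMORY },
    { 0x000F0000ULL, 0x00010000ULL, E820_RESERVED },
    { 0xFFFF0000ULL, 0x00010000ULL, E820_RESERVED },
    { 0x1EFF3000ULL, 0x0000D000ULL, E820_ACPI },
    { 0x1EFF0000ULL, 0x00003000ULL, E820_NVS },
    { 0x0009F800ULL, 0x00000800ULL, E820_RESERVED },
    { 0x00100000ULL, 0x1EEF0000ULL, E820_MEMORY },
};
size_t copy_sample(e820_entry_t *dst) {   /* working copy; returns entry count */
    memcpy(dst, sample_map, sizeof sample_map);
    return sizeof sample_map / sizeof sample_map[0];
}

static int covers(const e820_entry_t *e, uint64_t a) { return a >= e->base && a - e->base < e->length; }

/* The two loader policies Mandy describes, applied to one address. XP: usable
 * only if a type-1 entry covers it. Vista: usable unless a type 2/3/4 entry
 * covers it, so a hole that is merely absent from the map still gets used. */
int usable_xp(const e820_entry_t *m, size_t n, uint64_t a) {
    for (size_t i = 0; i < n; i++) if (m[i].type == E820_MEMORY && covers(&m[i], a)) return 1;
    return 0;
}
int usable_vista(const e820_entry_t *m, size_t n, uint64_t a) {
    for (size_t i = 0; i < n; i++) if (m[i].type != E820_MEMORY && covers(&m[i], a)) return 0;
    return 1;
}

/* Brian's technique: shorten the largest type-1 range by `want` bytes, leaving a
 * hole at its top. With explicit_reserve set, also append a type-2 entry for
 * the hole, which is Mandy's fix for Vista. Returns the hole base, 0 on failure. */
uint64_t carve_hole(e820_entry_t *m, size_t *n, uint64_t want, int explicit_reserve) {
    size_t best = *n;
    for (size_t i = 0; i < *n; i++)
        if (m[i].type == E820_MEMORY && (best == *n || m[i].length > m[best].length)) best = i;
    if (best == *n || m[best].length <= want) return 0;   /* no range large enough */
    if (explicit_reserve && *n >= E820_MAX) return 0;     /* no slot for the new entry */
    m[best].length -= want;
    uint64_t hole = m[best].base + m[best].length;
    if (explicit_reserve) { m[*n].base = hole; m[*n].length = want; m[*n].type = E820_RESERVED; (*n)++; }
    return hole;
}

int main(void) {
    e820_entry_t m[E820_MAX];
    size_t n = copy_sample(m);
    uint64_t hole = carve_hole(m, &n, 32u << 20, 1);   /* reserve 32 MiB, explicitly marked */
    for (size_t i = 0; i < n; i++)
        printf("base %016llx len %016llx type %u\n", (unsigned long long)m[i].base,
               (unsigned long long)m[i].length, m[i].type);
    printf("hole at %#llx: usable_xp=%d usable_vista=%d\n", (unsigned long long)hole,
           usable_xp(m, n, hole), usable_vista(m, n, hole));
    for (int i = 0; i < 3; i++) printf("posted dump %d: %u KB conventional\n", i, posted_dump_kb(i));
    return 0;
}
```

The check worth running is the pair of policies on the carved hole: after `carve_hole(..., 0)` the hole is rejected under the XP rule but accepted under the Vista rule, which is exactly the mismatch Mandy describes, and only with `explicit_reserve` set do both rules reject it. Under the stated assumption about Kelvin’s dumps, the three decode to 636, 638 and 576 KB of conventional memory, matching Martin’s reading that the third machine reports roughly 60 KB less. Brian’s cheaper 0:0413h variant needs no map editing at all, since that BIOS Data Area word is just the conventional memory size in KB.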




You’ve really got to try and see. I just don’t know.

mm


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of kelvin lim
Sent: Thursday, June 28, 2007 12:09
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] NTLDR and real mode memory

What will be the effect if I modify these values? How will Windows
react?


Well put. It seems like Kelvin’s third machine has about 64K less
conventional memory than the other two (although those differ slightly
as well). Assuming that this is correct, NTLDR could possibly get testy
as it does start in real mode; I have no idea. Sorry.

mm



Ok. Let’s say that this is the problem. What could possibly cause the BIOS to
return this value? I have some of my code resident in the higher
conventional memory (600K+). But does the BIOS even care?

On 6/29/07, Martin O’Brien wrote:
>
> Well put. It seems like Kelvin’s third machine has about 64K less
> conventional memory than the other two (although those differ slightly as
> well). Assuming that this is correct, NTLDR could possibly get testy as it
> does start in real mode; I have no idea. Sorry.
>
>
>
> mm
>
>
>
>
> ------------------------------
>
> From: xxxxx@lists.osr.com [mailto:
> xxxxx@lists.osr.com] *On Behalf Of *Mandy Lam
> Sent: Thursday, June 28, 2007 12:32
> To: Windows System Software Devs Interest List
> Subject: RE: [ntdev] NTLDR and real mode memory
>
>
>
> The details of INT15H, E820H can be found in ACPI spec
> http://www.acpi.info/DOWNLOADS/ACPIspec10b.pdf (section 14.1).
>
> Our product hooks to int15h, modifies the returns of this
> function from original BIOS to steal memory from Windows too. So I have
> observed BIOS returns of a few PCs and found the result consistent. Below
> is one of the sample output from original BIOS. These debug output are read
> from Address Range Descriptor Structure pointed by ES:DI, and you have to
> repeatedly call INT15h E820h until returned EBX = 0 to get the whole memory
> map.
>
> Output msg Format: Find: baseaddrhigh:baseaddrlow len:
> lengthhigh:lengthlow Type: :
>
>
>
> Find: 00000000:00000000 len: 00000000:0009F800 Type: 00000001
>
> Find: 00000000:000F0000 len: 00000000:00010000 Type: 00000002
>
> Find: 00000000:FFFF0000 len: 00000000:00010000 Type: 00000002
>
> Find: 00000000:1EFF3000 len: 00000000:0000D000 Type: 00000003
>
> Find: 00000000:1EFF0000 len: 00000000:00003000 Type: 00000004
>
> Find: 00000000:0009F800 len: 00000000:00000800 Type: 00000002
>
> Find: 00000000:00100000 len: 00000000:1EEF0000 Type: 00000001
>
>
>
> From what I observe, both XP & Vista use this memory map to
> decide what memory can be used. The difference I see so far is:
>
> On XP, it uses memory ranges that are explicitly claimed as
> AddressRangeMemory (value = 1) only
>
> On Vista, it uses memory ranges that are NOT explicitly claimed as
> AddressRangeReserved (2) or AddressRangeACPI (3) or AddressRangeNVS (4).
> Hence we have to add some codes to explicitly claim a certain range of
> memory as AddressRangeReserved to make work on Vista. Your problem seems to
> be different than ours so I am not sure the exact cause. But trying to work
> on BIOS memory map returns is the right direction, I believe.
>
>
>
> Note that there are some memory ranges that, although not
> explicitly specified as reserved from the memory map, OS will not use it.
> E.g. video memory at A0000 - BFFFF, BIOS interrupt table (0:0) and data
> area (40:0)
>
>
>
> Mandy
>
>
>
>
>
>
> ------------------------------
>
> From: xxxxx@lists.osr.com [mailto:
> xxxxx@lists.osr.com] *On Behalf Of *kelvin lim
> Sent: Thursday, June 28, 2007 8:24 AM
> To: Windows System Software Devs Interest List
> Subject: Re: [ntdev] NTLDR and real mode memory
>
>
>
> Ok,
>
>
>
> I have 3 outputs so far
>
>
>
> One 2 of the computers where my encryption solution works I get this :
>
>
>
> 00 00 00 00 00 00 00 00 00 F0 09 00 00 00 01 00
>
>
>
> and
>
>
>
> 00 00 00 00 00 00 00 00 00 F8 09 00 00 00 01 00
>
>
>
> On the computer which my encryption does not work I get this
>
>
>
> 00 00 00 00 00 00 00 00 00 00 09 00 00 00 01 00
>
>
>
> It seems to be the last call that NTLDR makes before it hangs.
>
>
>
> Kelvin
>
> On 6/28/07, Martin O’Brien wrote:
>
> Ignore what I just wrote. My head is not quite working yet today. ES:DI
> should be the same, but, obviously what they point to gets modified, which
> is presumably what your interested in. Sorry about that. In any case,
> could you post a couple of examples of output from different platforms?
>
>
>
> mm
>
>
> ------------------------------
>
> From: xxxxx@lists.osr.com [mailto:
> xxxxx@lists.osr.com] *On Behalf Of *kelvin lim
> Sent: Thursday, June 28, 2007 06:46
>
>
> To: Windows System Software Devs Interest List
> Subject: Re: [ntdev] NTLDR and real mode memory
>
>
>
> Thanks guys.
>
>
>
> I just managed to hook it and apprently it does get called at the very
> last part. But I can’t quite make out the data in the return buffer in ES:DI
>
>
>
>
> Can anyone make some sense of it. I seem to get different results on
> different hardware.
>
>
>
> Best wishes,
>
> Kelvin
>
>
>
> On 6/28/07, Martin O’Brien < xxxxx@evitechnology.com> wrote:
>
> Probably. Just as Maxim suggested, you’ve got to break out WinDbg
> configured for boot debugging and give it a try it. Also, some sort of
> JTAG emulator like an Arium ECM-50 or other suitable hardware assisted
> debugging technology, it will greatly help the exploring and debugging
> the BIOS/pre ntldr part of the process. That being said, even the entry
> level price is rather steep.
>
> mm
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto: xxxxx@lists.osr.com] On Behalf Of Maxim S.
> Shatskih
> Sent: Thursday, June 28, 2007 04:59
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] NTLDR and real mode memory
>
> I think that only practical trial can help.
>
> –
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
> “kelvin lim” wrote in message news:xxxxx@ntdev…
> > Thanks Maxim,
> >
> > There’s a very interesting suggestion. Would is be possible to
> “reserve” say
> > 40KB of conventional memory. Any idea how much memory NTLDR actually
> needs ?
> >
> > Best wishes,
> > Kelvin
> >
> > On 6/28/07, Maxim S. Shatskih < xxxxx@storagecraft.com > wrote:
> > >
> > > > I read on another post that there is a certain area of memory that
> > > Windows
> > > > doesnt use at pre-boot. Does anyone have any idea what the
> location of
> > > this
> > > > memory is?
> > > >
> > > > I’m asking this because I have a full disk encryption product that
> i’m
> > > > developing and in the process I hook int 13h.
> > >
> > > Hook the int11h and int15h chains in your real mode pre-NTLDR code,
> and
> > > fake
> > > the response to “get memory size” and “get ACPI memory map” BIOS
> queries,
> > > reporting, say, 1KB less of real-mode 640KB memory - 639KB.
> > >
> > > This excluded 1KB can be used by your code for any purpose.
> > >
> > > –
> > > Maxim Shatskih, Windows DDK MVP
> > > StorageCraft Corporation
> > > xxxxx@storagecraft.com
> > > http://www.storagecraft.com
> > >
> > >
> > > —
> > > Questions? First check the Kernel Driver FAQ at
> > > http://www.osronline.com/article.cfm?id=256
> > >
> > > To unsubscribe, visit the List Server section of OSR Online at
> > > http://www.osronline.com/page.cfm?name=ListServer
> > >
> >
>

As others have said, if your int 13h filter is reserving memory using 40:13 or any other allocation method, it will additionally need to hook all interfaces that an OS or other software may use to obtain the system memory map. In addition to int 15h, ax=0e820h, other interfaces include int 15h, ax=e801h and ax=88h. Hooking the latter two is not required for Windows, but may be required for compatibility with other realmode software.

At a minimum, you need to hook int 15 ax=0e820h which Windows uses to obtain the system memory map. You will need to hook this interface to describe the memory you have allocated in your int 13h filter. You should either remove your memory region from the memory map or describe it as “firmware reserved” (type 2). If you are allocating memory under 640K, please recognize that this is a shared resource used by BIOS, option ROMs, OS boot loaders and various realmode software. 40K will likely be OK, but if you need much more memory you should consider reserving memory over 1MB.

-jamie
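
The map rewrite Jamie describes, as an added example that is not code from this thread: take the address-range descriptors a BIOS would hand back over successive int 15h, ax=0e820h calls, carve a region out of the usable RAM and present it as type 2 (reserved). The sample map, the 40 KiB hole just below the EBDA and the function names are constructed assumptions, not values from any real machine. It goes one step past the post by splitting an entry into up to three pieces, so a hole in the middle of a usable range is handled, not only one at its top.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Address-range descriptor as INT 15h, AX=E820h returns it at ES:DI (20-byte form). */
struct e820_entry {
    uint64_t base;
    uint64_t length;
    uint32_t type;
};
#define E820_USABLE   1u   /* available RAM */
#define E820_RESERVED 2u   /* reserved: the OS must not use it */

/* Append one entry; empty fragments are dropped. Returns -1 if out is full. */
static int emit(struct e820_entry *out, int cap, int *n,
                uint64_t base, uint64_t length, uint32_t type) {
    if (length == 0) return 0;
    if (*n >= cap) return -1;
    out[*n].base = base; out[*n].length = length; out[*n].type = type;
    (*n)++;
    return 0;
}

/* Rewrite the BIOS map so [hole_base, hole_base+hole_len) is E820_RESERVED.
 * Usable entries overlapping the hole are split around it; everything else is
 * copied unchanged. Returns the new entry count, or -1 if out is too small
 * (each split can add two entries, so size the buffer accordingly). */
int e820_reserve(const struct e820_entry *in, int n_in,
                 struct e820_entry *out, int cap,
                 uint64_t hole_base, uint64_t hole_len) {
    uint64_t hole_end = hole_base + hole_len;
    int n = 0;
    for (int i = 0; i < n_in; i++) {
        const struct e820_entry *e = &in[i];
        uint64_t end = e->base + e->length;
        int overlaps = e->type == E820_USABLE && e->base < hole_end && hole_base < end;
        if (!overlaps) {
            if (emit(out, cap, &n, e->base, e->length, e->type) < 0) return -1;
            continue;
        }
        uint64_t lo = e->base > hole_base ? e->base : hole_base;   /* overlap start */
        uint64_t hi = end < hole_end ? end : hole_end;             /* overlap end   */
        if (emit(out, cap, &n, e->base, lo - e->base, E820_USABLE) < 0) return -1;
        if (emit(out, cap, &n, lo, hi - lo, E820_RESERVED) < 0) return -1;
        if (emit(out, cap, &n, hi, end - hi, E820_USABLE) < 0) return -1;
    }
    return n;
}

/* Usable bytes below a limit: a quick check that the carve-out took effect. */
uint64_t e820_usable_below(const struct e820_entry *m, int n, uint64_t limit) {
    uint64_t total = 0;
    for (int i = 0; i < n; i++) {
        if (m[i].type != E820_USABLE || m[i].base >= limit) continue;
        uint64_t end = m[i].base + m[i].length;
        total += (end < limit ? end : limit) - m[i].base;
    }
    return total;
}

/* Constructed sample map (assumption, not captured from hardware):
 * 639 KiB usable, 1 KiB EBDA, 64 KiB system ROM, 2 GiB of RAM above 1 MiB. */
const struct e820_entry sample_map[] = {
    { 0x00000000, 0x0009FC00, E820_USABLE   },
    { 0x0009FC00, 0x00000400, E820_RESERVED },
    { 0x000F0000, 0x00010000, E820_RESERVED },
    { 0x00100000, 0x7FF00000, E820_USABLE   },
};
const int sample_map_len = 4;

/* Assumed hole: 40 KiB at the top of conventional memory, 0x95C00..0x9FC00. */
#define HOLE_BASE 0x95C00u
#define HOLE_LEN  0xA000u

int main(void) {
    struct e820_entry out[8];
    int n = e820_reserve(sample_map, sample_map_len, out, 8, HOLE_BASE, HOLE_LEN);
    for (int i = 0; i < n; i++)
        printf("%016" PRIx64 " %016" PRIx64 " type %" PRIu32 "\n",
               out[i].base, out[i].length, out[i].type);
    return n < 0;
}
```

A real-mode hook cannot run this per call: the BIOS hands out one descriptor per int 15h invocation, keyed by the continuation value in EBX. The practical shape is to walk the BIOS map once at install time, rewrite it with a function like the one above into memory the hook owns, and then answer each ax=0e820h call from that copy, keeping the same continuation convention (EBX returns to zero after the last entry) and the same CF semantics the caller expects.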

After the hook, it seems to hang there. Maybe someone can look at my code:

_Int15Hook proc far
        jmp     short Int15Hook_start
        nop
OldInt15Vector dd 0                     ; saved BIOS vector, kept in the code segment: an interrupt
                                        ; handler cannot assume DS points at DGROUP, so the installer
                                        ; must store the old vector here (CS-relative) instead
Int15Hook_start:
        cmp     ax, 0E820h
        jne     originalInt15
        pushf                           ; fake the INT frame: the BIOS handler consumes these FLAGS
        call    dword ptr cs:[OldInt15Vector]
        retf    2                       ; back to the caller, dropping its stacked FLAGS so the CF
                                        ; the BIOS set is what the caller sees
originalInt15:
        jmp     dword ptr cs:[OldInt15Vector]   ; not E820: pass straight through, BIOS returns for us
_Int15Hook endp

currently I’m not doing anything in the hook, I just want to be able to
return from it. But the system seems to hang. The original Int 15 vector is
stored in DGROUP:[OldInt15Vector]. Does this look right?

Thanks.

On 6/29/07, xxxxx@windows.microsoft.com
wrote:
>
> As others have said, if your int 13h filter is reserving memory using
> 40:13 or any other allocation method, it will additionally need to hook all
> interfaces that an OS or other software may use to obtain the system memory
> map. In addition to int 15h, ax-0e820h other interfaces include int 15h,
> ax=e801 and ax=88h. Hooking the later two is not required for Windows, but
> may be required for compatibility with other realmode software.
>
> At a minimum, you need to hook int 15 ax=0e820h which Windows uses to
> obtain the system memory map. You will need to hook this interface to
> describe the memory you have allocated in your int 13h filter. You should
> either remove your memory region from the memory map or describe it as
> “firmware reserved” (type 2). If you are allocating memory under 640K,
> please recognize that this is a shared resource used by BIOS, option ROMs,
> OS boot loaders and various realmode software. 40K will likely be OK, but
> if you need much more memory you should consider reserving memory over 1MB.
>
> -jamie
>

Since it’s an interrupt, I believe you need an iret, not a retf…
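
A constructed model of why the posted hook hangs, added here and not code from anyone in the thread: it replays the 16-bit stack frames that INT, PUSHF, CALL FAR, IRET and RETF n produce, in C, and reports where each way of chaining to the BIOS lands. The BIOS int 15h handler is modelled as setting CF and returning with RETF 2 (an assumption; firmware differs in detail, but every variant needs the hook's PUSHF before the far call so that the frame it sees looks like an INT). Segment and offset values are arbitrary.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the real-mode stack: 16-bit words, SP grows down, STK_WORDS means empty. */
#define STK_WORDS 32
struct cpu {
    uint16_t stk[STK_WORDS];
    int      sp;
    uint16_t cs, ip, flags;
    bool     underflow;   /* a pop ran past the caller's INT frame */
};

static void push(struct cpu *c, uint16_t v) { c->stk[--c->sp] = v; }

static uint16_t pop(struct cpu *c) {
    if (c->sp >= STK_WORDS) { c->underflow = true; return 0xDEAD; }
    return c->stk[c->sp++];
}

/* INT n: the CPU pushes FLAGS, CS, IP and jumps through the vector. */
static void do_int(struct cpu *c, uint16_t hcs, uint16_t hip) {
    push(c, c->flags); push(c, c->cs); push(c, c->ip);
    c->cs = hcs; c->ip = hip;
}

/* CALL FAR pushes only CS and IP: no FLAGS word. */
static void do_call_far(struct cpu *c, uint16_t tcs, uint16_t tip) {
    push(c, c->cs); push(c, c->ip);
    c->cs = tcs; c->ip = tip;
}

static void do_iret(struct cpu *c) { c->ip = pop(c); c->cs = pop(c); c->flags = pop(c); }

/* RETF n pops CS:IP, then discards n bytes (n words/2) of caller arguments. */
static void do_retf(struct cpu *c, int drop_bytes) {
    c->ip = pop(c); c->cs = pop(c);
    c->sp += drop_bytes / 2;
}

/* Assumed BIOS behaviour: set CF (as E820h does at end of map or on error), return with RETF 2
 * so the caller keeps the handler's flags. */
static void bios_int15(struct cpu *c) { c->flags |= 0x0001; do_retf(c, 2); }

enum chain_style { CALL_RETF, CALL_IRET, PUSHF_CALL_RETF2, PUSHF_CALL_IRET };

struct outcome { bool back_at_caller; bool cf_visible; bool stack_balanced; bool underflow; };

/* Run one INT 15h through a hook that chains to the BIOS in the given style. */
struct outcome run_chain(enum chain_style style) {
    const uint16_t CALLER_CS = 0x1234, CALLER_IP = 0x5678, CALLER_FLAGS = 0x0202; /* CF clear */
    const uint16_t HOOK_CS = 0x9600, BIOS_CS = 0xF000, BIOS_IP = 0xF859;
    struct cpu c = { .sp = STK_WORDS, .cs = CALLER_CS, .ip = CALLER_IP, .flags = CALLER_FLAGS };

    do_int(&c, HOOK_CS, 0x0000);                         /* INT 15h lands in the hook */
    if (style == PUSHF_CALL_RETF2 || style == PUSHF_CALL_IRET)
        push(&c, c.flags);                               /* PUSHF: build an INT-shaped frame */
    c.ip = 0x0008;                                       /* hook's return address after the CALL */
    do_call_far(&c, BIOS_CS, BIOS_IP);
    bios_int15(&c);                                      /* returns to HOOK_CS:0008 only if the frame fits */
    switch (style) {
    case CALL_RETF:        do_retf(&c, 0); break;        /* the posted code */
    case CALL_IRET:        do_iret(&c);    break;        /* the suggested one-word fix */
    case PUSHF_CALL_RETF2: do_retf(&c, 2); break;        /* conventional pass-through */
    case PUSHF_CALL_IRET:  do_iret(&c);    break;        /* returns, but restores the caller's flags */
    }
    struct outcome o = {
        .back_at_caller = (c.cs == CALLER_CS && c.ip == CALLER_IP),
        .cf_visible     = (c.flags & 0x0001) != 0,
        .stack_balanced = (c.sp == STK_WORDS),
        .underflow      = c.underflow,
    };
    return o;
}

int main(void) {
    static const char *name[] = { "call/retf", "call/iret", "pushf+call/retf 2", "pushf+call/iret" };
    for (int s = CALL_RETF; s <= PUSHF_CALL_IRET; s++) {
        struct outcome o = run_chain((enum chain_style)s);
        printf("%-18s back_at_caller=%d cf_visible=%d stack_balanced=%d underflow=%d\n",
               name[s], o.back_at_caller, o.cf_visible, o.stack_balanced, o.underflow);
    }
    return 0;
}
```

With the posted call/retf sequence the BIOS's own return eats one word of the caller's frame, so the hook's RETF pops the caller's CS into IP and the caller's FLAGS into CS and execution lands in the weeds. Swapping RETF for IRET on its own only moves the problem: the third pop runs off the end of the frame. PUSHF before the far call repairs the frame for both return styles; RETF 2 is then preferred over IRET because IRET reloads the caller's pre-call flags and drops the CF the BIOS reported.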