
What is in the Reserved1 field of the IMAGE_LOAD_CONFIG_DIRECTORY32 structure?

Looking at the IMAGE_LOAD_CONFIG_DIRECTORY32 structure of kernelbase.dll I see the following:

0:000> dt IMAGE_LOAD_CONFIG_DIRECTORY32 761dc810  
DebugMe!IMAGE_LOAD_CONFIG_DIRECTORY32
   +0x000 Size             : 0x80
   +0x004 TimeDateStamp    : 0
   +0x008 MajorVersion     : 0
   +0x00a MinorVersion     : 0
   +0x00c GlobalFlagsClear : 0
   +0x010 GlobalFlagsSet   : 0
   +0x014 CriticalSectionDefaultTimeout : 0
   +0x018 DeCommitFreeBlockThreshold : 0
   +0x01c DeCommitTotalFreeThreshold : 0
   +0x020 LockPrefixTable  : 0
   +0x024 MaximumAllocationSize : 0
   +0x028 VirtualMemoryThreshold : 0
   +0x02c ProcessHeapFlags : 0
   +0x030 ProcessAffinityMask : 0
   +0x034 CSDVersion       : 0
   +0x036 Reserved1        : 0x800
   +0x038 EditList         : 0
   +0x03c SecurityCookie   : 0x76334b94
   +0x040 SEHandlerTable   : 0x7626db60
   +0x044 SEHandlerCount   : 3

It looks like the Reserved1 field is set to 0x800 for most system DLLs. It also looks like the presence of this value changes the Ldrp behavior. Does anybody know what this field is about and what the possible flag values in it are?


Answers (1)


OK. I have figured it out. The Reserved1 field in IMAGE_LOAD_CONFIG_DIRECTORY32 is now used to control how the dependent modules are loaded. So far the only value I found in the system DLLs was 0x0800. When this flag is present, dependent modules are searched only in the system directories. (0x0800 is the same value as the LOAD_LIBRARY_SEARCH_SYSTEM32 flag accepted by LoadLibraryEx, which is consistent with that behavior and explains why it is set on system DLLs: it keeps their static imports from being resolved from the application directory or the current directory.)

If you are interested in the details - read on.

ModLoad: 4ef80000 4f041000   C:\vlh\pplus\builds\2016.09.23\OciVOB\DevInstall_debug\x86\cache\$Pcrt4.dll
    eax=00000000 ebx=00800000 ecx=01b6f6c1 edx=0000008c esi=00000000 edi=002e8000
    eip=77e6de8c esp=01b6f9c4 ebp=01b6fa20 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    ntdll!NtMapViewOfSection+0xc:


// Module $Pcrt4 being mapped
0:003> kbn
 # ChildEBP RetAddr  Args to Child              
00 01b6f9c0 77e324c9 000000d8 ffffffff 0174d040 ntdll!NtMapViewOfSection+0xc        // Arg3 - Pointer to DllBase in  _LDR_DATA_TABLE_ENTRY (offset 18)
01 01b6fa20 77e3209a 01748590 00000000 0174d040 ntdll!LdrpMapViewOfSection+0x76     
02 01b6fa70 77e31fc7 00008020 01b6fa8c 0174bf10 ntdll!LdrpMapImage+0x40
03 01b6fa90 77e2ef85 c0000135 0174d028 0174bf10 ntdll!LdrpMapDllWithSectionHandle+0x20
04 01b6fae8 77e2f21d 77f0eb60 0174bf10 00000000 ntdll!LdrpMapDllNtFileName+0xde
05 01b6fc94 77e31ebf 4a35c2d6 77f0eb60 0174bf30 ntdll!LdrpMapDllSearchPath+0x1e1
06 01b6fce4 77e34d09 01b6feac 01744d78 01746878 ntdll!LdrpProcessWork+0x84
07 01b6fcf4 77e37538 01b6feac 00000000 01744d78 ntdll!LdrpWorkCallback+0x59
08 01b6fde4 77e363b6 01b6feac 01744df0 4a35c1b2 ntdll!TppWorkpExecuteCallback+0x1e8
09 01b6ff80 75ca62c4 01745940 75ca62a0 48108a65 ntdll!TppWorkerThread+0x396
0a 01b6ff94 77e60609 01745940 4a35c1ee 00000000 KERNEL32!BaseThreadInitThunk+0x24
0b 01b6ffdc 77e605d4 ffffffff 77e82516 00000000 ntdll!__RtlUserThreadStart+0x2f
0c 01b6ffec 00000000 77e36020 01745940 00000000 ntdll!_RtlUserThreadStart+0x1b

0:003> !dlls 0x0174d028

0x0174d028: C:\vlh\pplus\builds\2016.09.23\OciVOB\DevInstall_debug\x86\cache\$Pcrt4.dll
      Base   0x00000000  EntryPoint  0x00000000  Size        0x00000000    DdagNode     0x0174bfa8
      Flags  0x00000064  TlsIndex    0x00000000  LoadCount   0x00000001    NodeRefCount 0x00000000

// ldrDataTableEntry before loadConfig was processed
0:003> dt _LDR_DATA_TABLE_ENTRY 0x0174d028
ntdll!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x77f0ebec - 0x174cda0 ]
   +0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x77f0ebf4 - 0x174cda8 ]
   +0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0x018 DllBase          : (null) 
   +0x01c EntryPoint       : (null) 
   +0x020 SizeOfImage      : 0
   +0x024 FullDllName      : _UNICODE_STRING "C:\vlh\pplus\builds\2016.09.23\OciVOB\DevInstall_debug\x86\cache\$Pcrt4.dll"
   +0x02c BaseDllName      : _UNICODE_STRING "$Pcrt4.dll"
   +0x034 FlagGroup        : [4]  "d"
   +0x034 Flags            : 0x64
   +0x034 PackagedBinary   : 0y0
   +0x034 MarkedForRemoval : 0y0
   +0x034 ImageDll         : 0y1
   +0x034 LoadNotificationsSent : 0y0
   +0x034 TelemetryEntryProcessed : 0y0
   +0x034 ProcessStaticImport : 0y1
   +0x034 InLegacyLists    : 0y1
   +0x034 InIndexes        : 0y0
   +0x034 ShimDll          : 0y0
   +0x034 InExceptionTable : 0y0
   +0x034 ReservedFlags1   : 0y00
   +0x034 LoadInProgress   : 0y0
   +0x034 LoadConfigProcessed : 0y0
   +0x034 EntryProcessed   : 0y0
   +0x034 ProtectDelayLoad : 0y0
   +0x034 ReservedFlags3   : 0y00
   +0x034 DontCallForThreads : 0y0
   +0x034 ProcessAttachCalled : 0y0
   +0x034 ProcessAttachFailed : 0y0
   +0x034 CorDeferredValidate : 0y0
   +0x034 CorImage         : 0y0
   +0x034 DontRelocate     : 0y0
   +0x034 CorILOnly        : 0y0
   +0x034 ReservedFlags5   : 0y000
   +0x034 Redirected       : 0y0
   +0x034 ReservedFlags6   : 0y00
   +0x034 CompatDatabaseProcessed : 0y0
   +0x038 ObsoleteLoadCount : 6
   +0x03a TlsIndex         : 0
   +0x03c HashLinks        : _LIST_ENTRY [ 0x77f0ea68 - 0x77f0ea68 ]
   +0x044 TimeDateStamp    : 0
   +0x048 EntryPointActivationContext : (null) 
   +0x04c Lock             : (null) 
   +0x050 DdagNode         : 0x0174bfa8 _LDR_DDAG_NODE
   +0x054 NodeModuleLink   : _LIST_ENTRY [ 0x174bfa8 - 0x174bfa8 ]
   +0x05c LoadContext      : 0x0174bf10 _LDRP_LOAD_CONTEXT
   +0x060 ParentDllBase    : (null) 
   +0x064 SwitchBackContext : (null) 
   +0x068 BaseAddressIndexNode : _RTL_BALANCED_NODE
   +0x074 MappingInfoIndexNode : _RTL_BALANCED_NODE
   +0x080 OriginalBase     : 0
   +0x088 LoadTime         : _LARGE_INTEGER 0x0
   +0x090 BaseNameHashValue : 0xc03583f1
   +0x094 LoadReason       : 0 ( LoadReasonStaticDependency )
   +0x098 ImplicitPathOptions : 0
   +0x09c ReferenceCount   : 2
   +0x0a0 DependentLoadFlags : 0

// loadConfig Processing:
0:003> k
 # ChildEBP RetAddr  
00 01b6fa4c 77e3260f ntdll!LdrpCfgProcessLoadConfig+0x37
01 01b6fa78 77e31fe3 ntdll!LdrpProcessMappedModule+0x110
02 01b6fa90 77e2ef85 ntdll!LdrpMapDllWithSectionHandle+0x3c
03 01b6fae8 77e2f21d ntdll!LdrpMapDllNtFileName+0xde
04 01b6fc94 77e31ebf ntdll!LdrpMapDllSearchPath+0x1e1
05 01b6fce4 77e34d09 ntdll!LdrpProcessWork+0x84
06 01b6fcf4 77e37538 ntdll!LdrpWorkCallback+0x59
07 01b6fde4 77e363b6 ntdll!TppWorkpExecuteCallback+0x1e8
08 01b6ff80 75ca62c4 ntdll!TppWorkerThread+0x396
09 01b6ff94 77e60609 KERNEL32!BaseThreadInitThunk+0x24
0a 01b6ffdc 77e605d4 ntdll!__RtlUserThreadStart+0x2f
0b 01b6ffec 00000000 ntdll!_RtlUserThreadStart+0x1b

    ldrDataTableEntry.DependentLoadFlags = loadConfig.Reserved1;

// LdrpMapDllSearchPath looking at the ldrDataTableEntry.DependentLoadFlags
0:003> k
 # ChildEBP RetAddr  
00 01b6fc94 77e31ebf ntdll!LdrpMapDllSearchPath+0x259
01 01b6fce4 77e34d09 ntdll!LdrpProcessWork+0x84
02 01b6fcf4 77e37538 ntdll!LdrpWorkCallback+0x59
03 01b6fde4 77e363b6 ntdll!TppWorkpExecuteCallback+0x1e8
04 01b6ff80 75ca62c4 ntdll!TppWorkerThread+0x396
05 01b6ff94 77e60609 KERNEL32!BaseThreadInitThunk+0x24
06 01b6ffdc 77e605d4 ntdll!__RtlUserThreadStart+0x2f
07 01b6ffec 00000000 ntdll!_RtlUserThreadStart+0x1b

// Annotated disassembly (x86, ntdll, Intel syntax as dumped by the debugger) of the
// part of LdrpMapDllSearchPath that picks the search path used for a dependent DLL.
// Register roles, as far as this listing establishes them:
//   ecx (at the first instruction) = the _LDR_DATA_TABLE_ENTRY of the module being resolved
//   edx = its DependentLoadFlags, read from offset 0xA0 (cf. the dt output above)
//   ebx = presumably the _LDRP_LOAD_CONTEXT -- not established by this listing
// The // comments give the intent in pseudo-C; addresses and opcode bytes are as dumped.
LdrpMapDllSearchPath()
{
77e2f28f 8b91a0000000    mov     edx,dword ptr [ecx+0A0h]                           //  edx = ldrDataTableEntry.DependentLoadFlags;   (copied from loadConfig.Reserved1 earlier)
77e2f295 85d2            test    edx,edx                                            //  if (edx == 0) {   no per-module restriction: use the default search path
77e2f297 7520            jne     ntdll!LdrpMapDllSearchPath+0x27d (77e2f2b9)        //      (non-zero flags -> "else" branch below)
77e2f299 e90afeffff      jmp     ntdll!LdrpMapDllSearchPath+0x6c (77e2f0a8)
-----------------------------------------------------------------------------------------------------------------------------------
77e2f0a8 6a50            push    50h                                                //      memset(local, 0, 0x50);   edx is still 0 here and is reused as the fill value
77e2f0aa 52              push    edx
77e2f0ab 8d842450010000  lea     eax,[esp+150h]                                     //      (esp+150h after two pushes == [esp+158h] before them)
77e2f0b2 50              push    eax
77e2f0b3 e8d84e0400      call    ntdll!memset (77e73f90)
77e2f0b8 83a4246001000000 and     dword ptr [esp+160h],0                            //      two more dwords of the local area zeroed explicitly
77e2f0c0 83c40c          add     esp,0Ch                                            //      pop memset's three arguments
77e2f0c3 83a4245801000000 and     dword ptr [esp+158h],0
77e2f0cb 8b4b08          mov     ecx,dword ptr [ebx+8]                              //      ecx = default path taken from [ebx+8]
                                                                                    //  L1:  (also reached from the else branch, with ecx = &localPath)
77e2f0ce 894c2424        mov     dword ptr [esp+24h],ecx                            //      save the chosen path pointer in a local
77e2f0d2 0fb6430c        movzx   eax,byte ptr [ebx+0Ch]                             //      eax = ([ebx+0Ch] >> 3) & 1;  one flag bit, passed as the last argument
77e2f0d6 8d54241c        lea     edx,[esp+1Ch]
77e2f0da 52              push    edx                                                //      six out-pointers into the local frame are pushed (right to left)
77e2f0db 8d542413        lea     edx,[esp+13h]
77e2f0df c1e803          shr     eax,3
77e2f0e2 52              push    edx
77e2f0e3 8d542418        lea     edx,[esp+18h]
77e2f0e7 83e001          and     eax,1
77e2f0ea 52              push    edx
77e2f0eb 8d542434        lea     edx,[esp+34h]
77e2f0ef 52              push    edx
77e2f0f0 8d542450        lea     edx,[esp+50h]
77e2f0f4 52              push    edx
77e2f0f5 8d54244c        lea     edx,[esp+4Ch]
77e2f0f9 52              push    edx
77e2f0fa 8bd1            mov     edx,ecx                                            //      edx = path pointer (register argument)
77e2f0fc 8bcb            mov     ecx,ebx                                            //      ecx = ebx          (register argument)
77e2f0fe 50              push    eax
77e2f0ff e818100000      call    ntdll!LdrpSearchPath (77e3011c)                    //      LdrpSearchPath(ebx, path, &out..., flagBit);
77e2f104 807c240f00      cmp     byte ptr [esp+0Fh],0                               //      one of the out-bytes filled in by LdrpSearchPath
77e2f109 8bf8            mov     edi,eax                                            //      edi = return value of LdrpSearchPath
77e2f10b 0f85b9ae0500    jne     ntdll!LdrpMapDllSearchPath+0x5af8e (77e89fca)
                                                                                    //      ...

                                                                                    //  }
-----------------------------------------------------------------------------------------------------------------------------------
                                                                                    //  else {   DependentLoadFlags != 0: build a restricted path from the flags
77e2f2b9 8b4928          mov     ecx,dword ptr [ecx+28h]                            //      ecx = [entry+0x28], inside FullDllName (+0x24) -- presumably its Buffer
77e2f2bc 8d842448010000  lea     eax,[esp+148h]                                     //      eax = &localPath
77e2f2c3 50              push    eax
77e2f2c4 83ca01          or      edx,1                                              //      dependentLoadFlags |= 1;
77e2f2c7 e895090100      call    ntdll!LdrpInitializeDllPath (77e3fc61)             //      LdrpInitializeDllPath(ecx, dependentLoadFlags | 1, &localPath);
77e2f2cc 8d8c2448010000  lea     ecx,[esp+148h]                                     //      ecx = &localPath  (the search path now comes from the flags, not from [ebx+8])
77e2f2d3 e9f6fdffff      jmp     ntdll!LdrpMapDllSearchPath+0x92 (77e2f0ce)         //      goto L1;
                                                                                    //  }
------------------------------------------------------------------------------------------------------------------------------------
}

