[ipxe-devel] win10 bootmgr

Earl Chew earl_chew at yahoo.com
Sun Oct 11 16:30:59 UTC 2015


I have a new Win10 deployment where I'm looking to use wimboot.

The part I discovered trouble with was having wimboot extract
bootmgr.exe from the compressed bootmgr image.

I'm using the pre-compiled wimboot in 2.5.1 (2d5db9e) which uses
these checks to find the image:

        if ( ( ( compressed[0x02] & 0x03 ) == 0x00 ) &&
             ( compressed[0x03] == 'M' ) &&
             ( compressed[0x04] == 'Z' ) ) {
                DBG ( "...checking for LZNT1-compressed bootmgr.exe at"
                      "+%#zx\n", offset );
                decompress = lznt1_decompress;
        }

or

        if ( ( ( compressed[0x00] & 0x0f ) != 0x00 ) &&
             ( ( compressed[0x26] & 0xf0 ) != 0x00 ) &&
             ( ( compressed[0x2d] & 0x0f ) != 0x00 ) &&
             ( is_empty_pgh ( compressed - 0x10 ) ) &&
             ( ! is_empty_pgh ( ( compressed + 0x400 ) ) ) &&
             ( ! is_empty_pgh ( ( compressed + 0x800 ) ) ) &&
             ( ! is_empty_pgh ( ( compressed + 0xc00 ) ) ) ) {
                DBG ( "...checking for XCA-compressed bootmgr.exe at "
                      "+%#zx\n", offset );
                decompress = xca_decompress;
        }

In the Win10 deployment, these heuristics fail to find bootmgr.exe.

I suspect this is primarily because the code applies the heuristics at
paragraph boundaries, and this assumption fails to hold for win10:

00006840  60 ef 09 00 10 20 00 00  4d 5a 90 00 03 00 00 00  |`.......MZ......|
00006850  04 00 00 00 ff ff 00 00  b8 00 00 00 00 00 00 00  |................|
00006860  40 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |@...............|
00006870  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00006880  00 00 00 00 f8 00 00 00  0e 1f ba 0e 00 b4 09 cd  |................|
00006890  21 b8 01 4c cd 21 54 68  69 73 20 70 72 6f 67 72  |!..L.!This progr|
000068a0  61 6d 20 63 61 6e 6e 6f  74 20 62 65 20 72 75 6e  |am cannot be run|
000068b0  20 69 6e 20 44 4f 53 20  6d 6f 64 65 2e 0d 0d 0a  | in DOS mode....|

While investigating this issue I came across information about the
structure of the compressed bootmgr file:

http://reboot.pro/topic/16824-how-to-modify-bootmgr-of-windows-8/

A contributor to that thread has a program to extract bootmgr.exe
from the compressed file. I ported this to Linux to see if this
would work for win10 and found that it could successfully find
and extract bootmgr.exe:

https://github.com/earlchew/bmzip

The approach taken in bmzip.cpp is to find the archive signatures
"BMCI" or "BMXH" that delineate its contents, rather than find
the signatures of the target compression format.

What do you think is the best way to approach supporting win10 bootmgr?

Earl
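As an added example (not code from the post, from wimboot or from bmzip), the following C program transcribes the hex dump above into a constructed buffer and applies the quoted LZNT1 heuristic twice: once stepping 16 bytes at a time, as a paragraph-boundary walk does, and once at every byte offset. The paragraph walk reports nothing, while the byte-granular walk finds the "MZ" candidate at file offset 0x6845, which is the alignment point the message raises; the function names and the SAMPLE_BASE constant are my own.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: the 128 bytes shown in the post's hex dump at file
 * offset 0x6840 of the Windows 10 bootmgr, transcribed from the dump. */
#define SAMPLE_BASE 0x6840u
static const unsigned char sample[] = {
    0x60,0xef,0x09,0x00,0x10,0x20,0x00,0x00,0x4d,0x5a,0x90,0x00,0x03,0x00,0x00,0x00,
    0x04,0x00,0x00,0x00,0xff,0xff,0x00,0x00,0xb8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0xf8,0x00,0x00,0x00,0x0e,0x1f,0xba,0x0e,0x00,0xb4,0x09,0xcd,
    0x21,0xb8,0x01,0x4c,0xcd,0x21,0x54,0x68,0x69,0x73,0x20,0x70,0x72,0x6f,0x67,0x72,
    0x61,0x6d,0x20,0x63,0x61,0x6e,0x6e,0x6f,0x74,0x20,0x62,0x65,0x20,0x72,0x75,0x6e,
    0x20,0x69,0x6e,0x20,0x44,0x4f,0x53,0x20,0x6d,0x6f,0x64,0x65,0x2e,0x0d,0x0d,0x0a,
};

/* The LZNT1 check quoted from wimboot: low two bits of the byte at +2 are
 * clear and the bytes at +3 and +4 read "MZ". */
static int looks_like_lznt1(const unsigned char *p) {
    return ((p[0x02] & 0x03) == 0x00) && (p[0x03] == 'M') && (p[0x04] == 'Z');
}

/* Walk buf (which begins at file offset base) with the given stride and
 * return the file offset of the first match, or -1 if none. A stride of
 * 0x10 mimics a paragraph-boundary walk; a stride of 1 tests every byte. */
static long find_lznt1(const unsigned char *buf, size_t len, size_t base,
                       size_t stride) {
    for (size_t off = 0; off + 0x05 <= len; off += stride) {
        if (looks_like_lznt1(buf + off))
            return (long)(base + off);
    }
    return -1;
}

int main(void) {
    long para = find_lznt1(sample, sizeof sample, SAMPLE_BASE, 0x10);
    long any  = find_lznt1(sample, sizeof sample, SAMPLE_BASE, 1);
    printf("paragraph-aligned scan: %ld\n", para);  /* prints -1 */
    printf("byte-granular scan:     %#lx\n", any);  /* prints 0x6845 */
    return 0;
}
```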
