Author Topic: Passing control to Windows during boot

juergenp

Passing control to Windows during boot
« on: September 16, 2008, 02:11:04 am »
Hello all,

I am interested to learn about the steps that take place during the system start phase if the boot partition is encrypted. I've looked at the source code and found everything as I expected, but there's one step that I don't understand: what happens once the PBA authentication is successfully completed? What steps are executed in the process of bringing the system to the point at which the DC filter driver is activated (and it searching through memory for the magical configuration identification bytes)?

Thanks!
Juergen

Tom

Re: Passing control to Windows during boot
« Reply #1 on: September 18, 2008, 01:15:27 pm »
Hello Jürgen

There is nothing special or magical in this process. The only thing you have to know is that there are *two* filter drivers involved: one for the BIOS INT13 routine (part of the bootloader), and one for Windows (dcrypt.sys).
The preboot authentication, if successful, redirects INT13 (disk access) through the int13-filter, which decrypts sectors of the encrypted partition. With this redirection, the normal (Windows) ntldr starts the system the usual way:
- reads all necessary files with INT13 calls (going through DC's int13-filter)
- launches the kernel
The kernel redirects the BIOS interrupts, that is, as soon as the kernel is running, the int13-filter is bypassed and no longer active. At this point, the Windows filter driver has to be started and has to decrypt the system partition (otherwise you get a BSOD, STOP 0x0000007B, INACCESSIBLE_BOOT_DEVICE).

regards
Thomas
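A small C model of the two-stage handoff Thomas describes, added here as an illustration and not DiskCryptor's own code: a chained INT13 read handler that decrypts only sectors inside the encrypted partition, installed after preboot authentication and dropped out of the path once the kernel services disk I/O itself. The sector layout, the function names and the per-sector XOR (a stand-in for the real cipher) are all assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define SECTOR_SIZE 16   /* shortened sector for the model */
#define DISK_SECTORS 8   /* constructed disk: sectors 4..7 are the encrypted partition */

typedef int (*int13_read_t)(uint32_t lba, uint8_t *buf);
static uint8_t disk[DISK_SECTORS][SECTOR_SIZE];
static const uint32_t enc_start = 4, enc_end = 8;
uint8_t sector_buf[SECTOR_SIZE];   /* scratch buffer for a loader read */

/* Placeholder per-sector XOR; stands in for DC's real cipher (assumption). */
static void xor_sector(uint32_t lba, uint8_t *buf) {
    for (int i = 0; i < SECTOR_SIZE; i++) buf[i] ^= ((i & 1) ? 0xa5 : 0x5a) ^ (uint8_t)lba;
}
/* Original BIOS INT13 read: returns raw (possibly encrypted) sector bytes. */
static int bios_read(uint32_t lba, uint8_t *buf) {
    if (lba >= DISK_SECTORS) return 1;
    memcpy(buf, disk[lba], SECTOR_SIZE);
    return 0;
}
/* The interrupt "vector": whatever currently services a disk read. */
static int13_read_t int13_vector = bios_read;
static int13_read_t chained_handler = NULL;

/* DC's int13 filter: call the chained BIOS handler, then decrypt only the encrypted range. */
static int int13_filter(uint32_t lba, uint8_t *buf) {
    int rc = chained_handler(lba, buf);
    if (rc == 0 && lba >= enc_start && lba < enc_end) xor_sector(lba, buf);
    return rc;
}
/* Successful preboot authentication hooks the vector. */
void pba_install_filter(void) { chained_handler = int13_vector; int13_vector = int13_filter; }
/* Kernel takes over disk I/O: the int13 hook is no longer in the read path. */
void kernel_takeover(void) { int13_vector = bios_read; }
/* What ntldr (or the early kernel) gets when it reads a sector through the vector. */
int loader_read(uint32_t lba, uint8_t *buf) { return int13_vector(lba, buf); }

/* Constructed disk: sector s holds 'A'+s; the encrypted partition is stored as ciphertext. */
void init_disk(void) {
    for (uint32_t s = 0; s < DISK_SECTORS; s++) {
        memset(disk[s], 'A' + (int)s, SECTOR_SIZE);
        if (s >= enc_start && s < enc_end) xor_sector(s, disk[s]);
    }
}
/* True if buf holds the expected plaintext of sector lba. */
bool is_plaintext(uint32_t lba, const uint8_t *buf) {
    for (int i = 0; i < SECTOR_SIZE; i++) if (buf[i] != (uint8_t)('A' + lba)) return false;
    return true;
}
```

After kernel_takeover() a read of the encrypted range returns ciphertext again, which is the state in which the Windows-side filter driver must already be active to avoid the STOP 0x7B described above.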

juergenp

Re: Passing control to Windows during boot
« Reply #2 on: September 18, 2008, 02:12:41 pm »
Thomas,

Thank you for your explanation, it's exactly what I thought to have understood about the Windows start process. However, if the int13 hook is released/replaced once the Windows kernel takes over: how does the (Windows) driver for DC get loaded? I see the following possibilities:
  • The DC windows-driver gets loaded before the Windows Kernel takes over
  • The Windows Kernel continues to use int13h until a device specific driver is activated
Number two seems to make sense to me, as the lower level filter driver is a prerequisite (has to be loaded before the device-specific driver takes over) to the device-specific driver (either a generic driver like IDE or SCSI, or a manufacturer-specific driver). Is that so?

Juergen

ntldr

  • Administrator
Re: Passing control to Windows during boot
« Reply #3 on: September 18, 2008, 03:12:10 pm »
Windows kernel and boot drivers are loaded over the int13 BIOS interrupt.