====== BOOTAPP specification ======

This is an incomplete specification for the data structures used to convey information between stages of the Windows NT6 (Vista, Server 2008 and later) boot process.

===== Entry point =====

BOOTAPP programs are 32-bit PE executables. At entry, the CPU is using flat 32-bit addressing with paging disabled, and interrupts are disabled. A single parameter is passed on the stack: a pointer to a BOOTAPP structure.

===== BOOTAPP structure =====

^ Offset ^ Type ^ Contents |
^ 0x00 | char[8] | "BOOT APP" signature |
^ 0x08 | dword | Version? |
^ 0x0c | dword | Total length of all structures |
^ 0x10 | dword | Machine architecture |
^ 0x14 | dword | Zero |
^ 0x18 | dword | Pointer to PE header |
^ 0x1c | dword | Zero |
^ 0x20 | dword | Length of PE in memory |
^ 0x24 | dword | Offset to memory descriptor structure |
^ 0x28 | dword | Offset to BTAPENT structure |
^ 0x2c | dword | Offset to BTAPENT-duplicate-fragment structure |
^ 0x30 | dword | Offset to callback structure |
^ 0x34 | dword | Offset to pointless structure |

===== Memory descriptor structure =====

^ Offset ^ Type ^ Contents |
^ 0x00 | dword | Version? |
^ 0x04 | dword | Length of this header |
^ 0x08 | dword | Number of memory region descriptors |
^ 0x0c | dword | Length of each memory region descriptor |
^ 0x10 | dword | 0x00000008 ? |
^ 0x14 | array | Array of memory region descriptors |

==== Memory region descriptor ====

^ Offset ^ Type ^ Contents |
^ 0x00 | dword | Zero |
^ 0x04 | dword | Zero |
^ 0x08 | qword | Start page address |
^ 0x10 | dword | Zero |
^ 0x14 | dword | Zero |
^ 0x18 | qword | Number of pages |
^ 0x20 | dword | Zero |
^ 0x24 | dword | Flags ? |

===== BTAPENT structure =====

^ Offset ^ Type ^ Contents |
^ 0x00 | char[8] | "BTAPENT" signature |
^ 0x08 | dword | 0x00000021 ? |
^ 0x0c | guid | GUID of boot entry |
^ 0x1c | dword | Zero |
^ 0x20 | dword | Zero |
^ 0x24 | dword | Zero |
^ 0x28 | dword | Zero |
^ 0x2c | struct | BTAPENT-0x2c structure |

==== BTAPENT-0x2c structure ====

^ Offset ^ Type ^ Contents |
^ 0x00 | dword | 0x11000001 ? |
^ 0x04 | dword | Length of this header |
^ 0x08 | dword | Total length of following structures within BTAPENT |
^ 0x0c | dword | Zero |
^ 0x10 | dword | Zero |
^ 0x14 | dword | Zero |

==== BTAPENT-0x2c-0x18 structure ====

^ Offset ^ Type ^ Contents |
^ 0x00 | dword | Zero |
^ 0x04 | dword | Zero |
^ 0x08 | dword | Zero |
^ 0x0c | dword | Zero |

==== BTAPENT-0x2c-0x18-0x10 structure ====

^ Offset ^ Type ^ Contents |
^ 0x00 | dword | 0x00000004 ? |
^ 0x04 | dword | Zero |
^ 0x08 | dword | Length of this structure |
^ 0x0c | dword | Zero |
^ 0x10 | dword | 0x00000100 ? |
^ 0x14-0x45 | byte | Zero |

===== BTAPENT-duplicate-fragment structure =====

Copy of BTAPENT-0x2c-0x18-0x10 structure.

===== Callback structure =====

^ Offset ^ Type ^ Contents |
^ 0x00 | dword | Pointer to pointer to callback entry points |
^ 0x04 | dword | Zero |

===== Pointless structure =====

^ Offset ^ Type ^ Contents |
^ 0x00 | dword | Version? |
^ 0x04 | dword | Zero |
^ 0x08 | dword | Zero |
^ 0x0c | dword | Zero |
^ 0x10 | dword | Zero |
^ 0x14 | dword | Zero |
^ 0x18 | dword | Zero |

===== Real-mode callback parameters =====

^ Offset ^ Type ^ Contents |
^ 0x00 | dword | INT number or segment:offset address to call |
^ 0x04 | dword | %eax value |
^ 0x08 | dword | %ebx value |
^ 0x0c | dword | %ecx value |
^ 0x10 | dword | %edx value |
^ 0x14 | dword | Ignored (%esp placeholder?) |
^ 0x18 | dword | Ignored (%ebp placeholder?) |
^ 0x1c | dword | %esi value |
^ 0x20 | dword | %edi value |
^ 0x24 | dword | Ignored (%cs placeholder?) |
^ 0x28 | dword | %ds value |
^ 0x2c | dword | Ignored (%ss placeholder?) |
^ 0x30 | dword | %es value |
^ 0x34 | dword | %fs value |
^ 0x38 | dword | %gs value |
^ 0x3c | dword | eflags value (return only) |
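As an added example (not code from this page or from Microsoft), a C parser that checks the BOOTAPP signature and walks the memory region descriptors using the offsets tabulated above, treating every offset, length and count read from the blob as untrusted and bounds-checking it against the "total length of all structures" field before dereferencing. The sample image it parses is constructed inline; the field names and helper functions are the example's own.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Little-endian field access matching the offset tables above. */
static uint32_t rd32(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Validate the BOOTAPP header and walk the memory region descriptors it points to, summing
 * "Number of pages". Returns the region count, or -1 if the signature is wrong or any
 * offset/length would read outside the blob the previous boot stage handed us. */
int walk_memory_regions(const uint8_t *img, size_t len, uint64_t *total_pages)
{
    if (len < 0x38 || memcmp(img, "BOOT APP", 8) != 0) return -1;
    uint32_t total = rd32(img + 0x0c);            /* total length of all structures */
    if (total > len) return -1;
    uint32_t md = rd32(img + 0x24);               /* offset to memory descriptor structure */
    if (md > total || total - md < 0x14) return -1;
    uint32_t hdr_len = rd32(img + md + 0x04), count = rd32(img + md + 0x08);
    uint32_t stride  = rd32(img + md + 0x0c);     /* use the header's stride, not a sizeof */
    if (hdr_len < 0x14 || hdr_len > total - md || stride < 0x28) return -1;
    if (count > (total - md - hdr_len) / stride) return -1;   /* array must fit in the blob */
    uint64_t sum = 0;
    const uint8_t *r = img + md + hdr_len;
    for (uint32_t i = 0; i < count; i++, r += stride) sum += rd64(r + 0x18);
    *total_pages = sum;
    return (int)count;
}

/* Constructed sample image: BOOTAPP header, descriptor header, two region descriptors. */
static size_t build_sample(uint8_t *buf)
{
    size_t n = 0x38 + 0x14 + 2 * 0x28;
    memset(buf, 0, n);
    memcpy(buf, "BOOT APP", 8);
    wr32(buf + 0x0c, (uint32_t)n); wr32(buf + 0x24, 0x38);
    wr32(buf + 0x3c, 0x14); wr32(buf + 0x40, 2); wr32(buf + 0x44, 0x28); /* hdr len, count, stride */
    uint8_t *r = buf + 0x4c;                       /* first region descriptor */
    wr32(r + 0x08, 0x100); wr32(r + 0x18, 16);     /* 16 pages starting at page 0x100 */
    wr32(r + 0x30, 0x1000); wr32(r + 0x40, 240);   /* 240 pages starting at page 0x1000 */
    return n;
}

/* Parse the sample; with corrupt != 0 the descriptor offset is first pushed past the blob.
 * Returns the summed page count, or 0 when the parser rejects the image. */
uint64_t sample_total_pages(int corrupt)
{
    uint8_t buf[256]; uint64_t pages = 0;
    size_t n = build_sample(buf);
    if (corrupt) wr32(buf + 0x24, 0xFFFFFF00u);
    return walk_memory_regions(buf, n, &pages) == 2 ? pages : 0;
}
```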