This is an incomplete specification for the data structures used to convey information between stages of the Windows NT6 (Vista, Server 2008 and later) boot process.
BOOTAPP programs are 32-bit PE executables. At entry, the CPU is using flat 32-bit addressing with paging disabled, and interrupts are disabled.
A single parameter is passed on the stack: a pointer to a BOOTAPP structure.

Offset | Type | Contents |
---|---|---|
0x00 | char[8] | “BOOT APP” signature |
0x08 | dword | Version? |
0x0c | dword | Total length of all structures |
0x10 | dword | Machine architecture |
0x14 | dword | Zero |
0x18 | dword | Pointer to PE header |
0x1c | dword | Zero |
0x20 | dword | Length of PE in memory |
0x24 | dword | Offset to memory descriptor structure |
0x28 | dword | Offset to BTAPENT structure |
0x2c | dword | Offset to BTAPENT-duplicate-fragment structure |
0x30 | dword | Offset to callback structure |
0x34 | dword | Offset to pointless structure |

Offset | Type | Contents |
---|---|---|
0x00 | dword | Version? |
0x04 | dword | Length of this header |
0x08 | dword | Number of memory region descriptors |
0x0c | dword | Length of each memory region descriptor |
0x10 | dword | 0x00000008 ? |
0x14 | array | Array of memory region descriptors |

Offset | Type | Contents |
---|---|---|
0x00 | dword | Zero |
0x04 | dword | Zero |
0x08 | qword | Start page address |
0x10 | dword | Zero |
0x14 | dword | Zero |
0x18 | qword | Number of pages |
0x20 | dword | Zero |
0x24 | dword | Flags ? |

Offset | Type | Contents |
---|---|---|
0x00 | char[8] | “BTAPENT” signature |
0x08 | dword | 0x00000021 ? |
0x0c | guid | GUID of boot entry |
0x1c | dword | Zero |
0x20 | dword | Zero |
0x24 | dword | Zero |
0x28 | dword | Zero |
0x2c | struct | BTAPENT-0x2c structure |

Offset | Type | Contents |
---|---|---|
0x00 | dword | 0x11000001 ? |
0x04 | dword | Length of this header |
0x08 | dword | Total length of following structures within BTAPENT |
0x0c | dword | Zero |
0x10 | dword | Zero |
0x14 | dword | Zero |

Offset | Type | Contents |
---|---|---|
0x00 | dword | Zero |
0x04 | dword | Zero |
0x08 | dword | Zero |
0x0c | dword | Zero |

Offset | Type | Contents |
---|---|---|
0x00 | dword | 0x00000004 ? |
0x04 | dword | Zero |
0x08 | dword | Length of this structure |
0x0c | dword | Zero |
0x10 | dword | 0x00000100 ? |
0x14-0x45 | byte | Zero |

Copy of BTAPENT-0x2c-0x18-0x10 structure

Offset | Type | Contents |
---|---|---|
0x00 | dword | Pointer to pointer to callback entry points |
0x04 | dword | Zero |

Offset | Type | Contents |
---|---|---|
0x00 | dword | Version? |
0x04 | dword | Zero |
0x08 | dword | Zero |
0x0c | dword | Zero |
0x10 | dword | Zero |
0x14 | dword | Zero |
0x18 | dword | Zero |

Offset | Type | Contents |
---|---|---|
0x00 | dword | INT number or segment:offset address to call |
0x04 | dword | %eax value |
0x08 | dword | %ebx value |
0x0c | dword | %ecx value |
0x10 | dword | %edx value |
0x14 | dword | Ignored (%esp placeholder?) |
0x18 | dword | Ignored (%ebp placeholder?) |
0x1c | dword | %esi value |
0x20 | dword | %edi value |
0x24 | dword | Ignored (%cs placeholder?) |
0x28 | dword | %ds value |
0x2c | dword | Ignored (%ss placeholder?) |
0x30 | dword | %es value |
0x34 | dword | %fs value |
0x38 | dword | %gs value |
0x3c | dword | eflags value (return only) |
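
A bounds-checking validator for the BOOTAPP header, memory descriptor and BTAPENT tables above, as an added example (not code from the original page or from any boot loader). It assumes the offset fields are relative to the start of the BOOTAPP structure; `bootapp_check`, the `BA_*` codes and `bootapp_sample` are hypothetical names, and the sample block is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { BA_OK, BA_SHORT, BA_SIG, BA_LENGTH, BA_OFFSET, BA_MEMDESC, BA_BTAPENT };
/* Read a little-endian dword from an unaligned byte buffer. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* True if [off, off + len) lies inside a block of `total` bytes. */
static int in_bounds(uint32_t off, uint64_t len, uint32_t total) {
    return off <= total && len <= (uint64_t)total - off;
}

/* Validate a BOOTAPP block before trusting any field in it.
 * Assumption: offsets are relative to the start of the BOOTAPP structure. */
int bootapp_check(const uint8_t *b, size_t avail, uint32_t *regions) {
    if (avail < 0x38) return BA_SHORT;
    if (memcmp(b, "BOOT APP", 8) != 0) return BA_SIG;
    uint32_t total = rd32(b + 0x0c);
    if (total < 0x38 || total > avail) return BA_LENGTH;
    for (uint32_t f = 0x24; f <= 0x34; f += 4)      /* the five offset fields */
        if (rd32(b + f) >= total) return BA_OFFSET;
    uint32_t md = rd32(b + 0x24);                   /* memory descriptor */
    if (!in_bounds(md, 0x14, total)) return BA_MEMDESC;
    uint32_t count = rd32(b + md + 0x08), each = rd32(b + md + 0x0c);
    /* Region entries span 0x28 bytes; 64-bit product so count * each cannot wrap. */
    if (each < 0x28 || !in_bounds(md, 0x14 + (uint64_t)count * each, total))
        return BA_MEMDESC;
    uint32_t be = rd32(b + 0x28);                   /* BTAPENT */
    if (!in_bounds(be, 0x2c, total) || memcmp(b + be, "BTAPENT", 7) != 0)
        return BA_BTAPENT;
    if (regions) *regions = count;
    return BA_OK;
}

/* Constructed sample (not captured data): header, 2 regions, BTAPENT.
 * All values fit in one byte, so each little-endian dword needs one store. */
size_t bootapp_sample(uint8_t *b) {                 /* b holds >= 0xf8 bytes */
    memset(b, 0, 0xf8);
    memcpy(b, "BOOT APP", 8);
    b[0x0c] = 0xf8;                                 /* total length */
    b[0x24] = 0x38; b[0x28] = 0xa0;                 /* memory descriptor, BTAPENT */
    b[0x2c] = 0xcc; b[0x30] = 0xd0; b[0x34] = 0xd8; /* arbitrary placement */
    b[0x38 + 0x04] = 0x14; b[0x38 + 0x08] = 2; b[0x38 + 0x0c] = 0x28;
    memcpy(b + 0xa0, "BTAPENT", 7);
    return 0xf8;
}
```

A region count of 0x40000002 with 0x28-byte entries multiplies to 0x50 in 32-bit arithmetic, which is why the length check uses a 64-bit product.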