BOOTAPP specification

This is an incomplete specification for the data structures used to convey information between stages of the Windows NT6 (Vista, Server 2008 and later) boot process.

Entry point

BOOTAPP programs are 32-bit PE executables. At entry, the CPU is using flat 32-bit addressing with paging disabled, and interrupts are disabled.

A single parameter is passed on the stack: a pointer to a BOOTAPP structure.

BOOTAPP structure

Offset Type Contents
0x00 char[8] “BOOT APP” signature
0x08 dword Version?
0x0c dword Total length of all structures
0x10 dword Machine architecture
0x14 dword Zero
0x18 dword Pointer to PE header
0x1c dword Zero
0x20 dword Length of PE in memory
0x24 dword Offset to memory descriptor structure
0x28 dword Offset to BTAPENT structure
0x2c dword Offset to BTAPENT-duplicate-fragment structure
0x30 dword Offset to callback structure
0x34 dword Offset to pointless structure

Memory descriptor structure

Offset Type Contents
0x00 dword Version?
0x04 dword Length of this header
0x08 dword Number of memory region descriptors
0x0c dword Length of each memory region descriptor
0x10 dword 0x00000008 ?
0x14 array Array of memory region descriptors

Memory region descriptor

Offset Type Contents
0x00 dword Zero
0x04 dword Zero
0x08 qword Start page address
0x10 dword Zero
0x14 dword Zero
0x18 qword Number of pages
0x20 dword Zero
0x24 dword Flags ?
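
The following is an added example, not code from the iPXE project: a bounds-checked walk from the BOOTAPP header through the memory descriptor to its region descriptors, using the offsets in the tables above. It assumes little-endian fields, and that the offset at 0x24 is relative to the start of the BOOTAPP structure; the function names and the sample blob are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Little-endian readers; byte-wise so unaligned offsets are safe. */
static uint32_t rd32(const uint8_t *p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) {
    return rd32(p) | ((uint64_t)rd32(p + 4) << 32);
}

/* Validate a BOOTAPP blob of `len` bytes and sum the page counts of its
 * memory regions into *pages. Returns 0 on success, negative on error. */
int bootapp_total_pages(const uint8_t *buf, size_t len, uint64_t *pages) {
    if (len < 0x38 || memcmp(buf, "BOOT APP", 8) != 0)
        return -1;                      /* short buffer or bad signature */
    uint32_t total = rd32(buf + 0x0c);  /* total length of all structures */
    if (total < 0x38 || total > len)
        return -2;                      /* declared length not credible */
    uint32_t off = rd32(buf + 0x24);    /* assumed relative to BOOTAPP start */
    if (off > total || total - off < 0x14)
        return -3;                      /* descriptor header out of bounds */
    const uint8_t *md = buf + off;
    uint32_t count = rd32(md + 0x08), stride = rd32(md + 0x0c);
    if (stride < 0x28)
        return -4;                      /* too small for documented fields */
    if ((uint64_t)count * stride > total - off - 0x14)
        return -5;                      /* region array overruns structure */
    *pages = 0;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *r = md + 0x14 + (size_t)i * stride;
        uint64_t n = rd64(r + 0x18);    /* number of pages */
        if (rd64(r + 0x08) + n < n || *pages + n < n)
            return -6;                  /* start + count, or the sum, wraps */
        *pages += n;
    }
    return 0;
}

/* Constructed sample: descriptor at 0x38, two regions; b holds 0x9c bytes. */
size_t sample_bootapp(uint8_t *b) {
    memset(b, 0, 0x9c);
    memcpy(b, "BOOT APP", 8);
    b[0x0c] = 0x9c; b[0x24] = 0x38;     /* total length, descriptor offset */
    b[0x40] = 2;    b[0x44] = 0x28;     /* region count, region length */
    b[0x55] = 0x01; b[0x64] = 0x10;     /* region 0: page 0x100, 0x10 pages */
    b[0x7d] = 0x02; b[0x8c] = 0x20;     /* region 1: page 0x200, 0x20 pages */
    return 0x9c;
}
```

Each length and count read from the blob is checked against the declared total length before it is used to compute a pointer.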

BTAPENT structure

Offset Type Contents
0x00 char[8] “BTAPENT” signature
0x08 dword 0x00000021 ?
0x0c guid GUID of boot entry
0x1c dword Zero
0x20 dword Zero
0x24 dword Zero
0x28 dword Zero
0x2c struct BTAPENT-0x2c structure

BTAPENT-0x2c structure

Offset Type Contents
0x00 dword 0x11000001 ?
0x04 dword Length of this header
0x08 dword Total length of following structures within BTAPENT
0x0c dword Zero
0x10 dword Zero
0x14 dword Zero

BTAPENT-0x2c-0x18 structure

Offset Type Contents
0x00 dword Zero
0x04 dword Zero
0x08 dword Zero
0x0c dword Zero

BTAPENT-0x2c-0x18-0x10 structure

Offset Type Contents
0x00 dword 0x00000004 ?
0x04 dword Zero
0x08 dword Length of this structure
0x0c dword Zero
0x10 dword 0x00000100 ?
0x14-0x45 byte Zero

BTAPENT-duplicate-fragment structure

Copy of BTAPENT-0x2c-0x18-0x10 structure

Callback structure

Offset Type Contents
0x00 dword Pointer to pointer to callback entry points
0x04 dword Zero

Pointless structure

Offset Type Contents
0x00 dword Version?
0x04 dword Zero
0x08 dword Zero
0x0c dword Zero
0x10 dword Zero
0x14 dword Zero
0x18 dword Zero

Real-mode callback parameters

Offset Type Contents
0x00 dword INT number or segment:offset address to call
0x04 dword %eax value
0x08 dword %ebx value
0x0c dword %ecx value
0x10 dword %edx value
0x14 dword Ignored (%esp placeholder?)
0x18 dword Ignored (%ebp placeholder?)
0x1c dword %esi value
0x20 dword %edi value
0x24 dword Ignored (%cs placeholder?)
0x28 dword %ds value
0x2c dword Ignored (%ss placeholder?)
0x30 dword %es value
0x34 dword %fs value
0x38 dword %gs value
0x3c dword eflags value (return only)
bootapp/spec.txt · Last modified: 2012/09/09 15:47 by mcb30
All uses of this content must include an attribution to the iPXE project and the URL https://ipxe.org
References to "iPXE" may not be altered or removed.