2021年reactos仿windows系统内核源代码研究

引导序号
引导程
引导执行代码位数
目标文件名称
1         
引导代码（Master Boot Record (MBR)code）寻找活动分区然读入引导扇区代码
16位执行代码
reactosbootfreeldrbootsectdosmbrasm
2         
引导扇区代码寻找根引导程序里寻找freeldrsys
16位执行代码
reactosbootfreeldrbootsect fatasm
reactosbootfreeldrbootsectfat32asm
3         
ReactOS加载程序freeldrsys加载haldllntoskrnlexe读取FREELDRINI配置文件
16位32位代码
reactosbootfreeldr
4         
ntoskrnlexe加载驱动程序初始化核工作
 
32位代码
reactosntoskrnl
normal DOS boot sector
Ported to nasm from FreeDOS fdisk 120 by
Casper Hornstrup (chorns@userssourceforgenet)
global _bootnormal_code
_bootnormal_code

ENTRY (copied from freedos bootsector)

IN DL boot drive
OUT DL boot drive


真正启动开中断
real_start cli
cld
xor ax ax
mov ss ax initialize stack
mov ds ax
mov bp 0x7c00
lea sp [bp0x20]
sti

mov ax 0x1FE0
mov es ax
mov si bp
mov di bp
mov cx 0x0100
rep movsw

jmp word 0x1FE00x7c00+ contreal_start

cont mov ds ax
mov ss ax
xor axax
mov esax


search for active partition 搜索活动分区
lea di [bp+0x1be] start of partition table
test_next_for_active
test byte [di]0x80
jne active_partition_found
add di0x10 next table
cmp di 07c00h+0x1fe scanned beyond end of table 扫描分区表
jb test_next_for_active

*****************************************************************
call print
db ＇no active partition found＇0

WAIT_FOR_REBOOT
jmp


*****************************************************************
trouble_reading_drive
call print
db ＇read error while reading drive＇0
jmp WAIT_FOR_REBOOT

*****************************************************************

invalid_partition_code
call print
db ＇partition signature 55AA＇0

jmp WAIT_FOR_REBOOT


*****************************************************************
查找分区表
active_partition_found
call print
db ＇loading active partition＇0

call read_boot_sector

jc trouble_reading_drive

cmp word [es0x7c00+0x1fe]0xaa55
jne invalid_partition_code

jmp word 0x00x7c00 and jump to boot sector code


*****************************
read_boot_sector

IN DI> partition info
OUTCARRY
*****************************

read_boot_sector
* check for LBA support *
mov bx0x55aa
mov ah0x41
int 0x13

jc StandardBios if (regsbx 0xaa55 || (regsflags & 0x01))
cmp bx0xaa55 goto StandardBios
jne StandardBios

* if DAP cannot be used don＇t use LBA *
if ((regscx & 1) 0)
goto StandardBios
test cl1
jz StandardBios

jmp short LBABios


_bios_LBA_address_packet
db 0x10
db 0
db 4 read four sectors why not
db 0
dw 0x7c00 fixed boot address for DOS sector
dw 0x0000
_bios_LBA_low dw 0
_bios_LBA_high dw 0
dw 00
LBABios
copy start address of partition to DAP
mov ax[di+8]
mov [0x7c00+ (_bios_LBA_lowreal_start)]ax
mov ax[di+8+2]
mov [0x7c00+ (_bios_LBA_highreal_start)]ax

mov ax0x4200 regsax LBA_READ
mov si0x7c00+ (_bios_LBA_address_packetreal_start) regssi FP_OFF(&dap)
int 0x13
ret
*****************************************************************
read disk using standard BIOS

StandardBios
mov ax0x0204 regsax 0x0201
mov bx0x7c00 regsbx FP_OFF(buffer)
mov cx[di+2] regscx
((chsCylinder & 0xff) << 8) + ((chsCylinder & 0x300) >> 2) +
chsSector
that was easy )
mov dh[di+1] regsdbh chsHead
regses FP_SEG(buffer)
int 0x13
ret
****** PRINT
prints text after call to this function

print_1char
xor bx bx video page 0
mov ah 0x0E else print it
int 0x10 via TTY mode
print pop si this is the first character
print1 lodsb get token
push si stack up potential return address
cmp al 0 end of string
jne print_1char until done
ret and jump to it



times 0x1fe+ db 0
db 0x550xaa
BIOS 引导 硬盘中MBR 512字节分区表查找分区表 然找 FAT中 Freeldrsys 文件然Freeldrsys 中引导核文件
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
FATASM
FAT1216 Boot Sector
Copyright (c) 1998 2001 2002 Brian Palmer
This is a FAT1216 file system boot sector
that searches the entire root directory
for the file freeldrsys and loads it into
memory 文件系统中查找 freeldrsys 文件

The stack is set to 00007BF2 so that the first
WORD pushed will be placed at 00007BF0

The DWORD at 00007BFC or BP04h is the logical
sector number of the start of the data area

The DWORD at 00007BF8 or BP08h is the total
sector count of the boot drive as reported by
the computers bios

The WORD at 00007BF6 or BP0ah is the offset
of the ReadSectors function in the boot sector

The WORD at 00007BF4 or BP0ch is the offset
of the ReadCluster function in the boot sector

The WORD at 00007BF2 or BP0eh is the offset
of the PutChars function in the boot sector

When it locates freeldrsys on the disk it will
load the first sector of the file to 00008000
With the help of this sector we should be able
to load the entire file off the disk no matter
how fragmented it is

We load the entire FAT table into memory at
70000000 This improves the speed of floppy disk
boots dramatically


BootSectorStackTop equ 0x7bf2
DataAreaStartHigh equ 0x2
DataAreaStartLow equ 0x4
BiosCHSDriveSizeHigh equ 0x6
BiosCHSDriveSizeLow equ 0x8
BiosCHSDriveSize equ 0x8
ReadSectorsOffset equ 0xa
ReadClusterOffset equ 0xc
PutCharsOffset equ 0xe


org 7c00h

segment text

bits 16

start
jmp short main
nop

OEMName db ＇FrLdr10＇
BytesPerSector dw 512
SectsPerCluster db 1
ReservedSectors dw 1
NumberOfFats db 2
MaxRootEntries dw 224
TotalSectors dw 2880
MediaDescriptor db 0f0h
SectorsPerFat dw 9
SectorsPerTrack dw 18
NumberOfHeads dw 2
HiddenSectors dd 0
TotalSectorsBig dd 0
BootDrive db 0xff
Reserved db 0
ExtendSig db 29h
SerialNumber dd 00000000h
VolumeLabel db ＇NO NAME ＇
FileSystem db ＇FAT12 ＇

main
xor axax
mov ssax
mov bp7c00h
mov spBootSectorStackTop Setup a stack
mov dsax Make DS correct
mov esax Make ES correct


cmp BYTE [BYTE bp+BootDrive]BYTE 0xff If they have specified a boot drive then use it
jne GetDriveParameters

mov [BYTE bp+BootDrive]dl Save the boot drive


GetDriveParameters
mov ah08h
mov dl[BYTE bp+BootDrive] Get boot drive in dl
int 13h Request drive parameters from the bios
jnc CalcDriveSize If the call succeeded then calculate the drive size

If we get here then the call to the BIOS failed
so just set CHS equal to the maximum addressable
size
mov cx0ffffh
mov dhcl

CalcDriveSize
Now that we have the drive geometry
lets calculate the drive size
mov blch Put the low 8bits of the cylinder count into BL
mov bhcl Put the high 2bits in BH
shr bh6 Shift them into position now BX contains the cylinder count
and cl3fh Mask off cylinder bits from sector count
CL now contains sectors per track and DH contains head count
movzx eaxdh Move the heads into EAX
movzx ebxbx Move the cylinders into EBX
movzx ecxcl Move the sectors per track into ECX
inc eax Make it one based because the bios returns it zero based
inc ebx Make the cylinder count one based also
mul ecx Multiply heads with the sectors per track result in edxeax
mul ebx Multiply the cylinders with (heads * sectors) [stored in edxeax already]

We now have the total number of sectors as reported
by the bios in eax so store it in our variable
mov [BYTE bpBiosCHSDriveSize]eax


Now we must find our way to the first sector of the root directory
xor axax
xor cxcx
mov al[BYTE bp+NumberOfFats] Number of fats
mul WORD [BYTE bp+SectorsPerFat] Times sectors per fat
add axWORD [BYTE bp+HiddenSectors]
adc dxWORD [BYTE bp+HiddenSectors+2] Add the number of hidden sectors
add axWORD [BYTE bp+ReservedSectors] Add the number of reserved sectors
adc dxcx Add carry bit
mov WORD [BYTE bpDataAreaStartLow]ax Save the starting sector of the root directory
mov WORD [BYTE bpDataAreaStartHigh]dx Save it in the first 4 bytes before the boot sector
mov siWORD [BYTE bp+MaxRootEntries] Get number of root dir entries in SI
pusha Save 32bit logical start sector of root dir
DXAX now has the number of the starting sector of the root directory

Now calculate the size of the root directory
xor dxdx
mov ax0020h Size of dir entry
mul si Times the number of entries
mov bx[BYTE bp+BytesPerSector]
add axbx
dec ax
div bx Divided by the size of a sector
AX now has the number of root directory sectors

add [BYTE bpDataAreaStartLow]ax Add the number of sectors of the root directory to our other value
adc [BYTE bpDataAreaStartHigh]cx Now the first 4 bytes before the boot sector contain the starting sector of the data area
popa Restore root dir logical sector start to DXAX

LoadRootDirSector
mov bx7e0h We will load the root directory sector
mov esbx Right after the boot sector in memory
xor bxbx We will load it to [00007e00h]
xor cxcx Zero out CX
inc cx Now increment it to 1 we are reading one sector
xor didi Zero out di
push es Save ES because it will get incremented by 20h
call ReadSectors Read the first sector of the root directory
pop es Restore ES (ESDI 07E00000)

SearchRootDirSector
cmp [esdi]ch If the first byte of the directory entry is zero then we have
jz ErrBoot reached the end of the directory and FREELDRSYS is not here so reboot
pusha Save all registers
mov cl0xb Put 11 in cl (length of filename in directory entry)
mov sifilename Put offset of filename string in DSSI
repe cmpsb Compare this directory entry against ＇FREELDR SYS＇
popa Restore all the registers
jz FoundFreeLoader If we found it then jump
dec si SI holds MaxRootEntries subtract one
jz ErrBoot If we are out of root dir entries then reboot
add diBYTE +0x20 Increment DI by the size of a directory entry
cmp di0200h Compare DI to 512 (DI has offset to next dir entry make sure we haven＇t gone over one sector)
jc SearchRootDirSector If DI is less than 512 loop again
jmp short LoadRootDirSector Didn＇t find FREELDRSYS in this directory sector try again

FoundFreeLoader
We found freeldrsys on the disk 查找文件
so we need to load the first 512
bytes of it to 00008000
ESDI has dir entry (ESDI 07E0XXXX)
mov axWORD [esdi+1ah] Get start cluster
push ax Save start cluster
push WORD 800h Put 800h on the stack and load it
pop es Into ES so that we load the cluster at 00008000
call ReadCluster Read the cluster
pop ax Restore start cluster of FreeLoader

Save the addresses of needed functions so
the helper code will know where to call them
mov WORD [BYTE bpReadSectorsOffset]ReadSectors Save the address of ReadSectors
mov WORD [BYTE bpReadClusterOffset]ReadCluster Save the address of ReadCluster
mov WORD [BYTE bpPutCharsOffset]PutChars Save the address of PutChars

Now AX has start cluster of FreeLoader and we
have loaded the helper code in the first 512 bytes
of FreeLoader to 00008000 Now transfer control
to the helper code Skip the first three bytes
because they contain a jump instruction to skip
over the helper code in the FreeLoader image
jmp 00008003h
jmp 8003h
Displays an error message
And reboots
ErrBoot
mov simsgFreeLdr FreeLdr not found message
call PutChars Display it

Reboot
mov simsgAnyKey Press any key message
call PutChars Display it
xor axax
int 16h Wait for a keypress
int 19h Reboot

PutChars
lodsb
or alal
jz short Done
mov ah0eh
mov bx07h
int 10h
jmp short PutChars
Done
retn

Displays a bad boot message
And reboots
BadBoot
mov simsgDiskError Bad boot disk message
call PutChars Display it

jmp short Reboot


Reads cluster number in AX into [ES0000]
ReadCluster
StartSector ((Cluster 2) * SectorsPerCluster) + ReservedSectors + HiddenSectors
dec ax Adjust start cluster by 2
dec ax Because the data area starts on cluster 2
xor chch
mov clBYTE [BYTE bp+SectsPerCluster]
mul cx Times sectors per cluster
add ax[BYTE bpDataAreaStartLow] Add start of data area
adc dx[BYTE bpDataAreaStartHigh] Now we have DXAX with the logical start sector of OSLOADERSYS
xor bxbx We will load it to [ES0000] ES loaded before function call
mov clBYTE [BYTE bp+SectsPerCluster] Sectors per cluster still in CX
call ReadSectors
ret
Reads logical sectors into [ESBX]
DXAX has logical sector number to read
CX has number of sectors to read
ReadSectors
We can＇t just check if the start sector is
in the BIOS CHS range We have to check if
the start sector + length is in that range
pusha
dec cx
add axcx
adc dxbyte 0

cmp dxWORD [BYTE bpBiosCHSDriveSizeHigh] Check if they are reading a sector within CHS range
ja ReadSectorsLBA No go to the LBA routine
jb ReadSectorsCHS Yes go to the old CHS routine
cmp axWORD [BYTE bpBiosCHSDriveSizeLow] Check if they are reading a sector within CHS range
jbe ReadSectorsCHS Yes go to the old CHS routine

ReadSectorsLBA
popa
ReadSectorsLBALoop
pusha Save logical sector number & sector count

o32 push byte 0
push dx Put 64bit logical
push ax block address on stack
push es Put transfer segment on stack
push bx Put transfer offset on stack
push byte 1 Set transfer count to 1 sector
push byte 0x10 Set size of packet to 10h
mov sisp Setup disk address packet on stack

We are so totally out of space here that I am forced to
comment out this very beautifully written piece of code
It would have been nice to have had this check
CheckInt13hExtensions Now make sure this computer supports extended reads
mov ah0x41 AH 41h
mov bx0x55aa BX 55AAh
mov dl[BYTE bp+BootDrive] DL drive (80hFFh)
int 13h IBMMS INT 13 Extensions INSTALLATION CHECK
jc PrintDiskError CF set on error (extensions not supported)
cmp bx0xaa55 BX AA55h if installed
jne PrintDiskError
test cl1 CX API subset support bitmap
jz PrintDiskError Bit 0 extended disk access functions (AH42h44h47h48h) supported


Good we＇re here so the computer supports LBA disk access
So finish the extended read
mov dl[BYTE bp+BootDrive] Drive number
mov ah42h Int 13h AH 42h Extended Read
int 13h Call BIOS
jc BadBoot If the read failed then abort

add spbyte 0x10 Remove disk address packet from stack

popa Restore sector count & logical sector number

inc ax Increment Sector to Read
adc dxbyte 0

push bx
mov bxes
add bxbyte 20h Increment read buffer for next sector
mov esbx
pop bx

loop ReadSectorsLBALoop Read next sector

ret


Reads logical sectors into [ESBX]
DXAX has logical sector number to read
CX has number of sectors to read
CarryFlag set on error
ReadSectorsCHS
popa
ReadSectorsCHSLoop
pusha
xchg axcx
xchg axdx
xor dxdx
div WORD [BYTE bp+SectorsPerTrack]
xchg axcx
div WORD [BYTE bp+SectorsPerTrack] Divide logical by SectorsPerTrack
inc dx Sectors numbering starts at 1 not 0
xchg cxdx
div WORD [BYTE bp+NumberOfHeads] Number of heads
mov dhdl Head to DH drive to DL
mov dl[BYTE bp+BootDrive] Drive number
mov chal Cylinder in CX
ror ah2 Low 8 bits of cylinder in CH high 2 bits
in CL shifted to bits 6 & 7
or clah Or with sector number
mov ax0201h
int 13h DISK READ SECTORS INTO MEMORY
AL number of sectors to read CH track CL sector
DH head DL drive ESBX > buffer to fill
Return CF set on error AH status (see AH01h) AL number of sectors read

jc BadBoot

popa
inc ax Increment Sector to Read
jnz NoCarryCHS
inc dx
NoCarryCHS
push bx
mov bxes
add bxbyte 20h
mov esbx
pop bx
Increment read buffer for next sector
loop ReadSectorsCHSLoop Read next sector

ret


msgDiskError db ＇Disk error＇0dh0ah0
msgFreeLdr db ＇freeldrsys not found＇0dh0ah0
Sorry need the space
msgAnyKey db ＇Press any key to restart＇0dh0ah0
msgAnyKey db ＇Press any key＇0dh0ah0
filename db ＇FREELDR SYS＇

times 509() db 0 Pad to 509 bytes

BootPartition
db 0

BootSignature
dw 0aa55h BootSector signature

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

*
 * FILE            ntoskrnlkei386bootS
 * COPYRIGHT       See COPYING in the top level directory
 * PURPOSE         FreeLDR Wrapper Bootstrap Code and Bootstrap Trampoline
 * PROGRAMMERs     Alex Ionescu (alex@relsoftnet)
 *                  Thomas Weidenmueller 
 *
 第 启动文件 
* INCLUDES ******************************************************************

#include 
intel_syntax noprefix

* GLOBALS *******************************************************************

bss        数段 
align 16   16 位排列

* Kernel Boot Stack * 核启动 栈变量
globl _P0BootStack
space KERNEL_STACK_SIZE  般 4K B 
_P0BootStack

* Kernel DoubleFault and Temporary DPC Stack *
globl _KiDoubleFaultStack  页面二级异常
space KERNEL_STACK_SIZE
_KiDoubleFaultStack

* FUNCTIONS *****************************************************************
     系统启动 Freeldrsys 文件中VOID LoadReactOSSetup2(VOID) 函数中函数指针 
     引导  核基址
     引导跳转  KiSystemStartup 函数中
text     代码段 
globl _KiSystemStartup  安装硬盘 核启动函数  直接启动  0x80000000 址
func KiSystemStartup    Rosxxx  安装时启动函数终 
_KiSystemStartup
    * NTLDR Boot Call the main kernel initialization *
    test dword ptr [esp+4] 0x80000000 
    jnz _KiSystemStartupReal@4   测试函数 0   传入LoaderBlock 变量  
    * FREELDR Boot Call the FreeLDR wrapper *面函数 freeldr 引导中 外包中
    jmp @KiRosPrepareForSystemStartup@8   否函数中进入  _KiSystemStartupReal 中
endfunc

globl _KiSetupStackAndInitializeKernel@24   函数里 初始化线程进程 
func KiSetupStackAndInitializeKernel@24
_KiSetupStackAndInitializeKernel@24

    * Save current stack *
    mov esi esp

    * Setup the new stack *
    mov esp [esp+12]
    sub esp NPX_FRAME_LENGTH + KTRAP_FRAME_ALIGN + KTRAP_FRAME_LENGTH
    push CR0_EM + CR0_TS + CR0_MP

    * Copy all parameters to the new stack *
    push [esi+24]
    push [esi+20]
    push [esi+16]
    push [esi+12]
    push [esi+8]
    push [esi+4]
    xor ebp ebp
    进入函数 进入 执行体 函数中 然进入 线程部分 
    call _KiInitializeKernel@24   *****非常关键*   初始化核 容里面

    * Set the priority of this thread to 0 *
    mov ebx PCR[KPCR_CURRENT_THREAD]        获取前线程
    mov byte ptr [ebx+KTHREAD_PRIORITY] 0   设置前线程优先级

    * Force interrupts enabled and lower IRQL back to DISPATCH_LEVEL *
    sti
    mov ecx DISPATCH_LEVEL
    call @KfLowerIrql@4        降低中断级 引起 线程调度

    * Set the right wait IRQL *
    mov byte ptr [ebx+KTHREAD_WAIT_IRQL] DISPATCH_LEVEL

    * Jump into the idle loop *
    jmp @KiIdleLoop@0             Idleexe 系统线程 处理脏 页面
endfunc
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
系统真正启动函数  直接 硬盘 者 光盘 启动时候 boots 中_KiSystemStartup  先调
VOID
NTAPI      
KiSystemStartupReal(IN PLOADER_PARAMETER_BLOCK LoaderBlock)  LoaderBlockfreeldr中全局变量 已构造
{          函数 重  关键理解 果构造第线程 现没线程呢  
           面 载入参数块
    ULONG Cpu
    PKTHREAD InitialThread  指针 线程 变量
    ULONG InitialStack
    PKGDTENTRY Gdt          全局描述表
    PKIDTENTRY Idt
    KIDTENTRY NmiEntry DoubleFaultEntry  中断描写表
    PKTSS Tss  务状态段 
    PKIPCR Pcr

    * Save the loader block and get the current CPU *
    KeLoaderBlock  LoaderBlock  保存载入块 构造
    Cpu  KeNumberProcessors
    if (Cpu) 0 启动CPU
    {
        * If this is the boot CPU set FS and the CPU Number*
        Ke386SetFs(KGDT_R0_PCR)
        __writefsdword(KPCR_PROCESSOR_NUMBER Cpu)

        * Set the initial stack and idle thread as well *
        LoaderBlock>KernelStack  (ULONG_PTR)P0BootStack
        LoaderBlock>Thread  (ULONG_PTR)&KiInitialThread 址值 里面没初始化
    }

    * Save the initial thread and stack *
    InitialStack  LoaderBlock>KernelStack 核栈
    InitialThread  (PKTHREAD)LoaderBlock>Thread   启动线程 面赋值 没少值

    * Clean the APC List Head *
    InitializeListHead(&InitialThread>ApcStateApcListHead[KernelMode])

    * Initialize the machine type *
    KiInitializeMachineType()

    * Skip initial setup if this isn＇t the Boot CPU *
    if (Cpu) goto AppCpuInit

    * Get GDT IDT PCR and TSS pointers *
    KiGetMachineBootPointers(&Gdt &Idt &Pcr &Tss)  初始化寄存器段 

    * Setup the TSS descriptors and entries *
    Ki386InitializeTss(Tss Idt Gdt) 安装 TSS 

    * Initialize the PCR *
    RtlZeroMemory(Pcr PAGE_SIZE) 初始化PCR 结构  里重 4 Kb 
    KiInitializePcr(Cpu           
                    Pcr
                    Idt
                    Gdt
                    Tss
                    InitialThread
                    KiDoubleFaultStack)

    * Set us as the current process *  初始化进程 里初始化啊
    InitialThread>ApcStateProcess  &KiInitialProcessPcb

    * Clear DR67 to cleanup bootloader debugging *
    __writefsdword(KPCR_TEB 0) 清线程环境块
    __writefsdword(KPCR_DR6 0)
    __writefsdword(KPCR_DR7 0)

    * Setup the IDT *
    KeInitExceptions() 安装中断描述表

    * Load Ring 3 selectors for DSES *
    Ke386SetDs(KGDT_R3_DATA | RPL_MASK)  载入户态 选择子
    Ke386SetEs(KGDT_R3_DATA | RPL_MASK)

    * Save NMI and double fault traps *
    RtlCopyMemory(&NmiEntry &Idt[2] sizeof(KIDTENTRY))
    RtlCopyMemory(&DoubleFaultEntry &Idt[8] sizeof(KIDTENTRY))

    * Copy kernel＇s trap handlers *
    RtlCopyMemory(Idt
                  (PVOID)KiIdtDescriptorBase
                  KiIdtDescriptorLimit + 1)

    * Restore NMI and double fault *
    RtlCopyMemory(&Idt[2] &NmiEntry sizeof(KIDTENTRY))
    RtlCopyMemory(&Idt[8] &DoubleFaultEntry sizeof(KIDTENTRY))

AppCpuInit
    * Loop until we can release the freeze lock *
    do
    {
        * Loop until execution can continue *
        while (*(volatile PKSPIN_LOCK*)&KiFreezeExecutionLock  (PVOID)1)
    } while(InterlockedBitTestAndSet((PLONG)&KiFreezeExecutionLock 0))

    * Setup CPUrelated fields *
    __writefsdword(KPCR_NUMBER Cpu)
    __writefsdword(KPCR_SET_MEMBER 1 << Cpu)
    __writefsdword(KPCR_SET_MEMBER_COPY 1 << Cpu)
    __writefsdword(KPCR_PRCB_SET_MEMBER 1 << Cpu)

    * Initialize the Processor with HAL *
    HalInitializeProcessor(Cpu KeLoaderBlock)

    * Set active processors *
    KeActiveProcessors | __readfsdword(KPCR_SET_MEMBER)
    KeNumberProcessors++

    * Check if this is the boot CPU *
    if (Cpu)
    {
        * Initialize debugging system *
        KdInitSystem(0 KeLoaderBlock)

        * Check for breakin *
        if (KdPollBreakIn()) DbgBreakPointWithStatus(DBG_STATUS_CONTROL_C)
    }

    * Raise to HIGH_LEVEL *
    KfRaiseIrql(HIGH_LEVEL)

    * Align stack and make space for the trap frame and NPX frame *
    InitialStack & ~(KTRAP_FRAME_ALIGN  1)
    
函数里 初始化线程进程  boots 中然  
    * Switch to new kernel stack and start kernel bootstrapping 启动核引导 * boot中asm代码中
    KiSetupStackAndInitializeKernel(&KiInitialProcessPcb
                                    InitialThread
                                    (PVOID)InitialStack
                                    (PKPRCB)__readfsdword(KPCR_PRCB)
                                    (CCHAR)Cpu
                                    KeLoaderBlock)
     里  物理页面清零
}
+++++++++++++++++++++++++++++++++++++++++
VOID
FASTCALL
KiRosPrepareForSystemStartup(IN ULONG Dummy
                             IN PROS_LOADER_PARAMETER_BLOCK LoaderBlock)
{
    PLOADER_PARAMETER_BLOCK NtLoaderBlock
    ULONG size i  0 *ent
#if defined(_X86_)
    PKTSS Tss
    PKGDTENTRY TssEntry
    KDESCRIPTOR IdtDescriptor

    __sidt(&IdtDescriptorLimit) 
    RtlCopyMemory(KiBootIdt (PVOID)IdtDescriptorBase IdtDescriptorLimit + 1)
    IdtDescriptorBase  (ULONG)&KiBootIdt 变量重 启动
    IdtDescriptorLimit  sizeof(KiBootIdt)  1

    * Load the GDT and IDT *
    Ke386SetGlobalDescriptorTable(&KiGdtDescriptorLimit) 全局描述符
    __lidt(&IdtDescriptorLimit)                          局部描述符 

    * Initialize the boot TSS *
    Tss  &KiBootTss 指 TSS 变量
    
    TssEntry  &KiBootGdt[KGDT_TSS  sizeof(KGDTENTRY)]
    TssEntry>HighWordBitsType  I386_TSS
    TssEntry>HighWordBitsPres  1
    TssEntry>HighWordBitsDpl  0
    TssEntry>BaseLow  (USHORT)((ULONG_PTR)Tss & 0xFFFF)
    TssEntry>HighWordBytesBaseMid  (UCHAR)((ULONG_PTR)Tss >> 16)
    TssEntry>HighWordBytesBaseHi  (UCHAR)((ULONG_PTR)Tss >> 24)

    * Set the TSS selector *
    Ke386SetTr(KGDT_TSS) 安装TSS 寄存器变量
#endif

#if defined(_M_PPC)
     Zero bats  We might have residual bats set that will interfere with
     our mapping of ofwldr
    for (i  0 i < 4 i++)
    {
        SetBat(i 0 0 0) SetBat(i 1 0 0)
    }
    KiSetupSyscallHandler()  什意思
    
    DbgPrint(Kernel Power (08x)＼n LoaderBlock)
    DbgPrint(ArchExtra (08x)＼n LoaderBlock>ArchExtra)
#endif

    * Save pointer to ROS Block *
    KeRosLoaderBlock  LoaderBlock

    * Save memory manager data *
    KeMemoryMapRangeCount  0
    if (LoaderBlock>Flags & MB_FLAGS_MMAP_INFO)  映射BIOS 存
    {
        * We have a memory map from the nice BIOS *
        ent  ((PULONG)(LoaderBlock>MmapAddr  sizeof(ULONG)))
        size  *ent
        i  0

        * Map it until we run out of size *5
        while (i < LoaderBlock>MmapLength)
        {
            * Copy into the Kernel Memory Map *
            memcpy (&KeMemoryMap[KeMemoryMapRangeCount]
            (PVOID)(LoaderBlock>MmapAddr + i)
            sizeof(ADDRESS_RANGE))

            * Increase Memory Map Count *
            KeMemoryMapRangeCount++

            * Increase Size *
            i + size
        }

        * Save data *
        LoaderBlock>MmapLength  KeMemoryMapRangeCount * sizeof(ADDRESS_RANGE)
        LoaderBlock>MmapAddr  (ULONG)KeMemoryMap
    }
    else
    {
        * Nothing from BIOS *
        LoaderBlock>MmapLength  0
        LoaderBlock>MmapAddr  (ULONG)KeMemoryMap
    }

    * Convert the loader block *
    KiRosFrldrLpbToNtLpb(KeRosLoaderBlock &NtLoaderBlock)

#if defined(_M_PPC)
    DbgPrint(Finished KiRosFrldrLpbToNtLpb＼n)
#endif

    * Do general System Startup *
    KiSystemStartupReal(NtLoaderBlock) kiinitc 文件中
}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Bootsect MBRasm 扇区磁盘中 程序  freeldrsys 载入存  
 然 freeldrsys  载入存 ntoskernlexe  启动

 call _KiInitializeKernel@24   *****非常关键*   初始化核 容里面
                KiSetupStackAndInitializeKernel  调 初始化核函数中完成疑问处进程线程什时候创建？
VOID
NTAPI                                        
KiInitializeKernel(IN PKPROCESS InitProcess 
                   IN PKTHREAD InitThread   
                   IN PVOID IdleStack
                   IN PKPRCB Prcb
                   IN CCHAR Number
                   IN PLOADER_PARAMETER_BLOCK LoaderBlock)
{
    BOOLEAN NpxPresent
    ULONG FeatureBits
    ULONG PageDirectory[2]
    PVOID DpcStack
    ULONG Vendor[3]

    * Detect and set the CPU Type *
    KiSetProcessorType() 设置cpu类型

    * Set CR0 features based on detected CPU *
    KiSetCR0Bits()  设置页面 寄存器类型

    * Check if an FPU is present *
    NpxPresent  KiIsNpxPresent()

    * Initialize the Power Management Support for this PRCB *
    PoInitializePrcb(Prcb)

    * Bugcheck if this is a 386 CPU *
    if (Prcb>CpuType  3) KeBugCheckEx(0x5D 0x386 0 0 0)

    * Get the processor features for the CPU *
    FeatureBits  KiGetFeatureBits()

    * Set the default NX policy (optin) *
    SharedUserData>NXSupportPolicy  NX_SUPPORT_POLICY_OPTIN

    * Check if NPX is always on *
    if (strstr(KeLoaderBlock>LoadOptions NOEXECUTEALWAYSON))
    {
        * Set it always on *
        SharedUserData>NXSupportPolicy  NX_SUPPORT_POLICY_ALWAYSON
        FeatureBits | KF_NX_ENABLED
    }
    else if (strstr(KeLoaderBlock>LoadOptions NOEXECUTEOPTOUT))
    {
        * Set it in optout mode *
        SharedUserData>NXSupportPolicy  NX_SUPPORT_POLICY_OPTOUT
        FeatureBits | KF_NX_ENABLED
    }
    else if ((strstr(KeLoaderBlock>LoadOptions NOEXECUTEOPTIN)) ||
             (strstr(KeLoaderBlock>LoadOptions NOEXECUTE)))
    {
        * Set the feature bits *
        FeatureBits | KF_NX_ENABLED
    }
    else if ((strstr(KeLoaderBlock>LoadOptions NOEXECUTEALWAYSOFF)) ||
             (strstr(KeLoaderBlock>LoadOptions EXECUTE)))
    {
        * Set disabled mode *
        SharedUserData>NXSupportPolicy  NX_SUPPORT_POLICY_ALWAYSOFF
        FeatureBits | KF_NX_DISABLED
    }

    * Save feature bits *
    Prcb>FeatureBits  FeatureBits

    * Save CPU state *
    KiSaveProcessorControlState(&Prcb>ProcessorState)

    * Get cache line information for this CPU *
    KiGetCacheInformation()

    * Initialize spinlocks and DPC data *
    KiInitSpinLocks(Prcb Number)

    * Check if this is the Boot CPU *
    if (Number)  启动CPU
    {
        * Set Node Data *
        KeNodeBlock[0]  &KiNode0
        Prcb>ParentNode  KeNodeBlock[0]
        KeNodeBlock[0]>ProcessorMask  Prcb>SetMember

        * Set bootlevel flags *
        KeI386NpxPresent  NpxPresent
        KeI386CpuType  Prcb>CpuType
        KeI386CpuStep  Prcb>CpuStep
        KeProcessorArchitecture  PROCESSOR_ARCHITECTURE_INTEL
        KeProcessorLevel  (USHORT)Prcb>CpuType
        if (Prcb>CpuID) KeProcessorRevision  Prcb>CpuStep
        KeFeatureBits  FeatureBits
        KeI386FxsrPresent  (KeFeatureBits & KF_FXSR)  TRUE  FALSE
        KeI386XMMIPresent  (KeFeatureBits & KF_XMMI)  TRUE  FALSE

        * Detect 8byte compare exchange support *
        if ((KeFeatureBits & KF_CMPXCHG8B))
        {
            * Copy the vendor string *
            RtlCopyMemory(Vendor Prcb>VendorString sizeof(Vendor))

            * Bugcheck the system Windows *requires* this *
            KeBugCheckEx(0x5D
                         (1 << 24 ) | (Prcb>CpuType << 16) | Prcb>CpuStep
                         Vendor[0]
                         Vendor[1]
                         Vendor[2])
        }

        * Set the current MP Master KPRCB to the Boot PRCB *
        Prcb>MultiThreadSetMaster  Prcb

        * Lower to APC_LEVEL *
        KeLowerIrql(APC_LEVEL)

        * Initialize some spinlocks *
        KeInitializeSpinLock(&KiFreezeExecutionLock)
        KeInitializeSpinLock(&Ki486CompatibilityLock)

        * Initialize portable parts of the OS *
        KiInitSystem()      初始化系统 变量 尤系统服务表 函数

        * Initialize the Idle Process and the Process Listhead *
        InitializeListHead(&KiProcessListHead)
        PageDirectory[0]  0
        PageDirectory[1]  0
        初始化进程 赋值
        KeInitializeProcess(InitProcess
                            0
                            0xFFFFFFFF
                            PageDirectory
                            FALSE)
        InitProcess>QuantumReset  MAXCHAR
    }
    else
    {
        * FIXME *
        DPRINT1(SMP Boot support not yet present＼n)
    }

    * Setup the Idle Thread * 安装空闲线程 安装
    KeInitializeThread(InitProcess
                       InitThread
                       NULL
                       NULL
                       NULL
                       NULL
                       NULL
                       IdleStack)

    InitThread>NextProcessor  Number
    InitThread>Priority  HIGH_PRIORITY
    InitThread>State  Running
    InitThread>Affinity  1 << Number
    InitThread>WaitIrql  DISPATCH_LEVEL
    InitProcess>ActiveProcessors  1 << Number

    * HACK for MmUpdatePageDir * 处单线程  建立线程 赋值初始化进程
    ((PETHREAD)InitThread)>ThreadsProcess  (PEPROCESS)InitProcess

    * Set basic CPU Features that user mode can read *
    SharedUserData>ProcessorFeatures[PF_MMX_INSTRUCTIONS_AVAILABLE] 
        (KeFeatureBits & KF_MMX)  TRUE FALSE
    SharedUserData>ProcessorFeatures[PF_COMPARE_EXCHANGE_DOUBLE] 
        (KeFeatureBits & KF_CMPXCHG8B)  TRUE FALSE
    SharedUserData>ProcessorFeatures[PF_XMMI_INSTRUCTIONS_AVAILABLE] 
        ((KeFeatureBits & KF_FXSR) && (KeFeatureBits & KF_XMMI))  TRUE FALSE
    SharedUserData>ProcessorFeatures[PF_XMMI64_INSTRUCTIONS_AVAILABLE] 
        ((KeFeatureBits & KF_FXSR) && (KeFeatureBits & KF_XMMI64))  TRUE FALSE
    SharedUserData>ProcessorFeatures[PF_3DNOW_INSTRUCTIONS_AVAILABLE] 
        (KeFeatureBits & KF_3DNOW)  TRUE FALSE
    SharedUserData>ProcessorFeatures[PF_RDTSC_INSTRUCTION_AVAILABLE] 
        (KeFeatureBits & KF_RDTSC)  TRUE FALSE

    * Set up the threadrelated fields in the PRCB *
    Prcb>CurrentThread  InitThread前线程等 空闲线程  没线程 
    Prcb>NextThread  NULL
    Prcb>IdleThread  InitThread  第线程终堕落 空闲线程

    * Initialize the Kernel Executive * 执行体阶段  关键处
    ExpInitializeExecutive(Number LoaderBlock)
    执行体 完成变成线程   返回 未必执行   
    然回 boots 中 页面清零函数中
    *
    call @KfLowerIrql@4        降低中断级 引起 线程调度
    * Set the right wait IRQL *
    mov byte ptr [ebx+KTHREAD_WAIT_IRQL] DISPATCH_LEVEL
    
    * Jump into the idle loop *
    jmp @KiIdleLoop@0             Idleexe 系统线程 处理脏 页面
    *
    * Only do this on the boot CPU *
    if (Number)
    {
        * Calculate the time reciprocal *
        KiTimeIncrementReciprocal 
            KiComputeReciprocal(KeMaximumIncrement
                                &KiTimeIncrementShiftCount)
        * Update DPC Values in case they got updated by the executive *
        Prcb>MaximumDpcQueueDepth  KiMaximumDpcQueueDepth
        Prcb>MinimumDpcRate  KiMinimumDpcRate
        Prcb>AdjustDpcThreshold  KiAdjustDpcThreshold

        * Allocate the DPC Stack *
        DpcStack  MmCreateKernelStack(FALSE 0)
        
        if (DpcStack) KeBugCheckEx(NO_PAGES_AVAILABLE 1 0 0 0)
        Prcb>DpcStack  DpcStack
        * Allocate the IOPM save area *
        Ki386IopmSaveArea  ExAllocatePoolWithTag(PagedPool
                                                  PAGE_SIZE * 2
                                                  ＇  eK＇)
        if (Ki386IopmSaveArea)
        {
            * Bugcheck We need this for V86VDM support *
            KeBugCheckEx(NO_PAGES_AVAILABLE 2 PAGE_SIZE * 2 0 0)
        }
    }
    * Raise to Dispatch *
    KfRaiseIrql(DISPATCH_LEVEL)
    * Set the Idle Priority to 0 This will jump into Phase 1 *
    KeSetPriorityThread(InitThread 0)
    * If there＇s no thread scheduled put this CPU in the Idle summary *
    KiAcquirePrcbLock(Prcb)
    if (Prcb>NextThread) KiIdleSummary | 1 << Number
    KiReleasePrcbLock(Prcb)

    * Raise back to HIGH_LEVEL and clear the PRCB for the loader block *
    KfRaiseIrql(HIGH_LEVEL)
    LoaderBlock>Prcb  0
}
++++++++++++++++++++++++++++++++++++++++++++++

VOID
NTAPI
ExpInitializeExecutive(IN ULONG Cpu            初始化执行体 组件
                       IN PLOADER_PARAMETER_BLOCK LoaderBlock)
{
    PNLS_DATA_BLOCK NlsData
    CHAR Buffer[256]
    ANSI_STRING AnsiPath
    NTSTATUS Status
    PCHAR CommandLine PerfMem
    ULONG PerfMemUsed
    PLDR_DATA_TABLE_ENTRY NtosEntry
    PRTL_MESSAGE_RESOURCE_ENTRY MsgEntry
    ANSI_STRING CsdString
    ULONG Remaining  0
    PCHAR RcEnd  NULL
    CHAR VersionBuffer [65]

    * Validate Loader *
    if (ExpIsLoaderValid(LoaderBlock))
    {
        * Invalid loader version *
        KeBugCheckEx(MISMATCHED_HAL
                     3
                     LoaderBlock>Extension>Size
                     LoaderBlock>Extension>MajorVersion
                     LoaderBlock>Extension>MinorVersion)
    }

    * Initialize PRCB pool lookaside pointers *
    ExInitPoolLookasidePointers()

    * Check if this is an application CPU *
    if (Cpu)
    {
        * Then simply initialize it with HAL *
        if (HalInitSystem(ExpInitializationPhase LoaderBlock))
        {
            * Initialization failed *
            KeBugCheck(HAL_INITIALIZATION_FAILED)
        }

        * We＇re done *
        return
    }

    * Assume no textmode or remote boot *
    ExpInTextModeSetup  FALSE
    IoRemoteBootClient  FALSE

    * Check if we have a setup loader block *
    if (LoaderBlock>SetupLdrBlock)
    {
        * Check if this is textmode setup *
        if (LoaderBlock>SetupLdrBlock>Flags & SETUPLDR_TEXT_MODE) ExpInTextModeSetup  TRUE

        * Check if this is network boot *
        if (LoaderBlock>SetupLdrBlock>Flags & SETUPLDR_REMOTE_BOOT)
        {
            * Set variable *
            IoRemoteBootClient  TRUE

            * Make sure we＇re actually booting off the network *
            ASSERT(_memicmp(LoaderBlock>ArcBootDeviceName net(0) 6))
        }
    }

    * Set phase to 0 *
    ExpInitializationPhase  0

    * Get boot command line *
    CommandLine  LoaderBlock>LoadOptions
    if (CommandLine)
    {
        * Upcase it for comparison and check if we＇re in performance mode *
        _strupr(CommandLine)
        PerfMem  strstr(CommandLine PERFMEM)
        if (PerfMem)
        {
            * Check if the user gave a number of bytes to use *
            PerfMem  strstr(PerfMem )
            if (PerfMem)
            {
                * Read the number of pages we＇ll use *
                PerfMemUsed  atol(PerfMem + 1) * (1024 * 1024  PAGE_SIZE)
                if (PerfMem)
                {
                    * FIXME TODO *
                    DPRINT1(BBT performance mode not yet supported
                            PERFMEM option ignored＼n)
                }
            }
        }

        * Check if we＇re burning memory *
        PerfMem  strstr(CommandLine BURNMEMORY)
        if (PerfMem)
        {
            * Check if the user gave a number of bytes to use *
            PerfMem  strstr(PerfMem )
            if (PerfMem)
            {
                * Read the number of pages we＇ll use *
                PerfMemUsed  atol(PerfMem + 1) * (1024 * 1024  PAGE_SIZE)
                if (PerfMem)
                {
                    * FIXME TODO *
                    DPRINT1(Burnable memory support not yet present
                            BURNMEM option ignored＼n)
                }
            }
        }
    }

    * Setup NLS Base and offsets *
    NlsData  LoaderBlock>NlsData
    ExpNlsTableBase  NlsData>AnsiCodePageData
    ExpAnsiCodePageDataOffset  0
    ExpOemCodePageDataOffset  ((ULONG_PTR)NlsData>OemCodePageData 
                                (ULONG_PTR)NlsData>AnsiCodePageData)
    ExpUnicodeCaseTableDataOffset  ((ULONG_PTR)NlsData>UnicodeCodePageData 
                                     (ULONG_PTR)NlsData>AnsiCodePageData)

    * Initialize the NLS Tables *
    RtlInitNlsTables((PVOID)((ULONG_PTR)ExpNlsTableBase +
                             ExpAnsiCodePageDataOffset)
                     (PVOID)((ULONG_PTR)ExpNlsTableBase +
                             ExpOemCodePageDataOffset)
                     (PVOID)((ULONG_PTR)ExpNlsTableBase +
                             ExpUnicodeCaseTableDataOffset)
                     &ExpNlsTableInfo)

    RtlResetRtlTranslations(&ExpNlsTableInfo)

    * Now initialize the HAL *
    if (HalInitSystem(ExpInitializationPhase LoaderBlock))
    {
        * HAL failed to initialize bugcheck *
        KeBugCheck(HAL_INITIALIZATION_FAILED)
    }

    * Make sure interrupts are active now *
    _enable()

    * Clear the crypto exponent *
    SharedUserData>CryptoExponent  0

    * Set global flags for the checked build *
#if DBG
    NtGlobalFlag | FLG_ENABLE_CLOSE_EXCEPTIONS |
                    FLG_ENABLE_KDEBUG_SYMBOL_LOAD
#endif

    * Setup NT System Root Path *
    sprintf(Buffer Cs LoaderBlock>NtBootPathName)

    * Convert to ANSI_STRING and nullterminate it *
    RtlInitString(&AnsiPath Buffer)
    Buffer[AnsiPathLength]  ANSI_NULL

    * Get the string from KUSER_SHARED_DATA＇s buffer *
    RtlInitEmptyUnicodeString(&NtSystemRoot
                              SharedUserData>NtSystemRoot
                              sizeof(SharedUserData>NtSystemRoot))

    * Now fill it in *
    Status  RtlAnsiStringToUnicodeString(&NtSystemRoot &AnsiPath FALSE)
    if (NT_SUCCESS(Status)) KeBugCheck(SESSION3_INITIALIZATION_FAILED)

    * Setup bugcheck messages *
    KiInitializeBugCheck()

    * Setup initial system settings *
    CmGetSystemControlValues(LoaderBlock>RegistryBase CmControlVector)

    * Load static defaults for Service Pack 1 and add our SVN revision *
    CmNtCSDVersion  0x100 | (KERNEL_VERSION_BUILD_HEX << 16)
    CmNtCSDReleaseType  0

    * Set Service Pack data for Service Pack 1 *
    CmNtSpBuildNumber  1830
    if ((CmNtCSDVersion & 0xFFFF0000))
    {
        * Check the release type *
        if (CmNtCSDReleaseType  1) CmNtSpBuildNumber | 1830 << 16
    }

    * Initialize the executive at phase 0 *
    if (ExInitSystem()) KeBugCheck(PHASE0_INITIALIZATION_FAILED)

    * Initialize the memory manager at phase 0 *
    if (MmInitSystem(0 LoaderBlock)) KeBugCheck(PHASE0_INITIALIZATION_FAILED)

    * Load boot symbols *
    ExpLoadBootSymbols(LoaderBlock)

    * Check if we should break after symbol load *
    if (KdBreakAfterSymbolLoad) DbgBreakPointWithStatus(DBG_STATUS_CONTROL_C)

    * Check if this loader is compatible with NT 52 *
    if (LoaderBlock>Extension>Size > sizeof(LOADER_PARAMETER_EXTENSION))
    {
        * Setup headless terminal settings *
        HeadlessInit(LoaderBlock)
    }

    * Set system ranges *
    SharedUserData>Reserved1  (ULONG_PTR)MmHighestUserAddress
    SharedUserData>Reserved3  (ULONG_PTR)MmSystemRangeStart

    * Make a copy of the NLS Tables *
    ExpInitNls(LoaderBlock)

    * Get the kernel＇s load entry *
    NtosEntry  CONTAINING_RECORD(LoaderBlock>LoadOrderListHeadFlink
                                  LDR_DATA_TABLE_ENTRY
                                  InLoadOrderLinks)

    * Check if this is a service pack *
    if (CmNtCSDVersion & 0xFFFF)
    {
        * Get the service pack string *
        Status  RtlFindMessage(NtosEntry>DllBase
                                11
                                0
                                WINDOWS_NT_CSD_STRING
                                &MsgEntry)
        if (NT_SUCCESS(Status))
        {
            * Setup the string *
            RtlInitAnsiString(&CsdString MsgEntry>Text)

            * Remove trailing newline *
            while ((CsdStringLength > 0) &&
                   ((CsdStringBuffer[CsdStringLength  1]  ＇＼r＇) ||
                    (CsdStringBuffer[CsdStringLength  1]  ＇＼n＇)))
            {
                * Skip the trailing character *
                CsdStringLength
            }

            * Fill the buffer with version information *
            Status  RtlStringCbPrintfA(Buffer
                                        sizeof(Buffer)
                                        Z uc
                                        &CsdString
                                        (CmNtCSDVersion & 0xFF00) >> 8
                                        (CmNtCSDVersion & 0xFF) 
                                        ＇A＇ + (CmNtCSDVersion & 0xFF)  1 
                                        ANSI_NULL)
        }
        else
        {
            * Build default string *
            Status  RtlStringCbPrintfA(Buffer
                                        sizeof(Buffer)
                                        CSD 04x
                                        CmNtCSDVersion)
        }

        * Check for success *
        if (NT_SUCCESS(Status))
        {
            * Fail *
            KeBugCheckEx(PHASE0_INITIALIZATION_FAILED Status 0 0 0)
        }
    }
    else
    {
        * Then this is a beta *
        Status  RtlStringCbCopyExA(Buffer
                                    sizeof(Buffer)
                                    VER_PRODUCTBETA_STR
                                    NULL
                                    &Remaining
                                    0)
        if (NT_SUCCESS(Status))
        {
            * Fail *
            KeBugCheckEx(PHASE0_INITIALIZATION_FAILED Status 0 0 0)
        }

        * Update length *
        CmCSDVersionStringMaximumLength  sizeof(Buffer)  (USHORT)Remaining
    }

    * Check if we have an RC number *
    if (CmNtCSDVersion & 0xFFFF0000)
    {
        * Check if we have no version data yet *
        if ((*Buffer))
        {
            * Set defaults *
            Remaining  sizeof(Buffer)
            RcEnd  Buffer
        }
        else
        {
            * Add comma and space *
            Status  RtlStringCbCatExA(Buffer
                                       sizeof(Buffer)
                                        
                                       &RcEnd
                                       &Remaining
                                       0)
            if (NT_SUCCESS(Status))
            {
                * Fail *
                KeBugCheckEx(PHASE0_INITIALIZATION_FAILED Status 0 0 0)
            }
        }

        * Add the version format string *
        Status  RtlStringCbPrintfA(RcEnd
                                    Remaining
                                    v u
                                    (CmNtCSDVersion & 0xFFFF0000) >> 16)
        if (NT_SUCCESS(Status))
        {
            * Fail *
            KeBugCheckEx(PHASE0_INITIALIZATION_FAILED Status 0 0 0)
        }
    }

    * Now setup the final string *
    RtlInitAnsiString(&CsdString Buffer)
    Status  RtlAnsiStringToUnicodeString(&CmCSDVersionString
                                          &CsdString
                                          TRUE)
    if (NT_SUCCESS(Status))
    {
        * Fail *
        KeBugCheckEx(PHASE0_INITIALIZATION_FAILED Status 0 0 0)
    }

    * Add our version *
    Status  RtlStringCbPrintfA(VersionBuffer
                                sizeof(VersionBuffer)
                                uu
                                VER_PRODUCTMAJORVERSION
                                VER_PRODUCTMINORVERSION)
    if (NT_SUCCESS(Status))
    {
        * Fail *
        KeBugCheckEx(PHASE0_INITIALIZATION_FAILED Status 0 0 0)
    }

    * Build the final version string *
    RtlCreateUnicodeStringFromAsciiz(&CmVersionString VersionBuffer)

    * Check if the user wants a kernel stack trace database *
    if (NtGlobalFlag & FLG_KERNEL_STACK_TRACE_DB)
    {
        * FIXME TODO *
        DPRINT1(Kernelmode stack trace support not yet present
                FLG_KERNEL_STACK_TRACE_DB flag ignored＼n)
    }

    * Check if he wanted exception logging *
    if (NtGlobalFlag & FLG_ENABLE_EXCEPTION_LOGGING)
    {
        * FIXME TODO *
        DPRINT1(Kernelmode exception logging support not yet present
                FLG_ENABLE_EXCEPTION_LOGGING flag ignored＼n)
    }

    * Initialize the Handle Table *
    ExpInitializeHandleTables()   执行体中句柄表 系统全局 句柄表进程句柄表

#if DBG
    * On checked builds allocate the system call count table *
    KeServiceDescriptorTable[0]Count 
        ExAllocatePoolWithTag(NonPagedPool
                              KiServiceLimit * sizeof(ULONG)
                              ＇llaC＇)

    * Use it for the shadow table too *
    KeServiceDescriptorTableShadow[0]Count  KeServiceDescriptorTable[0]Count

    * Make sure allocation succeeded *
    if (KeServiceDescriptorTable[0]Count)
    {
        * Zero the call counts to 0 *
        RtlZeroMemory(KeServiceDescriptorTable[0]Count
                      KiServiceLimit * sizeof(ULONG))
    }
#endif

    * Create the Basic Object Manager Types to allow new Object Types *
    if (ObInitSystem()) KeBugCheck(OBJECT_INITIALIZATION_FAILED)

    * Load basic Security for other Managers *
    if (SeInitSystem()) KeBugCheck(SECURITY_INITIALIZATION_FAILED)

    * Initialize the Process Manager *
    if (PsInitSystem(LoaderBlock)) KeBugCheck(PROCESS_INITIALIZATION_FAILED)

    * Initialize the PnP Manager *
    if (PpInitSystem()) KeBugCheck(PP0_INITIALIZATION_FAILED)

    * Initialize the UserMode Debugging Subsystem *
    DbgkInitialize()

    * Calculate the tick count multiplier *
    ExpTickCountMultiplier  ExComputeTickCountMultiplier(KeMaximumIncrement)
    SharedUserData>TickCountMultiplier  ExpTickCountMultiplier

    * Set the OS Version *
    SharedUserData>NtMajorVersion  NtMajorVersion
    SharedUserData>NtMinorVersion  NtMinorVersion

    * Set the machine type *
    SharedUserData>ImageNumberLow  IMAGE_FILE_MACHINE_ARCHITECTURE
    SharedUserData>ImageNumberHigh  IMAGE_FILE_MACHINE_ARCHITECTURE
}

VOID NTAPI Phase1Initialization(IN PVOID Context)
{
* Do the INIT part of Phase 1 which we can free later *
Phase1InitializationDiscard(Context)
* Jump into zero page thread *
MmZeroPageThreadMain(NULL) 页面清零 函数
}

VOID
NTAPI
Phase1InitializationDiscard(IN PVOID Context)       系统线程 关键函数  
{
    PLOADER_PARAMETER_BLOCK LoaderBlock  Context
    NTSTATUS Status MsgStatus
    TIME_FIELDS TimeFields
    LARGE_INTEGER SystemBootTime UniversalBootTime OldTime Timeout
    BOOLEAN SosEnabled NoGuiBoot ResetBias  FALSE AlternateShell  FALSE
    PLDR_DATA_TABLE_ENTRY NtosEntry
    PRTL_MESSAGE_RESOURCE_ENTRY MsgEntry
    PCHAR CommandLine Y2KHackRequired SafeBoot Environment
    PCHAR StringBuffer EndBuffer BeginBuffer MpString  
    PINIT_BUFFER InitBuffer
    ANSI_STRING TempString
    ULONG LastTzBias Size Length YearHack  0 Disposition MessageCode  0
    PRTL_USER_PROCESS_INFORMATION ProcessInfo      户进程 会话进程
    KEY_VALUE_PARTIAL_INFORMATION KeyPartialInfo
    UNICODE_STRING KeyName DebugString
    OBJECT_ATTRIBUTES ObjectAttributes
    HANDLE KeyHandle OptionHandle
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters  NULL

    * Allocate the initialization buffer *
    InitBuffer  ExAllocatePoolWithTag(NonPagedPool
                                       sizeof(INIT_BUFFER)
                                       ＇tinI＇)
    if (InitBuffer)
    {
        * Bugcheck *
        KeBugCheckEx(PHASE1_INITIALIZATION_FAILED STATUS_NO_MEMORY 8 0 0)
    }

    * Set to phase 1 *
    ExpInitializationPhase  1  阶段 值 增加 1 开始第二次 调

    * Set us at maximum priority *
    KeSetPriorityThread(KeGetCurrentThread() HIGH_PRIORITY)

    * Do Phase 1 HAL Initialization *
    if (HalInitSystem(1 LoaderBlock)) KeBugCheck(HAL1_INITIALIZATION_FAILED)

    * Get the command line and upcase it *
    CommandLine  _strupr(LoaderBlock>LoadOptions)

    * Check if GUI Boot is enabled *
    NoGuiBoot  (strstr(CommandLine NOGUIBOOT))  TRUE FALSE

    * Get the SOS setting *
    SosEnabled  strstr(CommandLine SOS)  TRUE FALSE

    * Setup the boot driver *
    InbvEnableBootDriver(NoGuiBoot)  启动 端口 视频驱动 然 显示图画 
    InbvDriverInitialize(LoaderBlock 18)

    * Check if GUI boot is enabled *
    if (NoGuiBoot)
    {
        * It is display the boot logo and enable printing strings *
        InbvEnableDisplayString(SosEnabled)
        DisplayBootBitmap(SosEnabled)
    }
    else
    {
        * Release display ownership if not using GUI boot *
        InbvNotifyDisplayOwnershipLost(NULL)

        * Don＇t allow boottime strings *
        InbvEnableDisplayString(FALSE)
    }

    * Check if this is LiveCD (WinPE) mode *
    if (strstr(CommandLine MININT))
    {
        * Setup WinPE Settings *
        InitIsWinPEMode  TRUE
        InitWinPEModeType | (strstr(CommandLine INRAM))  0x80000000  1
    }

    * Get the kernel＇s load entry *
    NtosEntry  CONTAINING_RECORD(LoaderBlock>LoadOrderListHeadFlink
                                  LDR_DATA_TABLE_ENTRY
                                  InLoadOrderLinks)

    * Find the banner message *
    MsgStatus  RtlFindMessage(NtosEntry>DllBase
                               11
                               0
                               WINDOWS_NT_BANNER
                               &MsgEntry)

    * Setup defaults and check if we have a version string *
    StringBuffer  InitBuffer>VersionBuffer
    BeginBuffer  StringBuffer
    EndBuffer  StringBuffer
    Length  256
    if (CmCSDVersionStringLength)
    {
        * Print the version string *
        Status  RtlStringCbPrintfExA(StringBuffer
                                      255
                                      &EndBuffer
                                      &Length
                                      0
                                       wZ
                                      &CmCSDVersionString)
        if (NT_SUCCESS(Status))
        {
            * Bugcheck *
            KeBugCheckEx(PHASE1_INITIALIZATION_FAILED Status 7 0 0)
        }
    }
    else
    {
        * No version *
        Length  255
    }

    * Nullterminate the string *
    *EndBuffer++  ANSI_NULL

    * Build the version number *
    StringBuffer  InitBuffer>VersionNumber
    Status  RtlStringCbPrintfA(StringBuffer
                                24
                                uu
                                VER_PRODUCTMAJORVERSION
                                VER_PRODUCTMINORVERSION)
    if (NT_SUCCESS(Status))
    {
        * Bugcheck *
        KeBugCheckEx(PHASE1_INITIALIZATION_FAILED Status 7 0 0)
    }

    * Check if we had found a banner message *
    if (NT_SUCCESS(MsgStatus))
    {
        * Create the banner message *
        Status  RtlStringCbPrintfA(EndBuffer
                                    Length
                                    MsgEntry>Text
                                    StringBuffer
                                    NtBuildNumber & 0xFFFF
                                    BeginBuffer)
        if (NT_SUCCESS(Status))
        {
            * Bugcheck *
            KeBugCheckEx(PHASE1_INITIALIZATION_FAILED Status 7 0 0)
        }
    }
    else
    {
        * Use hardcoded banner message *
        Status  RtlStringCbCopyA(EndBuffer Length REACTOS (R)＼n)
        if (NT_SUCCESS(Status))
        {
            * Bugcheck *
            KeBugCheckEx(PHASE1_INITIALIZATION_FAILED Status 7 0 0)
        }
    }

    * Display the version string onscreen *
    InbvDisplayString(EndBuffer)

    * Initialize Power Subsystem in Phase 0 *
    if (PoInitSystem(0)) 
       KeBugCheck(INTERNAL_POWER_ERROR)

    * Check for Y2K hack *
    Y2KHackRequired  strstr(CommandLine YEAR)
    if (Y2KHackRequired) Y2KHackRequired  strstr(Y2KHackRequired )
    if (Y2KHackRequired) YearHack  atol(Y2KHackRequired + 1)

    * Query the clock *
    if ((ExCmosClockIsSane) && (HalQueryRealTimeClock(&TimeFields)))
    {
        * Check if we＇re using the Y2K hack *
        if (Y2KHackRequired) TimeFieldsYear  (CSHORT)YearHack

        * Convert to time fields *
        RtlTimeFieldsToTime(&TimeFields &SystemBootTime)
        UniversalBootTime  SystemBootTime

        * Check if real time is GMT *
        if (ExpRealTimeIsUniversal)
        {
            * Check if we don＇t have a valid bias *
            if (ExpLastTimeZoneBias  MAXULONG)
            {
                * Reset *
                ResetBias  TRUE
                ExpLastTimeZoneBias  ExpAltTimeZoneBias
            }

            * Calculate the bias in seconds *
            ExpTimeZoneBiasQuadPart  Int32x32To64(ExpLastTimeZoneBias * 60
                                                    10000000)

            * Set the boot timezone bias *
            SharedUserData>TimeZoneBiasHigh2Time  ExpTimeZoneBiasHighPart
            SharedUserData>TimeZoneBiasLowPart  ExpTimeZoneBiasLowPart
            SharedUserData>TimeZoneBiasHigh1Time  ExpTimeZoneBiasHighPart

            * Convert the boot time to local time and set it *
            UniversalBootTimeQuadPart  SystemBootTimeQuadPart +
                                         ExpTimeZoneBiasQuadPart
        }

        * Update the system time *
        KeSetSystemTime(&UniversalBootTime &OldTime FALSE NULL)

        * Do system callback *
        PoNotifySystemTimeSet()

        * Remember this as the boot time *
        KeBootTime  UniversalBootTime
        KeBootTimeBias  0
    }

    * Initialize all processors *
    if (HalAllProcessorsStarted())
        KeBugCheck(HAL1_INITIALIZATION_FAILED)

#ifdef CONFIG_SMP
    * HACK We should use RtlFindMessage and not only fallback to this *
    MpString  MultiProcessor Kernel＼r＼n
#endif

    * Setup the MP String *
    RtlInitAnsiString(&TempString MpString)

    * Make sure to remove the ＼r＼n if we actually have a string *
    while ((TempStringLength > 0) &&
           ((TempStringBuffer[TempStringLength  1]  ＇＼r＇) ||
            (TempStringBuffer[TempStringLength  1]  ＇＼n＇)))
    {
        * Skip the trailing character *
        TempStringLength
    }

    * Get the information string from our resource file *
    MsgStatus  RtlFindMessage(NtosEntry>DllBase
                               11
                               0
                               KeNumberProcessors > 1 
                               WINDOWS_NT_INFO_STRING_PLURAL 
                               WINDOWS_NT_INFO_STRING
                               &MsgEntry)

    * Get total RAM size *
    Size  MmNumberOfPhysicalPages * PAGE_SIZE  1024  1024

    * Create the string *
    StringBuffer  InitBuffer>VersionBuffer
    Status  RtlStringCbPrintfA(StringBuffer
                                256
                                NT_SUCCESS(MsgStatus) 
                                MsgEntry>Text 
                                u System Processor [u MB Memory] Z＼n
                                KeNumberProcessors
                                Size
                                &TempString)
    if (NT_SUCCESS(Status))
    {
        * Bugcheck *
        KeBugCheckEx(PHASE1_INITIALIZATION_FAILED Status 4 0 0)
    }

    * Display RAM and CPU count *
    InbvDisplayString(StringBuffer)

    * Update the progress bar *
    InbvUpdateProgressBar(5)

    * Call OB initialization again *
    if (ObInitSystem()) KeBugCheck(OBJECT1_INITIALIZATION_FAILED)

    * Initialize Basic System Objects and Worker Threads *
    if (ExInitSystem()) KeBugCheckEx(PHASE1_INITIALIZATION_FAILED 0 0 1 0)

    * Initialize the later stages of the kernel *
    if (KeInitSystem()) KeBugCheckEx(PHASE1_INITIALIZATION_FAILED 0 0 2 0)

    * Call KD Providers at Phase 1 *
    if (KdInitSystem(ExpInitializationPhase KeLoaderBlock))
    {
        * Failed bugcheck *
        KeBugCheckEx(PHASE1_INITIALIZATION_FAILED 0 0 3 0)
    }

    * Initialize the SRM in Phase 1 *
    if (SeInitSystem()) KeBugCheck(SECURITY1_INITIALIZATION_FAILED)

    * Update the progress bar *
    InbvUpdateProgressBar(10)

    * Create SystemRoot Link *
    Status  ExpCreateSystemRootLink(LoaderBlock)
    if (NT_SUCCESS(Status))
    {
        * Failed to create the system root link *
        KeBugCheckEx(SYMBOLIC_INITIALIZATION_FAILED Status 0 0 0)
    }

    * Set up Region Maps Sections and the Paging File *
    if (MmInitSystem(1 LoaderBlock)) KeBugCheck(MEMORY1_INITIALIZATION_FAILED)

    * Create NLS section *
    ExpInitNls(KeLoaderBlock)

    * Initialize Cache Views *
    if (CcInitializeCacheManager()) KeBugCheck(CACHE_INITIALIZATION_FAILED)

    * Initialize the Registry *
    if (CmInitSystem1()) KeBugCheck(CONFIG_INITIALIZATION_FAILED)

    * Initialize Prefetcher *
    CcPfInitializePrefetcher()

    * Update progress bar *
    InbvUpdateProgressBar(15)

    * Update timezone information *
    LastTzBias  ExpLastTimeZoneBias
    ExRefreshTimeZoneInformation(&SystemBootTime)

    * Check if we＇re resetting timezone data *
    if (ResetBias)
    {
        * Convert the local time to system time *
        ExLocalTimeToSystemTime(&SystemBootTime &UniversalBootTime)
        KeBootTime  UniversalBootTime
        KeBootTimeBias  0

        * Set the new time *
        KeSetSystemTime(&UniversalBootTime &OldTime FALSE NULL)
    }
    else
    {
        * Check if the timezone switched and update the time *
        if (LastTzBias  ExpLastTimeZoneBias) 
        ZwSetSystemTime(NULL NULL)
    }

    * Initialize the File System Runtime Library *
    if (FsRtlInitSystem()) KeBugCheck(FILE_INITIALIZATION_FAILED)

    * Initialize range lists *
    RtlInitializeRangeListPackage()

    * Report all resources used by HAL *
    HalReportResourceUsage()

    * Call the debugger DLL *
    KdDebuggerInitialize1(LoaderBlock)

    * Setup PnP Manager in phase 1 *
    if (PpInitSystem()) KeBugCheck(PP1_INITIALIZATION_FAILED)

    * Update progress bar *
    InbvUpdateProgressBar(20)

    * Initialize LPC *
    if (LpcInitSystem()) KeBugCheck(LPC_INITIALIZATION_FAILED)

    * Make sure we have a command line *
    if (CommandLine)
    {
        * Check if this is a safe mode boot *
        SafeBoot  strstr(CommandLine SAFEBOOT)
        if (SafeBoot)
        {
            * Check what kind of boot this is *
            SafeBoot + 9
            if (strncmp(SafeBoot MINIMAL 7))
            {
                * Minimal mode *
                InitSafeBootMode  1
                SafeBoot + 7
                MessageCode  BOOTING_IN_SAFEMODE_MINIMAL
            }
            else if (strncmp(SafeBoot NETWORK 7))
            {
                * With Networking *
                InitSafeBootMode  1
                SafeBoot + 7
                MessageCode  BOOTING_IN_SAFEMODE_NETWORK
            }
            else if (strncmp(SafeBoot DSREPAIR 8))
            {
                * Domain Server Repair *
                InitSafeBootMode  3
                SafeBoot + 8
                MessageCode  BOOTING_IN_SAFEMODE_DSREPAIR

            }
            else
            {
                * Invalid *
                InitSafeBootMode  0
            }

            * Check if there＇s any settings left *
            if (*SafeBoot)
            {
                * Check if an alternate shell was requested *
                if (strncmp(SafeBoot (ALTERNATESHELL) 16))
                {
                    * Remember this for later *
                    AlternateShell  TRUE
                }
            }

            * Find the message to print out *
            Status  RtlFindMessage(NtosEntry>DllBase
                                    11
                                    0
                                    MessageCode
                                    &MsgEntry)
            if (NT_SUCCESS(Status))
            {
                * Display it *
                InbvDisplayString(MsgEntry>Text)
            }
        }
    }

    * Make sure we have a command line *
    if (CommandLine)
    {
        * Check if bootlogging is enabled *
        if (strstr(CommandLine BOOTLOG))
        {
            * Find the message to print out *
            Status  RtlFindMessage(NtosEntry>DllBase
                                    11
                                    0
                                    BOOTLOG_ENABLED
                                    &MsgEntry)
            if (NT_SUCCESS(Status))
            {
                * Display it *
                InbvDisplayString(MsgEntry>Text)
            }

            * Setup boot logging *
            IopInitializeBootLogging(LoaderBlock InitBuffer>BootlogHeader)
        }
    }

    * Setup the Executive in Phase 2 *
    ExInitSystemPhase2()

    * Update progress bar *
    InbvUpdateProgressBar(25)

#ifdef _WINKD_
    * No KD Time Slip is pending *
    KdpTimeSlipPending  0
#endif

    * Initialize inplace execution support *
    XIPInit(LoaderBlock)

    * Set maximum update to 75 *
    InbvSetProgressBarSubset(25 75)

    * Initialize the IO Subsystem *
    if (IoInitSystem(LoaderBlock)) KeBugCheck(IO1_INITIALIZATION_FAILED)

    * Set maximum update to 100 *
    InbvSetProgressBarSubset(0 100)

    * Are we in safe mode *
    if (InitSafeBootMode)
    {
        * Open the safe boot key *
        RtlInitUnicodeString(&KeyName
                             L＼＼REGISTRY＼＼MACHINE＼＼SYSTEM＼＼CURRENTCONTROLSET
                             L＼＼CONTROL＼＼SAFEBOOT)
        InitializeObjectAttributes(&ObjectAttributes
                                   &KeyName
                                   OBJ_CASE_INSENSITIVE
                                   NULL
                                   NULL)
        Status  ZwOpenKey(&KeyHandle KEY_ALL_ACCESS &ObjectAttributes)
        if (NT_SUCCESS(Status))
        {
            * First check if we have an alternate shell *
            if (AlternateShell)
            {
                * Make sure that the registry has one setup *
                RtlInitUnicodeString(&KeyName LAlternateShell)
                Status  NtQueryValueKey(KeyHandle
                                         &KeyName
                                         KeyValuePartialInformation
                                         &KeyPartialInfo
                                         sizeof(KeyPartialInfo)
                                         &Length)
                if (NT_SUCCESS(Status)) AlternateShell  FALSE
            }

            * Create the option key *
            RtlInitUnicodeString(&KeyName LOption)
            InitializeObjectAttributes(&ObjectAttributes
                                       &KeyName
                                       OBJ_CASE_INSENSITIVE
                                       KeyHandle
                                       NULL)
            Status  ZwCreateKey(&OptionHandle
                                 KEY_ALL_ACCESS
                                 &ObjectAttributes
                                 0
                                 NULL
                                 REG_OPTION_VOLATILE
                                 &Disposition)
            NtClose(KeyHandle)

            * Check if the key create worked *
            if (NT_SUCCESS(Status))
            {
                * Write the safe boot type *
                RtlInitUnicodeString(&KeyName LOptionValue)
                NtSetValueKey(OptionHandle
                              &KeyName
                              0
                              REG_DWORD
                              &InitSafeBootMode
                              sizeof(InitSafeBootMode))

                * Check if we have to use an alternate shell *
                if (AlternateShell)
                {
                    * Remember this for later *
                    Disposition  TRUE
                    RtlInitUnicodeString(&KeyName LUseAlternateShell)
                    NtSetValueKey(OptionHandle
                                  &KeyName
                                  0
                                  REG_DWORD
                                  &Disposition
                                  sizeof(Disposition))
                }

                * Close the options key handle *
                NtClose(OptionHandle)
            }
        }
    }

    * Are we in Win PE mode *
    if (InitIsWinPEMode)
    {
        * Open the safe control key *
        RtlInitUnicodeString(&KeyName
                             L＼＼REGISTRY＼＼MACHINE＼＼SYSTEM＼＼CURRENTCONTROLSET
                             L＼＼CONTROL)
        InitializeObjectAttributes(&ObjectAttributes
                                   &KeyName
                                   OBJ_CASE_INSENSITIVE
                                   NULL
                                   NULL)
        Status  ZwOpenKey(&KeyHandle KEY_ALL_ACCESS &ObjectAttributes)
        if (NT_SUCCESS(Status))
        {
            * Bugcheck *
            KeBugCheckEx(PHASE1_INITIALIZATION_FAILED Status 6 0 0)
        }

        * Create the MiniNT key *
        RtlInitUnicodeString(&KeyName LMiniNT)
        InitializeObjectAttributes(&ObjectAttributes
                                   &KeyName
                                   OBJ_CASE_INSENSITIVE
                                   KeyHandle
                                   NULL)
        Status  ZwCreateKey(&OptionHandle
                             KEY_ALL_ACCESS
                             &ObjectAttributes
                             0
                             NULL
                             REG_OPTION_VOLATILE
                             &Disposition)
        if (NT_SUCCESS(Status))
        {
            * Bugcheck *
            KeBugCheckEx(PHASE1_INITIALIZATION_FAILED Status 6 0 0)
        }

        * Close the handles *
        NtClose(KeyHandle)
        NtClose(OptionHandle)
    }

    * Unmap Low memory and initialize the MPW and Balancer Thread *
    MmInitSystem(2 LoaderBlock)

    * Update progress bar *
    InbvUpdateProgressBar(80)

    * Initialize VDM support *
#if defined(_M_IX86)
    KeI386VdmInitialize()
#endif

    * Initialize Power Subsystem in Phase 1*
    if (PoInitSystem(1)) KeBugCheck(INTERNAL_POWER_ERROR)

    * Initialize the Process Manager at Phase 1 *
    if (PsInitSystem(LoaderBlock)) KeBugCheck(PROCESS1_INITIALIZATION_FAILED)

    * Update progress bar *
    InbvUpdateProgressBar(85)

    * Make sure nobody touches the loader block again *
    if (LoaderBlock  KeLoaderBlock) KeLoaderBlock  NULL
    LoaderBlock  Context  NULL

    * Update progress bar *
    InbvUpdateProgressBar(90)

    * Launch initial process *
    ProcessInfo  &InitBuffer>ProcessInfo 面载入 smssexe 核应程序
    ExpLoadInitialProcess(InitBuffer &ProcessParameters &Environment)

    * Update progress bar *
    InbvUpdateProgressBar(100)

    * Allow strings to be displayed *
    InbvEnableDisplayString(TRUE)

    * Wait 5 seconds for it to initialize *
    TimeoutQuadPart  Int32x32To64(5 10000000) 等面进程5秒钟 变成信号 否崩溃
    Status  ZwWaitForSingleObject(ProcessInfo>ProcessHandle FALSE &Timeout)
    if (InbvBootDriverInstalled) FinalizeBootLogo()
    if (Status  STATUS_SUCCESS)
    {
        * Failed display error * 失败显示 回话启动失败
        RtlInitUnicodeString(&DebugString LINIT Session Manager terminated)
        ZwDisplayString(&DebugString)

        * Bugcheck the system if SMSS couldn＇t initialize *
        KeBugCheck(SESSION5_INITIALIZATION_FAILED)
    }

    * Close process handles *
    ZwClose(ProcessInfo>ThreadHandle)
    ZwClose(ProcessInfo>ProcessHandle)

    * Free the initial process environment *
    Size  0
    ZwFreeVirtualMemory(NtCurrentProcess()
                        (PVOID*)&Environment
                        &Size
                        MEM_RELEASE)

    * Free the initial process parameters *
    Size  0
    ZwFreeVirtualMemory(NtCurrentProcess()
                        (PVOID*)&ProcessParameters
                        &Size
                        MEM_RELEASE)

    * Increase init phase *
    ExpInitializationPhase++

    * Free the boot buffer *
    ExFreePool(InitBuffer)
}

VOID
NTAPI
Phase1Initialization(IN PVOID Context)   systemThread 系统线程  入口函数
{
    * Do the INIT part of Phase 1 which we can free later *
    Phase1InitializationDiscard(Context)

    * Jump into zero page thread *
    MmZeroPageThreadMain(NULL)            堕落空闲线程 页面清零线程
}
BOOLEAN
NTAPI
PsInitSystem(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
{
    * Check the initialization phase *
    switch (ExpInitializationPhase)
    {
    case 0

        * Do Phase 0 *
        return PspInitPhase0(LoaderBlock)安装系统线程 线程

    case 1

        * Do Phase 1 *
        return PspInitPhase1()

    default

        * Don＇t know any other phase Bugcheck *
        KeBugCheckEx(UNEXPECTED_INITIALIZATION_CALL
                     1
                     ExpInitializationPhase
                     0
                     0)
        return FALSE
    }
}
BOOLEAN
NTAPI
PspInitPhase1()
{
    * Initialize the System DLL and return status of operation *
    if (NT_SUCCESS(PspInitializeSystemDll())) return FALSE
    return TRUE 载入映射 NTDLLdll 中介模块
}

BOOLEAN
NTAPI
PspInitPhase0(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
{
    NTSTATUS Status
    OBJECT_ATTRIBUTES ObjectAttributes
    HANDLE SysThreadHandle
    PETHREAD SysThread
    MM_SYSTEMSIZE SystemSize
    UNICODE_STRING Name
    OBJECT_TYPE_INITIALIZER ObjectTypeInitializer
    ULONG i

    * Get the system size *
    SystemSize  MmQuerySystemSize()

    * Setup some memory options *
    PspDefaultPagefileLimit  1
    switch (SystemSize)
    {
        * Medimum systems *
        case MmMediumSystem

            * Increase the WS sizes a bit *
            PsMinimumWorkingSet + 10
            PsMaximumWorkingSet + 100

        * Large systems *
        case MmLargeSystem

            * Increase the WS sizes a bit more *
            PsMinimumWorkingSet + 30
            PsMaximumWorkingSet + 300

        * Small and other systems *
        default
            break
    }

    * Setup callbacks *  安装种 回调函数
    for (i  0 i < PSP_MAX_CREATE_THREAD_NOTIFY i++)
    {
        ExInitializeCallBack(&PspThreadNotifyRoutine[i]) 线程安装时候回调函数
    }
    for (i  0 i < PSP_MAX_CREATE_PROCESS_NOTIFY i++)
    {
        ExInitializeCallBack(&PspProcessNotifyRoutine[i]) 进程安装时候回调函数
    }
    for (i  0 i < PSP_MAX_LOAD_IMAGE_NOTIFY i++)
    {
        ExInitializeCallBack(&PspLoadImageNotifyRoutine[i]) 载入模块时候回调函数
    }

    * Setup the quantum table *
    PsChangeQuantumTable(FALSE PsRawPrioritySeparation)

    * Set quota settings *
    if (PspDefaultPagedLimit) PspDefaultPagedLimit  0
    if (PspDefaultNonPagedLimit) PspDefaultNonPagedLimit  0
    if ((PspDefaultNonPagedLimit) && (PspDefaultPagedLimit))
    {
        * Enable givebacks *
        PspDoingGiveBacks  TRUE
    }
    else
    {
        * Disable them *
        PspDoingGiveBacks  FALSE
    }

    * Now multiply limits by 1MB *
    PspDefaultPagedLimit << 20
    PspDefaultNonPagedLimit << 20
    if (PspDefaultPagefileLimit  MAXULONG) PspDefaultPagefileLimit << 20

    * Initialize the Active Process List *
    InitializeListHead(&PsActiveProcessHead)  活动进程链表 
    KeInitializeGuardedMutex(&PspActiveProcessMutex)

    * Get the idle process *
    PsIdleProcess  PsGetCurrentProcess()

    * Setup the locks *
    PsIdleProcess>ProcessLockValue  0
    ExInitializeRundownProtection(&PsIdleProcess>RundownProtect)

    * Initialize the thread list *
    InitializeListHead(&PsIdleProcess>ThreadListHead)

    * Clear kernel time *
    PsIdleProcess>PcbKernelTime  0

    * Initialize Object Initializer *
    RtlZeroMemory(&ObjectTypeInitializer sizeof(ObjectTypeInitializer))
    ObjectTypeInitializerLength  sizeof(ObjectTypeInitializer)
    ObjectTypeInitializerInvalidAttributes  OBJ_OPENLINK |
                                              OBJ_PERMANENT |
                                              OBJ_EXCLUSIVE |
                                              OBJ_OPENIF
    ObjectTypeInitializerPoolType  NonPagedPool
    ObjectTypeInitializerSecurityRequired  TRUE

    * Initialize the Process type *
    RtlInitUnicodeString(&Name LProcess)
    ObjectTypeInitializerDefaultNonPagedPoolCharge  sizeof(EPROCESS)
    ObjectTypeInitializerGenericMapping  PspProcessMapping
    ObjectTypeInitializerValidAccessMask  PROCESS_ALL_ACCESS
    ObjectTypeInitializerDeleteProcedure  PspDeleteProcess
    ObCreateObjectType(&Name &ObjectTypeInitializer NULL &PsProcessType)

    *  Initialize the Thread type  *
    RtlInitUnicodeString(&Name LThread)
    ObjectTypeInitializerLength  sizeof(ObjectTypeInitializer)
    ObjectTypeInitializerDefaultNonPagedPoolCharge  sizeof(ETHREAD)
    ObjectTypeInitializerGenericMapping  PspThreadMapping
    ObjectTypeInitializerValidAccessMask  THREAD_ALL_ACCESS
    ObjectTypeInitializerDeleteProcedure  PspDeleteThread
    ObCreateObjectType(&Name &ObjectTypeInitializer NULL &PsThreadType)

    *  Initialize the Job type  *
    RtlInitUnicodeString(&Name LJob)
    ObjectTypeInitializerLength  sizeof(ObjectTypeInitializer)
    ObjectTypeInitializerDefaultNonPagedPoolCharge  sizeof(EJOB)
    ObjectTypeInitializerGenericMapping  PspJobMapping
    ObjectTypeInitializerValidAccessMask  JOB_OBJECT_ALL_ACCESS
    ObjectTypeInitializerDeleteProcedure  PspDeleteJob
    ObCreateObjectType(&Name &ObjectTypeInitializer NULL &PsJobType)

    * Initialize job structures external to this file *
    PspInitializeJobStructures()

    * Initialize the Working Set data *
    InitializeListHead(&PspWorkingSetChangeHeadList)
    KeInitializeGuardedMutex(&PspWorkingSetChangeHeadLock)

    * Create the CID Handle table *
    PspCidTable  ExCreateHandleTable(NULL)  全局 客户 句柄表
    if (PspCidTable) return FALSE

    * FIXME Initialize LDTVDM support *

    * Setup the reaper *
    ExInitializeWorkItem(&PspReaperWorkItem PspReapRoutine NULL)

    * Set the boot access token *
    PspBootAccessToken  (PTOKEN)(PsIdleProcess>TokenValue & ~MAX_FAST_REFS)

    * Setup default object attributes *
    InitializeObjectAttributes(&ObjectAttributes
                               NULL
                               0
                               NULL
                               NULL)  啥空

    * Create the Initial System Process *   system 进程
    Status  PspCreateProcess(&PspInitialSystemProcessHandle 初始化进程
                              PROCESS_ALL_ACCESS
                              &ObjectAttributes
                              0
                              FALSE
                              0
                              0
                              0
                              FALSE)
    if (NT_SUCCESS(Status)) return FALSE

    * Get a reference to it *
    ObReferenceObjectByHandle(PspInitialSystemProcessHandle
                              0
                              PsProcessType
                              KernelMode
                              (PVOID*)&PsInitialSystemProcess
                              NULL)

    * Copy the process names *  
    前面 没 进程结构体 构建 空闲进程 唯单线程吧
    strcpy(PsIdleProcess>ImageFileName Idle)  第进程    空闲进程 
    strcpy(PsInitialSystemProcess>ImageFileName System)  刚创建  系统进程

    * Allocate a structure for the audit name *  审核名字
    PsInitialSystemProcess>SeAuditProcessCreationInfoImageFileName 
        ExAllocatePoolWithTag(PagedPool
                              sizeof(OBJECT_NAME_INFORMATION)
                              TAG_SEPA)
    if (PsInitialSystemProcess>SeAuditProcessCreationInfoImageFileName)
    {
        * Allocation failed *
        return FALSE
    }
    * Zero it *
    RtlZeroMemory(PsInitialSystemProcess>
                  SeAuditProcessCreationInfoImageFileName
                 sizeof(OBJECT_NAME_INFORMATION))
    * Setup the system initialization thread *
    Status  PsCreateSystemThread(&SysThreadHandle
                                  THREAD_ALL_ACCESS
                                  &ObjectAttributes
                                  0
                                  NULL
                                  Phase1Initialization  安装系统线程 线程
                                  LoaderBlock)
    if (NT_SUCCESS(Status)) return FALSE
    * Create a handle to it *
    ObReferenceObjectByHandle(SysThreadHandle
                              0
                              PsThreadType
                              KernelMode
                              (PVOID*)&SysThread
                              NULL)
    ZwClose(SysThreadHandle)
    SysThreadCreated  TRUE
    * Return success *
    return TRUE
}
文档香网(httpswwwxiangdangnet)户传

《香当网》用户分享的内容，不代表《香当网》观点或立场，请自行判断内容的真实性和可靠性！
该内容是文档的文本内容，更好的格式请下载文档