nt!MiInitializeLoadedModuleList分析和全局变量nt!PsLoadedModuleList初始化和LoaderBlock-＞LoadOrderListHead的关系非常重要

nt!MiInitializeLoadedModuleList分析和全局变量nt!PsLoadedModuleList初始化和LoaderBlock->LoadOrderListHead的关系非常重要

kd> t
Breakpoint 6 hit
eax=00000001 ebx=00000000 ecx=00000000 edx=00000004 esi=00000001 edi=c0603840
eip=80ec6342 esp=80b1e43c ebp=80b1e4b4 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
nt!MiInitializeLoadedModuleList:
80ec6342 55              push    ebp
kd> kc
 # 
00 nt!MiInitializeLoadedModuleList
01 nt!MmInitSystem
02 nt!ExpInitializeExecutive
03 nt!KiInitializeKernel
04 nt!KiSystemStartup
kd> kv
 # ChildEBP RetAddr  Args to Child              
00 80b1e438 80ecda7b 80076000 00000000 800798e8 nt!MiInitializeLoadedModuleList (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\mm\sysload.c @ 7852] 
01 80b1e4b4 80eb1e55 01000001 80076000 80b2a460 nt!MmInitSystem+0x15fd (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\mm\mminit.c @ 2181] 
02 80b1e638 80ec26cf 00000000 00000002 8003fc00 nt!ExpInitializeExecutive+0x2c7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\init\init.c @ 1031] 
03 80b1e68c 80ec0696 80b2a6c0 80b2a460 80b1e950 nt!KiInitializeKernel+0x409 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\i386\kernlini.c @ 785] 
04 00000000 00000000 00000000 00000000 00000000 nt!KiSystemStartup+0x2d6 [d:\srv03rtm\base\ntos\ke\i386\newsysbg.asm @ 573] 
kd> dv
    LoaderBlock = 0x80076000
 CommittedPages = 0x80ec6342
      NextEntry = 0x00000008

kd> x nt!PsLoadedModuleList
80c2dd70          nt!PsLoadedModuleList = struct _LIST_ENTRY [ 0x0 - 0x0 ]
kd> dx -r1 (*((ntkrpamp!_LIST_ENTRY *)0x80c2dd70))
(*((ntkrpamp!_LIST_ENTRY *)0x80c2dd70))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x0 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x0 [Type: _LIST_ENTRY *]

kd> dv
    LoaderBlock = 0x80076000
 CommittedPages = 0x80ec6342
      NextEntry = 0x00000008

kd> dx -r1 ((ntkrpamp!_LOADER_PARAMETER_BLOCK *)0x80076000)
((ntkrpamp!_LOADER_PARAMETER_BLOCK *)0x80076000)                 : 0x80076000 [Type: _LOADER_PARAMETER_BLOCK *]
    [+0x000] LoadOrderListHead [Type: _LIST_ENTRY]
    [+0x008] MemoryDescriptorListHead [Type: _LIST_ENTRY]
    [+0x010] BootDriverListHead [Type: _LIST_ENTRY]
    [+0x018] KernelStack      : 0x80b1e950 [Type: unsigned long]
    [+0x01c] Prcb             : 0x0 [Type: unsigned long]
    [+0x020] Process          : 0x0 [Type: unsigned long]
    [+0x024] Thread           : 0x80b2a460 [Type: unsigned long]
    [+0x028] RegistryLength   : 0x240000 [Type: unsigned long]
    [+0x02c] RegistryBase     : 0x80100000 [Type: void *]
    [+0x030] ConfigurationRoot : 0x800777a8 [Type: _CONFIGURATION_COMPONENT_DATA *]
    [+0x034] ArcBootDeviceName : 0x80088398 : "multi(0)disk(0)rdisk(0)partition(1)" [Type: char *]
    [+0x038] ArcHalDeviceName : 0x800883d0 : "multi(0)disk(0)rdisk(0)partition(1)" [Type: char *]
    [+0x03c] NtBootPathName   : 0x800883c0 : "\WINDOWS\" [Type: char *]
    [+0x040] NtHalPathName    : 0x800883f8 : "\" [Type: char *]
    [+0x044] LoadOptions      : 0x80078168 : "FASTDETECT  BREAK  3G  PAE  DEBUG  DEBUGPORT=COM1:  BAUDRATE=115200  LASTBOOTSTATUS=2" [Type: char *]
    [+0x048] NlsData          : 0x8007cab0 [Type: _NLS_DATA_BLOCK *]
    [+0x04c] ArcDiskInformation : 0x80078208 [Type: _ARC_DISK_INFORMATION *]
    [+0x050] OemFontFile      : 0x80083090 [Type: void *]
    [+0x054] SetupLoaderBlock : 0x0 [Type: _SETUP_LOADER_BLOCK *]
    [+0x058] Extension        : 0x80076068 [Type: _LOADER_PARAMETER_EXTENSION *]
    [+0x05c] u                [Type: __unnamed]
kd> dx -r1 (*((ntkrpamp!_LIST_ENTRY *)0x80076000))
(*((ntkrpamp!_LIST_ENTRY *)0x80076000))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x800797a8 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x80088300 [Type: _LIST_ENTRY *]

    NextEntry = LoaderBlock->LoadOrderListHead.Flink;
    NextEntryEnd = &LoaderBlock->LoadOrderListHead;

    DataTableEntry2 = CONTAINING_RECORD (NextEntry,
          &nb