深入底层 评估Vista内核模式的安全性

核心提示： ***Windowsisunabletoverifythesignatureofthefile%s.Itwillbeallowedtoloadbecausethebootdebuggerisenabled.Usegtocontinue!!如果调试器是存在的，那么可以通过调用DbgBreak

　　　***Windowsisunabletoverifythesignatureofthefile%s.
　　Itwillbeallowedtoloadbecausethebootdebuggerisenabled.
　　Usegtocontinue!!

如果调试器是存在的，那么可以通过调用DbgBreakPoint来进行激活;另外，在这里通过调用ReportCodeIntegrityFailure替换了系统提示致命错误的错误形式。

当所有的完整性检查结束后(unless all integrity checks have been disabled)，OslInitializeCodeIntegrity会返回成功状态，然后会继续从OslMain开始执行。接着，OslpLoadAllModules被调用并开始加载系统模块。首先，会调用OslLoadImage来加载NTOSKRNL.EXE和HAL.DLL，在这里仅仅是加载，此时没有解决Imports;第二，如果内核调试被开启，调试驱动会依靠启动调试选项的情况被加载(kdcom.dll for serial port, kd1394.dll for IEEE1394, or kdusb.dll for USB)。第三，NTOSKRNL.EXE的Imports被加载和初始化(使用LoadImports和BindImportRefences函数)。

OslLoadImage calls GetImageValidationFlags to check the filename against a pre-defined list of boot drivers in LoadBootImagesTable. If integrity checks are enabled, then boot drivers must be signed by a trusted root authority and all the image hashes must match the signed catalog file unless a debugger is enabled. If a debugger is enabled, WINLOAD.EXE does not enforce this requirement. Instead it will print an error message to the debugger, but will otherwise ignore the code integrity check failure. However, the following boot drivers (also listed in Appendix A) must pass the code integrity checks even if a debugger is enabled (otherwise WINLOAD.EXE will refuse to boot Windows Vista):