Geoff Chappell - Software Analyst
The BLDR_DATA_TABLE_ENTRY (formally _BLDR_DATA_TABLE_ENTRY) is the boot loader’s description of a binary that it loaded in advance of the kernel’s execution. It is here thought to date from version 6.2. In earlier versions, the boot loader uses the same KLDR_DATA_TABLE_ENTRY as does the kernel. Go far enough back and both the boot loader and kernel use the same LDR_DATA_TABLE_ENTRY as does NTDLL.
Though Microsoft is not known ever to have documented the BLDR_DATA_TABLE_ENTRY, Microsoft has published a C-language definition. This was in a header named arc.h in the Windows Driver Kit (WDK) for the original and 1511 releases of Windows 10. It must be noted, however, that this publication looks for all the world like an accidental disclosure. The header is in a subdirectory (named “minwin”) of a directory named “um” as if for user-mode programming, but the BLDR_DATA_TABLE_ENTRY, if not everything else in the header, is long gone by the time any user-mode code gets to execute. Mistake or not, the header then disappeared from the WDK.
Even while its C-language definitions were published, the BLDR_DATA_TABLE_ENTRY did not appear in public symbol files—not for the kernel, nor in any other symbol files in the downloadable packages of public symbols.
The BLDR_DATA_TABLE_ENTRY seems not to have changed at all, in terms of its members and definitions, since version 6.2 introduced it by appending members to the KLDR_DATA_TABLE_ENTRY. It is 0x8C and 0xE8 bytes in 32-bit and 64-bit Windows, respectively, at least to the 2004 release of Windows 10.
Offsets and Microsoft’s definitions are known from the published ARC.H for two releases of Windows. Confirmation for other versions, starting from Windows 8 but ending with the 1903 release of Windows 10, is given by type information in a statically linked library named CLFSMGMT.LIB which Microsoft publishes with the Software Development Kit (SDK).
Offset (x86) | Offset (x64) | Definition | Versions |
---|---|---|---|
0x00 | 0x00 | KLDR_DATA_TABLE_ENTRY KldrEntry; | 6.2 and higher |
0x5C | 0xA0 | UNICODE_STRING CertificatePublisher; | 6.2 and higher |
0x64 | 0xB0 | UNICODE_STRING CertificateIssuer; | 6.2 and higher |
0x6C | 0xC0 | PVOID ImageHash; | 6.2 and higher |
0x70 | 0xC8 | PVOID CertificateThumbprint; | 6.2 and higher |
0x74 | 0xD0 | ULONG ImageHashAlgorithm; | 6.2 and higher |
0x78 | 0xD4 | ULONG ThumbprintHashAlgorithm; | 6.2 and higher |
0x7C | 0xD8 | ULONG ImageHashLength; | 6.2 and higher |
0x80 | 0xDC | ULONG CertificateThumbprintLength; | 6.2 and higher |
0x84 | 0xE0 | ULONG LoadInformation; | 6.2 and higher |
0x88 | 0xE4 | ULONG Flags; | 6.2 and higher |
That the following bits are defined for the Flags is known from the published ARC.H:
Mask | Name | Versions |
---|---|---|
0x00000001 | BLDR_FLAGS_CORE_DRIVER_DEPENDENT_DLL | 6.2 and higher |
0x00000002 | BLDR_FLAGS_CORE_EXTENSION_DEPENDENT_DLL | 10.0 and higher |
As for which versions have which flags, this is from inspection of binaries. For whether later releases of Windows 10 define more flags (or even use more), further study is required.
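The following C is an added example, not from this article and not Microsoft's arc.h. It models the layout tabulated above for both the x86 and x64 cases, using fixed-width integers in place of pointers so that the article's offsets and the stated sizes (0x8C and 0xE8) can be checked with offsetof and sizeof on any host, and it decodes the two Flags bits named above while reporting any other bits that are set, which is the check to run when asking whether a later release defines more flags. The embedded KLDR_DATA_TABLE_ENTRY, whose own members this page does not cover, is modelled only as an opaque byte array of the size the table implies (0x5C on x86, 0xA0 on x64). The type names BLDR_X86 and BLDR_X64 and the function names are the example's own.

```c
/* Added example: a host-independent model of BLDR_DATA_TABLE_ENTRY as laid
 * out in the table above. Not Microsoft's definition; KLDR_DATA_TABLE_ENTRY
 * is opaque here because its members are not described on this page. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PTR is the pointer-sized integer of the model (uint32_t for x86, uint64_t
 * for x64); KLDR_SIZE is the size of the embedded KLDR_DATA_TABLE_ENTRY. */
#define DEFINE_BLDR_MODEL(NAME, PTR, KLDR_SIZE)                               \
    typedef struct { uint16_t Length; uint16_t MaximumLength; PTR Buffer; }   \
        NAME##_UNICODE_STRING;                                                \
    typedef struct {                                                          \
        uint8_t KldrEntry[KLDR_SIZE];   /* opaque KLDR_DATA_TABLE_ENTRY */    \
        NAME##_UNICODE_STRING CertificatePublisher;                           \
        NAME##_UNICODE_STRING CertificateIssuer;                              \
        PTR ImageHash;                                                        \
        PTR CertificateThumbprint;                                            \
        uint32_t ImageHashAlgorithm;                                          \
        uint32_t ThumbprintHashAlgorithm;                                     \
        uint32_t ImageHashLength;                                             \
        uint32_t CertificateThumbprintLength;                                 \
        uint32_t LoadInformation;                                             \
        uint32_t Flags;                                                       \
    } NAME;

DEFINE_BLDR_MODEL(BLDR_X86, uint32_t, 0x5C)   /* sizes from the article */
DEFINE_BLDR_MODEL(BLDR_X64, uint64_t, 0xA0)

/* One check per member: counts 1 for each architecture whose computed
 * offset disagrees with the offset the article gives. */
#define CHECK(member, exp86, exp64)                                           \
    ((offsetof(BLDR_X86, member) != (exp86)) + (offsetof(BLDR_X64, member) != (exp64)))

/* Returns the number of offsets/sizes at which the C model disagrees with
 * the article's table; 0 means the table is internally consistent. */
int bldr_layout_mismatches(void)
{
    int bad = 0;
    bad += CHECK(KldrEntry,                   0x00, 0x00);
    bad += CHECK(CertificatePublisher,        0x5C, 0xA0);
    bad += CHECK(CertificateIssuer,           0x64, 0xB0);
    bad += CHECK(ImageHash,                   0x6C, 0xC0);
    bad += CHECK(CertificateThumbprint,       0x70, 0xC8);
    bad += CHECK(ImageHashAlgorithm,          0x74, 0xD0);
    bad += CHECK(ThumbprintHashAlgorithm,     0x78, 0xD4);
    bad += CHECK(ImageHashLength,             0x7C, 0xD8);
    bad += CHECK(CertificateThumbprintLength, 0x80, 0xDC);
    bad += CHECK(LoadInformation,             0x84, 0xE0);
    bad += CHECK(Flags,                       0x88, 0xE4);
    bad += (sizeof(BLDR_X86) != 0x8C) + (sizeof(BLDR_X64) != 0xE8);
    return bad;
}

/* The two Flags bits known from the published ARC.H. */
#define BLDR_FLAGS_CORE_DRIVER_DEPENDENT_DLL    0x00000001u
#define BLDR_FLAGS_CORE_EXTENSION_DEPENDENT_DLL 0x00000002u
#define BLDR_FLAGS_KNOWN (BLDR_FLAGS_CORE_DRIVER_DEPENDENT_DLL | \
                          BLDR_FLAGS_CORE_EXTENSION_DEPENDENT_DLL)

/* Bits set in Flags that the article does not name. A nonzero result in a
 * dump from a later release is evidence of flags still to be documented. */
uint32_t bldr_flags_unknown(uint32_t flags) { return flags & ~BLDR_FLAGS_KNOWN; }

/* Writes the names of the set known flags into buf, '|' separated, and
 * appends "unknown:0x........" if unrecognised bits are set. Returns the
 * number of known flags that were set. Output is truncated safely. */
int bldr_flags_describe(uint32_t flags, char *buf, size_t n)
{
    static const struct { uint32_t mask; const char *name; } names[] = {
        { BLDR_FLAGS_CORE_DRIVER_DEPENDENT_DLL,    "CORE_DRIVER_DEPENDENT_DLL" },
        { BLDR_FLAGS_CORE_EXTENSION_DEPENDENT_DLL, "CORE_EXTENSION_DEPENDENT_DLL" },
    };
    size_t used = 0;
    int count = 0, w;
    if (n == 0) return 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (!(flags & names[i].mask)) continue;
        w = snprintf(buf + used, n - used, "%s%s", count ? "|" : "", names[i].name);
        used = (w < 0 || (size_t)w >= n - used) ? n - 1 : used + (size_t)w;
        count++;
    }
    if (bldr_flags_unknown(flags))
        snprintf(buf + used, n - used, "%sunknown:0x%08x", count ? "|" : "",
                 (unsigned)bldr_flags_unknown(flags));
    return count;
}

/* Convenience wrapper returning a static string (not thread-safe). */
const char *bldr_flags_string(uint32_t flags)
{
    static char buf[128];
    bldr_flags_describe(flags, buf, sizeof buf);
    return buf;
}

int main(void)
{
    printf("layout mismatches against the table: %d\n", bldr_layout_mismatches());
    printf("sizeof x86 = 0x%zX, sizeof x64 = 0x%zX\n", sizeof(BLDR_X86), sizeof(BLDR_X64));
    printf("Flags 0x00000005 -> %s\n", bldr_flags_string(0x5u)); /* constructed value */
    return 0;
}
```

Because both models are built from fixed-width types, the check runs the same on a Linux or Windows host of either bitness; a mismatch count of zero confirms that every offset in the table follows from natural alignment of the member before it and that the totals are the 0x8C and 0xE8 the text states. The unknown-bits decode is the practical side of the open question in the last paragraph: a Flags value with bits beyond 0x3 set, taken from a later release, would be the evidence that more flags are defined or used.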