nt!MmCreatePeb函数分析之peb中OSMajorVersion的由来

第一部分：

NTSTATUS
MmCreatePeb (
IN PEPROCESS TargetProcess,
IN PINITIAL_PEB InitialPeb,
OUT PPEB *Base
)
{
PPEB PebBase;

        PebBase->OSMajorVersion = NtMajorVersion;
PebBase->OSMinorVersion = NtMinorVersion;
PebBase->OSBuildNumber = (USHORT)(NtBuildNumber & 0x3FFF);
PebBase->OSPlatformId = 2;      // VER_PLATFORM_WIN32_NT from winbase.h
PebBase->OSCSDVersion = (USHORT)CmNtCSDVersion;

第二部分：

0: kd> kc

nt!MmCreatePeb
nt!PspCreateProcess
nt!NtCreateProcessEx
nt!_KiSystemService
SharedUserData!SystemCallStub
ntdll!ZwCreateProcessEx
kernel32!CreateProcessInternalW
kernel32!CreateProcessW
cmd!ExecPgm
cmd!ECWork
cmd!ExtCom
cmd!FindFixAndRun
cmd!Dispatch
cmd!main
cmd!mainCRTStartup
kernel32!BaseProcessStart
0: kd> kv
ChildEBP RetAddr  Args to Child              
ba10eb74 80d3a7da 892f72d0 ba10ec80 892f7460 nt!MmCreatePeb (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\mm\procsup.c @ 6255]
ba10ecd8 80d3af36 0012fa74 001f0fff 00000000 nt!PspCreateProcess+0x61a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ps\create.c @ 1623]
ba10ed2c 80afbcb2 0012fa74 001f0fff 00000000 nt!NtCreateProcessEx+0xae (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ps\create.c @ 955]
ba10ed2c 7ffe0304 0012fa74 001f0fff 00000000 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ ba10ed64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]
0012f0c0 77f2ed58 77e61163 0012fa74 001f0fff SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
0012f0c4 77e61163 0012fa74 001f0fff 00000000 ntdll!ZwCreateProcessEx+0xc (FPO: [9,0,0]) [d:\srv03rtm\base\ntdll\daytona\obj\i386\usrstubs.asm @ 523]
0012fa9c 77e61e74 00000000 00144d20 001466c0 kernel32!CreateProcessInternalW+0x11c8 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\win32\client\process.c @ 3573]
0012fad4 4ad0c5de 00144d20 001466c0 00000000 kernel32!CreateProcessW+0x2a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\win32\client\process.c @ 4637]
0012fc20 4ad0d1fa 00146630 001450a8 00000000 cmd!ExecPgm+0x200 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\cmd\cext.c @ 480]
0012fc54 4ad0d302 00146630 00000000 00000000 cmd!ECWork+0x6a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\cmd\cext.c @ 204]
0012fc6c 4ad124b1 00146630 00000001 00146630 cmd!ExtCom+0x3a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\cmd\cext.c @ 87]
0012fe98 4ad12dff 00146630 00000001 00000002 cmd!FindFixAndRun+0x111 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\cmd\cmd.c @ 1345]
0012fee0 4ad130cc 00000000 00000001 00000000 cmd!Dispatch+0x1a7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\cmd\cmd.c @ 683]
0012ff44 4ad21754 00000001 00363cf8 00362f68 cmd!main+0x280 (FPO: [Non-Fpo]) (CONV: cdecl) [d:\srv03rtm\base\cmd\cmd.c @ 431]
0012ffc0 77e62c34 00000000 00000000 7ffdf000 cmd!mainCRTStartup+0x12f (FPO: [Non-Fpo]) (CONV: cdecl) [d:\srv03rtm\base\crts\crtw32\dllstuff\crtexe.c @ 501]
0012fff0 00000000 4ad21625 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\win32\client\support.c @ 580]

0: kd> x nt!NtMajorVersion
80a040ac nt!NtMajorVersion = 5

第三部分：

./base/ntos/init/init.c:137:const ULONG NtMajorVersion = VER_PRODUCTMAJORVERSION;

./base/ntos/init/init.c

#include "ntos.h"
#include "ntimage.h"
#include <zwapi.h>
#include <ntdddisk.h>
#include <kddll.h>
#include <setupblk.h>
#include <fsrtl.h>
#include <ntverp.h>        //#include <ntverp.h>

const ULONG NtMajorVersion = VER_PRODUCTMAJORVERSION;
const ULONG NtMinorVersion = VER_PRODUCTMINORVERSION;

#if DBG
ULONG NtBuildNumber = VER_PRODUCTBUILD | 0xC0000000;
#else
ULONG NtBuildNumber = VER_PRODUCTBUILD | 0xF0000000;
#endif