hfiref0x/OslpDetermineKernelHal

## OslpDetermineKernelHal
winload!BlArchIsFiveLevelPagingActive

  bResult = 0;
  cr0value = __readcr0();
  if ( (cr0value & 0x80000000) != 0 && (__readmsr(0xC0000080) & 0x400) != 0 )
  {
    cr4value = __readcr4();
    return (cr4value & 0x1000) != 0i64;
  }
  return bResult;


 winload!OslpDetermineKernelHal

  if ( !BlAppendUnicodeToString(HalName, L"hal.dll") )
    return 0xC0000017i64;
  result = BlUtlGetAcpiTable(&v12, 'CIPA');
  if ( result < 0 )
    return result;
  IsFiveLevelPagingActive = BlArchIsFiveLevelPagingActive();
  FileName = L"ntoskrnl.exe";
  if ( IsFiveLevelPagingActive )
    FileName = L"ntkrla57.exe";
  if ( !BlAppendUnicodeToString(KernelName, FileName) )

## OslpLoadAllModules.c
winload!OslpLoadAllModules

ntStatus = OslpDetermineKernelHal(&KernelFileName, &HalFileName);
  if ( ntStatus >= 0 )
  {
    if ( BlAppendUnicodeToString(KernelFullPathName, L"system32\\") )
    {
      LOWORD(v105) = KernelFullPathName->Length;
      if ( !OslIsTcbLaunchEnabled(v17) )
      {
        ntStatus = OslpAllocateSystemBuffers(
                     &KernelFullPathName->Length,
                     a3,
                     v9,
                     &KernelFileName,
                     Src,
                     &v101,
                     &v100,
                     &v89,
                     &v102,
                     &v95);
        if ( ntStatus < 0 )
          goto LABEL_101;
        v13 = v100;
        v14 = v89;
      }
      if ( BlAppendUnicodeToString(KernelFullPathName, KernelFileName.Buffer) )
      {
        v18 = a1 + 2;
        ntStatus = OslLoadImage(
                     a3,
                     0i64,
                     0xE0000012,
                     KernelFullPathName->Buffer,
                     L"ntoskrnl.exe",
                     0i64,
                     v13,
                     v14,
                     (a1 + 2),
                     &v91,
                     v81,
                     v84,
                     4,
                     0x100u,
                     0i64);

.......


    KernelFullPathName->Buffer[v33] = 0;
        KernelFullPathName->Length = v31;
        if ( BlAppendUnicodeToString(KernelFullPathName, Buffer) )
        {
          Image = OslLoadImage(
                    a3,
                    0i64,
                    -536870894,
                    KernelFullPathName->Buffer,
                    L"hal.dll",
                    0i64,
                    0i64,
                    0,
                    (a1 + 2),
                    &v96,
                    v82,
                    v85,
                    0,
                    0x101u,
                    0i64);
	winload!BlArchIsFiveLevelPagingActive

	bResult = 0;
	cr0value = __readcr0();
	if ( (cr0value & 0x80000000) != 0 && (__readmsr(0xC0000080) & 0x400) != 0 )
	{
	cr4value = __readcr4();
	return (cr4value & 0x1000) != 0i64;
	}
	return bResult;


	winload!OslpDetermineKernelHal

	if ( !BlAppendUnicodeToString(HalName, L"hal.dll") )
	return 0xC0000017i64;
	result = BlUtlGetAcpiTable(&v12, 'CIPA');
	if ( result < 0 )
	return result;
	IsFiveLevelPagingActive = BlArchIsFiveLevelPagingActive();
	FileName = L"ntoskrnl.exe";
	if ( IsFiveLevelPagingActive )
	FileName = L"ntkrla57.exe";
	if ( !BlAppendUnicodeToString(KernelName, FileName) )
	winload!OslpLoadAllModules

	ntStatus = OslpDetermineKernelHal(&KernelFileName, &HalFileName);
	if ( ntStatus >= 0 )
	{
	if ( BlAppendUnicodeToString(KernelFullPathName, L"system32\\") )
	{
	LOWORD(v105) = KernelFullPathName->Length;
	if ( !OslIsTcbLaunchEnabled(v17) )
	{
	ntStatus = OslpAllocateSystemBuffers(
	&KernelFullPathName->Length,
	a3,
	v9,
	&KernelFileName,
	Src,
	&v101,
	&v100,
	&v89,
	&v102,
	&v95);
	if ( ntStatus < 0 )
	goto LABEL_101;
	v13 = v100;
	v14 = v89;
	}
	if ( BlAppendUnicodeToString(KernelFullPathName, KernelFileName.Buffer) )
	{
	v18 = a1 + 2;
	ntStatus = OslLoadImage(
	a3,
	0i64,
	0xE0000012,
	KernelFullPathName->Buffer,
	L"ntoskrnl.exe",
	0i64,
	v13,
	v14,
	(a1 + 2),
	&v91,
	v81,
	v84,
	4,
	0x100u,
	0i64);

	.......


	KernelFullPathName->Buffer[v33] = 0;
	KernelFullPathName->Length = v31;
	if ( BlAppendUnicodeToString(KernelFullPathName, Buffer) )
	{
	Image = OslLoadImage(
	a3,
	0i64,
	-536870894,
	KernelFullPathName->Buffer,
	L"hal.dll",
	0i64,
	0i64,
	0,
	(a1 + 2),
	&v96,
	v82,
	v85,
	0,
	0x101u,
	0i64);