[转帖]2000/xp下读硬盘序列号[汇编]

游侠无极限

我可没这个水平 .686p .model flat, stdcall option casemap :none ; case sensitive ; ######################################################################### include \masm32\include\windows.inc include \masm32\include\user32.inc 1 w* ^& K/ T" }' _% T3 vinclude \masm32\include\kernel32.inc % |+ m% F+ K2 Rinclude \masm32\include\advapi32.inc 2 [4 b$ h% t0 U, c7 I : G8 l$ y9 W1 _( W( [( kincludelib \masm32\lib\user32.lib / M7 X) [& v7 T# U' z$ M; Iincludelib \masm32\lib\kernel32.lib includelib \masm32\lib\advapi32.lib DEBUG = TRUE HMODULE typedef dword 3 m4 C; j9 _; H; Y* f$ ^ @8 `3 yNTSTATUS typedef dword 5 |! f, i. l) C \2 cPACL typedef dword PSECURITY_DESCRIPTOR typedef dword OBJ_INHERIT=2 " S$ ^' S3 B' IOBJ_PERMANENT=10h * _+ x( V. t% `! gOBJ_EXCLUSIVE=20h OBJ_CASE_INSENSITIVE=40h OBJ_OPENIF=80h $ G* Z9 N; F6 ^7 L) P/ bOBJ_OPENLINK =100h OBJ_KERNEL_HANDLE=200 , r8 E5 n. I0 w2 GOBJ_VALID_ATTRIBUTES=3F2h 2 w1 N( e2 C4 y( h* y SE_KERNEL_OBJECT = 6 GRANT_ACCESS =1 1 C+ y- T" j1 y* Z" sNO_INHERITANCE =0 TRUSTEE_IS_NAME=1 8 b3 d8 j- a/ r7 w% e( {TRUSTEE_IS_USER=1 STATUS_SUCCESS =0 # q% S( ?. m7 a g1 L+ KSTATUS_ACCESS_DENIED =0C0000022h ) u8 R8 h% s% O% `+ g8 W $ R1 {2 U) ]8 P3 lSTATUS_ACCESS_VIOLATION equ 0C0000005h STATUS_INFO_LENGTH_MISMATCH equ 0C0000004h 6 I! C* `7 E5 a/ W$ ESystemModuleInformation equ 11 / R" E: j# c" }! k/ R1 n MPVOID TYPEDEF DWORD UNLONG TYPEDEF DWORD CHAR TYPEDEF BYTE 0 {) }# f* Z) n" X% z UNICODE_STRING struct nLength word ? MaximumLength word ? Buffer dword ? 1 m- Y: [# |- M6 YUNICODE_STRING ends : D, M, l0 ~8 q; J5 X0 l, Y OBJECT_ATTRIBUTES struct nLength dword ? 8 }, v$ u) w- j S RootDirectory HANDLE ? ObjectName dword ?UNICODE_STRING Attributes dword ?; SecurityDescriptor dword ?; PVOID // Points to type SECURITY_DESCRIPTOR SecurityQualityOfService dword ?VOID // Points to type SECURITY_QUALITY_OF_SERVICE OBJECT_ATTRIBUTES ends / `' `# G) T' x& K: \5 n TRUSTEE struct pMultipleTrustee dword ?TRUSTEE , R% A: ]) V' C, E MultipleTrusteeOperation dword ?; MULTIPLE_TRUSTEE_OPERATION TrusteeForm dword ?;TRUSTEE_FORM TrusteeType dword ?;TRUSTEE_TYPE " n3 ?3 T' _! R4 @' h ptstrName dword ?;LPTSTR 3 `8 |; ^4 |& H7 s3 s! D/ d @TRUSTEE ends 4 A( ]8 j9 U( B5 w9 A% e EXPLICIT_ACCESS struct . x* ^1 `9 r: E, S' [! Y# P grfAccessPermissions DWORD ? * A" ~* X. d5 g grfAccessMode dword ? ;ACCESS_MODE grfInheritance DWORD ? ; Trustee TRUSTEE <> ; EXPLICIT_ACCESS ends " h- e$ H0 T# |! p9 J! b MyGATE struct ;门结构类型定义 + G2 x& ?( B9 I- F" B4 R OFFSETL WORD ? ;32位偏移的低16位 SELECTOR WORd ? ;选择子 DCOUNT BYTE ? ;双字计数字段 / {! ^8 ^! V: {! n: ?. A9 v GTYPE BYTE ? ;类型 # @ q; d+ g% H7 q OFFSETH WORD ? ;32位偏移的高16位 MyGATE ends IDEINFO struct wGenConfig dw ? * e" X5 w/ `' {6 rwNumCyls dw ?;拄面数 , D1 C- m5 ~& I$ n/ J" k8 {' IwReserved dw ? wNumHeads dw ?;磁头数 wBytesPerTrack dw ?;每道字节数 wBytesPerSector dw ?;每扇区字节数 0 F# ]' m+ Q- s# i) \3 _+ iwSectorsPerTrack dw ?;每道山区数 3 K$ W( U4 i6 j4 X: ^wVendorUnique dw 3 dup (?) sSerialNumber db 20 dup (?);硬盘序列号 wBufferType dw ?; * k" h! D9 ^2 c+ I! @wBufferSize dw ?; ;n * 512 wECCSize dw ? # r; T L/ `6 z0 [( J6 E# B6 |/ GsFirmwareRev db 8 dup (?); 4 q0 x9 n* ^! z9 QsModelNumber db 40 dup (?) wMoreVendorUnique dw ? ; E. ]- `( }" @% qwDoubleWordIO dw ? % ~' ?7 y& j1 u7 q& PwCapabilities dw ? Y) j i" J( [/ y* uwReserved1 dw ? . ~( D0 @3 h0 pwPIOTiming dw ?; wDMATiming dw ?; wBS dw ? 8 I7 \9 u2 H1 k3 AwNumCurrentCyls dw ?; wNumCurrentHeads dw ?; wNumCurrentSectorsPerTrack dw ?; + e! R5 ~* R3 F5 l2 g5 wdwCurrentSectorCapacity dd ?; wMultSectorStuff dw ?; dwTotalAddressableSectors dd ?; wSingleWordDMA dw ?; wMultiWordDMA dw ?; bReserved db 128 dup (?) 5 s% M, b1 `, C. T$ r, [2 G) m8 @IDEINFO ends % `: ?# |. Q/ N& g- E SetPhyscialMemorySectionCanBeWrited proto :dword MiniMmGetPhysicalAddress proto :dword ENTERRING0 macro pushad pushfd cli : t+ V! M. g7 x. A% j: L+ lmov eax,cr0 ;get rid off readonly protect $ y h: G% S& T( Sand eax,0fffeffffh . Y, l @# n p6 p0 \' x7 ^mov cr0,eax 3 {/ [$ U% d0 t$ J& Gendm 1 }7 E' ]& a" \* wLEAVERING0 macro 4 h: M9 B6 E" emov eax,cr0 ;restore readonly protect or eax,10000h mov cr0,eax sti popfd popad retf endm 1 F/ B; B3 q2 E- A+ @ 0 W* @- d& l# A7 J4 FUNICODE_STR macro str irpc _c,<str> j4 `* N$ q; {* r( G! Rdb '&_c' db 0 8 C! W8 H/ ~: g% ]endm endm . O" F% Y( Z. i2 C# _7 d .data? GdtLimit dw ? 4 A9 t3 S6 j* ?0 }0 r7 tGdtAddr dd ? + X7 V0 o; n$ \+ g5 ?* `4 O mapAddr dd ? OldEsp dd ? 6 `/ B/ f6 K5 \9 E; e 3 V$ O/ L! D4 x- g$ treaded dw ? 1 @! Y9 U8 Z! j, A6 A! @buffer db 512 dup(?) : r C! W: l4 E# P3 fShowText db 512*3 dup (?) ' U& k+ b7 k3 ?szBuffer db 1024 dup (?) szModelNumber db 41 dup (?) szSerialNumber db 21 dup (?) ( M" A) |$ F2 K, bszFirmwareRev db 9 dup (?) stIDEINFO IDEINFO 5 u/ f( w7 O5 u0 y$ P$ ~# K ; s0 N% I" M( o. r7 D/ A2 [/ R.data align 4 objname dw objnamestr_size,objnamestr_size+2 objnameptr dd 0 objnamestr equ this byte UNICODE_STR <\Device\PhysicalMemory> ! R" p" O- ]# I" S6 hobjnamestr_size equ $-objnamestr 8 k( X! ~- g$ k7 x/ @0 v% a ' A9 Q% b5 a' Y. a7 jszTitle db 'IDE 硬盘信息',0 $ n8 \ I" y% \2 P6 C# c1 ~szErrInfo db '无法读取硬盘信息',0 szIDEInfo db '柱面数 : %d',0dh,0ah 2 r4 H/ f0 g- r9 ]: m- M db '磁头数 : %d',0dh,0ah 6 t! T2 M3 m: H; R; w3 s7 D db '每道扇区数 : %d',0dh,0ah db '缓冲大小 : %d 扇区',0dh,0ah " u! j8 ]" |; E- ~ db '硬盘型号 : %40s',0dh,0ah : c; f' s, f. F db '序列号 : %20s',0dh,0ah , d3 Q8 T; q9 J/ Y db '版本号 : %8s',0 " | B$ D$ U+ p0 r1 B0 X& \: s , I4 r+ E% Z& kalign 4 2 a* x6 ^" D7 i, @. a5 ~( X. LObjAttr db 24 dup (0) Callgt dq 0 ;call gate's selff Caption db 'Windows XP绝对磁盘读写',0 Digit db '0123456789ABCDEF',0 ! z# w/ U$ _$ [.code / C9 x8 V! n' [- e, B_ShowBuffer proc ;显示所读出的信息 ;把数据转换成16进制的形式 mov [readed],512 ! O/ s( w$ Q ], x# \% G' d* ^ mov esi,offset buffer ;数据 mov edi,offset ShowText ;转换后的数据 ' ~3 U$ \" O$ L7 P mov ebx,offset Digit xor ecx,ecx " h3 b: |6 V- V8 }/ k- i xor eax,eax ' l$ _# [3 K mcomputeAgain: ' k+ s! J Z4 N1 c- ^; n! i0 B cmp [readed],0 jz endCompute ; `4 E+ Q7 ~1 Y; V' p3 m dec [readed] " E5 c: ^. W! E lodsb push eax shr eax,4 ;高4位 xlatb ?! B: v( J5 l6 D stosb pop eax and eax,0fH ;低4位 xlatb stosb mov byte ptr[edi],' ' ;空格 inc edi inc ecx 0 |2 U; {/ R! }# h- z1 h* j cmp ecx,16 ) S! n6 v$ F3 k* H& p# y6 M jnz computeAgain xor ecx,ecx - ]9 l" i. z6 a& X0 U8 V mov byte ptr[edi-1],13 ;回车 : I: b" O1 L7 m. u0 Z" n/ ~1 d jmp computeAgain endCompute: ;显示 invoke MessageBoxA,NULL,offset ShowText,offset Caption,MB_OK ret : ]4 s2 g* T6 |_ShowBuffer endp SetPhyscialMemorySectionCanBeWrited proc uses ebx esi edi hSection:HANDLE local pDacl: PACL local pNewDaclACL local pSD SECURITY_DESCRIPTOR 7 q4 `$ H4 l1 N0 H2 V; z! Rlocal dwRes:DWORD ; 5 d% o4 t# c* S( l* zlocal ea:EXPLICIT_ACCESS ; invoke GetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL, addr pDacl,NULL, addr pSD cmp eax,ERROR_SUCCESS ! [+ b! p" O) y+ B8 V6 o& n# Mjz @f 6 `6 w4 B4 C" w) N, H3 q3 z9 Vjmp OutSet ) t9 S3 ]; i/ C4 L, g) ]! {0 [ i, H@@: 5 z. ^$ v- V3 b: r$ n% Tmov dwRes,eax / q9 Y8 ~1 W2 y, smov ea.grfAccessPermissions ,SECTION_MAP_WRITE;2 mov ea.grfAccessMode ,GRANT_ACCESS;1 ' Z! k; Y# S/ B0 `3 dmov ea.grfInheritance,NO_INHERITANCE;0 . \& y4 _ c# hmov ea.Trustee.pMultipleTrustee,0 mov ea.Trustee.MultipleTrusteeOperation,0 $ u. L0 v- e- ^' k/ p; q/ dmov ea.Trustee.TrusteeForm,TRUSTEE_IS_NAME;1 . n2 n1 J& x6 |4 lmov ea.Trustee.TrusteeType,TRUSTEE_IS_USER;1 ( c1 m' G! o7 y; Z7 P% @9 G! P0 Dcall @f ) j+ ?+ x# A9 k0 T j9 `db "CURRENT_USER",0 @@: & W$ m8 k" o- F+ M2 ^pop edx - E6 V! C5 n) T- y1 l u1 G; }mov ea.Trustee.ptstrName,edx invoke SetEntriesInAcl,1,addr ea,pDacl,addr pNewDacl 1 {7 w7 y5 m/ Acmp eax,ERROR_SUCCESS % | e4 s% u) T! G! fjz @f jmp OutSet @@: * y- r5 V6 E% x6 j! Sinvoke SetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL,pNewDacl,NULL 8 X( e5 _! Q# f% P) J+ O* }, t. l! tOutSet: cmp pSD,0 jz @f 9 }1 X- h- Q" tinvoke LocalFree,pSD : S2 K" b2 f+ g/ c: P m) X@@: n+ y/ n8 J- s' b( D7 X9 f3 scmp pNewDacl,0 jz @f invoke LocalFree,pNewDacl , B; x, w3 a8 r5 U8 I( D6 X& o, O@@: ret SetPhyscialMemorySectionCanBeWrited endp 7 A6 K4 n% s) A8 sMiniMmGetPhysicalAddress proc virtualaddress:dword x, w) V# P$ a/ q: y mov eax,virtualaddress cmp eax,80000000h jb @f cmp eax,0a0000000h 3 @. H8 Q5 d) S8 C, \9 C4 }* k4 W jae @f & F# l9 u/ l: o- N; s and eax,1FFFF000h ret @@: , U9 A" D! r+ Y+ q mov eax,0 ret MiniMmGetPhysicalAddress endp 8 i5 d. `4 F1 H& k9 Q" k+ _8 mExecRing0Proc proc local tmpSel:dword 1 q0 m$ M% K+ E y: ?, `local setcg:dword local BaseAddress:dword - Q5 l8 P O( E1 F% e+ B: alocal NtdllMod :dword " ?9 a# y* e: n3 E Hlocal hSection:HANDLE 0 D, R/ X* f) Clocal status:NTSTATUS local objectAttributes:OBJECT_ATTRIBUTES - \- M! y S/ plocal objName:UNICODE_STRING mov status,STATUS_SUCCESS; sgdt GdtLimit invoke MiniMmGetPhysicalAddress,GdtAddr mov mapAddr,eax test eax,eax & w: z/ @7 J1 V) s3 P/ zjz Exit1 call @f db "Ntdll.dll",0 / I- z6 |* B( I4 i. h! E@@: / \9 u2 W! L; Ncall LoadLibraryA ( b% {8 W' `" H. Xmov NtdllMod,eax / `6 P# C' ~# B5 U( r) d& S4 o lea edx,objnamestr mov objnameptr,edx lea edi,ObjAttr " l- ]& v8 Q6 U0 V5 b; Yand di,0fffch ;align to 4 bytes,or ZwOpenSection will fail push edi ;edi->ObjAttr push 24 ;length of <\Device\PhysicalMemory> pop ecx 9 P' j4 S* o3 L# X* O$ s0 O& x3 Y; mpush ecx 7 _3 Z. y, Q0 ^5 x x' ]xor eax,eax rep stosb ;put ObjAttr with 0 $ g6 W, P# n- g/ a4 _pop ecx pop edi mov esi,edi 7 a/ I8 {! F R% S7 ]stosd 0 ^/ ?: r! Y+ J; w* E! smov dword ptr[esi],ecx ( [, ~* K; T8 [stosd lea eax,[edx-8] ;eax->objname 5 v- s& g& v- a4 e' estosd ;ObjAddr(18h,00,00,00,00,00,00,00,offset objname,40,02,00,00,dd 2 dup(0) mov dword ptr [edi],240h 3 O ~0 a) r5 K+ ~, ~$ bcall @f 0 ^, U S( y' c8 H, ?db "ZwOpenSection",0 @@: push NtdllMod call GetProcAddress + A2 Y9 K; U; y: [9 t) bmov ebx,eax ;ebx=ZwOpenSection - u9 v. G1 u' L# o) g+ d: F( v 0 w/ @, O" R% Spush esi ;esi->ObjAttr : S1 H, k8 d* k( Rpush SECTION_MAP_READ or SECTION_MAP_WRITE 1 n) B! v: d# K1 Z5 O5 u' C0 plea edi,hSection push edi ;edi->hSection call eax ;ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr) * U( _- g7 }0 g' F7 |! emov status,eax ; ?0 g7 u: z, a. D9 S' e* b9 rcmp status,STATUS_ACCESS_DENIED ! N5 F' G: R% A c, G j% |( njnz AccessPermit - J0 @1 H* |: O! Y# U1 amov eax,ebx $ z8 q- g* G% b9 o6 t; u 0 o0 g( ?/ ~. E" b) i8 ?+ v) Vpush esi ; f- v9 A0 v# B3 w7 h% o3 opush READ_CONTROL or WRITE_DAC push edi % s6 K% x1 C9 E/ O7 |4 U+ kcall eax $ \* _5 @3 O7 N$ P5 c: O$ P 7 |& k% F( z- r2 b0 Y. Imov status,eax 4 r) u; R0 L9 h( U+ minvoke SetPhyscialMemorySectionCanBeWrited,hSection ' R3 L' [2 l" s ; j* Y- ^/ A. A! @& Wcall @f db "ZwClose",0 : ~# B) d2 q. W! ~. b! \@@: push NtdllMod call GetProcAddress # K" c" s4 a! t. Y |push hSection * P: `9 c2 w3 r( Qcall eax ;zwClose hSection ' H% z/ x: g' ` mov eax,ebx . O6 U3 q' K+ b6 r lpush esi 8 K" O/ L6 ]" n4 u0 [1 U9 jpush SECTION_MAP_READ or SECTION_MAP_WRITE ( C, @# @+ e( X6 Qlea edi,hSection 3 Z" [6 T2 `* S( v( A4 Hpush edi call eax 0 D8 F: v9 G4 E4 J* U* [mov status ,eax / E3 m" p! ?* k;status =ZwOpenSection(&hSection,SECTION_MAP_WRITE|SECTION_MAP_WRITE,&objectAttributes); AccessPermit: , f( s+ [2 }. G) _, Y I, Kcmp status ,STATUS_SUCCESS jz @f " A! L1 l. s* ~' H8 }2 \;printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status); $ Q! i: _; o! r/ ?2 B/ I, C;return 0; mov eax,0 / E3 n4 p1 j* v0 ?4 X2 Oret @@: movzx eax,word ptr[GdtLimit] 8 `) I9 U. b3 D" Kinc eax J5 C) [( B Y& d" w5 ]invoke MapViewOfFile,hSection, FILE_MAP_READ or FILE_MAP_WRITE, 0, mapAddr, eax mov BaseAddress,eax cmp BaseAddress,0 . K% [9 }% u5 ^! _ Kjnz @f " L( A5 Y( b; k7 A9 X( ];printf("Error MapViewOffile:"); . `( B; `8 Z& d# C; Z. K2 [% urintWin32Error(GetLastError()); return 0; mov eax,0 ret * D6 o1 i; ?) |: N" l1 l@@: mov esi,eax ;esi->gdt base : d# A, \# u: s, [& a5 x4 Kmov ecx,3e0h ! ^- m1 J* i6 ^9 P0 j6 U7 emov eax,GdtAddr 9 p. }2 k$ H z# q* ]9 G: v/ t! b.if dword ptr [esi+ecx+2]!=0ec0003e8h 2 b4 V% H' H) d" q- {" ^mov byte ptr [esi],0c3h . |+ f0 ] W5 N0 O1 m/ O: A7 L 0 g, Z5 E, u) T% ^' Dmov word ptr [esi+ecx],ax ) x: }1 |* l3 |( ~# p! \shr eax,16 7 L2 c: {8 m* T Z% h, H; [mov word ptr [esi+ecx+6],ax & Z$ ^) G5 Z! q0 L5 Hmov dword ptr [esi+ecx+2],0ec0003e8h # n6 l D# ~% p' S0 a mov dword ptr [esi+ecx+8],0000ffffh mov dword ptr [esi+ecx+12],00cf9a00h ) \# B [1 l& }5 f, _" W! y" ?.endif mov setcg,TRUE cmp setcg,0 jnz ChangeOK , @6 ?0 X" v3 V2 \1 p! y: F% M+ Wcall @f db "ZwClose",0 @@: ( e( R0 w# M: Mpush NtdllMod 3 w" O/ W, g& @, o: d0 l Wcall GetProcAddress ) p3 b9 @5 E, x5 _1 Wpush hSection * h' q9 Z1 v1 F# ]call eax $ M0 a O2 d+ T* Vxor eax,eax ret ChangeOK: and dword ptr Callgt,0 xor eax,eax mov ax,3e0h or al,3h ! @. u' r; [! h2 Smov word ptr [Callgt+4],ax ;farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate; lea eax,_Ring0Proc 0 c- {5 Q5 t# G( v9 e;invoke VirtualLock,eax,seglen 5 y6 y% N. s' Z: a" Etest eax,eax jnz @f 5 k% t1 S+ c, V7 {xor eax,eax ret 5 @9 } `: ]7 i6 {2 y" s' e@@: , |$ N8 M, ]4 i9 C" k- s9 q7 I) iinvoke GetCurrentThread invoke SetThreadPriority,eax,THREAD_PRIORITY_TIME_CRITICAL invoke Sleep,0 # q, @3 e- n* }& U% V+ lcall fword ptr [Callgt] ;use callgate to Ring0! # [; O% \/ O. h- R* D* q;_asm call fword ptr [farcall] _Ring0Proc: ; Ring0 code here.. % \9 N6 x6 b1 C) U: d9 h6 omov eax,esp ;save ring0 esp mov esp,[esp+4];->ring3 esp 4 R; G+ y# n* S8 ~- zpush eax # e7 Q7 E( o0 ~ mov ebx,offset stIDEINFO assume ebx:ptr IDEINFO $ a a( N# v6 _5 P;******************************************************************** ; 等待硬盘就绪 ;******************************************************************** mov ecx,10000h 7 U4 M, {+ [7 H0 L0 J5 m; T: u r mov dx,01f7h @@: in al,dx cmp al,50h ' c" E) l# v2 p$ { jz @F - a% \/ G0 ?4 Q loop @B 1 H8 O# w' } b M) u jmp _II_TimeOut @@: ;******************************************************************** * |2 l. H' O+ Q: u$ C; 发送命令 ' u( Q7 f+ w A; 如果向主控制发送命令，则端口为 1f0h-1f7h 2 p" M2 j# L# n3 C7 ?, l; 如果向副控制发送命令，则端口为 170h-177h . L ?) K: X" x4 ?; ?9 l$ E; 1f6h 如果要检测的设备为该IDE接口的主（MASTER）设备， ; 那么发送 a0，如果为从那么发送 b0 ; 1f7h 如果要检测的设备为 ATA 设备那么发送 ec ; H1 ~' q1 j+ x; 如果为 ATAPI 设备那么发送 a1 ;******************************************************************** mov al,0a0h ;Drive 0,Head 0 mov dx,01f6h ;Drive and head port & J4 p" D5 H: u: {' \ out dx,al 4 |0 A3 F% s* x, _2 v* ` mov al,0ech inc dx ;Command port out dx,al ;******************************************************************** % C8 |# q$ r% i' \5 ]: x$ o; 等待硬盘就绪 ;******************************************************************** + T- j6 I4 S+ s1 ^* _ mov ecx,10000h ; e7 b' _& w1 a5 Z; K, i* o, ` @@: , I5 k; R$ g7 S in al,dx;1f7 (r-status register) cmp al,58h;(driver is ready ,and seek complete) jz @F 6 @6 F: H: L7 R8 j loop @B jmp _II_TimeOut @@: ;******************************************************************** / T: v2 [3 n6 R( ^& U2 a# n! t/ g3 @; 将返回信息读回 R2 w0 { n0 |& r0 l; 注意一定要读满 100h 个字长 - O; l I3 v" [;******************************************************************** cld : }1 i4 I6 \# M8 E mov edx,01f0h;data port - data comes in and out here mov edi,ebx / e7 D7 ?9 n1 X mov ecx,0100h 1 A; }' ?+ c$ V7 q# [ rep insw 9 Y d: o5 q3 W: `/ J;******************************************************************** ; 返回的信息中，型号、序列号、版本号为字形式 ; 需要整理到字符串的形式 ;******************************************************************** lea esi,[ebx].sSerialNumber mov edi,esi . \: E7 p) Y7 ~9 l# Q/ U mov ecx,10 . o8 ^3 [& \; G8 L @@: lodsw xchg ah,al * V# F9 x- h; ^6 ?6 G stosw 4 a' A. j; T/ ~% Y. V) [ loop @B lea esi,[ebx].sFirmwareRev : C7 n7 |% {2 u9 Y: `" q C3 D mov edi,esi mov ecx,24 @@: lodsw 5 S) i. O( K. r xchg ah,al stosw loop @B 8 v4 \& d0 y% ?/ y l_II_TimeOut: assume ebx:nothing 1 C, E5 b. O5 f) u- J ' |+ M, u R r9 w" c0 U: Ypop esp ;restore ring0 esp & p/ Z( ^; G1 o8 p% j1 Xpush offset Ring3 % P3 x @! I$ m A% n- x$ Uretf 0 f, Z: M% P+ ^$ SRing0CodeLen=$-_Ring0Proc Ring3: invoke GetCurrentThread invoke SetThreadPriority,eax,THREAD_PRIORITY_NORMAL ;invoke VirtualUnlock,Entry,seglen 9 f/ d7 l* E: G! ~& zcall @f 6 l+ s" h n: {1 X6 X& k7 Sdb "ZwClose",0 @@: push NtdllMod call GetProcAddress % _7 R4 o9 v4 \3 U6 n @* ?push hSection call eax mov eax,TRUE 7 _1 [# e8 n0 C% Z* d0 c7 h$ s: Tret ExecRing0Proc endp ; a4 M1 Q& j) y2 q. K main: assume fs:nothing push offset MySEH 9 e* N+ ?( U2 y5 C% rpush fs:[0] mov fs:[0],esp mov OldEsp,esp ) d* ~8 _; [' Wmov ax,ds ;if Win9x? 6 O$ @4 L* n2 H9 N9 k1 _6 itest ax,4 jnz Exit1 invoke ExecRing0Proc ; l% a& T/ x; R& Z' `) Y% a2 n.if stIDEINFO.wNumCyls lea esi,stIDEINFO.sModelNumber mov edi,offset szModelNumber ' a- _: P' } n- C( D* ^ mov ecx,sizeof stIDEINFO.sModelNumber rep movsb 0 n! G: t9 }3 v3 ~* v- G k lea esi,stIDEINFO.sSerialNumber mov edi,offset szSerialNumber mov ecx,sizeof stIDEINFO.sSerialNumber rep movsb % L% K9 B! f1 d2 P4 J, | lea esi,stIDEINFO.sFirmwareRev # [; J" c/ i3 D% T' |: h mov edi,offset szFirmwareRev " @0 w6 }$ ]- Z( p0 ~ mov ecx,sizeof stIDEINFO.sFirmwareRev rep movsb ; _+ X0 y3 `1 D/ z3 s movzx eax,stIDEINFO.wNumCyls movzx ebx,stIDEINFO.wNumHeads movzx ecx,stIDEINFO.wSectorsPerTrack 8 b/ ~* a8 e, a1 s movzx edx,stIDEINFO.wBufferSize 7 p0 p* d/ h( g invoke wsprintf,addr szBuffer,addr szIDEInfo, eax,ebx,ecx,edx, addr szModelNumber, addr szSerialNumber, addr szFirmwareRev : [: q% P2 R9 e2 ~! t" i mov eax,offset szBuffer .else . A% L" c# q: ] mov eax,offset szErrInfo .endif @@: & @# |! V1 N1 ]7 \( Sinvoke MessageBox,NULL,eax,addr szTitle,MB_ICONINFORMATION or MB_OK Exit1: pop fs:[0] ! y/ E- R) ^$ b; {, Q" hadd esp,4 invoke ExitProcess,0 MySEH : T8 F" }, v# m% A% I; ^# D: y5 Hmov esp,OldEsp / A4 \4 |' P1 z7 F/ W, I: d, d2 cpop fs:[0] add esp,4 s/ q9 L v9 _invoke ExitProcess,-1 end main 8 u: f' N; U/ C( ]8 { 6 _" ?8 q/ \: c

[此贴子已经被作者于2003-11-2 18:14:02编辑过]

呵呵，ExecRing0Proc 这段程序甚妙，先得到gdt，然后构造一个调用门call gate's ,使程序从用户模式(ring 3)进入内核模式(ring 0)。进入内核模式之后，就可以没有限制地对系统干任何勾当。这段程序确实为高手所为，在下佩服得紧。
! M/ d3 e2 l4 i5 l. w: v至于读硬盘序列号之类，只不过是在内核模式下的一个I/O应用罢了。
其实在NT/2000下读取硬盘序列号只要打开\\.\PhysicalDriveX(X:设备号0~26）设备，然后用DeviceIoControl()就可以读取了，不需要绕ring0这么一个大圈子

; r4 P- ^3 C9 q这个程序也可以C语言实现，不过中间必须嵌入几条汇编的指令，如sgdt GdtLimit
但还是用c来写更方便，例如：
- Q, h. n: A2 W  n* H5 u- bcall @f
' H3 O4 B, T) S/ s7 i9 ~6 H4 Ddb "ZwOpenSection",0
@@:
push NtdllMod
: i6 _) M0 Y' z; Vcall GetProcAddress
mov ebx,eax ;ebx=ZwOpenSection
push esi ;esi->ObjAttr
push SECTION_MAP_READ or SECTION_MAP_WRITE
lea edi,hSection
push edi ;edi->hSection
9 g! x/ r0 m: @6 Z  g& z! \9 ecall eax ;
- m3 p5 S5 T- ~6 p# z# ^& \
用c的话只要一句就可以了
ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr)；
因此懂汇编，然后用C/C++编程，是成为高手的捷径

[此贴子已经被作者于2003-11-3 16:46:50编辑过]

! N* m: \4 l& r$ V5 k4 \6 X9 |* {

firelinux

win32位汇编，真的很不错，业余的时间，全都投进去了

唐明

要能有台机器试一下多好，学汇编还从没想过去ring0，也感觉没哪个必要。
现在闲着真相试试。这片文章我在家保存了有快一年了。不用感觉可惜了。一直停着不用，我都快忘了那些曾经那些依稀的记忆了。水能给我一台电脑，我力马高喊：有你这么富的吗？

很久以前的一段代码

游侠无极限

很久以前?
* }/ B* @1 h7 p1 ?不是吧,这个是 轻描淡写 编程论坛的斑竹写的

看到过的。