[转帖]2000/xp下读硬盘序列号[汇编]

游侠无极限

我可没这个水平 + u% H; J! g$ ~9 F( S.686p .model flat, stdcall option casemap :none ; case sensitive ; ######################################################################### 2 L/ ?, e! x+ U ginclude \masm32\include\windows.inc - C. y1 n$ i n a$ Yinclude \masm32\include\user32.inc ' S q0 e( `& a, l zinclude \masm32\include\kernel32.inc ) C: @/ Z* o. ?! f6 }include \masm32\include\advapi32.inc ! U9 X% b( i. z! L2 T includelib \masm32\lib\user32.lib includelib \masm32\lib\kernel32.lib 7 {6 y8 p p* V0 a' D# V! Vincludelib \masm32\lib\advapi32.lib ( M6 D; c6 A6 B' VDEBUG = TRUE " O" r( v0 \$ A! w: ]: W HMODULE typedef dword / R" D* d8 d9 t: RNTSTATUS typedef dword 5 T+ s* F+ R0 O- u, p' YPACL typedef dword PSECURITY_DESCRIPTOR typedef dword OBJ_INHERIT=2 ) |7 P: _' n& \& D# q* v# u& t' sOBJ_PERMANENT=10h OBJ_EXCLUSIVE=20h OBJ_CASE_INSENSITIVE=40h ( \4 D; O$ ~! `6 u$ gOBJ_OPENIF=80h / @: I Z5 \- [OBJ_OPENLINK =100h OBJ_KERNEL_HANDLE=200 OBJ_VALID_ATTRIBUTES=3F2h 3 y$ K& H) m- B7 M U" T SE_KERNEL_OBJECT = 6 ! P0 u+ u* ]" ]) z3 k% xGRANT_ACCESS =1 # W# O5 S6 \6 aNO_INHERITANCE =0 9 w9 v( C8 n( I! q9 D$ G9 s+ ]8 YTRUSTEE_IS_NAME=1 8 i8 G% n2 S4 R, ~TRUSTEE_IS_USER=1 STATUS_SUCCESS =0 STATUS_ACCESS_DENIED =0C0000022h 3 p2 M& j* K2 x 5 F" |- |" }/ j/ V! ^2 QSTATUS_ACCESS_VIOLATION equ 0C0000005h 6 W3 A" w$ P6 q- F6 ]STATUS_INFO_LENGTH_MISMATCH equ 0C0000004h SystemModuleInformation equ 11 : y7 r( e. c( D ]# j+ v" YPVOID TYPEDEF DWORD UNLONG TYPEDEF DWORD CHAR TYPEDEF BYTE & U- V/ L, ~& K: WUNICODE_STRING struct nLength word ? MaximumLength word ? Buffer dword ? UNICODE_STRING ends : s0 r4 l' r+ e; U- d- o6 V 9 ~) [' [, W8 ^* h. i; n% ^8 dOBJECT_ATTRIBUTES struct I3 s( e2 N! L) ~/ Y: z' E nLength dword ? RootDirectory HANDLE ? ObjectName dword ?UNICODE_STRING Attributes dword ?; , G2 [$ Y2 W) G/ o6 {9 ]$ [ SecurityDescriptor dword ?; PVOID // Points to type SECURITY_DESCRIPTOR : k, z' |" `2 Q9 ]* m SecurityQualityOfService dword ?VOID // Points to type SECURITY_QUALITY_OF_SERVICE OBJECT_ATTRIBUTES ends TRUSTEE struct , Q! [% l7 p: D$ S$ U4 ^6 D, D pMultipleTrustee dword ?TRUSTEE " M/ L/ D; o0 S7 l7 @* d6 y5 r5 e MultipleTrusteeOperation dword ?; MULTIPLE_TRUSTEE_OPERATION TrusteeForm dword ?;TRUSTEE_FORM 4 n5 t8 z+ C/ }0 s7 X' N; N* C5 ? TrusteeType dword ?;TRUSTEE_TYPE ptstrName dword ?;LPTSTR : w8 q$ w9 N2 c4 H: P4 S6 MTRUSTEE ends / H( y! H$ n6 g" k$ J8 w . M2 k9 C& `; i4 [' kEXPLICIT_ACCESS struct grfAccessPermissions DWORD ? grfAccessMode dword ? ;ACCESS_MODE grfInheritance DWORD ? ; , q) v& R- {2 N! P) b% A% \/ x Trustee TRUSTEE <> ; : H" t' v0 v( _2 N7 m" J/ aEXPLICIT_ACCESS ends r% x0 s% k0 W5 e+ W MyGATE struct ;门结构类型定义 # _" I# ?( c2 T. Y. K1 }+ k0 m2 Y' E OFFSETL WORD ? ;32位偏移的低16位 6 c9 K6 o2 c) y6 G! c& B SELECTOR WORd ? ;选择子 DCOUNT BYTE ? ;双字计数字段 GTYPE BYTE ? ;类型 OFFSETH WORD ? ;32位偏移的高16位 ! h, w5 K5 _9 {& O! QMyGATE ends IDEINFO struct : F, x% G1 `* {7 r- ^/ ^. h, `7 JwGenConfig dw ? " Y/ k4 \! Q* S; O7 cwNumCyls dw ?;拄面数 wReserved dw ? 7 _2 G7 Q6 \+ z3 c7 b/ E* CwNumHeads dw ?;磁头数 ' ? T/ T9 v/ rwBytesPerTrack dw ?;每道字节数 " v9 T* _$ O" N. m$ {+ HwBytesPerSector dw ?;每扇区字节数 + u4 d, z9 A+ `5 XwSectorsPerTrack dw ?;每道山区数 0 B2 s# E1 W& w6 |wVendorUnique dw 3 dup (?) " `* @$ T- x* p- y& M' R( f, wsSerialNumber db 20 dup (?);硬盘序列号 4 l, R+ n' C# j3 R- N5 ~wBufferType dw ?; / V3 e. O1 U2 f; `$ J9 L6 FwBufferSize dw ?; ;n * 512 . [) l0 g# D- t0 R2 V6 q0 XwECCSize dw ? sFirmwareRev db 8 dup (?); sModelNumber db 40 dup (?) . H$ ^3 c5 h$ U, xwMoreVendorUnique dw ? % u& J# k) K& E' c7 S2 uwDoubleWordIO dw ? wCapabilities dw ? wReserved1 dw ? wPIOTiming dw ?; wDMATiming dw ?; ; r& H# q8 F, S* B4 fwBS dw ? wNumCurrentCyls dw ?; 1 N% q5 F9 |" f+ v6 \wNumCurrentHeads dw ?; wNumCurrentSectorsPerTrack dw ?; % R8 ]% ~: o3 fdwCurrentSectorCapacity dd ?; : d L: k+ x3 d2 E' F. ^! H7 {wMultSectorStuff dw ?; : W5 u4 j. O n/ C7 ?. fdwTotalAddressableSectors dd ?; wSingleWordDMA dw ?; ( B; Z& W6 C/ M- TwMultiWordDMA dw ?; bReserved db 128 dup (?) 5 q5 g- C: G5 l. C6 |4 u1 g) RIDEINFO ends SetPhyscialMemorySectionCanBeWrited proto :dword MiniMmGetPhysicalAddress proto :dword % b+ _- R; g4 {& E: P ENTERRING0 macro - }0 k. A$ ?5 i! X( y! N6 F) D0 Z1 Mpushad . C) s1 l" d8 p5 n$ cpushfd ) i8 R0 G* z+ d6 Xcli mov eax,cr0 ;get rid off readonly protect 3 z% ^$ @+ Z! R. ]. |8 fand eax,0fffeffffh mov cr0,eax , ^+ ^5 M% \& y- c6 d6 Y5 Mendm 8 Z# H* u. W) e1 [4 A; S/ o LEAVERING0 macro mov eax,cr0 ;restore readonly protect , {9 V5 {4 g1 I6 o8 _or eax,10000h mov cr0,eax sti 2 x6 Z& c, S8 r) Z& ]3 opopfd popad retf endm 7 q; P8 t- R# q9 K; O8 m UNICODE_STR macro str 3 `% F% S+ L+ A+ dirpc _c,<str> ; l( I. f; A8 r' f- w8 udb '&_c' ) P/ T5 K* E' w5 pdb 0 endm endm : D/ k, d S# Z) F' D/ L q2 U ) h0 W! ~$ ?, B. I% T2 A# ^.data? GdtLimit dw ? 7 q+ ^( \$ [0 F6 r; @* }0 UGdtAddr dd ? mapAddr dd ? & d% F2 v# Y' O9 \% d. R S" D0 z; XOldEsp dd ? - v& b- |' n: } Q readed dw ? & d1 {* a3 `- ~buffer db 512 dup(?) % \3 ~, e! W3 _1 Q' \ShowText db 512*3 dup (?) 3 r1 z ~% B3 i! ~0 q6 C, l5 e 2 {% J5 F4 }, L/ p3 Q- x# @9 FszBuffer db 1024 dup (?) szModelNumber db 41 dup (?) szSerialNumber db 21 dup (?) szFirmwareRev db 9 dup (?) " _% o7 H0 S- O% T0 x. DstIDEINFO IDEINFO $ V0 Z4 J, x' T$ x. E; B.data 2 g$ _+ a+ R8 X6 ?( Ealign 4 + T! U, S. j/ B/ Z& W' ]; Pobjname dw objnamestr_size,objnamestr_size+2 8 Y* n( V* Z4 w% X- gobjnameptr dd 0 $ f" g& \0 ^+ z7 ]2 I7 lobjnamestr equ this byte ( Y; ]+ i( g5 _UNICODE_STR <\Device\PhysicalMemory> / d/ T/ M* h& F) ?) W" ?objnamestr_size equ $-objnamestr szTitle db 'IDE 硬盘信息',0 szErrInfo db '无法读取硬盘信息',0 szIDEInfo db '柱面数 : %d',0dh,0ah $ ]: V( j( ?& T* |6 q db '磁头数 : %d',0dh,0ah db '每道扇区数 : %d',0dh,0ah db '缓冲大小 : %d 扇区',0dh,0ah ; _) m: E- g2 L# p: C$ o0 b; N" q db '硬盘型号 : %40s',0dh,0ah # @# `7 _9 p m% _5 C& { db '序列号 : %20s',0dh,0ah / [- q; j! W' \* s- ?, z db '版本号 : %8s',0 9 r+ i, U; I7 ]9 C) j$ j align 4 ObjAttr db 24 dup (0) Callgt dq 0 ;call gate's selff ! {+ S2 [" X9 OCaption db 'Windows XP绝对磁盘读写',0 Digit db '0123456789ABCDEF',0 8 P3 P2 y5 U0 `* X/ y. P.code 6 W0 G- R2 M- o. Q, D; |8 x2 Q. K# |_ShowBuffer proc ;显示所读出的信息 : U; ]. t2 Y/ d: _ ;把数据转换成16进制的形式 mov [readed],512 mov esi,offset buffer ;数据 ; U. F9 V4 l$ E mov edi,offset ShowText ;转换后的数据 mov ebx,offset Digit : D% n Q( o* d6 y xor ecx,ecx - u- P, [; h4 x5 N, ]2 ]3 I xor eax,eax computeAgain: ; j8 O! X4 \$ ]1 `6 }% C# d) ~# t7 o% a cmp [readed],0 jz endCompute dec [readed] ; g$ l* {! [# u+ y* H2 T6 g8 Z lodsb push eax shr eax,4 ;高4位 xlatb stosb 3 p) D! u8 h+ z$ K pop eax : X9 y' D, Q5 u) P! I3 k and eax,0fH ;低4位 ( N1 @" e; J* U8 _! S xlatb c+ `$ F9 w. x/ N8 E$ e# w) L5 i stosb mov byte ptr[edi],' ' ;空格 9 S% V+ C3 |+ N& x. t8 w, p inc edi 1 y+ K8 k# B$ x. U4 f inc ecx cmp ecx,16 jnz computeAgain 2 ?! n- N2 H# n" F( j xor ecx,ecx mov byte ptr[edi-1],13 ;回车 - y' r. k$ ]) x% a7 e1 P& Q+ C jmp computeAgain - G9 |3 A+ P8 J; UendCompute: ;显示 : L7 h( r9 X* a invoke MessageBoxA,NULL,offset ShowText,offset Caption,MB_OK ret ; `/ [6 s! X4 g: B_ShowBuffer endp 5 B8 r0 A* r, |% H' @! e) r: N SetPhyscialMemorySectionCanBeWrited proc uses ebx esi edi hSection:HANDLE ; \2 J3 O+ c' ulocal pDacl: PACL 8 o* R( n* z, I$ ]local pNewDaclACL local pSD SECURITY_DESCRIPTOR local dwRes:DWORD ; local ea:EXPLICIT_ACCESS ; - h' l& K p: R' J! z- [invoke GetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL, addr pDacl,NULL, addr pSD - L0 ?% s+ ], e5 I7 V1 U7 u: [5 d3 pcmp eax,ERROR_SUCCESS 6 K( W/ c0 H5 a- G" zjz @f jmp OutSet , r! A6 Y7 z( K8 v+ ~3 v@@: mov dwRes,eax mov ea.grfAccessPermissions ,SECTION_MAP_WRITE;2 , q& h; y4 n9 a. k0 t0 ~) r+ w0 wmov ea.grfAccessMode ,GRANT_ACCESS;1 $ R- |* C$ h0 N$ g/ Ymov ea.grfInheritance,NO_INHERITANCE;0 mov ea.Trustee.pMultipleTrustee,0 mov ea.Trustee.MultipleTrusteeOperation,0 mov ea.Trustee.TrusteeForm,TRUSTEE_IS_NAME;1 mov ea.Trustee.TrusteeType,TRUSTEE_IS_USER;1 call @f a! y/ I/ I6 V* v, Z; e- mdb "CURRENT_USER",0 @@: % r8 `) S# C9 U8 npop edx ' M7 o( T4 c) y1 ^! r. Ymov ea.Trustee.ptstrName,edx invoke SetEntriesInAcl,1,addr ea,pDacl,addr pNewDacl . c6 X5 |0 Y- z0 u o$ {' \$ ycmp eax,ERROR_SUCCESS jz @f jmp OutSet @@: 6 b* c6 j2 w3 b2 l6 D* U1 D0 {invoke SetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL,pNewDacl,NULL ' K3 j& V- _$ X8 R' VOutSet: 9 A* l3 B+ L- X) T# p4 ?cmp pSD,0 ) h; P- Y5 u: H) d* v% x9 ?jz @f # @3 h2 c3 u3 s- M f- |3 uinvoke LocalFree,pSD @@: cmp pNewDacl,0 jz @f & v* m1 G5 y9 z+ Z; ninvoke LocalFree,pNewDacl @@: b% Z- g, [6 `" r9 pret SetPhyscialMemorySectionCanBeWrited endp MiniMmGetPhysicalAddress proc virtualaddress:dword mov eax,virtualaddress cmp eax,80000000h , T u) w9 d0 Y! @% \% B( ? jb @f % g( s+ c3 i7 r2 W0 k! A cmp eax,0a0000000h jae @f % O/ q# n4 e4 D6 ^/ g) q5 M& M7 g) \9 O and eax,1FFFF000h ! {% o& j* y0 r# p% G ret % [& H# E$ C4 Y& K) w8 N# ` @@: mov eax,0 ret # Q' g5 [+ _ C% ?* wMiniMmGetPhysicalAddress endp 5 O: T$ h7 F4 U( Q A) qExecRing0Proc proc , S# E$ z+ f( f1 m6 I6 _0 {9 plocal tmpSel:dword local setcg:dword 6 P6 X7 y n c0 S. ~5 J: Mlocal BaseAddress:dword local NtdllMod :dword local hSection:HANDLE ; t" t: g7 p4 rlocal status:NTSTATUS local objectAttributes:OBJECT_ATTRIBUTES local objName:UNICODE_STRING mov status,STATUS_SUCCESS; 3 F1 w: k6 F0 H9 s" {sgdt GdtLimit 4 r2 y7 b$ [/ x9 [0 [8 ?invoke MiniMmGetPhysicalAddress,GdtAddr ) e" ]9 Q# F/ Q" s0 ]( Xmov mapAddr,eax % A( j& w1 x' ztest eax,eax jz Exit1 call @f db "Ntdll.dll",0 @@: 1 E8 b" w4 @8 wcall LoadLibraryA ; |/ ~4 j/ v8 m/ X. b# F/ qmov NtdllMod,eax lea edx,objnamestr 3 ]& j# ^9 y) _% jmov objnameptr,edx ' g. A- @9 D; u# S, @lea edi,ObjAttr e E) \9 ?5 |and di,0fffch ;align to 4 bytes,or ZwOpenSection will fail * ] p4 B9 ]0 U5 L5 E3 npush edi ;edi->ObjAttr push 24 ;length of <\Device\PhysicalMemory> " k( [, v3 K8 Wpop ecx ' J2 W1 V( Y+ G; W; \, cpush ecx ! q P* ~$ o3 P% O3 k8 Wxor eax,eax rep stosb ;put ObjAttr with 0 pop ecx 4 G, j6 {. ^6 U6 Bpop edi mov esi,edi stosd ; W l, t" l, l* _) ]$ z' Wmov dword ptr[esi],ecx stosd ) Y/ v+ K/ c2 P4 ^9 ~1 e# B7 xlea eax,[edx-8] ;eax->objname p+ w& F- q% Z3 cstosd ;ObjAddr(18h,00,00,00,00,00,00,00,offset objname,40,02,00,00,dd 2 dup(0) 7 c4 G+ a( U2 _1 B8 a- q; kmov dword ptr [edi],240h 9 t- W) c! X' D( A ~3 r$ z# x( pcall @f * _# E* ^3 I; P3 z- _2 Y, Ndb "ZwOpenSection",0 8 z: m }$ s% l& X7 t@@: push NtdllMod " T$ t& j7 U: w8 I, d% X8 hcall GetProcAddress $ Z! I' n# a9 P* m4 d4 Nmov ebx,eax ;ebx=ZwOpenSection ' r5 k7 ^; Y, ?4 k/ x. _; O & y' x+ T6 J6 X5 Y) U9 m/ Apush esi ;esi->ObjAttr push SECTION_MAP_READ or SECTION_MAP_WRITE lea edi,hSection push edi ;edi->hSection call eax ;ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr) mov status,eax * g0 B/ i* h' @! @# t5 ?cmp status,STATUS_ACCESS_DENIED 4 H4 H$ b, v8 ?8 ~4 y; E) y4 ejnz AccessPermit mov eax,ebx push esi push READ_CONTROL or WRITE_DAC push edi call eax mov status,eax invoke SetPhyscialMemorySectionCanBeWrited,hSection 8 c3 l! ^. z( Q4 `call @f db "ZwClose",0 . I3 Y# v2 `, _9 `. [) l9 v@@: ! i [; ?+ n. t, q- v+ jpush NtdllMod call GetProcAddress ' R5 A& A9 X$ s! M$ m7 @push hSection call eax ;zwClose hSection % J9 U* X3 ]9 B: n0 r% h7 ~: y5 J 9 m1 p) H/ M7 T( _0 F) t2 [% tmov eax,ebx 8 Q) y& R3 ?; [- a" a1 ^ . ^ ?' j+ |, @, i/ kpush esi push SECTION_MAP_READ or SECTION_MAP_WRITE ' Q1 m7 {' c* L: A4 B2 ]lea edi,hSection push edi call eax mov status ,eax ;status =ZwOpenSection(&hSection,SECTION_MAP_WRITE|SECTION_MAP_WRITE,&objectAttributes); / |$ B: J& y* DAccessPermit: cmp status ,STATUS_SUCCESS jz @f 9 r# F0 M- o, T3 y; W* A5 [;printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status); 8 x4 B4 q! B- P u/ d! r;return 0; mov eax,0 + \- a8 ?$ v% F1 Tret @@: / }3 v3 n6 ]8 ^movzx eax,word ptr[GdtLimit] ?% C. z4 C$ v8 y2 @inc eax invoke MapViewOfFile,hSection, FILE_MAP_READ or FILE_MAP_WRITE, 0, mapAddr, eax mov BaseAddress,eax cmp BaseAddress,0 jnz @f ;printf("Error MapViewOffile:"); 6 |& w) `0 E R. g7 [rintWin32Error(GetLastError()); return 0; # E8 N3 D* h; V, c$ a: Omov eax,0 ret @@: 8 a/ c* K& C6 I- emov esi,eax ;esi->gdt base 9 e" T% D- f+ Z& n* D! mmov ecx,3e0h ) |0 F3 u( @. R; lmov eax,GdtAddr & T/ {9 J( I* L2 t+ {.if dword ptr [esi+ecx+2]!=0ec0003e8h 4 h6 @) p7 [, Emov byte ptr [esi],0c3h mov word ptr [esi+ecx],ax shr eax,16 5 ~7 b4 u1 K" T, nmov word ptr [esi+ecx+6],ax mov dword ptr [esi+ecx+2],0ec0003e8h mov dword ptr [esi+ecx+8],0000ffffh ( b4 w9 S0 Y+ a( o6 ymov dword ptr [esi+ecx+12],00cf9a00h .endif + D; ^" } Q2 X) G: ]5 ^; m mov setcg,TRUE cmp setcg,0 1 F7 u! I6 v1 bjnz ChangeOK call @f 5 _7 k0 Z2 O6 Z: B# S# k* n. x9 p* ddb "ZwClose",0 ; ~( i" f' }2 `' j@@: push NtdllMod call GetProcAddress push hSection call eax xor eax,eax S+ M2 {0 E2 m2 v) `ret ChangeOK: and dword ptr Callgt,0 xor eax,eax mov ax,3e0h or al,3h mov word ptr [Callgt+4],ax 4 ~* r- K1 I( L1 d( X/ T;farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate; lea eax,_Ring0Proc ;invoke VirtualLock,eax,seglen $ @" g1 U6 r5 qtest eax,eax jnz @f xor eax,eax 7 l& O5 {# x! X4 j9 l+ S1 Eret @@: . M, W- d7 B/ K' _* {invoke GetCurrentThread 4 s, J- `; H1 J. Q& w9 R6 o/ Winvoke SetThreadPriority,eax,THREAD_PRIORITY_TIME_CRITICAL # Z* J# t; j) einvoke Sleep,0 2 j8 ~& P8 ?; Qcall fword ptr [Callgt] ;use callgate to Ring0! ;_asm call fword ptr [farcall] _Ring0Proc: ; Ring0 code here.. mov eax,esp ;save ring0 esp ; P# Q* S ]( R F+ Q% P) Vmov esp,[esp+4];->ring3 esp push eax mov ebx,offset stIDEINFO assume ebx:ptr IDEINFO ;******************************************************************** \% i q7 ?, V3 y: Q. y8 N# `; 等待硬盘就绪 ;******************************************************************** , @8 O4 H' b( @& w" y& i mov ecx,10000h b2 \+ ]3 ^$ k5 i0 `0 i mov dx,01f7h @@: 6 U% v% L. i2 b5 J1 y* i in al,dx ! r# s1 V1 T& I6 @0 d+ W cmp al,50h 7 v/ g2 b4 \7 O1 s jz @F loop @B % `9 w W5 v0 y: ^7 u8 w jmp _II_TimeOut @@: ' u- p$ C' z* Q8 G;******************************************************************** , Q9 x9 \1 h4 ?" U& r2 \; 发送命令 ) u7 C9 n% C$ L, |- x- M; 如果向主控制发送命令，则端口为 1f0h-1f7h ; 如果向副控制发送命令，则端口为 170h-177h " n9 L) h+ Z$ ?1 m; 1f6h 如果要检测的设备为该IDE接口的主（MASTER）设备， ' }( ~% q8 b* R8 v" f4 ~; 那么发送 a0，如果为从那么发送 b0 ; 1f7h 如果要检测的设备为 ATA 设备那么发送 ec ; 如果为 ATAPI 设备那么发送 a1 ;******************************************************************** + Q( s/ U$ W& E3 k o) g }' I mov al,0a0h ;Drive 0,Head 0 mov dx,01f6h ;Drive and head port out dx,al ( N3 _4 N7 Q) s+ @* h8 H( M$ { # p( F+ L% S* s5 J8 O+ ^; e* i1 K" q: p mov al,0ech ) t; d( i. d) L/ V6 W/ { inc dx ;Command port out dx,al ;******************************************************************** ; U+ X# y/ b x) O8 t0 H ~8 W$ u; 等待硬盘就绪 ;******************************************************************** mov ecx,10000h @@: in al,dx;1f7 (r-status register) cmp al,58h;(driver is ready ,and seek complete) jz @F loop @B jmp _II_TimeOut + K X0 w8 E/ H6 d @@: ;******************************************************************** ; 将返回信息读回 ; 注意一定要读满 100h 个字长 # b! t. U! _0 E% Y7 O1 l$ T! H;******************************************************************** 6 `- s1 H" y. Z+ s( W3 H- o7 z cld / {4 [" }" U3 a. G' F K mov edx,01f0h;data port - data comes in and out here 8 `/ x% D" S% x7 X6 D/ ^. J mov edi,ebx mov ecx,0100h & d5 q! X0 S8 D* F7 D: L rep insw ;******************************************************************** 4 D( m. u' D, k3 A N; 返回的信息中，型号、序列号、版本号为字形式 ; 需要整理到字符串的形式 : M/ ^: T2 Y7 E4 B7 m" C- x- r+ b3 |- b;******************************************************************** lea esi,[ebx].sSerialNumber / Z; a" j6 D! e& i. J mov edi,esi mov ecx,10 , C" K7 s% b$ e @@: lodsw - {# p" @4 [% z- d3 w" }: L xchg ah,al stosw % B: V& e1 I& c# M: ?9 v- i loop @B 9 q5 q' X( o2 W lea esi,[ebx].sFirmwareRev mov edi,esi mov ecx,24 0 T" u; R; d$ K @@: + t# j. m2 S4 j1 C; g lodsw xchg ah,al + `5 B; @# i: E; d' u5 y) A stosw loop @B _II_TimeOut: \4 V' r# q! ]1 gassume ebx:nothing V8 {; q+ F- d' X# | pop esp ;restore ring0 esp push offset Ring3 ) A1 |2 i$ ^& W6 \; O$ \retf : \1 ]' B7 H. LRing0CodeLen=$-_Ring0Proc Ring3: invoke GetCurrentThread ! X2 B9 s% A5 M9 G3 b; ~invoke SetThreadPriority,eax,THREAD_PRIORITY_NORMAL $ \' R7 _! W4 ^ , O' `( ^, e- A& w;invoke VirtualUnlock,Entry,seglen call @f db "ZwClose",0 + Q+ p( `3 D5 u3 N9 P6 k2 {@@: push NtdllMod call GetProcAddress push hSection call eax $ f& B% \, V9 a0 Emov eax,TRUE ret ExecRing0Proc endp 4 X( P8 l8 s, E3 ~! O4 m ) _: C. b5 w( ^- Omain: 0 l4 u% ~- L$ k6 ~assume fs:nothing ) _) c7 @5 z9 G$ y6 Zpush offset MySEH / `; `$ G( k$ ?$ d2 Dpush fs:[0] 1 H! x7 G' j+ J) ^9 A/ qmov fs:[0],esp mov OldEsp,esp mov ax,ds ;if Win9x? test ax,4 jnz Exit1 invoke ExecRing0Proc .if stIDEINFO.wNumCyls ) f2 J" h5 F1 r' h; W lea esi,stIDEINFO.sModelNumber mov edi,offset szModelNumber mov ecx,sizeof stIDEINFO.sModelNumber 8 k' y' b: B) h2 Z+ [6 j rep movsb % y; V3 Z* v+ C$ m. `5 L, B lea esi,stIDEINFO.sSerialNumber 6 T+ u6 o3 B! r. Q$ T& N# R+ }! o mov edi,offset szSerialNumber 1 W3 l9 A C8 G1 V+ j8 F mov ecx,sizeof stIDEINFO.sSerialNumber rep movsb . v6 }1 X ^7 p lea esi,stIDEINFO.sFirmwareRev & ?4 `" O+ [# U, y) K! Q mov edi,offset szFirmwareRev mov ecx,sizeof stIDEINFO.sFirmwareRev rep movsb ) ~- c8 d6 h0 s! G% y' x% s : g4 z. H2 G2 A; M& U movzx eax,stIDEINFO.wNumCyls 3 k3 e. h7 Z+ P1 j% i& {" q movzx ebx,stIDEINFO.wNumHeads movzx ecx,stIDEINFO.wSectorsPerTrack / G* q3 J: e$ ~9 u1 ~3 [" a8 W movzx edx,stIDEINFO.wBufferSize invoke wsprintf,addr szBuffer,addr szIDEInfo, eax,ebx,ecx,edx, addr szModelNumber, addr szSerialNumber, addr szFirmwareRev . v$ |2 ]3 l- b' B7 P q mov eax,offset szBuffer 5 b `( ?: R6 }* k- u1 k |.else ) ?( [) l! f1 e2 c mov eax,offset szErrInfo ' ~. e$ U2 e5 G. N R! q( W7 w.endif @@: & w; ^7 s1 a O( [invoke MessageBox,NULL,eax,addr szTitle,MB_ICONINFORMATION or MB_OK Exit1: pop fs:[0] / J1 d( a/ c+ Y. ?' madd esp,4 3 ?+ M q' r8 |. M. Qinvoke ExitProcess,0 MySEH : ; I/ E4 O; m) X- L' F- [mov esp,OldEsp pop fs:[0] add esp,4 % q, L4 _$ [4 n; f5 t7 H% C( \invoke ExitProcess,-1 & \4 _" I" v0 yend main

[此贴子已经被作者于2003-11-2 18:14:02编辑过]

呵呵，ExecRing0Proc 这段程序甚妙，先得到gdt，然后构造一个调用门call gate's ,使程序从用户模式(ring 3)进入内核模式(ring 0)。进入内核模式之后，就可以没有限制地对系统干任何勾当。这段程序确实为高手所为，在下佩服得紧。
至于读硬盘序列号之类，只不过是在内核模式下的一个I/O应用罢了。
0 |. B3 N9 u7 K) e( y$ |2 g其实在NT/2000下读取硬盘序列号只要打开\\.\PhysicalDriveX(X:设备号0~26）设备，然后用DeviceIoControl()就可以读取了，不需要绕ring0这么一个大圈子
* k4 j5 g" \) A, e3 a6 j- H
: V& P2 T  P7 h3 N7 f' {这个程序也可以C语言实现，不过中间必须嵌入几条汇编的指令，如sgdt GdtLimit
0 o! Y% K& u7 o  a8 v, t2 w- ]但还是用c来写更方便，例如：
call @f
db "ZwOpenSection",0
@@:
9 ^. {" [% S& D0 O2 P$ }/ cpush NtdllMod
call GetProcAddress
/ B) O  `) p$ n/ U2 U2 jmov ebx,eax ;ebx=ZwOpenSection
! \! b( B, H6 y% x4 S" K; Z1 g  vpush esi ;esi->ObjAttr
8 f, y5 h9 H1 B, ^. L# x+ x7 \  ypush SECTION_MAP_READ or SECTION_MAP_WRITE
0 w8 `" ?( \$ V+ ylea edi,hSection
' U' t$ R* K% |9 n: {: N  Ppush edi ;edi->hSection
1 ~. |0 X9 x' F; a) fcall eax ;
7 n5 y& P, Z$ `( e6 P2 D: G$ l8 ?
用c的话只要一句就可以了
4 q# x1 g. D; S9 S6 V/ _ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr)；
因此懂汇编，然后用C/C++编程，是成为高手的捷径
7 u6 ?/ k' I9 y6 J1 q6 R% {( r; H
! l  o! e. [# \, P" k) v( |: f

[此贴子已经被作者于2003-11-3 16:46:50编辑过]

& I! U1 w' V" I" V

firelinux

win32位汇编，真的很不错，业余的时间，全都投进去了

唐明

要能有台机器试一下多好，学汇编还从没想过去ring0，也感觉没哪个必要。
现在闲着真相试试。这片文章我在家保存了有快一年了。不用感觉可惜了。一直停着不用，我都快忘了那些曾经那些依稀的记忆了。水能给我一台电脑，我力马高喊：有你这么富的吗？

很久以前的一段代码

游侠无极限

很久以前?
不是吧,这个是 轻描淡写 编程论坛的斑竹写的

看到过的。