[转帖]2000/xp下读硬盘序列号[汇编]

游侠无极限

我可没这个水平 .686p 2 O3 r/ U3 j. r( L9 T1 ?- W+ s.model flat, stdcall option casemap :none ; case sensitive 7 |* s& R( m/ X2 _1 X9 l; ######################################################################### include \masm32\include\windows.inc include \masm32\include\user32.inc include \masm32\include\kernel32.inc & k7 V9 R' G6 p1 @" Cinclude \masm32\include\advapi32.inc 9 Q: T8 i: |( R includelib \masm32\lib\user32.lib / o2 O* _+ T- ]% [7 H5 c) Z' @+ iincludelib \masm32\lib\kernel32.lib : D6 l" \: z' m- X% I' y% fincludelib \masm32\lib\advapi32.lib DEBUG = TRUE f! G9 C5 H# hHMODULE typedef dword 8 l2 w$ d e% W3 K- } D" V8 @* yNTSTATUS typedef dword PACL typedef dword , l5 z- C% M6 x0 D' s: gPSECURITY_DESCRIPTOR typedef dword 4 Y! e- Z4 z+ L* C OBJ_INHERIT=2 OBJ_PERMANENT=10h OBJ_EXCLUSIVE=20h OBJ_CASE_INSENSITIVE=40h OBJ_OPENIF=80h OBJ_OPENLINK =100h OBJ_KERNEL_HANDLE=200 0 Z' L2 R: t9 t9 M8 V; yOBJ_VALID_ATTRIBUTES=3F2h , t9 n; ?6 K; ~6 c2 L" f: L9 b ' j# u* v0 V: A) [' g9 G6 O8 PSE_KERNEL_OBJECT = 6 5 t, o. s$ u3 qGRANT_ACCESS =1 NO_INHERITANCE =0 TRUSTEE_IS_NAME=1 TRUSTEE_IS_USER=1 STATUS_SUCCESS =0 STATUS_ACCESS_DENIED =0C0000022h 1 p: s) C- Z) m7 {2 QSTATUS_ACCESS_VIOLATION equ 0C0000005h STATUS_INFO_LENGTH_MISMATCH equ 0C0000004h $ \( j, B6 s/ q, \SystemModuleInformation equ 11 PVOID TYPEDEF DWORD UNLONG TYPEDEF DWORD ! |1 R$ j) Z. Z4 W. P( I3 B" f" nCHAR TYPEDEF BYTE ) y: R- r" `. x 8 U( P9 A$ ~3 cUNICODE_STRING struct nLength word ? 6 y; n" M8 D3 @. K- \ MaximumLength word ? Buffer dword ? + o8 T6 j$ w% k( ?UNICODE_STRING ends ) B1 {) t% w5 V3 W1 _4 `* zOBJECT_ATTRIBUTES struct nLength dword ? RootDirectory HANDLE ? ObjectName dword ?UNICODE_STRING 7 c1 D9 U1 Y# K/ J1 q( k, w! [7 r Attributes dword ?; SecurityDescriptor dword ?; PVOID // Points to type SECURITY_DESCRIPTOR SecurityQualityOfService dword ?VOID // Points to type SECURITY_QUALITY_OF_SERVICE OBJECT_ATTRIBUTES ends $ z. c* _" T& E# t2 ?" y" T+ [TRUSTEE struct . V6 t8 l9 p: _5 d" ?4 E pMultipleTrustee dword ?TRUSTEE MultipleTrusteeOperation dword ?; MULTIPLE_TRUSTEE_OPERATION ; D2 _# _8 E/ Z TrusteeForm dword ?;TRUSTEE_FORM TrusteeType dword ?;TRUSTEE_TYPE " } q9 _ }7 @ ptstrName dword ?;LPTSTR ! g q" x3 F6 }& a3 bTRUSTEE ends 9 F% f- t& n: z% ?! R EXPLICIT_ACCESS struct ( t7 y7 P! G3 ]% i grfAccessPermissions DWORD ? . j5 }; J4 Y8 i9 ?- \' ?3 ]9 A9 j grfAccessMode dword ? ;ACCESS_MODE * }/ t( F6 w( K# C grfInheritance DWORD ? ; Trustee TRUSTEE <> ; 1 W# V# J* C8 n- V$ SEXPLICIT_ACCESS ends $ o4 G+ G3 N0 e* i% h4 D5 s MyGATE struct ;门结构类型定义 $ Y/ g9 N/ a, [; g2 R- p" }# r OFFSETL WORD ? ;32位偏移的低16位 SELECTOR WORd ? ;选择子 8 R4 J* {! | A- \% Z! N DCOUNT BYTE ? ;双字计数字段 GTYPE BYTE ? ;类型 OFFSETH WORD ? ;32位偏移的高16位 ( Z6 u; Q; c2 O9 }1 XMyGATE ends 7 I6 v, L' V M 7 U) ~7 q8 K# B' k2 I5 xIDEINFO struct wGenConfig dw ? ( Z( H. Y+ ^' S4 ]wNumCyls dw ?;拄面数 ) O" R8 x8 |* O0 R6 T n/ T* T4 DwReserved dw ? + ]$ x' K$ `: B6 ^4 ywNumHeads dw ?;磁头数 wBytesPerTrack dw ?;每道字节数 * `% f3 h7 w8 w+ T* k* xwBytesPerSector dw ?;每扇区字节数 wSectorsPerTrack dw ?;每道山区数 7 D( l& m0 \' o( T. f8 M9 `wVendorUnique dw 3 dup (?) sSerialNumber db 20 dup (?);硬盘序列号 wBufferType dw ?; wBufferSize dw ?; ;n * 512 4 v+ }8 y+ h1 z b, C& AwECCSize dw ? - p3 d) H5 S$ ?3 v4 w6 `+ |sFirmwareRev db 8 dup (?); 7 n% Y7 ?! D* ]0 u. s% HsModelNumber db 40 dup (?) % V' g7 c, N& {/ w8 KwMoreVendorUnique dw ? 2 J2 @; @: o6 C( ]$ \6 ?wDoubleWordIO dw ? wCapabilities dw ? wReserved1 dw ? 2 n, c4 X: s6 | s9 OwPIOTiming dw ?; wDMATiming dw ?; wBS dw ? 7 k5 v6 W- _) h( P3 D% v& RwNumCurrentCyls dw ?; wNumCurrentHeads dw ?; + R) s! g, K0 R! w% p& x7 `wNumCurrentSectorsPerTrack dw ?; dwCurrentSectorCapacity dd ?; $ z' F7 E* r8 FwMultSectorStuff dw ?; dwTotalAddressableSectors dd ?; wSingleWordDMA dw ?; - J6 M) u" W. A4 Y% ZwMultiWordDMA dw ?; bReserved db 128 dup (?) - L- m, \. @; }. {' |4 v" O, ZIDEINFO ends , E% i( i& D7 I : v7 k+ z/ }, g { SetPhyscialMemorySectionCanBeWrited proto :dword MiniMmGetPhysicalAddress proto :dword , q R0 z1 k4 Y 7 n( ]7 M* J, h/ J, YENTERRING0 macro pushad 0 N. ~+ z- T' |! n) P; x; Y/ Lpushfd # Y" t" X f0 j$ r. O7 | ycli mov eax,cr0 ;get rid off readonly protect and eax,0fffeffffh mov cr0,eax endm # R& [5 W! v. j% \ 1 l5 j4 q3 ^/ ?, ?# r7 {( E1 s& ^9 tLEAVERING0 macro mov eax,cr0 ;restore readonly protect or eax,10000h ) i0 h& I: ]6 amov cr0,eax sti * G( l8 X2 C1 I! \- z6 `& a( Xpopfd popad retf + Z' U3 R7 c' n' b$ u7 @endm " P" G \; B# n ' l0 N3 Y9 }( b& J: b9 D6 }- MUNICODE_STR macro str irpc _c,<str> 8 |. b* B+ f- I; a& c1 I$ u; bdb '&_c' db 0 endm endm $ ?- o7 h5 r/ D5 d- o; s, t9 F.data? # B f& S& a7 Q5 |$ sGdtLimit dw ? GdtAddr dd ? ; k' Y4 F' e$ I& Z, |mapAddr dd ? OldEsp dd ? 2 Z3 y3 ]: M0 [readed dw ? buffer db 512 dup(?) ShowText db 512*3 dup (?) & L2 D" H, r" @, S szBuffer db 1024 dup (?) 1 U- }% t. u1 i9 S3 t# RszModelNumber db 41 dup (?) 1 y+ q, E+ i3 v& P# SszSerialNumber db 21 dup (?) . C0 M7 {- v. T6 X8 E sszFirmwareRev db 9 dup (?) " A' T# D) B" h2 y/ [stIDEINFO IDEINFO 3 `, x B8 c2 h. i% j2 X& p + I% X; u* B' E8 c% @7 q.data 2 p1 @( I9 x1 l3 }! y' Calign 4 ' n9 Q) {5 X: ]- i# Pobjname dw objnamestr_size,objnamestr_size+2 objnameptr dd 0 objnamestr equ this byte ( E/ T8 w b- y+ q! }UNICODE_STR <\Device\PhysicalMemory> objnamestr_size equ $-objnamestr szTitle db 'IDE 硬盘信息',0 ! X2 o1 ` x' F$ q5 EszErrInfo db '无法读取硬盘信息',0 * l' V l3 d% l5 d+ V' kszIDEInfo db '柱面数 : %d',0dh,0ah l9 W" B* L& w- F db '磁头数 : %d',0dh,0ah & D8 M |& }, [: R! B db '每道扇区数 : %d',0dh,0ah 6 ~% S3 z7 a) K db '缓冲大小 : %d 扇区',0dh,0ah db '硬盘型号 : %40s',0dh,0ah db '序列号 : %20s',0dh,0ah 5 N& m6 v/ ]# w9 A) {7 W db '版本号 : %8s',0 align 4 9 ?* b( J2 o0 O3 C! _6 }ObjAttr db 24 dup (0) 4 e- {4 v1 j& L& j/ k+ \4 Q- C8 ? Callgt dq 0 ;call gate's selff Caption db 'Windows XP绝对磁盘读写',0 5 X7 a& Q3 m G' {3 kDigit db '0123456789ABCDEF',0 .code % L" p" V, @2 p7 \_ShowBuffer proc ;显示所读出的信息 $ @5 g) S% {) }& Z% B3 N' O. H4 t# v ;把数据转换成16进制的形式 mov [readed],512 " Q1 y) q; Z8 I( G mov esi,offset buffer ;数据 9 i0 R7 E. A, b6 `5 M& k6 V& J7 @ mov edi,offset ShowText ;转换后的数据 mov ebx,offset Digit ?9 g* O9 K8 H7 P+ w) E2 N5 ] xor ecx,ecx 1 ~& m8 q& q5 B. O/ S xor eax,eax computeAgain: cmp [readed],0 jz endCompute dec [readed] lodsb push eax ; A% E) ]3 ~6 c2 v8 G! e5 Y1 H shr eax,4 ;高4位 xlatb stosb 9 x! M$ \7 j& k; ^! H, g- t pop eax , D/ a y6 C" K; Y9 G% G6 g) K4 W and eax,0fH ;低4位 xlatb stosb mov byte ptr[edi],' ' ;空格 . M$ F: o& Q0 r/ f" P, ? inc edi inc ecx cmp ecx,16 jnz computeAgain " _. L2 W! M: B/ ?6 ` xor ecx,ecx + t* a, Z$ s, }; n mov byte ptr[edi-1],13 ;回车 jmp computeAgain $ \5 W9 A4 U: ` t8 T) a! b. \6 O. D( o3 bendCompute: " y+ R$ @) g( {1 J" X$ A1 y% t7 z ;显示 $ D: \6 z' N% o invoke MessageBoxA,NULL,offset ShowText,offset Caption,MB_OK ret . F4 I1 ` P6 |4 H3 ~_ShowBuffer endp . j! [( H! e+ e/ k: p9 j 5 m8 O5 V( a) Q) gSetPhyscialMemorySectionCanBeWrited proc uses ebx esi edi hSection:HANDLE ( A* b2 F. W- j+ Z# U; Clocal pDacl: PACL * I" a' w6 ]5 [! Ilocal pNewDaclACL local pSD SECURITY_DESCRIPTOR local dwRes:DWORD ; m o4 {5 I, Llocal ea:EXPLICIT_ACCESS ; invoke GetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL, addr pDacl,NULL, addr pSD cmp eax,ERROR_SUCCESS . K5 n6 `* `5 s- ~# wjz @f jmp OutSet 2 o, s- C% D% i4 ?6 l@@: mov dwRes,eax # c1 D/ P+ m, K$ |! e, [0 Amov ea.grfAccessPermissions ,SECTION_MAP_WRITE;2 mov ea.grfAccessMode ,GRANT_ACCESS;1 ( g8 M- E& b5 Q% gmov ea.grfInheritance,NO_INHERITANCE;0 mov ea.Trustee.pMultipleTrustee,0 mov ea.Trustee.MultipleTrusteeOperation,0 mov ea.Trustee.TrusteeForm,TRUSTEE_IS_NAME;1 9 u* | B0 g: Z/ fmov ea.Trustee.TrusteeType,TRUSTEE_IS_USER;1 call @f db "CURRENT_USER",0 @@: pop edx mov ea.Trustee.ptstrName,edx invoke SetEntriesInAcl,1,addr ea,pDacl,addr pNewDacl cmp eax,ERROR_SUCCESS ; H% ~- ]7 u, m; ]jz @f + C1 i' I/ U' X. ]1 ejmp OutSet @@: / [& o- w2 C; J) Dinvoke SetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL,pNewDacl,NULL OutSet: cmp pSD,0 5 p1 ]9 ?5 `# Q/ Qjz @f 9 ]) k4 u1 ]! P$ B1 F V0 i9 ~invoke LocalFree,pSD @@: cmp pNewDacl,0 ( M/ \" T+ @7 z' p( G: f( jjz @f invoke LocalFree,pNewDacl @@: ret 9 x$ N8 {/ F( tSetPhyscialMemorySectionCanBeWrited endp MiniMmGetPhysicalAddress proc virtualaddress:dword mov eax,virtualaddress : x/ g/ b* h- `( N cmp eax,80000000h - R4 l& S- F; P6 w jb @f cmp eax,0a0000000h / f: l) |9 D1 E3 A. O2 P jae @f and eax,1FFFF000h ret ! F" [/ ?+ j. P0 }1 P @@: 7 t0 y# b2 [' q' T! X3 i3 p mov eax,0 ret 1 {* G1 Q6 x" {" l. N" L9 pMiniMmGetPhysicalAddress endp . T: s$ F# ]' Q& @1 {# J) z# g1 d- i ExecRing0Proc proc local tmpSel:dword local setcg:dword local BaseAddress:dword 8 u' l+ | [7 ilocal NtdllMod :dword " l ~/ t( \7 z- }" @+ L1 Zlocal hSection:HANDLE ; _8 X3 Y/ o+ v, wlocal status:NTSTATUS local objectAttributes:OBJECT_ATTRIBUTES 2 u6 |" F) G# o' ^- `: z) U! {local objName:UNICODE_STRING $ @2 ]5 M0 s. ^ K$ O# Cmov status,STATUS_SUCCESS; ! {/ l0 A, l0 }; \sgdt GdtLimit . H9 V4 a$ Y+ {8 v3 minvoke MiniMmGetPhysicalAddress,GdtAddr / c1 h) m+ R# M' M" N- E: |mov mapAddr,eax test eax,eax jz Exit1 call @f : c9 \+ K, f/ ~& Rdb "Ntdll.dll",0 l# ^3 f! O3 @# a9 n7 Z& q j2 F- }@@: call LoadLibraryA 6 O# c! U' D0 j; J! w* Omov NtdllMod,eax ' H6 Z! V* ]% u* G* c, a+ r T1 a+ m9 q) c8 s& Olea edx,objnamestr 8 M) X4 o8 A, a% B: t% w) U0 Nmov objnameptr,edx 4 u( v& l6 d" c( P5 S4 j7 clea edi,ObjAttr 6 L1 W$ U/ B2 t; r" q% tand di,0fffch ;align to 4 bytes,or ZwOpenSection will fail 1 H+ t6 o Z! Q/ u0 s; E6 Y. J. kpush edi ;edi->ObjAttr & V+ N+ M, Z/ v0 @+ u0 t% opush 24 ;length of <\Device\PhysicalMemory> 3 n6 k8 a! x5 `pop ecx push ecx 3 d3 L4 e o4 ?xor eax,eax ( V7 }. u: g& J a5 V- k0 X6 l3 Wrep stosb ;put ObjAttr with 0 pop ecx , N3 L. l8 S$ z8 F Npop edi 4 o- i- a+ @3 h cmov esi,edi , K( {, ~ n6 G+ U( g9 w+ dstosd 8 l% c8 s& |' V X" ^mov dword ptr[esi],ecx stosd 9 _9 Z% v/ D. {8 \) ]lea eax,[edx-8] ;eax->objname 0 M6 ~5 \1 o' c2 `( q+ fstosd ;ObjAddr(18h,00,00,00,00,00,00,00,offset objname,40,02,00,00,dd 2 dup(0) mov dword ptr [edi],240h ! `. j9 B! X& y3 Fcall @f db "ZwOpenSection",0 |& O; a1 \* B1 e# m% l. q@@: 1 p6 L$ G, r/ G8 Y0 Y6 X4 Bpush NtdllMod call GetProcAddress - {$ t0 V5 y- |" [* g0 p6 R* \; [$ M Bmov ebx,eax ;ebx=ZwOpenSection $ v4 E5 Z8 f9 T& [# a* s" B7 q push esi ;esi->ObjAttr push SECTION_MAP_READ or SECTION_MAP_WRITE - B& k; S! m$ |% y# Mlea edi,hSection $ r8 W( a; J p) \& gpush edi ;edi->hSection 8 \* ?2 _1 S. t) X6 xcall eax ;ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr) mov status,eax cmp status,STATUS_ACCESS_DENIED : K$ p. p) z1 p' F8 L* \8 ajnz AccessPermit , Q6 ?8 p. Y! k: k- J: ]: ?' Xmov eax,ebx * ~; s, i) |- [+ i6 `* K# T ~0 T7 `/ ^0 o! m$ z# zpush esi 5 F3 u9 w1 y1 L5 b5 T: f0 qpush READ_CONTROL or WRITE_DAC push edi 7 |* ]1 n. {% H( b2 Ycall eax }- M* K% `( T; _3 O 5 Z: G3 V& j) G& Q& ]* Y; m; {' e( fmov status,eax 5 B: i \6 @" @5 vinvoke SetPhyscialMemorySectionCanBeWrited,hSection & G) o' C( L, o3 [call @f ; k! H8 y( M u: ~) N# {db "ZwClose",0 @@: 7 c3 U" a$ C# Q/ @7 spush NtdllMod ) y z4 t( f) B) X6 u0 L# G. ]) ?call GetProcAddress / }2 x- O2 a! i : @1 q* I# X" @% b; vpush hSection call eax ;zwClose hSection 3 C0 d# s$ {/ T; F5 e- Z$ E$ a $ ?4 P8 u, ]' X+ O3 @/ ^mov eax,ebx $ E1 r/ e$ w# j' i% r ! Y( S: d+ E$ E1 I( {/ Tpush esi push SECTION_MAP_READ or SECTION_MAP_WRITE % Y3 [& {& k7 O- C- A) w9 m6 ?lea edi,hSection z4 E% B/ N' ]# bpush edi S7 G4 F. J+ Z e- F, n8 ocall eax mov status ,eax ;status =ZwOpenSection(&hSection,SECTION_MAP_WRITE|SECTION_MAP_WRITE,&objectAttributes); 0 x: [+ \2 k/ s8 W: ~# s W/ c* MAccessPermit: 5 U9 h5 M# _, S9 ~" Y" wcmp status ,STATUS_SUCCESS 9 C; p) x( {8 t7 J! D# bjz @f ( \" w9 l8 C8 `;printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status); ;return 0; mov eax,0 : w3 M$ \; j. e: f2 t/ C$ m9 a) eret @@: 5 x4 q5 S, `) D* X9 O0 Qmovzx eax,word ptr[GdtLimit] inc eax invoke MapViewOfFile,hSection, FILE_MAP_READ or FILE_MAP_WRITE, 0, mapAddr, eax 6 l0 n! j* m$ v) C9 K: Omov BaseAddress,eax 3 N1 T: u8 H* R& bcmp BaseAddress,0 ) k4 w: E1 w1 O+ b8 Y4 Njnz @f 1 A" c" K% I% e9 e;printf("Error MapViewOffile:"); rintWin32Error(GetLastError()); return 0; ; W* e2 X9 v5 s% Tmov eax,0 ret 3 N" g' w" |5 A; r) J@@: " M+ k3 b* P' S! H/ W/ v% v" rmov esi,eax ;esi->gdt base mov ecx,3e0h : ^2 D& E0 |8 W2 Pmov eax,GdtAddr - C, q6 x& Z. @3 b.if dword ptr [esi+ecx+2]!=0ec0003e8h mov byte ptr [esi],0c3h mov word ptr [esi+ecx],ax shr eax,16 - k# R: L! M/ x3 G/ D# Wmov word ptr [esi+ecx+6],ax : ?+ @# Q- L. t' x+ mmov dword ptr [esi+ecx+2],0ec0003e8h 4 F% s& b" I6 K' u3 O% [0 I mov dword ptr [esi+ecx+8],0000ffffh * G2 [( i$ g" B* f0 ^4 B: }( r7 hmov dword ptr [esi+ecx+12],00cf9a00h .endif mov setcg,TRUE cmp setcg,0 jnz ChangeOK call @f ) e( h' T d5 H+ a% Adb "ZwClose",0 1 G! d, T! k( d4 L2 B/ x@@: ) |4 S2 f1 D% K: e1 p' ]push NtdllMod call GetProcAddress 1 S1 G# \( l1 ^# L# K* p8 A Tpush hSection call eax * T/ U* m- U$ ~xor eax,eax ' I% `7 v! @5 M( ~" H6 \ret + E3 l8 p+ D% E @ChangeOK: 4 E2 H' a" y& g! r- Xand dword ptr Callgt,0 % O) _6 ?& w& Fxor eax,eax " y, L: w4 S# x8 ?0 cmov ax,3e0h 7 E, d1 ~; x) G5 _4 o) Qor al,3h mov word ptr [Callgt+4],ax ;farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate; % I9 B1 i: L8 ]! I7 Blea eax,_Ring0Proc * Q/ x. u0 D4 s0 h6 ^;invoke VirtualLock,eax,seglen 8 U3 Y R8 H( x% K2 M/ j1 L& ltest eax,eax jnz @f . q/ v) N$ o2 t+ L# Uxor eax,eax ret / a i( P# y2 ^1 @4 V: T( W@@: invoke GetCurrentThread invoke SetThreadPriority,eax,THREAD_PRIORITY_TIME_CRITICAL invoke Sleep,0 # }8 u% l( s: o& I* h( `call fword ptr [Callgt] ;use callgate to Ring0! 8 }/ T1 S6 _* g' [) O% r;_asm call fword ptr [farcall] _Ring0Proc: ; Ring0 code here.. + t1 h2 |' [& ~; bmov eax,esp ;save ring0 esp . M: @0 u& j5 w6 y; Hmov esp,[esp+4];->ring3 esp push eax mov ebx,offset stIDEINFO assume ebx:ptr IDEINFO Z; Q5 F3 p; {* N \3 m0 F8 R;******************************************************************** ; 等待硬盘就绪 " P# @4 D! y& L/ c ]% P;******************************************************************** mov ecx,10000h / X3 @' C$ a; V# p mov dx,01f7h @@: in al,dx ) D/ H6 W0 w: t) v+ I8 d) x cmp al,50h jz @F / }* m2 P q( g$ }; A& [ loop @B jmp _II_TimeOut @@: * t' q- ]' ~* R: y9 N1 G;******************************************************************** ; 发送命令 ; 如果向主控制发送命令，则端口为 1f0h-1f7h " L' _! q6 P0 d& h; 如果向副控制发送命令，则端口为 170h-177h ; 1f6h 如果要检测的设备为该IDE接口的主（MASTER）设备， 7 Q1 o( Y2 G+ ^; 那么发送 a0，如果为从那么发送 b0 ; 1f7h 如果要检测的设备为 ATA 设备那么发送 ec 7 \8 c) U* }' W1 g0 }$ A, Z; 如果为 ATAPI 设备那么发送 a1 ;******************************************************************** mov al,0a0h ;Drive 0,Head 0 mov dx,01f6h ;Drive and head port out dx,al mov al,0ech inc dx ;Command port out dx,al ;******************************************************************** ; 等待硬盘就绪 ;******************************************************************** mov ecx,10000h , m# C5 ?2 o" F4 K* U' O# X @@: & C, F, E, [2 T2 `* W5 C4 b/ D in al,dx;1f7 (r-status register) cmp al,58h;(driver is ready ,and seek complete) % B; s1 s* y" l" h; p b2 J+ d jz @F " K2 p, |7 R! I* Q+ H b loop @B ( y# d- x/ G {3 }: A jmp _II_TimeOut 4 Q! Z2 _4 [7 P5 U1 ], b @@: ;******************************************************************** ; 将返回信息读回 r3 S: T/ n" u/ U# j ^& P Y; 注意一定要读满 100h 个字长 ;******************************************************************** cld mov edx,01f0h;data port - data comes in and out here mov edi,ebx # C. j! e) ]4 X% {! I' m8 H mov ecx,0100h rep insw $ s2 t7 I$ R' X$ Y9 |; e;******************************************************************** ; 返回的信息中，型号、序列号、版本号为字形式 - t# h( p- ]% u; 需要整理到字符串的形式 ;******************************************************************** ! c+ g& o% }2 e lea esi,[ebx].sSerialNumber mov edi,esi % F7 q8 L* }6 |0 c mov ecx,10 6 D9 p) w; Q* M! y+ `7 c @@: 3 {) @. w# ~! \- m" ~* p lodsw xchg ah,al & O0 _! k2 ?3 U stosw - |6 K; z- _( k loop @B lea esi,[ebx].sFirmwareRev # h, g- \6 _1 c' Y6 t" E: D mov edi,esi mov ecx,24 @@: ( y+ |; V+ e% K ] lodsw xchg ah,al stosw 6 ]0 z- q1 B, W& ?1 { loop @B 9 {; B4 w3 l) @3 i+ D9 j_II_TimeOut: ! \, _. z7 Q8 m' C# H6 xassume ebx:nothing pop esp ;restore ring0 esp , N6 U* u" Z1 q6 n, S, n* |push offset Ring3 retf Ring0CodeLen=$-_Ring0Proc 4 M* l" P" E+ W( Y( \( W 4 F3 m) [, e* J5 `9 P" V! nRing3: invoke GetCurrentThread invoke SetThreadPriority,eax,THREAD_PRIORITY_NORMAL ;invoke VirtualUnlock,Entry,seglen 2 r; M9 i. `4 D, P% \& j9 M. L4 S " f2 W) k5 ]( n, Vcall @f db "ZwClose",0 @@: push NtdllMod % I$ j% A- F) [# k% Ucall GetProcAddress push hSection call eax mov eax,TRUE 0 N$ r/ n+ `# c0 n7 Eret 1 u" [5 M+ i( d; F6 D# qExecRing0Proc endp + R2 g, Z; w' w0 h$ y3 o main: assume fs:nothing push offset MySEH 8 O+ G3 M/ J$ o9 `5 q# jpush fs:[0] ! v2 [, T, j7 t, e& U& Umov fs:[0],esp : D6 q! ^- e# Z. U: o2 G" R/ Ymov OldEsp,esp mov ax,ds ;if Win9x? test ax,4 jnz Exit1 , [% w& Y4 _5 a. xinvoke ExecRing0Proc .if stIDEINFO.wNumCyls lea esi,stIDEINFO.sModelNumber mov edi,offset szModelNumber mov ecx,sizeof stIDEINFO.sModelNumber rep movsb % S/ N& j$ p+ {5 ]+ m lea esi,stIDEINFO.sSerialNumber , b8 J4 N" y2 X" o4 B# Q! P% d mov edi,offset szSerialNumber ; I/ I% g9 K4 D2 ]: G mov ecx,sizeof stIDEINFO.sSerialNumber rep movsb + P$ B& \5 A% s3 O% K lea esi,stIDEINFO.sFirmwareRev mov edi,offset szFirmwareRev mov ecx,sizeof stIDEINFO.sFirmwareRev rep movsb - e9 g2 b5 e; s7 L 7 D" a4 V8 `6 u' V5 W1 G movzx eax,stIDEINFO.wNumCyls movzx ebx,stIDEINFO.wNumHeads $ \5 j. _& Q) ^5 E0 \* k n movzx ecx,stIDEINFO.wSectorsPerTrack movzx edx,stIDEINFO.wBufferSize invoke wsprintf,addr szBuffer,addr szIDEInfo, eax,ebx,ecx,edx, addr szModelNumber, addr szSerialNumber, addr szFirmwareRev mov eax,offset szBuffer .else , ~( C7 K4 i) g4 B$ S mov eax,offset szErrInfo 4 r1 h2 a* P5 Z7 l. V, O.endif @@: 3 _$ N0 M h; r. i9 G# Iinvoke MessageBox,NULL,eax,addr szTitle,MB_ICONINFORMATION or MB_OK Exit1: - y" W* J( q6 S: L5 t epop fs:[0] 5 R: V3 z2 n h) ~3 v/ }add esp,4 " ]# o7 ^: ]6 l# k9 m: z4 j& Einvoke ExitProcess,0 1 R$ }) k6 }3 _ 9 I3 M$ _/ T9 bMySEH : mov esp,OldEsp # U- D2 l. Q! f8 W- j1 Gpop fs:[0] 0 v, I |; A3 ~4 R( a& fadd esp,4 invoke ExitProcess,-1 1 B# i9 ~8 ^5 v. A" }end main

[此贴子已经被作者于2003-11-2 18:14:02编辑过]

呵呵，ExecRing0Proc 这段程序甚妙，先得到gdt，然后构造一个调用门call gate's ,使程序从用户模式(ring 3)进入内核模式(ring 0)。进入内核模式之后，就可以没有限制地对系统干任何勾当。这段程序确实为高手所为，在下佩服得紧。
至于读硬盘序列号之类，只不过是在内核模式下的一个I/O应用罢了。
3 o$ U' Q  Q; `. ~- w2 W# ^' g其实在NT/2000下读取硬盘序列号只要打开\\.\PhysicalDriveX(X:设备号0~26）设备，然后用DeviceIoControl()就可以读取了，不需要绕ring0这么一个大圈子
4 j: s# j( ]1 g7 {6 S7 S, |1 v
这个程序也可以C语言实现，不过中间必须嵌入几条汇编的指令，如sgdt GdtLimit
但还是用c来写更方便，例如：
call @f
  I7 j9 R) e* M( ~" T! ^$ g1 L; udb "ZwOpenSection",0
@@:
push NtdllMod
- ^8 b1 v- M* s: ]call GetProcAddress
$ S0 k) h) v* q0 u' Omov ebx,eax ;ebx=ZwOpenSection
: O% ~" _: a0 I0 `, j4 z) k- Wpush esi ;esi->ObjAttr
push SECTION_MAP_READ or SECTION_MAP_WRITE
lea edi,hSection
push edi ;edi->hSection
+ S" X2 _2 @# Lcall eax ;

用c的话只要一句就可以了
ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr)；
. ]" j/ e- [0 p: B因此懂汇编，然后用C/C++编程，是成为高手的捷径

[此贴子已经被作者于2003-11-3 16:46:50编辑过]

$ e" S1 W2 ?( h( N

firelinux

win32位汇编，真的很不错，业余的时间，全都投进去了

唐明

要能有台机器试一下多好，学汇编还从没想过去ring0，也感觉没哪个必要。
现在闲着真相试试。这片文章我在家保存了有快一年了。不用感觉可惜了。一直停着不用，我都快忘了那些曾经那些依稀的记忆了。水能给我一台电脑，我力马高喊：有你这么富的吗？

很久以前的一段代码

游侠无极限

很久以前?
不是吧,这个是 轻描淡写 编程论坛的斑竹写的

看到过的。