 该用户从未签到
|
我可没这个水平
- e: | ^# N1 L9 p: n4 d.686p
; X8 ^8 P- A! T- m! P W1 N.model flat, stdcall
5 f1 e6 {/ e$ voption casemap :none ; case sensitive
+ e7 b6 q7 x O; l8 E P) b; #########################################################################
! A1 c1 s ?. u9 Pinclude \masm32\include\windows.inc
. ~3 A W! p' p9 Cinclude \masm32\include\user32.inc
. U: h3 \8 g+ @0 vinclude \masm32\include\kernel32.inc6 T/ H! R' B% c9 I3 p4 s
include \masm32\include\advapi32.inc
0 I4 w3 v! [4 J/ R2 Q2 w 6 v4 {$ Z* x7 O7 Y4 I
includelib \masm32\lib\user32.lib
1 ^1 P5 R4 F" h' a3 Aincludelib \masm32\lib\kernel32.lib; p5 i+ D9 p5 I0 i9 H3 c# S6 a
includelib \masm32\lib\advapi32.lib, Y6 |+ o7 X, r: {8 O+ B# K2 K
DEBUG = TRUE9 K) [& H; V3 \; P8 Z
4 L3 [+ k9 H. v' I/ |; IHMODULE typedef dword" Q, t/ c s) X+ z/ p |* X0 ?8 w
NTSTATUS typedef dword
" R( P* g; d4 P5 KPACL typedef dword, C& x" r$ e. l; A$ e3 i. z
PSECURITY_DESCRIPTOR typedef dword
! G' N# p; i! p' n: u9 r; M
( M1 n/ ^% \1 j7 D$ {OBJ_INHERIT=2
$ j0 Q" e( c/ x; e0 t& m5 UOBJ_PERMANENT=10h
& e7 x' t5 h- aOBJ_EXCLUSIVE=20h
- b# m: w; e. S( ?6 |OBJ_CASE_INSENSITIVE=40h
7 ?8 Q, @3 b. y- X7 @OBJ_OPENIF=80h - @" O" F- v0 I1 Q4 S1 h' y$ y
OBJ_OPENLINK =100h
* f: }, I$ }6 N* k z" _! f* w9 W! nOBJ_KERNEL_HANDLE=200
/ C0 ^' N' n4 m7 _OBJ_VALID_ATTRIBUTES=3F2h
4 U$ s* J! A4 ]# U) {+ x6 |% {0 H4 N8 k: H' G: n
SE_KERNEL_OBJECT = 6' @5 u, ?" I. P% x3 n+ e5 e& A
GRANT_ACCESS =1& M* I" R( R0 |2 W1 r* }) X0 Q& f
NO_INHERITANCE =0& C8 [6 ~4 N& G8 u5 j$ o
TRUSTEE_IS_NAME=1# p% o$ t; I( ` ?( y4 v, M
TRUSTEE_IS_USER=1
4 Z) m0 a- x/ oSTATUS_SUCCESS =0
) ^' K3 k) d1 ?% ~, P( |STATUS_ACCESS_DENIED =0C0000022h L& d& u& {1 |; n J, s! H
4 ^, Q( f& r% I3 ^7 e) o) L1 ?
STATUS_ACCESS_VIOLATION equ 0C0000005h
6 B- i0 m. {, uSTATUS_INFO_LENGTH_MISMATCH equ 0C0000004h7 b/ `7 f) M# k; I( K% d
SystemModuleInformation equ 11; q/ o% g3 ?/ P- [) W0 P/ b! K' y
PVOID TYPEDEF DWORD9 Q3 F' w/ k* J2 ]1 [
UNLONG TYPEDEF DWORD
. v# `. G4 A& l& }3 j! z0 }- OCHAR TYPEDEF BYTE% E6 s4 U) C; v, o) [
/ T4 ^3 Q+ q+ `" c. E( r P: P6 V
UNICODE_STRING struct : m8 e% h. ^+ y) q7 V
nLength word ? $ r3 p0 L/ S1 s3 @, w6 U8 ]
MaximumLength word ? h3 j. b# t; p/ \* A# m
Buffer dword ?
7 l. k1 S4 d ^4 hUNICODE_STRING ends6 @& t9 w o: P1 Y; \+ Z) P
6 ~( S* I, F( ?; R- @" {OBJECT_ATTRIBUTES struct ; E/ o4 s* p( [/ y/ E( Y; n
nLength dword ? , ?2 d) u+ V+ c3 K6 M0 k
RootDirectory HANDLE ?
3 Z X& X. n6 ? ObjectName dword ? UNICODE_STRING
0 r8 t5 Z. U4 \1 N4 S, |# L Attributes dword ?;
0 T4 V0 I) G+ w SecurityDescriptor dword ?; PVOID // Points to type SECURITY_DESCRIPTOR 9 L- o+ G r& w6 |3 K9 |" p
SecurityQualityOfService dword ?VOID // Points to type SECURITY_QUALITY_OF_SERVICE ! U( m. y! L ~" W( |: ?
OBJECT_ATTRIBUTES ends ( d7 z- [) p: M( j8 d- {" K- Z
" l# m- G$ I0 ?: ?( q0 E& ^3 J9 Q
TRUSTEE struct
4 k5 }- V7 w6 |% v U pMultipleTrustee dword ?TRUSTEE # O8 U' i% [& X9 m; p
MultipleTrusteeOperation dword ?; MULTIPLE_TRUSTEE_OPERATION 4 S i& I0 Z( F' r
TrusteeForm dword ?;TRUSTEE_FORM& n0 i9 I: O, Y2 z& v$ T
TrusteeType dword ?;TRUSTEE_TYPE $ Q7 ~ b a, W$ H j1 {% W' w
ptstrName dword ?;LPTSTR
1 F+ O; t7 `' l9 Z9 i r9 s6 K0 ATRUSTEE ends G {% X* ^& x
& u* S9 K+ x& g+ u, b! t
X3 O! O! s' n& M1 FEXPLICIT_ACCESS struct7 {7 K1 T+ l$ A: b1 @0 [
grfAccessPermissions DWORD ? % \4 L8 \* C. [. b; z* O6 ]) T
grfAccessMode dword ? ;ACCESS_MODE 3 `/ c7 N+ o: Q2 g3 r/ ~0 R
grfInheritance DWORD ? ;
# P: I9 f, m5 R" y. X Trustee TRUSTEE <> ;
$ K. s2 O- q- F7 {EXPLICIT_ACCESS ends
% Z% d' t C/ G2 Y3 C9 G& `1 _8 l f' `# R, f' a+ s
MyGATE struct ;门结构类型定义, J, _ k" C" v5 s( g5 A
OFFSETL WORD ? ;32位偏移的低16位; s( a3 N/ s2 w
SELECTOR WORd ? ;选择子 s' H* s5 {# L7 h% m/ G
DCOUNT BYTE ? ;双字计数字段( ?5 \2 C, K; k
GTYPE BYTE ? ;类型- E* P6 w6 j6 M4 _$ P; X
OFFSETH WORD ? ;32位偏移的高16位) S% J. Q6 @' l/ _* Z
MyGATE ends
* [/ o- [0 ?- y& k5 v! n2 K* E, b D9 A5 q
IDEINFO struct
% p9 j: L* G/ P) L: S& k. z; MwGenConfig dw ?
# [& j. S% Y8 H5 O0 V& U) _wNumCyls dw ?;拄面数% Z+ y- `, h4 n# G3 Z
wReserved dw ?* M/ `" W& A; K+ u" I. K) j
wNumHeads dw ?;磁头数! [' O9 {2 E/ u! |( {. c
wBytesPerTrack dw ?;每道字节数
9 f( \ }# A2 S6 s- O! p* \wBytesPerSector dw ?;每扇区字节数
. x9 Y _ o/ P7 O) d5 e/ |wSectorsPerTrack dw ?;每道山区数( F2 r# j0 F6 t- I( E7 w' I
wVendorUnique dw 3 dup (?)* E" l( `5 W) N! X) A; s& H
sSerialNumber db 20 dup (?);硬盘序列号
- h9 b! w$ g1 {! f* I" wwBufferType dw ?; f- @# e* h/ M% G2 X" y7 e* g/ B
wBufferSize dw ?; ;n * 512
" d& B5 s* T$ `8 \/ T3 M% C/ Y# twECCSize dw ?
+ G* {6 S. ?9 B8 Q9 _. R# VsFirmwareRev db 8 dup (?);
$ L" P! h; }* D6 csModelNumber db 40 dup (?)
& O$ _. i6 E7 I' e7 |wMoreVendorUnique dw ?
( ?' A+ k" s5 ^4 K( T" CwDoubleWordIO dw ?
' P. L0 u! T, X: A( }4 ^) fwCapabilities dw ?
) K7 F: a& u2 N+ VwReserved1 dw ?" O" R# k) k$ G3 h; K: }
wPIOTiming dw ?;0 w3 V. G6 J3 U
wDMATiming dw ?;
1 t1 u @# P' G$ N1 u8 |/ B8 uwBS dw ?
; q% r: T; t, m% R3 H# iwNumCurrentCyls dw ?;
$ P( e+ |$ L: C5 x' owNumCurrentHeads dw ?;; H5 \3 V5 [" r7 V" V* U
wNumCurrentSectorsPerTrack dw ?;
7 j% f: l6 v9 j$ ?" ?* jdwCurrentSectorCapacity dd ?;
3 |; k* H7 u! B5 o5 d% UwMultSectorStuff dw ?; A o% ~4 E* Q, L, ]' _
dwTotalAddressableSectors dd ?;
8 I- E( k$ k4 c% z1 l. y6 C9 D. }6 X" c8 u7 kwSingleWordDMA dw ?;
0 B2 z% G5 O; K6 hwMultiWordDMA dw ?;2 G( C: K2 Z( z" G# J
bReserved db 128 dup (?)4 C ]$ j, Z# Q( R3 v8 T" `9 f# L
IDEINFO ends
/ O- U5 e, n7 Y/ w) `
3 @. J" ^0 \/ `! ~# C; S7 e* C+ D+ X* v# D3 K% O% j6 @
SetPhyscialMemorySectionCanBeWrited proto :dword0 R) u3 }* y3 Q! n- ~! ~; m/ P
MiniMmGetPhysicalAddress proto :dword
! e$ h$ k$ P( Z
; U7 @, j, g7 u+ w: F9 X0 RENTERRING0 macro- E- F( l1 h0 J0 u# k) k; b! ]
pushad ' H+ a' \' u' P% H2 R( j* i
pushfd 5 V. ~- D6 s2 Q. B! Y
cli
+ n z3 `% C2 T' {: S- Umov eax,cr0 ;get rid off readonly protect" Q+ N6 \0 A6 w
and eax,0fffeffffh8 ]3 p! g1 w" x' U6 m% H
mov cr0,eax
; k% ~4 s1 G uendm
. H/ m; N- k) w% Q5 Z A1 z7 q
& r& m) E0 S1 Z! T$ m, ULEAVERING0 macro9 n7 H' O0 D4 r+ U E r
mov eax,cr0 ;restore readonly protect# Q% s% o) ?( b! C6 I* A
or eax,10000h5 @+ _1 h- Z" \0 I, |1 G
mov cr0,eax, w2 }- Q4 w- N! A
sti; m8 K4 `: S; b# ~" F" }
popfd
1 g& N! _+ ^& j( S5 g5 Dpopad 1 g+ A% R6 W# ]9 |- u
retf
! E; J1 F ?/ ]) }+ r2 a# cendm; S4 E% I; n- T5 v
/ ^; d6 B0 K1 o( k! h9 Q! U( x6 S3 x5 G1 [+ F8 d" \! v2 |
UNICODE_STR macro str
/ l. A v" ^- m+ @$ \( n( G& Pirpc _c,<str>
- r; J' ^ u5 [db '&_c'
+ p5 d' y' Y' D0 gdb 0
3 c/ a: a3 {# G# yendm' ]- g/ b6 _; T. e2 @6 z" `2 D1 A
endm n/ N0 A% V; K5 F( I) L \
7 Z4 A3 F% z% D
.data?2 l! ^% Z, w" m
GdtLimit dw ?
5 m' ?7 J: {: J! k$ S& mGdtAddr dd ?/ x) H/ v7 g( p; L
$ q( L" e# W7 b7 E1 ymapAddr dd ?
, Q1 P' ]) w: q+ g! F: R: dOldEsp dd ?
9 y4 }+ y6 Y+ z4 }
! q9 c3 ~ A) c5 Ireaded dw ?
5 ]( t8 `# Q2 e3 r E& ?8 C: Qbuffer db 512 dup(?) q0 |7 j* |5 U% V+ I
ShowText db 512*3 dup (?)
$ {( @9 e; I. r) L3 o* A9 ~$ r `
U0 `7 L0 g! i2 J9 BszBuffer db 1024 dup (?)
3 e v$ P* s/ V3 |& g8 H% A4 C7 [szModelNumber db 41 dup (?)
* b* R8 i; B8 `( J5 {szSerialNumber db 21 dup (?)
1 o% j* I; V* A% nszFirmwareRev db 9 dup (?)7 M2 r1 ]2 ]. d6 N
0 I6 h* |0 M/ Z! K9 T8 mstIDEINFO IDEINFO ' T: n; {2 W/ M F) C4 b4 A9 x2 i% ]
+ k' G5 V4 G1 b& m# p1 k.data
& x2 n1 t1 D2 T& d' W$ V& aalign 4
& p1 L0 x3 @4 ]2 Gobjname dw objnamestr_size,objnamestr_size+2* S a, j/ y5 B
objnameptr dd 0
, h4 _" a) O5 N: S9 p1 Hobjnamestr equ this byte8 J) m- r' Z/ N
UNICODE_STR <\Device\PhysicalMemory>1 z; E( i! } g; w, B
objnamestr_size equ $-objnamestr
# e8 E3 w3 n! F( c0 z* E
8 ?( b+ Q" R% e3 e6 A# \ eszTitle db 'IDE 硬盘信息',0% h& U* T+ P' J# L( H
szErrInfo db '无法读取硬盘信息',0
) z' p$ F e/ S8 C" t. `# c! _szIDEInfo db '柱面数 : %d',0dh,0ah
0 n* h$ G, y. w+ e _% y* H3 D/ C db '磁头数 : %d',0dh,0ah
6 l+ U% {5 ^- ?, h% b# a5 @2 c4 H db '每道扇区数 : %d',0dh,0ah8 ^7 d% w$ [0 S" @
db '缓冲大小 : %d 扇区',0dh,0ah: [( D, a z9 p8 `; k+ E6 Y
db '硬盘型号 : %40s',0dh,0ah
1 e5 Z$ L& i5 H, V% j5 O- e! s db '序列号 : %20s',0dh,0ah, d* C: c1 d# B1 S, ^1 h O b* L
db '版本号 : %8s',0
- o; V. L1 d! C# [) z" [" a X5 S# j# v! k: A; I4 c
align 4* S7 B0 A% c( Y5 C# c
ObjAttr db 24 dup (0). w6 h. M6 c1 f5 c# V p* Z
( N; y# y: _0 E+ N) x0 E- c- `) U
Callgt dq 0 ;call gate's sel ff% L$ w8 _0 I: [- u. Z6 v8 l2 z# {9 ?
Caption db 'Windows XP绝对磁盘读写',09 `7 R6 _+ A9 l9 N0 K
Digit db '0123456789ABCDEF',0
& c: o- f6 u* Z.code' K* U/ n; J3 A* M$ z, [/ m
_ShowBuffer proc ;显示所读出的信息( B/ u* H M/ o# r
;把数据转换成16进制的形式
! G2 i9 S# Y0 J0 M" `8 I7 U5 t8 ~% Y y mov [readed],5125 s) ^1 b# l2 k( Y
mov esi,offset buffer ;数据" ]! v, w* u A) Y" q( x: r5 P
mov edi,offset ShowText ;转换后的数据8 |. H4 N- N% l6 e8 p
mov ebx,offset Digit
% z, [5 v% q0 R D# z+ h xor ecx,ecx
' r* P; r# g1 q" [: G; \ xor eax,eax$ ]; U# C7 z9 B1 }% e8 W, d) A5 ?5 u
computeAgain:5 {2 o* x+ N0 `2 O' X
cmp [readed],0. h+ B) N3 h9 w
jz endCompute
2 \1 T! z/ \0 ]) R1 @2 u dec [readed]. @' ^1 X1 [4 d1 N" s6 {- L
lodsb/ O! R$ e3 D3 H& |+ m& [. `
push eax5 R: R# Q! F) s, d7 c
shr eax,4 ;高4位0 D$ H- s& Q! P/ c$ u. S/ K" d
xlatb
# e6 X( q* l3 i$ t/ I8 z4 s stosb
9 H. U- {: k. p4 k; Y2 e pop eax
5 U' D9 r! l) [( \% y# R and eax,0fH ;低4位$ M/ v6 E# ?- C1 ^6 @" |
xlatb
) c1 W$ b7 |; a% i) P stosb
: _7 v* ^- x$ ~ mov byte ptr[edi],' ' ;空格
+ k$ D, _1 Q2 | i inc edi) q. s2 s* H/ u- m4 ^$ h4 Z
inc ecx: G0 r/ ~( e$ T6 Z3 u2 S# T
cmp ecx,16
( p1 d7 v: O0 B- k& C* o5 i- P* N$ U jnz computeAgain
& I$ z: G+ \. P xor ecx,ecx% p4 M( i3 @5 O/ f; c0 o' I6 C
mov byte ptr[edi-1],13 ;回车3 {- h" k' @# b0 H' F
jmp computeAgain. l7 Q* M# Y+ X$ k$ z
endCompute:/ W6 x4 Q3 }, ]$ V6 H c: j- k2 i5 y
;显示. f+ n5 K$ m0 \( y( o+ t( b! V N% @
invoke MessageBoxA,NULL,offset ShowText,offset Caption,MB_OK; ~% [+ Q! f& C% U: K9 u( W6 r
ret% [+ }; ?' t, T) u) t! r
_ShowBuffer endp
0 _. f! m" i2 o* J0 ]+ H3 t& Q( B1 ?# t+ u6 y/ n
SetPhyscialMemorySectionCanBeWrited proc uses ebx esi edi hSection:HANDLE
( @$ S* H' I, h+ L5 {local pDacl: PACL
X% X4 }$ z4 W6 ~% u. @local pNewDacl ACL
1 V: c& x, f& X2 \2 x8 y [local pSD SECURITY_DESCRIPTOR
" S% O* ]$ C' X2 V* a8 c& U' V* flocal dwRes:DWORD ;! A3 C) U# ]8 H# r
local ea:EXPLICIT_ACCESS ;
+ q' `& f# c% M+ C9 qinvoke GetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL, addr pDacl,NULL, addr pSD# m. a( h$ r \
cmp eax,ERROR_SUCCESS( _2 B: f$ O( x" G
jz @f6 F8 x# x+ y- L' }; d5 Y1 w5 a
jmp OutSet
0 m* e* V% p1 H# g@@:" \1 n4 l# C. G! |! g# m
mov dwRes,eax' U; w) w3 y$ _, ]7 w$ l* q
mov ea.grfAccessPermissions ,SECTION_MAP_WRITE;2' w: ?- ?- i6 k& \3 W6 @6 _" o
mov ea.grfAccessMode ,GRANT_ACCESS;1
$ f+ x0 `0 u% F+ C3 T+ `mov ea.grfInheritance,NO_INHERITANCE;0
6 Z2 [; A) h; ^. d9 I- s5 A2 n% H7 Omov ea.Trustee.pMultipleTrustee,0/ F/ ?4 j6 W) W# ~9 J
mov ea.Trustee.MultipleTrusteeOperation,0! W) V6 ?6 w: ]: Q5 i- R/ C, d
mov ea.Trustee.TrusteeForm,TRUSTEE_IS_NAME;1
6 v6 C$ o0 R# L, ]5 f" A' \mov ea.Trustee.TrusteeType,TRUSTEE_IS_USER;1
9 D1 j: y- F: s/ i' Tcall @f
0 K3 Q* ~/ g4 i& K! C- o3 |db "CURRENT_USER",0
( W& V# b! g& P' C@@:
3 Q( l _4 a/ ]. Q: l, rpop edx
8 `7 N- H- Y( i8 U, L: amov ea.Trustee.ptstrName,edx
. o, u! C/ C F8 j5 R' c) G! b2 oinvoke SetEntriesInAcl,1,addr ea,pDacl,addr pNewDacl
) S! h1 V+ B( Y. M1 ]- ?8 T* B9 S+ wcmp eax,ERROR_SUCCESS
S. {$ M8 T" H/ R! p4 W }4 ujz @f
4 Z3 n7 S) E0 W. ]7 Y( p$ Ojmp OutSet( |" ~- P/ c. R @3 I/ K
@@:2 ?+ n' r K4 k0 Y, ^2 m
invoke SetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL,pNewDacl,NULL
; n, R( w, a& }5 h, A" {OutSet:
$ V9 X: U# |8 G- |) {1 Ncmp pSD,0% B8 t; K) S$ a3 ^
jz @f% L* j+ w! n4 N5 \
invoke LocalFree,pSD! b1 }* N# c0 p4 C; y' c, A
@@:
! D1 @/ V9 y7 U% kcmp pNewDacl,0
+ u8 V- L8 [, p3 A' Z/ ?# mjz @f
8 p- u8 D0 o3 x2 {' p) J; @invoke LocalFree,pNewDacl
. d& }. C- o% C( m- o# |@@:
2 ?- A( e- ~3 g3 c1 P' hret
. ?2 n; m) M' J3 ~SetPhyscialMemorySectionCanBeWrited endp& k/ D+ T( a m, j# z
. Z# p/ [7 l* {& `$ s
MiniMmGetPhysicalAddress proc virtualaddress:dword4 u) K& u, l4 T
mov eax,virtualaddress
1 n; z$ _0 [! Y& [3 N' I7 u2 V" ]/ U cmp eax,80000000h% j8 x5 k6 ]7 _* D; F# e
jb @f
% O+ H! s. Y+ N8 p& R6 P( t cmp eax,0a0000000h4 e7 {! w4 x$ T) L% Y' B: P; e
jae @f
" _3 Z2 A( ~0 B4 P and eax,1FFFF000h, l! W. U7 R8 f2 F4 }) @
ret
8 f! m4 X% w6 _# I4 \ @@:
- t' }: u' | o mov eax,0
8 |7 @3 @, q0 S9 S% K ret
2 y& C3 F3 D& y4 @% vMiniMmGetPhysicalAddress endp0 w% R* L& W6 W' f9 @: v
) Z7 M' K& V7 ]3 T* rExecRing0Proc proc
. M$ {3 K* o7 {7 ]+ y7 Y% slocal tmpSel:dword p( Z( r$ S- I: E
local setcg:dword
0 `3 r0 Q% N9 C1 V( s$ [& n" Q3 G' ?local BaseAddress:dword* [% H& X. L3 H8 D- t. \4 C! w
local NtdllMod :dword
y' j& l; [: j0 h, Olocal hSection:HANDLE 5 V% R5 f. d8 Y& y+ U# j& J1 X
local status:NTSTATUS! a- F$ l% d3 U6 g
local objectAttributes:OBJECT_ATTRIBUTES ' O) s" p. _% g% y* p9 K
local objName:UNICODE_STRING
- j0 V9 N/ e" |& E& _+ Y% Mmov status,STATUS_SUCCESS; * n+ `% T2 c3 u4 C K5 @, O; R' i
sgdt GdtLimit
8 |( ]$ l9 y/ U- d( n$ m; ~invoke MiniMmGetPhysicalAddress,GdtAddr2 r( \8 |) f+ I3 z" z
mov mapAddr,eax z7 O3 c- ]* T$ c! T" Y
test eax,eax
9 p8 O; `9 w# rjz Exit1
3 k6 u5 W; n# w! v/ ucall @f
% O2 `4 h! z8 }7 H+ R7 M! Edb "Ntdll.dll",0
) Z$ M* Y. k4 F' T: o@@:
* I9 O! ^3 Y- m" {* Tcall LoadLibraryA d8 W7 f; U3 f
mov NtdllMod,eax
5 n' F5 K5 i! f" u
7 A5 _6 y0 B" X1 |lea edx,objnamestr
/ N6 }0 @1 ?5 d! {. _. Tmov objnameptr,edx" R5 H5 d% ?" N: o& B X
lea edi,ObjAttr
) X' `1 A$ f' W, y: ]- A7 R( Jand di,0fffch ;align to 4 bytes,or ZwOpenSection will fail! R4 ?4 f9 l0 \8 A
push edi ;edi->ObjAttr
/ U$ l* T, v( c ppush 24 ;length of <\Device\PhysicalMemory>3 N/ K" c( E% y# a
pop ecx. }; X: p* D# `" J6 q* ?
push ecx0 d0 }0 }1 }# o4 {$ m
xor eax,eax+ N$ w" {/ O# x- K9 \" o
rep stosb ;put ObjAttr with 09 i1 V. k+ f+ d# n( q
pop ecx6 G4 U5 z3 V x% s) g$ `0 X
pop edi& K- p, f1 K s) H
mov esi,edi* T: V8 ~1 F7 u
stosd
3 K' p5 t$ e, C% D2 Pmov dword ptr[esi],ecx9 |- u1 l9 G/ }+ a+ |+ o0 }
stosd 2 k1 Z+ W' K d9 {2 {0 P9 k
lea eax,[edx-8] ;eax->objname
d# i* Y- o: m' Cstosd ;ObjAddr(18h,00,00,00,00,00,00,00,offset objname,40,02,00,00,dd 2 dup(0)- H7 i, k; K7 x! F
mov dword ptr [edi],240h
- E' k" K9 h( o' b, n* {8 |
8 j' H$ T6 I: I- T2 g* @/ Mcall @f
: n, N9 `- v4 Wdb "ZwOpenSection",0
- G; ?: r. @0 o; [- l4 m/ Y5 U& T@@:
0 X2 J- O1 E0 o$ v" cpush NtdllMod+ ^: V5 n: J1 Z. }
call GetProcAddress
# k5 f; B5 F0 d, E0 m4 C8 Imov ebx,eax ;ebx=ZwOpenSection3 y1 G* c( o- n) e' o; j
1 ]) ?6 s' }1 V% v Cpush esi ;esi->ObjAttr
3 \+ c% s! B4 Z6 w6 K; Npush SECTION_MAP_READ or SECTION_MAP_WRITE
: M9 y0 |: _' R4 e! g; ^+ Glea edi,hSection
$ @+ s/ T1 c X7 ~push edi ;edi->hSection3 V& }1 e$ C- f' X' _
call eax ;ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr)
6 D% J7 m. ~/ f3 Z: S/ e [; y' f$ n' ^
mov status,eax
o: F1 }- Q* C: H4 F; Icmp status,STATUS_ACCESS_DENIED
) {2 z. \6 L' p5 qjnz AccessPermit" a8 q Q: X5 c6 ?* m# }
mov eax,ebx R% B8 p+ _& V [& x
. [) l2 t2 s5 u8 [
push esi * T# D& p7 X8 L7 i
push READ_CONTROL or WRITE_DAC ) b: @, j/ n! D- m6 B' j
push edi 0 e( c" E. @& v4 U' y2 a) b( o
call eax
# C9 N9 J4 T& ~" s0 }% W( m4 ^$ q8 p2 q# f: {) z) ]
mov status,eax# ^ O& o: `) H- I2 ?
invoke SetPhyscialMemorySectionCanBeWrited,hSection , o! d" p, w& F9 l3 M* I
; h1 ~' t H5 ~1 w% X( d- wcall @f
: _; j3 w0 R8 k8 `, }db "ZwClose",0( s% w* F w- K/ s) b! Q5 A) Y- X% ~. {
@@:
6 ]9 `* q4 H2 J& Jpush NtdllMod
' l+ m5 k: Y. `/ [call GetProcAddress4 a& j/ |4 r2 I) E3 A# j
) z# V6 L* M) W9 F
push hSection+ ^& H9 v2 Q/ {; z: a2 e3 e
call eax ;zwClose hSection+ e9 i+ }- t* K/ [* O, ^6 i
6 k% a2 y9 E: \* T& Rmov eax,ebx0 b/ S0 b- Y% D: x
' ?/ p8 H3 A X% ^+ Ypush esi
9 l( |* ]5 B2 h% v& m# s% `" Gpush SECTION_MAP_READ or SECTION_MAP_WRITE # Y$ b* P9 y" ~7 ^; w7 s d
lea edi,hSection n$ [- q v; n- T. t- Q. t$ N3 H
push edi # n) A S* g% x1 a3 c
call eax; P5 G; I. m( Z% B) k, B5 `$ z# K; y
mov status ,eax& d: F# N( E) Q6 ~2 p2 D4 Z
;status =ZwOpenSection(&hSection,SECTION_MAP_WRITE|SECTION_MAP_WRITE,&objectAttributes);
. ^* l+ M* g# ]) sAccessPermit:" I Q' e f+ `, y# p8 P7 ]% J" w
cmp status ,STATUS_SUCCESS 3 _7 I! J# F. q- v
jz @f
/ d; Q2 F' S# M' l# k3 ~;printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status); $ S, E. {9 z1 o: B" X0 ^, W: Y# K
;return 0;
7 O* J( n8 S$ k8 j9 P/ rmov eax,0
' z) K: l1 w: Q. Z* h7 | K. Zret
# o& x9 Z/ C3 u0 n( l8 s@@:
) M D- l) d- f% x9 d6 D2 G- Hmovzx eax,word ptr[GdtLimit]- `+ [$ ~1 U! ~+ v, F1 _+ z8 G
inc eax' P- {; b) Y, \4 A
invoke MapViewOfFile,hSection, FILE_MAP_READ or FILE_MAP_WRITE, 0, mapAddr, eax ; |* }5 @9 R2 u8 T. J
mov BaseAddress,eax7 `3 w4 Z- J0 q4 D4 J2 G
cmp BaseAddress,0$ }) r: |) a" g$ }$ w
jnz @f! I! v4 C. v1 _2 M0 j& O/ g* d
;printf("Error MapViewOffile:"); 4 s l: t5 N1 w6 U
rintWin32Error(GetLastError()); return 0;
' `& u7 S- u, W3 P+ Nmov eax,0# @# h3 \1 i: e' k
ret1 ]9 m3 v$ }2 H- x5 I' ^9 y
@@: ! F7 |9 F5 L& a4 m% E( k6 R
mov esi,eax ;esi->gdt base$ Q. f2 q. z- G6 t6 b- `6 @
mov ecx,3e0h
4 x' C& v' |# G* m* H5 k9 b+ tmov eax,GdtAddr
3 ~7 t* [6 S9 R/ c* u.if dword ptr [esi+ecx+2]!=0ec0003e8h
. R+ ]& W! o' ^# d$ i# ]mov byte ptr [esi],0c3h
4 f/ d* ]; c; _. ^' i- u( c W' e% C6 U
mov word ptr [esi+ecx],ax
, P# h- e. d) B @" Bshr eax,16! N3 p% ^1 \( m* R- y: ?8 r7 Z
mov word ptr [esi+ecx+6],ax
+ ?9 W; _; C, N# O4 T8 g0 Qmov dword ptr [esi+ecx+2],0ec0003e8h/ ?0 G$ [+ K% h0 P+ A* h5 E
, c6 m! V1 ^6 ^! K7 Z# F6 B
mov dword ptr [esi+ecx+8],0000ffffh1 o. o( Z6 S6 Z" e7 r F' r
mov dword ptr [esi+ecx+12],00cf9a00h# _# }& Y+ a; ? ^( t+ p
.endif9 U% Q' t T/ E0 g; _% }. U U' a
0 e- L1 v" P" M- x+ O/ ^7 L; k% G
mov setcg,TRUE
0 o$ i) M# o2 b3 N! Mcmp setcg,05 a6 }4 R$ {- s5 y4 g1 ~8 x& ]2 d- W
jnz ChangeOK
! P( K2 N8 e. v# @6 [5 N3 [+ |call @f* H' X, p2 E: t( k2 B
db "ZwClose",06 O2 \3 Y7 ~1 q$ V6 ^
@@:
# b- F- ?+ u4 ?: e9 f4 ^9 _* ~push NtdllMod
+ Q8 L `' k4 j6 e. Z$ Pcall GetProcAddress: w) L9 ]; U. r4 u
push hSection9 d+ K2 \# J J1 \) k
call eax9 l4 L2 t. I& l
xor eax,eax
2 |: b+ `$ S: h1 O* ]: aret( x( {: S8 Y7 D0 K: I# b1 j
ChangeOK:" V8 m6 g% R& E8 b
and dword ptr Callgt,0
( Y: o0 v4 l+ `1 _. m, B; Sxor eax,eax9 F) O& ]+ c! K9 x1 z6 X/ k0 K3 y
mov ax,3e0h1 r; j+ U& w! A/ ]/ C* Q
or al,3h8 q5 @: Y* q* ]- q$ V
mov word ptr [Callgt+4],ax $ l! E# ~) F+ r5 @. l3 @) E
;farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate;
) O; y# n) f; I( o Alea eax,_Ring0Proc
4 k9 ?" {5 X: \9 o4 K; j;invoke VirtualLock,eax,seglen ' [7 f! s5 _" }( |& o. ~) h6 L: `
test eax,eax
" u* |6 o/ W# [' |jnz @f
5 Q& v9 o" ^& q2 d U! T1 O! F3 jxor eax,eax4 i3 N- ]9 P5 Y1 t' a' R$ C
ret
0 n: w, v) _$ D% \@@:
9 [9 ]4 w) s8 [invoke GetCurrentThread
: H& z: F3 _8 k* ~# g, m( Y& Jinvoke SetThreadPriority,eax,THREAD_PRIORITY_TIME_CRITICAL
. v. E, p, S; E; u) Y" h1 Y% o0 k7 ^3 O2 J7 l
invoke Sleep,0 , a/ o2 @4 K, N( K' w. n" v2 c
call fword ptr [Callgt] ;use callgate to Ring0!! J3 L/ |4 h8 u5 g P
;_asm call fword ptr [farcall]0 _! C: i+ L6 g# U# U+ P
_Ring0Proc: ; Ring0 code here..
& u* |5 `$ z1 K" i+ S& imov eax,esp ;save ring0 esp; |- C& R6 r2 b3 l
mov esp,[esp+4];->ring3 esp
+ l* _# k! A/ H$ o! r1 J. U# Lpush eax6 J( O6 K) M/ W# S
mov ebx,offset stIDEINFO
! ~" C) H: r) a/ E4 p% s% r assume ebx:ptr IDEINFO
4 R0 @* j( y5 r$ A$ U, J9 H; K6 i;********************************************************************4 }+ u2 F$ u' U: ^* v" m
; 等待硬盘就绪
: _/ z+ f3 M* t;********************************************************************
2 u! e4 r- J% K mov ecx,10000h
5 q: W" _+ p; t% U7 Y- ] n) w$ } mov dx,01f7h' j$ x7 z3 |+ w* a: N2 a% c
@@:$ S' i/ I, T. q- ^
in al,dx& Y+ X$ M ]- W N. `. T2 v
cmp al,50h
, N( ]% y0 ^. p/ W! P. e jz @F
% Z3 W% E4 _# C9 F loop @B
: a2 i1 W* C1 N9 Q9 v jmp _II_TimeOut8 y8 }/ T! n: Y( d" Q% f
@@:
" w$ t8 @5 L% N# N, t7 {$ q' U;********************************************************************
& a' ~$ y! o3 c3 Z% o; 发送命令9 t9 e3 V2 O# D. a1 j
; 如果向主控制发送命令,则端口为 1f0h-1f7h
# G" E& U) u' C( p/ c# G# }; 如果向副控制发送命令,则端口为 170h-177h
; B& q/ Q" P: s; 1f6h 如果要检测的设备为该IDE接口的主(MASTER)设备,
6 A6 ?6 D" u- K; 那么发送 a0,如果为从那么发送 b0: s/ e8 ?; @& Z/ G
; 1f7h 如果要检测的设备为 ATA 设备那么发送 ec6 l2 A/ z) s+ u8 \# ^0 U3 @/ }
; 如果为 ATAPI 设备那么发送 a1
2 e3 T3 u i5 Z+ a;********************************************************************
5 h' @! ^1 z( P; v$ D mov al,0a0h ;Drive 0,Head 06 l1 ]7 ~3 n$ }5 N2 v! |: N. x4 D5 Z
mov dx,01f6h ;Drive and head port
2 n+ @6 |# C, P out dx,al% P, e8 ^) L' n3 \7 I
9 R/ `) A# [; X) Z# j
mov al,0ech * Z; ?' W) X5 u
inc dx ;Command port
% N3 S( Z* e; j8 c; c9 H/ `7 ? out dx,al3 i6 q% Y7 [# X& s6 j
;********************************************************************
$ V4 S$ M& S8 R# h; 等待硬盘就绪
+ ^$ [6 I9 H) C) E) G;********************************************************************- M7 P2 ?9 l! |! m* _. t9 x
mov ecx,10000h
- ?( r4 H: X7 S& }! ~5 ? @@:
8 I! @+ ] J4 z4 s in al,dx;1f7 (r-status register)
6 R/ c8 w% } _ cmp al,58h;(driver is ready ,and seek complete)
% p+ z7 a; g1 ?$ W jz @F. |& Z' `+ D. J* i
loop @B5 ~! q1 A* X+ W
jmp _II_TimeOut n/ a" y" {3 R9 \
@@:
8 B% M- J% _0 H% D. P$ l. L$ m+ I;********************************************************************# p5 e0 i- ?" ^/ J" R1 Q* f8 W
; 将返回信息读回
7 M+ S: w6 z6 b% H5 O- d8 n; 注意一定要读满 100h 个字长
/ M. B7 O8 m0 Q( E3 i$ g' h8 c0 C;********************************************************************
. R; k0 \% b$ ~0 [% v- N cld
- [ w& p4 }; d% F6 \! F mov edx,01f0h;data port - data comes in and out here
* H& E q- h' O2 H9 m: C mov edi,ebx
6 `9 A) G- {2 \$ f# w4 `& u mov ecx,0100h* ^% H/ u2 k7 v' z6 A' t. X$ Z; Y
rep insw
$ F1 B7 q9 q% V6 C;********************************************************************
1 B3 ?7 Z0 y2 V; 返回的信息中,型号、序列号、版本号为字形式& }5 E, W, A, E& G0 F. `
; 需要整理到字符串的形式; J% h& t3 K) Y8 I' G! `
;********************************************************************
# S9 y6 C6 v1 A0 b( u lea esi,[ebx].sSerialNumber k) J. h9 ~& P2 q
mov edi,esi( Q/ _' f5 z' R) Z2 J
mov ecx,10
( w, |% I" e( k _$ |4 S @@:
2 w9 {6 [9 L) q0 B% a! A8 }" T lodsw
% Q4 S. X; K! m9 l xchg ah,al
3 G# B& B5 h; q stosw. K" C2 N$ a1 [4 d. `
loop @B
9 D5 P+ H8 r1 V' N1 X- J6 F6 K+ i6 r9 }/ ]* ~: G3 @
lea esi,[ebx].sFirmwareRev. j2 Z7 \; j! N, l# o+ U
mov edi,esi P4 N. z7 S! t5 `/ |4 _
mov ecx,24
( ]7 N2 o6 v& h8 Q @@:9 P1 J" k& |: L, c
lodsw; F1 O* V% w- C; S+ B0 R; R+ h4 F6 P
xchg ah,al
. A) t) c- w4 W! R stosw
8 W: V: [4 [* Z4 @- ~! y. H* H loop @B. Y j7 r* D: d* `; i
_II_TimeOut:
* ?' }' k$ v+ R4 gassume ebx:nothing
2 @' {$ V" \4 f0 e% n
T; k4 M0 v: W- spop esp ;restore ring0 esp( t: j- F7 s. v; M
push offset Ring3
- j* `# M" ^. V! ^retf
1 H* i6 h: Y( B/ G7 U# I; Y' ^2 iRing0CodeLen=$-_Ring0Proc4 k4 e6 m4 b) X4 J
$ |" w, o$ s: S
Ring3:
1 p/ g. P2 U) ?; {9 Cinvoke GetCurrentThread* z) W; g8 h# F& V' \6 Q
invoke SetThreadPriority,eax,THREAD_PRIORITY_NORMAL
) w% ]$ R; [9 g6 I& v0 y
* t8 K9 ?* O! h+ }! \;invoke VirtualUnlock,Entry,seglen . e3 i" z1 O1 j3 k# o
+ z% z$ w: u3 U8 @7 g& a
call @f
* F' A9 k+ L0 m- O, k% Mdb "ZwClose",0
# v0 |0 G6 A. \- d0 X9 z@@:! J5 ^9 v3 L! Z9 S8 F
push NtdllMod) s C* c2 Q% y/ P+ x1 I/ [+ t% u) ~
call GetProcAddress
8 E% Y2 Y. c* q7 Q/ S* I8 epush hSection2 C) ]! \. w% r K! I
call eax! |6 V5 e) h$ i! T3 v: w
mov eax,TRUE2 V$ y# s3 S* a( r+ `6 g, g
ret9 d' H9 Z3 @ ?0 B6 u; T/ d8 G
ExecRing0Proc endp
' `# X; X- p: C, z0 R3 g. t
4 f' v7 e$ [, m" `9 emain:% O) T& D1 O {; j5 l0 ~2 x9 r4 z
assume fs:nothing
M/ {$ U; R" | |push offset MySEH* B+ ^ Q0 n3 D3 E- ^5 m
push fs:[0]: h, a; U! t8 N8 i% u! m h8 A& d! b
mov fs:[0],esp
2 a, d8 q/ R, O: [mov OldEsp,esp
% l1 v' y! s' J- m/ t( L% I& Amov ax,ds ;if Win9x? I- F0 `" }6 l$ d' `
test ax,4( ^6 g( n1 n; [& P) ]
jnz Exit1
5 t' R) z/ T8 {# v/ U5 W5 kinvoke ExecRing0Proc
! `; E5 Z6 E/ _" a& G' a/ \3 x6 ^. i# J ~ Q
.if stIDEINFO.wNumCyls
: A" D: Y6 v9 w2 p7 o" x$ Z! a# H5 o lea esi,stIDEINFO.sModelNumber
+ X, L P1 y3 w mov edi,offset szModelNumber
( P: p2 @8 g$ F1 v mov ecx,sizeof stIDEINFO.sModelNumber8 v. }; h2 ]! X5 s/ f$ C: c* [3 W
rep movsb
9 T) e7 r& h7 l3 s r
5 V! b& U0 h- O- I0 M: N& x lea esi,stIDEINFO.sSerialNumber$ t- M, ?$ x1 i: n5 t- ]0 Q
mov edi,offset szSerialNumber
5 R" I8 q8 H2 ^* _7 L mov ecx,sizeof stIDEINFO.sSerialNumber5 m! W! k: w. P1 T5 l8 \
rep movsb
" d0 w/ W' [) h+ n& G w) q2 k' @0 ?8 ~# n2 T3 m" F
lea esi,stIDEINFO.sFirmwareRev; p u& P! S+ h1 e: ?& e$ ?
mov edi,offset szFirmwareRev' E, }0 `( q6 v$ r# D" r, m' H, |: x
mov ecx,sizeof stIDEINFO.sFirmwareRev
- \, n$ O7 b9 f1 g) W rep movsb
, R W, r) m9 L9 I" I* Y- B% Y5 P7 z
movzx eax,stIDEINFO.wNumCyls
; |& a# N/ g" T8 S movzx ebx,stIDEINFO.wNumHeads
0 k( Z$ x5 u+ Z7 ~5 j movzx ecx,stIDEINFO.wSectorsPerTrack
) m l) }% p0 k) F9 L% G movzx edx,stIDEINFO.wBufferSize
- |3 \3 Z0 g( D. D+ l invoke wsprintf,addr szBuffer,addr szIDEInfo, eax,ebx,ecx,edx, addr szModelNumber, addr szSerialNumber, addr szFirmwareRev7 f4 z X/ k' F+ }0 y+ X# ~% }
mov eax,offset szBuffer
, y7 e2 a& P. n0 [6 l+ n$ d0 v.else! t0 r6 u9 y# s E* e& [ _
mov eax,offset szErrInfo
7 h& D. v" m. y' {.endif7 Y+ `# Y% j5 {8 i+ Y" E+ A
@@:( U- H [: m6 d0 @/ w
invoke MessageBox,NULL,eax,addr szTitle,MB_ICONINFORMATION or MB_OK
% e2 k( t" _; Q, QExit1:
# p3 b" t$ S* \0 g) p: zpop fs:[0]2 p- D! U! P4 _
add esp,4' m# O3 \( e; k0 I0 S% w6 i
invoke ExitProcess,0
9 K; P( {+ ?) H/ j* ^: h) R7 W# E( U/ S7 _% ^% f. I% ?
MySEH :4 l# b7 T8 t, v7 G% ~
mov esp,OldEsp
+ L$ R, e6 ]6 J; b5 r# L' b# q# i( Q! fpop fs:[0]
: d! u5 ], V$ {7 m9 o L, T, `add esp,41 m$ A1 [, ]/ k
invoke ExitProcess,-1
7 B* }5 r/ H+ T) P$ Q% H) H$ Zend main! w" H1 ]6 k; K: _: P: K) O
/ C9 @2 h; o% J2 A( X) O1 }
[此贴子已经被作者于2003-11-2 18:14:02编辑过]
8 a; U4 j! E7 W9 {6 j% r1 R |
|
/1 
IP卡
狗仔卡
发表于 2003-11-2 18:09:00
QQ好友和群
QQ空间
腾讯微博
腾讯朋友
收藏
分享
顶
踩
转发到微博
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
抢沙发
千斤顶
显身卡
发表于 2003-11-3 16:22:00
楼主