[转帖]2000/xp下读硬盘序列号[汇编]

游侠无极限

我可没这个水平 9 e0 e, f2 s/ e) I! B$ ]8 C.686p .model flat, stdcall / }! i/ Y% F; {option casemap :none ; case sensitive ; ######################################################################### / X l: h- k m3 u, a1 tinclude \masm32\include\windows.inc 1 P' }* q" ^' iinclude \masm32\include\user32.inc & b& e3 U% ?" l+ F# Tinclude \masm32\include\kernel32.inc 1 R# O* {6 V6 |" vinclude \masm32\include\advapi32.inc includelib \masm32\lib\user32.lib includelib \masm32\lib\kernel32.lib includelib \masm32\lib\advapi32.lib 0 [- [- {3 Z* w+ H8 y/ l9 I* C0 EDEBUG = TRUE 6 A- N8 U) E r H2 D6 P' C% {: JHMODULE typedef dword NTSTATUS typedef dword PACL typedef dword , C) T4 ^. E0 f0 K& M# ]# S" C1 pPSECURITY_DESCRIPTOR typedef dword OBJ_INHERIT=2 OBJ_PERMANENT=10h % G6 B C3 K9 h8 f* l0 e: j, KOBJ_EXCLUSIVE=20h OBJ_CASE_INSENSITIVE=40h " M6 d6 j" s3 w* R qOBJ_OPENIF=80h OBJ_OPENLINK =100h OBJ_KERNEL_HANDLE=200 OBJ_VALID_ATTRIBUTES=3F2h SE_KERNEL_OBJECT = 6 GRANT_ACCESS =1 NO_INHERITANCE =0 - t: y4 u0 Y3 c6 u5 q( fTRUSTEE_IS_NAME=1 0 L6 R! I" K; vTRUSTEE_IS_USER=1 STATUS_SUCCESS =0 STATUS_ACCESS_DENIED =0C0000022h STATUS_ACCESS_VIOLATION equ 0C0000005h STATUS_INFO_LENGTH_MISMATCH equ 0C0000004h SystemModuleInformation equ 11 4 O( _7 b+ Q) T( T' GPVOID TYPEDEF DWORD UNLONG TYPEDEF DWORD $ ^& u: X5 P1 ?5 r. QCHAR TYPEDEF BYTE UNICODE_STRING struct nLength word ? 9 d# C& b# ]. n+ T1 y; X MaximumLength word ? Buffer dword ? ; a8 q+ U$ i- j3 X9 _2 x" w9 |5 r0 aUNICODE_STRING ends 3 t4 n* t2 a b( Z5 @) \ ! F/ `, O2 g- G7 i, w2 A! TOBJECT_ATTRIBUTES struct 9 f* s" V# }5 Y6 |! A! c nLength dword ? V6 u2 G( r4 r) V. U$ K+ u RootDirectory HANDLE ? 6 S5 }7 Z3 G4 l/ g8 ^, U+ S% x, Z+ H ObjectName dword ?UNICODE_STRING 5 K( A0 K5 b& V! R Q Attributes dword ?; SecurityDescriptor dword ?; PVOID // Points to type SECURITY_DESCRIPTOR ' R$ i' k. f$ o! v+ H SecurityQualityOfService dword ?VOID // Points to type SECURITY_QUALITY_OF_SERVICE OBJECT_ATTRIBUTES ends ! o- {' C/ v8 j1 @6 j7 Y1 q : J I8 R/ M* b: }' s TRUSTEE struct ! U+ O0 B+ K6 r/ y- h5 ^ pMultipleTrustee dword ?TRUSTEE " g! }8 s9 S K, ?2 x MultipleTrusteeOperation dword ?; MULTIPLE_TRUSTEE_OPERATION TrusteeForm dword ?;TRUSTEE_FORM TrusteeType dword ?;TRUSTEE_TYPE / L! c! o8 p6 B5 D ptstrName dword ?;LPTSTR & m, _* @# ~4 g$ x1 Z6 b/ TTRUSTEE ends 8 ]2 M8 ^3 m Y# d 3 S% Z! n+ @$ HEXPLICIT_ACCESS struct & V1 ^1 a! ?$ l4 n9 b* w grfAccessPermissions DWORD ? grfAccessMode dword ? ;ACCESS_MODE ' |* r2 V9 E" h5 ^7 U4 e1 y grfInheritance DWORD ? ; 6 A- A& _% r* [3 c ]$ l0 q Trustee TRUSTEE <> ; 9 A. ]! U3 g9 y8 p# d+ G: sEXPLICIT_ACCESS ends 4 j q/ p$ u: Z' K0 ]: t MyGATE struct ;门结构类型定义 " w% W1 _0 \. {3 Q7 h OFFSETL WORD ? ;32位偏移的低16位 SELECTOR WORd ? ;选择子 DCOUNT BYTE ? ;双字计数字段 GTYPE BYTE ? ;类型 OFFSETH WORD ? ;32位偏移的高16位 MyGATE ends * Z9 l R+ z+ ?* d % ^) s A- N; J; tIDEINFO struct wGenConfig dw ? ( H/ Y9 r% }6 R rwNumCyls dw ?;拄面数 w: m4 E# d! S5 ^: v, W+ NwReserved dw ? , I7 e& E1 K& J0 k- Z5 }5 PwNumHeads dw ?;磁头数 ( P4 c: j4 e+ k7 v" i# gwBytesPerTrack dw ?;每道字节数 6 b6 O p! K! I/ y$ Q+ IwBytesPerSector dw ?;每扇区字节数 wSectorsPerTrack dw ?;每道山区数 wVendorUnique dw 3 dup (?) sSerialNumber db 20 dup (?);硬盘序列号 wBufferType dw ?; / Z& a9 w. f+ bwBufferSize dw ?; ;n * 512 wECCSize dw ? sFirmwareRev db 8 dup (?); $ L! ]% b4 E; Z2 H! l3 KsModelNumber db 40 dup (?) ) ^# B% Z3 u1 K$ bwMoreVendorUnique dw ? wDoubleWordIO dw ? 0 S+ V9 g/ W( ~wCapabilities dw ? " h2 Z1 V& n2 X' m% z9 awReserved1 dw ? wPIOTiming dw ?; wDMATiming dw ?; wBS dw ? wNumCurrentCyls dw ?; wNumCurrentHeads dw ?; ' C( A7 M; i8 N% t! hwNumCurrentSectorsPerTrack dw ?; dwCurrentSectorCapacity dd ?; wMultSectorStuff dw ?; 9 z9 K" g0 I, x5 N5 qdwTotalAddressableSectors dd ?; wSingleWordDMA dw ?; wMultiWordDMA dw ?; % @6 D: H, @4 P9 _+ [9 q0 }* HbReserved db 128 dup (?) 2 M5 W0 y/ K; w3 y( _. WIDEINFO ends 5 u( s+ l- l8 e+ `! K3 S' X! j# c# ^ : J6 G3 M/ R! y" P2 K- \SetPhyscialMemorySectionCanBeWrited proto :dword 7 J5 S1 D8 [ iMiniMmGetPhysicalAddress proto :dword . H2 ~* B- `6 \% X6 PENTERRING0 macro pushad pushfd ( x* c# G* J v& Pcli mov eax,cr0 ;get rid off readonly protect 1 |5 ^" |* p5 r) eand eax,0fffeffffh $ X# S8 }/ O: L0 D9 H/ ?* Hmov cr0,eax 1 c0 D6 d/ ]* m% s" Dendm LEAVERING0 macro mov eax,cr0 ;restore readonly protect or eax,10000h mov cr0,eax sti popfd , i, t: [4 q, J3 ppopad ) N: a+ f+ Y0 v1 i/ A/ R( \: tretf endm . [( H# Z( R# E( N, k % f! x9 Z* w E5 E$ N UNICODE_STR macro str ) X: P' m$ b+ X9 q R2 Birpc _c,<str> 2 P) N* I# _! b* Ddb '&_c' % N. z: t* x* i ?db 0 endm endm 2 t2 Z2 C5 h' u1 m% I .data? 9 N9 U+ n* M; i1 B$ ZGdtLimit dw ? GdtAddr dd ? ) ]7 _4 U4 s% p' l v% MmapAddr dd ? , V1 A) a5 }7 ]2 _OldEsp dd ? readed dw ? buffer db 512 dup(?) ShowText db 512*3 dup (?) , A, ~' T" b+ D5 g8 v5 W- z# J( U szBuffer db 1024 dup (?) 7 E+ ?8 N: M( AszModelNumber db 41 dup (?) + Y" e- B/ s' G& Z. `szSerialNumber db 21 dup (?) . y4 O. Q0 @5 V% VszFirmwareRev db 9 dup (?) stIDEINFO IDEINFO : a: i9 W7 u, h' X) v/ _ .data / ]" j% U7 |" U/ j% h$ ialign 4 objname dw objnamestr_size,objnamestr_size+2 objnameptr dd 0 ! e; K3 \9 }# Qobjnamestr equ this byte UNICODE_STR <\Device\PhysicalMemory> , O$ i8 l6 v! I2 y! Q, S, t7 Oobjnamestr_size equ $-objnamestr 0 i; T9 m: }, ]% r+ e ; c4 \ ?4 A# Z' O0 t8 j# D, v; z1 PszTitle db 'IDE 硬盘信息',0 szErrInfo db '无法读取硬盘信息',0 7 R; S- d0 ] w5 M; G" i& yszIDEInfo db '柱面数 : %d',0dh,0ah db '磁头数 : %d',0dh,0ah & m" M. K/ b2 C3 f* H- Q9 R db '每道扇区数 : %d',0dh,0ah db '缓冲大小 : %d 扇区',0dh,0ah db '硬盘型号 : %40s',0dh,0ah db '序列号 : %20s',0dh,0ah db '版本号 : %8s',0 % i$ N. `. p4 balign 4 ObjAttr db 24 dup (0) 2 Z$ }2 i; `. [' p& y6 n 7 w# F# Y" f5 B+ w+ O& p9 G4 mCallgt dq 0 ;call gate's selff 6 c: X* Y; R( c c: ACaption db 'Windows XP绝对磁盘读写',0 4 J0 S* b7 ~+ o- f: eDigit db '0123456789ABCDEF',0 - T( j, v9 E; [3 B+ q2 _.code _ShowBuffer proc ;显示所读出的信息 5 G& w. d3 L4 w ;把数据转换成16进制的形式 mov [readed],512 mov esi,offset buffer ;数据 mov edi,offset ShowText ;转换后的数据 mov ebx,offset Digit xor ecx,ecx * x0 }. Q9 W$ |- a xor eax,eax % z8 b9 |- b8 {4 i9 S7 scomputeAgain: ( Y( O S2 @" H# }8 e- ?; v cmp [readed],0 jz endCompute 0 h0 k6 q/ ^& b" ? dec [readed] % _- k$ J% i, x( N% p# c p lodsb : t$ J7 r) P( i, p* t push eax shr eax,4 ;高4位 xlatb 5 x9 {, v6 b2 b( }5 | stosb pop eax & ~# C$ e6 C `7 E and eax,0fH ;低4位 : X# j. k: L, b# }% O p) d xlatb stosb 9 u0 n7 b! H8 \ H5 _1 Q8 e [ mov byte ptr[edi],' ' ;空格 3 e! }. L6 h2 P; | inc edi inc ecx 4 u8 k V4 A& Y5 d6 l/ s cmp ecx,16 _3 G6 m( E- G8 |' P jnz computeAgain ( l' B2 Y- b3 f+ A# t0 w: \ xor ecx,ecx mov byte ptr[edi-1],13 ;回车 jmp computeAgain endCompute: ;显示 invoke MessageBoxA,NULL,offset ShowText,offset Caption,MB_OK ' l) t3 Y! R3 L3 F/ S" x& {6 d ret 5 t: ]) N, n: e, s9 k7 z. t_ShowBuffer endp SetPhyscialMemorySectionCanBeWrited proc uses ebx esi edi hSection:HANDLE local pDacl: PACL ) c0 s9 u# ~ J8 W4 w* Tlocal pNewDaclACL $ z4 J. z! \2 Mlocal pSD SECURITY_DESCRIPTOR 0 i0 P, |. E& X b4 K% U* T, }% Mlocal dwRes:DWORD ; local ea:EXPLICIT_ACCESS ; invoke GetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL, addr pDacl,NULL, addr pSD 1 M" a' h; j7 m' `# tcmp eax,ERROR_SUCCESS , q) a1 ]) |$ A# E$ s, hjz @f jmp OutSet . B4 F b+ r% ] n8 r3 ^@@: # u0 M1 R4 V+ J8 Wmov dwRes,eax ( L$ m3 O3 W$ `- j! jmov ea.grfAccessPermissions ,SECTION_MAP_WRITE;2 mov ea.grfAccessMode ,GRANT_ACCESS;1 mov ea.grfInheritance,NO_INHERITANCE;0 mov ea.Trustee.pMultipleTrustee,0 mov ea.Trustee.MultipleTrusteeOperation,0 mov ea.Trustee.TrusteeForm,TRUSTEE_IS_NAME;1 x) l, ?2 k, }2 Kmov ea.Trustee.TrusteeType,TRUSTEE_IS_USER;1 call @f db "CURRENT_USER",0 ( }, p* `8 R$ K@@: 4 G/ N. ~4 f0 V! U/ Q3 Ypop edx , s, H+ ?( ~3 L* ?) o h9 q Qmov ea.Trustee.ptstrName,edx invoke SetEntriesInAcl,1,addr ea,pDacl,addr pNewDacl cmp eax,ERROR_SUCCESS - k- E* H0 }5 u; E7 m& Ljz @f jmp OutSet * y" @& W2 [; u1 f* E+ C@@: invoke SetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL,pNewDacl,NULL OutSet: cmp pSD,0 5 H4 E) e# [+ e9 Z8 q2 |+ bjz @f 8 v# x5 ]* x# g C- F X# Hinvoke LocalFree,pSD @@: cmp pNewDacl,0 g8 \1 |1 U1 `7 Y% [jz @f invoke LocalFree,pNewDacl ! b4 y! o l7 K8 ]2 o; B3 o6 a@@: 1 }4 h, g, ]/ Nret SetPhyscialMemorySectionCanBeWrited endp - Y' H0 e; U% j! v/ Z8 P8 n2 jMiniMmGetPhysicalAddress proc virtualaddress:dword F% W/ }! e- ]; I. y. L0 p mov eax,virtualaddress cmp eax,80000000h jb @f cmp eax,0a0000000h jae @f and eax,1FFFF000h ' n: k2 [ P7 a2 j ret @@: 2 [: E0 t$ i/ O1 y mov eax,0 6 h% S: ~3 ~" [. V) h3 B q7 Z ret + d( N8 A% t. A6 v. WMiniMmGetPhysicalAddress endp 7 ]* j" j y3 J ExecRing0Proc proc local tmpSel:dword local setcg:dword local BaseAddress:dword local NtdllMod :dword 6 m0 e# m6 c/ n1 Nlocal hSection:HANDLE local status:NTSTATUS * _0 D( k: F* q' z0 i, Z+ k- olocal objectAttributes:OBJECT_ATTRIBUTES 4 P2 S7 K, J' r7 Plocal objName:UNICODE_STRING mov status,STATUS_SUCCESS; & T; \2 Y5 E$ M" `5 `sgdt GdtLimit invoke MiniMmGetPhysicalAddress,GdtAddr 7 o. m$ z3 Q' v9 Y% zmov mapAddr,eax 4 t7 d/ B ~7 N" ~3 ^, ztest eax,eax ! l8 \! p# ], J* Djz Exit1 call @f 8 R! g& T; Q6 P! Vdb "Ntdll.dll",0 2 O' ^" a- Y- B1 |. z7 {6 n: H@@: 0 S) t6 A" D, t& R; \call LoadLibraryA . ]) a% h! S( Bmov NtdllMod,eax lea edx,objnamestr % g! V. c1 ?! u$ K$ f8 x- Bmov objnameptr,edx lea edi,ObjAttr and di,0fffch ;align to 4 bytes,or ZwOpenSection will fail + e/ \7 R. D, x- r: r9 Hpush edi ;edi->ObjAttr + X; J) {' D. r; cpush 24 ;length of <\Device\PhysicalMemory> pop ecx push ecx xor eax,eax / `" F7 t7 ?8 qrep stosb ;put ObjAttr with 0 ( V% \. w( A" F0 J$ P, q z& X9 ypop ecx 2 Q: d% R3 z8 S) c; Qpop edi ! B8 |. T& K/ _4 G: C/ g, v6 Y6 Dmov esi,edi stosd mov dword ptr[esi],ecx + r/ I; t9 H( Z+ R; t+ n8 qstosd lea eax,[edx-8] ;eax->objname stosd ;ObjAddr(18h,00,00,00,00,00,00,00,offset objname,40,02,00,00,dd 2 dup(0) mov dword ptr [edi],240h 6 Z: {$ F6 R- @- w call @f 3 @+ p* H p) q( `db "ZwOpenSection",0 @@: push NtdllMod call GetProcAddress ! ~4 t! N7 }0 d) f0 Wmov ebx,eax ;ebx=ZwOpenSection ! a6 h! r0 ?% m push esi ;esi->ObjAttr push SECTION_MAP_READ or SECTION_MAP_WRITE lea edi,hSection push edi ;edi->hSection , p7 V+ R: p0 p8 J/ A( K2 P* w8 hcall eax ;ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr) + l! z1 q: x8 v2 r( Amov status,eax cmp status,STATUS_ACCESS_DENIED , H% [; n( F6 x. J( u* Tjnz AccessPermit mov eax,ebx . P! a i) i0 o9 h% U0 l9 G' r- ^ 4 H# ?6 V* o+ ]9 l: {. O; j8 D4 qpush esi push READ_CONTROL or WRITE_DAC push edi 0 L/ D1 s+ o. p' W/ ]( e, B0 Ucall eax ; T- \2 L# L& m- t. ^4 F; f" | / j% @5 _' V# E9 G7 y: tmov status,eax invoke SetPhyscialMemorySectionCanBeWrited,hSection 1 h) ~8 j5 N$ H5 H2 J 0 m' s1 P6 V6 |9 q6 e* T( ~. Ycall @f 1 d% S6 _# L, B& pdb "ZwClose",0 @@: 5 ~- L$ I0 y/ N9 Y. J2 E; S0 h4 ppush NtdllMod call GetProcAddress # {3 M, M' Z5 d0 C. o push hSection call eax ;zwClose hSection / c2 Q/ F/ C* F$ t9 i/ y' I mov eax,ebx push esi " e1 D! y; Z2 ~! Upush SECTION_MAP_READ or SECTION_MAP_WRITE lea edi,hSection push edi 2 J8 K1 U$ h" f+ h$ d9 d, ]6 Jcall eax 0 ^7 a, r- ~! q j3 Z% V* ~, Z6 _mov status ,eax ;status =ZwOpenSection(&hSection,SECTION_MAP_WRITE|SECTION_MAP_WRITE,&objectAttributes); AccessPermit: cmp status ,STATUS_SUCCESS jz @f 9 v2 f. C$ ^2 c6 N1 q& ?;printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status); ;return 0; mov eax,0 ret 0 s2 P7 E5 C3 E9 P% ]@@: ) E! F) @& c% nmovzx eax,word ptr[GdtLimit] inc eax invoke MapViewOfFile,hSection, FILE_MAP_READ or FILE_MAP_WRITE, 0, mapAddr, eax * C1 E( x* Z1 `( s+ |7 q! Gmov BaseAddress,eax cmp BaseAddress,0 jnz @f 7 G/ }% w/ ]9 r3 W, Q1 ];printf("Error MapViewOffile:"); rintWin32Error(GetLastError()); return 0; 2 d% J( B1 k- p. c7 Pmov eax,0 ret @@: 5 m+ r; g3 m3 r4 p; |mov esi,eax ;esi->gdt base mov ecx,3e0h mov eax,GdtAddr z, f, l1 m- }6 v.if dword ptr [esi+ecx+2]!=0ec0003e8h , \) b8 j4 }" y2 r2 h) Y7 w; S6 emov byte ptr [esi],0c3h mov word ptr [esi+ecx],ax shr eax,16 % h7 X+ o, E, {, Z3 amov word ptr [esi+ecx+6],ax * }; a# V9 q( G8 S' R6 L; gmov dword ptr [esi+ecx+2],0ec0003e8h mov dword ptr [esi+ecx+8],0000ffffh 4 b$ g/ U6 u9 _* n/ ^2 Dmov dword ptr [esi+ecx+12],00cf9a00h 6 k9 g/ Z" j/ O0 k/ [.endif % t- v% I0 F" t5 fmov setcg,TRUE cmp setcg,0 jnz ChangeOK call @f db "ZwClose",0 @@: push NtdllMod call GetProcAddress push hSection 0 {+ `! z! e! M6 E; y( q; j$ ccall eax " L* u* m, S4 g) y0 Y5 Hxor eax,eax . h6 H1 e! L- B2 R! Z: i& Nret - o( C) }4 Q# C o0 ZChangeOK: 5 g6 N; P4 Q# c3 P w5 @! C# a, qand dword ptr Callgt,0 xor eax,eax mov ax,3e0h or al,3h ; o5 [( T0 a1 j$ L% J" ?% R! [mov word ptr [Callgt+4],ax 3 m% G& p0 w4 J4 D;farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate; 6 t. |2 _* w" m3 l8 F3 E, ^5 llea eax,_Ring0Proc * O8 S0 {& B" y: @; ^;invoke VirtualLock,eax,seglen 8 |, \: {) C- G1 F' Jtest eax,eax & \8 ]3 { Y0 Vjnz @f * h# y) n% R6 ?+ u) C1 e" Yxor eax,eax ret ) x( b1 h0 X0 k1 M@@: invoke GetCurrentThread invoke SetThreadPriority,eax,THREAD_PRIORITY_TIME_CRITICAL $ t1 a+ S* t- I% n* @3 P2 ^2 finvoke Sleep,0 call fword ptr [Callgt] ;use callgate to Ring0! ;_asm call fword ptr [farcall] ) X/ b$ [2 y: z_Ring0Proc: ; Ring0 code here.. mov eax,esp ;save ring0 esp mov esp,[esp+4];->ring3 esp - B; E, R! u, |* p' `3 P! Q8 Mpush eax ! B: W0 u; x9 T& F9 | mov ebx,offset stIDEINFO assume ebx:ptr IDEINFO * r$ t+ r% z4 ^% v# Y4 ^6 b6 O2 H6 m, l;******************************************************************** ; 等待硬盘就绪 0 R6 v( G4 |* o9 s3 t& E;******************************************************************** mov ecx,10000h % h. s# x. G- f2 s mov dx,01f7h @@: # z, l0 x& r( ]* H in al,dx 9 g: ^7 z7 e9 c) S cmp al,50h jz @F ( y8 J' t: p! Q8 X% ` loop @B 1 A _' F! B: b& h5 F2 i jmp _II_TimeOut 1 m; T$ y8 w0 i; u, F$ T. h @@: ;******************************************************************** ! x) L* D1 _2 _; 发送命令 & B8 J5 G8 e( _4 r; h; 如果向主控制发送命令，则端口为 1f0h-1f7h ; 如果向副控制发送命令，则端口为 170h-177h ; 1f6h 如果要检测的设备为该IDE接口的主（MASTER）设备， 1 B3 A. V3 p. D$ `! R; 那么发送 a0，如果为从那么发送 b0 ; 1f7h 如果要检测的设备为 ATA 设备那么发送 ec ; 如果为 ATAPI 设备那么发送 a1 ;******************************************************************** 9 D- m* q# J% {. G mov al,0a0h ;Drive 0,Head 0 ' [- z( n8 Q3 P6 I) h; j2 Q mov dx,01f6h ;Drive and head port out dx,al mov al,0ech inc dx ;Command port out dx,al ;******************************************************************** ; 等待硬盘就绪 ;******************************************************************** ' [5 J) `1 o" ], X" n ^ mov ecx,10000h + c) y% n* y9 |5 e4 W @@: 8 q1 B g/ O9 m6 r) I" s- o in al,dx;1f7 (r-status register) cmp al,58h;(driver is ready ,and seek complete) 4 S* @8 O X. Y& i3 ` jz @F 8 ~' @+ X6 E0 ~; Z loop @B 6 b! X/ h o. \- @* Q; `4 j5 n jmp _II_TimeOut @@: ;******************************************************************** 4 l1 H: C) y1 ~- Y; 将返回信息读回 2 z2 F/ m" b- l; 注意一定要读满 100h 个字长 ;******************************************************************** 0 c5 O0 g c+ g$ I& C cld mov edx,01f0h;data port - data comes in and out here ) k! L* u5 v z/ E2 B8 g# v mov edi,ebx mov ecx,0100h rep insw ;******************************************************************** $ |- O/ n H+ z6 r; 返回的信息中，型号、序列号、版本号为字形式 ; 需要整理到字符串的形式 " H3 ]4 G; a% y8 m- u3 {;******************************************************************** lea esi,[ebx].sSerialNumber 4 b; H! G9 j3 ?; Z1 G% X1 ~# Y mov edi,esi mov ecx,10 @@: - b% w+ s5 O( t lodsw xchg ah,al . v" s9 T! h/ L9 z% e stosw loop @B + T8 v5 L3 @. u9 N" n lea esi,[ebx].sFirmwareRev mov edi,esi mov ecx,24 / m- }4 j; x, g* F @@: lodsw / X7 [5 a- a) M/ `* x/ N* D: c Q' J xchg ah,al + [* D; u* E9 i" X4 n: \ stosw - N' J6 Z/ Y( d loop @B _II_TimeOut: ) B, A" }3 L) }+ sassume ebx:nothing pop esp ;restore ring0 esp + l# O$ W# h8 [; I" `8 G$ Mpush offset Ring3 ! a- C" j* p; U" `' h' u* J5 eretf Ring0CodeLen=$-_Ring0Proc Ring3: , @" _: L: R0 f7 Uinvoke GetCurrentThread invoke SetThreadPriority,eax,THREAD_PRIORITY_NORMAL % J4 p. F3 y* G, `2 P" k;invoke VirtualUnlock,Entry,seglen call @f db "ZwClose",0 @@: ' e2 r9 V0 q/ e& r0 w6 {" j% l( Npush NtdllMod # n% b1 i: Y* a) dcall GetProcAddress push hSection : j* \/ S4 K" r- n0 ^. ucall eax mov eax,TRUE ret ExecRing0Proc endp ; K" D1 _/ x6 {$ [8 x" |) L) Z) } 9 v' W3 C9 U0 smain: " f7 a6 N& Z& R7 ~/ {& Passume fs:nothing push offset MySEH push fs:[0] mov fs:[0],esp / H* N9 i5 O& S, k+ v/ Cmov OldEsp,esp mov ax,ds ;if Win9x? ; j# q* D3 t3 L* x: K. `test ax,4 9 w6 S. X; N& y7 p1 ]jnz Exit1 4 e) F# U! d3 {4 S( N3 A6 einvoke ExecRing0Proc : ]# ^% ?$ W; Q7 X7 D# N! y9 u.if stIDEINFO.wNumCyls ; e% [6 m( B- K/ l% `. g- W- l lea esi,stIDEINFO.sModelNumber ( \% j0 C+ f, v3 [+ \ mov edi,offset szModelNumber mov ecx,sizeof stIDEINFO.sModelNumber / d. p' U9 N3 Y- c rep movsb lea esi,stIDEINFO.sSerialNumber 2 Z5 m G& w' d9 c$ H mov edi,offset szSerialNumber mov ecx,sizeof stIDEINFO.sSerialNumber - h& @' [8 |1 G) L; x3 j7 i# I% E rep movsb lea esi,stIDEINFO.sFirmwareRev 1 U8 k9 A' L3 F7 s mov edi,offset szFirmwareRev mov ecx,sizeof stIDEINFO.sFirmwareRev ; X' D, ^2 m% { rep movsb ' I( z; ?* \5 c7 J! o * d. Z. u, H, @3 j; b+ C movzx eax,stIDEINFO.wNumCyls " D+ B+ U o5 n/ ?2 g movzx ebx,stIDEINFO.wNumHeads + t9 P3 C- I5 I; S movzx ecx,stIDEINFO.wSectorsPerTrack - ^8 _5 H( b9 |1 n1 \ movzx edx,stIDEINFO.wBufferSize invoke wsprintf,addr szBuffer,addr szIDEInfo, eax,ebx,ecx,edx, addr szModelNumber, addr szSerialNumber, addr szFirmwareRev mov eax,offset szBuffer .else mov eax,offset szErrInfo .endif ' Y7 I2 b H" N% D5 M6 Z@@: 0 H L0 l+ W7 L4 A2 h6 U8 dinvoke MessageBox,NULL,eax,addr szTitle,MB_ICONINFORMATION or MB_OK 7 W7 |5 _& G) d' B5 BExit1: pop fs:[0] add esp,4 invoke ExitProcess,0 - a, I+ ~' S- Y* D MySEH : " Y6 F+ E* J" w8 s* zmov esp,OldEsp ! ]) R% F# x/ F& Q& E- lpop fs:[0] 4 p, K# }3 O$ Z( ^: v, Radd esp,4 invoke ExitProcess,-1 end main

[此贴子已经被作者于2003-11-2 18:14:02编辑过]

看到过的。

游侠无极限

很久以前?
不是吧,这个是 轻描淡写 编程论坛的斑竹写的

很久以前的一段代码

唐明

要能有台机器试一下多好，学汇编还从没想过去ring0，也感觉没哪个必要。
- d" S. `# o& ~, D$ v现在闲着真相试试。这片文章我在家保存了有快一年了。不用感觉可惜了。一直停着不用，我都快忘了那些曾经那些依稀的记忆了。水能给我一台电脑，我力马高喊：有你这么富的吗？

firelinux

win32位汇编，真的很不错，业余的时间，全都投进去了

呵呵，ExecRing0Proc 这段程序甚妙，先得到gdt，然后构造一个调用门call gate's ,使程序从用户模式(ring 3)进入内核模式(ring 0)。进入内核模式之后，就可以没有限制地对系统干任何勾当。这段程序确实为高手所为，在下佩服得紧。
7 X" J% |: f0 O$ W3 o+ N至于读硬盘序列号之类，只不过是在内核模式下的一个I/O应用罢了。
其实在NT/2000下读取硬盘序列号只要打开\\.\PhysicalDriveX(X:设备号0~26）设备，然后用DeviceIoControl()就可以读取了，不需要绕ring0这么一个大圈子
! D2 Z0 C: f: M: e. w
这个程序也可以C语言实现，不过中间必须嵌入几条汇编的指令，如sgdt GdtLimit
, }( |, q- |2 M9 Q但还是用c来写更方便，例如：
3 h& [3 D. g% N0 f3 gcall @f
7 }9 P. t' o  X3 x. U6 n2 s" j7 sdb "ZwOpenSection",0
@@:
2 T7 s3 z3 H& _; s) Hpush NtdllMod
call GetProcAddress
mov ebx,eax ;ebx=ZwOpenSection
push esi ;esi->ObjAttr
push SECTION_MAP_READ or SECTION_MAP_WRITE
lea edi,hSection
. g0 P2 [' K! c, Y5 Apush edi ;edi->hSection
8 o7 r5 K; _* r# \4 k5 jcall eax ;
: N; u" U6 V, Q, G  s. X
用c的话只要一句就可以了
ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr)；
因此懂汇编，然后用C/C++编程，是成为高手的捷径

7 u; j9 m2 Z* R- T, }2 f

[此贴子已经被作者于2003-11-3 16:46:50编辑过]