[转帖]2000/xp下读硬盘序列号[汇编]

游侠无极限

我可没这个水平 7 Y* i1 b9 D/ r3 k3 s5 f% k.686p .model flat, stdcall option casemap :none ; case sensitive ; ######################################################################### : B0 ^3 Q: H5 X, R& m8 Finclude \masm32\include\windows.inc 5 I4 g) ~) p9 u4 D" V1 D9 H; winclude \masm32\include\user32.inc include \masm32\include\kernel32.inc include \masm32\include\advapi32.inc 9 O, @7 V; l! o+ C: ~: Wincludelib \masm32\lib\user32.lib includelib \masm32\lib\kernel32.lib / E6 l: N9 e/ f' Z3 Hincludelib \masm32\lib\advapi32.lib 2 X8 W1 h8 K5 `2 {DEBUG = TRUE 3 D! S+ r; c5 \! H % t) M8 `$ Q7 [9 THMODULE typedef dword NTSTATUS typedef dword $ a* P; W* a' q: u) HPACL typedef dword / z/ ^4 a0 e; @% d$ UPSECURITY_DESCRIPTOR typedef dword ( | C& d( I8 `, r3 U- D% y; ROBJ_INHERIT=2 OBJ_PERMANENT=10h , z# n. q/ t8 R, O1 XOBJ_EXCLUSIVE=20h 1 t; U1 e4 r& s- Y8 D4 UOBJ_CASE_INSENSITIVE=40h 1 o" |& Z1 I4 p7 sOBJ_OPENIF=80h 1 S8 ]4 c$ z8 F7 H C5 L( G. T5 HOBJ_OPENLINK =100h OBJ_KERNEL_HANDLE=200 ( [* k" S0 {* Q; COBJ_VALID_ATTRIBUTES=3F2h 6 g/ V9 t6 R4 |; o$ u' { SE_KERNEL_OBJECT = 6 GRANT_ACCESS =1 ( y0 e3 N( k+ {9 A( V X& ^NO_INHERITANCE =0 TRUSTEE_IS_NAME=1 TRUSTEE_IS_USER=1 STATUS_SUCCESS =0 STATUS_ACCESS_DENIED =0C0000022h ! i [9 C/ q9 v1 N* v STATUS_ACCESS_VIOLATION equ 0C0000005h . A w! G2 ]4 f" d; y3 y: A; [STATUS_INFO_LENGTH_MISMATCH equ 0C0000004h SystemModuleInformation equ 11 / x9 o9 b' q4 @' ]PVOID TYPEDEF DWORD UNLONG TYPEDEF DWORD 4 i% F+ P# @2 D$ S" e% wCHAR TYPEDEF BYTE , L6 m' C7 V8 Q2 ]) | ) X& z( `! t' Q9 {UNICODE_STRING struct ! R& C1 m; S8 D( ] nLength word ? 3 j5 q, A1 {; H MaximumLength word ? Buffer dword ? UNICODE_STRING ends " ?4 \0 Z+ `9 ~ 8 c: Q0 l+ p! ~6 ~OBJECT_ATTRIBUTES struct nLength dword ? ) ?" w2 w9 O8 i7 ^1 x3 [ RootDirectory HANDLE ? 4 `, `3 h2 h9 y ObjectName dword ?UNICODE_STRING 5 }8 \. S7 R2 Q& y' @+ P9 G Attributes dword ?; , y9 A" A) Q3 U/ R8 j" v SecurityDescriptor dword ?; PVOID // Points to type SECURITY_DESCRIPTOR 1 Q0 n1 U( \$ s% `5 H! c SecurityQualityOfService dword ?VOID // Points to type SECURITY_QUALITY_OF_SERVICE ; k6 _0 i: d% U: fOBJECT_ATTRIBUTES ends / A' I: ~. X1 A& B+ h 7 H. v, g0 O; QTRUSTEE struct % x- b+ |: K/ }8 M. b9 i, r6 s pMultipleTrustee dword ?TRUSTEE " @' j$ Y. U; q$ e* A3 g MultipleTrusteeOperation dword ?; MULTIPLE_TRUSTEE_OPERATION TrusteeForm dword ?;TRUSTEE_FORM 6 e+ ~- @0 p6 A+ D TrusteeType dword ?;TRUSTEE_TYPE 9 s7 M2 L0 ?% v ptstrName dword ?;LPTSTR TRUSTEE ends ( _4 @! @ b7 Y. H: m EXPLICIT_ACCESS struct grfAccessPermissions DWORD ? # k7 d: [* j! O# F grfAccessMode dword ? ;ACCESS_MODE M1 j, K0 @+ v$ J8 U: c- n grfInheritance DWORD ? ; Trustee TRUSTEE <> ; % [7 |: R' W) Y( O2 G) WEXPLICIT_ACCESS ends 4 q, W1 q3 u' D; H7 X) mMyGATE struct ;门结构类型定义 OFFSETL WORD ? ;32位偏移的低16位 SELECTOR WORd ? ;选择子 DCOUNT BYTE ? ;双字计数字段 GTYPE BYTE ? ;类型 $ q0 @* |' C+ a9 I OFFSETH WORD ? ;32位偏移的高16位 ! z t! G1 s* C5 x/ y$ w+ CMyGATE ends , I7 q0 b0 s- A s, ?; J: {- L ; n& b- B( H: {# T3 T. \IDEINFO struct wGenConfig dw ? 9 [% i/ Q% \0 R9 i0 OwNumCyls dw ?;拄面数 wReserved dw ? wNumHeads dw ?;磁头数 wBytesPerTrack dw ?;每道字节数 wBytesPerSector dw ?;每扇区字节数 $ C" E( e3 h9 D2 ~wSectorsPerTrack dw ?;每道山区数 wVendorUnique dw 3 dup (?) d0 A5 \/ A0 I3 p. e+ xsSerialNumber db 20 dup (?);硬盘序列号 wBufferType dw ?; $ } [$ x8 V6 Q, ] n1 z4 B- }wBufferSize dw ?; ;n * 512 # `! A& D3 S0 nwECCSize dw ? 8 e) N( c# h6 s& x" D9 JsFirmwareRev db 8 dup (?); sModelNumber db 40 dup (?) 0 Z9 s7 g1 D2 ^% q% u& h7 }wMoreVendorUnique dw ? ) E' X2 k) F) q: b8 L8 ewDoubleWordIO dw ? - {2 b: P8 J/ x2 TwCapabilities dw ? wReserved1 dw ? wPIOTiming dw ?; : n2 |: R) }$ L; |" UwDMATiming dw ?; wBS dw ? - U8 [; }, A/ I. E) E$ cwNumCurrentCyls dw ?; wNumCurrentHeads dw ?; ) \, Z7 c3 A' [4 X) _( C( Z+ ~6 b; GwNumCurrentSectorsPerTrack dw ?; . K" ?# e7 T2 [1 ~- MdwCurrentSectorCapacity dd ?; wMultSectorStuff dw ?; dwTotalAddressableSectors dd ?; wSingleWordDMA dw ?; 7 e7 ]: F% y/ ewMultiWordDMA dw ?; 7 Y: l& M4 i7 x6 k# e( ebReserved db 128 dup (?) IDEINFO ends + p# m; i3 T+ H* p- J8 R SetPhyscialMemorySectionCanBeWrited proto :dword MiniMmGetPhysicalAddress proto :dword ) a+ }: `9 e4 |ENTERRING0 macro pushad pushfd 6 q f9 J2 V9 Z+ b4 pcli % t/ n( s' V! a" m4 K1 @ Pmov eax,cr0 ;get rid off readonly protect ; ]" K# b4 ^ p# s+ D: dand eax,0fffeffffh mov cr0,eax * Z, i5 g8 s: |6 eendm ! E1 k1 x$ @/ {; P5 Q) A9 Z LEAVERING0 macro mov eax,cr0 ;restore readonly protect 3 S1 s0 C+ ?. c& I( n7 U5 h2 n ^or eax,10000h mov cr0,eax sti ; [+ D: U+ y) N, n+ cpopfd popad " c. Z1 c" ?# @! z0 fretf endm 7 p7 Y5 Z( k( w + ^# g* K' C3 D- D* F# K # X. Z' i- ~$ x- y# \/ pUNICODE_STR macro str ; f4 d; v8 a. j7 n7 ]8 r3 ]0 rirpc _c,<str> 5 t7 H0 v1 O; O5 K- l; j- v+ I3 [db '&_c' db 0 endm : g9 f- d, N+ V- G* U) s+ B4 lendm .data? : Z; q t8 }2 XGdtLimit dw ? GdtAddr dd ? mapAddr dd ? ; h) N- Y5 ^8 H6 @9 O& ~' [OldEsp dd ? 9 k; L. T( `; H" Z/ t& F. X readed dw ? , ?" c" ?8 n, K9 Sbuffer db 512 dup(?) ShowText db 512*3 dup (?) ! I9 E5 k; C. g; Q0 ]szBuffer db 1024 dup (?) szModelNumber db 41 dup (?) # ?; x& { U" O# m) [* |) {szSerialNumber db 21 dup (?) + e) d* R* V3 H# ~( Z; wszFirmwareRev db 9 dup (?) stIDEINFO IDEINFO 6 @/ R4 e1 o3 \) t8 z9 o.data 2 c" Y2 u# p# |+ \& N% palign 4 objname dw objnamestr_size,objnamestr_size+2 objnameptr dd 0 objnamestr equ this byte UNICODE_STR <\Device\PhysicalMemory> ; R* g* t* s, |$ jobjnamestr_size equ $-objnamestr ) V- b6 g7 b; x* M+ [& l szTitle db 'IDE 硬盘信息',0 + B7 A, N0 v4 ^* c; QszErrInfo db '无法读取硬盘信息',0 szIDEInfo db '柱面数 : %d',0dh,0ah db '磁头数 : %d',0dh,0ah db '每道扇区数 : %d',0dh,0ah ' @9 n- W( L; D) l$ K db '缓冲大小 : %d 扇区',0dh,0ah db '硬盘型号 : %40s',0dh,0ah 8 E+ s; Q4 y8 l4 Y1 u" I/ v db '序列号 : %20s',0dh,0ah ( w/ b- ^: T. D db '版本号 : %8s',0 ' Y, ^8 x9 c; E. Aalign 4 8 R' E$ T; \. g. C+ JObjAttr db 24 dup (0) & k4 o6 Y! N* l4 A/ u 5 F2 Y+ ~! R: u) S+ C/ ZCallgt dq 0 ;call gate's selff w8 F& ^' X( ~' ICaption db 'Windows XP绝对磁盘读写',0 Digit db '0123456789ABCDEF',0 .code 9 b3 `7 g% B9 R8 S# \$ u_ShowBuffer proc ;显示所读出的信息 ;把数据转换成16进制的形式 * H* J- t8 N4 D7 G8 s! I8 ^, ~ mov [readed],512 7 _' A4 @$ H( H4 g mov esi,offset buffer ;数据 3 a6 q& D# @0 o mov edi,offset ShowText ;转换后的数据 mov ebx,offset Digit xor ecx,ecx / t5 \+ T+ R. }2 y$ |4 J/ ~ xor eax,eax % m4 r* q2 k- u0 m4 l- H& YcomputeAgain: ; E8 O# l4 {8 {+ v' J, Z% F cmp [readed],0 jz endCompute 9 L7 b" o/ I; e0 T dec [readed] lodsb - F/ l& h% `( o- Z7 I push eax shr eax,4 ;高4位 xlatb stosb pop eax ' Q9 [5 m& N) Q+ J and eax,0fH ;低4位 6 ?5 q! O. C u: U+ N5 }1 ~- d3 I xlatb stosb ' k( A% D% j0 J1 I4 C. s, h mov byte ptr[edi],' ' ;空格 ) a! Q$ G% _" k inc edi 3 o6 ^+ t' c2 N inc ecx cmp ecx,16 jnz computeAgain ( a4 n9 d' w, Y' Z8 D o/ `( R0 A xor ecx,ecx 7 p. f4 ^) g. k mov byte ptr[edi-1],13 ;回车 . h) `) ]& ?; E+ T! U, C6 b0 k jmp computeAgain $ r' n" w) U& p( b- \endCompute: : I. N- p# u6 M! O+ T2 @% M8 x# W ;显示 ! }# ?/ P' A* v6 U invoke MessageBoxA,NULL,offset ShowText,offset Caption,MB_OK ret _ShowBuffer endp SetPhyscialMemorySectionCanBeWrited proc uses ebx esi edi hSection:HANDLE local pDacl: PACL local pNewDaclACL 4 I* U- V) u. S% S! T; k5 P$ Zlocal pSD SECURITY_DESCRIPTOR local dwRes:DWORD ; local ea:EXPLICIT_ACCESS ; $ W' `2 A8 a* W6 s" v* Z' ninvoke GetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL, addr pDacl,NULL, addr pSD cmp eax,ERROR_SUCCESS jz @f + K" P" Y @8 G' Sjmp OutSet + O; S4 N" n [3 @. F@@: 6 y' w' v9 C# M. @mov dwRes,eax mov ea.grfAccessPermissions ,SECTION_MAP_WRITE;2 9 x' Z, R. V( _& u, Y' s* lmov ea.grfAccessMode ,GRANT_ACCESS;1 s. Y2 Q+ t% G o4 @1 }. J# hmov ea.grfInheritance,NO_INHERITANCE;0 mov ea.Trustee.pMultipleTrustee,0 mov ea.Trustee.MultipleTrusteeOperation,0 3 p9 q* N% |% w4 b0 Emov ea.Trustee.TrusteeForm,TRUSTEE_IS_NAME;1 mov ea.Trustee.TrusteeType,TRUSTEE_IS_USER;1 call @f 8 d& ?/ N( J6 u5 |7 F# Idb "CURRENT_USER",0 @@: pop edx mov ea.Trustee.ptstrName,edx * X q8 h: n# r! U: R; cinvoke SetEntriesInAcl,1,addr ea,pDacl,addr pNewDacl cmp eax,ERROR_SUCCESS ( _" \% x6 A0 ]4 V; N% cjz @f * B6 r7 w0 v2 k2 u: n( d8 Y) ?! F' b, @jmp OutSet @@: invoke SetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL,pNewDacl,NULL - M s( V" z$ I; ?2 ]. WOutSet: 8 a1 I2 s' ?3 T ^* qcmp pSD,0 jz @f invoke LocalFree,pSD 1 q! b9 y1 \2 u/ w@@: cmp pNewDacl,0 jz @f invoke LocalFree,pNewDacl @@: ret SetPhyscialMemorySectionCanBeWrited endp 4 S1 x @6 x; T5 A8 @ MiniMmGetPhysicalAddress proc virtualaddress:dword mov eax,virtualaddress 6 {9 T0 e& ]0 i cmp eax,80000000h / y+ f0 f' I# b( L5 d jb @f ' u3 O$ {: N, ] b+ ?7 K3 y" a6 g cmp eax,0a0000000h # F8 W/ J9 g+ N3 t' B: \ jae @f and eax,1FFFF000h $ F7 p. ?; Z3 D4 u- r! S ret @@: 4 @# ~+ _- \! z. E- ^& K mov eax,0 0 Z. [, E6 L7 y" ~. t/ T ret 2 w4 c, w# }" }# `/ c5 xMiniMmGetPhysicalAddress endp & U6 v: k4 v2 a- b) cExecRing0Proc proc 8 N$ }2 S: @% Z# I: Clocal tmpSel:dword [; _6 [2 a; _" Q% c0 P9 Glocal setcg:dword 0 n$ N" E6 B9 x/ Elocal BaseAddress:dword local NtdllMod :dword 2 @! |5 O* n- Q3 R% Ilocal hSection:HANDLE local status:NTSTATUS local objectAttributes:OBJECT_ATTRIBUTES ! r8 T; Z% g0 G1 y/ Dlocal objName:UNICODE_STRING mov status,STATUS_SUCCESS; : \. {" L4 E& S7 L& Hsgdt GdtLimit U* B+ F2 R( q; linvoke MiniMmGetPhysicalAddress,GdtAddr 5 m1 F2 p' P J2 a/ Rmov mapAddr,eax 4 o* O2 U) F& D/ r& K! q5 rtest eax,eax jz Exit1 call @f * f' \+ _0 } E$ \% M( E# K* G0 e! ldb "Ntdll.dll",0 @@: call LoadLibraryA mov NtdllMod,eax $ ?' r2 W' [+ ^6 m! c# Z lea edx,objnamestr * T6 E" }+ A" y! b4 e) lmov objnameptr,edx lea edi,ObjAttr % d; R( S# x' B; Xand di,0fffch ;align to 4 bytes,or ZwOpenSection will fail & M1 r0 U; s/ s% x7 u: Dpush edi ;edi->ObjAttr push 24 ;length of <\Device\PhysicalMemory> pop ecx push ecx 9 a0 `% p, ~ a& U; A7 bxor eax,eax rep stosb ;put ObjAttr with 0 7 m+ t1 D3 _$ j( u) opop ecx pop edi mov esi,edi stosd % y I6 T; m/ }9 i% Bmov dword ptr[esi],ecx $ P! F u' ~5 @8 ^* \) [stosd 2 @1 G0 c8 S% k0 O# ?7 Llea eax,[edx-8] ;eax->objname stosd ;ObjAddr(18h,00,00,00,00,00,00,00,offset objname,40,02,00,00,dd 2 dup(0) & I( F( w" v) O% d# Hmov dword ptr [edi],240h 5 Q+ N8 y8 b7 D0 U) u + ^/ X, f, P+ A! D9 wcall @f - S% V5 X$ W' j& {$ T: ndb "ZwOpenSection",0 r# K) H0 D* y6 W$ l@@: 0 C, x- j) L: z* Y" z; @" {. m; A2 ?push NtdllMod - Q6 l. Q! r7 W7 s; A2 G( Z, zcall GetProcAddress 2 }9 a# T2 f+ _% ?2 Gmov ebx,eax ;ebx=ZwOpenSection ( @4 k9 f+ Z: b7 a 7 z0 l& b' |- T/ bpush esi ;esi->ObjAttr push SECTION_MAP_READ or SECTION_MAP_WRITE lea edi,hSection push edi ;edi->hSection call eax ;ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr) K7 K9 T, f* c2 q mov status,eax $ L2 G- t! `( j5 j" Q C! bcmp status,STATUS_ACCESS_DENIED 4 A. ~; w! o1 Ajnz AccessPermit & U5 C" l" r* C5 s" imov eax,ebx push esi 7 i9 z3 g! h' hpush READ_CONTROL or WRITE_DAC push edi call eax " {) A( \/ Y; _7 o2 d8 f: jmov status,eax invoke SetPhyscialMemorySectionCanBeWrited,hSection call @f db "ZwClose",0 @@: : a) H" G+ }* ~" B. mpush NtdllMod call GetProcAddress % h( k! J8 F; u* Y push hSection ; y9 y3 j* T! G7 ^call eax ;zwClose hSection 1 ?9 i0 n% d; I" ^- ? : p `3 ~" j2 C8 N4 ]7 m4 tmov eax,ebx push esi 6 Z) s2 f7 ~- N; x/ @9 f5 }push SECTION_MAP_READ or SECTION_MAP_WRITE . h& `" ~' f4 O& L* t, ulea edi,hSection / U! N$ V9 {8 ]) }! l8 e$ }push edi call eax mov status ,eax ;status =ZwOpenSection(&hSection,SECTION_MAP_WRITE|SECTION_MAP_WRITE,&objectAttributes); AccessPermit: cmp status ,STATUS_SUCCESS jz @f ) h4 Q2 u7 J5 D+ w0 L c, t;printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status); ;return 0; / b0 C! j- g% g7 k# lmov eax,0 ret - I6 s& |( R W; m9 y' F@@: " t# F; ]/ O, {movzx eax,word ptr[GdtLimit] inc eax invoke MapViewOfFile,hSection, FILE_MAP_READ or FILE_MAP_WRITE, 0, mapAddr, eax . d j( i0 P# s. C9 f Tmov BaseAddress,eax 8 c: U/ ]2 x; M5 ~% K% ocmp BaseAddress,0 jnz @f ;printf("Error MapViewOffile:"); 6 J9 d" P/ N) X/ u5 L+ Y! XrintWin32Error(GetLastError()); return 0; & p0 o. `( C3 x( ?( Mmov eax,0 ret @@: 4 U; _3 a6 I) e* t) Z- ]+ Z# ~mov esi,eax ;esi->gdt base mov ecx,3e0h mov eax,GdtAddr ( V( @: c- Z4 j6 k% m.if dword ptr [esi+ecx+2]!=0ec0003e8h mov byte ptr [esi],0c3h 7 a z" B7 R m, L+ X 7 k& J2 P" R" W$ ]" Emov word ptr [esi+ecx],ax shr eax,16 / T8 F4 n- e) Y; t1 Z+ F; Xmov word ptr [esi+ecx+6],ax mov dword ptr [esi+ecx+2],0ec0003e8h 5 \# U- _" D; D8 smov dword ptr [esi+ecx+8],0000ffffh ; N, D5 I2 I ^- Cmov dword ptr [esi+ecx+12],00cf9a00h .endif / H- G4 U8 I% c+ B: C8 H 2 @$ P) m3 {( e0 omov setcg,TRUE 7 Z7 S$ M5 ?& @3 l O* @- rcmp setcg,0 + ~/ z i9 |# yjnz ChangeOK ) {: Z) |1 E" Fcall @f db "ZwClose",0 6 J- j& a6 ]2 a: J@@: & t( d& F! T' [. l- }push NtdllMod $ v5 G" z3 U' ^% @call GetProcAddress . w1 S% v2 ^2 S. [" fpush hSection ; v. L' `. S/ |2 Z3 o, Ncall eax xor eax,eax ret ) q" F6 s( {( O, yChangeOK: . ?$ y8 B1 r6 \, e7 a* H5 Oand dword ptr Callgt,0 2 A/ O0 y( [, j( Q$ E8 P( O* mxor eax,eax mov ax,3e0h or al,3h mov word ptr [Callgt+4],ax 3 X& E& `7 r: I' p+ i;farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate; ( Z4 p1 L& P4 \8 S8 o* w# clea eax,_Ring0Proc ;invoke VirtualLock,eax,seglen 2 z4 `+ @( z/ ?0 y# U+ }0 Ytest eax,eax jnz @f xor eax,eax ' y2 ^+ w% j7 V+ P/ y0 v2 ~ret @@: invoke GetCurrentThread # H' a$ U# o; A1 `( l5 B/ qinvoke SetThreadPriority,eax,THREAD_PRIORITY_TIME_CRITICAL invoke Sleep,0 - w+ }& _4 N$ P+ w5 l2 @: ucall fword ptr [Callgt] ;use callgate to Ring0! ;_asm call fword ptr [farcall] _Ring0Proc: ; Ring0 code here.. # f$ u0 p4 S) E% b$ |, m0 ?6 Z" }) Lmov eax,esp ;save ring0 esp + y$ h; R2 Z. U: Nmov esp,[esp+4];->ring3 esp " z5 N+ k* f/ W* ppush eax " X; p& t* g- R& o2 {# n mov ebx,offset stIDEINFO assume ebx:ptr IDEINFO ;******************************************************************** ; P2 y+ V0 f U- Z/ |; 等待硬盘就绪 ;******************************************************************** mov ecx,10000h mov dx,01f7h @@: in al,dx " F3 j( k, I& [0 h6 C0 F1 d3 I7 M cmp al,50h jz @F loop @B jmp _II_TimeOut , t# G4 E3 C5 ^4 W" }2 W @@: 9 z9 N, F* }/ G' C3 w8 @;******************************************************************** X+ ]: ~- }/ `+ |% M& i4 n; 发送命令 % f- I/ f: ^- F7 y! ?- q; 如果向主控制发送命令，则端口为 1f0h-1f7h ; 如果向副控制发送命令，则端口为 170h-177h ; 1f6h 如果要检测的设备为该IDE接口的主（MASTER）设备， - z, z$ ^" a) J3 I; 那么发送 a0，如果为从那么发送 b0 , C+ ?9 n4 P' a q5 O. {; 1f7h 如果要检测的设备为 ATA 设备那么发送 ec # W* D6 a- \' k; 如果为 ATAPI 设备那么发送 a1 ! @" O- m" A, G- Z;******************************************************************** * \) h: ^$ u6 S7 i, ?( ?5 ^$ N mov al,0a0h ;Drive 0,Head 0 a2 Q- [- Q; g: C8 O# @ mov dx,01f6h ;Drive and head port 1 c7 N0 y; N) f out dx,al " x/ a; N9 j0 X mov al,0ech inc dx ;Command port out dx,al ;******************************************************************** ; 等待硬盘就绪 ;******************************************************************** mov ecx,10000h - U( C1 d8 W# x! _7 ^ @@: $ b1 y5 T1 n! \3 s& K in al,dx;1f7 (r-status register) cmp al,58h;(driver is ready ,and seek complete) jz @F - b. E8 i% z5 a# V' M5 M loop @B jmp _II_TimeOut @@: ( j v* q8 ^+ |/ Y0 p;******************************************************************** ; 将返回信息读回 ; 注意一定要读满 100h 个字长 2 Z% H, `( @1 a0 a5 y( v;******************************************************************** 2 K- o; H9 e2 r% s- Z cld 3 y# E6 y& S/ I mov edx,01f0h;data port - data comes in and out here mov edi,ebx 3 n/ |9 \3 T3 N5 S& R mov ecx,0100h rep insw 1 F# U) s# C4 c! x5 j' Y3 r4 E;******************************************************************** . H3 R9 e: a, t M: k3 J; 返回的信息中，型号、序列号、版本号为字形式 ; 需要整理到字符串的形式 ;******************************************************************** - S& h1 I) B m. j5 Y P2 I U9 C lea esi,[ebx].sSerialNumber : p6 D4 \! t2 i4 M$ ~/ R9 C: \ mov edi,esi $ N. z* ~: ~7 I; r3 r mov ecx,10 @@: lodsw : c( J2 q! h% `0 P9 }* G xchg ah,al * _: Y8 M* O+ w" a& f( G! q. q9 o stosw loop @B 7 w r+ I1 G! x2 e ' H* @; \ l7 A' q lea esi,[ebx].sFirmwareRev * |. D# L" ~4 o% I* d/ | mov edi,esi % i0 o4 o+ t& R6 V mov ecx,24 # g! C2 Z- z* L( c: C8 P Z$ G* b @@: lodsw xchg ah,al stosw loop @B $ w+ J8 f. A) ]6 q3 S6 ^/ l) e_II_TimeOut: assume ebx:nothing pop esp ;restore ring0 esp * J; s$ u% n5 U. j# e9 j' |8 f9 e" D& ^push offset Ring3 ) V, J9 U6 _1 X! G! T9 j* v6 jretf " t# m$ `! z; _Ring0CodeLen=$-_Ring0Proc 1 c0 E" ]/ k: t7 p) h Ring3: - c7 k7 ^$ f) linvoke GetCurrentThread invoke SetThreadPriority,eax,THREAD_PRIORITY_NORMAL % T- C1 J/ b1 Q2 q7 O 8 i, d7 h# L+ c: j;invoke VirtualUnlock,Entry,seglen 1 o: k; [, a- s o2 [- Y" n J5 K' a7 ?6 a" }4 Zcall @f db "ZwClose",0 # X. R9 I1 U% B& G: h@@: 4 K4 I. k4 ^) w! Spush NtdllMod call GetProcAddress push hSection call eax 6 e% W( L3 t4 {: I5 R3 |mov eax,TRUE ret ExecRing0Proc endp ) Y. O# e$ h: x* ?9 {1 \9 U! C4 n ) T) o* ?7 q) I7 }* H0 cmain: assume fs:nothing 5 \* i4 {7 r" vpush offset MySEH % f! F& l$ C. K2 Q! D$ O9 _push fs:[0] - w: j" K% ^, d( S3 ?8 Lmov fs:[0],esp mov OldEsp,esp ; C& H' O& C1 M) F7 d- Kmov ax,ds ;if Win9x? + n: x: _' J' ^test ax,4 jnz Exit1 1 n1 v& a& [4 L8 X" r$ w5 p) E! r0 Binvoke ExecRing0Proc ; w( v v! ]+ W9 W9 G; ^" m" Z* I9 l .if stIDEINFO.wNumCyls % Y; w% K' D" Y7 E L lea esi,stIDEINFO.sModelNumber ( o. _& X. o8 t! h! c mov edi,offset szModelNumber mov ecx,sizeof stIDEINFO.sModelNumber rep movsb - P- z" y- f& V7 J$ ^9 t + [ ]2 _" O8 g! Y8 R lea esi,stIDEINFO.sSerialNumber $ e* |( f8 U& ] mov edi,offset szSerialNumber 0 d% F8 }1 }) Q9 Z mov ecx,sizeof stIDEINFO.sSerialNumber ! Q# s+ B* }6 o5 o! m9 r H rep movsb lea esi,stIDEINFO.sFirmwareRev mov edi,offset szFirmwareRev mov ecx,sizeof stIDEINFO.sFirmwareRev rep movsb ! B* h, s9 ^# t+ e' r! M) z7 } - @+ U4 V# y+ p' Y E7 [ movzx eax,stIDEINFO.wNumCyls : j7 d' b2 ]! m% B/ W' j movzx ebx,stIDEINFO.wNumHeads / O, p7 U; I; @3 @, K movzx ecx,stIDEINFO.wSectorsPerTrack / W, O; V8 |: Q movzx edx,stIDEINFO.wBufferSize invoke wsprintf,addr szBuffer,addr szIDEInfo, eax,ebx,ecx,edx, addr szModelNumber, addr szSerialNumber, addr szFirmwareRev mov eax,offset szBuffer 7 |7 K( Y2 g j B ].else mov eax,offset szErrInfo .endif & {; h! s! z" C8 K5 v2 [1 I@@: + f7 e2 ^' t: ]; R: O7 Vinvoke MessageBox,NULL,eax,addr szTitle,MB_ICONINFORMATION or MB_OK Exit1: , e# S* |1 L) k gpop fs:[0] add esp,4 invoke ExitProcess,0 % _" t# L6 P9 A2 _9 S MySEH : mov esp,OldEsp . G+ G* U' u( K* ^* }pop fs:[0] add esp,4 1 `, n% a6 c3 |# v. M Pinvoke ExitProcess,-1 end main ( ?9 n5 c$ ?* ^1 x* S& k: g

[此贴子已经被作者于2003-11-2 18:14:02编辑过]

" J) m* F% b% ~8 e Q

呵呵，ExecRing0Proc 这段程序甚妙，先得到gdt，然后构造一个调用门call gate's ,使程序从用户模式(ring 3)进入内核模式(ring 0)。进入内核模式之后，就可以没有限制地对系统干任何勾当。这段程序确实为高手所为，在下佩服得紧。
( k8 W& N; }. R8 _3 t! K$ S至于读硬盘序列号之类，只不过是在内核模式下的一个I/O应用罢了。
其实在NT/2000下读取硬盘序列号只要打开\\.\PhysicalDriveX(X:设备号0~26）设备，然后用DeviceIoControl()就可以读取了，不需要绕ring0这么一个大圈子
. p* y" Z0 C9 z* @, _! b0 G
这个程序也可以C语言实现，不过中间必须嵌入几条汇编的指令，如sgdt GdtLimit
但还是用c来写更方便，例如：
call @f
* {  |2 C& p# I5 L7 k6 ?# w  ydb "ZwOpenSection",0
$ x3 g1 W& r# d6 O* y: \, s! U@@:
' _2 J/ L' T# h# c( y/ h4 F  Mpush NtdllMod
call GetProcAddress
mov ebx,eax ;ebx=ZwOpenSection
. @: \$ \6 Y- l' ^push esi ;esi->ObjAttr
push SECTION_MAP_READ or SECTION_MAP_WRITE
  ~' y4 s- n) q! \# v5 `# ulea edi,hSection
push edi ;edi->hSection
call eax ;

用c的话只要一句就可以了
ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr)；
因此懂汇编，然后用C/C++编程，是成为高手的捷径
$ m5 c" e: J. _! {, r  t
: [' n; l1 k+ ]) |6 {. M

[此贴子已经被作者于2003-11-3 16:46:50编辑过]

firelinux

win32位汇编，真的很不错，业余的时间，全都投进去了

唐明

要能有台机器试一下多好，学汇编还从没想过去ring0，也感觉没哪个必要。
9 G6 T( `; L6 K5 k现在闲着真相试试。这片文章我在家保存了有快一年了。不用感觉可惜了。一直停着不用，我都快忘了那些曾经那些依稀的记忆了。水能给我一台电脑，我力马高喊：有你这么富的吗？

很久以前的一段代码

游侠无极限

很久以前?
( P5 a6 d) B+ m3 _7 H3 d  N; _' `不是吧,这个是 轻描淡写 编程论坛的斑竹写的

看到过的。