[转帖]2000/xp下读硬盘序列号[汇编]

发表于 2003-11-2 18:09:00
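我可没这个水平
; ======================================================================
; IDE IDENTIFY DEVICE reader for Windows 2000/XP (MASM32).
;
; Reads geometry, model, serial number and firmware revision of the
; primary-master ATA drive by doing port I/O (1F0h-1F7h) at ring 0.
; Ring 0 is reached without a driver:
;   1. open the \Device\PhysicalMemory section; if that is denied, reopen
;      it with READ_CONTROL|WRITE_DAC and loosen its DACL
;      (SetPhyscialMemorySectionCanBeWrited), then open it again;
;   2. map the physical page that holds the GDT (address derived by
;      MiniMmGetPhysicalAddress from the `sgdt` base);
;   3. write a DPL-3 call gate at GDT offset 3E0h, a ring-0 code segment
;      at 3E8h, and a 0C3h (`ret`) byte at GDT offset 0 (the null
;      descriptor), with the gate's target = the GDT base itself;
;   4. `call far` through selector 3E3h: the planted `ret` pops the return
;      EIP and lands on the instruction after the far call (_Ring0Proc),
;      now at CPL 0.
;
; SECURITY NOTES (review):
;   * Steps 1-3 need WRITE_DAC / map-write on the section, i.e. normally
;     administrator rights.  They are also persistent: the DACL grant
;     (SECTION_MAP_WRITE to the current user) is never reverted here, and
;     without the tear-down at Ring3: the DPL-3 gate would stay in the GDT
;     until reboot, giving every ring-3 process a ring-0 entry point.
;   * _Ring0Proc runs at CPL 0 on the caller's ring-3 stack with interrupts
;     enabled; a fault or preemption in there takes the system down, not
;     just the process.
;   * The IDENTIFY command is issued directly to the controller behind the
;     OS ATA driver's back, racing any request it has in flight.
;   * MiniMmGetPhysicalAddress assumes a non-PAE, linearly mapped kernel
;     range and a page-aligned GDT (see the comments there).
;   * NOTE(review): later Windows releases (Server 2003 SP1 and newer, per
;     Microsoft) refuse user-mode opens of \Device\PhysicalMemory, so this
;     technique does not work there.
; ======================================================================
.686p
.model flat, stdcall
option casemap :none ; case sensitive
; #########################################################################
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\advapi32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\advapi32.lib
DEBUG = TRUE ; unused
HMODULE typedef dword
NTSTATUS typedef dword
PACL typedef dword
PSECURITY_DESCRIPTOR typedef dword
; OBJECT_ATTRIBUTES.Attributes flags (only the literal 240h below is used)
OBJ_INHERIT=2
OBJ_PERMANENT=10h
OBJ_EXCLUSIVE=20h
OBJ_CASE_INSENSITIVE=40h
OBJ_OPENIF=80h
OBJ_OPENLINK =100h
OBJ_KERNEL_HANDLE=200 ; sic: Windows defines this as 200h; unused here
OBJ_VALID_ATTRIBUTES=3F2h
; advapi32 security API constants
SE_KERNEL_OBJECT = 6
GRANT_ACCESS =1
NO_INHERITANCE =0
TRUSTEE_IS_NAME=1
TRUSTEE_IS_USER=1
; NTSTATUS values
STATUS_SUCCESS =0
STATUS_ACCESS_DENIED =0C0000022h
STATUS_ACCESS_VIOLATION equ 0C0000005h
STATUS_INFO_LENGTH_MISMATCH equ 0C0000004h
SystemModuleInformation equ 11 ; unused
PVOID TYPEDEF DWORD
UNLONG TYPEDEF DWORD ; sic (ULONG), unused
CHAR TYPEDEF BYTE

; Native UNICODE_STRING: byte length, byte capacity, pointer to UTF-16 text
UNICODE_STRING struct
    nLength word ?
    MaximumLength word ?
    Buffer dword ?
UNICODE_STRING ends

; Native OBJECT_ATTRIBUTES (24 bytes); ObjAttr in .data is built by hand
OBJECT_ATTRIBUTES struct
    nLength dword ?
    RootDirectory HANDLE ?
    ObjectName dword ? ; PUNICODE_STRING
    Attributes dword ?
    SecurityDescriptor dword ? ; PVOID, points to a SECURITY_DESCRIPTOR
    SecurityQualityOfService dword ? ; PVOID, points to a SECURITY_QUALITY_OF_SERVICE
OBJECT_ATTRIBUTES ends

; advapi32 TRUSTEE
TRUSTEE struct
    pMultipleTrustee dword ? ; PTRUSTEE
    MultipleTrusteeOperation dword ? ; MULTIPLE_TRUSTEE_OPERATION
    TrusteeForm dword ? ; TRUSTEE_FORM
    TrusteeType dword ? ; TRUSTEE_TYPE
    ptstrName dword ? ; LPTSTR
TRUSTEE ends

; advapi32 EXPLICIT_ACCESS
EXPLICIT_ACCESS struct
    grfAccessPermissions DWORD ?
    grfAccessMode dword ? ; ACCESS_MODE
    grfInheritance DWORD ?
    Trustee TRUSTEE <>
EXPLICIT_ACCESS ends

; x86 call-gate descriptor layout (documentation only; the gate is written
; with raw dwords in ExecRing0Proc)
MyGATE struct
    OFFSETL WORD ? ; low 16 bits of the 32-bit target offset
    SELECTOR WORd ? ; target code-segment selector
    DCOUNT BYTE ? ; dword parameter count
    GTYPE BYTE ? ; type / DPL / present
    OFFSETH WORD ? ; high 16 bits of the 32-bit target offset
MyGATE ends

; ATA IDENTIFY DEVICE data.  The device returns 256 words = 512 bytes and
; _Ring0Proc reads all of them (`rep insw` with ecx=100h) into this struct,
; so the struct must be 512 bytes.  The fields up to wMultiWordDMA total
; 128 bytes; bReserved pads the rest.
IDEINFO struct
    wGenConfig dw ?
    wNumCyls dw ? ; cylinders
    wReserved dw ?
    wNumHeads dw ? ; heads
    wBytesPerTrack dw ? ; bytes per track
    wBytesPerSector dw ? ; bytes per sector
    wSectorsPerTrack dw ? ; sectors per track
    wVendorUnique dw 3 dup (?)
    sSerialNumber db 20 dup (?) ; drive serial number (byte-swapped words)
    wBufferType dw ?
    wBufferSize dw ? ; in 512-byte units
    wECCSize dw ?
    sFirmwareRev db 8 dup (?)
    sModelNumber db 40 dup (?)
    wMoreVendorUnique dw ?
    wDoubleWordIO dw ?
    wCapabilities dw ?
    wReserved1 dw ?
    wPIOTiming dw ?
    wDMATiming dw ?
    wBS dw ?
    wNumCurrentCyls dw ?
    wNumCurrentHeads dw ?
    wNumCurrentSectorsPerTrack dw ?
    dwCurrentSectorCapacity dd ?
    wMultSectorStuff dw ?
    dwTotalAddressableSectors dd ?
    wSingleWordDMA dw ?
    wMultiWordDMA dw ?
    ; FIX: was 128 dup (?), which made the struct 256 bytes and let the
    ; 512-byte `rep insw` in _Ring0Proc overflow 256 bytes past stIDEINFO
    ; while running at ring 0.
    bReserved db 384 dup (?)
IDEINFO ends

SetPhyscialMemorySectionCanBeWrited proto :dword
MiniMmGetPhysicalAddress proto :dword

; Unused helpers: save state, disable interrupts and clear CR0.WP (bit 16)
; so ring-0 code may write read-only pages; LEAVERING0 undoes it and
; returns far.  Neither macro is expanded anywhere in this file.
ENTERRING0 macro
    pushad
    pushfd
    cli
    mov eax,cr0 ; clear CR0.WP
    and eax,0fffeffffh
    mov cr0,eax
endm

LEAVERING0 macro
    mov eax,cr0 ; restore CR0.WP
    or eax,10000h
    mov cr0,eax
    sti
    popfd
    popad
    retf
endm

; Emit <str> as UTF-16LE (each char followed by a zero byte), no terminator
UNICODE_STR macro str
    irpc _c,<str>
    db '&_c'
    db 0
    endm
endm

.data?
; `sgdt GdtLimit` stores 6 bytes: the 16-bit limit here and the 32-bit
; base in GdtAddr, so these two must stay adjacent and in this order.
GdtLimit dw ?
GdtAddr dd ?
mapAddr dd ? ; physical page address handed to MapViewOfFile
OldEsp dd ? ; stack pointer restored by MySEH
readed dw ? ; byte counter for _ShowBuffer (unused path)
buffer db 512 dup(?) ; raw bytes for _ShowBuffer (unused path)
ShowText db 512*3 dup (?) ; hex dump text; exactly filled, relies on the
                          ; zero-initialised szBuffer behind it as terminator
szBuffer db 1024 dup (?)
szModelNumber db 41 dup (?) ; 40 chars + zero (zero from section init)
szSerialNumber db 21 dup (?) ; 20 chars + zero
szFirmwareRev db 9 dup (?) ; 8 chars + zero
stIDEINFO IDEINFO <> ; filled by _Ring0Proc; wNumCyls==0 means "not read"

.data
align 4
; UNICODE_STRING for the section name; Buffer (objnameptr) is filled in at
; run time because MASM cannot take `offset` of an equ'd label here.
objname dw objnamestr_size,objnamestr_size+2
objnameptr dd 0
objnamestr equ this byte
UNICODE_STR <\Device\PhysicalMemory>
objnamestr_size equ $-objnamestr
szTitle db 'IDE 硬盘信息',0
szErrInfo db '无法读取硬盘信息',0
; wsprintf format: cylinders, heads, sectors/track, buffer size, model,
; serial, firmware
szIDEInfo db '柱面数 : %d',0dh,0ah
    db '磁头数 : %d',0dh,0ah
    db '每道扇区数 : %d',0dh,0ah
    db '缓冲大小 : %d 扇区',0dh,0ah
    db '硬盘型号 : %40s',0dh,0ah
    db '序列号 : %20s',0dh,0ah
    db '版本号 : %8s',0
align 4
ObjAttr db 24 dup (0) ; hand-built OBJECT_ATTRIBUTES (see ExecRing0Proc)
Callgt dq 0 ; 48-bit far pointer (offset 0, selector 3E3h) for `call fword`
Caption db 'Windows XP绝对磁盘读写',0
Digit db '0123456789ABCDEF',0

.code
; Hex-dump `buffer` (512 bytes) into ShowText as "XX " groups, 16 per line
; (the 16th trailing space becomes a CR), then show it in a message box.
; Not called from anywhere in this file.
_ShowBuffer proc
    mov [readed],512
    mov esi,offset buffer ; source bytes
    mov edi,offset ShowText ; hex text output
    mov ebx,offset Digit ; xlat table
    xor ecx,ecx ; bytes on the current line
    xor eax,eax
computeAgain:
    cmp [readed],0
    jz endCompute
    dec [readed]
    lodsb
    push eax
    shr eax,4 ; high nibble
    xlatb
    stosb
    pop eax
    and eax,0fH ; low nibble
    xlatb
    stosb
    mov byte ptr[edi],' ' ; separator
    inc edi
    inc ecx
    cmp ecx,16
    jnz computeAgain
    xor ecx,ecx
    mov byte ptr[edi-1],13 ; replace the 16th separator with CR
    jmp computeAgain
endCompute:
    invoke MessageBoxA,NULL,offset ShowText,offset Caption,MB_OK
    ret
_ShowBuffer endp

; Grant the current user SECTION_MAP_WRITE on the section whose handle
; (opened with READ_CONTROL|WRITE_DAC) is hSection, by appending an ACE to
; its existing DACL.  Returns whatever the last advapi32 call left in eax;
; the SetSecurityInfo result is not checked by the caller.
; SECURITY: the original DACL is never restored, so the grant outlives this
; process (until the kernel object goes away at reboot).
SetPhyscialMemorySectionCanBeWrited proc uses ebx esi edi hSection:HANDLE
    local pDacl:PACL
    local pNewDacl:PACL
    local pSD:PSECURITY_DESCRIPTOR
    local dwRes:DWORD
    local ea:EXPLICIT_ACCESS
    ; FIX: OutSet frees both pointers, and the error paths jump there
    ; before GetSecurityInfo/SetEntriesInAcl have written them; start at 0
    ; so LocalFree is never handed stack garbage.
    mov pSD,0
    mov pNewDacl,0
    invoke GetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL, addr pDacl,NULL, addr pSD
    cmp eax,ERROR_SUCCESS
    jz @f
    jmp OutSet
@@:
    mov dwRes,eax ; stored, never read
    mov ea.grfAccessPermissions ,SECTION_MAP_WRITE ; 2
    mov ea.grfAccessMode ,GRANT_ACCESS ; 1
    mov ea.grfInheritance,NO_INHERITANCE ; 0
    mov ea.Trustee.pMultipleTrustee,0
    mov ea.Trustee.MultipleTrusteeOperation,0
    mov ea.Trustee.TrusteeForm,TRUSTEE_IS_NAME ; 1
    mov ea.Trustee.TrusteeType,TRUSTEE_IS_USER ; 1
    ; `call` over the inline string leaves its address on the stack
    call @f
    db "CURRENT_USER",0
@@:
    pop edx
    mov ea.Trustee.ptstrName,edx
    invoke SetEntriesInAcl,1,addr ea,pDacl,addr pNewDacl
    cmp eax,ERROR_SUCCESS
    jz @f
    jmp OutSet
@@:
    ; return value ignored
    invoke SetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL,pNewDacl,NULL
OutSet:
    cmp pSD,0
    jz @f
    invoke LocalFree,pSD
@@:
    cmp pNewDacl,0
    jz @f
    invoke LocalFree,pNewDacl
@@:
    ret
SetPhyscialMemorySectionCanBeWrited endp

; Translate a kernel virtual address to the physical page address by
; masking, for addresses in [80000000h, A0000000h); returns 0 otherwise.
; ASSUMPTION (review): this is only right where that kernel range is a
; linear (identity-offset) map, i.e. the classic non-PAE layout; the mask
; also drops the page offset, so the caller effectively assumes the GDT
; starts on a page boundary.  Off-target by either assumption, the GDT
; writes in ExecRing0Proc land on an arbitrary physical page.
MiniMmGetPhysicalAddress proc virtualaddress:dword
    mov eax,virtualaddress
    cmp eax,80000000h
    jb @f
    cmp eax,0a0000000h
    jae @f
    and eax,1FFFF000h
    ret
@@:
    mov eax,0
    ret
MiniMmGetPhysicalAddress endp

; Open \Device\PhysicalMemory, map the GDT page, install the call gate,
; run _Ring0Proc at ring 0 (fills stIDEINFO), tear the gate down again.
; Returns TRUE on success, 0 if the section could not be opened or mapped;
; on a failed physical-address lookup it jumps straight to Exit1 in main.
ExecRing0Proc proc
    local tmpSel:dword ; unused
    local setcg:dword
    local BaseAddress:dword ; mapped view of the GDT page
    local NtdllMod :dword
    local hSection:HANDLE
    local status:NTSTATUS
    local objectAttributes:OBJECT_ATTRIBUTES ; unused (ObjAttr in .data is used)
    local objName:UNICODE_STRING ; unused (objname in .data is used)
    mov status,STATUS_SUCCESS
    sgdt GdtLimit ; 6 bytes: GdtLimit + GdtAddr
    invoke MiniMmGetPhysicalAddress,GdtAddr
    mov mapAddr,eax
    test eax,eax
    ; NOTE(review): Exit1 lives in main; jumping there leaves this frame on
    ; the stack, so its `pop fs:[0]` pops the wrong slot, but ExitProcess
    ; follows immediately.
    jz Exit1
    call @f
    db "Ntdll.dll",0
@@:
    call LoadLibraryA
    mov NtdllMod,eax
    lea edx,objnamestr
    mov objnameptr,edx ; UNICODE_STRING.Buffer
    ; Build OBJECT_ATTRIBUTES in ObjAttr:
    ;   { 18h, 0, &objname, 240h, 0, 0 }
    ; 240h = OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE (the kernel-handle
    ; bit is ignored for user-mode callers).
    lea edi,ObjAttr
    and di,0fffch ; ObjAttr is already 4-aligned (align 4); on an unaligned
                  ; buffer this would move the pointer *before* it
    push edi ; edi->ObjAttr
    push 24 ; sizeof OBJECT_ATTRIBUTES, not the name length
    pop ecx
    push ecx
    xor eax,eax
    rep stosb ; zero-fill ObjAttr
    pop ecx
    pop edi
    mov esi,edi
    stosd
    mov dword ptr[esi],ecx ; Length = 24
    stosd ; RootDirectory = 0
    lea eax,[edx-8] ; objname sits 8 bytes before objnamestr
    stosd ; ObjectName = &objname
    mov dword ptr [edi],240h ; Attributes
    call @f
    db "ZwOpenSection",0
@@:
    push NtdllMod
    call GetProcAddress
    mov ebx,eax ; ebx = ZwOpenSection
    push esi ; esi->ObjAttr
    push SECTION_MAP_READ or SECTION_MAP_WRITE
    lea edi,hSection
    push edi ; edi->hSection
    call eax ; ZwOpenSection(&hSection, SECTION_MAP_READ|SECTION_MAP_WRITE, ObjAttr)
    mov status,eax
    cmp status,STATUS_ACCESS_DENIED
    jnz AccessPermit
    ; Denied: reopen for DACL editing, widen the DACL, close, open again.
    mov eax,ebx
    push esi
    push READ_CONTROL or WRITE_DAC
    push edi
    call eax
    mov status,eax
    ; FIX: the original went on with an undefined hSection when this open
    ; failed; bail out through AccessPermit instead (status != 0 there
    ; returns 0).
    cmp eax,STATUS_SUCCESS
    jnz AccessPermit
    invoke SetPhyscialMemorySectionCanBeWrited,hSection
    call @f
    db "ZwClose",0
@@:
    push NtdllMod
    call GetProcAddress
    push hSection
    call eax ; ZwClose(hSection)
    mov eax,ebx
    push esi
    push SECTION_MAP_READ or SECTION_MAP_WRITE
    lea edi,hSection
    push edi
    call eax
    mov status ,eax
    ; status = ZwOpenSection(&hSection, SECTION_MAP_READ|SECTION_MAP_WRITE, ObjAttr)
AccessPermit:
    cmp status ,STATUS_SUCCESS
    jz @f
    ; could not open the PhysicalMemory section
    mov eax,0
    ret
@@:
    ; Map GdtLimit+1 bytes of physical memory starting at mapAddr
    movzx eax,word ptr[GdtLimit]
    inc eax
    invoke MapViewOfFile,hSection, FILE_MAP_READ or FILE_MAP_WRITE, 0, mapAddr, eax
    mov BaseAddress,eax
    cmp BaseAddress,0
    jnz @f
    ; MapViewOfFile failed; hSection is leaked on this path
    mov eax,0
    ret
@@:
    mov esi,eax ; esi -> GDT image (assumed page-aligned, see MiniMmGetPhysicalAddress)
    mov ecx,3e0h ; gate slot; the code segment goes in the next slot (3E8h)
    mov eax,GdtAddr
    ; Install only if the gate is not already there.  Whatever currently
    ; occupies slots 3E0h/3E8h is overwritten without being checked.
    .if dword ptr [esi+ecx+2]!=0ec0003e8h
    mov byte ptr [esi],0c3h ; `ret` at GDT offset 0 (null descriptor) = gate target
    mov word ptr [esi+ecx],ax ; gate offset low  = GDT base
    shr eax,16
    mov word ptr [esi+ecx+6],ax ; gate offset high
    mov dword ptr [esi+ecx+2],0ec0003e8h ; selector 3E8h, 0 params, type ECh:
                                         ; present, DPL 3, 32-bit call gate
    mov dword ptr [esi+ecx+8],0000ffffh ; code seg: base 0, limit FFFFFh
    mov dword ptr [esi+ecx+12],00cf9a00h ; 4K gran, 32-bit, DPL 0, code R/X
    .endif
    mov setcg,TRUE
    cmp setcg,0
    jnz ChangeOK
    ; unreachable: setcg was just set to TRUE
    call @f
    db "ZwClose",0
@@:
    push NtdllMod
    call GetProcAddress
    push hSection
    call eax
    xor eax,eax
    ret
ChangeOK:
    ; Callgt = offset 0, selector 3E0h | RPL 3 = 3E3h
    and dword ptr Callgt,0
    xor eax,eax
    mov ax,3e0h
    or al,3h
    mov word ptr [Callgt+4],ax
    lea eax,_Ring0Proc
    ; VirtualLock of the ring-0 code was considered and left out
    test eax,eax ; always non-zero; the failure branch is dead
    jnz @f
    xor eax,eax
    ret
@@:
    ; Raise priority to reduce (not prevent) preemption while at ring 0
    invoke GetCurrentThread
    invoke SetThreadPriority,eax,THREAD_PRIORITY_TIME_CRITICAL
    invoke Sleep,0
    call fword ptr [Callgt] ; through the gate: the planted `ret` brings us
                            ; back to the next instruction at CPL 0
_Ring0Proc: ; ring-0 code, CS = 3E8h
    ; The inter-privilege call pushed SS3, ESP3, CS3, EIP3 on the ring-0
    ; stack; the `ret` popped EIP3, so now [esp]=CS3 and [esp+4]=ESP3.
    mov eax,esp ; save ring-0 esp
    mov esp,[esp+4] ; work on the caller's ring-3 stack
    push eax
    ; SECURITY: from here until `retf` the thread is CPL 0 on a user-mode
    ; stack with interrupts enabled; no cli, no WP handling.
    mov ebx,offset stIDEINFO
    assume ebx:ptr IDEINFO
    ;********************************************************************
    ; Wait for the drive: poll the status register (1F7h) up to 10000h
    ; times for exactly 50h (DRDY|DSC).  Any other bit pattern (e.g. ERR
    ; or IDX set) never matches and ends in a timeout.
    ;********************************************************************
    mov ecx,10000h
    mov dx,01f7h
@@:
    in al,dx
    cmp al,50h
    jz @F
    loop @B
    jmp _II_TimeOut
@@:
    ;********************************************************************
    ; Issue IDENTIFY DEVICE to the primary channel (1F0h-1F7h; the
    ; secondary would be 170h-177h).  1F6h selects the device: A0h =
    ; master, B0h = slave.  1F7h takes the command: ECh = IDENTIFY DEVICE
    ; (ATA), A1h = IDENTIFY PACKET DEVICE (ATAPI).
    ;********************************************************************
    mov al,0a0h ; drive 0, head 0
    mov dx,01f6h ; drive/head register
    out dx,al
    mov al,0ech
    inc dx ; command register
    out dx,al
    ;********************************************************************
    ; Wait for data: status must read exactly 58h (DRDY|DSC|DRQ).
    ;********************************************************************
    mov ecx,10000h
@@:
    in al,dx ; 1F7h status register
    cmp al,58h
    jz @F
    loop @B
    jmp _II_TimeOut
@@:
    ;********************************************************************
    ; Read the whole 256-word response from the data register (1F0h);
    ; the drive stays in DRQ until all 100h words are taken.
    ;********************************************************************
    cld
    mov edx,01f0h ; data register
    mov edi,ebx
    mov ecx,0100h
    rep insw ; 512 bytes into stIDEINFO (now sized to fit)
    ;********************************************************************
    ; The ATA string fields arrive with the two bytes of every word
    ; swapped; swap them back in place: 10 words of sSerialNumber, then
    ; 24 words covering sFirmwareRev (4) and the adjacent sModelNumber (20).
    ;********************************************************************
    lea esi,[ebx].sSerialNumber
    mov edi,esi
    mov ecx,10
@@:
    lodsw
    xchg ah,al
    stosw
    loop @B
    lea esi,[ebx].sFirmwareRev
    mov edi,esi
    mov ecx,24
@@:
    lodsw
    xchg ah,al
    stosw
    loop @B
_II_TimeOut:
    assume ebx:nothing
    ; Back to the ring-0 stack: [esp]=CS3, [esp+4]=ESP3, [esp+8]=SS3.
    ; Push the ring-3 resume address and `retf` pops EIP, CS, ESP, SS.
    pop esp ; restore ring-0 esp
    push offset Ring3
    retf
Ring0CodeLen=$-_Ring0Proc ; unused
Ring3:
    ; Back at CPL 3.  SECURITY: remove the DPL-3 gate and the ring-0 code
    ; descriptor so the boot is not left with a ring-3-callable ring-0
    ; entry point, and clear the `ret` byte planted in the null descriptor
    ; (normally all zero).  The view is still mapped; ebp was not touched
    ; by _Ring0Proc, so the locals are valid.  The DACL grant made in
    ; SetPhyscialMemorySectionCanBeWrited is NOT undone here.
    mov esi,BaseAddress
    mov byte ptr [esi],0
    and dword ptr [esi+3e0h],0
    and dword ptr [esi+3e4h],0
    and dword ptr [esi+3e8h],0
    and dword ptr [esi+3ech],0
    invoke UnmapViewOfFile,BaseAddress
    invoke GetCurrentThread
    invoke SetThreadPriority,eax,THREAD_PRIORITY_NORMAL
    call @f
    db "ZwClose",0
@@:
    push NtdllMod
    call GetProcAddress
    push hSection
    call eax ; ZwClose(hSection)
    mov eax,TRUE
    ret
ExecRing0Proc endp

; Entry point: install a catch-all SEH frame, refuse to run on Win9x,
; read the drive data at ring 0 and report it in a message box.
main:
    assume fs:nothing
    push offset MySEH
    push fs:[0]
    mov fs:[0],esp
    mov OldEsp,esp
    ; DS with the TI bit (bit 2) set comes from the LDT; the author uses
    ; that as the Win9x tell and exits there.
    mov ax,ds
    test ax,4
    jnz Exit1
    invoke ExecRing0Proc ; return value ignored; wNumCyls==0 signals failure
    .if stIDEINFO.wNumCyls
    ; Copy the fixed-width ATA strings into zero-terminated buffers (the
    ; terminator is the zero the section init left behind the copy).
    lea esi,stIDEINFO.sModelNumber
    mov edi,offset szModelNumber
    mov ecx,sizeof stIDEINFO.sModelNumber
    rep movsb
    lea esi,stIDEINFO.sSerialNumber
    mov edi,offset szSerialNumber
    mov ecx,sizeof stIDEINFO.sSerialNumber
    rep movsb
    lea esi,stIDEINFO.sFirmwareRev
    mov edi,offset szFirmwareRev
    mov ecx,sizeof stIDEINFO.sFirmwareRev
    rep movsb
    movzx eax,stIDEINFO.wNumCyls
    movzx ebx,stIDEINFO.wNumHeads
    movzx ecx,stIDEINFO.wSectorsPerTrack
    movzx edx,stIDEINFO.wBufferSize
    invoke wsprintf,addr szBuffer,addr szIDEInfo, eax,ebx,ecx,edx, addr szModelNumber, addr szSerialNumber, addr szFirmwareRev
    mov eax,offset szBuffer
    .else
    mov eax,offset szErrInfo
    .endif
@@:
    invoke MessageBox,NULL,eax,addr szTitle,MB_ICONINFORMATION or MB_OK
Exit1:
    pop fs:[0]
    add esp,4
    invoke ExitProcess,0
; Exception handler: unwind to the stack as it was in main and exit(-1).
; A ring-0 fault inside _Ring0Proc never gets here.
MySEH:
    mov esp,OldEsp
    pop fs:[0]
    add esp,4
    invoke ExitProcess,-1
end main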
bigfoot 该用户已被删除
2
发表于 2003-11-3 16:22:00 | 只看该作者
呵呵,ExecRing0Proc 这段程序甚妙,先得到gdt,然后构造一个调用门(call gate),使程序从用户模式(ring 3)进入内核模式(ring 0)。进入内核模式之后,就可以没有限制地对系统干任何勾当。这段程序确实为高手所为,在下佩服得紧。
至于读硬盘序列号之类,只不过是在内核模式下的一个I/O应用罢了。
其实在NT/2000下读取硬盘序列号只要打开\\.\PhysicalDriveX(X:设备号0~26)设备,然后用DeviceIoControl()就可以读取了(同样需要管理员权限,但不改动GDT,也不改内核对象的ACL),不需要绕ring0这么一个大圈子。
7 ?3 o( [/ p' v* x# h3 O
这个程序也可以C语言实现,不过中间必须嵌入几条汇编的指令,如 sgdt GdtLimit
但还是用C来写更方便,例如:
call @f
db "ZwOpenSection",0
@@:
push NtdllMod
call GetProcAddress
mov ebx,eax ;ebx=ZwOpenSection
push esi ;esi->ObjAttr
push SECTION_MAP_READ or SECTION_MAP_WRITE
lea edi,hSection
push edi ;edi->hSection
call eax
用C的话只要一句就可以了:
ZwOpenSection(&hSection, SECTION_MAP_READ | SECTION_MAP_WRITE, &ObjAttr);
因此懂汇编,然后用C/C++编程,是成为高手的捷径。


3
发表于 2003-11-19 00:12:00 | 只看该作者
win32位汇编,真的很不错,业余的时间,全都投进去了


4
发表于 2003-11-26 19:36:00 | 只看该作者
要能有台机器试一下多好,学汇编还从没想过去ring0,也感觉没哪个必要。
现在闲着真相试试。这片文章我在家保存了有快一年了。不用感觉可惜了。一直停着不用,我都快忘了那些曾经那些依稀的记忆了。水能给我一台电脑,我力马高喊:有你这么富的吗?
fyer 该用户已被删除
5
发表于 2003-12-3 03:31:00 | 只看该作者
很久以前的一段代码


6
 楼主| 发表于 2003-12-3 15:33:00 | 只看该作者
很久以前?
不是吧,这个是 轻描淡写 编程论坛的斑竹写的
fyer 该用户已被删除
7
发表于 2003-12-24 19:21:00 | 只看该作者
看到过的。
