下沙论坛

[Repost] Reading the hard disk serial number under 2000/XP [assembly]

#1 | Posted on 2003-11-2 18:09:00
I'm nowhere near this level.

; Reads the IDE drive's IDENTIFY DEVICE data with direct port I/O from ring 0.
; Ring 0 is reached by mapping the page that holds the GDT through the
; \Device\PhysicalMemory section and installing a call gate in it. This needs
; user-mode access to that section, which Windows Server 2003 SP1 and later deny.
.686p
.model flat, stdcall
option casemap :none                   ; case sensitive
; #########################################################################
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\advapi32.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\advapi32.lib

DEBUG = TRUE

HMODULE              typedef dword
NTSTATUS             typedef dword
PACL                 typedef dword
PSECURITY_DESCRIPTOR typedef dword

OBJ_INHERIT          = 2
OBJ_PERMANENT        = 10h
OBJ_EXCLUSIVE        = 20h
OBJ_CASE_INSENSITIVE = 40h
OBJ_OPENIF           = 80h
OBJ_OPENLINK         = 100h
OBJ_KERNEL_HANDLE    = 200h            ; the post had 200 (decimal); the flag value is 200h
OBJ_VALID_ATTRIBUTES = 3F2h

SE_KERNEL_OBJECT = 6
GRANT_ACCESS     = 1
NO_INHERITANCE   = 0
TRUSTEE_IS_NAME  = 1
TRUSTEE_IS_USER  = 1
STATUS_SUCCESS              = 0
STATUS_ACCESS_DENIED        = 0C0000022h
STATUS_ACCESS_VIOLATION     equ 0C0000005h
STATUS_INFO_LENGTH_MISMATCH equ 0C0000004h
SystemModuleInformation     equ 11
PVOID TYPEDEF DWORD
ULONG TYPEDEF DWORD
CHAR  TYPEDEF BYTE

UNICODE_STRING struct
    nLength       word ?
    MaximumLength word ?
    Buffer        dword ?
UNICODE_STRING ends

OBJECT_ATTRIBUTES struct
    nLength                  dword ?
    RootDirectory            HANDLE ?
    ObjectName               dword ?   ; PUNICODE_STRING
    Attributes               dword ?
    SecurityDescriptor       dword ?   ; PVOID, points to a SECURITY_DESCRIPTOR
    SecurityQualityOfService dword ?   ; PVOID, points to a SECURITY_QUALITY_OF_SERVICE
OBJECT_ATTRIBUTES ends

TRUSTEE struct
    pMultipleTrustee         dword ?   ; PTRUSTEE
    MultipleTrusteeOperation dword ?   ; MULTIPLE_TRUSTEE_OPERATION
    TrusteeForm              dword ?   ; TRUSTEE_FORM
    TrusteeType              dword ?   ; TRUSTEE_TYPE
    ptstrName                dword ?   ; LPTSTR
TRUSTEE ends

EXPLICIT_ACCESS struct
    grfAccessPermissions DWORD ?
    grfAccessMode        dword ?       ; ACCESS_MODE
    grfInheritance       DWORD ?
    Trustee              TRUSTEE <>
EXPLICIT_ACCESS ends

MyGATE struct                          ; gate descriptor layout (defined but not used below)
    OFFSETL  WORD ?                    ; low 16 bits of the 32-bit offset
    SELECTOR WORD ?                    ; selector
    DCOUNT   BYTE ?                    ; dword count field
    GTYPE    BYTE ?                    ; type
    OFFSETH  WORD ?                    ; high 16 bits of the 32-bit offset
MyGATE ends

IDEINFO struct                         ; layout of the ATA IDENTIFY DEVICE data
    wGenConfig        dw ?
    wNumCyls          dw ?             ; number of cylinders
    wReserved         dw ?
    wNumHeads         dw ?             ; number of heads
    wBytesPerTrack    dw ?             ; bytes per track
    wBytesPerSector   dw ?             ; bytes per sector
    wSectorsPerTrack  dw ?             ; sectors per track
    wVendorUnique     dw 3 dup (?)
    sSerialNumber     db 20 dup (?)    ; disk serial number
    wBufferType       dw ?
    wBufferSize       dw ?             ; n * 512
    wECCSize          dw ?
    sFirmwareRev      db 8 dup (?)
    sModelNumber      db 40 dup (?)
    wMoreVendorUnique dw ?
    wDoubleWordIO     dw ?
    wCapabilities     dw ?
    wReserved1        dw ?
    wPIOTiming        dw ?
    wDMATiming        dw ?
    wBS               dw ?
    wNumCurrentCyls   dw ?
    wNumCurrentHeads  dw ?
    wNumCurrentSectorsPerTrack dw ?
    dwCurrentSectorCapacity    dd ?
    wMultSectorStuff  dw ?
    dwTotalAddressableSectors  dd ?
    wSingleWordDMA    dw ?
    wMultiWordDMA     dw ?
    bReserved         db 384 dup (?)   ; the post had 128, making the struct 256 bytes, but the
                                       ; rep insw below stores 256 words (512 bytes) into it
IDEINFO ends

SetPhyscialMemorySectionCanBeWrited proto :dword
MiniMmGetPhysicalAddress proto :dword

ENTERRING0 macro                       ; (not used below)
    pushad
    pushfd
    cli
    mov eax,cr0                        ; clear the write-protect bit
    and eax,0fffeffffh
    mov cr0,eax
endm

LEAVERING0 macro                       ; (not used below)
    mov eax,cr0                        ; restore write protection
    or eax,10000h
    mov cr0,eax
    sti
    popfd
    popad
    retf
endm

UNICODE_STR macro str                  ; emit str as UTF-16LE (a zero byte after each character)
    irpc _c,<str>
        db '&_c'
        db 0
    endm
endm

.data?
GdtLimit       dw ?                    ; sgdt stores the 2-byte limit, then the 4-byte base
GdtAddr        dd ?
mapAddr        dd ?
OldEsp         dd ?
readed         dw ?
buffer         db 512 dup (?)
ShowText       db 512*3+1 dup (?)      ; +1 for the terminating zero (the post had 512*3)
szBuffer       db 1024 dup (?)
szModelNumber  db 41 dup (?)
szSerialNumber db 21 dup (?)
szFirmwareRev  db 9 dup (?)
stIDEINFO      IDEINFO <>

.data
align 4
objname    dw objnamestr_size,objnamestr_size+2   ; UNICODE_STRING: Length, MaximumLength, ...
objnameptr dd 0                                   ; ... Buffer (filled in at run time)
objnamestr equ this byte
    UNICODE_STR <\Device\PhysicalMemory>
objnamestr_size equ $-objnamestr

szTitle   db 'IDE 硬盘信息',0
szErrInfo db '无法读取硬盘信息',0
szIDEInfo db '柱面数 : %d',0dh,0ah
          db '磁头数 : %d',0dh,0ah
          db '每道扇区数 : %d',0dh,0ah
          db '缓冲大小 : %d 扇区',0dh,0ah
          db '硬盘型号 : %40s',0dh,0ah
          db '序列号 : %20s',0dh,0ah
          db '版本号 : %8s',0
align 4
ObjAttr db 24 dup (0)
Callgt  dq 0                           ; far pointer (offset:selector) used to call through the gate
Caption db 'Windows XP绝对磁盘读写',0
Digit   db '0123456789ABCDEF',0

.code
_ShowBuffer proc                       ; show the data that was read (not called by main)
    ; convert the buffer to hexadecimal text
    mov [readed],512
    mov esi,offset buffer              ; source data
    mov edi,offset ShowText            ; converted text
    mov ebx,offset Digit
    xor ecx,ecx
    xor eax,eax
computeAgain:
    cmp [readed],0
    jz endCompute
    dec [readed]
    lodsb
    push eax
    shr eax,4                          ; high nibble
    xlatb
    stosb
    pop eax
    and eax,0fH                        ; low nibble
    xlatb
    stosb
    mov byte ptr [edi],' '             ; space
    inc edi
    inc ecx
    cmp ecx,16
    jnz computeAgain
    xor ecx,ecx
    mov byte ptr [edi-1],13            ; carriage return after every 16 bytes
    jmp computeAgain
endCompute:
    ; display
    invoke MessageBoxA,NULL,offset ShowText,offset Caption,MB_OK
    ret
_ShowBuffer endp

; Grant the current user SECTION_MAP_WRITE on the \Device\PhysicalMemory section
SetPhyscialMemorySectionCanBeWrited proc uses ebx esi edi hSection:HANDLE
    local pDacl:PACL
    local pNewDacl:PACL
    local pSD:PSECURITY_DESCRIPTOR
    local dwRes:DWORD
    local ea:EXPLICIT_ACCESS

    mov pSD,0                          ; locals are not zeroed; without this the LocalFree
    mov pNewDacl,0                     ; calls below run on garbage when an earlier step fails
    invoke GetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,\
           NULL,NULL,addr pDacl,NULL,addr pSD
    cmp eax,ERROR_SUCCESS
    jnz OutSet
    mov dwRes,eax
    mov ea.grfAccessPermissions,SECTION_MAP_WRITE      ; 2
    mov ea.grfAccessMode,GRANT_ACCESS                  ; 1
    mov ea.grfInheritance,NO_INHERITANCE               ; 0
    mov ea.Trustee.pMultipleTrustee,0
    mov ea.Trustee.MultipleTrusteeOperation,0
    mov ea.Trustee.TrusteeForm,TRUSTEE_IS_NAME         ; 1
    mov ea.Trustee.TrusteeType,TRUSTEE_IS_USER         ; 1
    call @f
    db "CURRENT_USER",0
@@:
    pop edx                            ; edx -> "CURRENT_USER"
    mov ea.Trustee.ptstrName,edx
    invoke SetEntriesInAcl,1,addr ea,pDacl,addr pNewDacl
    cmp eax,ERROR_SUCCESS
    jnz OutSet
    invoke SetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,\
           NULL,NULL,pNewDacl,NULL
OutSet:
    cmp pSD,0
    jz @f
    invoke LocalFree,pSD
@@:
    cmp pNewDacl,0
    jz @f
    invoke LocalFree,pNewDacl
@@:
    ret
SetPhyscialMemorySectionCanBeWrited endp

; Virtual -> physical for the non-PAE kernel range 80000000h..9FFFFFFFh, which
; XP maps 1:1 onto the first 512 MB. Returns the page-aligned physical address, or 0.
MiniMmGetPhysicalAddress proc virtualaddress:dword
    mov eax,virtualaddress
    cmp eax,80000000h
    jb @f
    cmp eax,0a0000000h
    jae @f
    and eax,1FFFF000h                  ; drop the 8 prefix and the page offset
    ret
@@:
    mov eax,0
    ret
MiniMmGetPhysicalAddress endp

ExecRing0Proc proc
    local tmpSel:dword
    local setcg:dword
    local BaseAddress:dword
    local NtdllMod:dword
    local hSection:HANDLE
    local status:NTSTATUS
    local objectAttributes:OBJECT_ATTRIBUTES
    local objName:UNICODE_STRING

    mov status,STATUS_SUCCESS
    sgdt GdtLimit                      ; GdtLimit/GdtAddr receive the 6-byte GDTR
    invoke MiniMmGetPhysicalAddress,GdtAddr
    mov mapAddr,eax
    test eax,eax
    jz ExecFail                        ; the post jumped straight to Exit1 in main here, leaving
                                       ; this frame on the stack; fail locally instead
    call @f
    db "Ntdll.dll",0
@@:
    call LoadLibraryA
    mov NtdllMod,eax

    ; build the OBJECT_ATTRIBUTES for \Device\PhysicalMemory in ObjAttr
    lea edx,objnamestr
    mov objnameptr,edx                 ; UNICODE_STRING.Buffer
    lea edi,ObjAttr
    and di,0fffch                      ; align to 4 bytes, or ZwOpenSection will fail
    push edi                           ; edi -> ObjAttr
    push 24                            ; sizeof OBJECT_ATTRIBUTES (18h); the post's comment
                                       ; called this the length of <\Device\PhysicalMemory>
    pop ecx
    push ecx
    xor eax,eax
    rep stosb                          ; zero ObjAttr
    pop ecx
    pop edi
    mov esi,edi
    stosd
    mov dword ptr [esi],ecx            ; Length = 18h
    stosd                              ; RootDirectory = 0
    lea eax,[edx-8]                    ; eax -> objname (the UNICODE_STRING 8 bytes before the text)
    stosd                              ; ObjectName
    mov dword ptr [edi],240h           ; Attributes = OBJ_CASE_INSENSITIVE or OBJ_KERNEL_HANDLE
    ; ObjAttr is now 18h,0,0,0, 0,0,0,0, offset objname, 40h,02h,0,0, dd 2 dup (0)

    call @f
    db "ZwOpenSection",0
@@:
    push NtdllMod
    call GetProcAddress
    mov ebx,eax                        ; ebx = ZwOpenSection

    push esi                           ; esi -> ObjAttr
    push SECTION_MAP_READ or SECTION_MAP_WRITE
    lea edi,hSection
    push edi                           ; edi -> hSection
    call eax                           ; ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr)
    mov status,eax
    cmp status,STATUS_ACCESS_DENIED
    jnz AccessPermit

    ; access denied: reopen with WRITE_DAC, grant the current user SECTION_MAP_WRITE, retry
    mov eax,ebx
    push esi
    push READ_CONTROL or WRITE_DAC
    push edi
    call eax
    mov status,eax
    invoke SetPhyscialMemorySectionCanBeWrited,hSection
    call @f
    db "ZwClose",0
@@:
    push NtdllMod
    call GetProcAddress
    push hSection
    call eax                           ; ZwClose(hSection)

    mov eax,ebx
    push esi
    push SECTION_MAP_READ or SECTION_MAP_WRITE
    lea edi,hSection
    push edi
    call eax
    mov status,eax                     ; status = ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&objectAttributes)
AccessPermit:
    cmp status,STATUS_SUCCESS
    jz @f
    ; printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status); return 0;
    mov eax,0
    ret
@@:
    ; map the page that holds the GDT
    movzx eax,word ptr [GdtLimit]
    inc eax
    invoke MapViewOfFile,hSection,FILE_MAP_READ or FILE_MAP_WRITE,0,mapAddr,eax
    mov BaseAddress,eax
    cmp BaseAddress,0
    jnz @f
    ; printf("Error MapViewOfFile:"); PrintWin32Error(GetLastError()); return 0;
    mov eax,0
    ret
@@:
    mov esi,eax                        ; esi -> GDT base (assumes the GDT is page aligned, as on XP)
    mov ecx,3e0h                       ; use the last two descriptors: call gate at 3e0h, code segment at 3e8h
    mov eax,GdtAddr
    .if dword ptr [esi+ecx+2] != 0ec0003e8h
        mov byte ptr [esi],0c3h        ; a near RET in the unused null descriptor: the gate targets
                                       ; the GDT itself, and this RET pops the ring-3 return address,
                                       ; so the instruction after the far call runs in ring 0
        mov word ptr [esi+ecx],ax      ; gate offset low  = GdtAddr
        shr eax,16
        mov word ptr [esi+ecx+6],ax    ; gate offset high
        mov dword ptr [esi+ecx+2],0ec0003e8h   ; selector 3e8h, type ECh = present, DPL 3, 32-bit call gate
        mov dword ptr [esi+ecx+8],0000ffffh    ; 3e8h: flat ring-0 code segment, base 0, limit 4 GB
        mov dword ptr [esi+ecx+12],00cf9a00h
    .endif

    mov setcg,TRUE
    cmp setcg,0
    jnz ChangeOK
    call @f
    db "ZwClose",0
@@:
    push NtdllMod
    call GetProcAddress
    push hSection
    call eax
    xor eax,eax
    ret
ChangeOK:
    and dword ptr Callgt,0
    xor eax,eax
    mov ax,3e0h
    or al,3h                           ; selector 3e3h: gate index 7Ch, RPL 3
    mov word ptr [Callgt+4],ax
    ; farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate
    lea eax,_Ring0Proc
    ; invoke VirtualLock,eax,seglen
    test eax,eax
    jnz @f
    xor eax,eax
    ret
@@:
    invoke GetCurrentThread
    invoke SetThreadPriority,eax,THREAD_PRIORITY_TIME_CRITICAL
    invoke Sleep,0
    call fword ptr [Callgt]            ; through the call gate into ring 0!
    ; _asm call fword ptr [farcall]
_Ring0Proc:                            ; ring-0 code from here on
    mov eax,esp                        ; save ring-0 esp
    mov esp,[esp+4]                    ; switch to the ring-3 esp
    push eax
    mov ebx,offset stIDEINFO
    assume ebx:ptr IDEINFO
    ;********************************************************************
    ; wait for the drive to be ready
    ;********************************************************************
    mov ecx,10000h
    mov dx,01f7h
@@:
    in al,dx
    cmp al,50h
    jz @F
    loop @B
    jmp _II_TimeOut
@@:
    ;********************************************************************
    ; send the command
    ; primary controller:   ports 1f0h-1f7h
    ; secondary controller: ports 170h-177h
    ; 1f6h: send a0 for the master device on this IDE channel, b0 for the slave
    ; 1f7h: send ec for an ATA device, a1 for an ATAPI device
    ;********************************************************************
    mov al,0a0h                        ; drive 0, head 0
    mov dx,01f6h                       ; drive/head port
    out dx,al
    mov al,0ech                        ; IDENTIFY DEVICE
    inc dx                             ; command port
    out dx,al
    ;********************************************************************
    ; wait for the drive to be ready
    ;********************************************************************
    mov ecx,10000h
@@:
    in al,dx                           ; 1f7h (read: status register)
    cmp al,58h                         ; drive ready, seek complete, data request
    jz @F
    loop @B
    jmp _II_TimeOut
@@:
    ;********************************************************************
    ; read the returned data
    ; note: all 100h words must be read
    ;********************************************************************
    cld
    mov edx,01f0h                      ; data port: data comes in and out here
    mov edi,ebx
    mov ecx,0100h
    rep insw
    ;********************************************************************
    ; in the returned data the model, serial number and firmware revision
    ; are stored as words and have to be rearranged into strings
    ;********************************************************************
    lea esi,[ebx].sSerialNumber
    mov edi,esi
    mov ecx,10
@@:
    lodsw
    xchg ah,al
    stosw
    loop @B
    lea esi,[ebx].sFirmwareRev         ; sFirmwareRev and sModelNumber are adjacent: 8+40 bytes = 24 words
    mov edi,esi
    mov ecx,24
@@:
    lodsw
    xchg ah,al
    stosw
    loop @B
_II_TimeOut:
    assume ebx:nothing
    pop esp                            ; restore ring-0 esp
    push offset Ring3
    retf                               ; back to ring 3 at Ring3
Ring0CodeLen = $-_Ring0Proc

Ring3:
    invoke GetCurrentThread
    invoke SetThreadPriority,eax,THREAD_PRIORITY_NORMAL
    ; invoke VirtualUnlock,Entry,seglen
    call @f
    db "ZwClose",0
@@:
    push NtdllMod
    call GetProcAddress
    push hSection
    call eax
    mov eax,TRUE
    ret
ExecFail:
    xor eax,eax
    ret
ExecRing0Proc endp

main:
    assume fs:nothing
    push offset MySEH                  ; crude SEH frame: any exception just exits the process
    push fs:[0]
    mov fs:[0],esp
    mov OldEsp,esp
    mov ax,ds                          ; Win9x? (DS would be an LDT selector)
    test ax,4
    jnz Exit1
    invoke ExecRing0Proc
    .if stIDEINFO.wNumCyls
        lea esi,stIDEINFO.sModelNumber
        mov edi,offset szModelNumber
        mov ecx,sizeof stIDEINFO.sModelNumber
        rep movsb
        lea esi,stIDEINFO.sSerialNumber
        mov edi,offset szSerialNumber
        mov ecx,sizeof stIDEINFO.sSerialNumber
        rep movsb
        lea esi,stIDEINFO.sFirmwareRev
        mov edi,offset szFirmwareRev
        mov ecx,sizeof stIDEINFO.sFirmwareRev
        rep movsb
        movzx eax,stIDEINFO.wNumCyls
        movzx ebx,stIDEINFO.wNumHeads
        movzx ecx,stIDEINFO.wSectorsPerTrack
        movzx edx,stIDEINFO.wBufferSize
        invoke wsprintf,addr szBuffer,addr szIDEInfo,eax,ebx,ecx,edx,\
               addr szModelNumber,addr szSerialNumber,addr szFirmwareRev
        mov eax,offset szBuffer
    .else
        mov eax,offset szErrInfo
    .endif
@@:
    invoke MessageBox,NULL,eax,addr szTitle,MB_ICONINFORMATION or MB_OK
Exit1:
    pop fs:[0]
    add esp,4
    invoke ExitProcess,0
MySEH:
    mov esp,OldEsp
    pop fs:[0]
    add esp,4
    invoke ExitProcess,-1
end main
[This post was edited by the author on 2003-11-2 18:14:02]
bigfoot (this user has been deleted)
#2 | Posted on 2003-11-3 16:22:00
Heh, the ExecRing0Proc part of this program is really clever: it first obtains the GDT, then builds a call gate so that the program goes from user mode (ring 3) into kernel mode (ring 0). Once in kernel mode it can do anything it likes to the system without restriction. This really is the work of an expert; I'm deeply impressed.

As for reading the hard disk serial number, that is merely one I/O application in kernel mode.

Actually, under NT/2000, to read the disk serial number you only need to open the \\.\PhysicalDriveX device (X: device number 0~26) and then read it with DeviceIoControl(); there is no need to take the long detour through ring 0.

This program could also be written in C, although a few assembly instructions would have to be embedded in the middle, such as sgdt GdtLimit.
Still, writing it in C is more convenient. For example:

    call @f
    db "ZwOpenSection",0
@@:
    push NtdllMod
    call GetProcAddress
    mov ebx,eax                        ; ebx = ZwOpenSection
    push esi                           ; esi -> ObjAttr
    push SECTION_MAP_READ or SECTION_MAP_WRITE
    lea edi,hSection
    push edi                           ; edi -> hSection
    call eax

In C, a single line is enough:

    ZwOpenSection(&hSection, SECTION_MAP_READ | SECTION_MAP_WRITE, &ObjAttr);

So knowing assembly, and then programming in C/C++, is the shortcut to becoming an expert.

[This post was edited by the author on 2003-11-3 16:46:50]
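Both the swap loops in the posted program (lodsw / xchg ah,al / stosw over the IDEINFO fields) and the DeviceIoControl route bigfoot recommends end with the same 512-byte IDENTIFY DEVICE block, so here is a C parser for that block as an added example (not code from the post or from its author): it does the per-word byte swap, trims the space padding, and verifies the word-255 integrity byte that the asm never checks. The sample block is constructed in make_sample_identify and is not data from a real drive.

```c
#include <stdint.h>
#include <string.h>

#define ID_BYTES 512   /* IDENTIFY DEVICE returns 256 words, like the asm's rep insw */

typedef struct {
    uint16_t cylinders, heads, sectors_per_track;  /* words 1, 3, 6 */
    char serial[21];                               /* words 10..19 */
    char firmware[9];                              /* words 23..26 */
    char model[41];                                /* words 27..46 */
} ide_info;
static uint16_t id_word(const uint8_t *buf, int w) {
    return (uint16_t)(buf[2 * w] | (buf[2 * w + 1] << 8));
}
/* ATA strings hold two chars per word, first char in the high byte, so after an
 * x86 insw every word is byte-reversed (the asm's xchg ah,al); padding is trimmed. */
static void id_string(const uint8_t *buf, int first_word, int nwords, char *out) {
    char tmp[40];                       /* longest field (model) is 20 words */
    int n = 0, start = 0;
    for (int w = 0; w < nwords; w++) {
        tmp[n++] = (char)buf[2 * (first_word + w) + 1];
        tmp[n++] = (char)buf[2 * (first_word + w)];
    }
    while (start < n && tmp[start] == ' ') start++;
    while (n > start && (tmp[n - 1] == ' ' || tmp[n - 1] == '\0')) n--;
    memcpy(out, tmp + start, (size_t)(n - start));
    out[n - start] = '\0';
}

/* Word 255: low byte 0xA5 means the high byte makes all 512 bytes sum to 0 mod 256. */
static int id_checksum_ok(const uint8_t *buf) {
    uint8_t sum = 0;
    if (buf[510] != 0xA5) return 1;     /* older drives leave the word 0: nothing to check */
    for (int i = 0; i < ID_BYTES; i++) sum = (uint8_t)(sum + buf[i]);
    return sum == 0;
}

/* Parse one 512-byte block into *out; returns 1 on success, 0 if it fails integrity. */
int parse_identify(const uint8_t *buf, ide_info *out) {
    if (buf == NULL || out == NULL || !id_checksum_ok(buf)) return 0;
    memset(out, 0, sizeof *out);
    out->cylinders = id_word(buf, 1);
    out->heads = id_word(buf, 3);
    out->sectors_per_track = id_word(buf, 6);
    id_string(buf, 10, 10, out->serial);
    id_string(buf, 23, 4, out->firmware);
    id_string(buf, 27, 20, out->model);
    return 1;
}

/* ---- constructed sample block (made up here, not data from a real drive) ---- */
static void put_string(uint8_t *buf, int first_word, int nwords, const char *s) {
    size_t len = strlen(s);
    for (int i = 0; i < 2 * nwords; i++) {          /* space padded, byte swapped */
        char c = (size_t)i < len ? s[i] : ' ';
        buf[2 * first_word + i + ((i & 1) ? -1 : 1)] = (uint8_t)c;
    }
}

void make_sample_identify(uint8_t *buf) {
    uint8_t sum = 0;
    memset(buf, 0, ID_BYTES);
    buf[2] = 0xFF; buf[3] = 0x3F;                   /* word 1: 16383 cylinders */
    buf[6] = 16;                                    /* word 3: 16 heads */
    buf[12] = 63;                                   /* word 6: 63 sectors per track */
    put_string(buf, 10, 10, "     WD-TEST12345678");
    put_string(buf, 23, 4, "01.0A");
    put_string(buf, 27, 20, "CONSTRUCTED SAMPLE DISK");
    buf[510] = 0xA5;                                /* valid integrity word */
    for (int i = 0; i < 511; i++) sum = (uint8_t)(sum + buf[i]);
    buf[511] = (uint8_t)(0u - sum);
}
static ide_info sample_info;
/* Build the sample, optionally flip a serial byte, parse into sample_info; 1 = accepted. */
int demo_parse(int corrupt) {
    uint8_t buf[ID_BYTES];
    make_sample_identify(buf);
    if (corrupt) buf[24] ^= 0x01;                   /* low byte of word 12 breaks the checksum */
    return parse_identify(buf, &sample_info);
}
const ide_info *demo_info(void) { return &sample_info; }
```

On NT the same 512 bytes come back in SENDCMDOUTPARAMS.bBuffer from DeviceIoControl with SMART_RCV_DRIVE_DATA (command ID_CMD) on \\.\PhysicalDriveX, the route bigfoot describes, so the parser applies there without any ring-0 detour.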


#3 | Posted on 2003-11-19 00:12:00
Win32 assembly is really great; I've put all my spare time into it.


#4 | Posted on 2003-11-26 19:36:00
How nice it would be to have a machine to try this on. When I was learning assembly I never thought about going to ring 0, and never felt there was any need to.
Now that I have some free time I really want to try it. I've had this article saved at home for almost a year; it would be a shame not to use it. Leaving it sitting there unused, I've almost forgotten what faint memories I had of it. If anyone gives me a computer, I'll shout right away: who's as rich as you?
fyer (this user has been deleted)
#5 | Posted on 2003-12-3 03:31:00
A piece of code from a long time ago.


#6 | Original poster | Posted on 2003-12-3 15:33:00
A long time ago?
No way, this was written by a moderator of the 轻描淡写 programming forum.
fyer (this user has been deleted)
#7 | Posted on 2003-12-24 19:21:00
I've seen it before.
