|
|
我可没这个水平
9 c9 X+ O* U% s# T0 ^4 P8 r.686p
! S7 ]3 r% Q3 K0 W.model flat, stdcall6 i/ \" X& s( F8 u6 r
option casemap :none ; case sensitive" k7 D, Q1 q6 S0 t
; #########################################################################% L M ^; w+ o
include \masm32\include\windows.inc
% y% t2 m# h" P) Xinclude \masm32\include\user32.inc
& w' k( F' c( h0 ^- Ainclude \masm32\include\kernel32.inc$ B8 n+ G( f {: l9 _
include \masm32\include\advapi32.inc( z3 }- `, M8 H
5 ]7 c/ K& u8 I- y2 [includelib \masm32\lib\user32.lib5 J- N0 q* ]' }4 f( U7 s
includelib \masm32\lib\kernel32.lib
! e0 |4 Z; v2 k% V, R F7 Pincludelib \masm32\lib\advapi32.lib* X& N! B! v* x' V% Q
DEBUG = TRUE0 X& Q0 n% Q+ \9 }9 C
( U+ o1 Y, g, Q( N0 MHMODULE typedef dword
) \1 ]/ J$ A K: K: P9 cNTSTATUS typedef dword
" K4 v( e& n( u: BPACL typedef dword
9 P2 E# L9 W7 y& K$ \! |6 QPSECURITY_DESCRIPTOR typedef dword3 d7 B" o; B8 W- A0 }" ]- C
' A6 ] V _* @/ ~) n4 E
OBJ_INHERIT=2
2 n4 X, |, d# F; cOBJ_PERMANENT=10h
" z$ Y. X+ A# F1 DOBJ_EXCLUSIVE=20h
0 n+ |; N: ]; m4 I( `! z. G! MOBJ_CASE_INSENSITIVE=40h
3 g6 H. o1 W* M5 W# J* ^OBJ_OPENIF=80h , l- k' Q9 e3 S0 N+ S4 K- Q$ R* e
OBJ_OPENLINK =100h s' h' a0 G F& F/ B
OBJ_KERNEL_HANDLE=200 * @- B1 R2 J+ I0 L" A) H! b7 K
OBJ_VALID_ATTRIBUTES=3F2h " _ Q& U) H1 {# A7 _3 ~6 H# ?
) J4 b" A6 a% A, h
SE_KERNEL_OBJECT = 6
w5 c. w) S4 ]GRANT_ACCESS =1
# k% G7 y7 ?7 g! w0 O2 XNO_INHERITANCE =0& _3 {0 o7 P: y/ c( p
TRUSTEE_IS_NAME=14 R1 X7 M2 e1 v; H G
TRUSTEE_IS_USER=1
; D* }! n7 J. j. M6 ]7 gSTATUS_SUCCESS =0 5 B& {/ \0 Y# D, L5 F
STATUS_ACCESS_DENIED =0C0000022h
6 Q; N5 k/ ~4 R, C/ _ ?( Q b
- s8 W! v1 r, w. v- m8 s( QSTATUS_ACCESS_VIOLATION equ 0C0000005h6 ^9 T$ Y; C7 \4 ]& z
STATUS_INFO_LENGTH_MISMATCH equ 0C0000004h$ }* P" Y' w. D( b
SystemModuleInformation equ 117 a1 F; P0 Y/ k+ T' B9 s4 L
PVOID TYPEDEF DWORD: \- A& u/ r X
UNLONG TYPEDEF DWORD
. Z1 W7 b0 |0 Z5 |) t' dCHAR TYPEDEF BYTE& w4 o4 k: V T# } }8 u; }+ {
% p; Y5 X$ P$ U" ]UNICODE_STRING struct & d3 j9 e5 n; z
nLength word ?
1 W& v. u9 s9 e MaximumLength word ?
1 ~- a; ]* [, Q, T Z Buffer dword ?
( s6 _& k+ r e+ `2 }% fUNICODE_STRING ends
: I# o4 t# N8 N5 z7 ~6 b# x# o2 O1 b) ?" W+ n- }
OBJECT_ATTRIBUTES struct
4 s2 l0 D" J Y2 Y% \5 |8 ], ]5 M nLength dword ?
% e: G% I# b6 q' |, g; c RootDirectory HANDLE ? & x; p9 Y* D! r( n& x
ObjectName dword ? UNICODE_STRING
# e) H* @1 F3 w& R5 e! t! x& v Attributes dword ?; ( L/ F$ Q, E8 W/ s$ s6 e
SecurityDescriptor dword ?; PVOID // Points to type SECURITY_DESCRIPTOR
' n( |7 O; P. s, v9 Y$ S SecurityQualityOfService dword ?VOID // Points to type SECURITY_QUALITY_OF_SERVICE
7 a- Z0 a/ Z0 c" f5 X+ ~OBJECT_ATTRIBUTES ends
/ i. \3 J2 `, e& u2 w$ O" u3 C" {
8 C- O3 e1 y: d. z+ g
" C6 W+ O5 j- CTRUSTEE struct
2 n0 \% s2 }! X3 g2 ?1 \- \ pMultipleTrustee dword ?TRUSTEE
7 t: q# k! L$ {: t MultipleTrusteeOperation dword ?; MULTIPLE_TRUSTEE_OPERATION
) r) F( b/ J1 C* l TrusteeForm dword ?;TRUSTEE_FORM8 ?8 W% V; a) c
TrusteeType dword ?;TRUSTEE_TYPE 8 I( `7 J2 K7 L9 _9 j5 z# u0 R
ptstrName dword ?;LPTSTR % j1 ^: d/ t" A6 {: f0 @% U
TRUSTEE ends& R! W: @$ x' l0 {: y
7 z* Q5 G5 a# `' t. l" ~& o* ^# Y2 x2 I4 A
EXPLICIT_ACCESS struct O, k- r, j) a
grfAccessPermissions DWORD ?
7 r4 k" I( \; f grfAccessMode dword ? ;ACCESS_MODE / p L% T- R2 U% z: y* I9 z
grfInheritance DWORD ? ;
# I) ]8 I, s9 f: M8 ^3 Y% `* X Trustee TRUSTEE <> ;! O8 g' {% f' K! J! s* H6 ?
EXPLICIT_ACCESS ends
/ n0 V# G1 o( v- V" l& W
0 k9 n# I8 M4 e& ^& J: ~MyGATE struct ;门结构类型定义
6 P8 k, |- D+ V( y) l0 L OFFSETL WORD ? ;32位偏移的低16位
" h% s$ U/ x [* m SELECTOR WORd ? ;选择子" ?" v0 e* g. a' O! v4 S# O
DCOUNT BYTE ? ;双字计数字段0 Z: f$ g7 T1 W9 |' I* u0 R! T( {
GTYPE BYTE ? ;类型0 `8 O3 O/ [) C7 z# \( ?; y) P
OFFSETH WORD ? ;32位偏移的高16位
3 C4 _1 `% g, O5 @/ e' C4 sMyGATE ends
0 N2 j: q/ J) \/ d* C& H; m; t7 n& Y* G0 Z6 u, y
IDEINFO struct8 I% d/ v! r' P& p) P+ Z
wGenConfig dw ?
8 r* }5 n. A' V+ A% j# _- zwNumCyls dw ?;拄面数5 I" m# G1 o" \4 k3 c8 v
wReserved dw ?
* g5 d$ r2 \( q7 r$ ?: d ywNumHeads dw ?;磁头数2 D$ q$ b# o& `4 N; G
wBytesPerTrack dw ?;每道字节数5 W: n" m3 E8 C! u
wBytesPerSector dw ?;每扇区字节数. z% Q/ q& Z; f5 }5 |5 y
wSectorsPerTrack dw ?;每道山区数8 f( p) O: k' M6 R& u
wVendorUnique dw 3 dup (?)0 @. m2 R, y- Y* [. G/ p
sSerialNumber db 20 dup (?);硬盘序列号* a K0 g# I8 [/ ?$ y. k9 W* D- L
wBufferType dw ?;: t' s7 Y9 {3 ]6 x/ |) M; |
wBufferSize dw ?; ;n * 512. m: j G# A( I2 ^& ?
wECCSize dw ?' z' v6 n: w d& w
sFirmwareRev db 8 dup (?);7 |% R F: C; ~
sModelNumber db 40 dup (?)7 R! |' X" [% A/ {1 w* R
wMoreVendorUnique dw ?
, X3 l; j j. E7 K$ n" FwDoubleWordIO dw ?5 b% R6 h! Z3 t! k' {8 W- {" @
wCapabilities dw ?
) Y5 y: n+ o$ QwReserved1 dw ?- T# @/ f) G1 ~* {* D( P
wPIOTiming dw ?;
$ t" X3 r$ S# Q# x; awDMATiming dw ?;* d) G( P" b: E2 D% ^, p7 b
wBS dw ?! Z4 x( S2 P- ]9 Y
wNumCurrentCyls dw ?;8 A& Q$ G! a% a. l2 u
wNumCurrentHeads dw ?;$ a( Q' b2 G& K7 ]7 g( ^* h8 |3 D2 T
wNumCurrentSectorsPerTrack dw ?;
6 k" u6 L' q- R# e+ `; i4 [0 ZdwCurrentSectorCapacity dd ?;! I8 \. @8 F9 s- _ p
wMultSectorStuff dw ?;, y3 @* z1 W% [" w. g
dwTotalAddressableSectors dd ?;
* r& l6 w% Q( S" |! m6 h( c& T( mwSingleWordDMA dw ?;
; |8 P4 ^- V9 s6 e7 i. `4 K" ~wMultiWordDMA dw ?;( X1 \+ i9 x9 ^! H Q
bReserved db 128 dup (?)
% R# i0 c, {: S- n7 \4 V2 A% xIDEINFO ends5 t& c: s3 h; Y7 I/ w
% j5 C- `% H: U# [2 @' q
* I# K x' t4 n1 [
SetPhyscialMemorySectionCanBeWrited proto :dword
4 t# {, h' C7 r4 E2 ~4 _2 f+ |MiniMmGetPhysicalAddress proto :dword
8 K! h+ i) u3 Y/ m* `1 X, |
7 w6 ^0 L* P0 \" I1 B2 h: q/ DENTERRING0 macro
2 H: V; [( S: ]9 H/ S# Rpushad
# Z2 c9 ]5 d* _5 mpushfd
* E/ J+ X- O/ [cli5 `, n! N+ U$ ^: x
mov eax,cr0 ;get rid off readonly protect% Z7 J- W2 p0 S: q
and eax,0fffeffffh
; ~) ?! U; K' P/ P, C j/ Jmov cr0,eax0 K& B9 q- w( K8 B9 K5 b: O. Y
endm
1 U" \/ e; v! F# r
/ B8 r9 [5 w/ t! E' U# `5 }9 tLEAVERING0 macro. r' [) h8 f9 D+ g8 L/ o
mov eax,cr0 ;restore readonly protect# f1 e( |! m3 s5 }. d4 n8 ?
or eax,10000h
; t6 C) ~3 ? x: q8 {4 d$ kmov cr0,eax v d: M1 ?% t' a6 R
sti+ z2 U1 C- \# ^
popfd b. P' @; j C7 z+ y. N
popad
; M- f3 M+ S4 e6 m& ?& t7 L* Cretf
2 s ^/ U6 J& o$ X# O+ W- z tendm4 W( o: }* B( T1 |
; r; @8 \1 X* f% K2 p# E7 \
7 Z N; B: _' j" q
UNICODE_STR macro str
# }7 x5 i5 i! F) k0 tirpc _c,<str>6 Y" c$ I* q! T/ x+ Q* o# I' g# x# N
db '&_c'2 n+ u+ @' v1 f4 o" v
db 0
9 V' z. X* ?/ p& T4 Q A+ dendm5 e: ~5 H; @6 q/ @. A. v
endm9 C; i& _" J$ B6 d& Y
3 s! m# {3 m- i& _.data?
( \1 ?- f2 H* n5 x/ u' R- D8 `GdtLimit dw ?' V2 f8 \, c4 D& L9 e0 t/ w
GdtAddr dd ?; t; l) v0 a0 K
2 g |% G% ]8 n' Z/ }
mapAddr dd ?1 `; T# Z$ L( C) X% H
OldEsp dd ?
& ?$ T) O+ P% w9 [, }+ t$ h @3 [; v8 Q9 k, ?; P' I5 ?. c
readed dw ?
! \, H+ F$ j) I6 C/ Gbuffer db 512 dup(?) r) v, |! I4 F8 D7 `
ShowText db 512*3 dup (?)/ M1 J4 ?2 n: L
' ?, \9 k! H1 Z+ vszBuffer db 1024 dup (?); u) V1 g; }# [9 r6 M6 ?0 S3 U1 p. g
szModelNumber db 41 dup (?)# \6 j& n- k" h6 J) d. L' ?1 R
szSerialNumber db 21 dup (?)( e X1 @6 q# O1 y& p
szFirmwareRev db 9 dup (?)
! @. ]; z$ x5 k- J* u i! A
7 g+ M% ]% g* E0 ^6 OstIDEINFO IDEINFO
5 Z# ~8 Y9 g% s' o" B1 ?, |* A1 ]2 X3 C' w m$ v
.data
$ }: s- {2 M$ u$ }9 H' jalign 4
& m+ \) u7 @( @) O7 D6 l2 yobjname dw objnamestr_size,objnamestr_size+2
+ I1 _% Z4 O( G; M# hobjnameptr dd 0
0 ]1 ~3 q5 u, a' T6 q# c4 j' mobjnamestr equ this byte
: B& G. c+ Z: _/ ?UNICODE_STR <\Device\PhysicalMemory>
$ H+ F" A8 Z5 d: k3 ]0 ~objnamestr_size equ $-objnamestr
5 _3 ~$ Y( a; F; d. I9 D' a' O& j3 m7 ?
szTitle db 'IDE 硬盘信息',0
2 C7 J2 h+ }) i( rszErrInfo db '无法读取硬盘信息',0* \ L% P; b/ _ }1 p3 Z
szIDEInfo db '柱面数 : %d',0dh,0ah
# l6 L7 x- d7 x; ` P0 ] db '磁头数 : %d',0dh,0ah6 O" Y5 S! J) q, m) z
db '每道扇区数 : %d',0dh,0ah& t9 D0 A4 m- x# Q% Y" |
db '缓冲大小 : %d 扇区',0dh,0ah
1 L1 D1 ]9 B2 F) H% N2 v0 s( v db '硬盘型号 : %40s',0dh,0ah$ x3 \; h3 m* ~9 G8 P
db '序列号 : %20s',0dh,0ah
6 ?/ } H6 R! R! P( f0 }# l db '版本号 : %8s',0
' ` P$ ^/ }$ b" q, B
1 X4 @% T$ t, balign 4
: Y5 W7 s5 |, R. b; |' kObjAttr db 24 dup (0)1 `( X( A- V9 i6 h* N/ j8 F
" Q% T& K. m! S1 Q7 u
Callgt dq 0 ;call gate's sel ff3 N3 q0 O: j7 G" J
Caption db 'Windows XP绝对磁盘读写',0
* S- `+ l8 k2 x8 B( J, wDigit db '0123456789ABCDEF',0
$ D: r c* @* K.code
, Y/ a* u) ~7 b& i: Z- X_ShowBuffer proc ;显示所读出的信息# e/ n5 _/ R$ w
;把数据转换成16进制的形式% J# w' ]3 r, h
mov [readed],512$ V) s# F( o0 W/ m- k
mov esi,offset buffer ;数据
! c' n; ]1 C- R# t mov edi,offset ShowText ;转换后的数据( X3 J) [+ S J) F9 v3 M) P& N
mov ebx,offset Digit
$ y" ]- a* f m p) U5 i4 K; { xor ecx,ecx
1 s, E, k( H# E0 z8 _" }; T xor eax,eax- q, Q( D) Z; S- K+ [; u
computeAgain:( g8 u; L6 \5 x3 t. G) Y" V4 k
cmp [readed],0* s3 _/ I& D H
jz endCompute
/ x1 N" w2 n# u6 ^6 l dec [readed]5 t; y) h) I7 ?- |3 ?& @' F
lodsb Y8 @" E+ O. l b
push eax
* ^) P" e- o; V0 C% [7 d. S shr eax,4 ;高4位
* \( ^% i: c8 J xlatb
+ G: n( f3 \, p A0 B5 Y! h, \! @ stosb
2 n! _7 ?7 L2 x1 D& d pop eax
; ~- w7 p8 A; f; W, U$ v and eax,0fH ;低4位9 n% ]+ _1 N. E8 d
xlatb
% t c/ k% i( i, f2 K5 W: R g8 @! y stosb
( W0 \4 u4 D4 o/ v/ j2 I8 c- Z mov byte ptr[edi],' ' ;空格
$ n! }3 {/ x4 i: B* q inc edi9 q4 L& D3 O& I( L8 j
inc ecx
$ q; b7 {( t) G G$ ` cmp ecx,16# O5 f0 J4 H9 s8 G8 m: g
jnz computeAgain( ~8 E6 W/ @: U$ ~+ Q( i* R
xor ecx,ecx1 ?- _. ^7 k) X. |& C3 R
mov byte ptr[edi-1],13 ;回车
$ r) L3 ~& k8 x' z! r2 a) Z jmp computeAgain
# b- H3 U+ W/ Y1 P8 L) E3 lendCompute:
- r! U4 q* T) b1 L% h! E1 j ;显示- M0 G% o- }* V7 _) I/ M( D
invoke MessageBoxA,NULL,offset ShowText,offset Caption,MB_OK
% R3 G/ e0 s( K( A' \ ret
. U, m: m* K' d4 {( Q& ? k% p, Y2 K_ShowBuffer endp
: v9 [4 L8 G2 }2 B. Q; m a2 I0 [6 a- {. M
SetPhyscialMemorySectionCanBeWrited proc uses ebx esi edi hSection:HANDLE 4 {1 F; ]1 ^+ H
local pDacl: PACL 6 }' g* d! H9 N1 ^1 G
local pNewDacl ACL
3 b% X' H1 a7 N% S) F6 H: Plocal pSD SECURITY_DESCRIPTOR . [( V' J5 u2 _1 @( r
local dwRes:DWORD ;
" i/ b \: H( E( wlocal ea:EXPLICIT_ACCESS ;) X# D0 p# l% u- Q1 z. T5 g
invoke GetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL, addr pDacl,NULL, addr pSD
9 C# s' m" q( C$ {: [$ ~cmp eax,ERROR_SUCCESS4 O# c* P+ g ^; q. U
jz @f9 x* H/ x3 `; B) v3 x. j H P2 ^3 R
jmp OutSet
z. I. g% w: B* _@@:
& @; N3 g' J7 R S! g9 pmov dwRes,eax
& [7 k4 p( Z5 i- mmov ea.grfAccessPermissions ,SECTION_MAP_WRITE;2
3 B3 E+ o" l. l. l2 D3 E2 Umov ea.grfAccessMode ,GRANT_ACCESS;1
9 ?) F/ @/ X: t$ @. X) cmov ea.grfInheritance,NO_INHERITANCE;09 W! E* U E6 r! |5 Q/ p- x( x$ Q
mov ea.Trustee.pMultipleTrustee,0
& g( I7 W7 L" L/ @; a* omov ea.Trustee.MultipleTrusteeOperation,00 h/ k! b2 M1 u2 Z/ D8 B
mov ea.Trustee.TrusteeForm,TRUSTEE_IS_NAME;14 Z, L# [, V* G, f& k
mov ea.Trustee.TrusteeType,TRUSTEE_IS_USER;1) u" p+ ^+ z J0 f
call @f1 ], b% _7 L6 C$ _! u& T7 d$ c
db "CURRENT_USER",0 u) a: t2 ]" n; |; M
@@:/ l2 ~4 A: X9 y
pop edx
. h$ Z5 P+ U+ K# [( `) Q1 hmov ea.Trustee.ptstrName,edx7 p) H( r D G0 z; W
invoke SetEntriesInAcl,1,addr ea,pDacl,addr pNewDacl% x: A; J1 B0 b. ^; r i1 G
cmp eax,ERROR_SUCCESS$ Z0 G* }, ~ f4 Q; T8 |* U
jz @f
( |7 U/ J% O4 g1 v2 |$ n) @9 qjmp OutSet m1 `' a% N/ F
@@:
) @: H. {6 e Q/ k9 V" U% Kinvoke SetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL,pNewDacl,NULL9 y, U3 n2 x# t3 O7 a
OutSet:
- }0 l- k4 I: E( ]6 y7 d* ?cmp pSD,00 O* c" p9 e4 j, L
jz @f) a8 \ p5 F& R6 b) Z. \
invoke LocalFree,pSD
: v" y1 b, i8 l2 J8 T) t@@:# I! H2 M6 K$ H6 w
cmp pNewDacl,00 H# h4 c3 Q: D8 w! a R
jz @f
: r2 g) s! Z, o* I! x* S9 qinvoke LocalFree,pNewDacl
+ q* ]4 J0 }" n@@:/ I1 R1 o7 Z0 Q* ^. o
ret
% H4 x/ |. p" ~SetPhyscialMemorySectionCanBeWrited endp, q' o2 n/ N( |! ^3 {9 r5 S6 B8 ?
% r% w, `5 C9 o4 ~3 ^MiniMmGetPhysicalAddress proc virtualaddress:dword
d2 h9 k& }5 g3 L mov eax,virtualaddress
) t6 ], {+ c6 ^; }3 C5 G cmp eax,80000000h$ T) ?. y! u1 ?0 r/ H
jb @f
% s7 w' m" T: E) s! v( Z8 U cmp eax,0a0000000h4 P G) f: O8 ^# `6 H
jae @f
! l" F# f8 [. _7 G0 F" c3 r1 ~* x, A and eax,1FFFF000h! r# e& }3 M4 H' G2 q& X
ret+ y0 C. N: M3 U, L g/ t
@@:
& `; W2 X& ]3 `3 h$ t mov eax,0( L) R7 g9 }& P2 J. m! T
ret
. y# n/ ?9 v- d6 N% b% i- e' O. KMiniMmGetPhysicalAddress endp
; {" e5 {; Q+ c
% d! u1 {/ f0 y+ U& H6 K; k% iExecRing0Proc proc # t s2 Z7 ]5 ^% x/ x9 Q, o* u
local tmpSel:dword
0 W/ b6 {4 |+ [/ Elocal setcg:dword
0 `. t8 A3 L* ~$ Tlocal BaseAddress:dword q7 }- m+ b3 w# @: M4 B3 F: ^) H
local NtdllMod :dword
. G3 G& ?" n9 A( F! Ilocal hSection:HANDLE
6 v5 ]% P. ~* `5 r9 _: D# a8 glocal status:NTSTATUS
$ U$ {% l4 i2 x/ V5 i" }: J% Elocal objectAttributes:OBJECT_ATTRIBUTES
2 _$ x) z) V! r6 E1 |local objName:UNICODE_STRING8 y/ m4 I" m9 r" ?5 z2 `, m8 u% Y
mov status,STATUS_SUCCESS;
& m! J/ u5 A6 Q+ J. f9 ~sgdt GdtLimit
+ M0 z7 h9 A- x' Hinvoke MiniMmGetPhysicalAddress,GdtAddr
4 z# o- G2 l2 E% P% I mmov mapAddr,eax; h( |: }, H0 K7 E) p; e
test eax,eax
1 E( z9 b N# p1 u( C% Ajz Exit1# Z# z- \9 Q, a9 d9 C
call @f
8 I$ G& ?- `" _0 hdb "Ntdll.dll",0
+ R ?0 \" x+ V( Y! k6 y |@@:5 s$ g# |8 [& ~+ v j
call LoadLibraryA
3 g6 B8 I. C v- F0 G Cmov NtdllMod,eax1 @# W5 q) H, i- X7 k/ x
& |/ W9 d/ B, N& g2 M8 a
lea edx,objnamestr
2 G5 S/ \5 u# T! k/ N Omov objnameptr,edx
) A7 a1 r" r# P4 Q% T: m Ulea edi,ObjAttr
" F8 u. G* z/ Dand di,0fffch ;align to 4 bytes,or ZwOpenSection will fail/ O3 g2 C6 u7 U8 v, I) F9 H. a# W
push edi ;edi->ObjAttr+ w- J2 X9 w% A" I! Y+ v" n
push 24 ;length of <\Device\PhysicalMemory>9 O6 x% G* W! `8 p- f3 j9 ?
pop ecx+ X2 B; X, F c3 @7 p
push ecx
- E6 m9 O. {8 K1 N4 f9 U2 [xor eax,eax
3 z4 J$ b4 g" h1 F$ vrep stosb ;put ObjAttr with 0, {- `0 v' j# h4 p8 Y- Y, }
pop ecx
c* n: J" e" f. j( ~pop edi; x# S1 ?0 M; X6 | Z; H' t, m. _+ C5 z
mov esi,edi
* ~6 r. a7 j+ Z: V# kstosd+ K7 o* ?1 ?( Q1 N/ I
mov dword ptr[esi],ecx
: m7 b$ N1 Q9 f# P$ K( b% tstosd y8 P2 [2 d' } J% y
lea eax,[edx-8] ;eax->objname
7 v# R4 f; o; estosd ;ObjAddr(18h,00,00,00,00,00,00,00,offset objname,40,02,00,00,dd 2 dup(0)
u L! Q+ p1 g4 Imov dword ptr [edi],240h. b+ `$ d. G& C5 Y+ H6 S2 u# v
' h: W& r0 R6 Ecall @f
; M( l4 i$ P9 i7 `, cdb "ZwOpenSection",0
* V* s) x. d6 w0 y9 v@@:% h9 \6 X" k7 G" r0 r
push NtdllMod% h" M1 @1 p" ]8 | z6 y& g( G
call GetProcAddress) n6 F8 r/ h5 u% J) x% L- R
mov ebx,eax ;ebx=ZwOpenSection
5 R* t& g8 |/ E5 m0 ^, u1 x a2 d* R
push esi ;esi->ObjAttr' u& y, Y. ]; m3 F$ K/ f1 z3 j
push SECTION_MAP_READ or SECTION_MAP_WRITE# h# `7 t# T4 U
lea edi,hSection
7 p9 ^# Y3 w- f, f& a% p2 H0 |( hpush edi ;edi->hSection
% x4 [) S& s2 k3 v! ~7 ?+ icall eax ;ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr)
" A. l% J; C. s' A0 H; g. L/ R+ Z" T6 ?0 Q1 N9 L U1 \
mov status,eax' r9 \+ v& A1 D' z8 q5 T. O( ]" t t
cmp status,STATUS_ACCESS_DENIED; n3 h; Q9 N! R/ E5 D) k
jnz AccessPermit
5 K2 \% W, D6 ?7 C' X( ^6 @mov eax,ebx6 Q) Z2 P) d- G; Z# K" h9 K
9 q7 b7 W# V+ [7 P+ |* Jpush esi
* r; L3 G6 Y7 [" `$ Kpush READ_CONTROL or WRITE_DAC 7 f# a* D4 N6 a. ]& A3 F d
push edi
9 ]$ O+ T" Z" \& gcall eax
7 b6 [8 _% f0 S( L! ]/ W
! |" u- w- D% fmov status,eax
7 l, F, D8 U% Cinvoke SetPhyscialMemorySectionCanBeWrited,hSection
1 u b+ V/ w3 p7 y @1 J
8 m3 C8 T, z( \6 `9 M# m/ T: pcall @f' X8 G+ A) M/ S5 L1 ^" N& U
db "ZwClose",0
% c( G4 S b& B3 k, N4 i@@:( E8 _7 X% ?9 ^0 m8 B9 H* k- ]; M
push NtdllMod' P3 @) x& l0 E3 h6 ^
call GetProcAddress
- g$ K v2 U: I. {$ Y
8 Z8 h+ W" Q8 A: g- ]push hSection5 X2 Y' |7 J' D+ T& T
call eax ;zwClose hSection/ g" k& \# Y% H0 H! W
3 \$ U9 _ q1 G: G! M' imov eax,ebx
# z4 t2 H) p% k
2 c( Z y1 F, [! j/ d! epush esi
; K# T* P& e- w- R, T& e+ dpush SECTION_MAP_READ or SECTION_MAP_WRITE
2 G% ^% s" I- D3 M1 {: jlea edi,hSection. e0 H, ?* i) R; c
push edi 3 t# M+ |3 t" }
call eax
" Q+ x, D0 n. b$ Y7 o9 wmov status ,eax) \) h/ o. I6 F+ \2 F/ q
;status =ZwOpenSection(&hSection,SECTION_MAP_WRITE|SECTION_MAP_WRITE,&objectAttributes); 5 E/ W- L4 H5 Y9 o- k2 q" t' o
AccessPermit:3 b% |, C, ]" b2 J( ~4 N* @4 ]
cmp status ,STATUS_SUCCESS
. {1 m/ x G5 y% t& ~' @0 ?jz @f& c# j8 Q3 p* k1 Y& M& e
;printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status);
( p; _5 \! A8 r. c. G1 A;return 0;
" X& D$ I; c. @1 e7 }mov eax,0
: R T K r$ x7 {) n( cret+ B6 w9 O+ }5 I9 ^8 m5 P
@@: ; @+ v' A7 f3 Q' h
movzx eax,word ptr[GdtLimit]) e2 N4 d7 b3 [: x7 U- v1 U
inc eax
& J6 l' v! H, x: U1 H, S( A. {invoke MapViewOfFile,hSection, FILE_MAP_READ or FILE_MAP_WRITE, 0, mapAddr, eax , b6 K7 Y6 |! Q( p$ W) q
mov BaseAddress,eax+ G* m0 z+ s7 X& M' g) i' q
cmp BaseAddress,0( D7 Z' z7 ^; x8 \3 j9 J0 g- j9 r
jnz @f# W' P# b; `2 t, ^
;printf("Error MapViewOffile:"); 1 I% R( `/ Y5 u0 x% P7 B& m" c
rintWin32Error(GetLastError()); return 0; / t$ t3 e+ | F; e! r9 v
mov eax,0- W, S. \" {) r! ~) I/ m m
ret: x$ D- Z$ ~! h/ T5 O6 f; g8 `3 I+ ~
@@: 1 ~4 K6 G: O/ u( o& H
mov esi,eax ;esi->gdt base9 J3 L1 p4 S) Z# A
mov ecx,3e0h( o/ S4 I# ]2 g! D. O
mov eax,GdtAddr
; @! h: M9 g; y.if dword ptr [esi+ecx+2]!=0ec0003e8h
5 V# \& j- u, a2 {0 X7 ymov byte ptr [esi],0c3h
( J1 ?( f6 e# k* F8 k: f9 s$ w" F! R
mov word ptr [esi+ecx],ax
! v0 }) `9 J+ T9 ^shr eax,16 q* l9 C( Z2 A4 O6 j' z4 C: [: y9 r1 \% }
mov word ptr [esi+ecx+6],ax
( e3 T. v0 N9 j' D. J4 t! Umov dword ptr [esi+ecx+2],0ec0003e8h. i( T5 M1 r `7 K4 |
' Q/ |' @0 n2 i7 Hmov dword ptr [esi+ecx+8],0000ffffh
* x$ r7 x$ O% ] G% r! _! |; Lmov dword ptr [esi+ecx+12],00cf9a00h v% J! r8 P- d% U. H8 i
.endif8 K5 D- m0 j8 U: Z
, J, r# f! Y6 ~/ c
mov setcg,TRUE% P, V' W- w; O8 t' r3 C; P* r
cmp setcg,00 S, B; z/ [& `3 s1 }( U" A
jnz ChangeOK7 @) M1 {, F* e
call @f6 H% j% C6 U3 w2 h
db "ZwClose",0
# W( N; Y6 A0 G9 L: q! H3 w@@:
% M% X) M) X q* M8 npush NtdllMod
3 ?( ?7 d- ?2 W7 x/ H# acall GetProcAddress# G* y# [! G: U6 r! J
push hSection J; b. \6 `/ u. Y) d4 R
call eax
- |" J7 D" t- m& A2 @( z( h4 Bxor eax,eax
$ h; U9 p, X1 P! Z# zret4 c9 o; ?$ y7 s, R4 H
ChangeOK:
( D* O- |+ {2 {- gand dword ptr Callgt,0 7 m: z1 o( i" K, \" K/ c* L; d# d" z2 o
xor eax,eax
3 V+ j" Q( C0 i" P; }- O8 ~1 Vmov ax,3e0h
( Z. W8 K$ R7 Ior al,3h+ G2 C: `6 Z0 I% V0 B1 T
mov word ptr [Callgt+4],ax " J& P* r6 l3 l0 f4 n @
;farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate;
$ O* g r- n8 M/ U6 D6 L' ~ flea eax,_Ring0Proc! y% j' z* S( N+ }6 @- F
;invoke VirtualLock,eax,seglen
' f% @8 a0 |5 }6 l" ^test eax,eax- e/ V( ?* A3 V
jnz @f
9 v& R7 L6 M3 ^' Cxor eax,eax
+ M+ I, ^1 [3 m6 Q. u8 ]) gret$ ]) u9 A" Z5 i$ X; T7 w
@@:
2 B" [5 B$ I& @0 jinvoke GetCurrentThread
; J# z" Q8 A' k4 G0 \invoke SetThreadPriority,eax,THREAD_PRIORITY_TIME_CRITICAL
( N, M: y. c0 Z: z* f( ?9 Y# h7 Z. A4 q& q+ m
invoke Sleep,0 4 o" W2 K2 O7 q0 j4 }
call fword ptr [Callgt] ;use callgate to Ring0!
: @/ b& b) Z; S/ i, h# {4 l5 j5 d;_asm call fword ptr [farcall]# D% a( p* V- g
_Ring0Proc: ; Ring0 code here..
9 K1 @& m$ a- fmov eax,esp ;save ring0 esp3 @* ?0 c) n7 R; U1 K. u% ?+ z% H
mov esp,[esp+4];->ring3 esp% [/ O2 e4 m u
push eax
' J; R" P6 _! Q- t+ [: M* c; [( v mov ebx,offset stIDEINFO0 D4 m+ O5 u ?
assume ebx:ptr IDEINFO
4 q4 B3 T2 O$ ^. a;********************************************************************% b$ B' Q* m0 f/ A7 q: m5 s
; 等待硬盘就绪) T# g: e4 I @
;********************************************************************; `2 D2 K* D9 {$ X0 y H% D7 j
mov ecx,10000h
9 {. Z: }. E" S) \ mov dx,01f7h
; t. Z: F: r: r1 f( ^+ R! f4 K @@:
3 \) Q F' }$ N# }2 e2 y in al,dx
5 c: j0 N/ r! p4 k cmp al,50h- }; A# W3 } d5 B, u6 M
jz @F
" D9 U7 u' u$ l( L0 M loop @B
5 f: V4 z) H- D& ^) w% s" Z jmp _II_TimeOut9 r5 Y; G/ x: @( |" D
@@:9 k G: l! p. a0 G( U* J' ^
;********************************************************************& R9 M" Z( H6 z
; 发送命令
1 |5 u2 k" Z, q: C/ {- @; 如果向主控制发送命令,则端口为 1f0h-1f7h
) d6 V$ ?1 i# w5 ?2 p/ j8 x; 如果向副控制发送命令,则端口为 170h-177h; e C8 c0 c A: o
; 1f6h 如果要检测的设备为该IDE接口的主(MASTER)设备,
+ p' O" A5 h( v- x/ F; 那么发送 a0,如果为从那么发送 b00 ?; @" L4 ]5 f J
; 1f7h 如果要检测的设备为 ATA 设备那么发送 ec' \: ]7 T- t" H
; 如果为 ATAPI 设备那么发送 a1- Z& I8 b1 n# @$ i# i
;********************************************************************& K6 G: D; {1 X6 Q
mov al,0a0h ;Drive 0,Head 0. a2 O9 u/ P' F, G. D' f) V9 _
mov dx,01f6h ;Drive and head port
; Q: l. e2 V2 ?% g$ L out dx,al
( w/ |* Q+ e) Q/ @
- f% j. x# F8 r2 U8 \2 t0 ] mov al,0ech & V+ Q; F. }, V0 _. ^ I8 p* X( J
inc dx ;Command port
/ k O& m8 z8 O4 D' s- Z out dx,al# D% j4 \% ^9 v/ K' F) a
;********************************************************************
" X' Y- }) C9 l3 u; 等待硬盘就绪* @6 n2 I' P' y8 R: C$ n/ a1 Z# t
;********************************************************************' x; M& L3 L1 r$ c. P- ~
mov ecx,10000h8 n+ w& Q0 ^9 H0 V( E: R$ \; N
@@:- ~6 C" w! A3 w, [' w. {6 o
in al,dx;1f7 (r-status register)
2 w6 f# ^4 y4 M8 X cmp al,58h;(driver is ready ,and seek complete); y+ i+ p$ u! C, v5 O& I) o3 ~
jz @F; C0 P I4 P" c s% E x8 f$ f
loop @B2 V v* W+ D# H1 b7 F" A$ X: s G
jmp _II_TimeOut- N+ h: Y$ J! X9 J
@@:- o( r3 _, x R
;********************************************************************7 \; F1 e2 }+ r1 L+ \
; 将返回信息读回
# m, {! k' r. U; 注意一定要读满 100h 个字长
b+ B( j/ n5 q4 ]" C" N5 t;********************************************************************$ ]; ]! f" S) z. X0 s
cld _5 s8 m8 z6 ?& j1 o! G
mov edx,01f0h;data port - data comes in and out here5 w+ L W% U @( J+ }# ^' ^. h( F
mov edi,ebx0 @ O8 E0 _: y# C
mov ecx,0100h
9 r; W$ M* K, [! V( N rep insw, ?- K8 h. @9 A7 a/ l+ q5 g* |
;********************************************************************
1 |- }! v1 d" _; y0 R; 返回的信息中,型号、序列号、版本号为字形式" j# K8 t1 h# F" F l( i! M
; 需要整理到字符串的形式1 k: n, P9 o+ q) B" t, N
;******************************************************************** I2 y% G% }# l# \- M
lea esi,[ebx].sSerialNumber( Y4 `6 ~! ]. m$ S( v% z
mov edi,esi
5 C% }- j0 c" K1 A* u) h mov ecx,10
% O) e3 G" Q* Z @@:
! S) O3 D2 o9 i* K" p lodsw1 H. R; r5 H; w& d5 a. @
xchg ah,al
: h- g0 m6 p8 Q$ s& X4 x stosw2 B2 }. K' `! g- y( P' K
loop @B- [9 I1 X/ ? K$ h: i+ x
+ \) [1 P) F0 b: ^0 D
lea esi,[ebx].sFirmwareRev: k( ]8 g6 q3 w$ M: Q" D/ g! u
mov edi,esi( V" P' e( H4 }0 K3 K% r& v* P: {! E
mov ecx,24! R' s! y# k6 b
@@:) E2 v* v8 a, F9 M
lodsw! Q, ?/ d1 n c& x |
xchg ah,al- b6 i6 l2 o4 U6 X' |3 V R
stosw
' ?: r; ]5 `) G0 g5 X loop @B
) M/ k7 ?9 [7 K: Q5 j4 i; j' |& J_II_TimeOut:) W& J+ V& q8 i9 u$ _/ ?8 ]
assume ebx:nothing7 H0 Y2 C: Z0 Z
" H0 J" J0 C$ U" A- z
pop esp ;restore ring0 esp7 e1 v$ `9 X1 @6 m1 U# b' D1 r
push offset Ring3
2 z! Q2 n' v. Y" k5 e5 Eretf' E! y+ d% {& v% f8 }0 x' ~& G" ?2 o
Ring0CodeLen=$-_Ring0Proc
/ R& w2 o; v r' ^4 Q) ?
; T3 E' I5 e4 r; o+ \Ring3:- ?! D4 K1 t( A$ U/ c) [' s) Y
invoke GetCurrentThread
! s$ l) i* F B- rinvoke SetThreadPriority,eax,THREAD_PRIORITY_NORMAL # y) _. w, C0 D
" D1 Y) R, {; g6 w, A
;invoke VirtualUnlock,Entry,seglen $ z5 o3 F( @! ~% A
* r) T" F' |. u9 r! e
call @f( Z/ f% | t: ^& ^/ ^ @# [ \
db "ZwClose",0$ o& l: B' q( |
@@:2 o2 u/ U4 k) M n' F1 u/ \% Y
push NtdllMod
- n1 f% y2 f8 \! ecall GetProcAddress
. N- v" S: b2 ^% \+ hpush hSection
7 G3 }, P5 h; T1 T' tcall eax
7 e9 Z1 D4 G7 H, }" ~# xmov eax,TRUE
( m8 ]# D4 g: p. \ret" K' }; l* X# f7 e1 x* H5 \
ExecRing0Proc endp
8 U- Y1 I5 ?# h9 g" |# x1 M
( }/ d0 W( o7 W! m( jmain:
- [2 g; D) q% a. Oassume fs:nothing
+ R% Q$ i8 V/ J+ Mpush offset MySEH
9 i3 d# b: L4 B- d. cpush fs:[0]3 U5 f$ V3 h( \- d/ a) f( N7 g2 j, h
mov fs:[0],esp
" B+ M' Q$ x, d9 L: d- M# omov OldEsp,esp
" c4 L& R6 W/ g3 f% `: umov ax,ds ;if Win9x?# l. J: Q- A+ r5 T4 A
test ax,4
' }5 V" m; K8 r0 ^& W a: l! |" gjnz Exit1- i! [5 _$ f& [
invoke ExecRing0Proc- M' w$ I2 P' G1 ?
- o* g' m) a* K" g" t$ m.if stIDEINFO.wNumCyls
7 H- O: C- O7 g6 T; w lea esi,stIDEINFO.sModelNumber4 {9 W2 N5 R- l0 p3 s
mov edi,offset szModelNumber
: c& u" t c; z0 J2 G mov ecx,sizeof stIDEINFO.sModelNumber
* o( z% u/ h3 S) b" g9 k- a8 e rep movsb8 E& l+ ?% d+ R" i: n2 ?, A$ w( g
$ n' ]( |1 Z: J7 a t lea esi,stIDEINFO.sSerialNumber
2 K5 P5 l: X) `. |, T5 e3 c" R6 B' y mov edi,offset szSerialNumber
( A7 J6 w# a* L3 J. o mov ecx,sizeof stIDEINFO.sSerialNumber
8 n) f( N; T5 h# Z- w# | rep movsb# T/ s; v4 Y8 T; T! C5 [
( p* G# J5 p* @( P lea esi,stIDEINFO.sFirmwareRev
4 ~- F6 v4 t9 y' B( K mov edi,offset szFirmwareRev
M4 h1 x' E, M2 ^" y6 q mov ecx,sizeof stIDEINFO.sFirmwareRev
6 \: m' u, M7 j* F0 G6 o rep movsb ~4 J2 x9 ?- q# ^+ D$ v! \) H1 y+ u
% A, z; C3 ~+ c: V1 O9 e movzx eax,stIDEINFO.wNumCyls
0 v q3 S* K+ b movzx ebx,stIDEINFO.wNumHeads7 X, N) P: G' O0 d' c1 O' }: G) V
movzx ecx,stIDEINFO.wSectorsPerTrack& [; q4 I; S8 I6 t3 b' E
movzx edx,stIDEINFO.wBufferSize- x9 R* {- l7 A; Z
invoke wsprintf,addr szBuffer,addr szIDEInfo, eax,ebx,ecx,edx, addr szModelNumber, addr szSerialNumber, addr szFirmwareRev
* X& _$ Y2 c n0 P mov eax,offset szBuffer6 \: S0 g+ y+ b8 o. L. C$ ^* x
.else w7 H9 d6 M% g& H& ^& N$ z7 p# U" a
mov eax,offset szErrInfo! M4 t6 k: L) N7 x% x9 Q) ?. F
.endif
/ u4 s3 C/ Z. {* D@@:
7 Z6 B! P2 `2 q, e9 P( Qinvoke MessageBox,NULL,eax,addr szTitle,MB_ICONINFORMATION or MB_OK
& |" N+ L' F% t( MExit1:
; L4 P4 d0 V$ g5 d9 A2 Ypop fs:[0]
7 O5 r9 X! U( @. X. Fadd esp,4: W, f2 a: Q! G+ n6 x) T
invoke ExitProcess,09 n( J1 B+ u9 v8 k! y+ N
! H: V( w- e0 M8 V: [MySEH :7 \# x* j+ d' G: b
mov esp,OldEsp
) ?7 f# i+ g( ~, p% N A0 u b& ]4 Ipop fs:[0]1 k2 V7 L7 X4 W( h: e/ v% G. H
add esp,4% b V) ?5 r8 d: M( p X0 {6 Y
invoke ExitProcess,-1
3 I! [* R% C9 pend main
! f- P, p% l# Q" [, m Z4 S; Z! K$ I# r) m" Z
[此贴子已经被作者于2003-11-2 18:14:02编辑过] 5 r2 f3 e2 F! ?: `! h* X& g5 F
|
|
/1 
IP卡
狗仔卡
发表于 2003-11-2 18:09:00
QQ好友和群
QQ空间
腾讯微博
腾讯朋友
收藏
分享
顶
踩
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
抢沙发
千斤顶
显身卡
发表于 2003-11-3 16:22:00
楼主