[转帖]2000/xp下读硬盘序列号[汇编]



1
发表于 2003-11-2 18:09:00 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
我可没这个水平: b. l# t4 F' y/ ?9 ^7 s .686p 2 @7 N2 Z: ^' b M8 q5 B$ W# Y.model flat, stdcall T! @8 F4 ~9 c: B' |option casemap :none ; case sensitive ( o9 ^# l2 Z' j( v; #########################################################################: r; _! V4 S& l) g' G include \masm32\include\windows.inc 1 \3 M* Y7 U( ]- @" n; z5 X+ l& Einclude \masm32\include\user32.inc # \, ^1 U7 `. N* Y5 h* linclude \masm32\include\kernel32.inc / Q9 w3 G/ O( hinclude \masm32\include\advapi32.inc, T( l& Z* j$ M3 Q5 i. U$ A5 a1 E4 ~ 6 q9 ^+ \- B9 _2 \- ^$ o! F# F includelib \masm32\lib\user32.lib ' c6 W% }" Y1 X% h$ Vincludelib \masm32\lib\kernel32.lib 8 C' N" P5 m' ] Z7 R1 V, jincludelib \masm32\lib\advapi32.lib ) ]( I! @; ]2 Z6 Z' t$ lDEBUG = TRUE % z0 t# w) s6 L9 n: u5 I7 i0 d& M- b$ _2 X# h* N+ a: B HMODULE typedef dword y* E# Q2 d, d: G6 _, BNTSTATUS typedef dword $ P l0 g* w$ b; V. y" mPACL typedef dword# b3 h1 A* l+ X$ w. K6 U PSECURITY_DESCRIPTOR typedef dword; y, K" q# W+ i) I( o( S 0 e' ?: k' `8 x; NOBJ_INHERIT=2 $ |; p: r, p3 X& n; a4 W9 `* ^! COBJ_PERMANENT=10h' N' K) h$ V! b8 k/ P OBJ_EXCLUSIVE=20h " r1 h* n3 g r OBJ_CASE_INSENSITIVE=40h / N- O+ u% \' r' `6 T: `$ m OBJ_OPENIF=80h ' m P$ t5 }! W' v4 K) Z6 SOBJ_OPENLINK =100h 9 m# g/ H- }1 M! x OBJ_KERNEL_HANDLE=200 + U0 s- _' T+ u7 G- B OBJ_VALID_ATTRIBUTES=3F2h 1 \3 |! S! t! ]( w/ N 7 c2 z/ M( G/ t9 E% n2 hSE_KERNEL_OBJECT = 6 % s" E! E6 }' k1 M& h) ^GRANT_ACCESS =1 ! H# o( A" Q2 cNO_INHERITANCE =0 5 n7 x1 K5 m f1 }7 [& OTRUSTEE_IS_NAME=1" V/ C1 |$ R1 k$ B, H TRUSTEE_IS_USER=1& G6 G D+ ?6 |3 V! E STATUS_SUCCESS =0 # |: K9 C$ \5 g# w3 I+ d STATUS_ACCESS_DENIED =0C0000022h4 f# G$ V1 h2 Z/ [; b. c4 u - P' {( l, O# w& G' S9 A, GSTATUS_ACCESS_VIOLATION equ 0C0000005h 6 L: U" g* m% g' A; g1 H" aSTATUS_INFO_LENGTH_MISMATCH equ 0C0000004h- `8 ~& C" t4 c9 }" j$ i SystemModuleInformation equ 11 9 u# z3 f9 \/ XPVOID TYPEDEF DWORD0 U0 M+ J( y) r/ N8 {! 
Q UNLONG TYPEDEF DWORD1 [/ J E3 I' b4 K" b CHAR TYPEDEF BYTE 5 d* E4 ^5 Q7 I# S3 p+ Y: L" |/ m5 g( J; {. o8 G) V# O( H UNICODE_STRING struct ! N& F1 f0 y3 E- K! e- L nLength word ? 1 ?6 |0 e7 O- O4 d: ^ MaximumLength word ? / {* D$ F; v6 ?2 t Buffer dword ? / J' m$ j5 u1 H1 q& Q6 O$ y UNICODE_STRING ends+ ]2 @- w7 { Z9 d. t* {! A , A) K' s. n# `; b. d# G: j; H) L, XOBJECT_ATTRIBUTES struct $ q' n ~; h0 b5 B' @) P7 ~9 l nLength dword ? - J+ x1 q2 |: D" Q0 A* f% M RootDirectory HANDLE ? # A5 q! p* U( T' U! a. c ObjectName dword ?UNICODE_STRING 7 O: ~( k0 y/ E @3 \! k# R! h Attributes dword ?; % G3 q7 b6 k+ V+ w e SecurityDescriptor dword ?; PVOID // Points to type SECURITY_DESCRIPTOR L" G8 z0 M) S. l+ E SecurityQualityOfService dword ?VOID // Points to type SECURITY_QUALITY_OF_SERVICE . F% O8 W `) {! H; u OBJECT_ATTRIBUTES ends 4 o" p4 v5 F7 K0 u g4 N6 g5 M2 ? A1 D" O0 y $ J" p4 Z. }5 p E6 U7 DTRUSTEE struct ! E' o7 [, S( L1 Z pMultipleTrustee dword ?TRUSTEE , J+ m0 k7 } s8 F: s MultipleTrusteeOperation dword ?; MULTIPLE_TRUSTEE_OPERATION 9 B# c0 ], K' ?5 g& F TrusteeForm dword ?;TRUSTEE_FORM # ]( U) A% P6 ~+ E TrusteeType dword ?;TRUSTEE_TYPE 9 S% Z" R" k2 v7 T+ h4 v/ C3 v# C ptstrName dword ?;LPTSTR 1 c6 O0 v' F& @9 A6 y TRUSTEE ends " V. M" `$ @; L E ! L7 _) ~: q h F# E: ~$ n" L: Y: i/ p) a+ j3 q+ U8 i# w; L EXPLICIT_ACCESS struct * k. }) u3 h) ?; M) ?- ? grfAccessPermissions DWORD ? 3 y, V1 F& d: ~' N: ]- C grfAccessMode dword ? ;ACCESS_MODE 4 }% t v, J. r z grfInheritance DWORD ? ;/ b: b1 K* |2 Z1 K; t" l8 i6 ? Trustee TRUSTEE <> ; " G2 Q2 H% y) `7 h# M% I$ eEXPLICIT_ACCESS ends4 q& O: h0 Y" L0 d: v: C% O4 z 3 M, K. Z) G/ F& J: X6 `# V' T4 N MyGATE struct ;门结构类型定义 3 _2 H& G( h+ v Q OFFSETL WORD ? ;32位偏移的低16位 3 ?! e4 T0 i0 N/ E1 S+ s4 ~. k SELECTOR WORd ? ;选择子 $ g* l; G" s! Y, m DCOUNT BYTE ? ;双字计数字段5 j6 A4 ]+ W. }" }2 J# O GTYPE BYTE ? ;类型 2 G9 e b: S7 \# J; b2 Z& F6 v8 @$ F# L% \ OFFSETH WORD ? ;32位偏移的高16位, u4 K4 U6 u' @4 E MyGATE ends8 W7 e: c+ W* T ; X- P! 
M" q& f L$ wIDEINFO struct : l. y' r5 [. E5 E+ A) twGenConfig dw ? - c% d; y2 O* T) s. I Y* P0 awNumCyls dw ?;拄面数( B: V. S9 Y5 O2 n( r0 @* {. @ wReserved dw ?/ w) i9 ]) b4 {5 V8 { wNumHeads dw ?;磁头数 - L7 c5 h: k/ x; G/ I# ]wBytesPerTrack dw ?;每道字节数 + D4 l% G4 w# t9 U: e! y2 v( CwBytesPerSector dw ?;每扇区字节数( e" O6 n5 A3 p/ P2 Z wSectorsPerTrack dw ?;每道山区数 }7 E0 p, S" b wVendorUnique dw 3 dup (?), w6 s, I3 J, G" G6 n5 W sSerialNumber db 20 dup (?);硬盘序列号 ' c' q7 i8 I( H+ T- P. ?2 `1 cwBufferType dw ?;* r, Y4 Y+ [8 q wBufferSize dw ?; ;n * 512 4 |& v% y" F ^( Z* l0 e8 iwECCSize dw ? ; u+ W' [) Z4 GsFirmwareRev db 8 dup (?);8 x$ R. D- o0 y" V: y& h1 _$ F) a sModelNumber db 40 dup (?)' P" v" e& x6 P {3 e+ X' j wMoreVendorUnique dw ? ) s% S5 n b( n3 M- N4 a; owDoubleWordIO dw ? ( Z- s% w) ^5 G. B P0 zwCapabilities dw ? % a4 U$ R* S$ f s$ `- {wReserved1 dw ?8 m0 i8 O0 Z6 Z0 S' ?0 r5 z d wPIOTiming dw ?;- t" ]$ e( u( U wDMATiming dw ?;, ^" u, o- e" t/ d3 H& D wBS dw ?' U' c$ A8 A# w6 R wNumCurrentCyls dw ?; % |; Y/ O. n- [- OwNumCurrentHeads dw ?;9 n9 T5 \0 X2 s m wNumCurrentSectorsPerTrack dw ?; ' t3 a: x; K5 f0 p8 w$ _dwCurrentSectorCapacity dd ?;6 \7 p$ i9 ^3 o( T+ G wMultSectorStuff dw ?;) [ Y/ |# ]2 _ dwTotalAddressableSectors dd ?;- @/ W# ]; E8 l- K# q& f; [8 { wSingleWordDMA dw ?; % }0 q7 a3 f C+ S1 ]wMultiWordDMA dw ?;- q: q% J5 t3 P% W1 e bReserved db 128 dup (?)" a7 s: j4 g8 ~" ~ IDEINFO ends! m, u3 L5 t" F, e 6 O$ {2 B8 Q8 b3 l 1 O" x# `8 ?: I4 _: Q" Z; wSetPhyscialMemorySectionCanBeWrited proto :dword/ U; ]8 _. [4 u1 K* W( [ MiniMmGetPhysicalAddress proto :dword ) H) y( V1 V1 ]2 c# P: b; t8 ?; Q( L* Z5 Q; B3 v: ]. K7 R" M ENTERRING0 macro * q0 |& B0 x9 v f; cpushad & w8 P; @- x; d \; p: y. v) [ pushfd # A7 w, ^4 m1 }! v4 zcli ^2 f. r- e$ x% A; O% l: ^ mov eax,cr0 ;get rid off readonly protect * P1 j% w3 A# o0 @ B8 d3 Nand eax,0fffeffffh " V# ~% D: T9 V' N' P1 U; w% s# @mov cr0,eax / K4 s' d! @* \5 bendm / R" f. J2 ^- e: F, O2 k" a3 G" }, B8 K& _. 
|: g LEAVERING0 macro1 s n( P3 t( f! i mov eax,cr0 ;restore readonly protect $ w& B% i0 m- M" yor eax,10000h 0 |: u2 m( L6 U! s( Qmov cr0,eax& u- l( L @5 B% r$ \$ K- o1 x sti 9 Q! A F0 L0 b- c* a: S) Epopfd ' o2 ^8 L: [3 V5 v$ [ popad ! ^$ A( I8 h; H/ _ retf4 G; m$ A* L2 h7 E& S& [% Q* |, X endm # ]! K# j. K9 v+ N+ B , t2 |! @6 E. w! S* h) m 8 \$ ^! F: N; s; ~2 MUNICODE_STR macro str# I4 v5 B6 |9 Q$ { irpc _c,<str>! S3 `5 Y9 n5 e db '&_c'2 V% Y8 B. F6 O4 [! _ db 07 E! ?0 Z0 [1 I; ]' E6 h# ~+ U% a endm$ Y9 ^ ?4 @9 u$ V# x" m& P endm ; K+ J$ E; y" o1 M + q. X L% a. v; Z# o.data?% M6 P" ^4 U& s GdtLimit dw ? 3 m, p0 E8 R% V8 p6 PGdtAddr dd ?5 a' U) [6 \$ f& A) T U/ w, i 4 m3 S: p, T- V' q: E" c mapAddr dd ? 6 k) g' H I" GOldEsp dd ? I Y4 e2 V, t" D " g+ ^& r- a7 W/ T" I1 Q+ `readed dw ?% Z" K2 P- e \$ Z1 s/ c buffer db 512 dup(?), b+ e3 E$ X# X6 _) \8 {5 I' Z ShowText db 512*3 dup (?) : h. |& r7 L/ [! |; `3 i3 F8 p% K3 V1 o! K& \+ L# _ szBuffer db 1024 dup (?) 0 D/ s( s; ]. J9 lszModelNumber db 41 dup (?) 4 c9 y/ J _$ _* J1 l; KszSerialNumber db 21 dup (?) + h+ j% \% D" U JszFirmwareRev db 9 dup (?)2 o: z1 {) A' Z) |8 Z/ Q5 \ / t/ A# i3 w0 _& R1 Y stIDEINFO IDEINFO # T9 m& S% z0 J9 r 2 W7 p2 K+ I2 F9 u' Y .data ' b5 W- m% D7 V2 Falign 4 + {! K$ x3 h( x0 A" fobjname dw objnamestr_size,objnamestr_size+2 1 z4 X- c+ K- A$ o$ Aobjnameptr dd 0! h% m4 w& b6 v* w" b, J/ C0 _" q: V# U objnamestr equ this byte I$ ^, i6 v- e- \' M9 u+ k: C UNICODE_STR <\Device\PhysicalMemory>& Z/ |, y* f c5 O( ]- R% |6 l objnamestr_size equ $-objnamestr # }, o3 c0 r3 q! A3 @ w- w1 I+ E, b6 v5 x: ^+ b$ i szTitle db 'IDE 硬盘信息',0 * _- H( Z) D$ x" V0 k$ V" jszErrInfo db '无法读取硬盘信息',0 * M- U) r+ ^/ E7 y7 [( _- RszIDEInfo db '柱面数 : %d',0dh,0ah 0 ]- B8 j* |2 s db '磁头数 : %d',0dh,0ah- L$ O# }7 }1 y1 [ db '每道扇区数 : %d',0dh,0ah # `& |) I9 j3 |9 `1 A: ~ db '缓冲大小 : %d 扇区',0dh,0ah& b; i! _6 l1 y. 
K" p8 ~ db '硬盘型号 : %40s',0dh,0ah2 d6 H6 M0 o# y db '序列号 : %20s',0dh,0ah ' |6 D/ t5 H" ?% e2 }9 i5 L" ` db '版本号 : %8s',0 3 x" g, v+ C) R: p( u * Z2 g$ ? n) I( H" }align 4 ; F7 \: B+ ?( ^* K! UObjAttr db 24 dup (0)& g: a' I, R' {- X: |; z, J @0 F$ E ^( W2 }8 m6 f* @1 jCallgt dq 0 ;call gate's selff 9 E/ g! ]# H. M9 \3 k, nCaption db 'Windows XP绝对磁盘读写',0# h6 ~6 W1 B' o: E+ V% c: l# M Digit db '0123456789ABCDEF',0 ) L- B" B% C- b5 e1 m8 p4 i5 K( F.code4 r* |0 ~8 W, O6 E' k: R' N* Q _ShowBuffer proc ;显示所读出的信息* f$ ?4 Y- G; z Z4 ~ ;把数据转换成16进制的形式 : i" q p$ g" Z mov [readed],512" E7 s) O6 X- D8 e O9 w mov esi,offset buffer ;数据 - ]( u% U% F8 Y9 U mov edi,offset ShowText ;转换后的数据! q/ x6 B8 w4 w. G9 q+ J, g mov ebx,offset Digit% ~) H2 F3 o" f" Q* L/ H6 J xor ecx,ecx $ D5 U N7 J% p6 } E5 o2 x xor eax,eax3 `% f0 L$ g) ~" {. v computeAgain:& v( V2 a0 n3 {1 } cmp [readed],0 + H" Y: ^" b% n6 I2 |) d$ g jz endCompute - z5 e9 }! Z. K! d& r) H; g3 Z5 M3 T dec [readed] 0 f% d. F- A7 \) K+ [ lodsb, P+ M9 q& B5 s' V) Y4 A6 @" E push eax$ ~$ U B( Y' m, b W shr eax,4 ;高4位) d4 c( c+ ^+ ]3 a, c$ z8 E xlatb2 d! g& e5 k5 s& X stosb4 V) e" a) ^. T+ C, }5 Q, J( z5 k pop eax % b x9 f8 x% ^- K( A and eax,0fH ;低4位# s4 s0 L/ [( e xlatb 1 H' @% P& {0 D } stosb8 r* K, x. l: U. {+ ~% I) B mov byte ptr[edi],' ' ;空格 ( v3 r* u# F; d& |* q inc edi ' G! D+ A% [1 N: G a inc ecx % I# b. @3 l8 Y' o6 } cmp ecx,164 @" q$ x7 B, a' h jnz computeAgain ' `3 Q% g# ]& ` xor ecx,ecx# r; d! g0 ?8 r6 b! r4 ~ mov byte ptr[edi-1],13 ;回车 $ J, X+ g! J) ]. f3 C jmp computeAgain4 t0 R3 K. Q& j* m+ X* R endCompute:0 F8 Z1 l1 u4 F ;显示. X* B* C% z) r8 I% C invoke MessageBoxA,NULL,offset ShowText,offset Caption,MB_OK$ A; R& O# e% t W+ W5 w$ ]8 V ret . X+ i' l/ Y, ~. h_ShowBuffer endp & \, }& v7 \1 K7 M+ ?& O( Y7 I9 Q; v4 D3 u2 C/ n/ d/ p& p# n3 ]. q0 @+ b0 I SetPhyscialMemorySectionCanBeWrited proc uses ebx esi edi hSection:HANDLE % @/ _0 |6 U M3 w& m& R1 ulocal pDacl: PACL G2 u/ M$ R9 k' [local pNewDaclACL . 
J* X$ R/ u: a+ ~4 K1 z+ b4 x& I4 G1 Y/ Wlocal pSD SECURITY_DESCRIPTOR 7 f/ ]7 h7 e7 q6 j! z1 S# E3 o local dwRes:DWORD ;% c6 F& Z O$ B5 g local ea:EXPLICIT_ACCESS ; ; b9 J$ X. S9 s! R xinvoke GetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL, addr pDacl,NULL, addr pSD - V: _% r- e/ ]$ h! `( \1 tcmp eax,ERROR_SUCCESS : `! `1 K1 j, l& d; @" ^jz @f " ]+ z* R. F \, Pjmp OutSet 6 t& g7 _3 b/ V; |9 k/ t5 Q@@:4 \& H& Z4 S0 L; F& o) A% }5 g mov dwRes,eax3 q2 \5 O S( \( c2 \ mov ea.grfAccessPermissions ,SECTION_MAP_WRITE;23 A4 r8 {8 |( I6 n: F; }* I mov ea.grfAccessMode ,GRANT_ACCESS;12 N) t) @8 e& O$ w* ^1 c. z mov ea.grfInheritance,NO_INHERITANCE;0* x" @. ]) c: n+ w& x% W8 j3 e7 o mov ea.Trustee.pMultipleTrustee,0 % j. ?' J! t2 } a0 imov ea.Trustee.MultipleTrusteeOperation,0 ; Z1 D& `; J, o3 Zmov ea.Trustee.TrusteeForm,TRUSTEE_IS_NAME;1 5 z; a/ |* u6 _; e6 h& v3 q bmov ea.Trustee.TrusteeType,TRUSTEE_IS_USER;13 J2 J) @* Z1 P call @f : a/ C+ }; D8 G' ~! i0 V! adb "CURRENT_USER",0 $ H6 ]7 b4 v) {7 V: n# l@@: `( w! _' q; n6 }( r0 Y6 npop edx & i1 e! g* m9 _8 Emov ea.Trustee.ptstrName,edx; h2 [$ a7 _7 z; | invoke SetEntriesInAcl,1,addr ea,pDacl,addr pNewDacl + P7 w+ \+ W0 [- J6 `+ Icmp eax,ERROR_SUCCESS f0 q2 S" d6 ^; I: T8 J) ] jz @f; I! U7 P$ T h, ]: q jmp OutSet; e* _; a6 h% s6 _. c @@:( G3 T6 n v6 U5 r. r' y1 ^: u invoke SetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL,pNewDacl,NULL / o0 |9 L( R( WOutSet: 5 I+ j1 P$ e6 \2 b M. ccmp pSD,0 ! l* C5 B0 x0 e" k2 q5 }jz @f% z; c! x( S0 I" x0 V; a invoke LocalFree,pSD7 [1 |! E& n' y" n; |' k2 b @@: & Y4 Z( ]5 A4 [( s" Z% Ycmp pNewDacl,0( o2 n: [5 C1 Y* c6 o& _ jz @f) ]. h6 ?; ^1 [. m. _ invoke LocalFree,pNewDacl + |, Q0 F, p. _ B: x$ j. ?# T@@:' C7 b& {& ~& F. 
p- A1 u ret 9 P# r8 e( Y" G* o1 YSetPhyscialMemorySectionCanBeWrited endp / `) e2 C, g* R) Q4 ]) _4 G' x - h; N6 u( ?, x( v' xMiniMmGetPhysicalAddress proc virtualaddress:dword- X' {2 q* ?5 u7 D7 n2 s mov eax,virtualaddress$ g0 M# i& V" O' {! I3 c. w cmp eax,80000000h9 @) s' r* [7 \+ {& _7 D jb @f' e( f8 E% I5 A9 V$ e) U' [ cmp eax,0a0000000h9 x: Y+ M# C4 Z$ t jae @f 9 n0 f% B3 T% a+ X& t and eax,1FFFF000h 9 f8 F& g) u1 K) [ ret/ |+ }+ a/ _, }9 Z0 f @@:; ~4 L. \5 m- p3 f4 n1 L; f, G mov eax,0 " F. a; R O% d. t* u( l ret 8 o/ q& Q o6 x Q; ~" xMiniMmGetPhysicalAddress endp 4 U( `4 ~* E6 S4 {: P8 V : v% V( f% e H( m BExecRing0Proc proc , m. r6 @8 ~. n# g8 l; d+ x, R0 u local tmpSel:dword/ \: _9 w% q# {; C9 z: z& h/ z local setcg:dword ' Q, U3 ?5 ^, T, r: y- Blocal BaseAddress:dword , Y( w4 d( h; C+ Tlocal NtdllMod :dword 9 [4 h: ^* e5 c9 _+ Y# Z2 Glocal hSection:HANDLE & N6 ?( w. X8 M5 @local status:NTSTATUS . E0 ]! j! B: [3 H, g" l7 Zlocal objectAttributes:OBJECT_ATTRIBUTES : ~# L% B- F% e c( u0 Q local objName:UNICODE_STRING& |$ f6 b" r" A. u: H7 h0 R mov status,STATUS_SUCCESS; 4 L& W1 _, K9 m0 i \! E" e6 Vsgdt GdtLimit 3 f' Q% D4 h" I+ D& dinvoke MiniMmGetPhysicalAddress,GdtAddr# K0 ], G2 P1 c9 }# m6 ~ mov mapAddr,eax% e3 E! j7 r5 J" I* X% ? test eax,eax! S# s- k- {# w" b jz Exit1 - E- z7 I0 m9 x) U! J& J& acall @f1 i; g% e8 Y k1 D/ C db "Ntdll.dll",0! `' c' c+ E0 f% \ @@:: M2 G- J0 x0 i% L% f: E" u8 p" f call LoadLibraryA5 Q- f# X3 W' U8 M/ ? mov NtdllMod,eax 7 c0 z9 m2 g/ o5 ]# I0 i: n! p- a, h$ a2 l lea edx,objnamestr p& Q1 M9 j# y" ` mov objnameptr,edx & i8 a- c I, ]4 Alea edi,ObjAttr , F% Q: Q. i8 _5 ^- l) kand di,0fffch ;align to 4 bytes,or ZwOpenSection will fail 5 m% l+ k. f$ }1 A' G* vpush edi ;edi->ObjAttr! m. b$ j, q" c8 D push 24 ;length of <\Device\PhysicalMemory> 9 u/ R. G @$ |6 b' F! Ypop ecx ; O [" k( a* k( ]5 |! i- wpush ecx ' l% ~+ c. ^) B. 
W$ rxor eax,eax $ l& g" R6 l2 Y$ F4 L$ Wrep stosb ;put ObjAttr with 0 8 a% g6 n/ N4 @+ _4 E8 d; [9 b6 V1 @pop ecx: t9 U* q1 k R3 w) _- u pop edi) n4 ~% @" @% l mov esi,edi ! h0 |) r. Z1 E3 f* n7 y$ ustosd 8 Z! q2 E) T" R, M1 ~mov dword ptr[esi],ecx. O# {1 `2 p- Q9 ~' _* @% A stosd % Y$ r( @" O& ]8 X- R9 _* X q( | lea eax,[edx-8] ;eax->objname : o5 x- ^ ^( m9 K$ w. I! }9 J- U% estosd ;ObjAddr(18h,00,00,00,00,00,00,00,offset objname,40,02,00,00,dd 2 dup(0) 9 W) P3 K3 T# i4 t3 s; k( ~mov dword ptr [edi],240h # L6 @9 Q5 U% r( u/ ~( s9 E" g' C% S7 u5 ?& x3 t$ L call @f& ?" i# V. K2 I( W db "ZwOpenSection",0 ) z2 d( z4 O+ {) @: F; Q, v8 M% l@@: 9 V, Z% h8 k( P# T m) Ypush NtdllMod" L: p4 Z7 d$ {# {5 z* h2 l call GetProcAddress * a J" Z( q- b/ ?, I& {4 c+ j( }mov ebx,eax ;ebx=ZwOpenSection- N* X" I# A" U" u5 P ' P) [' o2 q6 _+ dpush esi ;esi->ObjAttr # T. r# H. X3 Q8 ~2 qpush SECTION_MAP_READ or SECTION_MAP_WRITE ' k" w: g; F7 f- j0 x% h0 {lea edi,hSection/ |$ W1 Y/ |+ ? push edi ;edi->hSection 8 l2 K* Z' |$ Y5 F) v8 Bcall eax ;ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr) 8 \, U; O, U3 W( _$ s, h$ D+ I, g7 I7 Y U8 l" {+ ?2 m2 a mov status,eax r x1 o/ X+ fcmp status,STATUS_ACCESS_DENIED" i9 J8 Q! y0 |" E3 z# W1 U jnz AccessPermit 0 V9 Z) p* @, |" ^$ Gmov eax,ebx * d, k0 Q% ?7 [9 z) P ( @2 O2 l) U5 q9 O& ?1 x! @! Zpush esi ' z. }) }( I# N7 s push READ_CONTROL or WRITE_DAC 6 B# L, P% K) J4 x. G push edi 4 Q7 w# }7 w4 T1 P2 L9 L call eax $ p- k! }* i+ d8 `0 L0 w# v - J. w! h Y' m0 b3 o) w( qmov status,eax$ S5 o; d6 z) [: o" z H9 D invoke SetPhyscialMemorySectionCanBeWrited,hSection $ V/ ~) Z( E) c5 H/ J6 e & G. m }% S+ p- U1 d3 u( xcall @f% ^; Y0 n& O7 V! R: Z1 i8 g0 e db "ZwClose",00 t" r$ F( P( l; V( a @@: 8 R; |& H4 s4 W5 ?+ R! ~- D4 mpush NtdllMod 2 A5 L3 {* b9 B8 m7 O. w# r, Dcall GetProcAddress * P4 h7 S( t3 N5 k. 
P5 T% z+ z0 ^) E0 s push hSection7 \$ S, Y/ I: m# {" o a: f call eax ;zwClose hSection / b5 f: j$ S8 S+ ^( A8 N% W8 M; i2 Z# _$ S$ z mov eax,ebx . t9 a6 {. j: p( v2 D1 E8 z# W5 h: J% r' a- `! @( c w. { push esi , H% a+ d [2 m4 z* K) s" ]push SECTION_MAP_READ or SECTION_MAP_WRITE " v7 n9 `0 k1 a1 n- nlea edi,hSection ( m. j: o. E K5 J. v( _push edi , j0 t$ X% F% H* X" p j4 q9 l; r1 a call eax4 N' ~6 _, _% x, a* t mov status ,eax! `7 z3 g+ M) K1 s |+ Y ;status =ZwOpenSection(&hSection,SECTION_MAP_WRITE|SECTION_MAP_WRITE,&objectAttributes); b$ _; v1 A) W; v# z6 X5 LAccessPermit:2 ]% y5 R4 d2 o# d cmp status ,STATUS_SUCCESS % {, ^' w/ `& r- Rjz @f# F, x$ J% i D9 z2 }, u ;printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status); & M% w0 Q0 k. q;return 0;6 R2 S8 U, ]+ x6 W2 ^6 Q, D: c mov eax,02 O3 s# @) ?* J1 n6 K! D ret ) d7 B4 J1 Z$ K3 @. ~@@: ! {3 J# h5 h( c* w$ i# v7 L movzx eax,word ptr[GdtLimit]! P& g0 x1 ~8 `6 s1 D* L inc eax V3 q4 B! S3 {7 ^- U/ _2 B$ W" u; o2 Qinvoke MapViewOfFile,hSection, FILE_MAP_READ or FILE_MAP_WRITE, 0, mapAddr, eax ' w. V1 v8 q" j mov BaseAddress,eax ' g& \( K( i& C* o& e6 i& acmp BaseAddress,05 D+ |4 |' q3 m5 x$ [9 i jnz @f / H, k; h2 m+ }+ q;printf("Error MapViewOffile:"); - ]+ E, B3 I/ n1 B( S/ c. w rintWin32Error(GetLastError()); return 0; 4 |8 Q" o5 O2 w; A( Z mov eax,06 s) {3 i4 J! W8 V8 \+ a) S! I, o+ T ret " X: N$ L; j4 N4 x7 Q: C, R@@: - A6 m* X# I0 s5 o; A# _: @. hmov esi,eax ;esi->gdt base0 u! w1 C# M$ k z! u mov ecx,3e0h D: P* Y* Q5 a- z. W mov eax,GdtAddr& r( u8 A0 k, f' L .if dword ptr [esi+ecx+2]!=0ec0003e8h2 J& ^4 Y% ], {4 A$ V. w5 x mov byte ptr [esi],0c3h . G {1 \3 K" f% P& v( Q3 h 1 |) D/ P B7 S$ A' F( {mov word ptr [esi+ecx],ax - x# C, f5 M3 v; H4 Ushr eax,16 % ]# }6 @' a A ], g: b- _mov word ptr [esi+ecx+6],ax0 A- X: j# d; e8 b mov dword ptr [esi+ecx+2],0ec0003e8h/ t4 @/ Q+ |5 D, B- ]) ` " T4 @. 
x" f) t0 A/ u3 rmov dword ptr [esi+ecx+8],0000ffffh1 y: d- o# j5 @2 q) n mov dword ptr [esi+ecx+12],00cf9a00h ( @1 `9 K& [( K# W7 \! q+ u9 `.endif 3 O; h T! D$ k / n! ~0 B: A' \4 n5 \mov setcg,TRUE7 Q3 w2 m% X! F' O( v/ K1 u cmp setcg,0- U5 D% r: G( r* h0 B% V/ l8 m jnz ChangeOK 5 D- B% @' j* Tcall @f& n# w+ A) h- G# U db "ZwClose",05 X& g- Q. J( ?' n. h4 o3 h0 t @@: 0 c; G$ ? V1 L: `9 `push NtdllMod / }' r" Z# j6 ocall GetProcAddress 6 n! K2 y/ B! Q- W& spush hSection& o \1 }( @/ }- G1 P9 g call eax3 ]" z. A: m" ^8 L8 B: Z$ g+ w) Y3 j' i xor eax,eax 1 W$ f; ]1 D3 O& xret' c0 A2 b+ a. c' C3 e { ChangeOK:8 p2 t0 _! N% s and dword ptr Callgt,0 . i4 O0 e! [: f& N7 Y( u" ?xor eax,eax + [3 G0 T/ |; i; Cmov ax,3e0h9 j6 q4 Z* N% N$ c/ | or al,3h 1 M% z% u, g/ u8 }/ tmov word ptr [Callgt+4],ax % Y9 z3 K1 P, b6 {. Q4 Z; Q;farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate; / m4 G' k6 W! `% D( E* Vlea eax,_Ring0Proc ' e7 G9 d& {2 B Q0 |;invoke VirtualLock,eax,seglen # y6 u7 h# l# {9 j* `9 }test eax,eax ; r5 M, N" g7 ^0 H6 M$ d& m' Yjnz @f 4 M9 F2 Q( p3 J9 U9 C! |xor eax,eax 0 O0 p. p) E+ P4 z% J* }ret . G* a- {- E5 }, W6 I. ?8 s2 ^0 ?9 p@@: 6 z8 M0 G4 g. M' k, [+ _/ T/ h6 Ginvoke GetCurrentThread 6 {- z, M+ r* A& Iinvoke SetThreadPriority,eax,THREAD_PRIORITY_TIME_CRITICAL 5 }& h x9 `' T+ E- Q6 y% I ! E/ A! i" f. D9 r h/ finvoke Sleep,0 ) C2 S2 l& D* P5 o' @ call fword ptr [Callgt] ;use callgate to Ring0!7 p+ {: L4 }$ c' }6 ]8 `1 O ;_asm call fword ptr [farcall]3 u8 ~" |! H; l6 Q$ @! r _Ring0Proc: ; Ring0 code here.. 4 L$ o% G2 P6 Z7 r; Lmov eax,esp ;save ring0 esp+ f& g* X0 P! U! T mov esp,[esp+4];->ring3 esp4 _1 U! ]9 P U5 l3 r' C0 V push eax . ^( s- B9 g0 c& u0 Y/ b mov ebx,offset stIDEINFO1 Z, H4 c/ v8 z( o2 q- u7 v assume ebx:ptr IDEINFO / L8 A9 B6 u$ m7 ]" \9 Q2 Z;********************************************************************" _9 r, V0 \' X" I3 S7 {9 c ; 等待硬盘就绪2 n5 R' `- T8 m! 
X8 O ;******************************************************************** p: D* E5 W4 t3 @ Y mov ecx,10000h. { g0 R6 e8 f% K3 R1 |% C mov dx,01f7h: ~/ `; w8 p# L @@: / @1 l1 w4 t. M in al,dx " V1 I4 ^+ ~* ? cmp al,50h 1 [: }/ p, ~. P6 S7 C jz @F 5 i" y0 | u, i4 `3 Z5 B) [! }0 w loop @B * `% z& M0 i' \& F% w jmp _II_TimeOut8 w4 @1 g; V( ^! l) z/ ? @@:. e7 l ]- A' C/ ~9 s ;******************************************************************** % U/ o4 ]+ K9 I: h; 发送命令1 b2 J" K# ] L2 B' ?- r- Q ; 如果向主控制发送命令,则端口为 1f0h-1f7h; c- |; u0 ~& G9 R; n ; 如果向副控制发送命令,则端口为 170h-177h ' V( x3 Y2 I( d* z' Y( }2 [; 1f6h 如果要检测的设备为该IDE接口的主(MASTER)设备, 6 n- K/ \3 b( o8 @8 |$ b; 那么发送 a0,如果为从那么发送 b0! j2 y3 b# X; w, \ ; 1f7h 如果要检测的设备为 ATA 设备那么发送 ec - d5 }" c9 i/ J0 d) m4 o1 M4 T/ r; 如果为 ATAPI 设备那么发送 a18 M4 I8 h" D/ D ;********************************************************************" G, L/ E* t8 `0 s$ C mov al,0a0h ;Drive 0,Head 09 _" v" ?+ V2 f" q0 f mov dx,01f6h ;Drive and head port. n$ B2 ?2 R8 n2 ^ out dx,al7 U& Q e0 S. ^/ s: e1 l5 U' ?( v % A7 r3 r6 s& t& [0 d5 K! d mov al,0ech ) G5 R. Y& {# u inc dx ;Command port, c% Z, v3 `- N6 T" l out dx,al , X3 Q: V4 S. H* D: B;********************************************************************7 Z' L' V4 l! A1 M ; 等待硬盘就绪" [8 y5 ]. i. `- O) T, h( q5 Q ;********************************************************************# M- Q8 C' C( k6 d: H: k% | mov ecx,10000h0 J* k& A- M i- H @@: . R, `) d4 g3 w0 g% y0 p. z1 d, W in al,dx;1f7 (r-status register) 7 M. ]2 q4 X' |! D7 f8 S cmp al,58h;(driver is ready ,and seek complete): t, w& \- V4 g2 ]9 e jz @F. g0 X) ]0 ^! [4 o. }) Z% S* N6 B loop @B0 J3 ~! R. H2 Y7 G$ p9 F jmp _II_TimeOut ; Y3 D- z2 e! O& _9 {% @* `2 ^ @@:! T$ S; l; S# l ;********************************************************************* F0 s- X8 W8 f, s8 e ; 将返回信息读回$ Q2 W! n& Z7 Z v: o! N ; 注意一定要读满 100h 个字长1 U1 M7 [4 |- {8 a; r" e ;******************************************************************** : F. 
X; x% d$ A' m/ U cld; h, F$ A& }: ^ L mov edx,01f0h;data port - data comes in and out here. `5 b0 ~) s& x8 X/ _ mov edi,ebx* x8 U$ P: I: E' I mov ecx,0100h6 y. H8 g7 W0 {! N- q rep insw: F" k6 G( t8 ^/ x3 A: M ;******************************************************************** / C$ Q8 l1 P+ ^; 返回的信息中,型号、序列号、版本号为字形式7 E" A5 \5 q7 P) ] ; 需要整理到字符串的形式( l; I+ o8 m; W0 f4 W ;********************************************************************' l/ ]* U1 {7 K lea esi,[ebx].sSerialNumber 3 \/ f6 H* X- }4 m! Q mov edi,esi1 S4 t9 @! H1 C1 m0 `% t mov ecx,10+ T* e; b, t" J# j8 ? @@: / o7 y9 G4 s! |: V lodsw # j) E1 s, O/ g+ U$ l g' j xchg ah,al4 [! h) W/ p, G7 y$ p stosw + o3 ^: H" h) Y5 O loop @B " l! G, E' C7 R5 U1 ~( w% Y" R: E( i: J; ~# D lea esi,[ebx].sFirmwareRev" A( w$ N0 G. A; f: s mov edi,esi . O, b5 o: o, ~( v mov ecx,24 $ k" d3 F1 ]; e+ d1 A/ Q7 z @@: 1 H @6 @* }1 y' l7 g# ] lodsw 9 n) ]* ~# E8 e+ [* M& P xchg ah,al 4 ]- w4 ?# _% c0 ~1 ^. Y/ I- F stosw + V6 |" r, ^0 ~ H" r3 ~% C& u loop @B4 _$ ~$ g: ^6 d2 I G* R _II_TimeOut: 4 ?) \- p8 z; M$ Eassume ebx:nothing 0 {( d4 h- D: |* }! G& r & F5 K/ B) N" @- ypop esp ;restore ring0 esp; z( l6 E) g$ `0 _/ A& A6 O/ i push offset Ring3' R$ A! h. ^; O* Z7 j* H! W retf* o E5 s- h7 U# r! x Ring0CodeLen=$-_Ring0Proc5 ]2 B- r$ o% P6 w5 @) f i % ~1 n9 T0 o2 Y1 z8 c. @1 `; z# D Ring3:3 Y) y8 G9 w* B6 ?5 ` invoke GetCurrentThread1 N/ W* T; J/ X- u1 W' v invoke SetThreadPriority,eax,THREAD_PRIORITY_NORMAL $ W3 z6 G: m$ Q! b7 i( V) K4 O9 D. [1 F' s8 D5 m# H ;invoke VirtualUnlock,Entry,seglen , c* T: V# W3 i q: X0 d9 H5 S W& w! D call @f0 M+ n9 Q r! | db "ZwClose",0 ) [' R* M, O2 [@@: 2 ] Q6 y O2 J7 Ypush NtdllMod" ]* Y/ ]+ c: G1 J0 H# q7 M call GetProcAddress1 O. e3 p0 ]5 ~. q# u) m push hSection : V! C! y! ]* P0 a/ T( Jcall eax " K5 t# u7 z/ ]9 q. fmov eax,TRUE1 \" T) z1 `: h/ R ret . E. D$ [. { g* p% y( gExecRing0Proc endp 5 T. v: N! Q+ r% b- f, t, F) c1 D, u, N) c! 
p main: 4 E4 O- o% o1 k8 Y/ O0 Eassume fs:nothing8 J6 ]6 q& y* n/ o push offset MySEH' b R. F8 ?) z push fs:[0]# t* z& L r5 F. K# Q* D+ q" s mov fs:[0],esp8 C0 t+ K, m4 L8 g) u8 y( G mov OldEsp,esp* Z9 P* q+ a& l0 p ~6 U mov ax,ds ;if Win9x? 3 T% [& o- X; B9 G, G6 r; Stest ax,4 + v) a& a8 `7 V* y4 l* U# v( n2 Hjnz Exit1 Z! \! M1 D! \- [$ E" x$ w( uinvoke ExecRing0Proc* a T" v& {- |7 h3 z- ? $ q1 ]$ r2 ?+ V6 X3 m .if stIDEINFO.wNumCyls( t" H- y8 u1 W+ X6 l lea esi,stIDEINFO.sModelNumber & E- j' d F; O! T8 a B7 r mov edi,offset szModelNumber 3 p! X$ U% [+ L. t mov ecx,sizeof stIDEINFO.sModelNumber 7 _- \2 H2 M* t3 r/ Q$ D% S9 @- Z rep movsb) _# j( g$ K! K 2 u* w* h% _- J n/ b lea esi,stIDEINFO.sSerialNumber # @; S: U) ]5 V& V5 S, M- {0 Y mov edi,offset szSerialNumber / u6 P3 R5 H- Q, K: i mov ecx,sizeof stIDEINFO.sSerialNumber * s8 i# z+ k" r' q$ O rep movsb8 r8 s+ [2 i7 P 2 f- y9 [5 _( [/ q- ]# m) z$ S lea esi,stIDEINFO.sFirmwareRev + h7 r. Y3 O6 _" s: z' Z; c mov edi,offset szFirmwareRev; H6 ~- M- n2 n6 _9 X1 q: [% S8 H7 L) x; S3 P mov ecx,sizeof stIDEINFO.sFirmwareRev : B( c5 Z- N$ I- g$ K rep movsb 1 _, x- N7 K0 r; H. R0 ~. _* f2 c& ]$ o movzx eax,stIDEINFO.wNumCyls ! [$ h3 ~2 Y; M9 E7 g movzx ebx,stIDEINFO.wNumHeads+ n$ U6 q4 O. a( T" g1 b8 p$ u movzx ecx,stIDEINFO.wSectorsPerTrack 9 q6 L# j: r" Q6 v2 t movzx edx,stIDEINFO.wBufferSize5 u$ B; J0 Y! m7 \3 W invoke wsprintf,addr szBuffer,addr szIDEInfo, eax,ebx,ecx,edx, addr szModelNumber, addr szSerialNumber, addr szFirmwareRev# Y$ q4 _- k1 Q: [ mov eax,offset szBuffer - P/ d9 @8 ]7 ?* f7 Z.else ! x* D; K% u+ W8 z7 d" D4 g mov eax,offset szErrInfo . k& S+ ] {) B* r.endif " s& @' J5 \ ]) H@@: 4 t1 F% `* m' p- \invoke MessageBox,NULL,eax,addr szTitle,MB_ICONINFORMATION or MB_OK- w! p/ [! L+ u; I. H Exit1: Y" L' g1 E1 e. l pop fs:[0]7 v# n1 q5 y) W, S' B add esp,4, p- U# w" d8 S" I* J& q: d* n7 |5 z invoke ExitProcess,0# @) _( ?/ ?, c }6 K8 f8 T+ Z( c# j; ZMySEH :- n5 H7 G5 z! 
R1 g; O+ Z+ Z mov esp,OldEsp 0 m) J1 h/ U v9 gpop fs:[0]" T5 B4 V& S! Y" X( M. q8 r add esp,4- b7 J2 m1 [8 v. A invoke ExitProcess,-1# A D5 y0 S$ E2 } end main 1 X G9 _ m% q0 U# A3 \1 F/ b5 \0 y2 L! L: M
[此贴子已经被作者于2003-11-2 18:14:02编辑过]
% y$ x* a4 J8 L# Z2 Y
bigfoot 该用户已被删除
2
发表于 2003-11-3 16:22:00 | 只看该作者
呵呵,ExecRing0Proc 这段程序甚妙,先得到 GDT,然后构造一个调用门(call gate),使程序从用户模式(ring 3)进入内核模式(ring 0)。进入内核模式之后,就可以没有限制地对系统干任何勾当。这段程序确实为高手所为,在下佩服得紧。
至于读硬盘序列号之类,只不过是在内核模式下的一个I/O应用罢了。
其实在NT/2000下读取硬盘序列号只要打开\\.\PhysicalDriveX(X:设备号0~26)设备,然后用DeviceIoControl()就可以读取了,不需要绕ring0这么一个大圈子。
, f2 @* C" p4 [
这个程序也可以用C语言实现,不过中间必须嵌入几条汇编指令,如 sgdt GdtLimit。
但还是用C来写更方便,例如:
5 n5 p7 o* V, j. zcall @f
* d9 v6 j; {7 ~  a6 Y) C; R8 n" Jdb "ZwOpenSection",0
. X/ H# }7 R1 X. X3 f; T$ [@@:
( H/ D2 X7 }5 G5 u1 ^3 u6 hpush NtdllMod" |0 r  C) Z- X
call GetProcAddress
7 H1 i7 Y1 T, F! a/ H' ?$ Kmov ebx,eax ;ebx=ZwOpenSection
+ {2 |& G5 R6 Q+ }push esi ;esi->ObjAttr
8 ^" U) U* P+ W9 Opush SECTION_MAP_READ or SECTION_MAP_WRITE2 k) K4 D9 R' [1 m
lea edi,hSection
: O$ s* h, [9 @' d7 |8 Mpush edi ;edi->hSection
, |# Q1 j9 ]6 ~& u! H# D/ D. Ycall eax ;) A3 Y" {! j- B- i$ L. G

用C的话只要一句就可以了:
ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr);
因此懂汇编,然后用C/C++编程,是成为高手的捷径。
" j5 x& K3 [0 J6 `4 \+ }; u
[此贴子已经被作者于2003-11-3 16:46:50编辑过]

$ `  {0 i2 ~2 I9 A


3
发表于 2003-11-19 00:12:00 | 只看该作者
win32位汇编,真的很不错,业余的时间,全都投进去了


4
发表于 2003-11-26 19:36:00 | 只看该作者
要能有台机器试一下多好,学汇编还从没想过去ring0,也感觉没那个必要。
现在闲着真想试试。这篇文章我在家保存了有快一年了,不用感觉可惜了。一直放着不用,我都快忘了那些曾经依稀的记忆了。谁能给我一台电脑,我立马高喊:有你这么富的吗?
fyer 该用户已被删除
5
发表于 2003-12-3 03:31:00 | 只看该作者
很久以前的一段代码


6
 楼主| 发表于 2003-12-3 15:33:00 | 只看该作者
很久以前?
不是吧,这个是 轻描淡写 编程论坛的斑竹写的
fyer 该用户已被删除
7
发表于 2003-12-24 19:21:00 | 只看该作者
看到过的。
