我可没这个水平
.686p                               ; P6 instruction set with privileged ops allowed (sgdt, in/out, mov cr0)
.model flat, stdcall                ; 32-bit flat model; procs default to stdcall
option casemap :none ; case sensitive
; #########################################################################8 X9 G/ k2 ^# K% b6 g1 x+ q% g5 R
include \masm32\include\windows.inc7 }, H) A* f1 ?) R4 `( L, C! E4 d- k
include \masm32\include\user32.inc
" \" m% W& r8 S% ]) Uinclude \masm32\include\kernel32.inc
% Z3 J6 s* D6 b' x& i# O* e! ?include \masm32\include\advapi32.inc8 d$ q4 [. _( K' F& j2 L# k
: V& Y8 L# z: Z1 p% D+ F' z8 e
includelib \masm32\lib\user32.lib4 E) t& O3 h3 s4 _# N7 S
includelib \masm32\lib\kernel32.lib, ^3 T4 p% L- @" _4 g+ S6 Z- \
includelib \masm32\lib\advapi32.lib
DEBUG = TRUE                        ; build flag; not referenced anywhere else in this file

; Hand-rolled equivalents of NT types the masm32 includes do not provide.
; Everything is a 32-bit dword here (.model flat).
HMODULE typedef dword               ; unused (NtdllMod is declared as a plain dword)
NTSTATUS typedef dword
PACL typedef dword
PSECURITY_DESCRIPTOR typedef dword

; OBJECT_ATTRIBUTES.Attributes flag bits. None of these equates is used by
; the code below, which writes the literal 240h (= 200h or 40h) instead.
OBJ_INHERIT=2
OBJ_PERMANENT=10h
OBJ_EXCLUSIVE=20h
OBJ_CASE_INSENSITIVE=40h
OBJ_OPENIF=80h
OBJ_OPENLINK =100h
OBJ_KERNEL_HANDLE=200               ; NOTE(review): no 'h' suffix unlike its neighbours, so this is decimal 200 (0C8h), not 200h
OBJ_VALID_ATTRIBUTES=3F2h

; advapi32 values used by SetPhyscialMemorySectionCanBeWrited.
SE_KERNEL_OBJECT = 6                ; GetSecurityInfo/SetSecurityInfo object type for a section handle
GRANT_ACCESS =1                     ; EXPLICIT_ACCESS.grfAccessMode
NO_INHERITANCE =0                   ; EXPLICIT_ACCESS.grfInheritance
TRUSTEE_IS_NAME=1                   ; TRUSTEE.TrusteeForm
TRUSTEE_IS_USER=1                   ; TRUSTEE.TrusteeType
STATUS_SUCCESS =0
STATUS_ACCESS_DENIED =0C0000022h    ; ZwOpenSection result that triggers the DACL-widening path

; Declared but unused in this file.
STATUS_ACCESS_VIOLATION equ 0C0000005h
STATUS_INFO_LENGTH_MISMATCH equ 0C0000004h
SystemModuleInformation equ 11
PVOID TYPEDEF DWORD
UNLONG TYPEDEF DWORD                ; sic; presumably ULONG was intended
CHAR TYPEDEF BYTE
% k- d* c$ i) E( j
; NT UNICODE_STRING (8 bytes): byte length, byte capacity, pointer to the
; UTF-16 text. Only used to type the (unused) objName local in ExecRing0Proc;
; the name actually passed to ZwOpenSection is laid out by hand in .data
; (objname / objnameptr / objnamestr).
UNICODE_STRING struct
 nLength word ?                     ; length in bytes, not counting any terminator
 MaximumLength word ?               ; buffer capacity in bytes
 Buffer dword ?                     ; PWSTR
UNICODE_STRING ends
7 |" ~. e6 x: m; @. O4 [7 |* T8 ^0 f: d: z
; NT OBJECT_ATTRIBUTES: six dwords = 24 bytes, which is the `push 24` and the
; `ObjAttr db 24 dup (0)` used below. The trailing type notes on ObjectName and
; SecurityQualityOfService appear to have lost their leading ';P' in the paste
; (`?UNICODE_STRING`, `?VOID`); they are restored as comments here.
OBJECT_ATTRIBUTES struct
 nLength dword ?                    ; sizeof(OBJECT_ATTRIBUTES) = 24
 RootDirectory HANDLE ?
 ObjectName dword ? ;PUNICODE_STRING
 Attributes dword ? ;               ; OBJ_* flags
 SecurityDescriptor dword ? ; PVOID // Points to type SECURITY_DESCRIPTOR
 SecurityQualityOfService dword ? ;PVOID // Points to type SECURITY_QUALITY_OF_SERVICE
OBJECT_ATTRIBUTES ends
0 @+ g% @; G# D" L4 i+ Y5 ]/ w
; advapi32 TRUSTEE: names the principal an EXPLICIT_ACCESS entry applies to.
; The caller below fills TrusteeForm/TrusteeType/ptstrName and zeroes the
; multiple-trustee pair. The pMultipleTrustee type note lost its ';P' in the
; paste and is restored as a comment.
TRUSTEE struct
 pMultipleTrustee dword ? ;PTRUSTEE
 MultipleTrusteeOperation dword ? ; MULTIPLE_TRUSTEE_OPERATION
 TrusteeForm dword ? ;TRUSTEE_FORM
 TrusteeType dword ? ;TRUSTEE_TYPE
 ptstrName dword ? ;LPTSTR
TRUSTEE ends
2 y* F0 J" |- c5 N5 O# b- N) l% Z
; advapi32 EXPLICIT_ACCESS: one ACE to merge into a DACL via SetEntriesInAcl.
; Filled by SetPhyscialMemorySectionCanBeWrited with SECTION_MAP_WRITE /
; GRANT_ACCESS / NO_INHERITANCE and a by-name trustee.
EXPLICIT_ACCESS struct
 grfAccessPermissions DWORD ?       ; access mask being granted or denied
 grfAccessMode dword ? ;ACCESS_MODE
 grfInheritance DWORD ? ;
 Trustee TRUSTEE <> ;
EXPLICIT_ACCESS ends
: K% n) [7 K$ e+ ?
; Layout of an 8-byte x86 gate descriptor. Declared only: the call-gate
; install in ExecRing0Proc writes the descriptor through raw [esi+ecx+n]
; offsets rather than through this struct.
MyGATE struct ;gate descriptor layout
 OFFSETL WORD ? ;low 16 bits of the 32-bit target offset
 SELECTOR WORd ? ;target code-segment selector
 DCOUNT BYTE ? ;dword (parameter) count copied on a privilege change
 GTYPE BYTE ? ;type / DPL / present byte
 OFFSETH WORD ? ;high 16 bits of the 32-bit target offset
MyGATE ends
! m' Y1 X. y) H/ h j0 e2 e
; ATA IDENTIFY DEVICE reply as interpreted by this program (serial at word 10,
; firmware at word 23, model at word 27). As declared here the struct totals
; 256 bytes; the `rep insw` in ExecRing0Proc transfers 100h words = 512 bytes
; into it, so the second half of the reply lands past stIDEINFO.
IDEINFO struct
 wGenConfig dw ?
 wNumCyls dw ?                      ; cylinders (main uses a non-zero value as "data arrived")
 wReserved dw ?
 wNumHeads dw ?                     ; heads
 wBytesPerTrack dw ?                ; bytes per track
 wBytesPerSector dw ?               ; bytes per sector
 wSectorsPerTrack dw ?              ; sectors per track
 wVendorUnique dw 3 dup (?)
 sSerialNumber db 20 dup (?)        ; disk serial number; byte-swapped in place by the ring-0 code
 wBufferType dw ?;
 wBufferSize dw ?; ;n * 512
 wECCSize dw ?
 sFirmwareRev db 8 dup (?);         ; firmware revision; byte-swapped together with sModelNumber
 sModelNumber db 40 dup (?)
 wMoreVendorUnique dw ?
 wDoubleWordIO dw ?
 wCapabilities dw ?
 wReserved1 dw ?
 wPIOTiming dw ?;
 wDMATiming dw ?;
 wBS dw ?
 wNumCurrentCyls dw ?;
 wNumCurrentHeads dw ?;
 wNumCurrentSectorsPerTrack dw ?;
 dwCurrentSectorCapacity dd ?;
 wMultSectorStuff dw ?;
 dwTotalAddressableSectors dd ?;
 wSingleWordDMA dw ?;
 wMultiWordDMA dw ?;
 bReserved db 128 dup (?)
IDEINFO ends
% o; V- N5 N9 o/ R! v6 O2 R$ Z+ c& d% }9 K$ u! M1 M
; Prototypes for the two helper procs defined in .code (both stdcall, one dword arg).
SetPhyscialMemorySectionCanBeWrited proto :dword
MiniMmGetPhysicalAddress proto :dword
; ENTERRING0 - save all GP registers and EFLAGS, disable interrupts and clear
; CR0 bit 16 (WP) so ring-0 writes to read-only pages are not faulted.
; Pairs with LEAVERING0. Not expanded anywhere in this file.
ENTERRING0 macro
 pushad
 pushfd
 cli
 mov eax,cr0 ;get rid off readonly protect
 and eax,0fffeffffh                 ; clear bit 16 = CR0.WP
 mov cr0,eax
endm
; LEAVERING0 - undo ENTERRING0: set CR0.WP again, re-enable interrupts,
; restore EFLAGS and the GP registers, then far-return. The `sti` is
; followed by `popfd`, which at CPL 0 restores IF anyway; the trailing
; `retf` means this can only close a body entered through a far call.
; Not expanded anywhere in this file.
LEAVERING0 macro
 mov eax,cr0 ;restore readonly protect
 or eax,10000h                      ; set bit 16 = CR0.WP
 mov cr0,eax
 sti
 popfd
 popad
 retf
endm
) U& L% [8 e* L: i& ~# T; E, J$ ~2 z1 o5 \5 L, A( m
, {- N7 p e: i% ]0 u, V
; UNICODE_STR <text> - emit `text` as UTF-16LE by following each 8-bit
; character with a zero byte. No terminating NUL word is emitted; the byte
; count is taken from `$` by the user (objnamestr_size in .data).
UNICODE_STR macro str
 irpc _c,<str>
 db '&_c'
 db 0
 endm
endm
.data?
; 6-byte operand of `sgdt`: 16-bit limit immediately followed by the 32-bit base.
GdtLimit dw ?
GdtAddr dd ?

mapAddr dd ?                        ; page-masked physical address handed to MapViewOfFile
OldEsp dd ?                         ; esp at entry to main; MySEH resets esp to it

readed dw ?                         ; _ShowBuffer: bytes still to convert
buffer db 512 dup(?)                ; _ShowBuffer input; nothing in this file writes it
ShowText db 512*3 dup (?)           ; _ShowBuffer output, 3 chars per byte, no spare byte for a NUL

; wsprintf output and NUL-padded copies of the three IDENTIFY strings
; (each one byte larger than its IDEINFO field; .data? is zero-filled at load).
szBuffer db 1024 dup (?)
szModelNumber db 41 dup (?)
szSerialNumber db 21 dup (?)
szFirmwareRev db 9 dup (?)

; Destination of the ring-0 `rep insw` (see the size note at IDEINFO).
stIDEINFO IDEINFO <>                ; the paste lost the '<' of '<>'; restored
8 u2 h8 S+ k5 J$ h: u) X, c: q8 c: E& J3 A
.data
align 4
; Hand-built UNICODE_STRING for "\Device\PhysicalMemory":
; Length = byte count of the UTF-16 text, MaximumLength = Length+2,
; Buffer (objnameptr) is filled in at run time by ExecRing0Proc.
objname dw objnamestr_size,objnamestr_size+2
objnameptr dd 0
objnamestr equ this byte
UNICODE_STR <\Device\PhysicalMemory>
objnamestr_size equ $-objnamestr

; UI strings (Chinese): title "IDE disk info", error "cannot read disk info",
; and the wsprintf template: cylinders / heads / sectors per track /
; buffer size in sectors / model / serial number / firmware revision.
szTitle db 'IDE 硬盘信息',0
szErrInfo db '无法读取硬盘信息',0
szIDEInfo db '柱面数 : %d',0dh,0ah
 db '磁头数 : %d',0dh,0ah
 db '每道扇区数 : %d',0dh,0ah
 db '缓冲大小 : %d 扇区',0dh,0ah
 db '硬盘型号 : %40s',0dh,0ah
 db '序列号 : %20s',0dh,0ah
 db '版本号 : %8s',0

align 4
ObjAttr db 24 dup (0)               ; OBJECT_ATTRIBUTES storage; re-zeroed and filled by ExecRing0Proc

Callgt dq 0 ;call gate's self       ; 48-bit far pointer for `call fword ptr`: offset (ignored for a gate) + selector
Caption db 'Windows XP绝对磁盘读写',0 ; "Windows XP absolute disk read/write" - _ShowBuffer's message-box title
Digit db '0123456789ABCDEF',0       ; xlatb table for _ShowBuffer
$ O1 `1 X6 Q, v8 m/ F9 j.code
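;-----------------------------------------------------------------------
; _ShowBuffer - render the 512-byte `buffer` as hex text and show it.
; ABI:   stdcall, no arguments. Not called from anywhere in this file.
; In:    buffer (512 bytes), Digit (hex table), Caption (box title)
; Out:   ShowText = 32 rows of "XX XX ... XX" ended by CR, NUL-terminated
; Clobb: eax, ecx, edx, flags; ebx/esi/edi preserved via `uses`
; Changes vs. the original: ebx/esi/edi are callee-saved under stdcall
; and were clobbered; the text was never NUL-terminated and relied on
; whatever happened to follow ShowText being zero.
;-----------------------------------------------------------------------
_ShowBuffer proc uses ebx esi edi
 mov [readed],512                   ; bytes left to convert
 mov esi,offset buffer              ; source bytes
 mov edi,offset ShowText            ; destination text (512*3 bytes)
 mov ebx,offset Digit               ; xlatb table: nibble -> ASCII hex digit
 xor ecx,ecx                        ; bytes emitted on the current row
 xor eax,eax                        ; keep eax's upper bytes clear for xlatb
computeAgain:
 cmp [readed],0
 jz endCompute
 dec [readed]
 lodsb                              ; al = next byte
 push eax
 shr eax,4                          ; high nibble
 xlatb
 stosb
 pop eax
 and eax,0fH                        ; low nibble
 xlatb
 stosb
 mov byte ptr[edi],' '              ; separator
 inc edi
 inc ecx
 cmp ecx,16
 jnz computeAgain
 xor ecx,ecx
 mov byte ptr[edi-1],13             ; 16 bytes per row: turn the last separator into CR
 jmp computeAgain
endCompute:
 ; 512 bytes = 32 full rows, so the last byte written is a row-ending CR at
 ; [edi-1]; replacing it with NUL terminates ShowText without writing past
 ; its 512*3-byte end.
 mov byte ptr[edi-1],0
 invoke MessageBoxA,NULL,offset ShowText,offset Caption,MB_OK
 ret
_ShowBuffer endp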
- ~ \8 | c; e. E. {1 z% M7 b' D1 d2 O
;-----------------------------------------------------------------------
; SetPhyscialMemorySectionCanBeWrited(hSection)
; Adds an allow-ACE granting SECTION_MAP_WRITE to the trustee named
; "CURRENT_USER" on the DACL of the section behind hSection:
; GetSecurityInfo -> SetEntriesInAcl -> SetSecurityInfo. The handle must
; carry READ_CONTROL|WRITE_DAC (ExecRing0Proc reopens it that way first).
; The edit applies to the kernel object, not just this handle, which is
; why the caller closes and reopens the section afterwards.
; In:    hSection (stack, stdcall)
; Out:   eax = whatever the last API call left there; the caller ignores it
; Preserves ebx/esi/edi via `uses`.
; NOTE(review): pSD and pNewDacl are never initialised, so the early
; `jmp OutSet` exits hand uninitialised stack slots to the cmp/LocalFree
; cleanup below. The ':P' of the two local declarations appears to have
; been lost in the paste (`pNewDaclACL`, `pSD SECURITY_DESCRIPTOR`) and is
; restored here using the typedefs declared at the top of the file.
;-----------------------------------------------------------------------
SetPhyscialMemorySectionCanBeWrited proc uses ebx esi edi hSection:HANDLE
local pDacl: PACL
local pNewDacl:PACL
local pSD:PSECURITY_DESCRIPTOR
local dwRes:DWORD ;
local ea:EXPLICIT_ACCESS ;
; Fetch the current DACL; pSD receives the security descriptor that owns it.
invoke GetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL, addr pDacl,NULL, addr pSD
cmp eax,ERROR_SUCCESS
jz @f
jmp OutSet
@@:
mov dwRes,eax                       ; written but never read
; One EXPLICIT_ACCESS: grant SECTION_MAP_WRITE, no inheritance, trustee given by name.
mov ea.grfAccessPermissions ,SECTION_MAP_WRITE;2
mov ea.grfAccessMode ,GRANT_ACCESS;1
mov ea.grfInheritance,NO_INHERITANCE;0
mov ea.Trustee.pMultipleTrustee,0
mov ea.Trustee.MultipleTrusteeOperation,0
mov ea.Trustee.TrusteeForm,TRUSTEE_IS_NAME;1
mov ea.Trustee.TrusteeType,TRUSTEE_IS_USER;1
; `call @f` pushes the address of the inline string as its return address;
; `pop edx` at @@ retrieves it. The same trick is used for API names elsewhere.
call @f
db "CURRENT_USER",0
@@:
pop edx
mov ea.Trustee.ptstrName,edx
; Merge the entry into a new DACL; pNewDacl is allocated by the API and freed below.
invoke SetEntriesInAcl,1,addr ea,pDacl,addr pNewDacl
cmp eax,ERROR_SUCCESS
jz @f
jmp OutSet
@@:
invoke SetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL,pNewDacl,NULL
OutSet:
; Cleanup: both pointers were returned by advapi32 and belong to LocalFree.
cmp pSD,0
jz @f
invoke LocalFree,pSD
@@:
cmp pNewDacl,0
jz @f
invoke LocalFree,pNewDacl
@@:
ret
SetPhyscialMemorySectionCanBeWrited endp
+ a0 _ c4 `# F( m0 }
;-----------------------------------------------------------------------
; MiniMmGetPhysicalAddress(virtualaddress)
; Presumes the window 80000000h..9FFFFFFFh is identity-mapped kernel
; space and returns its page-aligned physical counterpart, i.e. the
; address with bit 31 dropped and the low 12 bits cleared (mask
; 1FFFF000h). Anything outside the window yields 0.
; In:    virtualaddress (stack, stdcall)
; Out:   eax = physical page address, or 0
; Clobb: eax, flags
;-----------------------------------------------------------------------
MiniMmGetPhysicalAddress proc virtualaddress:dword
 mov eax,virtualaddress
 sub eax,80000000h                  ; rebase the window to start at 0; lower addresses wrap around
 cmp eax,20000000h                  ; unsigned: inside [80000000h,0A0000000h) iff rebased value < 20000000h
 jae @f
 and eax,1FFFF000h                  ; bit 31 is already gone; keep bits 12..28 = page within the window
 ret
@@:
 xor eax,eax                        ; not in the mapped window
 ret
MiniMmGetPhysicalAddress endp
3 J: k( ?" h8 {( Z+ L7 p, g9 J. ]& T+ E: |) ]4 L" w
;-----------------------------------------------------------------------
; ExecRing0Proc() -> eax = TRUE after the ring-0 block ran, 0 on failure
; (one early failure jumps to main's Exit1 instead of returning).
;
; What the code below does, step by step:
;  1. `sgdt` -> GdtLimit/GdtAddr; MiniMmGetPhysicalAddress gives the GDT's
;     physical page (mapAddr).
;  2. ZwOpenSection("\Device\PhysicalMemory") for map read/write. On
;     STATUS_ACCESS_DENIED: reopen with READ_CONTROL|WRITE_DAC, widen the
;     object's DACL (SetPhyscialMemorySectionCanBeWrited), close, reopen.
;  3. MapViewOfFile the GDT page; unless already present, write a DPL-3 call
;     gate at GDT offset 3E0h and a flat ring-0 code segment at 3E8h. The
;     gate's target offset is GdtAddr itself, whose first byte (the unused
;     null descriptor) is set to 0C3h (`ret`).
;  4. `call fword ptr [Callgt]` enters ring 0 at that `ret`; the near return
;     pops the ring-3 return EIP, so execution continues at _Ring0Proc at
;     CPL 0. That block polls the primary IDE status port (1F7h), issues
;     IDENTIFY DEVICE (0ECh), `rep insw`s the reply into stIDEINFO and
;     far-returns to Ring3.
;  5. Restore thread priority, ZwClose the section, return TRUE.
;
; Clobbers ebx/esi/edi (no `uses`); main, the only caller, does not rely on them.
; Locals tmpSel, objectAttributes and objName are declared but never used.
; Platform note: this relies on user-mode map access to \Device\PhysicalMemory,
; which Windows removed from Server 2003 SP1 onward, and on a 32-bit kernel
; whose GDT starts on a page boundary (the page mask drops the offset).
;-----------------------------------------------------------------------
ExecRing0Proc proc
local tmpSel:dword                  ; unused
local setcg:dword                   ; set to TRUE unconditionally below
local BaseAddress:dword             ; mapped view of the GDT page
local NtdllMod :dword               ; HMODULE of ntdll.dll
local hSection:HANDLE               ; \Device\PhysicalMemory section handle
local status:NTSTATUS
local objectAttributes:OBJECT_ATTRIBUT\
ES ; unused; the global ObjAttr is used instead
local objName:UNICODE_STRING        ; unused; the global objname is used instead
mov status,STATUS_SUCCESS;
; GdtLimit (word) and GdtAddr (dword) are contiguous in .data?, as sgdt requires.
sgdt GdtLimit
invoke MiniMmGetPhysicalAddress,GdtAddr
mov mapAddr,eax                     ; 0 if the GDT base fell outside the helper's window
test eax,eax
jz Exit1                            ; NOTE(review): jumps to main's Exit1 with this proc's `local` frame still on the stack, so the `pop fs:[0]` there pops the wrong slot
; `call @f` pushes the address of the inline string; the callee sees it as its argument.
call @f
db "Ntdll.dll",0
@@:
call LoadLibraryA
mov NtdllMod,eax

; Finish the hand-built UNICODE_STRING: Buffer -> the UTF-16 text.
lea edx,objnamestr
mov objnameptr,edx
lea edi,ObjAttr
and di,0fffch ;align to 4 bytes,or ZwOpenSection will fail
; (ObjAttr follows `align 4`, so the `and` is a no-op; were it not, it would step backwards into the preceding data.)
push edi ;edi->ObjAttr
push 24 ;length of <\Device\PhysicalMemory>
; (24 is sizeof OBJECT_ATTRIBUTES, not the string length.)
pop ecx
push ecx
xor eax,eax
rep stosb ;put ObjAttr with 0
pop ecx                             ; ecx = 24 again
pop edi                             ; edi = ObjAttr again
mov esi,edi                         ; esi -> ObjAttr, kept for the ZwOpenSection calls
stosd                               ; +0: 0, overwritten next with 24 (nLength)
mov dword ptr[esi],ecx
stosd                               ; +4: RootDirectory = NULL
lea eax,[edx-8] ;eax->objname       ; objname sits 8 bytes before objnamestr
stosd ;ObjAddr(18h,00,00,00,00,00,00,00,offset objname,40,02,00,00,dd 2 dup(0)
mov dword ptr [edi],240h            ; +12: Attributes = 200h or 40h (kernel handle | case insensitive), written as a literal

; Resolve ZwOpenSection; ebx keeps the pointer for the reopen paths.
call @f
db "ZwOpenSection",0
@@:
push NtdllMod
call GetProcAddress
mov ebx,eax ;ebx=ZwOpenSection

; First attempt: open for map read/write.
push esi ;esi->ObjAttr
push SECTION_MAP_READ or SECTION_MAP_WRITE
lea edi,hSection
push edi ;edi->hSection
call eax ;ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr)
mov status,eax
cmp status,STATUS_ACCESS_DENIED
jnz AccessPermit                    ; any other status (including success) skips the DACL path
mov eax,ebx

; Access denied: reopen with READ_CONTROL|WRITE_DAC, widen the object's DACL,
; close, then open a third time with the map rights.
push esi
push READ_CONTROL or WRITE_DAC
push edi
call eax
mov status,eax                      ; not checked; overwritten by the reopen below
invoke SetPhyscialMemorySectionCanBeWrited,hSection
call @f
db "ZwClose",0
@@:
push NtdllMod
call GetProcAddress

push hSection
call eax ;zwClose hSection
mov eax,ebx

push esi
push SECTION_MAP_READ or SECTION_MAP_WRITE
lea edi,hSection
push edi
call eax
mov status ,eax
;status =ZwOpenSection(&hSection,SECTION_MAP_WRITE|SECTION_MAP_WRITE,&objectAttributes);
AccessPermit:
cmp status ,STATUS_SUCCESS
jz @f
;printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status);
;return 0;
mov eax,0
ret
@@:
; Map GdtLimit+1 bytes of physical memory starting at the GDT's page.
; mapAddr was page-masked, so the view starts at the page; esi below equals
; the GDT base only if the GDT itself is page-aligned.
movzx eax,word ptr[GdtLimit]
inc eax
invoke MapViewOfFile,hSection, FILE_MAP_READ or FILE_MAP_WRITE, 0, mapAddr, eax
mov BaseAddress,eax
cmp BaseAddress,0
jnz @f
;printf("Error MapViewOffile:");
;PrintWin32Error(GetLastError()); return 0;
; (the line above lost its leading ';P' in the paste and would not assemble; restored as the comment it was)
mov eax,0
ret
@@:
mov esi,eax ;esi->gdt base
mov ecx,3e0h                        ; GDT offset of the call gate (selector 3E0h)
mov eax,GdtAddr
; Install only if the gate's selector/type dword is not already present.
.if dword ptr [esi+ecx+2]!=0ec0003e8h
mov byte ptr [esi],0c3h             ; first byte of the null descriptor := 0C3h (`ret`); the gate below targets exactly this byte

mov word ptr [esi+ecx],ax           ; gate offset[15:0]  = GdtAddr low half
shr eax,16
mov word ptr [esi+ecx+6],ax         ; gate offset[31:16] = GdtAddr high half
mov dword ptr [esi+ecx+2],0ec0003e8h ; selector 03E8h, DCOUNT 0, type byte 0ECh (present, DPL 3, 32-bit call gate)

; Descriptor at 3E8h: base 0, limit 0FFFFFh with G=1 and D=1, type 9Ah = ring-0 execute/read code.
mov dword ptr [esi+ecx+8],0000ffffh
mov dword ptr [esi+ecx+12],00cf9a00h
.endif

; setcg is always TRUE, so the close-and-fail branch below is dead code.
mov setcg,TRUE;
cmp setcg,0
jnz ChangeOK
call @f
db "ZwClose",0
@@:
push NtdllMod
call GetProcAddress
push hSection
call eax
xor eax,eax
ret
ChangeOK:
; Far pointer for the gate call: offset 0 (ignored for a gate), selector 3E0h or 3 (RPL 3).
and dword ptr Callgt,0
xor eax,eax
mov ax,3e0h
or al,3h
mov word ptr [Callgt+4],ax
;farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate;
lea eax,_Ring0Proc
;invoke VirtualLock,eax,seglen
test eax,eax                        ; address of a code label, never 0: the failure path is dead
jnz @f
xor eax,eax
ret
@@:
; Raise priority and yield once before entering ring 0 (presumably to make
; preemption while at CPL 0 with interrupts enabled less likely).
invoke GetCurrentThread
invoke SetThreadPriority,eax,THREAD_PRIORITY_TIME_CRITICAL

invoke Sleep,0
call fword ptr [Callgt] ;use callgate to Ring0!
;_asm call fword ptr [farcall]
; The gate lands on the `ret` byte at GdtAddr; that near return pops this
; instruction's address, so execution resumes here at CPL 0 with the ring-0
; stack now holding [CS][ESP][SS] of the ring-3 caller.
_Ring0Proc: ; Ring0 code here..
mov eax,esp ;save ring0 esp
mov esp,[esp+4];->ring3 esp         ; slot 1 = caller's ESP once the EIP slot has been popped
push eax                            ; ring-0 esp parked on the ring-3 stack
mov ebx,offset stIDEINFO
assume ebx:ptr IDEINFO
;********************************************************************
; Wait for the drive: poll status port 1F7h for 50h (ready, seek complete),
; at most 10000h reads.
;********************************************************************
mov ecx,10000h
mov dx,01f7h
@@:
in al,dx
cmp al,50h
jz @F
loop @B
jmp _II_TimeOut
@@:
;********************************************************************
; Send the command.
; Primary controller ports are 1F0h-1F7h, secondary 170h-177h.
; 1F6h: 0A0h selects the master device, 0B0h the slave.
; 1F7h: 0ECh = IDENTIFY for an ATA device, 0A1h for an ATAPI device.
;********************************************************************
mov al,0a0h ;Drive 0,Head 0
mov dx,01f6h ;Drive and head port
out dx,al
mov al,0ech
inc dx ;Command port
out dx,al
;********************************************************************
; Wait for the drive again: status 58h = ready, seek complete, data request.
;********************************************************************
mov ecx,10000h
@@:
in al,dx;1f7 (r-status register)
cmp al,58h;(driver is ready ,and seek complete)
jz @F
loop @B
jmp _II_TimeOut
@@:
;********************************************************************
; Read the reply; all 100h words must be drained from the data port.
; NOTE(review): 100h words is 512 bytes, but IDEINFO as declared above is
; 256 bytes, so the second half is written past stIDEINFO.
;********************************************************************
cld
mov edx,01f0h;data port - data comes in and out here
mov edi,ebx
mov ecx,0100h
rep insw
;********************************************************************
; Model, serial and firmware come back byte-swapped within each 16-bit word;
; swap them in place so they read as ordinary strings.
;********************************************************************
lea esi,[ebx].sSerialNumber
mov edi,esi
mov ecx,10                          ; 10 words = the 20-byte serial
@@:
lodsw
xchg ah,al
stosw
loop @B

lea esi,[ebx].sFirmwareRev
mov edi,esi
mov ecx,24                          ; 24 words = firmware (8 bytes) + model (40 bytes), contiguous
@@:
lodsw
xchg ah,al
stosw
loop @B
_II_TimeOut:
assume ebx:nothing

; Back to ring 3: restore the ring-0 esp ([CS][ESP][SS] frame), push the
; return EIP on top of it and far-return.
pop esp ;restore ring0 esp
push offset Ring3
retf
Ring0CodeLen=$-_Ring0Proc           ; unused

Ring3:
invoke GetCurrentThread
invoke SetThreadPriority,eax,THREAD_PRIORITY_NORMAL
;invoke VirtualUnlock,Entry,seglen

call @f
db "ZwClose",0
@@:
push NtdllMod
call GetProcAddress
push hSection
call eax
mov eax,TRUE
ret
ExecRing0Proc endp
, [/ p0 [1 R: s Z" w
;-----------------------------------------------------------------------
; Entry point. Installs a minimal SEH frame (MySEH), refuses to run when DS
; is an LDT selector (the author's Win9x check), calls ExecRing0Proc, and
; shows either the formatted IDENTIFY data or an error message.
;-----------------------------------------------------------------------
main:
assume fs:nothing
; SEH record: handler, previous head; fs:[0] -> the new record.
push offset MySEH
push fs:[0]
mov fs:[0],esp
mov OldEsp,esp                      ; MySEH resets esp to this
mov ax,ds ;if Win9x?
test ax,4                           ; selector TI bit (bit 2): set -> LDT selector -> bail out
jnz Exit1
invoke ExecRing0Proc                ; return value ignored; success is judged by stIDEINFO.wNumCyls
; If the IDENTIFY data arrived, copy the three fixed-width strings into the
; NUL-padded sz* buffers (each one byte longer than its field; .data? is
; zero-filled at load) and format them.
.if stIDEINFO.wNumCyls
 lea esi,stIDEINFO.sModelNumber
 mov edi,offset szModelNumber
 mov ecx,sizeof stIDEINFO.sModelNumber
 rep movsb

 lea esi,stIDEINFO.sSerialNumber
 mov edi,offset szSerialNumber
 mov ecx,sizeof stIDEINFO.sSerialNumber
 rep movsb

 lea esi,stIDEINFO.sFirmwareRev
 mov edi,offset szFirmwareRev
 mov ecx,sizeof stIDEINFO.sFirmwareRev
 rep movsb

 movzx eax,stIDEINFO.wNumCyls
 movzx ebx,stIDEINFO.wNumHeads
 movzx ecx,stIDEINFO.wSectorsPerTrack
 movzx edx,stIDEINFO.wBufferSize
 invoke wsprintf,addr szBuffer,addr szIDEInfo, eax,ebx,ecx,edx, addr szModelNumber, addr szSerialNumber, addr szFirmwareRev
 mov eax,offset szBuffer
.else
 mov eax,offset szErrInfo
.endif
@@:
invoke MessageBox,NULL,eax,addr szTitle,MB_ICONINFORMATION or MB_OK
Exit1:
; Unlink the SEH record and exit 0. ExecRing0Proc also jumps here on an
; early failure with its own frame still on the stack (see the note there).
pop fs:[0]
add esp,4
invoke ExitProcess,0

; Exception handler: reset esp to the value saved in main, unlink the SEH
; record and exit with -1; no attempt to continue or report.
MySEH :
mov esp,OldEsp
pop fs:[0]
add esp,4
invoke ExitProcess,-1
end main
' M4 ^& T5 M+ n- G: ?3 F2 C