我可没这个水平
; Target: 32-bit flat model, stdcall, MASM32 toolchain (see the includes that follow).
; NOTE(review): every line of this listing carries interleaved stray characters
; (forum anti-copy garbling); as pasted it will not assemble. Only comment text
; has been rewritten here; all other bytes are left exactly as found.
9 y p( {+ d; ~.686p
1 v/ ^7 ]! n* l8 P# O/ H6 K.model flat, stdcall
$ ~3 w: J" h# m, a% yoption casemap :none ; case sensitive identifiers
; #########################################################################8 s& W, y+ W5 S
include \masm32\include\windows.inc0 D+ r% a. r$ s4 a# ^
include \masm32\include\user32.inc
& g2 ?3 X3 y; ^% V( |, C; n% J4 Ainclude \masm32\include\kernel32.inc, \0 ~: t7 B6 m! ?, E3 V) s" g8 _* W
include \masm32\include\advapi32.inc
$ [3 R/ R8 U7 _% V
6 A' v1 ^* Q# f$ s& e6 P3 aincludelib \masm32\lib\user32.lib' m2 M8 i3 g) c
includelib \masm32\lib\kernel32.lib! A% C& v; I( @0 b- i
includelib \masm32\lib\advapi32.lib
; Types and constants the MASM32 includes of this era do not provide.
; DEBUG is declared but never tested anywhere in this listing.
3 U; }; q% g! Y- ]' uDEBUG = TRUE @) k9 x! n' P; Z9 f; c0 o, d
3 ?" ?5 Z4 s3 U6 Q8 n. vHMODULE typedef dword
9 v' Y5 o0 `& I' E" {NTSTATUS typedef dword- z8 |) X% q0 ^6 }0 a
PACL typedef dword( S$ @# a! R& w( k/ ~
PSECURITY_DESCRIPTOR typedef dword
, e& C" `. G) ?; j1 O+ e( o
; OBJECT_ATTRIBUTES.Attributes flags. NOTE(review): OBJ_KERNEL_HANDLE below lacks
; the 'h' suffix its siblings carry (decimal 200 = 0C8h); ExecRing0Proc stores the
; literal 240h (= OBJ_CASE_INSENSITIVE or 200h) directly, so this equate is unused.
3 ?: k- s8 U; I# U2 O+ }OBJ_INHERIT=2 / P9 t4 X( T# o$ L
OBJ_PERMANENT=10h
: S5 s S# m' U; g+ z9 OOBJ_EXCLUSIVE=20h 6 W8 ~- E& z2 a7 A
OBJ_CASE_INSENSITIVE=40h
; F1 F# ?8 a3 F: Q' |OBJ_OPENIF=80h
* o g5 P0 F" v9 {8 a5 x3 |; @% v8 ~OBJ_OPENLINK =100h + k$ t3 x0 _: U
OBJ_KERNEL_HANDLE=200 1 `- ^0 U, P9 J% h6 A
OBJ_VALID_ATTRIBUTES=3F2h ! y' h; o p+ b; L a3 h# d
: V% G6 o; b0 [. F- a q+ D) X
; SE_OBJECT_TYPE value for kernel objects (sections), as passed to
; GetSecurityInfo/SetSecurityInfo in SetPhyscialMemorySectionCanBeWrited.
SE_KERNEL_OBJECT = 6
; ACCESS_MODE / inheritance / TRUSTEE_FORM / TRUSTEE_TYPE values for EXPLICIT_ACCESS.
; NOTE(review): TRUSTEE_IS_USER reads "10" here but its use site comments it as 1;
; the trailing 0 is probably garbling - verify against the SDK's TRUSTEE_TYPE enum.
! j7 k0 Y7 W: P. G2 H% M) @- cGRANT_ACCESS =1# I0 o. U8 @, b* {1 n' C3 D
NO_INHERITANCE =0; no ACE inheritance
TRUSTEE_IS_NAME=1+ N) J9 [3 L2 F: M7 d9 g# |
TRUSTEE_IS_USER=10 \8 \7 s/ e3 F
; NTSTATUS values compared against the result of ZwOpenSection.
STATUS_SUCCESS =0
. t0 d! t0 @ L7 rSTATUS_ACCESS_DENIED =0C0000022h" F) ~7 } ]1 T
# a' t* G& W& _( X) P5 @& Y! ^
; The next three equates are not referenced anywhere in this listing.
STATUS_ACCESS_VIOLATION equ 0C0000005h E/ n+ u7 w1 u* K
STATUS_INFO_LENGTH_MISMATCH equ 0C0000004h8 g& @& l5 F' M! R4 m2 N4 {0 S
SystemModuleInformation equ 11; unused
PVOID TYPEDEF DWORD
- P3 g6 _% E+ m6 X0 }6 o2 u! D" zUNLONG TYPEDEF DWORD. {9 z# y1 ?6 a) }* w/ ~! ?+ [; d1 `
CHAR TYPEDEF BYTE
/ Q6 I% A' c$ u$ ~' x) f2 ~* I$ P# t' g/ }+ D5 ^1 q: ~
; NT UNICODE_STRING: byte length, byte capacity, pointer to the UTF-16 buffer.
; ExecRing0Proc declares a local of this type that is never referenced; the
; instance actually handed to ZwOpenSection is the hand-laid objname/objnameptr
; pair in .data.
UNICODE_STRING struct
, O( X" C$ U7 U, t nLength word ?
$ H- _2 X6 U4 U! h1 c MaximumLength word ?
: I9 X& j. h) u# O2 l3 B Buffer dword ?
- R) J4 ?# x6 K4 PUNICODE_STRING ends+ G x3 N' `: D `& ~' E
; NT OBJECT_ATTRIBUTES, 24 bytes. ExecRing0Proc builds this layout by hand in the
; ObjAttr buffer (Length=18h, ObjectName=&objname, Attributes=240h, rest zero)
; rather than through a variable of this type; its local objectAttributes is unused.
2 L' T" }, \8 Y4 Q! S& EOBJECT_ATTRIBUTES struct Y& P) k' v: z p( v- N! W) A* e
nLength dword ? ; total size of the structure (24)
RootDirectory HANDLE ? 5 V4 {" _$ A8 j% V
ObjectName dword ?UNICODE_STRING f! Z9 g" e3 `( n3 \/ U
Attributes dword ?; OBJ_* flags
SecurityDescriptor dword ?; PVOID // Points to type SECURITY_DESCRIPTOR
& T$ f4 D# D6 o4 v& I* h+ E SecurityQualityOfService dword ?VOID // Points to type SECURITY_QUALITY_OF_SERVICE
) f4 A/ N& Y1 d+ x, n& J( \OBJECT_ATTRIBUTES ends
S( {" |: c; n3 F/ _
( g( s$ F! m& z' B5 `6 R5 \9 j: s; N& }% q
; TRUSTEE as consumed by SetEntriesInAcl (one entry, identified by name, is
; built in SetPhyscialMemorySectionCanBeWrited).
TRUSTEE struct ) o1 B. o( R' p" s5 v. W
pMultipleTrustee dword ?TRUSTEE 9 h' D% b) C3 |2 c( ^! o' C
MultipleTrusteeOperation dword ?; MULTIPLE_TRUSTEE_OPERATION
9 J' }: Y, Q1 m" X TrusteeForm dword ?;TRUSTEE_FORM
TrusteeType dword ?;TRUSTEE_TYPE
ptstrName dword ?;LPTSTR - the trustee name when TrusteeForm = TRUSTEE_IS_NAME
s$ U1 ^5 ]- n; h! i# X- VTRUSTEE ends& H% \! V8 M: U9 @5 J: @
! y0 p/ t9 @7 B l& I- i( A0 T
; EXPLICIT_ACCESS: one ACE to be merged into a DACL by SetEntriesInAcl.
' i" v7 q6 Z! ^5 w z; `EXPLICIT_ACCESS struct$ i6 g7 i6 Q1 T2 K+ e' X* P( X
grfAccessPermissions DWORD ? 9 Z9 N& }+ s! q- C. G( @5 S
grfAccessMode dword ? ;ACCESS_MODE (GRANT_ACCESS here)
grfInheritance DWORD ? ; NO_INHERITANCE here
6 v3 U- C+ N: L6 j2 {6 v Trustee TRUSTEE <> ; who the ACE applies to
7 ]9 T- H, H# ?4 A5 d& {0 FEXPLICIT_ACCESS ends
6 A8 e5 e3 T E- h! Y( O( N% K5 [6 k& q! D& _
; 8-byte 80386 call/interrupt gate descriptor layout. NOTE(review): this type is
; never used by name - ExecRing0Proc writes its gate with raw [esi+ecx+n] stores -
; but those stores follow exactly this layout (offset lo, selector, dcount, type, offset hi).
MyGATE struct ;gate descriptor layout
9 P+ M6 a5 m/ T+ P OFFSETL WORD ? ;low 16 bits of the 32-bit target offset
: w& }4 a7 O7 N* r8 Z* n% ?- G) c S SELECTOR WORd ? ;target code-segment selector
DCOUNT BYTE ? ;dword parameter count
5 A, t% X* a2 w# M5 A* @ GTYPE BYTE ? ;type/attribute byte (P, DPL, gate type)
OFFSETH WORD ? ;high 16 bits of the target offset
MyGATE ends9 l( q+ O. g2 U+ |* E# ]$ i
; 512-byte (100h-word) IDENTIFY DEVICE response; ExecRing0Proc fills stIDEINFO
; with `rep insw` of 100h words from port 1F0h. Only wNumCyls, wNumHeads,
; wSectorsPerTrack, wBufferSize and the three strings are used by main.
8 r$ s0 d' \9 j5 n3 dIDEINFO struct
) o X6 b& ?7 H# M% OwGenConfig dw ?
0 q3 ]" ?$ z2 d( z* vwNumCyls dw ?;cylinders (main treats 0 as "nothing was read")
wReserved dw ?
- t5 q- d& U' S$ ~/ xwNumHeads dw ?;heads
wBytesPerTrack dw ?;bytes per track
wBytesPerSector dw ?;bytes per sector
* ]" u& H' W( x8 rwSectorsPerTrack dw ?;sectors per track
! ?+ [/ [( h: L* H; j! {wVendorUnique dw 3 dup (?)
; {" v, R7 e& G# ?) r5 NsSerialNumber db 20 dup (?);serial number (byte pairs swapped in place after the read)
wBufferType dw ?;
wBufferSize dw ?;buffer size in 512-byte sectors
! r1 `: N( G/ {) l. K, rwECCSize dw ?1 u: T% X- M8 U
sFirmwareRev db 8 dup (?);firmware revision; sFirmwareRev+sModelNumber are byte-swapped as one 24-word run
6 R7 y' U% E% ~8 PsModelNumber db 40 dup (?)8 z7 w. s( Q s# `
wMoreVendorUnique dw ?% Q* F+ @, i9 O; z# ?* B7 O# m* V* U
wDoubleWordIO dw ?1 s, E+ V) [, I/ p" L* U! ]
wCapabilities dw ?. S4 b4 w& U/ V5 u+ N
wReserved1 dw ?1 b M' \: h I' c
wPIOTiming dw ?;
wDMATiming dw ?;
' \3 F- \6 z/ EwBS dw ?5 z, O' G% r+ ~" H
wNumCurrentCyls dw ?;
wNumCurrentHeads dw ?;
wNumCurrentSectorsPerTrack dw ?;
dwCurrentSectorCapacity dd ?;
2 h1 a: S0 M: U1 t3 ywMultSectorStuff dw ?;
dwTotalAddressableSectors dd ?;
wSingleWordDMA dw ?;
wMultiWordDMA dw ?;
bReserved db 128 dup (?)& K# k# E7 G8 Z; a8 {% v& o
IDEINFO ends0 ?# T# H+ w; ~4 `; u& U) N
; h9 |) f& `1 S$ V$ f, {8 f
; Forward declarations so `invoke` can call these procs before their definitions.
* ~" N$ T! Q! m/ cSetPhyscialMemorySectionCanBeWrited proto :dword$ s5 K% g- b5 R7 f5 y+ {
MiniMmGetPhysicalAddress proto :dword
9 \1 R, @) m% o" S! C/ z4 k6 g
; Ring-0 entry helper: save registers and flags, mask interrupts, and clear
; CR0.WP (bit 16) so supervisor writes ignore page write-protection. Clobbers eax.
; NOTE(review): neither ENTERRING0 nor LEAVERING0 is expanded anywhere in this
; listing; the ring-0 body in ExecRing0Proc handles its own stack switching instead.
2 X/ q3 r2 K( I7 l# o& K3 zENTERRING0 macro2 Z- Z0 @1 _" c2 |6 Q/ |) m+ W b0 F
pushad
/ W- {- u- {1 s: X4 E5 `pushfd
2 z8 [2 X$ v4 E) d ? vcli
0 d. k& y/ z" ], Lmov eax,cr0 ;clear the write-protect bit
and eax,0fffeffffh. f9 Y( L% h- M# ]7 V& r
mov cr0,eax
% z$ \8 z/ X6 A/ [$ I5 q6 sendm: P! l: Q, d$ P4 @* J, @2 I
) F; m, I* M, W* U/ a. A
; Counterpart of ENTERRING0: restore CR0.WP, re-enable interrupts, restore
; flags/registers and return with a far `retf` (i.e. back through a call gate).
; Not expanded anywhere in this listing.
LEAVERING0 macro
( R. o1 Q' e0 j" C! dmov eax,cr0 ;restore the write-protect bit
# m) M3 e h1 x" Aor eax,10000h
& K8 j! h6 y: y8 N. Mmov cr0,eax
; U& a% j; U9 ?/ Z) Gsti+ t8 }" M% d0 Z M1 E
popfd " ~+ P/ l. ?3 `% n6 E0 g
popad
4 B! i9 m' A6 U# V4 ]# dretf
6 |- m9 e# l8 ?0 Q& g; C: v( rendm2 C" y8 v9 A. D l
3 H% @; X4 e7 y. D
; UNICODE_STR <text>: emits each character of <text> followed by a zero byte,
; i.e. a UTF-16LE string without terminator; used to build objnamestr in .data.
; ?7 n# o' u; \: } DUNICODE_STR macro str
! I3 M9 H) Q& Q; firpc _c,<str>
& x8 G" \3 @8 n ~db '&_c'2 H% L* B8 ^# M# j
db 0
4 m8 ~8 p5 Q) C3 b( _1 eendm, L; c8 h2 S; l+ o* x0 {/ o4 [2 A7 ~
endm$ C( k2 M1 C* t/ ]
, R% D$ M& Q0 d
.data?( t- h3 V: J% v7 {# J8 m
; 6-byte SGDT target: 16-bit limit followed by the 32-bit linear base.
GdtLimit dw ?
6 Z, m) A0 i" i& ~( K: TGdtAddr dd ?6 x0 @+ H3 F' q* [1 T5 b
4 o" K3 A; a: b- x
; Physical address of the GDT page (from MiniMmGetPhysicalAddress), used as the
; MapViewOfFile offset into the \Device\PhysicalMemory section.
mapAddr dd ?- Z! Z7 A0 J5 l( y/ E' x' B0 S+ x
; Stack pointer saved by main for the SEH handler MySEH.
OldEsp dd ?
6 L) j* w z4 j$ ]0 x
; readed/buffer/ShowText are used only by _ShowBuffer, which nothing calls here.
9 c5 E: |" y* f* freaded dw ?
3 b, ]! ~/ V+ }: w+ a2 Ebuffer db 512 dup(?)
5 o% h# Q2 s2 p4 t9 G0 X4 ~; TShowText db 512*3 dup (?)
! N7 s# V2 h X \0 @8 [4 y, k
; Output buffers for main. The three sz* buffers are one byte longer than the
; corresponding IDEINFO fields so the rep movsb copies stay NUL-terminated
; (this section is zero-filled at load).
6 G3 R$ Z3 i* M) J6 o: y) w; Y1 bszBuffer db 1024 dup (?)
2 Q0 U7 u, e3 k0 d, ]+ R) uszModelNumber db 41 dup (?)
! X$ A6 x8 `2 g1 f: [szSerialNumber db 21 dup (?)+ o4 }9 e c- }9 z1 w# W
szFirmwareRev db 9 dup (?)3 l h1 ~3 ~- O! _( A
( y8 L$ G, {: f/ b
; IDENTIFY DEVICE data filled by the ring-0 code in ExecRing0Proc.
stIDEINFO IDEINFO >$ ]& f; ]5 [% k6 i+ L- p' ~: v
+ v- y$ \( B4 I7 N$ N0 x/ c2 C
.data
0 J& k! C% i7 R: I( _align 4
; objname/objnameptr form a UNICODE_STRING {Length, MaximumLength, Buffer} that
; sits 8 bytes before objnamestr; Buffer is filled in at run time by ExecRing0Proc
; (lea edx,objnamestr / mov objnameptr,edx), which then stores edx-8 as ObjectName.
: w. w5 ~- F. R0 F" Y3 J- y8 _objname dw objnamestr_size,objnamestr_size+2. r" W1 [( o' ]" f7 h
objnameptr dd 0
6 n0 C' `4 T0 t/ ]objnamestr equ this byte
: W2 e8 Y x( l7 g6 h( wUNICODE_STR <\Device\PhysicalMemory># T: T) D9 Z( H" E7 } ~
objnamestr_size equ $-objnamestr0 m9 c9 F+ E) s/ l7 A% x
% z8 N) x4 ]" H" O; b: q
; UI strings. szIDEInfo is the wsprintf format used by main: cylinders, heads,
; sectors per track, buffer size (sectors), model, serial number, firmware revision.
szTitle db 'IDE 硬盘信息',0
( H2 e4 y# Y& A; BszErrInfo db '无法读取硬盘信息',0
8 o/ r0 t% |; z$ c7 iszIDEInfo db '柱面数 : %d',0dh,0ah
; H- A3 {+ J6 H, G0 f' F; B; D db '磁头数 : %d',0dh,0ah: s ~% M- O! U# R# g6 o
db '每道扇区数 : %d',0dh,0ah, s! V# {3 s: k' n0 N( T
db '缓冲大小 : %d 扇区',0dh,0ah
& x% z# h$ R7 r2 h* V db '硬盘型号 : %40s',0dh,0ah+ R4 O F% c" Q. o: R8 [
db '序列号 : %20s',0dh,0ah* l7 j' b# A8 p8 B9 p) Y& o( H
db '版本号 : %8s',0
6 C3 \( r# R& p9 X( v, l$ H" C4 k+ ^: X% k% P6 S0 e
align 4
; Hand-filled OBJECT_ATTRIBUTES (24 bytes) passed to ZwOpenSection; the align 4
; matters because ExecRing0Proc also masks the address down to a 4-byte boundary.
1 z e) ~# J/ s5 o% yObjAttr db 24 dup (0)
. {8 Z# W/ p' H! H( V. s
; 6-byte far pointer (offset:selector) for `call fword ptr [Callgt]`; the selector
; (3E0h or 3, RPL 3) is stored at run time, the offset stays 0 (ignored by a call gate).
( C3 v9 m. |5 H8 w# l5 y" l4 iCallgt dq 0 ;call gate far pointer
! N' l* I$ v% k0 l1 `- E* y VCaption db 'Windows XP绝对磁盘读写',04 w9 @" a3 r3 B4 G. P0 m
Digit db '0123456789ABCDEF',0
, x2 `3 ?5 o8 E.code" l, T" C+ h4 R; Y _" G
;-----------------------------------------------------------------------
; _ShowBuffer: hex-dump the 512 bytes at `buffer` into ShowText ("XX " per
; byte, the 16th separator replaced by CR) and show it in a message box.
; In:    nothing (operates on the globals buffer, ShowText, Digit, readed)
; Out:   eax = MessageBoxA return value
; Clobb: eax, ebx, ecx, esi, edi, flags; readed
; NOTE(review): nothing in this listing calls it. It writes exactly 512*3
; bytes - the whole of ShowText - and stores no terminating NUL of its own,
; so the displayed text presumably ends at the first zero byte of whatever
; follows ShowText in .data? (szBuffer, zero-filled at load).
;-----------------------------------------------------------------------
_ShowBuffer proc ;show the bytes that were read
;convert the data to hex text
mov [readed],512. x5 h5 n4 `, n; M* l* C9 ^
mov esi,offset buffer ;source bytes
mov edi,offset ShowText ;destination text
! K1 v/ G" I% l4 P2 t mov ebx,offset Digit
' d( W2 j0 Y: K0 S, I xor ecx,ecx$ Q( _" O0 ~8 E5 N
; eax is kept zero above al so that `shr eax,4` after lodsb yields a clean nibble
xor eax,eax" N) ~: ^+ @: v+ o# n2 C
computeAgain:7 \0 Q1 y! P" d
cmp [readed],0
~9 s& ?+ N T! a$ p# I jz endCompute. Z; q9 o2 D) O: p
dec [readed]
5 N8 g& O. J- `& y* t lodsb! s' ?% @4 q4 m. V1 a
push eax8 \; ~- L$ ~: p8 r5 ]
shr eax,4 ;high nibble
xlatb
4 C, E9 e6 |7 c" v stosb' |2 f6 W1 _4 D' i& [
pop eax
& p3 O, d) |3 A. r! f$ O and eax,0fH ;low nibble
# z+ A: ~/ y6 ^$ ?6 g- ~4 p" h" l xlatb, `! g2 w$ r- |; U: S* P) D- g: V7 h
stosb
+ d7 z7 j7 E- q. z i mov byte ptr[edi],' ' ;separator
0 m. k U9 ]- x inc edi
0 c( m. e7 Q5 g% M/ L inc ecx9 f0 G$ j( d* F( K' f: V
cmp ecx,16& _/ v2 A. [& ?' E' c. s0 S6 A
jnz computeAgain* B+ q/ i, n3 Z
xor ecx,ecx
{& n) u+ F d5 [' T8 I0 b/ m9 R mov byte ptr[edi-1],13 ;end of a 16-byte row: replace the separator with CR
p/ y# i8 j1 ^6 H jmp computeAgain
& Y9 J z4 J7 @) P% HendCompute:6 h3 i1 g ^! _! n- k% t
;display
invoke MessageBoxA,NULL,offset ShowText,offset Caption,MB_OK1 \& m. R) Q( b: p
ret8 W+ Y# W- {4 S+ _6 K
_ShowBuffer endp;
;-----------------------------------------------------------------------
; SetPhyscialMemorySectionCanBeWrited(hSection)
; Reads the section's DACL (GetSecurityInfo), merges one GRANT_ACCESS entry
; giving the trustee name "CURRENT_USER" SECTION_MAP_WRITE (SetEntriesInAcl),
; and writes the DACL back (SetSecurityInfo). hSection must carry
; READ_CONTROL and WRITE_DAC; the caller reopens it that way after a
; STATUS_ACCESS_DENIED.
; In:    hSection (stdcall argument)
; Out:   eax = return value of whichever API ran last - not a defined
;        status, and the caller does not check it
; Clobb: eax, ecx, edx (ebx/esi/edi preserved by `uses`)
; NOTE(review): SetSecurityInfo changes the object's security descriptor, so
; the grant presumably stays in effect after this handle is closed.
; pSD and pNewDacl are never zeroed, so the `jmp OutSet` paths after a failed
; GetSecurityInfo / SetEntriesInAcl can reach LocalFree with uninitialised
; stack values. dwRes is written but never read.
;-----------------------------------------------------------------------
1 y% X4 F$ u; U }SetPhyscialMemorySectionCanBeWrited proc uses ebx esi edi hSection:HANDLE
| ?8 A- `5 slocal pDacl: PACL % ]2 a7 |$ F* @
local pNewDaclACL 4 L% Z8 @: m. A0 c/ B
local pSD SECURITY_DESCRIPTOR
, r7 e7 w: @$ t% s1 L: E1 n- J' Rlocal dwRes:DWORD ;
local ea:EXPLICIT_ACCESS ;
; Fetch the current DACL; pSD receives the descriptor that owns it (freed below).
2 n: @( S' O. Q4 p) Qinvoke GetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL, addr pDacl,NULL, addr pSD7 W5 S% C9 K: q& M- L9 p" O6 s3 `5 C
cmp eax,ERROR_SUCCESS. E+ i8 I% v5 z0 p$ Y) S
jz @f
9 l7 w: j& }& t2 A4 Mjmp OutSet
3 i" Y) O, U3 z3 G8 z+ `@@:0 S6 N6 @5 D# e. g
mov dwRes,eax
; One EXPLICIT_ACCESS: grant SECTION_MAP_WRITE, no inheritance, trustee given
; by name / user type.
- Y2 R p8 B4 l$ e+ a5 p Y- R9 [mov ea.grfAccessPermissions ,SECTION_MAP_WRITE;2
1 R7 h. ^3 U. _2 Q( {6 B* o% Imov ea.grfAccessMode ,GRANT_ACCESS;1
* ]" z; b" ~& J: Imov ea.grfInheritance,NO_INHERITANCE;0
4 H5 u0 c8 w2 K: gmov ea.Trustee.pMultipleTrustee,08 F1 E% k: T; b4 l+ B9 X# N, Y/ G
mov ea.Trustee.MultipleTrusteeOperation,0
% E2 i; d2 K2 wmov ea.Trustee.TrusteeForm,TRUSTEE_IS_NAME;1
- `3 b- p1 Y6 k! E# Q# K% ]mov ea.Trustee.TrusteeType,TRUSTEE_IS_USER;1
; call/pop idiom: the return address pushed by `call @f` is the address of the
; inline string, which becomes the trustee name.
call @f. [$ w# [( A* @7 y
db "CURRENT_USER",0
1 F, U1 C& u* S7 M2 k( d/ |: }* X@@:
0 {3 Q0 m* k8 y& Gpop edx2 |4 ?0 x/ S7 C* d& ?9 h e
mov ea.Trustee.ptstrName,edx
; Merge the entry into a new DACL (pNewDacl, to be released with LocalFree).
6 }) f- ?" P! s3 g+ t# ^invoke SetEntriesInAcl,1,addr ea,pDacl,addr pNewDacl. w; w& _" b4 d. R7 S( p
cmp eax,ERROR_SUCCESS( ^% z2 E6 p+ B6 \1 J
jz @f
) n/ C# t+ H, G: N- m* V5 tjmp OutSet$ r e) `7 c6 v) | |! d# V
@@:
* I/ ?4 G6 }9 } V yinvoke SetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL,pNewDacl,NULL
; Cleanup: free the descriptor and the new DACL if they look allocated.
1 \& h) N# ]0 XOutSet:$ j G/ ^5 y2 A6 k, H) H- v
cmp pSD,07 L) H/ b" m: ]" H9 A7 V5 I" d
jz @f* a c5 F G" N; l0 B, `: _8 N# o4 L7 j
invoke LocalFree,pSD
% L+ Q# S! U" _@@:
$ f( j3 F5 u/ W9 }' `% Rcmp pNewDacl,0
& m" m1 x% v) w0 Jjz @f! `# i" }5 l8 }! u
invoke LocalFree,pNewDacl
8 F/ E; V) g3 W9 J0 c! A% `@@:
d5 P) H7 X% O% Y$ i1 dret
" R6 A# C5 u: z' |SetPhyscialMemorySectionCanBeWrited endp0 u$ t+ g6 [2 w2 N! |: E' ?7 w/ N. V
. h% M9 y; }% i1 W
;-----------------------------------------------------------------------
; MiniMmGetPhysicalAddress(virtualaddress) -> eax
; Converts a kernel virtual address to a page-aligned physical address by
; arithmetic alone: for addresses in [80000000h, 0A0000000h) it clears bits
; 29-31 and the page offset (and eax,1FFFF000h), i.e. phys = virt - 80000000h
; rounded down to a page - the identity mapping this code assumes for the low
; kernel region. Any other address yields 0, which the caller treats as failure.
; NOTE(review): the page offset is discarded as well, so treating the mapped
; view base as the GDT base (ExecRing0Proc) is only right if the GDT starts on
; a page boundary; that is not guaranteed in general.
; Clobb: eax, flags
;-----------------------------------------------------------------------
MiniMmGetPhysicalAddress proc virtualaddress:dword% T$ b;
mov eax,virtualaddress# q( _1 l) R2 \& r, P
cmp eax,80000000h/ K6 D1 I; r& |- n+ C! e: R
jb @f- h* M6 c* m+ k4 l& O
cmp eax,0a0000000h% t- o: n- \" k
jae @f
' A9 d& i) t4 ^6 N+ c and eax,1FFFF000h8 _. w7 b) d4 g% i) S
ret
* U4 a4 K. k1 g5 g/ F @@:
: b: a0 v7 Q/ }( u5 x) j b mov eax,0" g# r0 m9 b2 O4 R- k) K: j: k
ret2 q( A# S8 S* X" K; ^
MiniMmGetPhysicalAddress endp
- H, Y6 F: D* V" ^ C# O8 W; r: I8 t4 `3 I- n0 }
;-----------------------------------------------------------------------
; BOOL ExecRing0Proc(void)
; Opens \Device\PhysicalMemory, maps the physical page that holds the GDT
; into this process, plants a ring-3-callable call gate at GDT offset 3E0h
; and a flat ring-0 code segment at 3E8h, then calls through the gate so the
; IDENTIFY DEVICE port I/O at _Ring0Proc runs with ring-0 privilege and
; fills stIDEINFO.
; Out:   eax = TRUE on success, 0 on any failure (NTSTATUS left in `status`)
; Clobb: ebx, esi, edi are NOT preserved (no `uses` clause), plus eax/ecx/edx
; NOTE(review): every step depends on a user token being able to open the
; section with WRITE_DAC (the DACL rewrite in SetPhyscialMemorySectionCanBeWrited)
; and on the identity mapping assumed by MiniMmGetPhysicalAddress; where the
; kernel refuses user-mode opens of \Device\PhysicalMemory the first
; ZwOpenSection fails and this proc returns 0. Nothing here removes the gate
; and code segment from the GDT afterwards, nor reverts the DACL change. The
; DACL rewrite on that section and the FILE_MAP_WRITE view of it are the
; observable events for anyone monitoring such behaviour.
;-----------------------------------------------------------------------
ExecRing0Proc proc
, G: G9 B r+ p9 Q: Z8 Klocal tmpSel:dword
% B5 q5 a+ W3 D2 R6 mlocal setcg:dword$ O$ Z( B( y% ]2 B/ C8 ~9 t
local BaseAddress:dword( U( w% t) u- g) B7 I' x
local NtdllMod :dword
G& X6 {$ l8 Qlocal hSection:HANDLE
8 `9 f4 G. U( _( _5 V) w7 L5 Flocal status:NTSTATUS% _1 x4 y8 p2 x! o8 c, D: K4 k
; tmpSel, objectAttributes and objName are declared but never referenced.
local objectAttributes:OBJECT_ATTRIBUTES
( w; a2 s- \) e" S0 m0 \local objName:UNICODE_STRING9 ^3 U, H. z" Q5 L
mov status,STATUS_SUCCESS;
; GdtLimit/GdtAddr receive the 6-byte GDTR; the base is then converted to a
; physical address. 0 means "cannot translate" and bails out.
sgdt GdtLimit
% $ h0 o5 F8 L: Ninvoke MiniMmGetPhysicalAddress,GdtAddr
8 J& D$ L/ H: W' D2 ]mov mapAddr,eax
' m7 `3 [% B9 v. `test eax,eax$ y2 N/ y- L2 o: ~
; NOTE(review): Exit1 is a label inside main; jumping there skips this proc's
; epilogue, so main's `pop fs:[0]` then runs with esp still pointing into this frame.
jz Exit1 [+ x: s3 v6 [0 f3 j
; call/pop idiom: the inline string's address is the return address that the
; callee (LoadLibraryA) receives as its argument.
call @f
1 v# R6 D+ H, S# Q/ E2 z1 edb "Ntdll.dll",0
% G7 ^# J8 [& z- L: ]9 K- G@@:
- k- Z8 [3 d: N0 e R X5 hcall LoadLibraryA
2 w% u" G1 V; ?6 V; P' o) Y( ]mov NtdllMod,eax8 N. J+ _8 x, T2 K7 ]7 ^
3 k1 d9 k. h& Z# a+ T
; Complete the UNICODE_STRING in .data (objnameptr -> objnamestr) and lay out
; OBJECT_ATTRIBUTES by hand in ObjAttr: zero 24 bytes, then
; Length=24, RootDirectory=0, ObjectName=&objname, Attributes=240h.
lea edx,objnamestr
: a: W' \ ^ n) v a. K3 r S& imov objnameptr,edx
* o" s8 @0 J8 h/ c2 B9 ulea edi,ObjAttr
_: j' |. x2 y) H$ j# Z- `4 Iand di,0fffch ;align to 4 bytes,or ZwOpenSection will fail
% s8 Q# h2 x2 j& Lpush edi ;edi->ObjAttr
push 24 ;sizeof OBJECT_ATTRIBUTES (24 bytes), also the byte count to zero
pop ecx6 B6 r4 V) b. z( }. P4 z1 t7 B
push ecx' ]5 d# m& J: {9 Q
xor eax,eax6 |1 m) \9 H+ S/ P/ U% ~
rep stosb ;zero ObjAttr
pop ecx
' b* }& Y+ _3 c6 y/ dpop edi
* L8 Z# m6 S! U/ q; l* \mov esi,edi2 B6 s8 J% n6 m
stosd* U6 l* b1 a5 }5 S
mov dword ptr[esi],ecx% h% n9 h! w;nLength = 24 (overwrites the zero dword just stored)
stosd $ n( B: i4 b6 [
lea eax,[edx-8] ;eax->objname (the UNICODE_STRING 8 bytes before objnamestr)
stosd ;ObjectName; bytes now: 18h,00,00,00, 00,00,00,00, offset objname, 40h,02,00,00, dd 2 dup(0)
" J6 `2 J% Y% C2 K- h! mmov dword ptr [edi],240h
/ Y$ `& g6 ~' |' w: U; u, `, ?
; ebx = ZwOpenSection (resolved by name from ntdll) and is kept for the reopen below.
+ p0 T: Q: q" Z6 R& O' Jcall @f
7 R. m, z/ g9 t1 Ddb "ZwOpenSection",09 }6 ]( ^6 ~) L, @7 S9 W
@@:
" I ^3 O: L( Mpush NtdllMod3 p6 _% a- X, m$ C8 H
call GetProcAddress
3 q7 ^; W5 b" F& c4 qmov ebx,eax ;ebx=ZwOpenSection
; T6 K+ [ q, P5 A5 u2 i" C& }% z" ?) w
; First attempt: open for read+write mapping. On STATUS_ACCESS_DENIED the
; section is reopened for READ_CONTROL|WRITE_DAC, its DACL is rewritten to
; grant the current user SECTION_MAP_WRITE, the handle is closed, and the
; read+write open is retried.
push esi ;esi->ObjAttr
* |5 Z0 B# V: hpush SECTION_MAP_READ or SECTION_MAP_WRITE ?) J, X1 o. \* W. h( a
lea edi,hSection
; l# w+ y' l# N- `+ G+ qpush edi ;edi->hSection
6 O; P, l8 ^, u2 j$ acall eax ;ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr)
! {. A9 p) a7 ]! p& E W2 k& \' A7 N3 J& K1 T% I" h0 s# @
mov status,eax
~( P3 F& \# j: y9 y' A. B4 dcmp status,STATUS_ACCESS_DENIED
# t5 i+ M8 s7 D) [$ D9 ~1 R* Pjnz AccessPermit4 }" k! p: t0 ~5 b8 y
mov eax,ebx2 x' A3 T- K# B& T: }3 q2 ^
- A/ C3 y) `4 ]6 V2 Ppush esi
6 M5 Y- Z4 o8 apush READ_CONTROL or WRITE_DAC
/ f0 G* g3 k+ \5 npush edi - e9 P% O) w, D
call eax 1 l) z! r8 o$ d% i;ZwOpenSection(&hSection,READ_CONTROL or WRITE_DAC,ObjAttr)
) F. R. T9 d; Q* W
; NOTE(review): the status of this open is stored but never checked before the
; DACL rewrite; a failure here is only noticed when the final reopen fails.
mov status,eax1 Q7 ~: ~8 I/ r) ^6 a4 I7 b
invoke SetPhyscialMemorySectionCanBeWrited,hSection
1 ?: p3 t( Z; ]$ L* X6 Z v7 {7 q+ X }+ ^& F7 p
call @f
E) C2 w1 K+ f; h/ }% @7 {0 c6 S3 Ydb "ZwClose",0
# f0 i7 f0 S6 @' T, S2 x2 ~@@: Z d2 N: g2 m, ^4 E: ]) k9 V4 y& k
push NtdllMod5 Q' K( v3 B3 m& C# L/ r0 G
call GetProcAddress
/ T5 m9 _8 }4 p
# q* k) P2 Z7 H. Y7 Ppush hSection
7 S2 ^- q0 f) b. jcall eax ;ZwClose(hSection)
- w3 j v* V1 E' v9 u) Z3 \
mov eax,ebx
6 W+ n/ M* N1 e; h5 E% X6 l9 [' ^7 P/ M/ B
push esi ;esi->ObjAttr
push SECTION_MAP_READ or SECTION_MAP_WRITE
& `5 h8 A! p. A9 F- ]lea edi,hSection( N) R3 U6 _. m. E5 e$ b;
push edi
% ?9 Z6 t" c8 ?! L% Dcall eax+ P- l4 N9 J7 N6 A9 B
mov status ,eax
) e% H( S. K' ~+ d;status = ZwOpenSection(&hSection, SECTION_MAP_READ|SECTION_MAP_WRITE, &ObjAttr)
AccessPermit:' v9 n, K3 S( I/ g; R2 _' k& ]
cmp status ,STATUS_SUCCESS
& L# m8 h+ j" [/ |$ D- q. mjz @f# W/ z& y/ c! J+ Q/ \
;printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status);
7 U3 C' T/ A9 ] j1 R% n3 [+ ^;return 0;
mov eax,0' p T I$ r1 r! L& q4 Z& _9 k i; \
ret8 U0 U- d( d! y* G! f+ e- S' j5 w$ @2 _
@@:
; Map GdtLimit+1 bytes of physical memory starting at the (page-aligned) GDT
; address; BaseAddress is then treated as the GDT base itself.
# z# g9 }0 J7 F+ K. bmovzx eax,word ptr[GdtLimit]' Q& H0 M1 V3 p8 l5 x' \ j
inc eax" P% W+ K: e: Z2 s2 p
invoke MapViewOfFile,hSection, FILE_MAP_READ or FILE_MAP_WRITE, 0, mapAddr, eax
O' D0 b1 M U2 ]9 [mov BaseAddress,eax
5 m/ q' j* L( Z h1 ?3 Kcmp BaseAddress,0) c/ k( _0 }) Z: P
jnz @f. E; R, l* j% B2 n. E
;printf("Error MapViewOffile:");
; NOTE(review): the next line is a leftover C fragment that is not valid MASM
; (its leading ';' is missing) and will stop the assembler; the section handle
; is also not closed on this error path.
rintWin32Error(GetLastError()); return 0; ; J) X A: M, k1 @! I \5 r1 J
mov eax,0. y8 [7 D, P6 G1 T4 s1 ?
ret0 v5 f! S/ Y9 T a& t& n
@@:
; Install the gate only if slot 3E0h does not already hold it (dword at +2 ==
; selector 03E8h, dcount 0, type 0ECh). The gate's target offset is GdtAddr
; itself (low word at +0, high word at +6) and the byte 0C3h (`ret`) is stored
; at the GDT base - the null descriptor, which the CPU never loads. A far call
; through the gate therefore executes that `ret` in ring 0, which pops the
; ring-3 return EIP and resumes at _Ring0Proc (the instruction after the far
; call) with CS=3E8h and the ring-3 CS/ESP/SS still on the ring-0 stack.
; NOTE(review): this reading is inferred from the stores below and from the
; esp handling at _Ring0Proc; confirm before relying on it.
- s" C) ? O9 I! [8 Bmov esi,eax ;esi->mapped GDT base (assumes the GDT starts on a page boundary)
mov ecx,3e0h& E j4 E! y1 O/ g; |! g
mov eax,GdtAddr
1 t% Q0 |8 Q, M9 C& S3 j.if dword ptr [esi+ecx+2]!=0ec0003e8h3 L2 Y- K4 X' S
mov byte ptr [esi],0c3h
2 L5 u+ d5 \* B7 N* D0 ]6 ~+ J I* t! V/ {% I( l
mov word ptr [esi+ecx],ax1 V;gate offset 15:0 = GdtAddr low word
shr eax,16
% O' y5 r9 v" Fmov word ptr [esi+ecx+6],ax1 X' A, i& t+ E) p& X$ u2 [
mov dword ptr [esi+ecx+2],0ec0003e8h
% Q% P5 t+ }- f& s0 p
; Code descriptor at 3E8h: limit 0FFFFFh with G=1 (4 GB), base 0, access 9Ah
; = present, DPL 0, code, readable; flags 0Ch = 32-bit, page granular.
9 `0 w, c2 S, z6 I7 N# Imov dword ptr [esi+ecx+8],0000ffffh, x;
mov dword ptr [esi+ecx+12],00cf9a00h$ B;
.endif# u! ^( J! l4 M1 [/ l
; NOTE(review): setcg is set to TRUE and tested immediately, so the close-and-
; return block before ChangeOK can never execute (dead code).
# J r/ z& ?$ J: |mov setcg,TRUE q+ B+ b5 K C
cmp setcg,03 ]9 x" T- R/ y5 b* G
jnz ChangeOK
4 p$ |( \. o8 b5 H" c- Vcall @f' X1 P' L5 P: s, X+ x5 w
db "ZwClose",0
. g9 X- |9 k& y$ w" W# ~' \4 U2 X% j@@:# p( R# z9 [8 q4 e. i- q9 v
push NtdllMod# O* |9 o0 }2 I6 }4 Y
call GetProcAddress
- W. ^; r5 @. b2 z$ Y, u0 hpush hSection' ?7 U& I4 ~! E
call eax5 I( O3 J0 S. ^+ `2 u
xor eax,eax
, T4 F& ?3 }# F; s& Fret) |& h3 }; o9 j9 F; a3 ~
ChangeOK:
; Build the far pointer: offset 0 (ignored by a call gate), selector 3E0h or 3
; (RPL 3 so ring 3 may call it).
: S& R% W" K* `4 Y* o2 zand dword ptr Callgt,0 # c, V9 z. z" ?+ Z& \;
xor eax,eax! N+ M' z% O, }
mov ax,3e0h# U7 e/ {" i6 c2 x9 p1 k9 I- _
or al,3h
, h/ _8 e) O( r7 F; ymov word ptr [Callgt+4],ax 6 g# e2 \4 a. S3 D! ^4 i
;farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate;
; NOTE(review): lea of a label is never zero, so this test/ret pair is dead code;
; the VirtualLock it once guarded is commented out.
' a; W/ _6 \) j, U- zlea eax,_Ring0Proc
) P5 ?/ v8 j* n# k- r- H) x;invoke VirtualLock,eax,seglen
3 x" p; O& r- b1 P: qtest eax,eax
" j# O* U6 q; G" o4 T' M8 pjnz @f' W h; j, |( W" f4 f0 ^5 A) C6 B
xor eax,eax* I$ @' Y% C- V! |% P;
ret% C6 q+ Z7 L& |! Y9 @# N;
@@:
; Raising the thread to TIME_CRITICAL and yielding once presumably aims to
; reduce the chance of being preempted while the ring-0 polling loops run
; with interrupts enabled (nothing below executes cli).
9 s3 g% }% c/ B7 N5 b4 l& Vinvoke GetCurrentThread
: L( ?" g) i4 f6 cinvoke SetThreadPriority,eax,THREAD_PRIORITY_TIME_CRITICAL
X" F% C9 E7 j! z: i- v$ P: P
2 Y5 i5 J7 d0 t4 Z: C. kinvoke Sleep,0 7 L& m8 d. [* n' Y
call fword ptr [Callgt] ;use callgate to Ring0!
% ^, J s$ L7 l2 {;_asm call fword ptr [farcall]
; Execution reaches here in ring 0 (via the `ret` planted at the GDT base),
; on the ring-0 stack: [esp]=ring-3 CS, [esp+4]=ring-3 ESP, [esp+8]=ring-3 SS.
; eax keeps the ring-0 esp; esp is switched to the ring-3 stack and the ring-0
; esp pushed there so the exit sequence below can find it again.
$ {8 h5 i9 [3 S) S# I_Ring0Proc: ; Ring0 code here..
' E+ w* d P" {& Z9 cmov eax,esp ;save ring0 esp
8 H, N; F) M) |3 z. {8 Dmov esp,[esp+4];->ring3 esp6 V) m, v( Q) C, |' E7 d' Z( k
push eax7 {: M$ L. w: n5 W( L, M
mov ebx,offset stIDEINFO
5 [' O! V, i4 N# v8 z { assume ebx:ptr IDEINFO
, Z! D6 q. [( u;********************************************************************
6 h. ` R' p* `. k2 c8 j/ v; wait for the drive: poll the status port until it reads 50h (ready, seek complete)
;********************************************************************
; @6 T9 ]/ Y( u; b+ a+ w; Z mov ecx,10000h
8 q# }& A, ] h, V2 J: I mov dx,01f7h% B+ A4 k* t5 v" i E' K
@@:
# O9 U4 E; a z6 y3 P in al,dx; v6 u0 \ p; @; A6 C$ o1 u" ?
cmp al,50h8 b* o( J1 X: ~0 O- x;
jz @F
+ \! R( h4 B7 g. Q+ k# _ loop @B
8 z! t) s0 q7 |- n0 B jmp _II_TimeOut9 x7 _/ _' p6 d* l& k
@@:9 a, `8 U! }8 \5 c# ?% L
;********************************************************************! S" b1 [/ j" n9 W( f. s9 [" E
; send the IDENTIFY DEVICE command
: e0 w5 Z' K) v. U9 J; primary controller: ports 1F0h-1F7h,
2 U' P4 |; secondary controller: ports 170h-177h
6 B0 N$ `5 M/ Q! {& G2 ~; 1F6h (drive/head): A0h selects the master device on this interface,
* T! _$ M$ O+ A- u( q) E; B0h the slave
; 1F7h (command): ECh = IDENTIFY DEVICE for ATA devices,
! d; A1h = IDENTIFY PACKET DEVICE for ATAPI devices
;********************************************************************
1 a5 F% m* D. \- G K2 E mov al,0a0h ;Drive 0,Head 0
9 y( w2 R6 p0 H, }" f: K5 j mov dx,01f6h ;Drive and head port
" i8 E3 V1 z% c out dx,al6 J" _0 Q( |$ q( S6 m& q$ t
) L- v& h1 T. Y+ h+ T mov al,0ech
/ G2 w0 P" Z' o* B8 v+ j* H/ h7 r" J inc dx ;Command port (1F7h)
out dx,al
' r3 N8 u' r3 X' Q" W; ]5 q3 x: X;********************************************************************
; wait until the status port reads 58h (ready, seek complete, data request)
! B b+ p* g$ u4 \7 W7 x2 x% V4 e;********************************************************************
. R7 ?! b: A1 h9 y$ P mov ecx,10000h
. b# ^. L3 E4 v2 _ l; f4 ^& W7 C2 U @@:3 y. g7 h% Y1 b( k' w
in al,dx;1F7h status register
cmp al,58h;drive ready, seek complete and DRQ set
9 y/ n! M' ~" H y jz @F- @0 B3 W' G0 p: n7 w
loop @B
7 W8 L: }+ h9 }* G( {! \ jmp _II_TimeOut
2 D! C4 a% N) Z, Q! D" N1 o" z @@: \* h7 u& x3 R
;********************************************************************% h; Z1 j' o) [- W* i$ D
; read the response back into stIDEINFO
2 Z) J9 o( m0 Z( I+ L" j% f; all 100h words must be read
' B% C# m* T) ]& ~+ ];********************************************************************6 T) b0 |: L m$ T
cld
$ H- |3 l+ C. B% J- p% J mov edx,01f0h;data port - data comes in and out here
mov edi,ebx
b7 P4 p' U6 s+ l ?& @ mov ecx,0100h& p. o# U" c% l
rep insw6 [& O' r5 J7 T' ?* r
;********************************************************************
* \6 Q5 U4 U$ w" T& t7 Z$ s: P; the model, serial and firmware strings come back with the two bytes
; of each word swapped; swap them back in place (serial: 10 words;
; firmware + model: 24 contiguous words starting at sFirmwareRev)
; U; B: G! g7 N8 Q% ], M$ j;********************************************************************
lea esi,[ebx].sSerialNumber+ u ^+ b;
mov edi,esi/ F0 A4 z" e7 c/ n' q/ ?2 N
mov ecx,10
: g' B* E5 s/ N# }! m' h9 A8 k: ^ @@:* ^ Z3 R( D- w7 r& d3 R, a! g) ^
lodsw
( y/ `6 r' I) m& ?+ H xchg ah,al
" i# |) \' j0 k, t9 j/ g stosw8 f& r! W) I V! {# u
loop @B' h( |& {6 [0 h8 [+ S9 k
8 m3 ]5 ^5 f% h, E# ? lea esi,[ebx].sFirmwareRev$ M/ M8 s' a& h
mov edi,esi5 p$ x: a6 z' A" v
mov ecx,24* _$ D/ k- w6 [' y! ?
@@:
8 P5 U$ o) ?$ ?1 E6 k7 L; | lodsw
" T/ @ o7 {7 v" [( e xchg ah,al
2 e' C' F3 D2 N1 }. I stosw4 L5 ^2 Q% w9 @5 _! S8 A/ `
loop @B
; Both polling loops land here on timeout with stIDEINFO untouched (main then
; reports the error because wNumCyls stays 0).
7 v, G* E$ R0 `7 d7 u+ i# ?_II_TimeOut: f4 v2 f \;
assume ebx:nothing
8 m& h0 Q0 z/ b% Z, Q! Y
; Back to the ring-0 stack (its esp was pushed on the ring-3 stack); pushing
; the Ring3 offset above the saved CS/ESP/SS lets `retf` return to ring 3 at
; Ring3 with the ring-3 stack restored.
; o0 t' w" N( n% tpop esp ;restore ring0 esp
/ K& d" r7 t. Q3 E% m( r$ l3 v5 cpush offset Ring38 @6 ]. K+ I' M;
retf- x7 c4 c# |! D. c( s7 P2 w! p" D) K: |
Ring0CodeLen=$-_Ring0Proc7 E* w# u2 I/ d0 n( ^& C3 k
$ m" O8 S1 H! A3 f
Ring3:
; Restore thread priority, close the section handle and report success.
4 \6 L. X7 E9 t. Yinvoke GetCurrentThread9 h) C5 |$ P! X1 n! ^& B
invoke SetThreadPriority,eax,THREAD_PRIORITY_NORMAL
# b: Y- M, h0 ?/ U3 a0 w! T/ j' q
;invoke VirtualUnlock,Entry,seglen
; Z8 j# x* a; A) \8 \- d& N5 c' C9 ?6 X+ c
call @f! a) a: a" H1 _0 H' `% V;
db "ZwClose",0
. q* i/ S- \" z; t7 c6 h% b@@:$ q+ X( i. S1 L, O, f8 V0 n6 Z
push NtdllMod6 D9 C# Y2 G4 i# _ ~2 O6 h
call GetProcAddress, \ q' E* Y3 q5 o& `
push hSection
5 M5 {* K5 a N- ecall eax;ZwClose(hSection)
mov eax,TRUE
$ k4 T; S: t4 ^ret
+ |0 n8 A5 v6 V5 y' Q3 DExecRing0Proc endp 7 U: Q" J;
;-----------------------------------------------------------------------
; main: program entry. Installs a minimal SEH frame (MySEH) so that a fault
; during the ring-0 excursion ends the process instead of hanging it, bails
; out on the author's Win9x check, runs ExecRing0Proc, and formats stIDEINFO
; for a message box. Exits via ExitProcess (0, or -1 from the handler).
;-----------------------------------------------------------------------
5 B$ |+ M* m' G' e( w9 lmain:7 |- w& Z8 `1 Q r
assume fs:nothing. s5 u" s7 i: t;
; Push handler and previous chain head, then make this frame the SEH chain head.
push offset MySEH+ V+ n1 E$ N {
push fs:[0]! G6 ~;
mov fs:[0],esp
* B# x/ K7 f% E% D3 b8 v/ S- ?mov OldEsp,esp
; Bit 2 of a selector is the TI (LDT) flag; an LDT-based DS is taken as a
; Win9x environment and the program exits without attempting anything.
) U- c$ B# ]/ b! {4 I3 E; O# Q: u# ~' amov ax,ds ;if Win9x?% ?4 s1 R$ T4 W6 e. G8 d* v
test ax,4: a" Z. k1 Z* k+ a+ \
jnz Exit1
! L# U* I3 e. y9 s; }( Q! Finvoke ExecRing0Proc
# r6 B3 _7 k& N, i$ c: l {& q5 T( y" x% v: p
; wNumCyls != 0 is taken as "the ring-0 read filled stIDEINFO"; the return
; value of ExecRing0Proc itself is not checked.
.if stIDEINFO.wNumCyls
; Copy the fixed-width fields into NUL-terminated buffers (each one byte longer).
& v# Q! X5 k) l lea esi,stIDEINFO.sModelNumber6 t6 w& u, R2 U;
mov edi,offset szModelNumber
! F1 U' U@4 C. L" O mov ecx,sizeof stIDEINFO.sModelNumber1 o. K5 Y! g;
rep movsb8 T) F6 `$ x% h/ b
- V# b; `% s) m
lea esi,stIDEINFO.sSerialNumber
6 i+ n/ q& K0 V+ ~4 ]* G mov edi,offset szSerialNumber2 P( h3 ]. B4 S;
mov ecx,sizeof stIDEINFO.sSerialNumber
% K) t0 L: }0 w% n rep movsb( k" V* A2 ?0 U: C' |5 r8 A
& M& x/ A8 \ V6 R& ?! u' q
lea esi,stIDEINFO.sFirmwareRev
; K, d2 x; e6 I. V7 N0 m mov edi,offset szFirmwareRev
2 C1 Z% ^9 ^; [- p0 Y mov ecx,sizeof stIDEINFO.sFirmwareRev0 P* J7 W3 d# A/ h! R
rep movsb: s2 Z0 h& D/ j;
; Zero-extend the four 16-bit counters for the %d conversions.
9 q( p0 m+ r7 @4 b. a' F' k6 D- o movzx eax,stIDEINFO.wNumCyls' t3 G) z0 p L- h
movzx ebx,stIDEINFO.wNumHeads! v' q! ?. o0 Y7 Q1 n9 C8 H
movzx ecx,stIDEINFO.wSectorsPerTrack+ i2 o;
movzx edx,stIDEINFO.wBufferSize
3 |9 h; L, v( v7 s3 L% E invoke wsprintf,addr szBuffer,addr szIDEInfo, eax,ebx,ecx,edx, addr szModelNumber, addr szSerialNumber, addr szFirmwareRev" E5 F+ E5 v9 v4 ] M+ P
mov eax,offset szBuffer/ s3 N# S8 C% s: y8 Y
.else
: \' ^$ K; P: D mov eax,offset szErrInfo% W4 Y, U/ B# P2 c
.endif
* C$ J) K0 E% ~9 {4 `( h@@:* ?- p- _4 c: n5 [+ n3 k) n9 O
invoke MessageBox,NULL,eax,addr szTitle,MB_ICONINFORMATION or MB_OK1 @3 J/ r K$ U
; Unlink the SEH frame (restore the previous head, drop the handler slot) and exit.
Exit1:
0 a" W3 T! m; X! n' y; ~* ]- a: q* ]pop fs:[0]1 x3 f8 O* g6 q
add esp,4
: s) ?+ T* W" |* z. o9 T& T) finvoke ExitProcess,0
# `5 o% _: h2 `. M$ W6 d' ~" T) r3 R2 d0 F% P, R# H
; Exception handler: abandon the current stack, unlink the frame and exit
; with -1. It never returns, so no handler disposition is produced.
MySEH :
( q- _. }6 \- Cmov esp,OldEsp1 x- @, x5 \( Q' x/ V4 g
pop fs:[0]
% B ]9 @, t7 D. Cadd esp,4
3 J4 f0 }& B4 X( R. c8 g0 c" Dinvoke ExitProcess,-1: f' M I d! y, w;
end main
% S/ `9 o) X$ R" i' J; M% h6 t3 ^, X, U e