我可没这个水平
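; MASM (Intel syntax), 32-bit x86, Win32 stdcall.  Assembled against the
; masm32 include set; targets Windows NT-family only (main refuses Win9x).
; .686p is needed for the privileged instructions used further down.
.686p
.model flat, stdcall
option casemap :none                    ; symbols are case sensitive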
; #########################################################################5 u0 F- r9 {1 A* B7 K2 { o
include \masm32\include\windows.inc, S0 V0 h& z% `8 B2 M
include \masm32\include\user32.inc
8 n, U; p4 T _! ginclude \masm32\include\kernel32.inc
$ R6 C- ~& N7 {& t( \# e( C) e# ?include \masm32\include\advapi32.inc
4 t' q% W+ ^4 {- s# Y0 n" Y
. i+ j% X* @: R4 `9 g3 Uincludelib \masm32\lib\user32.lib
+ b; y; m9 ^/ u) d: Fincludelib \masm32\lib\kernel32.lib/ ^% H/ c- O: J6 T1 z1 I. I
includelib \masm32\lib\advapi32.lib
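DEBUG = TRUE

; Pointer-sized typedefs for the native API (all 32-bit here).
HMODULE              typedef dword
NTSTATUS             typedef dword
PACL                 typedef dword
PSECURITY_DESCRIPTOR typedef dword

; OBJECT_ATTRIBUTES.Attributes flags (ntdef.h values).
OBJ_INHERIT          = 2
OBJ_PERMANENT        = 10h
OBJ_EXCLUSIVE        = 20h
OBJ_CASE_INSENSITIVE = 40h
OBJ_OPENIF           = 80h
OBJ_OPENLINK         = 100h
OBJ_KERNEL_HANDLE    = 200h             ; the garbled source read 200 (decimal); SDK value is 200h
OBJ_VALID_ATTRIBUTES = 3F2h

; Access-control constants (aclapi.h / accctrl.h values).
SE_KERNEL_OBJECT     = 6
GRANT_ACCESS         = 1
NO_INHERITANCE       = 0
TRUSTEE_IS_NAME      = 1
TRUSTEE_IS_USER      = 1

; NTSTATUS codes.
STATUS_SUCCESS              = 0
STATUS_ACCESS_DENIED        = 0C0000022h
STATUS_ACCESS_VIOLATION     equ 0C0000005h
STATUS_INFO_LENGTH_MISMATCH equ 0C0000004h
SystemModuleInformation     equ 11

PVOID  TYPEDEF DWORD
UNLONG TYPEDEF DWORD                    ; sic (SDK spells it ULONG); not referenced in this listing
CHAR   TYPEDEF BYTE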
6 J5 A& X* n/ u9 |4 i `& X* ~6 _6 e
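; Native UNICODE_STRING (ntdef.h).  The first field is called nLength
; because LENGTH is a MASM operator; lengths are in bytes, not characters.
UNICODE_STRING struct
    nLength       word ?                ; bytes in use (no terminator counted)
    MaximumLength word ?                ; bytes available at Buffer
    Buffer        dword ?               ; PWSTR
UNICODE_STRING ends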
- V8 m- A* y I! c! [ L0 q! _1 V: K! B. g2 @
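; Native OBJECT_ATTRIBUTES (ntdef.h), 24 bytes.  nLength must be set to
; sizeof OBJECT_ATTRIBUTES (18h) before the structure is passed to a Zw* call.
OBJECT_ATTRIBUTES struct
    nLength                  dword ?    ; sizeof OBJECT_ATTRIBUTES
    RootDirectory            HANDLE ?
    ObjectName               dword ?    ; PUNICODE_STRING
    Attributes               dword ?    ; OBJ_* flags
    SecurityDescriptor       dword ?    ; PVOID, points to a SECURITY_DESCRIPTOR
    SecurityQualityOfService dword ?    ; PVOID, points to a SECURITY_QUALITY_OF_SERVICE
OBJECT_ATTRIBUTES ends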
/ S/ J& {# S& \$ U2 t4 K1 S! g c" {! i
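; TRUSTEE (accctrl.h).  Only TrusteeForm/TrusteeType/ptstrName are
; meaningful when pMultipleTrustee is NULL.
TRUSTEE struct
    pMultipleTrustee         dword ?    ; PTRUSTEE, NULL when not used
    MultipleTrusteeOperation dword ?    ; MULTIPLE_TRUSTEE_OPERATION
    TrusteeForm              dword ?    ; TRUSTEE_FORM (TRUSTEE_IS_NAME / _SID / ...)
    TrusteeType              dword ?    ; TRUSTEE_TYPE
    ptstrName                dword ?    ; LPTSTR or PSID depending on TrusteeForm
TRUSTEE ends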
5 L9 ~% f9 g: Y) @6 H) ]% Y
^( d1 |5 l$ H$ P
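; EXPLICIT_ACCESS (accctrl.h): one ACE request for SetEntriesInAcl.
EXPLICIT_ACCESS struct
    grfAccessPermissions DWORD ?        ; access mask being granted/denied
    grfAccessMode        dword ?        ; ACCESS_MODE (GRANT_ACCESS, ...)
    grfInheritance       DWORD ?        ; inheritance flags (NO_INHERITANCE, ...)
    Trustee              TRUSTEE <>     ; who the entry applies to
EXPLICIT_ACCESS ends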
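; 80386 call-gate descriptor layout (8 bytes).  Defined for documentation
; only: nothing else in this listing references MyGATE.
MyGATE struct
    OFFSETL  WORD ?                     ; target offset bits 15..0
    SELECTOR WORD ?                     ; target code-segment selector
    DCOUNT   BYTE ?                     ; dword parameter count (low 5 bits)
    GTYPE    BYTE ?                     ; type, DPL and present bits
    OFFSETH  WORD ?                     ; target offset bits 31..16
MyGATE ends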
J0 |9 {# w. W2 a0 C
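; ATA IDENTIFY DEVICE response.  The command returns 256 words (512 bytes)
; and the reader in this file transfers all 512 bytes into an IDEINFO, so
; the structure must be 512 bytes long.  The original layout stopped at
; 256 bytes (bReserved was 128), letting the transfer overrun the variable
; by 256 bytes; bReserved now pads to the full block.  Field offsets are
; unchanged.  The three s* string fields arrive as 16-bit words with the
; bytes swapped; the reader swaps them back before they are printed.
IDEINFO struct
    wGenConfig                 dw ?
    wNumCyls                   dw ?     ; cylinders
    wReserved                  dw ?
    wNumHeads                  dw ?     ; heads
    wBytesPerTrack             dw ?     ; bytes per track
    wBytesPerSector            dw ?     ; bytes per sector
    wSectorsPerTrack           dw ?     ; sectors per track
    wVendorUnique              dw 3 dup (?)
    sSerialNumber              db 20 dup (?)  ; serial number
    wBufferType                dw ?
    wBufferSize                dw ?     ; n * 512 bytes
    wECCSize                   dw ?
    sFirmwareRev               db 8 dup (?)   ; firmware revision
    sModelNumber               db 40 dup (?)  ; model number
    wMoreVendorUnique          dw ?
    wDoubleWordIO              dw ?
    wCapabilities              dw ?
    wReserved1                 dw ?
    wPIOTiming                 dw ?
    wDMATiming                 dw ?
    wBS                        dw ?
    wNumCurrentCyls            dw ?
    wNumCurrentHeads           dw ?
    wNumCurrentSectorsPerTrack dw ?
    dwCurrentSectorCapacity    dd ?
    wMultSectorStuff           dw ?
    dwTotalAddressableSectors  dd ?
    wSingleWordDMA             dw ?
    wMultiWordDMA              dw ?
    bReserved                  db 384 dup (?) ; was 128: pads to the 512-byte IDENTIFY block
IDEINFO ends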
3 I+ O6 M' \ W U- R7 F! \2 C1 I+ d Y
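; Forward declarations so `invoke` can type-check the calls below.
; (Spelling of the first name is kept as-is; callers use it.)
SetPhyscialMemorySectionCanBeWrited proto :dword   ; hSection:HANDLE
MiniMmGetPhysicalAddress            proto :dword   ; virtualaddress:dword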
. I- M. g/ i+ `. w) w
* ?6 K2 E6 p5 E1 s% [0 A$ ]9 Y( rENTERRING0 macro0 V/ R7 Y/ ^) w" U) r& l: R E
pushad
$ H- e( g# U( V3 W% U5 X; F3 Zpushfd ^* U n$ @7 F# W6 H: F. J' V- u
cli$ d" `6 C$ X8 f! i9 O
mov eax,cr0 ;get rid off readonly protect
$ j1 C* N9 S5 J: Oand eax,0fffeffffh
: d1 ^! \9 [7 F. e8 nmov cr0,eax& D& Z% g6 [6 d9 T3 X
endm
0 ]0 \" t+ h, w$ b! P# H% h# k7 X! E6 R
LEAVERING0 macro
6 K( C) }( e6 |$ @# o4 zmov eax,cr0 ;restore readonly protect
# p8 O+ b* ]8 U6 T1 u; Dor eax,10000h
( a% ~# v* ^3 G" |/ M5 Amov cr0,eax9 L/ X) W4 b$ [; l: k8 I: K
sti
8 g0 @/ `) d( o; D: C7 O& Ppopfd
" }8 ?* J. o0 {' h5 }: p [% g6 tpopad
0 R: V/ S- J4 i# j, }retf1 z: e$ t# X8 K" v
endm. m- ^* M+ ^9 l
) O9 G8 S+ m6 @* ?( r% Y1 k
3 q9 w5 [3 `0 p# x( ]
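;-----------------------------------------------------------------------
; UNICODE_STR <text>
; Emits <text> as UTF-16LE by widening each ASCII character to a word
; (char, 0).  No terminating word is emitted; the caller appends one if
; it is needed.  Non-ASCII input would be mangled, so keep <text> ASCII.
;-----------------------------------------------------------------------
UNICODE_STR macro str
    irpc _c,<str>
        db '&_c'                        ; low byte: the character
        db 0                            ; high byte: always 0 for ASCII
    endm
endm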
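.data?
; sgdt stores 6 bytes: the 16-bit limit followed by the 32-bit base.
; GdtLimit and GdtAddr must therefore stay adjacent and in this order.
GdtLimit        dw ?
GdtAddr         dd ?

mapAddr         dd ?                    ; used by ExecRing0Proc
OldEsp          dd ?                    ; esp saved by main for MySEH

readed          dw ?                    ; loop counter used by _ShowBuffer
buffer          db 512 dup (?)          ; raw bytes shown by _ShowBuffer
ShowText        db 512*3 dup (?)        ; "XX " per byte: exactly full, no spare byte for a NUL

szBuffer        db 1024 dup (?)         ; wsprintf output
szModelNumber   db 41 dup (?)           ; 40-char field + NUL
szSerialNumber  db 21 dup (?)           ; 20-char field + NUL
szFirmwareRev   db 9 dup (?)            ; 8-char field + NUL

stIDEINFO       IDEINFO <>              ; garbled source read `IDEINFO >`; `<>` is the MASM form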
+ N4 ]! d9 a; `/ W' N
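.data
align 4
; Hand-laid-out UNICODE_STRING followed by its character buffer.
; objname (Length, MaximumLength) and objnameptr (Buffer) together form
; the 8-byte structure; code reaches it as objnamestr-8.
objname         dw objnamestr_size,objnamestr_size+2
objnameptr      dd 0                    ; Buffer, filled in at run time
objnamestr      equ this byte
UNICODE_STR <\Device\PhysicalMemory>
objnamestr_size equ $-objnamestr
                dw 0                    ; terminator: MaximumLength claims Length+2 bytes, so own them

szTitle         db 'IDE 硬盘信息',0
szErrInfo       db '无法读取硬盘信息',0
szIDEInfo       db '柱面数 : %d',0dh,0ah
                db '磁头数 : %d',0dh,0ah
                db '每道扇区数 : %d',0dh,0ah
                db '缓冲大小 : %d 扇区',0dh,0ah
                db '硬盘型号 : %40s',0dh,0ah
                db '序列号 : %20s',0dh,0ah
                db '版本号 : %8s',0

align 4
ObjAttr         db 24 dup (0)           ; sizeof OBJECT_ATTRIBUTES, zero-filled

Callgt          dq 0                    ; 48-bit far pointer (offset:selector) in an 8-byte slot
Caption         db 'Windows XP绝对磁盘读写',0
Digit           db '0123456789ABCDEF',0 ; xlatb table for _ShowBuffer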
.code
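;-----------------------------------------------------------------------
; void _ShowBuffer(void)
; Hex-dumps the 512 bytes in `buffer` into `ShowText` ("XX " per byte,
; 16 bytes per line, lines separated by CR) and shows it in a message box.
; Not called from main in this listing.
; In:    buffer, Digit (globals)
; Out:   ShowText (global); readed is left at 0 as before
; Clobb: eax, ecx, edx, flags; ebx/esi/edi are now preserved (stdcall
;        treats them as callee-saved, the original trashed them)
; Fixes: ShowText is exactly 512*3 bytes, so the original never wrote a
;        NUL and MessageBoxA depended on the next .data? variable being
;        zero.  Because 512 is a multiple of 16 the last byte written is
;        a CR; it is replaced with the terminator, inside the buffer.
;-----------------------------------------------------------------------
_ShowBuffer proc uses ebx esi edi
    mov     esi,offset buffer           ; source bytes
    mov     edi,offset ShowText         ; destination text
    mov     ebx,offset Digit            ; xlatb table base
    mov     readed,sizeof buffer        ; bytes remaining
    xor     ecx,ecx                     ; bytes emitted on the current line
    xor     eax,eax                     ; upper bits must be clear for shr/xlatb
    cld
NextByte:
    lodsb                               ; al = *esi++
    push    eax
    shr     eax,4                       ; high nibble
    xlatb
    stosb
    pop     eax
    and     eax,0Fh                     ; low nibble
    xlatb
    stosb
    mov     byte ptr [edi],' '          ; separator
    inc     edi
    inc     ecx
    cmp     ecx,16
    jb      SameLine
    xor     ecx,ecx
    mov     byte ptr [edi-1],0Dh        ; end of a 16-byte line: separator becomes CR
SameLine:
    dec     readed
    jnz     NextByte
    mov     byte ptr [edi-1],0          ; 512 mod 16 == 0, so edi-1 holds a CR: terminate here
    invoke  MessageBoxA,NULL,offset ShowText,offset Caption,MB_OK
    ret
_ShowBuffer endp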
N/ X( a3 l6 a# Y) k2 bSetPhyscialMemorySectionCanBeWrited proc uses ebx esi edi hSection:HANDLE % x$ {9 F, m+ o; ?6 S
local pDacl: PACL
' u6 G h3 `& _7 h: b* blocal pNewDaclACL ! h2 n1 F9 r. U8 g! U
local pSD SECURITY_DESCRIPTOR . g2 M, w" a k Y* R
local dwRes:DWORD ;
" W1 A3 M; J" ~( q2 dlocal ea:EXPLICIT_ACCESS ;
( p& i* P$ m- ^4 j4 H7 {5 Iinvoke GetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL, addr pDacl,NULL, addr pSD! E6 E8 u c3 P4 s
cmp eax,ERROR_SUCCESS
) D7 c- I9 h [9 }jz @f- u) m# X* F i; V3 U) q
jmp OutSet3 T! C4 X3 ?8 p; _. c0 y3 a: D
@@:
n+ b+ K/ b( E1 W, b1 _mov dwRes,eax
( X3 ], y2 r' H8 r( nmov ea.grfAccessPermissions ,SECTION_MAP_WRITE;2
+ s: J) v% u6 H- J0 K1 wmov ea.grfAccessMode ,GRANT_ACCESS;1
, P; _1 n+ F. C. ~: cmov ea.grfInheritance,NO_INHERITANCE;0
" d: H* q& T; Z$ @$ q. X; r" h$ Dmov ea.Trustee.pMultipleTrustee,0
# `. F7 Z3 m$ j3 y7 wmov ea.Trustee.MultipleTrusteeOperation,0
1 @" R: ] }8 x8 ]mov ea.Trustee.TrusteeForm,TRUSTEE_IS_NAME;1
9 S' A/ S' ?+ e- ymov ea.Trustee.TrusteeType,TRUSTEE_IS_USER;19 q0 W& N! n" f' F( b
call @f
* F0 K) k( V) k- X) Ldb "CURRENT_USER",03 M# n0 n% L* ^$ C7 I* j4 k
@@:1 p3 a$ Y0 q/ T6 q
pop edx
# W7 o! n# j6 C7 J( I) imov ea.Trustee.ptstrName,edx
4 t r2 ?, ]* B& n) l7 }+ b9 Rinvoke SetEntriesInAcl,1,addr ea,pDacl,addr pNewDacl
- R {( x j6 v0 kcmp eax,ERROR_SUCCESS
. g1 V1 H" D8 }& E! b0 z t; k; w* tjz @f
" f$ ~! m( @7 ^/ {8 k9 p: ujmp OutSet
2 c! v- S7 R5 |7 X1 Z9 `6 A@@:2 m" F% G; `* ?: Q, M
invoke SetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL,pNewDacl,NULL2 |9 c# i4 a$ Y$ w& [$ \/ h. N
OutSet:
! M4 E9 i- D5 z5 o3 a* \cmp pSD,0$ ~0 N" b: M* ~
jz @f* F1 \2 F8 j$ O. ]
invoke LocalFree,pSD
6 E5 S+ ~) J* C, ]- g0 J@@:
?$ c) y" q1 k; i' Q8 kcmp pNewDacl,0
4 X7 m: H p3 M! cjz @f
! q. J, N/ F4 F; O( f. L' b" ?; finvoke LocalFree,pNewDacl3 h$ E7 W6 c* w: w1 b9 y
@@:
0 y$ g, C- x# x' Xret1 @. g. ~$ [, S% _
SetPhyscialMemorySectionCanBeWrited endp2 q2 ]* N; O+ L7 o2 f. z
, S& P# N- @0 S/ `" y' B; wMiniMmGetPhysicalAddress proc virtualaddress:dword, e! i+ S" Q. E# b, F# ]# W; C
mov eax,virtualaddress5 N- B m/ G! Q% {
cmp eax,80000000h8 O3 V, A, m, ]4 U
jb @f
8 n# h7 W: Q. e( t( N; K cmp eax,0a0000000h$ d' e$ F! H1 ]3 b' b7 @0 [
jae @f% q. V6 M, C2 t( W. V, ? Y- F
and eax,1FFFF000h
# v0 N) t- v p. w0 H& c- L; M, b. A/ P ret
, P4 i# d' i0 A, k: G+ h& E @@:: W' R; q' T5 `3 p! n* k( {/ Y
mov eax,0
- b R1 n- Q1 S8 V6 d% c1 w$ y ret
5 N; z, A/ M6 T. e* H/ E* x, e' h/ EMiniMmGetPhysicalAddress endp' j: [$ L, M6 `; y% s8 S
Z7 y- c* p, u6 j' X# P$ ^! ~) D
ExecRing0Proc proc
9 D4 ]- D) [1 {& c. Qlocal tmpSel:dword
, }! N. L: t! U9 m: N( Wlocal setcg:dword6 s e1 f; x; x, N1 {+ i) u5 r) W
local BaseAddress:dword* q) g% W# F8 Q' D% e6 J8 U
local NtdllMod :dword
; Q( t( V2 d. Olocal hSection:HANDLE 1 _0 }4 U7 v% Z) Y2 \
local status:NTSTATUS8 x. y* w6 C& e
local objectAttributes:OBJECT_ATTRIBUTES
0 j8 C' k$ o; z% m" vlocal objName:UNICODE_STRING& }3 [& q+ g( M" l
mov status,STATUS_SUCCESS;
$ C I i: C9 Z% @1 v* |- M* nsgdt GdtLimit2 E" `% y6 T( a u) \2 P L6 t
invoke MiniMmGetPhysicalAddress,GdtAddr
% z/ `' J5 I6 q3 k- lmov mapAddr,eax
8 P1 i7 v$ `: P* w( vtest eax,eax
5 O7 a& a4 U# b2 K6 g4 Rjz Exit1% ~* k# K( ?8 \
call @f/ {) j2 Y7 {3 \! h& I% n- c, i
db "Ntdll.dll",0- Z* b/ p2 E& ?1 m
@@:: e0 v" ~5 r& D# S# n0 w
call LoadLibraryA5 U9 N Z1 _6 ~5 i/ e; ]* u
mov NtdllMod,eax! p" b( E8 Z9 t% c Z
7 Q0 ] k+ |) M, W7 Klea edx,objnamestr3 z8 j- B' T3 M E7 \6 p
mov objnameptr,edx
; p f# h" |$ X, x/ k; _1 S' P4 \0 N6 `lea edi,ObjAttr' L( g) T2 f" b3 z3 C/ [
and di,0fffch ;align to 4 bytes,or ZwOpenSection will fail
, A. e7 O# h$ S, H Kpush edi ;edi->ObjAttr- w T7 o8 i% R) ]- z
push 24 ;length of <\Device\PhysicalMemory>
! J7 `0 o* j. p( \6 c) f: ppop ecx
, w% b/ s+ N9 g. {6 w# {- V p" rpush ecx
, J, ]1 e; l7 Cxor eax,eax1 N. }+ q' a# [& g- Y& W
rep stosb ;put ObjAttr with 0
0 y9 B/ x4 i* npop ecx! t' Z9 d% g4 l! N- B
pop edi) Q, c$ i) F- b
mov esi,edi: B5 R- _+ [ s {- ^
stosd
5 r. |3 B5 A' F! ~* q6 J8 r5 @" ^- b9 }mov dword ptr[esi],ecx
1 A' ^! W! j! ]% N6 nstosd . x4 ?/ ]/ L$ F# }: V) K
lea eax,[edx-8] ;eax->objname; O. O3 ]' X$ h
stosd ;ObjAddr(18h,00,00,00,00,00,00,00,offset objname,40,02,00,00,dd 2 dup(0)
. A' A. {3 N' `3 L9 wmov dword ptr [edi],240h# h; l% }3 R) {1 M8 r% Q% h; V
6 N1 [, S9 ]/ ~, H8 P
call @f
7 p% S( w+ `+ F/ t" {2 rdb "ZwOpenSection",06 |! W' ?0 @7 ~
@@:; `2 L* p( ~+ R& f+ `* E
push NtdllMod! f; k* M- C! s! `
call GetProcAddress i7 F4 U7 M, n' u) e
mov ebx,eax ;ebx=ZwOpenSection
: i3 C. r. w: M
. i. H0 p1 B' c U) z& e, Spush esi ;esi->ObjAttr( G4 m* M( n4 {" X! {% z
push SECTION_MAP_READ or SECTION_MAP_WRITE
+ ~% a( B* L: E9 T& e: Nlea edi,hSection
( x1 Z6 p7 X5 m8 S: T5 G! mpush edi ;edi->hSection
, T1 g; w. f0 V# C: Dcall eax ;ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr)
+ d8 o9 L/ n Z7 R$ E' h1 A9 Y
. q) j- X: P/ e- k- Amov status,eax
1 W4 N l" s6 {cmp status,STATUS_ACCESS_DENIED- ]. ]! H' ~0 T& i5 U: L( K" P% r
jnz AccessPermit
6 \8 i8 w- ~8 Y; `( L3 Emov eax,ebx
2 F/ a4 \" b: H2 u+ {
, w" x( w4 ?# e4 Dpush esi
& d# n# o5 W" T" c3 ipush READ_CONTROL or WRITE_DAC 7 U+ ~1 q f0 Q! X- z
push edi
: n, {. k x* `2 J& \call eax - T5 j) G! G% E2 W% g
9 A+ z3 i; j4 ?$ G) P# U) R8 m' Z
mov status,eax
/ {6 q7 a& ?2 D9 `, zinvoke SetPhyscialMemorySectionCanBeWrited,hSection
( P. {) h3 _! d+ N3 Q \9 `+ K
8 H: ?6 V& z/ o2 k6 Tcall @f5 X% R/ W# Y1 g3 L# |
db "ZwClose",0
6 R) d$ v. w9 S6 l/ W1 y& Q@@:
/ w! k; E8 @! ~; D( Kpush NtdllMod
8 [) B4 g2 e, d9 xcall GetProcAddress$ }* C3 r0 @' K" q) J" |
2 J! E- m. b% O; r, W$ ^push hSection, z) p7 v& e! ?( m6 ]: F
call eax ;zwClose hSection! r3 X0 l5 P [8 q. L. n, n( }; E: G' _
$ V2 b4 ~& X& D& t9 i* q
mov eax,ebx# |% k, H8 T A" r: `& ^
7 R$ B$ m9 Y2 q2 t j( m: n1 E/ P
push esi
/ @$ S* Q* G1 Y3 k9 }/ spush SECTION_MAP_READ or SECTION_MAP_WRITE
1 W8 }# u. u6 a' U; w# rlea edi,hSection
/ K2 x; u: t9 i! D8 Rpush edi " s0 Y. `+ b- z Q2 J
call eax+ `( A* g+ z+ g O- g. C# w
mov status ,eax
+ G& S( o/ \& ^% X5 n. m9 p/ V7 };status =ZwOpenSection(&hSection,SECTION_MAP_WRITE|SECTION_MAP_WRITE,&objectAttributes);
5 ^. N8 r9 Y: H! E" E `0 J( cAccessPermit:
1 a/ q9 w# ^: Hcmp status ,STATUS_SUCCESS O+ P. b: A: m7 v; O. e0 }
jz @f
' g D# C, z4 _! m1 b& k- d;printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status); 5 s0 B3 Y' Z% w2 u3 s/ B& q
;return 0;
% r: ]0 E9 {' Fmov eax,0/ A2 V& d9 x1 l3 Q
ret8 u5 y/ @( w2 y- U# o7 |/ W
@@:
* \6 d! W3 K6 s1 }! mmovzx eax,word ptr[GdtLimit]
3 l( \3 d0 Y' r, Linc eax
2 Y* J& C3 I2 V7 P. p( ?! [invoke MapViewOfFile,hSection, FILE_MAP_READ or FILE_MAP_WRITE, 0, mapAddr, eax 9 R6 @& W* ^+ t1 D& I; h
mov BaseAddress,eax- |9 ]7 g' D3 q3 ]
cmp BaseAddress,08 k: _. W) W$ B, `0 R
jnz @f
9 h1 U6 j/ j( V5 L5 D- p: ?6 I;printf("Error MapViewOffile:");
# U( ?' {4 P& }1 Z6 f2 krintWin32Error(GetLastError()); return 0; # m* S4 X& I8 s" u) V' b) g) j
mov eax,0
6 H% t* P: n, Gret
$ k7 Z( o! i; d( m5 i! v/ J( f@@: 7 Z1 O2 w& U* ~( \
mov esi,eax ;esi->gdt base
8 W) e9 @% S1 W- f# D) i v1 Nmov ecx,3e0h3 S) T! W2 R+ `; }; p% V! O O; `- Z
mov eax,GdtAddr6 A) d: N2 |) l5 |3 ~0 F' C; B
.if dword ptr [esi+ecx+2]!=0ec0003e8h
( h. \5 e9 L5 V; Z. [& Wmov byte ptr [esi],0c3h
% U( I4 z% u7 D$ Q& n+ U! [+ l$ [/ Q' W. G/ W
mov word ptr [esi+ecx],ax
9 l/ |; e7 N" e' Z# jshr eax,16) r) {5 O" T- @/ I& b
mov word ptr [esi+ecx+6],ax
* [9 ~+ A* X1 m; Q5 p7 L% p$ @mov dword ptr [esi+ecx+2],0ec0003e8h
* ^. K; X/ e$ Q/ w" F _: w! M
2 k* F. i- P% d# [9 R1 D. ]mov dword ptr [esi+ecx+8],0000ffffh1 K! \6 {. L! t0 L" o
mov dword ptr [esi+ecx+12],00cf9a00h
4 r: m& L K3 W+ B.endif$ R1 G8 `, N9 x9 {: T
0 ]0 Z. E) v/ M/ |4 [" t& w
mov setcg,TRUE
1 c; i. H5 D" s) dcmp setcg,0
: Y n% {8 U/ |: u" }4 u/ gjnz ChangeOK
# ?, I: l, m' ]& F0 ^9 c6 Gcall @f
- M$ L7 P. a( b( Ldb "ZwClose",0
5 I7 g% _% n/ z& C; t@@:, {" m& h% y W
push NtdllMod% D. F; V2 D2 K7 y4 O) Y
call GetProcAddress7 l5 n r5 Q- S1 ]0 j) _
push hSection
- F# \3 {8 c& Z& {! H4 Ccall eax3 d/ j: N2 Z! J
xor eax,eax
& n8 P$ V0 b5 r, z# M; m2 ?. Gret' X9 w% q( p V: s8 b& g
ChangeOK:+ w0 X) e" z/ i6 H! }, o
and dword ptr Callgt,0 9 V% H8 n: f3 [; P
xor eax,eax
. O* `; U, v; smov ax,3e0h
% i. u# h$ O+ N' Hor al,3h/ ^. [/ k6 G( y% K+ v
mov word ptr [Callgt+4],ax
. |2 @2 n3 k p. X6 Q6 ^6 M2 f;farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate; : L9 z8 D3 w" M1 f
lea eax,_Ring0Proc
+ J8 p' G" }' T( L; E* `+ Q) X;invoke VirtualLock,eax,seglen
: v1 N' W& }# N3 Ytest eax,eax
3 Q# r2 {7 P# y# y: tjnz @f, \0 K K7 \: S8 J3 @: @) t/ j/ l: w
xor eax,eax7 T! L K | M, g
ret. ]$ k8 I' O7 C! a
@@:6 M0 i: C& G( k2 K
invoke GetCurrentThread
# S/ I: {; ?5 Zinvoke SetThreadPriority,eax,THREAD_PRIORITY_TIME_CRITICAL
' C5 P9 ^( J8 D0 Y" ~! S: K0 C; V% ^* I$ s N! t+ N+ R" Y( e
invoke Sleep,0 5 X: n1 e) k u$ q* _
call fword ptr [Callgt] ;use callgate to Ring0!
f, h4 \: |! a% d9 H8 q;_asm call fword ptr [farcall]
. w; c6 S& W) l# h' x1 g& ]6 f_Ring0Proc: ; Ring0 code here..
" c7 U7 P4 X9 hmov eax,esp ;save ring0 esp
, e+ j9 a/ n+ |" ~7 @( A& wmov esp,[esp+4];->ring3 esp. n5 C! K. B1 t
push eax
4 F& G6 M- c- I$ Q2 { mov ebx,offset stIDEINFO( g1 c" \1 \( C2 T- `+ t: u
assume ebx:ptr IDEINFO ' H( e9 N/ g/ ~) t& c, P
;********************************************************************
6 d5 s- }, x! V2 j2 T' f4 K; 等待硬盘就绪. g1 E: ?* e5 m0 \
;********************************************************************. H7 a+ \: w- D$ A9 ~( z
mov ecx,10000h# C5 x/ s" f# o7 X
mov dx,01f7h5 N3 G- v9 I$ W' C) p4 {$ j' _
@@:
; r# ^* o; M: t in al,dx
+ ]9 R% v, Y( R/ J cmp al,50h
6 g4 @- r# y, A6 q* Z/ t jz @F. _# T" m Q6 S: s
loop @B
6 |, d9 @* O. ~2 l0 b' ]( b3 q. ` jmp _II_TimeOut$ S0 W! }# S1 X8 T4 R
@@:0 l7 n9 d+ F" ^, y+ Y) D3 |
;********************************************************************/ v- L3 | U9 r! s3 \! y' P
; 发送命令
c: q7 j$ x( W/ Y' }7 o; 如果向主控制发送命令,则端口为 1f0h-1f7h
6 v2 Z9 s# ]* k; W% b9 Z: e6 I; 如果向副控制发送命令,则端口为 170h-177h
) o2 C& ^: v( I$ T' c; 1f6h 如果要检测的设备为该IDE接口的主(MASTER)设备,
+ S5 v1 Q: s% u ^7 [; 那么发送 a0,如果为从那么发送 b0
2 O! A7 h5 Y2 _$ M; X; 1f7h 如果要检测的设备为 ATA 设备那么发送 ec
D7 O! f5 t% i; 如果为 ATAPI 设备那么发送 a1" [: I! U5 k! E0 f! q8 M
;********************************************************************
- I1 f' w( J3 x& _ mov al,0a0h ;Drive 0,Head 07 P) @6 ~* _% ?4 {8 N
mov dx,01f6h ;Drive and head port
& m/ W Z% ^9 w) x# e" o" k out dx,al$ g, x: U3 w) h0 D! {$ B
+ k0 s+ P- w2 l) K* Y2 V2 M mov al,0ech
n3 ]7 M, N* A1 \6 O inc dx ;Command port9 [8 P1 n' O+ Z" ?
out dx,al! o0 p0 q1 b( E! ~3 x* ^2 \% x
;********************************************************************
/ A- U9 E/ ^) ~, ^1 I0 ?; 等待硬盘就绪5 ~0 @0 t6 J4 V6 L- T) f5 ?6 {
;********************************************************************6 M. f# Q" y* `6 s7 b- f
mov ecx,10000h
$ t7 I: V, I5 S8 _ @@:% m$ ~- [. Z" I
in al,dx;1f7 (r-status register)
& M5 u7 e4 ^. G! v, A; T3 K& i+ p. a cmp al,58h;(driver is ready ,and seek complete)
6 u" e ]7 e9 J. y3 d, p jz @F
6 g4 G* X* C+ ^6 h8 `1 v loop @B3 D3 `5 L# L% m3 G$ u# |
jmp _II_TimeOut: ]# E/ Y7 }( [* }7 |8 D b
@@:+ P8 [9 Y; [" X; ^% ~! [ W* u7 G" u
;********************************************************************
# q. O( C" `) L2 k0 b9 ^9 V; 将返回信息读回" O, X+ W. Y+ \: R' D* }1 |
; 注意一定要读满 100h 个字长
/ z. L8 H% ~5 Q;********************************************************************
; ]' p$ l# b& `* ^* l, X6 r$ |7 h3 z% Z cld
3 {5 ~7 q( t- Q4 m mov edx,01f0h;data port - data comes in and out here3 W) ~ r9 o" M+ P
mov edi,ebx0 D0 i3 @& x. j8 V
mov ecx,0100h
) G: ~' ]( `5 Q+ V! g4 T2 a: H rep insw
& k4 U8 Q- L- r7 L) p- E4 V;********************************************************************
( V; C ?" d, B) I+ B+ s1 O! j; 返回的信息中,型号、序列号、版本号为字形式+ I& w8 G7 e5 y$ o+ v
; 需要整理到字符串的形式; }' m; b+ s' T8 C1 L
;********************************************************************4 x; M$ ?! {2 F" g8 ~4 d: |
lea esi,[ebx].sSerialNumber
3 \! ~* h0 o3 ^9 e4 B+ s1 j mov edi,esi
: ? M' z1 h1 G mov ecx,10
4 V1 \* m. p" v& M6 v6 D" A7 y @@:" R8 P. T: s6 @: N
lodsw
; T3 x% k: t! P4 { xchg ah,al5 l) {* ^" G! A1 t8 i `$ h2 L4 `
stosw' T$ ~; R# m s( `$ J4 _
loop @B
; S V' g/ R$ u8 U. d. ^' G3 h; o- B7 y. [" r& R
lea esi,[ebx].sFirmwareRev
1 v3 y; R% ? A& O" _/ X/ t6 M mov edi,esi: A. Y! A: k" ^) ~
mov ecx,24) b, e* R7 v L; e! w- Q
@@:
+ _6 b" {! w" L. m0 G, [4 p lodsw- U- F+ g c% t6 A% D# ?
xchg ah,al) \4 O1 u$ O2 j+ V
stosw
$ [+ ]% x: c, e* K loop @B
' {, x ^. `1 Y6 U* N_II_TimeOut:* P9 U: X% D7 _/ I
assume ebx:nothing
; n. ~1 A: E2 h8 [% |- c6 j2 f: r 2 [0 Q6 w$ x/ N9 a5 X
pop esp ;restore ring0 esp+ a: q9 K$ T6 f! {$ v5 k
push offset Ring3/ y7 Z$ t0 T9 u/ b- h# u" z
retf
2 F/ c- h$ C5 j- _Ring0CodeLen=$-_Ring0Proc
& o5 D1 _5 g$ h; `2 D: U6 ?+ F8 L0 j- P- Z9 b# ` o7 C S: a5 ]
Ring3:7 U2 Y: ^" `9 y% I! J/ ?( B
invoke GetCurrentThread
& D5 b/ l( E8 C1 O9 ?invoke SetThreadPriority,eax,THREAD_PRIORITY_NORMAL
$ C+ r# h' P# [" B3 M1 P, h' b9 D% |: U4 W
;invoke VirtualUnlock,Entry,seglen ! `, Q! I) b0 p) [6 A3 e* w- c7 a
; r% {' ~1 _5 B) dcall @f/ n1 }8 C" s: C! ?1 G5 I, E$ t
db "ZwClose",0
4 b& j8 @- E, C: n: K! V@@:
2 k5 H+ x# Y7 ~# o4 y; R1 cpush NtdllMod- R) o' _4 b/ X6 B% @
call GetProcAddress6 n+ f. n+ C( `/ H
push hSection
' R) t0 q- S7 v6 H( qcall eax# \, K2 J7 L" p4 ]$ x: `
mov eax,TRUE) \/ R- |- s. d
ret
' v/ l# a' S3 {1 q! G, U6 ]ExecRing0Proc endp
. K8 q1 _6 E" n8 ?2 T; W+ \, Q5 V9 s
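;-----------------------------------------------------------------------
; main -- program entry point.
; Installs a minimal SEH frame (MySEH) so a fault anywhere below ends the
; process instead of hanging, refuses to run on Win9x, calls
; ExecRing0Proc (which fills stIDEINFO), then formats the result into
; szBuffer and shows it.  A zero wNumCyls is treated as "nothing read".
; Exit1 is also a jump target inside ExecRing0Proc; the label must stay.
;-----------------------------------------------------------------------
main:
    assume  fs:nothing
    ; EXCEPTION_REGISTRATION on the stack: [esp] = previous, [esp+4] = handler
    push    offset MySEH
    push    fs:[0]
    mov     fs:[0],esp
    mov     OldEsp,esp                  ; MySEH unwinds straight back to this esp

    ; Win9x runs with an LDT-based data selector (TI bit, mask 4, set);
    ; NT uses GDT selectors.  Bail out on Win9x rather than fault later.
    mov     ax,ds
    test    ax,4
    jnz     Exit1

    invoke  ExecRing0Proc

    .if stIDEINFO.wNumCyls
        ; Copy the fixed-width ATA strings into NUL-terminated buffers;
        ; each sz* buffer is one byte longer than its field and zero-initialised.
        lea     esi,stIDEINFO.sModelNumber
        mov     edi,offset szModelNumber
        mov     ecx,sizeof stIDEINFO.sModelNumber
        rep     movsb

        lea     esi,stIDEINFO.sSerialNumber
        mov     edi,offset szSerialNumber
        mov     ecx,sizeof stIDEINFO.sSerialNumber
        rep     movsb

        lea     esi,stIDEINFO.sFirmwareRev
        mov     edi,offset szFirmwareRev
        mov     ecx,sizeof stIDEINFO.sFirmwareRev
        rep     movsb

        ; Widen the 16-bit fields for the %d conversions.
        movzx   eax,stIDEINFO.wNumCyls
        movzx   ebx,stIDEINFO.wNumHeads
        movzx   ecx,stIDEINFO.wSectorsPerTrack
        movzx   edx,stIDEINFO.wBufferSize
        invoke  wsprintf,addr szBuffer,addr szIDEInfo,eax,ebx,ecx,edx,addr szModelNumber,addr szSerialNumber,addr szFirmwareRev
        mov     eax,offset szBuffer
    .else
        mov     eax,offset szErrInfo
    .endif
    invoke  MessageBox,NULL,eax,addr szTitle,MB_ICONINFORMATION or MB_OK

Exit1:
    pop     fs:[0]                      ; unlink the SEH frame
    add     esp,4                       ; drop the handler slot
    invoke  ExitProcess,0

; Exception handler: restore the esp saved in main, unlink the frame and
; leave with -1 instead of returning to the faulting instruction.
MySEH:
    mov     esp,OldEsp
    pop     fs:[0]
    add     esp,4
    invoke  ExitProcess,-1
end main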
' Q* d3 F1 J3 p/ a" t