下沙论坛
Views: 5563 | Replies: 6

[Repost] Reading the hard disk serial number under 2000/XP [assembly]

#1 | Posted 2003-11-2 18:09:00
I'm nowhere near this level.

.686p
.model flat, stdcall
option casemap :none ; case sensitive
; #########################################################################
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\advapi32.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\advapi32.lib

DEBUG = TRUE

HMODULE typedef dword
NTSTATUS typedef dword
PACL typedef dword
PSECURITY_DESCRIPTOR typedef dword

OBJ_INHERIT = 2
OBJ_PERMANENT = 10h
OBJ_EXCLUSIVE = 20h
OBJ_CASE_INSENSITIVE = 40h
OBJ_OPENIF = 80h
OBJ_OPENLINK = 100h
OBJ_KERNEL_HANDLE = 200h
OBJ_VALID_ATTRIBUTES = 3F2h

SE_KERNEL_OBJECT = 6
GRANT_ACCESS = 1
NO_INHERITANCE = 0
TRUSTEE_IS_NAME = 1
TRUSTEE_IS_USER = 1
STATUS_SUCCESS = 0
STATUS_ACCESS_DENIED = 0C0000022h

STATUS_ACCESS_VIOLATION equ 0C0000005h
STATUS_INFO_LENGTH_MISMATCH equ 0C0000004h
SystemModuleInformation equ 11
PVOID TYPEDEF DWORD
ULONG TYPEDEF DWORD
CHAR TYPEDEF BYTE

UNICODE_STRING struct
 nLength word ?
 MaximumLength word ?
 Buffer dword ?
UNICODE_STRING ends

OBJECT_ATTRIBUTES struct
 nLength dword ?
 RootDirectory HANDLE ?
 ObjectName dword ? ;PUNICODE_STRING
 Attributes dword ?
 SecurityDescriptor dword ? ;PVOID, points to a SECURITY_DESCRIPTOR
 SecurityQualityOfService dword ? ;PVOID, points to a SECURITY_QUALITY_OF_SERVICE
OBJECT_ATTRIBUTES ends

TRUSTEE struct
 pMultipleTrustee dword ? ;PTRUSTEE
 MultipleTrusteeOperation dword ? ;MULTIPLE_TRUSTEE_OPERATION
 TrusteeForm dword ? ;TRUSTEE_FORM
 TrusteeType dword ? ;TRUSTEE_TYPE
 ptstrName dword ? ;LPTSTR
TRUSTEE ends

EXPLICIT_ACCESS struct
 grfAccessPermissions DWORD ?
 grfAccessMode dword ? ;ACCESS_MODE
 grfInheritance DWORD ?
 Trustee TRUSTEE <>
EXPLICIT_ACCESS ends

MyGATE struct ;call gate descriptor layout (not used directly, the gate is written as raw words below)
 OFFSETL WORD ? ;low 16 bits of the 32-bit offset
 SELECTOR WORD ? ;target code segment selector
 DCOUNT BYTE ? ;dword parameter count
 GTYPE BYTE ? ;type/attribute byte
 OFFSETH WORD ? ;high 16 bits of the 32-bit offset
MyGATE ends

IDEINFO struct ;ATA IDENTIFY DEVICE data, same layout as the usual IDSECTOR
 wGenConfig dw ?
 wNumCyls dw ? ;number of cylinders
 wReserved dw ?
 wNumHeads dw ? ;number of heads
 wBytesPerTrack dw ? ;bytes per track
 wBytesPerSector dw ? ;bytes per sector
 wSectorsPerTrack dw ? ;sectors per track
 wVendorUnique dw 3 dup (?)
 sSerialNumber db 20 dup (?) ;hard disk serial number
 wBufferType dw ?
 wBufferSize dw ? ;n * 512
 wECCSize dw ?
 sFirmwareRev db 8 dup (?)
 sModelNumber db 40 dup (?)
 wMoreVendorUnique dw ?
 wDoubleWordIO dw ?
 wCapabilities dw ?
 wReserved1 dw ?
 wPIOTiming dw ?
 wDMATiming dw ?
 wBS dw ?
 wNumCurrentCyls dw ?
 wNumCurrentHeads dw ?
 wNumCurrentSectorsPerTrack dw ?
 dwCurrentSectorCapacity dd ?
 wMultSectorStuff dw ?
 dwTotalAddressableSectors dd ?
 wSingleWordDMA dw ?
 wMultiWordDMA dw ?
 bReserved db 384 dup (?) ;pad the struct to 512 bytes: the ring-0 code does rep insw for 100h words
IDEINFO ends

SetPhyscialMemorySectionCanBeWrited proto :dword
MiniMmGetPhysicalAddress proto :dword

ENTERRING0 macro
 pushad
 pushfd
 cli
 mov eax,cr0 ;clear CR0.WP (supervisor write protection)
 and eax,0fffeffffh
 mov cr0,eax
endm

LEAVERING0 macro
 mov eax,cr0 ;restore CR0.WP
 or eax,10000h
 mov cr0,eax
 sti
 popfd
 popad
 retf
endm

UNICODE_STR macro str ;emit str as a UTF-16LE string (one zero byte after each character)
 irpc _c,<str>
 db '&_c'
 db 0
 endm
endm

.data?
GdtLimit dw ? ;SGDT stores the 16-bit limit here ...
GdtAddr dd ? ;... followed by the 32-bit linear base

mapAddr dd ?
OldEsp dd ?

readed dw ?
buffer db 512 dup(?)
ShowText db 512*3 dup (?)

szBuffer db 1024 dup (?)
szModelNumber db 41 dup (?)
szSerialNumber db 21 dup (?)
szFirmwareRev db 9 dup (?)

stIDEINFO IDEINFO <>

.data
align 4
objname dw objnamestr_size,objnamestr_size+2 ;UNICODE_STRING: Length, MaximumLength
objnameptr dd 0 ;UNICODE_STRING.Buffer, filled in at run time
objnamestr equ this byte
UNICODE_STR <\Device\PhysicalMemory>
objnamestr_size equ $-objnamestr

szTitle db 'IDE disk information',0
szErrInfo db 'Unable to read disk information',0
szIDEInfo db 'Cylinders : %d',0dh,0ah
 db 'Heads : %d',0dh,0ah
 db 'Sectors per track : %d',0dh,0ah
 db 'Buffer size : %d sectors',0dh,0ah
 db 'Model : %40s',0dh,0ah
 db 'Serial number : %20s',0dh,0ah
 db 'Firmware : %8s',0

align 4
ObjAttr db 24 dup (0) ;OBJECT_ATTRIBUTES, built by hand in ExecRing0Proc
Callgt dq 0 ;far pointer for the call: offset (ignored for a gate) and call gate selector
Caption db 'Windows XP absolute disk read/write',0
Digit db '0123456789ABCDEF',0

.code
_ShowBuffer proc ;hex-dump the 512 bytes in buffer (helper, not called by main)
 ;convert the data to hexadecimal text
 mov [readed],512
 mov esi,offset buffer ;raw data
 mov edi,offset ShowText ;converted text
 mov ebx,offset Digit
 xor ecx,ecx
 xor eax,eax
computeAgain:
 cmp [readed],0
 jz endCompute
 dec [readed]
 lodsb
 push eax
 shr eax,4 ;high nibble
 xlatb
 stosb
 pop eax
 and eax,0fH ;low nibble
 xlatb
 stosb
 mov byte ptr[edi],' ' ;space
 inc edi
 inc ecx
 cmp ecx,16
 jnz computeAgain
 xor ecx,ecx
 mov byte ptr[edi-1],13 ;carriage return after every 16 bytes
 jmp computeAgain
endCompute:
 ;display
 invoke MessageBoxA,NULL,offset ShowText,offset Caption,MB_OK
 ret
_ShowBuffer endp

;Grant the current user SECTION_MAP_WRITE on the \Device\PhysicalMemory section
SetPhyscialMemorySectionCanBeWrited proc uses ebx esi edi hSection:HANDLE
 local pDacl:PACL
 local pNewDacl:PACL
 local pSD:PSECURITY_DESCRIPTOR
 local dwRes:DWORD
 local ea:EXPLICIT_ACCESS
 mov pSD,0 ;both are freed on the way out, so they must not hold stack garbage
 mov pNewDacl,0
 invoke GetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL, addr pDacl,NULL, addr pSD
 cmp eax,ERROR_SUCCESS
 jz @f
 jmp OutSet
@@:
 mov dwRes,eax
 mov ea.grfAccessPermissions ,SECTION_MAP_WRITE ;2
 mov ea.grfAccessMode ,GRANT_ACCESS ;1
 mov ea.grfInheritance,NO_INHERITANCE ;0
 mov ea.Trustee.pMultipleTrustee,0
 mov ea.Trustee.MultipleTrusteeOperation,0
 mov ea.Trustee.TrusteeForm,TRUSTEE_IS_NAME ;1
 mov ea.Trustee.TrusteeType,TRUSTEE_IS_USER ;1
 call @f ;push the address of the string
 db "CURRENT_USER",0
@@:
 pop edx
 mov ea.Trustee.ptstrName,edx
 invoke SetEntriesInAcl,1,addr ea,pDacl,addr pNewDacl
 cmp eax,ERROR_SUCCESS
 jz @f
 jmp OutSet
@@:
 invoke SetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL,pNewDacl,NULL
OutSet:
 cmp pSD,0
 jz @f
 invoke LocalFree,pSD
@@:
 cmp pNewDacl,0
 jz @f
 invoke LocalFree,pNewDacl
@@:
 ret
SetPhyscialMemorySectionCanBeWrited endp

;Kernel linear addresses 80000000h-9FFFFFFFh are identity-mapped on non-PAE XP; anything else returns 0
MiniMmGetPhysicalAddress proc virtualaddress:dword
 mov eax,virtualaddress
 cmp eax,80000000h
 jb @f
 cmp eax,0a0000000h
 jae @f
 and eax,1FFFF000h
 ret
@@:
 mov eax,0
 ret
MiniMmGetPhysicalAddress endp

ExecRing0Proc proc
 local tmpSel:dword
 local setcg:dword
 local BaseAddress:dword
 local NtdllMod:dword
 local hSection:HANDLE
 local status:NTSTATUS
 local objectAttributes:OBJECT_ATTRIBUTES
 local objName:UNICODE_STRING
 mov status,STATUS_SUCCESS
 sgdt fword ptr GdtLimit
 invoke MiniMmGetPhysicalAddress,GdtAddr
 mov mapAddr,eax
 test eax,eax
 jnz @f
 xor eax,eax ;GDT is outside the identity-mapped range, give up
 ret
@@:
 call @f
 db "Ntdll.dll",0
@@:
 call LoadLibraryA
 mov NtdllMod,eax

 lea edx,objnamestr
 mov objnameptr,edx
 lea edi,ObjAttr
 and di,0fffch ;align to 4 bytes, or ZwOpenSection will fail
 push edi ;edi->ObjAttr
 push 24 ;sizeof OBJECT_ATTRIBUTES
 pop ecx
 push ecx
 xor eax,eax
 rep stosb ;zero ObjAttr
 pop ecx
 pop edi
 mov esi,edi
 stosd
 mov dword ptr[esi],ecx ;Length = 18h
 stosd ;RootDirectory = 0
 lea eax,[edx-8] ;eax->objname
 stosd ;ObjAttr = 18h,0,0,0, 0,0,0,0, offset objname, 40h,02h,0,0, dd 2 dup(0)
 mov dword ptr [edi],240h ;Attributes = OBJ_KERNEL_HANDLE or OBJ_CASE_INSENSITIVE

 call @f
 db "ZwOpenSection",0
@@:
 push NtdllMod
 call GetProcAddress
 mov ebx,eax ;ebx=ZwOpenSection

 push esi ;esi->ObjAttr
 push SECTION_MAP_READ or SECTION_MAP_WRITE
 lea edi,hSection
 push edi ;edi->hSection
 call eax ;ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr)

 mov status,eax
 cmp status,STATUS_ACCESS_DENIED
 jnz AccessPermit
 mov eax,ebx

 push esi ;access denied: reopen with READ_CONTROL or WRITE_DAC and change the DACL
 push READ_CONTROL or WRITE_DAC
 push edi
 call eax

 mov status,eax
 invoke SetPhyscialMemorySectionCanBeWrited,hSection

 call @f
 db "ZwClose",0
@@:
 push NtdllMod
 call GetProcAddress

 push hSection
 call eax ;ZwClose hSection

 mov eax,ebx
 push esi
 push SECTION_MAP_READ or SECTION_MAP_WRITE
 lea edi,hSection
 push edi
 call eax
 mov status,eax
 ;status = ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&objectAttributes);
AccessPermit:
 cmp status,STATUS_SUCCESS
 jz @f
 ;printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status);
 ;return 0;
 mov eax,0
 ret
@@:
 movzx eax,word ptr[GdtLimit]
 inc eax
 invoke MapViewOfFile,hSection, FILE_MAP_READ or FILE_MAP_WRITE, 0, mapAddr, eax
 mov BaseAddress,eax
 cmp BaseAddress,0
 jnz @f
 ;printf("Error MapViewOfFile:"); PrintWin32Error(GetLastError()); return 0;
 mov eax,0
 ret
@@:
 mov esi,eax ;esi->GDT base (assumes the GDT starts on a page boundary)
 mov ecx,3e0h ;GDT offset of the call gate we install
 mov eax,GdtAddr
 .if dword ptr [esi+ecx+2]!=0ec0003e8h
 mov byte ptr [esi],0c3h ;a RET at the GDT base: this is the gate's target

 mov word ptr [esi+ecx],ax ;gate offset low = GdtAddr low
 shr eax,16
 mov word ptr [esi+ecx+6],ax ;gate offset high = GdtAddr high
 mov dword ptr [esi+ecx+2],0ec0003e8h ;selector 3e8h, DCOUNT 0, type 0ech = present, DPL 3, 32-bit call gate

 mov dword ptr [esi+ecx+8],0000ffffh ;selector 3e8h: flat ring-0 code segment
 mov dword ptr [esi+ecx+12],00cf9a00h ;base 0, limit 0fffffh, G=1, D=1, P, DPL 0, code/readable
 .endif

 mov setcg,TRUE
 cmp setcg,0
 jnz ChangeOK
 call @f
 db "ZwClose",0
@@:
 push NtdllMod
 call GetProcAddress
 push hSection
 call eax
 xor eax,eax
 ret
ChangeOK:
 and dword ptr Callgt,0
 xor eax,eax
 mov ax,3e0h
 or al,3h
 mov word ptr [Callgt+4],ax ;selector 3e3h: gate at 3e0h with RPL 3
 ;farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate
 lea eax,_Ring0Proc
 ;invoke VirtualLock,eax,seglen
 test eax,eax
 jnz @f
 xor eax,eax
 ret
@@:
 invoke GetCurrentThread
 invoke SetThreadPriority,eax,THREAD_PRIORITY_TIME_CRITICAL
 invoke Sleep,0
 call fword ptr [Callgt] ;through the call gate into ring 0!
 ;_asm call fword ptr [farcall]
 ;The gate lands on the RET at the GDT base, which pops the return EIP from the
 ;ring-0 stack, so execution continues here, still in ring 0, with CS = 3e8h.
_Ring0Proc: ; ring 0 code here..
 mov eax,esp ;save ring-0 esp (stack now holds ring-3 CS, ESP, SS)
 mov esp,[esp+4] ;switch to the ring-3 stack
 push eax
 mov ebx,offset stIDEINFO
 assume ebx:ptr IDEINFO
;********************************************************************
; Wait until the drive is ready
;********************************************************************
 mov ecx,10000h
 mov dx,01f7h
@@:
 in al,dx
 cmp al,50h ;DRDY and DSC set, BSY clear
 jz @F
 loop @B
 jmp _II_TimeOut
@@:
;********************************************************************
; Send the command
; Primary controller: ports 1f0h-1f7h
; Secondary controller: ports 170h-177h
; 1f6h: write a0h to select the master device on this IDE channel, b0h for the slave
; 1f7h: write ech (IDENTIFY DEVICE) for an ATA device, a1h for an ATAPI device
;********************************************************************
 mov al,0a0h ;drive 0, head 0
 mov dx,01f6h ;drive/head port
 out dx,al

 mov al,0ech
 inc dx ;command port
 out dx,al
;********************************************************************
; Wait until the drive is ready
;********************************************************************
 mov ecx,10000h
@@:
 in al,dx ;1f7h (status register)
 cmp al,58h ;drive ready, seek complete, data request
 jz @F
 loop @B
 jmp _II_TimeOut
@@:
;********************************************************************
; Read the response back
; All 100h words must be read
;********************************************************************
 cld
 mov edx,01f0h ;data port
 mov edi,ebx
 mov ecx,0100h
 rep insw
;********************************************************************
; In the response the model, serial and firmware fields are stored
; word-wise (two characters per word, first character in the high byte)
; and have to be rearranged into plain strings
;********************************************************************
 lea esi,[ebx].sSerialNumber
 mov edi,esi
 mov ecx,10
@@:
 lodsw
 xchg ah,al
 stosw
 loop @B

 lea esi,[ebx].sFirmwareRev ;sFirmwareRev and sModelNumber are adjacent: 4 + 20 words
 mov edi,esi
 mov ecx,24
@@:
 lodsw
 xchg ah,al
 stosw
 loop @B
_II_TimeOut:
 assume ebx:nothing

 pop esp ;restore ring-0 esp
 push offset Ring3
 retf ;pops EIP=Ring3, ring-3 CS, ESP and SS: back to ring 3
Ring0CodeLen=$-_Ring0Proc

Ring3:
 invoke GetCurrentThread
 invoke SetThreadPriority,eax,THREAD_PRIORITY_NORMAL

 ;invoke VirtualUnlock,Entry,seglen

 call @f
 db "ZwClose",0
@@:
 push NtdllMod
 call GetProcAddress
 push hSection
 call eax
 mov eax,TRUE
 ret
ExecRing0Proc endp

main:
 assume fs:nothing
 push offset MySEH
 push fs:[0]
 mov fs:[0],esp
 mov OldEsp,esp
 mov ax,ds ;Win9x? (LDT selector has the TI bit set)
 test ax,4
 jnz Exit1
 invoke ExecRing0Proc

 .if stIDEINFO.wNumCyls != 0
 lea esi,stIDEINFO.sModelNumber
 mov edi,offset szModelNumber
 mov ecx,sizeof stIDEINFO.sModelNumber
 rep movsb

 lea esi,stIDEINFO.sSerialNumber
 mov edi,offset szSerialNumber
 mov ecx,sizeof stIDEINFO.sSerialNumber
 rep movsb

 lea esi,stIDEINFO.sFirmwareRev
 mov edi,offset szFirmwareRev
 mov ecx,sizeof stIDEINFO.sFirmwareRev
 rep movsb

 movzx eax,stIDEINFO.wNumCyls
 movzx ebx,stIDEINFO.wNumHeads
 movzx ecx,stIDEINFO.wSectorsPerTrack
 movzx edx,stIDEINFO.wBufferSize
 invoke wsprintf,addr szBuffer,addr szIDEInfo, eax,ebx,ecx,edx, addr szModelNumber, addr szSerialNumber, addr szFirmwareRev
 mov eax,offset szBuffer
 .else
 mov eax,offset szErrInfo
 .endif
@@:
 invoke MessageBox,NULL,eax,addr szTitle,MB_ICONINFORMATION or MB_OK
Exit1:
 pop fs:[0]
 add esp,4
 invoke ExitProcess,0

MySEH: ;any fault (e.g. a GPF from the gate) ends the process quietly
 mov esp,OldEsp
 pop fs:[0]
 add esp,4
 invoke ExitProcess,-1
end main
[This post was edited by the author on 2003-11-2 18:14:02]
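The post's ExecRing0Proc installs two GDT entries using bare constants. As an added example that is not part of the original post, the C program below writes those entries the same way into a GDT image and decodes them back into the fields the CPU reads, so the constants can be checked against the x86 descriptor layout without touching a live GDT: 0EC0003E8h is selector 3E8h, DCOUNT 0 and attribute byte 0ECh (present, DPL 3, 32-bit call gate); 0000FFFFh/00CF9A00h is a present DPL-0 flat 32-bit code segment with base 0 and a 4 GiB limit; and the gate's target is the GDT base itself, where the post stores a RET. The GDT base 0x8003F000 is a constructed sample (the real value comes from SGDT). Caveats a practitioner should add to the thread: the trick assumes the GDT is page-aligned and inside the identity-mapped range that MiniMmGetPhysicalAddress handles, every CPU has its own GDT, and it needs write access to \Device\PhysicalMemory from user mode, which Windows Server 2003 SP1 and later releases block.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GATE_OFF  0x3E0u   /* GDT byte offset where the post installs the call gate */
#define CODE_OFF  0x3E8u   /* GDT byte offset where it installs the ring-0 code segment */
#define GDT_IMAGE 0x400u   /* size of the GDT image used by the sample */

typedef struct {           /* 32-bit call gate, as the CPU reads the 8 bytes */
    uint32_t offset;       /* target EIP: low word at +0, high word at +6 */
    uint16_t selector;     /* target code segment, +2 */
    uint8_t  param_count;  /* DCOUNT, +4 low 5 bits */
    uint8_t  type;         /* +5 low nibble, 0xC = 32-bit call gate */
    uint8_t  dpl;          /* +5 bits 5-6 */
    uint8_t  present;      /* +5 bit 7 */
} gate_fields_t;

typedef struct {           /* code/data segment descriptor */
    uint32_t base, limit;  /* limit is the raw 20-bit value; G=1 scales it by 4 KiB */
    uint8_t  type, dpl, present, granularity, default32;
} seg_fields_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Gate attribute byte: P=1, DPL in bits 5-6, S=0, 4-bit type. gate_type_attr(3, 0xC) == 0xEC. */
uint8_t gate_type_attr(unsigned dpl, unsigned type)
{
    return (uint8_t)(0x80u | ((dpl & 3u) << 5) | (type & 0xFu));
}

/* Selector the post stores at Callgt+4 for `call fword ptr [Callgt]`: gate offset with RPL 3. */
uint16_t far_call_selector(unsigned gdt_offset)
{
    return (uint16_t)(gdt_offset | 3u);
}

/* The exact stores the posted ring-3 code makes on the mapped GDT page. */
void write_post_gdt_entries(uint8_t *gdt, uint32_t gdt_base)
{
    gdt[0] = 0xC3;                                        /* mov byte ptr [esi],0c3h: a RET at the gate target */
    wr16(gdt + GATE_OFF + 0, (uint16_t)gdt_base);         /* mov word ptr [esi+ecx],ax */
    wr32(gdt + GATE_OFF + 2, 0x0EC0003E8u);               /* selector 3E8h, DCOUNT 0, attr ECh */
    wr16(gdt + GATE_OFF + 6, (uint16_t)(gdt_base >> 16)); /* mov word ptr [esi+ecx+6],ax */
    wr32(gdt + CODE_OFF + 0, 0x0000FFFFu);                /* limit 0-15 = FFFFh, base 0-15 = 0 */
    wr32(gdt + CODE_OFF + 4, 0x00CF9A00u);                /* base 16-31 = 0, P/DPL0/code, G, D, limit 16-19 = Fh */
}

gate_fields_t decode_call_gate(const uint8_t *d)
{
    gate_fields_t g;
    g.offset      = rd16(d) | ((uint32_t)rd16(d + 6) << 16);
    g.selector    = rd16(d + 2);
    g.param_count = d[4] & 0x1F;
    g.type        = d[5] & 0x0F;
    g.dpl         = (d[5] >> 5) & 3;
    g.present     = (d[5] >> 7) & 1;
    return g;
}

seg_fields_t decode_segment(const uint8_t *d)
{
    uint32_t lo = rd32(d), hi = rd32(d + 4);
    seg_fields_t s;
    s.limit       = (lo & 0xFFFFu) | (hi & 0x000F0000u);
    s.base        = (lo >> 16) | ((hi & 0xFFu) << 16) | (hi & 0xFF000000u);
    s.type        = (hi >> 8) & 0xF;
    s.dpl         = (hi >> 13) & 3;
    s.present     = (hi >> 15) & 1;
    s.default32   = (hi >> 22) & 1;
    s.granularity = (hi >> 23) & 1;
    return s;
}

/* Apply the post's writes to a fresh GDT image and check they produce what the trick relies on:
 * a present DPL-3 32-bit call gate with no parameters whose target is the GDT base (the RET),
 * through a present DPL-0 flat 32-bit code segment. Returns 1 when everything matches. */
int post_layout_ok(uint32_t gdt_base)
{
    uint8_t gdt[GDT_IMAGE];
    gate_fields_t g;
    seg_fields_t s;
    memset(gdt, 0, sizeof gdt);
    write_post_gdt_entries(gdt, gdt_base);
    g = decode_call_gate(gdt + GATE_OFF);
    s = decode_segment(gdt + CODE_OFF);
    return gdt[0] == 0xC3
        && g.present && g.dpl == 3 && g.type == 0xC && g.param_count == 0
        && g.selector == CODE_OFF && g.offset == gdt_base
        && s.present && s.dpl == 0 && s.type == 0xA && s.base == 0
        && s.limit == 0xFFFFFu && s.granularity && s.default32;
}

int main(void)
{
    uint32_t gdt_base = 0x8003F000u;   /* constructed sample; the real value comes from SGDT */
    uint8_t gdt[GDT_IMAGE] = {0};
    write_post_gdt_entries(gdt, gdt_base);
    gate_fields_t g = decode_call_gate(gdt + GATE_OFF);
    seg_fields_t  s = decode_segment(gdt + CODE_OFF);
    printf("gate @%03x: selector=%04x target=%08x dpl=%u type=%x dcount=%u\n",
           GATE_OFF, g.selector, g.offset, g.dpl, g.type, g.param_count);
    printf("code @%03x: base=%08x limit=%05x dpl=%u type=%x G=%u D=%u\n",
           CODE_OFF, s.base, s.limit, s.dpl, s.type, s.granularity, s.default32);
    printf("call fword selector=%04x, layout ok=%d\n", far_call_selector(GATE_OFF), post_layout_ok(gdt_base));
    return 0;
}
```

Why the RET at the GDT base works: a far call through the gate pushes SS, ESP, CS and EIP of the ring-3 caller onto the ring-0 stack, and a near RET pops only EIP, so control returns to the instruction after `call fword ptr [Callgt]` while CS is still the ring-0 segment 3E8h; the post's `mov esp,[esp+4]` then reads the saved ring-3 ESP from what remains on that stack.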
bigfoot (user deleted)
#2 | Posted 2003-11-3 16:22:00
Heh, the ExecRing0Proc routine is very clever: it first gets the GDT, then constructs a call gate so the program goes from user mode (ring 3) into kernel mode (ring 0). Once in kernel mode it can do whatever it likes to the system without restriction. This really is the work of an expert; I'm deeply impressed.
As for reading the hard disk serial number, that is just one I/O application once you are in kernel mode.
Actually, under NT/2000 you only need to open the \\.\PhysicalDriveX device (X: device number 0~26) and then use DeviceIoControl() to read it; there's no need to take the long detour through ring 0.

This program could also be written in C, although a few assembly instructions would have to be embedded, such as sgdt GdtLimit
But it is still more convenient to write it in C, for example:
call @f
db "ZwOpenSection",0
@@:
push NtdllMod
call GetProcAddress
mov ebx,eax ;ebx=ZwOpenSection
push esi ;esi->ObjAttr
push SECTION_MAP_READ or SECTION_MAP_WRITE
lea edi,hSection
push edi ;edi->hSection
call eax

in C needs only one line:
ZwOpenSection(&hSection, SECTION_MAP_READ | SECTION_MAP_WRITE, ObjAttr);
So knowing assembly and then programming in C/C++ is the shortcut to becoming an expert.

[This post was edited by the author on 2003-11-3 16:46:50]
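bigfoot's DeviceIoControl route and the post's `rep insw` both end up with the same 512-byte ATA IDENTIFY DEVICE block; only the way it is obtained differs (the IOCTL is SMART_RCV_DRIVE_DATA with an IDENTIFY command, which on NT/2000/XP still needs administrator rights to open the physical drive but no ring-0 entry). As an added example, not code from either poster, the C program below parses such a block: the serial, firmware and model fields are ASCII packed two characters per word with the first character in the high byte, which is what the post's `lodsw` / `xchg ah,al` / `stosw` loops undo, and they are space-padded rather than NUL-terminated. The IDENTIFY buffer, drive strings and geometry values are constructed here so the program runs offline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ID_BYTES 512   /* one IDENTIFY DEVICE block: 256 words, the post's rep insw count */

typedef struct {
    uint16_t cylinders, heads, sectors_per_track, buffer_sectors;
    char serial[21], firmware[9], model[41];  /* +1 for the terminator, as the post's sz buffers do */
} ide_info_t;

static uint16_t id_word(const uint8_t *id, unsigned w)
{
    return (uint16_t)(id[2 * w] | (id[2 * w + 1] << 8));   /* IDENTIFY words are little-endian */
}

/* Copy an ATA string field: the first character of each pair sits in the word's high byte,
 * so swap as the post's xchg ah,al does, then drop the space padding. out needs 2*nwords+1. */
void ata_string(const uint8_t *id, unsigned first_word, unsigned nwords, char *out)
{
    unsigned i, n = 0;
    for (i = 0; i < nwords; i++) {
        uint16_t w = id_word(id, first_word + i);
        out[n++] = (char)(w >> 8);
        out[n++] = (char)(w & 0xFF);
    }
    while (n > 0 && out[n - 1] == ' ')
        n--;
    out[n] = '\0';
}

/* Fill info from a raw IDENTIFY block; word numbers follow ATA and the post's IDEINFO struct.
 * Returns 1 if the block looks populated (the post uses wNumCyls != 0 as that test). */
int parse_identify(const uint8_t *id, ide_info_t *info)
{
    memset(info, 0, sizeof *info);
    info->cylinders         = id_word(id, 1);   /* wNumCyls */
    info->heads             = id_word(id, 3);   /* wNumHeads */
    info->sectors_per_track = id_word(id, 6);   /* wSectorsPerTrack */
    info->buffer_sectors    = id_word(id, 21);  /* wBufferSize, in 512-byte units */
    ata_string(id, 10, 10, info->serial);       /* words 10-19 */
    ata_string(id, 23, 4,  info->firmware);     /* words 23-26 */
    ata_string(id, 27, 20, info->model);        /* words 27-46 */
    return info->cylinders != 0;
}

/* Helpers used only to construct the sample block (inverse of the parsing above). */
static void put_word(uint8_t *id, unsigned w, uint16_t v)
{
    id[2 * w] = (uint8_t)v;
    id[2 * w + 1] = (uint8_t)(v >> 8);
}

static void put_ata_string(uint8_t *id, unsigned first_word, unsigned nwords, const char *s)
{
    size_t len = strlen(s);
    unsigned i;
    for (i = 0; i < 2 * nwords; i++) {
        char c = i < len ? s[i] : ' ';                                /* ATA pads with spaces */
        id[2 * (first_word + i / 2) + (i % 2 ? 0 : 1)] = (uint8_t)c;  /* even index -> high byte */
    }
}

/* Constructed sample: values chosen to look like an early-2000s IDE drive, not read from hardware. */
void build_sample_identify(uint8_t *id)
{
    memset(id, 0, ID_BYTES);
    put_word(id, 1, 16383);
    put_word(id, 3, 16);
    put_word(id, 6, 63);
    put_word(id, 21, 4096);
    put_ata_string(id, 10, 10, "WD-WMAM9K123456");
    put_ata_string(id, 23, 4,  "05.01D05");
    put_ata_string(id, 27, 20, "WDC WD800JB-00ETA0");
}

/* Parse the sample and return one field as text; numeric fields come back in decimal. */
const char *sample_field(const char *name)
{
    static uint8_t id[ID_BYTES];
    static ide_info_t info;
    static char num[16];
    build_sample_identify(id);
    parse_identify(id, &info);
    if (!strcmp(name, "serial"))   return info.serial;
    if (!strcmp(name, "firmware")) return info.firmware;
    if (!strcmp(name, "model"))    return info.model;
    if (!strcmp(name, "cylinders")) { snprintf(num, sizeof num, "%u", info.cylinders); return num; }
    if (!strcmp(name, "buffer"))    { snprintf(num, sizeof num, "%u", info.buffer_sectors); return num; }
    return "";
}

int main(void)
{
    uint8_t id[ID_BYTES];
    ide_info_t info;
    build_sample_identify(id);
    if (!parse_identify(id, &info))
        return 1;
    printf("Cylinders : %u\nHeads : %u\nSectors per track : %u\nBuffer size : %u sectors\n",
           info.cylinders, info.heads, info.sectors_per_track, info.buffer_sectors);
    printf("Model : %s\nSerial : %s\nFirmware : %s\n", info.model, info.serial, info.firmware);
    return 0;
}
```

The post's second swap loop runs over 24 words starting at sFirmwareRev because the firmware (4 words) and model (20 words) fields are adjacent in the block; parse_identify above treats them separately, which also makes the space trimming per field.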

#3 | Posted 2003-11-19 00:12:00
Win32 assembly is really great; I've put all my spare time into it.

#4 | Posted 2003-11-26 19:36:00
It would be great to have a machine to try this on. When learning assembly I never thought about going to ring 0, and never felt it was necessary.
Now that I have free time I really want to try it. I've had this article saved at home for almost a year; it would be a shame not to use it. Leaving it idle this long, I've almost forgotten what little I remembered. If someone would give me a computer, I'd shout right away: who else is as rich as you?
fyer (user deleted)
#5 | Posted 2003-12-3 03:31:00
A piece of code from long ago.

#6 | Original poster, posted 2003-12-3 15:33:00
Long ago?
No way, this was written by a moderator of the 轻描淡写 programming forum.
fyer (user deleted)
#7 | Posted 2003-12-24 19:21:00
I've seen it before.
