[转帖]2000/xp下读硬盘序列号[汇编]

游侠无极限

我可没这个水平 ; n& T0 V4 V6 L. w1 g.686p M! F$ M7 ?0 g/ L.model flat, stdcall 8 B4 C6 [* }. H9 g3 ^option casemap :none ; case sensitive ; ######################################################################### include \masm32\include\windows.inc include \masm32\include\user32.inc include \masm32\include\kernel32.inc 0 x5 Q& H7 u2 Q3 hinclude \masm32\include\advapi32.inc 5 c3 x+ f) Q1 ]+ A4 C A' n/ B" w* {; q) {includelib \masm32\lib\user32.lib / t d* d* ~8 _7 a: S: S3 Vincludelib \masm32\lib\kernel32.lib + h8 d' b# A$ v) M9 _# Bincludelib \masm32\lib\advapi32.lib 8 }9 c: @) h i4 g4 `DEBUG = TRUE 5 J4 A) V. W# x2 _ 5 s- l& \& ~2 {/ f8 f/ d* X" L0 R1 sHMODULE typedef dword - {6 N5 j1 J. k- i0 S0 z' i2 j5 FNTSTATUS typedef dword * k9 i8 z4 @1 y$ bPACL typedef dword PSECURITY_DESCRIPTOR typedef dword " H$ F% N, C5 a4 z, u: m: O/ {OBJ_INHERIT=2 ) s; X7 Z8 H( X( iOBJ_PERMANENT=10h OBJ_EXCLUSIVE=20h . T9 U1 J6 d |7 s: M7 Z. o' m5 HOBJ_CASE_INSENSITIVE=40h 1 c; ~ l8 s" dOBJ_OPENIF=80h ' D! X; [( @' n- O4 KOBJ_OPENLINK =100h 8 m& l& i# l8 m) R/ ^3 R( i7 aOBJ_KERNEL_HANDLE=200 OBJ_VALID_ATTRIBUTES=3F2h + E4 t) f( |# w: ~* c3 c) b( QSE_KERNEL_OBJECT = 6 / H4 G: ]: C4 }8 n: ?; z4 vGRANT_ACCESS =1 2 c% B* P" e9 ^2 ]+ KNO_INHERITANCE =0 TRUSTEE_IS_NAME=1 TRUSTEE_IS_USER=1 : Y6 h( I& l7 B% dSTATUS_SUCCESS =0 " K, V: f, j3 r. H1 v% vSTATUS_ACCESS_DENIED =0C0000022h - T9 }0 i1 y0 `# Y/ x+ h) m , N! l$ ~. Z. dSTATUS_ACCESS_VIOLATION equ 0C0000005h ! D. H3 q: O& d8 T" M3 ASTATUS_INFO_LENGTH_MISMATCH equ 0C0000004h ' x& @7 \8 t, D4 q6 c; d- XSystemModuleInformation equ 11 PVOID TYPEDEF DWORD UNLONG TYPEDEF DWORD CHAR TYPEDEF BYTE 6 q- Z$ r. g6 Q" D, o UNICODE_STRING struct ( u" z4 E4 e" Q' o nLength word ? 8 W% q& U! ]1 A2 N$ x MaximumLength word ? Buffer dword ? , T! ^" q- h g- v9 FUNICODE_STRING ends $ I1 y- E' Q# O! W% K OBJECT_ATTRIBUTES struct 9 c4 n0 v0 x' ^ nLength dword ? RootDirectory HANDLE ? ObjectName dword ?UNICODE_STRING Attributes dword ?; SecurityDescriptor dword ?; PVOID // Points to type SECURITY_DESCRIPTOR 6 R) R4 ?$ ?; k SecurityQualityOfService dword ?VOID // Points to type SECURITY_QUALITY_OF_SERVICE * s/ M' S6 n/ N2 Q( W3 }$ OOBJECT_ATTRIBUTES ends . t0 |5 b( U" D' J5 V' | TRUSTEE struct 4 V( y8 p' v. _8 U y! ^( T pMultipleTrustee dword ?TRUSTEE MultipleTrusteeOperation dword ?; MULTIPLE_TRUSTEE_OPERATION 4 k1 `1 P+ i" v0 Q& V I1 M i TrusteeForm dword ?;TRUSTEE_FORM " Z! ^+ v& ]( h9 Q5 F0 _) ? TrusteeType dword ?;TRUSTEE_TYPE ptstrName dword ?;LPTSTR ) [, {/ e/ h! u! Y0 F9 GTRUSTEE ends EXPLICIT_ACCESS struct grfAccessPermissions DWORD ? ! Y+ a4 I M; q _, Q9 b grfAccessMode dword ? ;ACCESS_MODE grfInheritance DWORD ? ; , A6 K( z( d, D2 r: o' D* \& Y& E Trustee TRUSTEE <> ; EXPLICIT_ACCESS ends ( x" E) @; }4 h& X4 o6 n 0 ~$ c& R3 _# _" vMyGATE struct ;门结构类型定义 - n e. |% m! v# d, D' p OFFSETL WORD ? ;32位偏移的低16位 / S7 J1 P$ n; q ?% g7 r% v SELECTOR WORd ? ;选择子 DCOUNT BYTE ? ;双字计数字段 * U# P- Y7 {9 O& E- T! `( Y2 d GTYPE BYTE ? ;类型 OFFSETH WORD ? ;32位偏移的高16位 ) _+ D2 n# j$ ]7 O5 |+ q4 CMyGATE ends 3 Q$ q8 c4 }. ]# J8 J IDEINFO struct wGenConfig dw ? wNumCyls dw ?;拄面数 wReserved dw ? wNumHeads dw ?;磁头数 wBytesPerTrack dw ?;每道字节数 5 Q. Q9 Q- L' @7 R' T$ d: ~wBytesPerSector dw ?;每扇区字节数 wSectorsPerTrack dw ?;每道山区数 9 ? y* H* q- Y' _) V* i, ZwVendorUnique dw 3 dup (?) sSerialNumber db 20 dup (?);硬盘序列号 4 x; H' i. T' s' R( z+ ~wBufferType dw ?; " V1 \, N# C- r+ S* iwBufferSize dw ?; ;n * 512 wECCSize dw ? sFirmwareRev db 8 dup (?); 1 X; \9 @+ C2 u, T* d( C* jsModelNumber db 40 dup (?) 2 K! f, M; {, q5 \ A% T: L% r( ^wMoreVendorUnique dw ? 9 K/ O! N0 m; HwDoubleWordIO dw ? : F/ |8 v# d8 AwCapabilities dw ? ' J" h U1 N, _* o9 wwReserved1 dw ? wPIOTiming dw ?; 8 n2 d4 u1 N5 v& Q* l1 e$ swDMATiming dw ?; / g6 Y8 p6 l9 [ [" n- A+ ^- H. ?wBS dw ? # c, X+ J; o) d0 I0 x4 Z" _wNumCurrentCyls dw ?; " o& _, f/ R2 twNumCurrentHeads dw ?; wNumCurrentSectorsPerTrack dw ?; dwCurrentSectorCapacity dd ?; wMultSectorStuff dw ?; & }% M e& l+ |- K# b1 g& M! udwTotalAddressableSectors dd ?; wSingleWordDMA dw ?; 9 M6 C3 y6 a6 C) c* E% pwMultiWordDMA dw ?; bReserved db 128 dup (?) IDEINFO ends 1 P X5 T0 f: r3 ^/ d/ f3 tSetPhyscialMemorySectionCanBeWrited proto :dword % J* p4 |, u- v) f7 HMiniMmGetPhysicalAddress proto :dword ENTERRING0 macro pushad pushfd ! n3 ~7 n& K4 Z2 c' @: [cli mov eax,cr0 ;get rid off readonly protect 2 h8 S& X V; f' Dand eax,0fffeffffh 6 {2 r: W0 N* b8 u, mmov cr0,eax 8 |2 O1 t# m+ y7 c- Hendm LEAVERING0 macro ) h3 u" e7 w0 y, h# M) amov eax,cr0 ;restore readonly protect / t- O: n- \* ?9 k- E2 I0 {or eax,10000h ; \2 o- H; t! I# e6 P+ i8 ~" Omov cr0,eax 8 S7 E& n6 b/ [ z8 ssti popfd % \3 `, K0 Q p3 \, [popad retf endm / Y, j& a! a/ @; A, c UNICODE_STR macro str 6 A4 G/ S$ H: _irpc _c,<str> db '&_c' db 0 endm endm .data? GdtLimit dw ? 0 _& t) L8 k8 b2 ], e; T) R" V2 ?GdtAddr dd ? , K6 s( P# z( ]4 `7 e* emapAddr dd ? % l% y, ~ @1 f/ o' TOldEsp dd ? , a- `/ ~% l! C, W! n, w- H8 a% _5 creaded dw ? : B% Z5 K0 g7 a, \- Abuffer db 512 dup(?) 2 d8 ?3 s: V8 t b' `8 XShowText db 512*3 dup (?) 9 \, H9 S3 I7 y* m- CszBuffer db 1024 dup (?) szModelNumber db 41 dup (?) szSerialNumber db 21 dup (?) szFirmwareRev db 9 dup (?) 7 z+ J: w. F7 p8 Z& s 8 I) M; f1 v" c9 B2 k, q6 G: pstIDEINFO IDEINFO .data align 4 # _7 z F5 C h ?$ D* uobjname dw objnamestr_size,objnamestr_size+2 objnameptr dd 0 objnamestr equ this byte UNICODE_STR <\Device\PhysicalMemory> 7 U% u+ z( P2 @" b& fobjnamestr_size equ $-objnamestr : s# O/ X# u" Q0 b, l& x6 F6 I$ \szTitle db 'IDE 硬盘信息',0 9 L7 I/ l1 C6 W; JszErrInfo db '无法读取硬盘信息',0 8 g# d/ c$ Y; A8 u# k" |szIDEInfo db '柱面数 : %d',0dh,0ah db '磁头数 : %d',0dh,0ah db '每道扇区数 : %d',0dh,0ah " _; g/ z: A# b db '缓冲大小 : %d 扇区',0dh,0ah & q* c- F) d' C db '硬盘型号 : %40s',0dh,0ah db '序列号 : %20s',0dh,0ah / |8 s. M' ?! w. [- _3 z1 X: P db '版本号 : %8s',0 7 Y. a9 [6 P# t/ f0 g - q# J* r0 _, A* W% r0 g" balign 4 ObjAttr db 24 dup (0) ! ~3 S- @9 d# @7 D7 ^ Callgt dq 0 ;call gate's selff ( m( ^/ h/ W; i7 b5 `. c4 UCaption db 'Windows XP绝对磁盘读写',0 Digit db '0123456789ABCDEF',0 . S; s3 F1 W2 E$ s4 _.code * u8 G+ h' q1 e" s' x0 x4 E8 G_ShowBuffer proc ;显示所读出的信息 ;把数据转换成16进制的形式 % f: t6 O( F: I& K mov [readed],512 mov esi,offset buffer ;数据 4 E3 T0 A# F+ J( t2 ]5 Z* L mov edi,offset ShowText ;转换后的数据 mov ebx,offset Digit xor ecx,ecx : H" X/ ~& q! d% N; v% t O, p$ u# f+ o xor eax,eax computeAgain: 2 s3 a7 E$ `0 e7 F cmp [readed],0 jz endCompute dec [readed] lodsb push eax shr eax,4 ;高4位 8 w- t7 a6 w9 o- U3 | xlatb stosb 9 w, Q1 X; a& d% r5 t9 X- Z& n pop eax 2 Z8 _; e5 m, J and eax,0fH ;低4位 xlatb - ~4 k# {. e5 @0 Z7 P% d stosb mov byte ptr[edi],' ' ;空格 inc edi inc ecx 5 A5 e; g; B8 w cmp ecx,16 , [2 G, ~' \0 f& Q9 S7 q jnz computeAgain 6 a3 L8 h5 f5 K/ u! ~; \; u/ t xor ecx,ecx mov byte ptr[edi-1],13 ;回车 # ~1 @' W9 i4 M& X6 q jmp computeAgain endCompute: 6 y- a; R. k% m ;显示 invoke MessageBoxA,NULL,offset ShowText,offset Caption,MB_OK 5 a( [7 K8 a1 Z6 F ret _ShowBuffer endp 5 Y- z( F$ S! k% {8 h: L' l+ q) ?SetPhyscialMemorySectionCanBeWrited proc uses ebx esi edi hSection:HANDLE local pDacl: PACL local pNewDaclACL local pSD SECURITY_DESCRIPTOR 4 P h/ e# f3 |" {2 X! E& Nlocal dwRes:DWORD ; 6 O Y# V8 w y* G7 i, ]local ea:EXPLICIT_ACCESS ; invoke GetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL, addr pDacl,NULL, addr pSD / v, {4 Q: B; U% n# pcmp eax,ERROR_SUCCESS jz @f $ |/ ?/ g! }" I2 M( _jmp OutSet @@: mov dwRes,eax mov ea.grfAccessPermissions ,SECTION_MAP_WRITE;2 * I0 j* l& k" [+ R2 Dmov ea.grfAccessMode ,GRANT_ACCESS;1 mov ea.grfInheritance,NO_INHERITANCE;0 mov ea.Trustee.pMultipleTrustee,0 1 P0 e* d1 [5 o/ h" omov ea.Trustee.MultipleTrusteeOperation,0 6 y3 N; e7 D: A" i# V3 hmov ea.Trustee.TrusteeForm,TRUSTEE_IS_NAME;1 " j1 Q$ I) o( N2 Rmov ea.Trustee.TrusteeType,TRUSTEE_IS_USER;1 ' v5 K8 S9 `7 |# K# \2 Gcall @f db "CURRENT_USER",0 @@: 1 B$ t; G/ B$ o/ V9 mpop edx ) P; u+ {7 k/ E/ Amov ea.Trustee.ptstrName,edx invoke SetEntriesInAcl,1,addr ea,pDacl,addr pNewDacl & U, u- u. y( e! O7 u; |% p1 }$ G/ acmp eax,ERROR_SUCCESS 8 E# x3 f8 C# Q' [jz @f * I2 d/ c% I u0 U, ?- Djmp OutSet ) N$ B; d4 m& J9 U5 R% t' W& a+ S4 I@@: 6 ~' j: K8 Q; \: w% J" Q' R: H5 ^invoke SetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL,pNewDacl,NULL 3 b) k3 y5 ]3 i } v9 lOutSet: cmp pSD,0 ~+ ^1 ^, v& D, o6 @$ g' Z5 tjz @f invoke LocalFree,pSD @@: , k( v# o# a! D% O0 Y% dcmp pNewDacl,0 jz @f / ]% H& M _9 h: K. @! O$ S7 W- Finvoke LocalFree,pNewDacl 3 F( X) c- T) U$ r L( u7 T@@: $ F% M& X& ~8 }% u# Z8 Qret 5 y% k# p4 ^' @; t# eSetPhyscialMemorySectionCanBeWrited endp % [( V# c4 v6 { m5 O; D( t8 j MiniMmGetPhysicalAddress proc virtualaddress:dword & C3 L" \, z1 q0 Z" @ mov eax,virtualaddress - n5 y3 R0 A8 v" G4 d {/ v cmp eax,80000000h - O* a9 {0 I6 ^, r jb @f " l. ]& x$ o' v5 { w0 P cmp eax,0a0000000h 0 `( N, U+ G7 Q- w. }7 x( @ jae @f 6 Q2 D1 t E* m6 L) U* | and eax,1FFFF000h ret " S, v5 ^" ^ Z# H/ e @@: . \7 f \) i; c& x' {8 y3 h mov eax,0 ret MiniMmGetPhysicalAddress endp $ P( k' ^- B" o; K: w5 x 5 b- T) n, a, g6 F, y& jExecRing0Proc proc local tmpSel:dword local setcg:dword 0 L5 Z1 u7 s; q5 glocal BaseAddress:dword . m7 }$ N6 _/ s* P8 w4 R! L! x2 Dlocal NtdllMod :dword local hSection:HANDLE - Z2 F5 b+ c! T0 D+ llocal status:NTSTATUS local objectAttributes:OBJECT_ATTRIBUTES % n) s* H* Q- h- Z, m/ glocal objName:UNICODE_STRING mov status,STATUS_SUCCESS; ( F; G1 Z) ]- H" X& fsgdt GdtLimit invoke MiniMmGetPhysicalAddress,GdtAddr _0 W, z1 t+ {8 hmov mapAddr,eax test eax,eax 4 w+ R) |$ L& V1 m; q3 d4 njz Exit1 & l* i+ j- M/ Ecall @f db "Ntdll.dll",0 0 K0 g- S% C3 I@@: call LoadLibraryA mov NtdllMod,eax ; y+ Q) ~" `0 z/ Z. {& ?# n lea edx,objnamestr mov objnameptr,edx 0 M# @, O6 K2 M G7 p& Flea edi,ObjAttr and di,0fffch ;align to 4 bytes,or ZwOpenSection will fail push edi ;edi->ObjAttr push 24 ;length of <\Device\PhysicalMemory> pop ecx push ecx xor eax,eax rep stosb ;put ObjAttr with 0 pop ecx pop edi " b# \3 b0 [, v9 b! V) D, M& [mov esi,edi * b& o; U7 L4 ?, g; X0 _stosd mov dword ptr[esi],ecx stosd lea eax,[edx-8] ;eax->objname * q, U: @6 Y3 `9 k. @* [! ustosd ;ObjAddr(18h,00,00,00,00,00,00,00,offset objname,40,02,00,00,dd 2 dup(0) + y0 K. F) c4 v# v' R. R2 gmov dword ptr [edi],240h 1 s# x3 c9 R: C: Y/ T G. l ( J n( r; u. J! [0 I k* @call @f db "ZwOpenSection",0 @@: push NtdllMod - g% Z5 r2 e, l7 Q Rcall GetProcAddress mov ebx,eax ;ebx=ZwOpenSection push esi ;esi->ObjAttr # Q% b1 @7 |9 _+ p+ H6 }1 zpush SECTION_MAP_READ or SECTION_MAP_WRITE 9 A+ a. P' V. q# J Wlea edi,hSection push edi ;edi->hSection e, n- H1 _# _; K, scall eax ;ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr) mov status,eax ) |+ z+ o0 F# @7 y4 Kcmp status,STATUS_ACCESS_DENIED jnz AccessPermit 7 ?) A7 E9 S$ X9 T& omov eax,ebx , C( v- S/ P2 dpush esi push READ_CONTROL or WRITE_DAC push edi 2 n M$ E& `2 }* xcall eax mov status,eax : R1 b% i" b" V8 {invoke SetPhyscialMemorySectionCanBeWrited,hSection ! S$ t" t5 E" x" b) d # P# [; T4 g& b+ F- T7 \call @f db "ZwClose",0 - B: f1 o- ~6 a& t@@: - [+ j# `+ P6 Fpush NtdllMod call GetProcAddress 1 s8 C+ n" `3 h/ O7 E* g push hSection / C' L( M; V' F6 V3 pcall eax ;zwClose hSection " }8 k: p+ U5 I' ^& H mov eax,ebx 1 v6 e" h- O" U/ n push esi push SECTION_MAP_READ or SECTION_MAP_WRITE # G# M7 ?7 \, Q' K. I; a" Ylea edi,hSection , W% k/ S0 y. G( t$ B* M% |push edi & O/ y( b H9 d3 q5 qcall eax , @8 B/ B+ t8 F: L% X5 cmov status ,eax ;status =ZwOpenSection(&hSection,SECTION_MAP_WRITE|SECTION_MAP_WRITE,&objectAttributes); AccessPermit: cmp status ,STATUS_SUCCESS jz @f ;printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status); ;return 0; mov eax,0 0 f: v+ O J0 @ret @@: movzx eax,word ptr[GdtLimit] inc eax # \' v) Y& I( `invoke MapViewOfFile,hSection, FILE_MAP_READ or FILE_MAP_WRITE, 0, mapAddr, eax mov BaseAddress,eax cmp BaseAddress,0 # \- u$ F+ Y, W' e: cjnz @f ;printf("Error MapViewOffile:"); 2 |; J! n' N& O; V% brintWin32Error(GetLastError()); return 0; 4 X: x9 E5 `- `; N, n- h6 H! Gmov eax,0 ( W+ U1 r+ S7 k% R$ R# S7 f* }0 Gret @@: 3 s' ^: F$ p' |' I7 ~$ mmov esi,eax ;esi->gdt base mov ecx,3e0h mov eax,GdtAddr .if dword ptr [esi+ecx+2]!=0ec0003e8h 4 I1 V) f5 j/ q4 _/ F2 [3 m zmov byte ptr [esi],0c3h mov word ptr [esi+ecx],ax shr eax,16 6 F5 y6 q; ~; A3 U# j* }7 Hmov word ptr [esi+ecx+6],ax mov dword ptr [esi+ecx+2],0ec0003e8h mov dword ptr [esi+ecx+8],0000ffffh mov dword ptr [esi+ecx+12],00cf9a00h 6 {5 l: ?) k0 p7 _ r$ V" a/ v.endif $ i ] D) \% w+ }mov setcg,TRUE / \" R8 [8 A k5 h0 n6 a# Ucmp setcg,0 $ ^, ~, U9 Q0 a% k3 ?! t; Rjnz ChangeOK call @f db "ZwClose",0 @@: 3 X; t& [, \6 ^4 R0 spush NtdllMod 8 c0 |! \% P9 L0 E# x% B3 I3 i% a: Fcall GetProcAddress 1 t, M: Z3 O% d- ]5 o5 u/ }( Apush hSection call eax 8 O0 L; v! ^, G& _. Yxor eax,eax ' `- e% Z* |* w3 q2 Sret ' J9 T7 b6 Q1 HChangeOK: and dword ptr Callgt,0 / R" Z: D0 G3 m7 exor eax,eax mov ax,3e0h or al,3h mov word ptr [Callgt+4],ax ;farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate; lea eax,_Ring0Proc ;invoke VirtualLock,eax,seglen test eax,eax jnz @f xor eax,eax + j8 e$ S+ ~4 T1 ^ret 7 E# k" b' Y2 i@@: invoke GetCurrentThread invoke SetThreadPriority,eax,THREAD_PRIORITY_TIME_CRITICAL ; V; h0 Z" C4 l( R$ ~4 B& { invoke Sleep,0 8 P3 B' k8 A! v1 q9 ^call fword ptr [Callgt] ;use callgate to Ring0! ( D- Z; r7 t4 k8 v" e6 `3 k2 M3 t;_asm call fword ptr [farcall] ' ~. n$ h! o, o_Ring0Proc: ; Ring0 code here.. + E2 ]" m$ l6 mmov eax,esp ;save ring0 esp 6 y$ c* }# D, v' Amov esp,[esp+4];->ring3 esp " o& J" K- p/ b2 ^, p! jpush eax , g0 d) h) m3 N$ z8 D& p/ W- X mov ebx,offset stIDEINFO assume ebx:ptr IDEINFO ;******************************************************************** ! ^8 C% L. p: l9 F; 等待硬盘就绪 ;******************************************************************** + i8 ?$ r, ~8 U5 v. N mov ecx,10000h mov dx,01f7h @@: in al,dx ' {! f6 x9 u; T4 L cmp al,50h 7 B, U' J/ G! q, ?( c/ G jz @F & `, t2 u/ o( d Q! G; `3 b, M loop @B jmp _II_TimeOut 7 v. O( @0 T1 O: [: ~( l% F/ B @@: ;******************************************************************** 4 y1 {! Y) ]5 e$ Z. P; 发送命令 ; 如果向主控制发送命令，则端口为 1f0h-1f7h - |$ u7 Y) C* @; o# V$ o5 n: n2 t5 H# }3 p; 如果向副控制发送命令，则端口为 170h-177h $ D# S: A6 F, H/ W; 1f6h 如果要检测的设备为该IDE接口的主（MASTER）设备， - B0 Z' v. b4 ` o# s; 那么发送 a0，如果为从那么发送 b0 8 u' V( J4 R3 t- K) o; 1f7h 如果要检测的设备为 ATA 设备那么发送 ec ; 如果为 ATAPI 设备那么发送 a1 - I' f8 l2 e2 E9 {: ^4 h y- D;******************************************************************** : |- l9 E" M% x" {+ P mov al,0a0h ;Drive 0,Head 0 * X6 _% f# D" _$ e$ } mov dx,01f6h ;Drive and head port out dx,al ( Q, _# F) h$ a; p! ~2 @4 F" A+ g; m mov al,0ech . r: o& d5 G+ J7 `! t inc dx ;Command port out dx,al 0 A; c8 ^% w# ~7 k0 K* a;******************************************************************** 4 b: S: o5 G1 t9 }' \& k7 p& q* X; 等待硬盘就绪 4 F; h7 n4 ^4 F; N# N2 p& n% n! H;******************************************************************** 2 _! a- E1 |3 y- N mov ecx,10000h @@: in al,dx;1f7 (r-status register) cmp al,58h;(driver is ready ,and seek complete) ; h9 v8 t; |: |+ N( S' Q jz @F loop @B jmp _II_TimeOut : h6 m$ U; U. m* V2 g1 i2 U% Y9 I @@: ;******************************************************************** & q3 k' B6 j- m9 q; 将返回信息读回 # m9 U- l$ c f0 ?* }/ M( v: e; 注意一定要读满 100h 个字长 * z, T* m* C, m: E$ q k/ v;******************************************************************** cld 8 k1 u/ C" `5 I; M( P mov edx,01f0h;data port - data comes in and out here mov edi,ebx ) R8 r) r+ J9 s3 c* V7 n* r6 J mov ecx,0100h : K J. s% i3 }1 O8 h8 `% G rep insw ;******************************************************************** ; 返回的信息中，型号、序列号、版本号为字形式 ; 需要整理到字符串的形式 9 _; J1 M& h6 n;******************************************************************** . d' k2 X) H( L V' ~ lea esi,[ebx].sSerialNumber , T8 z- H7 k* s+ ~ C! B: A3 E mov edi,esi # f3 A: g9 Y) r# ~& j/ y v mov ecx,10 @@: lodsw ) A+ |9 Q; q. S& D xchg ah,al 8 Y1 n+ D3 w2 }+ } stosw ' b& z3 G/ p: n P1 e4 ~6 N1 G: ] O loop @B ; ?% D% B- c) R7 y* [9 } lea esi,[ebx].sFirmwareRev . @1 N8 ?6 W+ _) o/ Z: V mov edi,esi mov ecx,24 9 M% n8 r+ l3 o @@: lodsw xchg ah,al , }! [5 T) C1 J( i7 N9 i W stosw - Y5 [6 A6 I/ B" K' V% M loop @B 4 A/ J7 i- q4 Z, N& T_II_TimeOut: / T" U0 o" X1 f2 \$ n1 n2 j s7 Bassume ebx:nothing $ b6 X4 D) W8 N0 h8 Dpop esp ;restore ring0 esp push offset Ring3 retf ) S- F! Q) r# G7 q* U0 A& H8 ERing0CodeLen=$-_Ring0Proc , |* P* l, s4 z- Z2 |" S1 ]Ring3: 4 \0 a1 k* z' s! `) ainvoke GetCurrentThread invoke SetThreadPriority,eax,THREAD_PRIORITY_NORMAL : A! C2 S* t! [; \' g 4 ]" H# B! M; n, i, [;invoke VirtualUnlock,Entry,seglen ' W2 I$ U4 E) Y/ l3 R9 A& \6 U* s call @f db "ZwClose",0 @@: . {* R( {& N! V; wpush NtdllMod . B6 J6 `2 j3 x& z3 ucall GetProcAddress 2 ?1 U) N: K2 f* O9 Bpush hSection 5 r, R: U! w4 K* A5 ?4 ccall eax mov eax,TRUE ret ExecRing0Proc endp 1 ]0 p4 f3 g. |" Vmain: 5 `' Y2 h3 Y# {0 ]assume fs:nothing 7 L& m" Z8 M* ]- \0 ]3 Opush offset MySEH push fs:[0] mov fs:[0],esp mov OldEsp,esp mov ax,ds ;if Win9x? , @9 u! d& @) k) E/ q. j, ctest ax,4 ' G! l9 L2 M' e( u# S3 ]% rjnz Exit1 invoke ExecRing0Proc . f8 J' ]% z* k& h8 J : R9 J1 [0 _. P3 ]* I6 P.if stIDEINFO.wNumCyls - r4 e0 B9 \* M, u lea esi,stIDEINFO.sModelNumber mov edi,offset szModelNumber mov ecx,sizeof stIDEINFO.sModelNumber 3 C% Y/ ?6 ?: d, _. o rep movsb ; I# `+ ~' F& @8 @7 H: Q0 t9 p4 R lea esi,stIDEINFO.sSerialNumber 7 F8 `8 R+ d3 R4 v; N+ X1 W7 g mov edi,offset szSerialNumber 5 G! q/ J, h, @* r& k mov ecx,sizeof stIDEINFO.sSerialNumber rep movsb lea esi,stIDEINFO.sFirmwareRev 9 m8 E) B+ _8 V mov edi,offset szFirmwareRev mov ecx,sizeof stIDEINFO.sFirmwareRev rep movsb ) ~6 \- [; d$ B9 F2 Q" d movzx eax,stIDEINFO.wNumCyls movzx ebx,stIDEINFO.wNumHeads 2 J3 i* q% j8 Q. F4 U2 i! I8 Q$ a* E movzx ecx,stIDEINFO.wSectorsPerTrack " p- h% F7 Z5 J4 d( X2 h' h movzx edx,stIDEINFO.wBufferSize invoke wsprintf,addr szBuffer,addr szIDEInfo, eax,ebx,ecx,edx, addr szModelNumber, addr szSerialNumber, addr szFirmwareRev mov eax,offset szBuffer .else 0 m" `4 S7 |9 o- I) g- D+ l: G mov eax,offset szErrInfo .endif 7 k+ c/ v9 r1 m! |@@: invoke MessageBox,NULL,eax,addr szTitle,MB_ICONINFORMATION or MB_OK 8 g p# k2 k. u& c4 f* HExit1: / f6 X/ ~+ p# F) m0 wpop fs:[0] add esp,4 invoke ExitProcess,0 ! W: h7 M4 v# ^; p% ~ |MySEH : 1 M7 i1 @) q4 G1 _, r7 Gmov esp,OldEsp pop fs:[0] add esp,4 invoke ExitProcess,-1 3 X7 g! F4 H# B! f, E7 Yend main

[此贴子已经被作者于2003-11-2 18:14:02编辑过]

呵呵，ExecRing0Proc 这段程序甚妙，先得到gdt，然后构造一个调用门call gate's ,使程序从用户模式(ring 3)进入内核模式(ring 0)。进入内核模式之后，就可以没有限制地对系统干任何勾当。这段程序确实为高手所为，在下佩服得紧。
0 n# o5 E. Y1 W1 G* v至于读硬盘序列号之类，只不过是在内核模式下的一个I/O应用罢了。
其实在NT/2000下读取硬盘序列号只要打开\\.\PhysicalDriveX(X:设备号0~26）设备，然后用DeviceIoControl()就可以读取了，不需要绕ring0这么一个大圈子

这个程序也可以C语言实现，不过中间必须嵌入几条汇编的指令，如sgdt GdtLimit
但还是用c来写更方便，例如：
; n4 p. b) ~1 d6 T  s; acall @f
; @4 m5 _/ Z7 w) v4 W3 ?* Jdb "ZwOpenSection",0
@@:
) n  f, v: v! I( [3 T. _/ O: jpush NtdllMod
call GetProcAddress
2 {8 q' c6 O0 l) ?( J$ k. qmov ebx,eax ;ebx=ZwOpenSection
! w5 J0 Y" L- h! u  K8 Y# j+ H$ Y0 ]( z9 }push esi ;esi->ObjAttr
* V; j/ e9 l: {# Fpush SECTION_MAP_READ or SECTION_MAP_WRITE
* n  o' k. R1 Nlea edi,hSection
$ i  l) L2 F  O% v5 b: H; e1 x# Epush edi ;edi->hSection
0 ?1 H6 t, b" L* I) D5 {call eax ;

用c的话只要一句就可以了
3 Q( G+ w4 T8 @! Z: eZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr)；
9 l  r- Y0 Z5 x; g3 P因此懂汇编，然后用C/C++编程，是成为高手的捷径

$ u  k3 d! L: h6 S, c. ]! A& S

[此贴子已经被作者于2003-11-3 16:46:50编辑过]

firelinux

win32位汇编，真的很不错，业余的时间，全都投进去了

唐明

要能有台机器试一下多好，学汇编还从没想过去ring0，也感觉没哪个必要。
  e/ m& U. \& f; s1 K现在闲着真相试试。这片文章我在家保存了有快一年了。不用感觉可惜了。一直停着不用，我都快忘了那些曾经那些依稀的记忆了。水能给我一台电脑，我力马高喊：有你这么富的吗？

很久以前的一段代码

游侠无极限

很久以前?
2 u7 y- \$ X0 f/ K1 [7 r; }不是吧,这个是 轻描淡写 编程论坛的斑竹写的

看到过的。