[转帖]2000/xp下读硬盘序列号[汇编]

游侠无极限

我可没这个水平 .686p .model flat, stdcall option casemap :none ; case sensitive ! } E/ N. f% r. L; ######################################################################### 5 _9 ~5 }0 W( C/ yinclude \masm32\include\windows.inc 4 f% T. A0 c3 U: t$ ?% binclude \masm32\include\user32.inc # P( Y" N7 [( J; M4 i, pinclude \masm32\include\kernel32.inc include \masm32\include\advapi32.inc includelib \masm32\lib\user32.lib includelib \masm32\lib\kernel32.lib includelib \masm32\lib\advapi32.lib 3 T a! {8 I: o" K1 PDEBUG = TRUE HMODULE typedef dword 6 a+ \( t. f. s9 a' H8 W+ cNTSTATUS typedef dword ) d$ H6 }( ?8 E5 I; ]% j: _4 dPACL typedef dword . B4 V1 s! @+ }1 ?: hPSECURITY_DESCRIPTOR typedef dword ! E6 @8 \4 J9 e. r7 iOBJ_INHERIT=2 1 U& ^5 I# ^, o4 }& o7 g% FOBJ_PERMANENT=10h OBJ_EXCLUSIVE=20h OBJ_CASE_INSENSITIVE=40h 4 h: r& a9 \+ J2 N6 Z0 XOBJ_OPENIF=80h & r( u$ K/ R3 Q8 ~0 TOBJ_OPENLINK =100h # D0 S9 m8 h$ I P* W& P& b1 c bOBJ_KERNEL_HANDLE=200 & |" j4 O$ N$ U4 z! y# oOBJ_VALID_ATTRIBUTES=3F2h SE_KERNEL_OBJECT = 6 GRANT_ACCESS =1 NO_INHERITANCE =0 TRUSTEE_IS_NAME=1 # t1 N( S' A8 t% V8 ]$ S( @) KTRUSTEE_IS_USER=1 9 j4 J# r: O% K9 `) c$ ~& tSTATUS_SUCCESS =0 STATUS_ACCESS_DENIED =0C0000022h 7 N; L# N4 v- `3 Z STATUS_ACCESS_VIOLATION equ 0C0000005h STATUS_INFO_LENGTH_MISMATCH equ 0C0000004h / P9 J+ p5 P$ C, ^SystemModuleInformation equ 11 3 w2 t% C: T" J/ z' c. APVOID TYPEDEF DWORD ! Z. F" {! f5 }4 T6 @ ]UNLONG TYPEDEF DWORD CHAR TYPEDEF BYTE ! T( k. `& D, O: z. w ; t1 @5 m. s4 D. wUNICODE_STRING struct + |& g5 I! m/ `7 }3 q2 e5 Q nLength word ? MaximumLength word ? 5 a# L! y9 C1 Q Buffer dword ? 2 y9 L1 n, D! P- E3 \UNICODE_STRING ends OBJECT_ATTRIBUTES struct nLength dword ? 7 K. `' o0 e2 B. _$ j- Z RootDirectory HANDLE ? ObjectName dword ?UNICODE_STRING & H! ?4 [; m: b M Attributes dword ?; SecurityDescriptor dword ?; PVOID // Points to type SECURITY_DESCRIPTOR # R C% p$ M6 A: q( W) y SecurityQualityOfService dword ?VOID // Points to type SECURITY_QUALITY_OF_SERVICE + _; Z1 H- g7 g! b6 ]OBJECT_ATTRIBUTES ends TRUSTEE struct pMultipleTrustee dword ?TRUSTEE MultipleTrusteeOperation dword ?; MULTIPLE_TRUSTEE_OPERATION TrusteeForm dword ?;TRUSTEE_FORM 6 ~1 G$ L* y- t+ k# \2 f" } TrusteeType dword ?;TRUSTEE_TYPE $ [2 Y b' f3 f) P3 A ptstrName dword ?;LPTSTR ) r; b8 s9 W+ @$ ^( d2 LTRUSTEE ends 8 o* d! w- v% q- H - ^+ X4 _& W# h4 r# _6 I8 v6 Q* w EXPLICIT_ACCESS struct grfAccessPermissions DWORD ? - b e0 v% J0 |; P* }) A( g" X5 i grfAccessMode dword ? ;ACCESS_MODE grfInheritance DWORD ? ; Trustee TRUSTEE <> ; 9 E4 a1 H% p1 g1 u3 M$ m+ `EXPLICIT_ACCESS ends ! L. M9 z9 _6 y* D MyGATE struct ;门结构类型定义 OFFSETL WORD ? ;32位偏移的低16位 SELECTOR WORd ? ;选择子 % _. V* Q- f" ?: F, { DCOUNT BYTE ? ;双字计数字段 GTYPE BYTE ? ;类型 OFFSETH WORD ? ;32位偏移的高16位 3 j4 z- `- |& c6 UMyGATE ends # V" g7 H+ l" s" m- @+ l G IDEINFO struct , _/ o; w7 ^0 x2 f: m: GwGenConfig dw ? 4 D$ j0 a0 \1 ?6 BwNumCyls dw ?;拄面数 6 n- y9 | q0 pwReserved dw ? + j/ J9 \: W) k1 \wNumHeads dw ?;磁头数 , `; P o& b- u+ twBytesPerTrack dw ?;每道字节数 ; x* n' a. K' O3 h+ t" C, PwBytesPerSector dw ?;每扇区字节数 ; Y/ `, t% b: U+ X/ {wSectorsPerTrack dw ?;每道山区数 wVendorUnique dw 3 dup (?) sSerialNumber db 20 dup (?);硬盘序列号 + U4 ?$ o3 b, x, v/ q. l4 X1 _wBufferType dw ?; wBufferSize dw ?; ;n * 512 0 J6 ^" o) U) t& gwECCSize dw ? sFirmwareRev db 8 dup (?); sModelNumber db 40 dup (?) wMoreVendorUnique dw ? wDoubleWordIO dw ? wCapabilities dw ? wReserved1 dw ? ( V% e/ d& u) q0 _. @2 W4 KwPIOTiming dw ?; wDMATiming dw ?; $ {0 `& A& O8 K% g2 }! w* u7 QwBS dw ? wNumCurrentCyls dw ?; wNumCurrentHeads dw ?; 8 K4 t% ] ^! T3 p' E3 nwNumCurrentSectorsPerTrack dw ?; 9 F- [/ T7 K# c z' A9 gdwCurrentSectorCapacity dd ?; wMultSectorStuff dw ?; 5 q/ J# \! M$ a/ b6 m/ j: k. s- UdwTotalAddressableSectors dd ?; 6 \4 i5 i0 T# R5 C4 O1 ?- nwSingleWordDMA dw ?; , g( S$ g7 U6 z9 xwMultiWordDMA dw ?; bReserved db 128 dup (?) 2 x* J( p- W6 p5 `& h! @9 iIDEINFO ends SetPhyscialMemorySectionCanBeWrited proto :dword MiniMmGetPhysicalAddress proto :dword # ^( \6 w3 L7 M" @. ?7 Q* E ENTERRING0 macro pushad pushfd cli mov eax,cr0 ;get rid off readonly protect 7 ~' O! T9 k5 _" h/ jand eax,0fffeffffh mov cr0,eax endm 4 T+ u/ u9 O1 y LEAVERING0 macro mov eax,cr0 ;restore readonly protect or eax,10000h mov cr0,eax # x6 D( g5 m- `1 `0 H- g- csti 7 i( b( h+ o' S& B( |popfd : F6 D9 {5 Y7 `! ?- v; f# P( Tpopad retf 2 \' W; T3 ?& l! D9 n; Pendm UNICODE_STR macro str ; |/ p* o5 v4 G0 N3 r% @- w% {2 Kirpc _c,<str> db '&_c' % N( `5 s) F, u5 A; f" D0 n8 W! p; h: ydb 0 endm 0 z) { U7 v+ s8 X) m$ c( Kendm ( n9 T" R" q# K7 H$ O( l .data? GdtLimit dw ? . j9 D' s$ g* T( {GdtAddr dd ? mapAddr dd ? * ^- N S$ v9 d6 M3 _8 h+ TOldEsp dd ? " `0 m1 Z! y4 e% F, yreaded dw ? buffer db 512 dup(?) ShowText db 512*3 dup (?) * R, u: y$ L3 o( [ Z* a. K 6 p" s+ e( i; |$ m4 YszBuffer db 1024 dup (?) szModelNumber db 41 dup (?) - G x! Q+ J2 _2 vszSerialNumber db 21 dup (?) szFirmwareRev db 9 dup (?) 7 v/ {% c# @& P 4 E( I( G; ]- y$ g5 S6 @3 ?stIDEINFO IDEINFO - Y0 h8 m* G' Q+ D0 y! T .data align 4 1 p& Q$ W& P) }- T$ a) p. vobjname dw objnamestr_size,objnamestr_size+2 objnameptr dd 0 2 ^6 E$ Q0 ]: Vobjnamestr equ this byte & ^0 a0 o8 _8 U L" dUNICODE_STR <\Device\PhysicalMemory> - Z9 b3 [2 ^' @7 yobjnamestr_size equ $-objnamestr $ o- j6 _- I/ }/ _ s- oszTitle db 'IDE 硬盘信息',0 szErrInfo db '无法读取硬盘信息',0 szIDEInfo db '柱面数 : %d',0dh,0ah 9 A7 b }5 ^0 K# `! |' i db '磁头数 : %d',0dh,0ah 8 F/ d* v" o& }& s! \, c! D db '每道扇区数 : %d',0dh,0ah db '缓冲大小 : %d 扇区',0dh,0ah 9 ?% Y+ N- m! R( q e0 k db '硬盘型号 : %40s',0dh,0ah db '序列号 : %20s',0dh,0ah db '版本号 : %8s',0 8 T# I4 q& N+ D- Aalign 4 ( y$ v8 K5 m) {: R* k: CObjAttr db 24 dup (0) 0 p1 y; W/ P8 l& Y4 ?, i0 J$ e - s6 a, \" s8 e, n1 Y sCallgt dq 0 ;call gate's selff Caption db 'Windows XP绝对磁盘读写',0 Digit db '0123456789ABCDEF',0 3 v/ U& p- N) k* M- C; x. b; }- J.code 5 s) }3 i+ f8 R2 R_ShowBuffer proc ;显示所读出的信息 ;把数据转换成16进制的形式 mov [readed],512 - l/ N+ a5 k1 h mov esi,offset buffer ;数据 mov edi,offset ShowText ;转换后的数据 mov ebx,offset Digit xor ecx,ecx 0 x {- Q N( T* e xor eax,eax , P& ?3 R' z7 M I" j' Z- s: \computeAgain: 7 N4 }, @$ _6 y$ q6 j* Q cmp [readed],0 4 [7 I6 v7 g& U( C9 W/ R* i jz endCompute dec [readed] lodsb 0 s" K; n$ E5 A/ R) r O# Z% e0 ? push eax 5 Z; x# n/ e4 K2 d( `, Z- c* P) U shr eax,4 ;高4位 ! N1 y$ V9 ^7 |) x9 T9 Q xlatb # J- O& w0 U5 P3 q3 ]2 @ stosb pop eax and eax,0fH ;低4位 0 n& M7 y' _8 t% X8 S& ` xlatb stosb 2 K9 A' y, h9 P0 Z H mov byte ptr[edi],' ' ;空格 - Q3 U) x: [+ l$ S7 ]. c& \ inc edi 6 j: g2 p3 t/ C7 B$ q inc ecx cmp ecx,16 jnz computeAgain xor ecx,ecx . n2 m% K5 C- n& k# x. X* w mov byte ptr[edi-1],13 ;回车 2 m9 D6 N }) u( E4 D( E% |# H& J jmp computeAgain + G+ |/ I, u6 r1 q( LendCompute: / N: Z5 J; X& p% _' { ;显示 . }" D8 l" U- r2 n$ O0 J+ N$ F invoke MessageBoxA,NULL,offset ShowText,offset Caption,MB_OK ; m7 w7 g6 l: S! ^3 o' O; W ret _ShowBuffer endp ! I/ w7 ]1 O/ E' w% P/ \$ y' ^ SetPhyscialMemorySectionCanBeWrited proc uses ebx esi edi hSection:HANDLE local pDacl: PACL " Z8 R& e! V( glocal pNewDaclACL 4 ? H* b r4 Q* K9 j; alocal pSD SECURITY_DESCRIPTOR + m @4 J2 I4 I. v' {local dwRes:DWORD ; local ea:EXPLICIT_ACCESS ; invoke GetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL, addr pDacl,NULL, addr pSD cmp eax,ERROR_SUCCESS jz @f # A. i. X9 ]. `0 Kjmp OutSet @@: mov dwRes,eax ) ^& o: F7 J4 [0 jmov ea.grfAccessPermissions ,SECTION_MAP_WRITE;2 ; {; ]7 `. ]& Z1 q+ \: w* ymov ea.grfAccessMode ,GRANT_ACCESS;1 " U* k* p# | F! b8 [6 x& pmov ea.grfInheritance,NO_INHERITANCE;0 mov ea.Trustee.pMultipleTrustee,0 mov ea.Trustee.MultipleTrusteeOperation,0 7 q4 g) u' S* P3 a8 R6 \; |/ Vmov ea.Trustee.TrusteeForm,TRUSTEE_IS_NAME;1 mov ea.Trustee.TrusteeType,TRUSTEE_IS_USER;1 call @f ) j, p/ c S$ R6 cdb "CURRENT_USER",0 4 `0 V5 U* x% [@@: pop edx I( ]& m+ Z5 e: U1 Cmov ea.Trustee.ptstrName,edx invoke SetEntriesInAcl,1,addr ea,pDacl,addr pNewDacl ' f7 z# M0 d* a& P, F5 E/ Y9 Acmp eax,ERROR_SUCCESS jz @f jmp OutSet @@: invoke SetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL,pNewDacl,NULL OutSet: cmp pSD,0 jz @f invoke LocalFree,pSD @@: cmp pNewDacl,0 jz @f invoke LocalFree,pNewDacl @@: 9 ^$ `+ x; S; r# V& }2 e& Rret , O& ~ u7 m. m4 \! {% p: a& iSetPhyscialMemorySectionCanBeWrited endp . Y. B" F; i7 j' a) x: m MiniMmGetPhysicalAddress proc virtualaddress:dword mov eax,virtualaddress . Q B9 a' k: h: ? n cmp eax,80000000h jb @f # Y4 U, a4 b1 I! Z: ?# A( q cmp eax,0a0000000h ) }% j# a3 I X6 t# }& c1 K; U jae @f ' A- q- ?' n, m and eax,1FFFF000h ret 3 G- G% {2 h( I0 K @@: mov eax,0 ret MiniMmGetPhysicalAddress endp % v; l4 k1 B2 y) V/ B1 ^ lExecRing0Proc proc local tmpSel:dword local setcg:dword local BaseAddress:dword 2 B$ n+ m0 R) jlocal NtdllMod :dword local hSection:HANDLE local status:NTSTATUS ) C0 F! H4 {3 V6 Slocal objectAttributes:OBJECT_ATTRIBUTES 7 V: Q6 U+ f9 c+ ~local objName:UNICODE_STRING mov status,STATUS_SUCCESS; 8 v( C z0 O n$ ? k B) m9 U5 Psgdt GdtLimit ; U: K4 {+ Y' z, F; x" x, s5 _invoke MiniMmGetPhysicalAddress,GdtAddr $ q! |& k8 I2 d; d* i; zmov mapAddr,eax # t$ e8 l2 z2 e+ Dtest eax,eax y6 J( x6 U+ ^7 \' @, njz Exit1 9 x# m% W: N( V6 r: J# ~6 y/ {( Ncall @f db "Ntdll.dll",0 @@: call LoadLibraryA : V: p0 V; D" l* Y7 ^1 C% U+ @3 hmov NtdllMod,eax + p9 u' ?5 c& L- Y' ?* N# O / a3 `3 [- l; T$ N. d$ l) Ilea edx,objnamestr mov objnameptr,edx 8 R" N7 c8 P4 Z7 J) klea edi,ObjAttr and di,0fffch ;align to 4 bytes,or ZwOpenSection will fail ; {& R: ]% k5 G5 [3 v7 K6 P/ upush edi ;edi->ObjAttr push 24 ;length of <\Device\PhysicalMemory> pop ecx 3 P9 {4 h( t! ipush ecx K; R+ `( ?7 G0 i. Mxor eax,eax 0 d: B* u& Z' x' s* e Zrep stosb ;put ObjAttr with 0 3 n% K6 U# o& c6 `pop ecx 6 a8 m) Y Z5 ]pop edi . o3 ^; e- q6 q% b1 b) ~+ Mmov esi,edi stosd p6 p6 b p4 K" i' W! V Pmov dword ptr[esi],ecx stosd lea eax,[edx-8] ;eax->objname 1 t0 P A' L; q; j6 W4 ]5 v$ c( sstosd ;ObjAddr(18h,00,00,00,00,00,00,00,offset objname,40,02,00,00,dd 2 dup(0) 8 l7 i* s6 M* |( E! m- d& \5 Ymov dword ptr [edi],240h call @f * h0 a4 j% ^+ S: edb "ZwOpenSection",0 : I1 ~* P! l3 |@@: % r# }" [- M/ Y Z G$ A( ^4 S+ bpush NtdllMod call GetProcAddress $ Z; s5 T$ U9 a( P U3 g4 bmov ebx,eax ;ebx=ZwOpenSection push esi ;esi->ObjAttr push SECTION_MAP_READ or SECTION_MAP_WRITE - ^9 K" J/ t3 S; m2 }$ Ylea edi,hSection , p0 s6 B% ^1 Y7 Q& I5 p- b& }push edi ;edi->hSection call eax ;ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr) # q1 Q$ F) L$ C x4 L/ Hmov status,eax cmp status,STATUS_ACCESS_DENIED 1 I: A; e! r7 ^6 U" d0 Ljnz AccessPermit ; b, f9 a' Q1 W) O/ P! X; Smov eax,ebx 7 U, ]$ ~# |& Y- n2 I$ Kpush esi push READ_CONTROL or WRITE_DAC push edi call eax 9 [: Z5 ]' w3 r- [, D + b! o. | j+ pmov status,eax / F4 }: `0 J& q% sinvoke SetPhyscialMemorySectionCanBeWrited,hSection call @f db "ZwClose",0 8 K% ^9 \1 h) h/ x8 T! p- u5 o@@: push NtdllMod call GetProcAddress - O, Z K5 x( U( z+ G& ? 6 j- s7 `$ C! p7 L0 |; kpush hSection & M& Q8 J4 D4 G/ u& u4 ~call eax ;zwClose hSection mov eax,ebx + Z8 A/ Z& P! A4 i- X8 V1 f $ i# p" Z$ Q; D2 E3 |push esi : Q9 ^- H4 u# c. x& l4 ^! _7 J6 qpush SECTION_MAP_READ or SECTION_MAP_WRITE lea edi,hSection push edi call eax mov status ,eax - H9 I' G1 K. A;status =ZwOpenSection(&hSection,SECTION_MAP_WRITE|SECTION_MAP_WRITE,&objectAttributes); ( h( H+ t. b: M, l3 p% g' eAccessPermit: cmp status ,STATUS_SUCCESS jz @f + G! W, w% Y% J! W: ^5 L6 J0 Q9 K;printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status); ; O) m+ O# b" x# R. R) d;return 0; ' k4 o; |5 f) p) b1 ~/ N: ymov eax,0 3 r/ b5 e% {# I6 _6 A! e4 n, bret @@: # T' q3 }$ q9 F. W1 B6 [2 vmovzx eax,word ptr[GdtLimit] inc eax invoke MapViewOfFile,hSection, FILE_MAP_READ or FILE_MAP_WRITE, 0, mapAddr, eax ! X) {- G9 W) @4 W9 L$ rmov BaseAddress,eax cmp BaseAddress,0 & @ e, H# q) u- V7 X; J, b) Yjnz @f + J3 h$ O6 y, v$ J! U% j;printf("Error MapViewOffile:"); rintWin32Error(GetLastError()); return 0; mov eax,0 ret 0 ^- h+ k/ A& X4 R- J) T1 [ K0 x@@: mov esi,eax ;esi->gdt base mov ecx,3e0h # p8 m! k: M- N' j" l. pmov eax,GdtAddr 8 T0 O8 W9 h2 u8 V9 b5 T0 x& X$ h' E.if dword ptr [esi+ecx+2]!=0ec0003e8h $ q4 l6 ~* z% v1 \0 v! y7 Xmov byte ptr [esi],0c3h mov word ptr [esi+ecx],ax & H& U: f2 y4 i" _( U( Ishr eax,16 % ~* x" r3 z% D, Omov word ptr [esi+ecx+6],ax * G8 a& o q# i5 ^mov dword ptr [esi+ecx+2],0ec0003e8h mov dword ptr [esi+ecx+8],0000ffffh mov dword ptr [esi+ecx+12],00cf9a00h ; j. ?7 p# s6 F' z2 d6 {.endif + N8 v+ _, P5 O7 ] X6 I. H* W ; j) D! X, c, B, i6 amov setcg,TRUE cmp setcg,0 7 x/ o$ b$ r, R7 ^jnz ChangeOK call @f db "ZwClose",0 ) X; O! E: p, |, H( L0 [* o2 |3 y@@: # V7 ^- l7 A' n' \; p7 e' o* Jpush NtdllMod call GetProcAddress 9 e4 b1 l M" P/ J, G8 fpush hSection % F2 m7 H* N( a7 l5 i: `4 fcall eax 1 [' q, O- H$ ~xor eax,eax % u+ i, ?( A% V. b, ]7 c. yret & L# X. h- H2 U2 R5 LChangeOK: and dword ptr Callgt,0 " `; ^# _% n* v6 \/ D7 uxor eax,eax 3 S- P! M7 h7 e, }* Hmov ax,3e0h ( ?" p7 N+ b' s# x* M1 Q- Oor al,3h 4 t+ u2 h0 W' f1 y- r' c" Umov word ptr [Callgt+4],ax ;farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate; lea eax,_Ring0Proc ;invoke VirtualLock,eax,seglen test eax,eax ' Z5 N. H9 e# j) J0 A$ x- A9 Y6 zjnz @f xor eax,eax ret 7 V& d# ~' d9 F; f@@: 5 v0 I/ H$ \* i. R. z0 Kinvoke GetCurrentThread c* w- C$ A# ]$ einvoke SetThreadPriority,eax,THREAD_PRIORITY_TIME_CRITICAL 2 H$ O8 T/ Z' j/ L6 k, Einvoke Sleep,0 + u, |$ g9 E1 T: z4 Xcall fword ptr [Callgt] ;use callgate to Ring0! ) O2 D7 d! n) z' ~1 T;_asm call fword ptr [farcall] 8 O+ C, B: b3 k) q1 @; t4 X_Ring0Proc: ; Ring0 code here.. mov eax,esp ;save ring0 esp * A; `. l) N3 S ?# ^5 z3 @mov esp,[esp+4];->ring3 esp 7 @/ }' R, G7 U3 Y$ F' E$ \5 ]0 ~( wpush eax " S' U3 j4 W, D5 k. _ mov ebx,offset stIDEINFO assume ebx:ptr IDEINFO 3 r: H3 o( {) g/ g9 f- h% |: B;******************************************************************** ; 等待硬盘就绪 ' V% }) m! S; }, M6 |+ X% X! ~;******************************************************************** mov ecx,10000h mov dx,01f7h @@: * r3 S8 A+ Y6 i& P& v" G( i in al,dx # b, X: R0 f" a1 i; z6 z/ \ cmp al,50h jz @F loop @B 7 w8 F) A5 y+ o0 h# W7 f' P/ ?7 S1 A jmp _II_TimeOut @@: ;******************************************************************** ; 发送命令 6 [1 i- n4 I7 x$ `9 | f6 o$ B9 Y! k9 U; 如果向主控制发送命令，则端口为 1f0h-1f7h 0 ~ M. K2 R R8 e3 A6 ?9 H9 v; 如果向副控制发送命令，则端口为 170h-177h ; 1f6h 如果要检测的设备为该IDE接口的主（MASTER）设备， j! W9 m' f2 z7 w2 ?; 那么发送 a0，如果为从那么发送 b0 ; L3 N7 l' Y# s& w; 1f7h 如果要检测的设备为 ATA 设备那么发送 ec ; 如果为 ATAPI 设备那么发送 a1 & @+ x9 S7 b( X- {+ F! z, W. B* t;******************************************************************** 2 ?# S% q+ F- W9 I2 \ mov al,0a0h ;Drive 0,Head 0 mov dx,01f6h ;Drive and head port out dx,al ' Y+ {1 b( H$ [ mov al,0ech 1 `/ U- O; c: u3 ] inc dx ;Command port out dx,al 6 _% a- N, E( T! o+ ~- C;******************************************************************** 7 ]8 N8 [* V; a6 e- m" p; 等待硬盘就绪 7 i' u/ W2 x$ u) w# w% M;******************************************************************** 9 h" M- C4 d3 ]! X* @8 T6 `7 y1 Z mov ecx,10000h @@: in al,dx;1f7 (r-status register) - l& t8 _% p8 k7 W8 D6 z1 M+ G6 N cmp al,58h;(driver is ready ,and seek complete) 7 b/ Q# Q% a- G4 d0 A, X jz @F % A2 E8 r: Z+ [. A a loop @B ) J0 s! W8 {' Q3 O3 h9 ^8 E jmp _II_TimeOut @@: ' {9 N& [- N( v Z# J+ S2 z;******************************************************************** ; 将返回信息读回 ; 注意一定要读满 100h 个字长 0 D' v8 f* i8 g; o- t;******************************************************************** 6 I3 N ]. m* u- m/ w cld 1 @- v' _) T& w% F3 M# f mov edx,01f0h;data port - data comes in and out here ! V5 b% X+ O; j& _% H" L4 C; w; Z ~ mov edi,ebx mov ecx,0100h & ~1 G+ w1 H0 t [# G6 Y9 F rep insw 6 C) O( R/ n) q4 u5 w% P, i- f) Z;******************************************************************** ; 返回的信息中，型号、序列号、版本号为字形式 1 b, s6 |; s! W& |; 需要整理到字符串的形式 8 {# ~" g0 `1 D# E;******************************************************************** lea esi,[ebx].sSerialNumber & u2 o( t8 c% ?% e1 i* @1 k mov edi,esi ! B5 C5 ^/ M! a mov ecx,10 6 a: s7 d( ~3 A9 ? @@: lodsw 5 R8 B+ j) ]$ ^ xchg ah,al 1 `5 ?7 p# q' {$ O; | stosw $ J3 ?) ^4 \6 u+ I4 T0 ~9 u% e loop @B # E6 r" b9 o5 Y9 S lea esi,[ebx].sFirmwareRev 2 n9 s" `% _: e" c; E mov edi,esi ) W* e3 i2 [2 G* g! C, ^: R mov ecx,24 @@: lodsw % G9 X3 h9 `- t3 r) n& ` xchg ah,al stosw loop @B _II_TimeOut: % s# t* }9 j6 H( S) P2 E7 Passume ebx:nothing " [, p) H! U( g+ a1 W4 i- i ! n( G5 U: [7 m# B% }2 M4 q6 Apop esp ;restore ring0 esp push offset Ring3 retf Ring0CodeLen=$-_Ring0Proc Ring3: 8 @( g8 P& o! ^2 q3 B6 U! A* [. qinvoke GetCurrentThread invoke SetThreadPriority,eax,THREAD_PRIORITY_NORMAL 5 {1 Y* s; V1 w3 [9 ^;invoke VirtualUnlock,Entry,seglen call @f db "ZwClose",0 @@: push NtdllMod , `/ L/ ], f% x1 z3 o& ^call GetProcAddress ( R3 \& c! h) L' ?8 hpush hSection * X0 a6 H3 C, A* j! E* Hcall eax 7 ^& v: S' ^$ H5 Q. r' }mov eax,TRUE 2 k3 Z9 H, n5 X3 J1 dret & J, T. P" w; Q7 d: L/ @3 y" h$ z, _ExecRing0Proc endp 3 K8 |* n$ s9 h% ] . \( ?( k: D, W6 Vmain: % f0 g' H; ]) m: M0 c) @5 f; Aassume fs:nothing push offset MySEH push fs:[0] 0 B+ D* f6 `' `mov fs:[0],esp mov OldEsp,esp mov ax,ds ;if Win9x? + P; e$ N8 s! b3 W" T) Wtest ax,4 ! ~( \ { c) z- ojnz Exit1 invoke ExecRing0Proc .if stIDEINFO.wNumCyls 9 \/ r; Z- O: l) t) Q lea esi,stIDEINFO.sModelNumber mov edi,offset szModelNumber mov ecx,sizeof stIDEINFO.sModelNumber $ D" }1 l5 g @& }% T# n3 E4 Z rep movsb 4 C- c. m1 y* {; S7 l: H& h lea esi,stIDEINFO.sSerialNumber mov edi,offset szSerialNumber / r a8 `" Y% O! H- l mov ecx,sizeof stIDEINFO.sSerialNumber rep movsb 5 Z" Z( J' |: g! O, K ; X- H$ ^/ y% B3 w, P w lea esi,stIDEINFO.sFirmwareRev / `" _/ k# W \' E mov edi,offset szFirmwareRev mov ecx,sizeof stIDEINFO.sFirmwareRev - \2 u( l0 {, E/ `* @' j5 y rep movsb - M0 z$ C I% U P# D8 u3 a7 K- v movzx eax,stIDEINFO.wNumCyls movzx ebx,stIDEINFO.wNumHeads A$ A" f9 T. N9 z) A# N" I& c. h movzx ecx,stIDEINFO.wSectorsPerTrack movzx edx,stIDEINFO.wBufferSize 5 H$ H% R% J# T9 R2 W invoke wsprintf,addr szBuffer,addr szIDEInfo, eax,ebx,ecx,edx, addr szModelNumber, addr szSerialNumber, addr szFirmwareRev mov eax,offset szBuffer .else mov eax,offset szErrInfo 0 ?% a6 ~ T( F; r# w.endif 6 B* O, x! A* j; K, [$ \7 y@@: invoke MessageBox,NULL,eax,addr szTitle,MB_ICONINFORMATION or MB_OK ( t. w' L6 t) H& r. dExit1: ( e6 o1 [% z/ t1 S9 N6 |0 `pop fs:[0] add esp,4 # ]: a8 T" V. |5 ainvoke ExitProcess,0 : N. t- L2 x/ q MySEH : % o! R/ C- p q$ qmov esp,OldEsp ( n& C: J" K- m7 Z- Dpop fs:[0] y' N: m) o( b% P& [add esp,4 invoke ExitProcess,-1 end main ( n f7 h- `7 `. A( y$ H. G% P

[此贴子已经被作者于2003-11-2 18:14:02编辑过]

呵呵，ExecRing0Proc 这段程序甚妙，先得到gdt，然后构造一个调用门call gate's ,使程序从用户模式(ring 3)进入内核模式(ring 0)。进入内核模式之后，就可以没有限制地对系统干任何勾当。这段程序确实为高手所为，在下佩服得紧。
至于读硬盘序列号之类，只不过是在内核模式下的一个I/O应用罢了。
其实在NT/2000下读取硬盘序列号只要打开\\.\PhysicalDriveX(X:设备号0~26）设备，然后用DeviceIoControl()就可以读取了，不需要绕ring0这么一个大圈子

7 }2 c- h+ p( n这个程序也可以C语言实现，不过中间必须嵌入几条汇编的指令，如sgdt GdtLimit
但还是用c来写更方便，例如：
* [8 {+ M# A4 n( rcall @f
db "ZwOpenSection",0
! N4 Z$ @- W' Q; s@@:
push NtdllMod
call GetProcAddress
; v9 Z6 j8 |; L3 E3 t+ j8 [mov ebx,eax ;ebx=ZwOpenSection
push esi ;esi->ObjAttr
0 ?6 K5 w/ Y0 npush SECTION_MAP_READ or SECTION_MAP_WRITE
lea edi,hSection
  c6 h# A, T  i4 ?% epush edi ;edi->hSection
: }" \4 n0 M" M( r' \: h! Vcall eax ;

2 e4 ?0 b1 Y# J- j5 P6 `用c的话只要一句就可以了
ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr)；
因此懂汇编，然后用C/C++编程，是成为高手的捷径
8 W( O; t! ~& l7 `5 }
0 @  c( L! p( ]/ {: C

[此贴子已经被作者于2003-11-3 16:46:50编辑过]

9 w7 c9 P: i- P0 i2 ^1 ?3 t5 o2 m9 a

firelinux

win32位汇编，真的很不错，业余的时间，全都投进去了

唐明

要能有台机器试一下多好，学汇编还从没想过去ring0，也感觉没哪个必要。
2 Z7 _. j, c7 n; h; U% ]现在闲着真相试试。这片文章我在家保存了有快一年了。不用感觉可惜了。一直停着不用，我都快忘了那些曾经那些依稀的记忆了。水能给我一台电脑，我力马高喊：有你这么富的吗？

很久以前的一段代码

游侠无极限

很久以前?
# N) k- `7 \+ i& V2 S# S# n: U不是吧,这个是 轻描淡写 编程论坛的斑竹写的

看到过的。