[转帖]2000/xp下读硬盘序列号[汇编]

游侠无极限

我可没这个水平 .686p * b1 r. t/ j6 F.model flat, stdcall 3 j( N* S9 O( ^# q( Q( \1 ? {. Loption casemap :none ; case sensitive . R5 K: u0 J5 D; ######################################################################### ; [/ l0 v4 R1 l1 w4 |: _2 finclude \masm32\include\windows.inc " \# k6 V2 w# l8 a; G/ A! ~include \masm32\include\user32.inc include \masm32\include\kernel32.inc include \masm32\include\advapi32.inc 5 q! S- c) R8 @. }/ j: M% Aincludelib \masm32\lib\user32.lib includelib \masm32\lib\kernel32.lib ^7 u. Q% v I; r5 Qincludelib \masm32\lib\advapi32.lib DEBUG = TRUE ' k* K- b! T: Y5 G: y# D$ A ) V% {' c% V( Y, H+ R" h* |HMODULE typedef dword NTSTATUS typedef dword PACL typedef dword 3 ?- t* }0 P& X% Y7 L9 iPSECURITY_DESCRIPTOR typedef dword OBJ_INHERIT=2 OBJ_PERMANENT=10h / P5 l3 ]- ~% O; v( {+ IOBJ_EXCLUSIVE=20h 5 @% \# \4 D4 O2 R1 Z2 F, NOBJ_CASE_INSENSITIVE=40h 1 K- |, X/ ^+ Q( a4 vOBJ_OPENIF=80h OBJ_OPENLINK =100h 8 L2 N2 [8 H! @: @OBJ_KERNEL_HANDLE=200 OBJ_VALID_ATTRIBUTES=3F2h : W. q4 D. T5 v+ L# t1 [* g) M8 } SE_KERNEL_OBJECT = 6 GRANT_ACCESS =1 # h, F% c& J' `5 [* [NO_INHERITANCE =0 % `' q5 e: i6 L8 y9 {5 aTRUSTEE_IS_NAME=1 ' T$ |! {6 e' ~% @TRUSTEE_IS_USER=1 7 G+ p1 t2 }4 ]5 |4 I0 F/ R3 l7 k8 WSTATUS_SUCCESS =0 STATUS_ACCESS_DENIED =0C0000022h & t: u8 ?2 O1 ~- u8 O* x% W STATUS_ACCESS_VIOLATION equ 0C0000005h 1 H5 g$ D( R1 i* G" Y; \/ o6 MSTATUS_INFO_LENGTH_MISMATCH equ 0C0000004h ( {3 K$ b1 E% S4 X3 u1 ^SystemModuleInformation equ 11 PVOID TYPEDEF DWORD 1 V" ~4 y& A) K9 R3 O$ H i4 nUNLONG TYPEDEF DWORD CHAR TYPEDEF BYTE UNICODE_STRING struct 0 a9 i6 W" R4 D" e4 f nLength word ? MaximumLength word ? Buffer dword ? 8 o: S& g* B" }- PUNICODE_STRING ends ( d; _1 X# x2 L, f) y2 e( jOBJECT_ATTRIBUTES struct }1 Q9 e0 b2 Y- s& y& K# k nLength dword ? RootDirectory HANDLE ? ObjectName dword ?UNICODE_STRING $ Q9 v% f6 ~, W8 s0 Y+ z$ J! B6 ^ Attributes dword ?; SecurityDescriptor dword ?; PVOID // Points to type SECURITY_DESCRIPTOR 3 ^4 G! ?# u1 _2 `6 d3 y SecurityQualityOfService dword ?VOID // Points to type SECURITY_QUALITY_OF_SERVICE OBJECT_ATTRIBUTES ends / M- H$ q) l8 O* d9 o) l& `$ e1 _) U% E9 |TRUSTEE struct ( D& _. V4 h3 h. X* w pMultipleTrustee dword ?TRUSTEE 6 z& W, i6 k+ ^8 t& U/ s$ L/ I MultipleTrusteeOperation dword ?; MULTIPLE_TRUSTEE_OPERATION TrusteeForm dword ?;TRUSTEE_FORM 8 h* p4 X" y; L2 r TrusteeType dword ?;TRUSTEE_TYPE & p0 I/ v( K0 A; H3 t6 [1 I' D ptstrName dword ?;LPTSTR : p& |) [: d! y$ t' ?, f3 u( N% h0 c5 OTRUSTEE ends EXPLICIT_ACCESS struct grfAccessPermissions DWORD ? grfAccessMode dword ? ;ACCESS_MODE % m8 S% T9 m3 v1 s$ V% g' p& j grfInheritance DWORD ? ; Trustee TRUSTEE <> ; & P7 q& n8 i+ w) _' i- o U4 NEXPLICIT_ACCESS ends T' g. W1 g3 T5 \3 HMyGATE struct ;门结构类型定义 ! c" G( G, w, q i5 N$ o OFFSETL WORD ? ;32位偏移的低16位 ! T6 { j5 ^5 R% M3 q' O" t SELECTOR WORd ? ;选择子 DCOUNT BYTE ? ;双字计数字段 9 [* y- ^3 B9 l3 l; ?3 O GTYPE BYTE ? ;类型 $ f8 o4 X! ]1 x! |3 j OFFSETH WORD ? ;32位偏移的高16位 6 Q4 q1 a4 ~- s* m$ a0 X4 {MyGATE ends 5 r" S7 L) E8 C, g IDEINFO struct wGenConfig dw ? wNumCyls dw ?;拄面数 3 t f8 I7 K. K5 w+ v6 H( N2 s7 {1 Z# {wReserved dw ? 0 ?. x2 }( ^ k! swNumHeads dw ?;磁头数 wBytesPerTrack dw ?;每道字节数 wBytesPerSector dw ?;每扇区字节数 $ a2 h/ o& ?; M( ?, R. MwSectorsPerTrack dw ?;每道山区数 + ^: @! \* b+ v4 ?wVendorUnique dw 3 dup (?) sSerialNumber db 20 dup (?);硬盘序列号 ( V& ]6 Y1 f1 d& a+ xwBufferType dw ?; h6 n. K! ~! ]. \1 m0 pwBufferSize dw ?; ;n * 512 6 Y& l) ~6 `4 a, t8 g3 l1 ~' YwECCSize dw ? o% H+ _' _; N" T& `" I, EsFirmwareRev db 8 dup (?); sModelNumber db 40 dup (?) wMoreVendorUnique dw ? , F% {/ p& p$ _3 ?) RwDoubleWordIO dw ? ) s, p) m4 Y. p4 }& iwCapabilities dw ? `/ h! N4 ]/ Z% J3 ]; G, ywReserved1 dw ? wPIOTiming dw ?; ( B# ?+ u& {' l/ r4 E5 d2 ?wDMATiming dw ?; wBS dw ? % q* S/ a6 d- }1 lwNumCurrentCyls dw ?; $ O; I: e- @% @" OwNumCurrentHeads dw ?; }0 L, B, i+ J* q( M% b" h7 iwNumCurrentSectorsPerTrack dw ?; 9 x: \8 Z, q' |* UdwCurrentSectorCapacity dd ?; ) c, z1 m: j r" r0 W3 Z2 X# V5 W8 XwMultSectorStuff dw ?; 6 @/ b* B& n7 F! c" b1 @0 n0 q# NdwTotalAddressableSectors dd ?; e, {% y1 s9 z" ^. KwSingleWordDMA dw ?; ) _4 W( O5 I" V% f4 kwMultiWordDMA dw ?; ) [. ~& N9 O- o; Q# Q8 B! MbReserved db 128 dup (?) 9 Y0 g+ ]2 d$ m: N" TIDEINFO ends 2 _; x% z3 z4 s% [* ^ ; ?5 _! I! p4 e, {6 o9 p ' u& ]0 x% r7 {1 K2 MSetPhyscialMemorySectionCanBeWrited proto :dword 1 z* u# D+ p( t" p. kMiniMmGetPhysicalAddress proto :dword ENTERRING0 macro - [7 x: F9 a7 X# apushad pushfd cli mov eax,cr0 ;get rid off readonly protect and eax,0fffeffffh % o# [* z! n8 _, Vmov cr0,eax 0 H, S7 y: g; G4 y7 b' R5 d1 mendm 3 a+ _. x/ G E$ ?* x7 ? {8 W7 T LEAVERING0 macro & Q' _4 |9 s% r3 G1 Xmov eax,cr0 ;restore readonly protect or eax,10000h mov cr0,eax sti 2 @+ ?* p4 s+ w" X3 Jpopfd popad retf endm 9 e/ _' h7 Y8 d9 ~) p ) |6 K. `( M5 R4 L6 h+ }' hUNICODE_STR macro str irpc _c,<str> db '&_c' * L5 @; ^( k5 e/ U5 r3 ^' h& t. Cdb 0 0 ?* `) ], d4 E1 n9 ^& }1 Bendm endm .data? 0 r0 Y3 A4 D* }! GGdtLimit dw ? GdtAddr dd ? - P3 C$ X& a+ MmapAddr dd ? ) G+ o+ K* j$ t( hOldEsp dd ? ! Q i7 y3 ^; F/ m7 O! Q7 i readed dw ? 7 O5 P0 ?; M* o% qbuffer db 512 dup(?) ShowText db 512*3 dup (?) % z8 X6 I9 U" J8 Z# u* w2 t szBuffer db 1024 dup (?) szModelNumber db 41 dup (?) szSerialNumber db 21 dup (?) ! ]$ Z, L% P) o+ O" U" B' j5 yszFirmwareRev db 9 dup (?) stIDEINFO IDEINFO 4 d5 t5 x, `; B' j.data align 4 & f+ X0 N% |! S% e9 |0 \objname dw objnamestr_size,objnamestr_size+2 objnameptr dd 0 * g! [, A& t; [/ t. j$ J5 \) Bobjnamestr equ this byte 4 p& h1 v, b1 S, C! W' gUNICODE_STR <\Device\PhysicalMemory> objnamestr_size equ $-objnamestr szTitle db 'IDE 硬盘信息',0 szErrInfo db '无法读取硬盘信息',0 $ |) Q$ K2 G; MszIDEInfo db '柱面数 : %d',0dh,0ah db '磁头数 : %d',0dh,0ah ' O h9 W% ^: Q! A/ m db '每道扇区数 : %d',0dh,0ah db '缓冲大小 : %d 扇区',0dh,0ah ( z* h2 g3 s; W4 } db '硬盘型号 : %40s',0dh,0ah 8 b; I: H" H {$ m) l7 C1 D) r db '序列号 : %20s',0dh,0ah ) v# Y7 E% O$ D5 [ db '版本号 : %8s',0 align 4 ObjAttr db 24 dup (0) , r- F+ M2 g5 f$ X, X' o* I+ WCallgt dq 0 ;call gate's selff 9 @! e3 Q1 [' U4 \! m% K: C/ u- bCaption db 'Windows XP绝对磁盘读写',0 2 m7 J/ P- u$ {' ?. W, vDigit db '0123456789ABCDEF',0 ( m" \/ `* P% C. w/ A' `1 G2 N* f.code : I# f1 ~% G( F* g) k# h5 r: c9 K% E_ShowBuffer proc ;显示所读出的信息 ;把数据转换成16进制的形式 mov [readed],512 : K% I& q: q$ g+ L; M" O mov esi,offset buffer ;数据 8 n" m% x, \7 d0 ~ o( o" w' P$ R* L mov edi,offset ShowText ;转换后的数据 mov ebx,offset Digit xor ecx,ecx 5 V5 c1 y( c4 S- H% f xor eax,eax computeAgain: # e1 b' s% k3 |6 n& P cmp [readed],0 ! P" H) q' `) G% N( k# B jz endCompute dec [readed] ' E& o( \( s" x lodsb ' J( B5 p( A) p3 ~: } push eax shr eax,4 ;高4位 xlatb stosb - _% W0 j5 M& g. q1 j) T! \, B pop eax and eax,0fH ;低4位 xlatb ' ^3 X! @' E( S$ h4 T stosb mov byte ptr[edi],' ' ;空格 inc edi ! V* d4 k; A5 m: o5 a- r% X inc ecx cmp ecx,16 jnz computeAgain xor ecx,ecx : _2 c* D0 ~. Z% ? mov byte ptr[edi-1],13 ;回车 jmp computeAgain endCompute: ;显示 3 \ `. Z R6 [5 B' h. h invoke MessageBoxA,NULL,offset ShowText,offset Caption,MB_OK ret _ShowBuffer endp SetPhyscialMemorySectionCanBeWrited proc uses ebx esi edi hSection:HANDLE local pDacl: PACL ^* {+ F! G8 j9 mlocal pNewDaclACL local pSD SECURITY_DESCRIPTOR local dwRes:DWORD ; local ea:EXPLICIT_ACCESS ; invoke GetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL, addr pDacl,NULL, addr pSD ' [1 ?& ]' @1 y- |0 J* Pcmp eax,ERROR_SUCCESS & S/ F, n6 \' x3 V$ d4 Ajz @f 9 ?, I8 y2 O; L& Mjmp OutSet @@: 7 J6 ^% |# @5 L" ]& a: E% h: Smov dwRes,eax mov ea.grfAccessPermissions ,SECTION_MAP_WRITE;2 * d9 _$ @, W' Kmov ea.grfAccessMode ,GRANT_ACCESS;1 & E% V# }. U: ^* Umov ea.grfInheritance,NO_INHERITANCE;0 mov ea.Trustee.pMultipleTrustee,0 mov ea.Trustee.MultipleTrusteeOperation,0 $ ^: K, w2 i0 y, }& v4 Fmov ea.Trustee.TrusteeForm,TRUSTEE_IS_NAME;1 mov ea.Trustee.TrusteeType,TRUSTEE_IS_USER;1 ) @" @/ }3 w( K' Z) Ocall @f ! O- {4 t8 R( z4 _& m1 ]db "CURRENT_USER",0 @@: pop edx O+ t- o8 ]. X; j4 j- m; `. hmov ea.Trustee.ptstrName,edx 1 S6 D$ ~: v) p% d, finvoke SetEntriesInAcl,1,addr ea,pDacl,addr pNewDacl cmp eax,ERROR_SUCCESS jz @f jmp OutSet ! j5 n2 t4 g g# D@@: ' U# C$ p$ J0 q5 a! \5 m/ o8 F* jinvoke SetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL,pNewDacl,NULL 0 g' q: w7 o: ?! B6 T/ L" ]9 FOutSet: cmp pSD,0 ; S; |6 k* V( p! X) Qjz @f invoke LocalFree,pSD @@: cmp pNewDacl,0 " ?# D& g" T/ F, F" pjz @f invoke LocalFree,pNewDacl 4 x; L9 {0 x8 M9 t3 {; x2 ?3 D@@: ret / u1 Y) s- t* K1 ^SetPhyscialMemorySectionCanBeWrited endp & t7 s3 n1 c4 X# I: h) x MiniMmGetPhysicalAddress proc virtualaddress:dword mov eax,virtualaddress cmp eax,80000000h jb @f - {1 y( ]/ s1 A( \' d cmp eax,0a0000000h jae @f and eax,1FFFF000h + W$ h G/ j+ T, R5 I, b ret ( m9 f" X' H$ y, C. L1 j @@: * c: c2 U1 e( w5 O1 v# I" q mov eax,0 4 G! V, \0 ]3 d ret MiniMmGetPhysicalAddress endp * l j) C/ }8 X- RExecRing0Proc proc local tmpSel:dword + L( y* T0 k, d; e5 [& olocal setcg:dword 7 K: I' {) W& llocal BaseAddress:dword 3 G5 J$ s: D3 w% d; R6 @local NtdllMod :dword 0 x2 x- V6 A$ I/ U/ B; F2 N# C4 Qlocal hSection:HANDLE _6 c0 l4 R# ^3 B7 clocal status:NTSTATUS local objectAttributes:OBJECT_ATTRIBUTES ( D6 t- B- g$ m! ?0 G0 H9 A, ]5 k4 flocal objName:UNICODE_STRING mov status,STATUS_SUCCESS; sgdt GdtLimit 9 e. W7 e! m# Einvoke MiniMmGetPhysicalAddress,GdtAddr mov mapAddr,eax test eax,eax 7 c4 d* K( o- kjz Exit1 * E. \2 l+ ]# ]call @f * d2 G, w# Z$ f0 R$ }, N# Zdb "Ntdll.dll",0 @@: call LoadLibraryA + k N& l2 Z) ]& F" Dmov NtdllMod,eax . Q* S: x7 B7 m0 {$ P" C( ? ) q4 }1 L$ I% b. q: R6 p, slea edx,objnamestr ) ^* n, n# M: o M$ `: A8 \. H2 R$ `mov objnameptr,edx * L* ~+ @( l" f. ^lea edi,ObjAttr and di,0fffch ;align to 4 bytes,or ZwOpenSection will fail Q. e' b3 z! Z9 ]) ]push edi ;edi->ObjAttr push 24 ;length of <\Device\PhysicalMemory> / } K. J0 v8 I: I4 j2 i( Lpop ecx 5 M2 q6 r7 g% C+ ^push ecx - v% b* `$ Y5 b$ n/ oxor eax,eax rep stosb ;put ObjAttr with 0 pop ecx pop edi 7 z1 a J$ O0 l2 _( _ a1 @6 n6 m$ J0 }mov esi,edi & P# H# G+ P! v, ^8 `stosd mov dword ptr[esi],ecx stosd lea eax,[edx-8] ;eax->objname stosd ;ObjAddr(18h,00,00,00,00,00,00,00,offset objname,40,02,00,00,dd 2 dup(0) mov dword ptr [edi],240h % \% y# ^( `) x* a1 `4 h8 u % B) A l$ |6 j. p. ?% ocall @f db "ZwOpenSection",0 @@: push NtdllMod & E% K0 S3 d! X+ c7 A! T& ?call GetProcAddress 6 l$ g- F4 u4 D% pmov ebx,eax ;ebx=ZwOpenSection " z7 k3 ^% y8 b! H, q* t, rpush esi ;esi->ObjAttr push SECTION_MAP_READ or SECTION_MAP_WRITE $ Z* `; r$ c- f) A; plea edi,hSection push edi ;edi->hSection ) ]" c" V6 b3 t0 bcall eax ;ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr) 0 [* A2 N" o4 k9 A3 y5 dmov status,eax 7 r8 m# x3 Z1 ^8 K, vcmp status,STATUS_ACCESS_DENIED jnz AccessPermit $ h. O- N, K" w$ x1 Z P1 m) Umov eax,ebx 2 F/ [$ l/ d, w8 Y; T/ X3 A push esi push READ_CONTROL or WRITE_DAC 5 l! t9 S# F' A) p9 \" y1 Vpush edi call eax + {' x" ?) K y4 d! T 6 F: @& |# R2 b) d# U# k, K, b7 omov status,eax , [7 n9 k5 e9 U# b4 I! Kinvoke SetPhyscialMemorySectionCanBeWrited,hSection ~5 t! C* i' Z% F$ ]6 r* ~ 5 [, ~6 Q& @; C$ ucall @f , y: H1 R" E+ y; J Ndb "ZwClose",0 2 q+ S) [* J+ j) I D@@: push NtdllMod * f2 w' J v( Bcall GetProcAddress : k6 h: K3 O# C* F% ] : ]" T3 a4 \; qpush hSection . _7 [- J! p" lcall eax ;zwClose hSection 3 a, S4 q2 {7 I# q/ O' V/ U, bmov eax,ebx " ]' P9 {6 l9 d, t7 n push esi ! |, }* Q4 H- v4 P; n0 Fpush SECTION_MAP_READ or SECTION_MAP_WRITE lea edi,hSection push edi $ b9 C. Y2 M% U l, wcall eax mov status ,eax ;status =ZwOpenSection(&hSection,SECTION_MAP_WRITE|SECTION_MAP_WRITE,&objectAttributes); AccessPermit: cmp status ,STATUS_SUCCESS jz @f ;printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status); 3 ~) Q5 R8 f' z+ p$ \- K/ v;return 0; Z9 P# T, n t9 p* X; r! Nmov eax,0 ret 9 {% L4 d" w" Z1 I- {) p \! U@@: movzx eax,word ptr[GdtLimit] inc eax 9 ]9 b% ]' r' k5 Y+ w5 d2 V( Pinvoke MapViewOfFile,hSection, FILE_MAP_READ or FILE_MAP_WRITE, 0, mapAddr, eax mov BaseAddress,eax cmp BaseAddress,0 jnz @f ;printf("Error MapViewOffile:"); + h. f( i3 e- T5 D( frintWin32Error(GetLastError()); return 0; ! G: o" u# {2 Rmov eax,0 ( n7 c, N: a) k- N& eret @@: mov esi,eax ;esi->gdt base mov ecx,3e0h mov eax,GdtAddr # H/ |& `* H: @1 x.if dword ptr [esi+ecx+2]!=0ec0003e8h % y2 a" H4 \. l1 l" xmov byte ptr [esi],0c3h mov word ptr [esi+ecx],ax 2 V Z8 }2 w( B9 Yshr eax,16 & S9 A- D& j4 jmov word ptr [esi+ecx+6],ax mov dword ptr [esi+ecx+2],0ec0003e8h & R# W/ c3 [- {$ T' O$ v+ C% h ( ?( u+ r e9 F2 O8 }mov dword ptr [esi+ecx+8],0000ffffh mov dword ptr [esi+ecx+12],00cf9a00h .endif + ~9 F2 Q' R6 G$ }* O2 b, D mov setcg,TRUE cmp setcg,0 jnz ChangeOK call @f : T9 K( ^$ f7 {. Ddb "ZwClose",0 1 O3 h5 ^2 b, `1 l8 w@@: 1 s. z' ~* _7 j/ M$ X5 I/ wpush NtdllMod call GetProcAddress push hSection call eax $ }( D1 Z8 f4 W U6 t4 Nxor eax,eax ! Y2 G' _1 h" ^+ a! h3 Uret : r2 T$ T1 b: ?1 c5 T7 nChangeOK: and dword ptr Callgt,0 xor eax,eax 4 G5 f2 g# I+ s/ _mov ax,3e0h ' o) n* [ k8 W8 w9 v% H* Uor al,3h ; s* |) z$ P0 ~3 o( _5 \6 M% Dmov word ptr [Callgt+4],ax $ R0 Y: q; ]3 |8 N9 N( L$ W;farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate; ) Q$ S# d3 m6 Nlea eax,_Ring0Proc : J1 d$ e/ I: }& B# e# X/ z;invoke VirtualLock,eax,seglen test eax,eax jnz @f " S1 U; U4 l# ~% A2 Sxor eax,eax ret $ g H0 E7 d! N9 a, ]; Y@@: invoke GetCurrentThread invoke SetThreadPriority,eax,THREAD_PRIORITY_TIME_CRITICAL # }, j+ Q0 y* g+ rinvoke Sleep,0 call fword ptr [Callgt] ;use callgate to Ring0! 9 y: j- I" u h6 }# h;_asm call fword ptr [farcall] _Ring0Proc: ; Ring0 code here.. ) Y# q- {) W$ Umov eax,esp ;save ring0 esp mov esp,[esp+4];->ring3 esp " h: o+ \$ o7 m, v, Q) kpush eax ) n- Q) f- z8 ?$ t. P mov ebx,offset stIDEINFO 1 F: z* }1 ^) Z5 I* h assume ebx:ptr IDEINFO ;******************************************************************** ' T& `1 v" _9 N6 A3 i; 等待硬盘就绪 . V, Z5 d8 U& E; O5 R. D;******************************************************************** mov ecx,10000h mov dx,01f7h @@: ( ]$ ^2 f: |& U; C6 L in al,dx cmp al,50h jz @F loop @B ' w8 ~' N) D8 }( y. T jmp _II_TimeOut ' D/ l, D, c/ b9 [$ f @@: ;******************************************************************** ; 发送命令 ; 如果向主控制发送命令，则端口为 1f0h-1f7h ; 如果向副控制发送命令，则端口为 170h-177h + v, s+ A+ P, e" r r& m; 1f6h 如果要检测的设备为该IDE接口的主（MASTER）设备， ; 那么发送 a0，如果为从那么发送 b0 ; 1f7h 如果要检测的设备为 ATA 设备那么发送 ec ; 如果为 ATAPI 设备那么发送 a1 : R. o8 O' u. N;******************************************************************** mov al,0a0h ;Drive 0,Head 0 / H6 D1 K8 v/ j# c mov dx,01f6h ;Drive and head port + V# S% F9 j* ~: \ out dx,al : T8 \6 @6 j3 s' x7 o& n7 l mov al,0ech 9 _2 s X1 ?3 f/ h inc dx ;Command port " c% D) D: Z+ x3 x out dx,al 3 B7 q! N& {4 w [8 l;******************************************************************** 1 _" s- j1 J) Z1 N% d; 等待硬盘就绪 ;******************************************************************** : w, k& k7 d2 D0 c, S& i! y: z" b mov ecx,10000h @@: in al,dx;1f7 (r-status register) * n. }3 Z2 ~. X$ }! t' p cmp al,58h;(driver is ready ,and seek complete) jz @F loop @B jmp _II_TimeOut ' b8 a( s2 _2 r0 k0 K @@: 3 l+ }0 ~- e! N;******************************************************************** ; 将返回信息读回 ; 注意一定要读满 100h 个字长 7 H: {- ^4 X- ~4 P;******************************************************************** & K& A/ j& v: P cld ) M/ ?( T* B& b% \- b mov edx,01f0h;data port - data comes in and out here mov edi,ebx mov ecx,0100h ; k" L* x7 M# j; Z0 z* {8 p rep insw 7 g8 ~2 Y6 _2 ~9 D/ e! w9 _;******************************************************************** ; 返回的信息中，型号、序列号、版本号为字形式 ; 需要整理到字符串的形式 / d: u( W7 B) h;******************************************************************** " z1 h/ J. c) t f% o lea esi,[ebx].sSerialNumber mov edi,esi * g" U6 y1 u: v, N% h mov ecx,10 @@: lodsw xchg ah,al stosw loop @B lea esi,[ebx].sFirmwareRev mov edi,esi mov ecx,24 @@: lodsw xchg ah,al stosw / c1 x& Q" e6 g' A loop @B _II_TimeOut: 9 V: X/ H, u2 e- u( Q ]assume ebx:nothing ( n1 d/ S5 b. Z( W5 ^4 y2 R pop esp ;restore ring0 esp 4 q! ?+ x4 g% `; \5 [, Cpush offset Ring3 9 s J# m2 F/ }6 Cretf ! |4 S, p+ G: m& y. Y bRing0CodeLen=$-_Ring0Proc Ring3: 5 B/ l% m5 R3 e9 n' u) Binvoke GetCurrentThread invoke SetThreadPriority,eax,THREAD_PRIORITY_NORMAL ;invoke VirtualUnlock,Entry,seglen call @f db "ZwClose",0 " {7 ~: B2 v3 ?, o4 C/ z; K@@: push NtdllMod 1 x, d6 w/ a+ t4 H2 B' Vcall GetProcAddress - d! A( t0 y" j' `# E P, Opush hSection 2 X# @7 j/ f$ bcall eax 6 z. ?8 Q4 m. t4 K: D4 k/ \mov eax,TRUE # f/ n7 N8 a' J8 z9 sret $ H4 ?& T; v f6 s4 r! A6 @: N. |ExecRing0Proc endp : S4 h$ v6 {6 u4 ?main: assume fs:nothing push offset MySEH push fs:[0] mov fs:[0],esp mov OldEsp,esp % a7 M. n+ B$ N2 m4 z4 hmov ax,ds ;if Win9x? , |3 \# A( ~$ {! x0 P6 k9 H& Btest ax,4 ; J0 m: O% H5 X3 [& ?jnz Exit1 invoke ExecRing0Proc 9 {* L9 s) w0 z* H) K( H .if stIDEINFO.wNumCyls , \" x+ N' t T lea esi,stIDEINFO.sModelNumber mov edi,offset szModelNumber 0 m" a+ i' m2 p* o- T) q5 m mov ecx,sizeof stIDEINFO.sModelNumber rep movsb lea esi,stIDEINFO.sSerialNumber + f B3 n# {7 f) C) ^; Q: `, Z ~ mov edi,offset szSerialNumber / k2 S. k! t7 Y' E+ |/ M3 H" M0 P mov ecx,sizeof stIDEINFO.sSerialNumber 1 _3 O+ I; \: d( ~+ h$ E+ B rep movsb 3 Q, d1 n- ~( i9 E# v# T lea esi,stIDEINFO.sFirmwareRev mov edi,offset szFirmwareRev 3 i. T+ b) h) W mov ecx,sizeof stIDEINFO.sFirmwareRev ; I! G- S& M( v rep movsb + M7 L- r* s, E movzx eax,stIDEINFO.wNumCyls ) v# G$ l; D6 [4 M3 s3 F& |! q* Y movzx ebx,stIDEINFO.wNumHeads 3 d; Y, i( l% l movzx ecx,stIDEINFO.wSectorsPerTrack . K+ @+ q* a/ S, [: v5 B movzx edx,stIDEINFO.wBufferSize , P( b8 q7 h0 ]) Q& j/ x invoke wsprintf,addr szBuffer,addr szIDEInfo, eax,ebx,ecx,edx, addr szModelNumber, addr szSerialNumber, addr szFirmwareRev mov eax,offset szBuffer - A+ G" m8 d% D+ n& D; `( z6 x0 d.else - a$ g5 M6 U' Z6 e% Q3 M, b3 V mov eax,offset szErrInfo & H3 ]9 D+ X: x8 C.endif 8 t. C+ V4 |, P3 b' M@@: % W) V j5 L4 d0 O2 jinvoke MessageBox,NULL,eax,addr szTitle,MB_ICONINFORMATION or MB_OK Exit1: 3 i: D; _# I' Zpop fs:[0] add esp,4 / l5 c6 |( i4 L; D' N2 C4 `invoke ExitProcess,0 7 U7 x" @! }) h$ R& A. [7 W, {* \MySEH : $ Q) x8 l: L2 w3 zmov esp,OldEsp pop fs:[0] add esp,4 % f% G. N% s, J' `( E' Z4 ]' u( finvoke ExitProcess,-1 % ]* _+ m, U" k0 p. A' _& G4 pend main 5 b9 \& d0 M' S4 A1 Y ' v. l# k' g4 L* O" a

[此贴子已经被作者于2003-11-2 18:14:02编辑过]

8 j' q% k6 O8 e2 \7 o" i

呵呵，ExecRing0Proc 这段程序甚妙，先得到gdt，然后构造一个调用门call gate's ,使程序从用户模式(ring 3)进入内核模式(ring 0)。进入内核模式之后，就可以没有限制地对系统干任何勾当。这段程序确实为高手所为，在下佩服得紧。
9 c7 Q- M& R  Q# w; s6 I至于读硬盘序列号之类，只不过是在内核模式下的一个I/O应用罢了。
其实在NT/2000下读取硬盘序列号只要打开\\.\PhysicalDriveX(X:设备号0~26）设备，然后用DeviceIoControl()就可以读取了，不需要绕ring0这么一个大圈子
4 d5 f. E+ d- s0 ^
* A( L7 l, X- o4 p7 r这个程序也可以C语言实现，不过中间必须嵌入几条汇编的指令，如sgdt GdtLimit
但还是用c来写更方便，例如：
$ v; I% U1 t% D/ ]: E4 Y, R' d5 _call @f
db "ZwOpenSection",0
' e8 l% Y/ A& x1 e, `@@:
, ?$ l. x5 B! C) tpush NtdllMod
1 H) b. F% W6 ~call GetProcAddress
/ p5 s+ t1 {7 S0 D: _mov ebx,eax ;ebx=ZwOpenSection
push esi ;esi->ObjAttr
push SECTION_MAP_READ or SECTION_MAP_WRITE
9 Z2 p% b4 u6 I. flea edi,hSection
push edi ;edi->hSection
" g3 w5 a& s9 P: ~0 _; ycall eax ;

2 B2 b. C7 g1 o* @0 R3 I( T5 Q用c的话只要一句就可以了
ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr)；
因此懂汇编，然后用C/C++编程，是成为高手的捷径

- d4 u) K& g- V( m  f

[此贴子已经被作者于2003-11-3 16:46:50编辑过]

firelinux

win32位汇编，真的很不错，业余的时间，全都投进去了

唐明

要能有台机器试一下多好，学汇编还从没想过去ring0，也感觉没哪个必要。
; `2 D5 D# U& z8 I$ d, Q8 d: D现在闲着真相试试。这片文章我在家保存了有快一年了。不用感觉可惜了。一直停着不用，我都快忘了那些曾经那些依稀的记忆了。水能给我一台电脑，我力马高喊：有你这么富的吗？

很久以前的一段代码

游侠无极限

很久以前?
不是吧,这个是 轻描淡写 编程论坛的斑竹写的

看到过的。