利用驱动程序读取硬盘序列号_51自学网汇编语言教程

首页 > 汇编语言

利用驱动程序读取硬盘序列号

51自学网 http://www.wanshiok.com

这里有个小程序hdsn32.asm,是我2000年写的,在win9x下读取硬盘的序列号,它利用了类似CIH病毒的办法获得ring0权限,在win2000下不能运行.
      ;   hdsn32.asm
      .386
      .model flat, stdcall  ; 32 bit memory model
      option casemap :none  ; case sensitive

      include /masm32/include/windows.inc
      include /MASM32/INCLUDE/shell32.inc
      include /MASM32/INCLUDE/masm32.inc
      include /masm32/include/user32.inc
      include /masm32/include/kernel32.inc



      includelib /MASM32/LIB/shell32.lib
      includelib /MASM32/LIB/masm32.lib
      includelib /masm32/lib/user32.lib
      includelib /masm32/lib/kernel32.lib


.data

IDTR        df 0            ; This will receive the contents of the IDTR
                            ; register

SavedGate   dq 0            ; We save the gate we replace in here

OurGate     dw 0            ; Offset low-order word
            dw 028h         ; Segment selector
            dw 0EE00h       ;
            dw 0            ; Offset high-order word
BUFF1 DW 256 DUP(20H)
hdsn_1 db '硬盘C序列号:',0DH,0AH
hdsn_2 db 256 dup(0)
hdsn_3 db 20 dup(0)
szCaption db 'hdsn32 v1.0 for win9x 山东海化集团盛玉增编制 2000.12.21',0
name_buffer db 'hdsn.bin',0

.data?
hFile HANDLE ?
SizeReadWrite DWORD ?

.code
Start:
      mov      eax, offset Ring0Proc
      mov      [OurGate], ax              ; Put the offset words
      shr      eax, 16                    ; into our descriptor
      mov      [OurGate+6], ax

      sidt     fword ptr IDTR
      mov      ebx, dword ptr [IDTR+2]    ; load IDT Base Address
      add      ebx, 8*3                   ; Address of int 3 descriptor in ebx

      mov      edi, offset SavedGate
      mov      esi, ebx
      movsd                               ; Save the old descriptor
      movsd                               ; into SavedGate

      mov      edi, ebx
      mov      esi, offset OurGate
      movsd                               ; Replace the old handler
      movsd                               ; with our new one

      int    3h                           ; Trigger the exception, thus
                                          ; passing control to our Ring0
                                          ; procedure

      mov      edi, ebx
      mov      esi, offset SavedGate
      movsd                               ; Restore the old handler
      movsd

      invoke MessageBox,NULL,addr hdsn_1,addr szCaption,MB_OK

   invoke CreateFile,ADDR name_buffer,/
             GENERIC_READ or GENERIC_WRITE ,/
             FILE_SHARE_READ or FILE_SHARE_WRITE,/
             NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_ARCHIVE,/
             NULL
   mov hFile,eax
      push offset hdsn_2
      pop esi
      push offset hdsn_3
      pop edi
      mov ecx,20
jm_1:
      lodsb
      xor al,36h
      stosb
      loop jm_1
   invoke WriteFile,hFile,ADDR hdsn_3,20,/
             ADDR SizeReadWrite,NULL
   invoke CloseHandle,hFile
      invoke ExitProcess,eax

Ring0Proc PROC
start_1:
      mov edx,1f7h
      in al,dx
      cmp al,50h
      jnz start_1
      dec dx
      mov al,0a0h
      out dx,al
      mov dx,1f7h
      mov al,0ech
      out dx,al
      mov dx,1f7h
st_1:
      in al,dx
      cmp al,58h
      jnz st_1
      mov dx,1f0h
      mov edi,offset BUFF1
      mov ecx,0
      mov cx,256
st_2:
      in ax,dx
      xchg ah,al
      stosw
      loop st_2
      sti
      push offset BUFF1[20]
      pop esi
      push offset hdsn_2
      pop edi
      mov ecx,20
      rep movsb
      iretd

Ring0Proc ENDP
    end Start

上一篇：图形显示方式屏幕的保存和恢复下一篇：驱动程序的动态加载