利用驱动程序读取硬盘序列号的汇编程序
2007-11-13 09:32:30 来源:WEB开发网 核心提示:这里有个小程序hdsn32.asm,是我2000年写的,在win9x下读取硬盘的序列号,它利用了类似CIH病毒的办法获得ring0权限,在win2000下不能运行。
这里有个小程序hdsn32.asm,是我2000年写的,在win9x下读取硬盘的序列号,它利用了类似CIH病毒的办法获得ring0权限,在win2000下不能运行.
; hdsn32.asm
.386
.model flat, stdcall ; 32 bit memory model
option casemap :none ; case sensitive
include \masm32\include\windows.inc
include \MASM32\INCLUDE\shell32.inc
include \MASM32\INCLUDE\masm32.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \MASM32\LIB\shell32.lib
includelib \MASM32\LIB\masm32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.data
IDTR df 0 ; 6-byte image filled by `sidt`: limit (2 bytes) followed by the
; linear IDT base (4 bytes, read back from IDTR+2 in Start)
SavedGate dq 0 ; Original 8-byte int 3 gate descriptor; copied out before the
; swap and written back after Ring0Proc has run
OurGate dw 0 ; Offset low-order word (patched at run time with Ring0Proc)
dw 028h ; Segment selector (presumably the Win9x ring-0 code selector)
dw 0EE00h ; P=1, DPL=3, type 0Eh = 32-bit interrupt gate; DPL 3 is what
; lets a ring-3 `int 3` enter through it
dw 0 ; Offset high-order word (patched at run time)
BUFF1 DW 256 DUP(20H) ; 256-word IDENTIFY DEVICE response; each word starts as 0020h
hdsn_1 db '硬盘C序列号:',0DH,0AH ; message prefix; NO terminator, so MessageBox runs on into hdsn_2
hdsn_2 db 256 dup(0) ; serial number copied by Ring0Proc (20 bytes) + zero padding (terminates the string)
hdsn_3 db 20 dup(0) ; hdsn_2[0..19] xor 36h, the bytes written to hdsn.bin
szCaption db 'hdsn32 v1.0 for win9x 山东海化集团 盛玉增 编制 2000.12.21',0 ; MessageBox caption
name_buffer db 'hdsn.bin',0 ; output file, relative to the current directory
.data?
hFile HANDLE ? ; CreateFile result (never checked against INVALID_HANDLE_VALUE)
SizeReadWrite DWORD ? ; byte count reported by WriteFile
.code
;-----------------------------------------------------------------------
; Start - program entry point (Win9x, ring 3).
; Mechanism: temporarily overwrites the int 3 entry of the IDT with a
; DPL-3 interrupt gate pointing at Ring0Proc, executes `int 3` so that
; Ring0Proc runs at ring 0, then restores the saved gate. This only
; works where the IDT is writable from user mode; the article states it
; does not run on Win2000 (presumably because NT-family kernels do not
; leave the IDT writable for ring 3).
; Registers: ebx = linear address of the int 3 descriptor, live across
;            the `int 3` (Ring0Proc does not touch ebx). The movsd copies
;            rely on DF=0, which Windows guarantees at process entry.
; Review notes:
;  - While the gate is swapped, any int 3 raised elsewhere (a debugger
;    breakpoint in another thread, for example) is dispatched to
;    Ring0Proc instead of the normal handler; there is no exclusion.
;  - hFile is not checked; WriteFile/CloseHandle run on whatever
;    CreateFile returned.
;  - ExitProcess is handed CloseHandle's BOOL, not a meaningful status.
;-----------------------------------------------------------------------
Start:
mov eax, offset Ring0Proc
mov [OurGate], ax ; Put the offset words
shr eax, 16 ; into our descriptor
mov [OurGate+6], ax
sidt fword ptr IDTR ; IDTR = limit:base of the current IDT
mov ebx, dword ptr [IDTR+2] ; load IDT Base Address
add ebx, 8*3 ; Address of int 3 descriptor in ebx (8 bytes per gate)
mov edi, offset SavedGate
mov esi, ebx
movsd ; Save the old descriptor
movsd ; into SavedGate
mov edi, ebx
mov esi, offset OurGate
movsd ; Replace the old handler
movsd ; with our new one
int 3h ; Trigger the exception, thus
; passing control to our Ring0
; procedure (Ring0Proc returns here via iretd)
mov edi, ebx
mov esi, offset SavedGate
movsd ; Restore the old handler
movsd ; (second dword of the gate)
; hdsn_1 carries no terminator, so the box shows the label followed by
; the serial Ring0Proc stored in hdsn_2 (zero padding ends the string).
invoke MessageBox,NULL,addr hdsn_1,addr szCaption,MB_OK
invoke CreateFile,ADDR name_buffer,\
GENERIC_READ or GENERIC_WRITE ,\
FILE_SHARE_READ or FILE_SHARE_WRITE,\
NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_ARCHIVE,\
NULL
mov hFile,eax ; handle, or INVALID_HANDLE_VALUE - not checked
; hdsn_3[i] = hdsn_2[i] xor 36h for the 20 serial bytes. A fixed
; single-byte xor is trivially reversible; it is obfuscation, not protection.
push offset hdsn_2
pop esi ; esi = hdsn_2 (source)
push offset hdsn_3
pop edi ; edi = hdsn_3 (destination)
mov ecx,20
jm_1:
lodsb
xor al,36h
stosb
loop jm_1
invoke WriteFile,hFile,ADDR hdsn_3,20,\
ADDR SizeReadWrite,NULL
invoke CloseHandle,hFile
invoke ExitProcess,eax ; eax = CloseHandle's BOOL result
;-----------------------------------------------------------------------
; Ring0Proc - runs at ring 0 as the temporary int 3 handler.
; Issues ATA IDENTIFY DEVICE to the primary-channel master drive by
; direct port I/O (1F0h-1F7h) and copies the 20-byte serial-number field
; of the response into hdsn_2. Entered through an interrupt gate, so IF
; is clear until the `sti` below. Returns to the `int 3` in Start via iretd.
; Clobbers: eax, ecx, edx, esi, edi, flags (nothing is saved; Start only
;           needs ebx to survive, which it does).
; Review notes:
;  - Both status polls compare for exact equality (50h, 58h) and have no
;    timeout. If the status byte never equals that exact value (ERR set,
;    no drive on the channel, a different controller), the loop spins
;    forever at ring 0 with interrupts disabled - the machine freezes.
;  - Nothing serialises this against the OS's own IDE driver using the
;    same registers at the same time.
;-----------------------------------------------------------------------
Ring0Proc PROC
start_1:
mov edx,1f7h ; primary ATA status register (read) / command register (write)
in al,dx
cmp al,50h ; spin until status == 50h (presumably DRDY|DSC, not BSY)
jnz start_1
dec dx ; dx = 1f6h, drive/head register
mov al,0a0h ; select drive 0 (master)
out dx,al
mov dx,1f7h ; command register
mov al,0ech ; IDENTIFY DEVICE
out dx,al
mov dx,1f7h ; status register
st_1:
in al,dx
cmp al,58h ; spin until status == 58h (presumably DRDY|DSC|DRQ: data ready)
jnz st_1
mov dx,1f0h ; data register
mov edi,offset BUFF1
mov ecx,0 ; clear ecx so the 16-bit load below leaves ecx = 256 (loop uses ecx)
mov cx,256 ; 256 words = the 512-byte IDENTIFY DEVICE block
st_2:
in ax,dx
xchg ah,al ; ATA text fields are byte-swapped within each word
stosw
loop st_2
sti ; re-enable interrupts (cleared on entry through the interrupt gate)
; Words 10-19 of IDENTIFY data (byte offset 20) hold the 20-char serial number.
push offset BUFF1[20]
pop esi ; esi = &BUFF1 + 20 bytes
push offset hdsn_2
pop edi ; edi = hdsn_2
mov ecx,20
rep movsb ; hdsn_2[0..19] = serial number (DF assumed clear)
iretd ; back to ring 3, just after the `int 3` in Start
Ring0Proc ENDP
end Start
; hdsn32.asm
.386
.model flat, stdcall ; 32 bit memory model
option casemap :none ; case sensitive
include \masm32\include\windows.inc
include \MASM32\INCLUDE\shell32.inc
include \MASM32\INCLUDE\masm32.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \MASM32\LIB\shell32.lib
includelib \MASM32\LIB\masm32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.data
IDTR df 0 ; 6-byte image filled by `sidt`: limit (2 bytes) followed by the
; linear IDT base (4 bytes, read back from IDTR+2 in Start)
SavedGate dq 0 ; Original 8-byte int 3 gate descriptor; copied out before the
; swap and written back after Ring0Proc has run
OurGate dw 0 ; Offset low-order word (patched at run time with Ring0Proc)
dw 028h ; Segment selector (presumably the Win9x ring-0 code selector)
dw 0EE00h ; P=1, DPL=3, type 0Eh = 32-bit interrupt gate; DPL 3 is what
; lets a ring-3 `int 3` enter through it
dw 0 ; Offset high-order word (patched at run time)
BUFF1 DW 256 DUP(20H) ; 256-word IDENTIFY DEVICE response; each word starts as 0020h
hdsn_1 db '硬盘C序列号:',0DH,0AH ; message prefix; NO terminator, so MessageBox runs on into hdsn_2
hdsn_2 db 256 dup(0) ; serial number copied by Ring0Proc (20 bytes) + zero padding (terminates the string)
hdsn_3 db 20 dup(0) ; hdsn_2[0..19] xor 36h, the bytes written to hdsn.bin
szCaption db 'hdsn32 v1.0 for win9x 山东海化集团 盛玉增 编制 2000.12.21',0 ; MessageBox caption
name_buffer db 'hdsn.bin',0 ; output file, relative to the current directory
.data?
hFile HANDLE ? ; CreateFile result (never checked against INVALID_HANDLE_VALUE)
SizeReadWrite DWORD ? ; byte count reported by WriteFile
.code
;-----------------------------------------------------------------------
; Start - program entry point (Win9x, ring 3).
; Mechanism: temporarily overwrites the int 3 entry of the IDT with a
; DPL-3 interrupt gate pointing at Ring0Proc, executes `int 3` so that
; Ring0Proc runs at ring 0, then restores the saved gate. This only
; works where the IDT is writable from user mode; the article states it
; does not run on Win2000 (presumably because NT-family kernels do not
; leave the IDT writable for ring 3).
; Registers: ebx = linear address of the int 3 descriptor, live across
;            the `int 3` (Ring0Proc does not touch ebx). The movsd copies
;            rely on DF=0, which Windows guarantees at process entry.
; Review notes:
;  - While the gate is swapped, any int 3 raised elsewhere (a debugger
;    breakpoint in another thread, for example) is dispatched to
;    Ring0Proc instead of the normal handler; there is no exclusion.
;  - hFile is not checked; WriteFile/CloseHandle run on whatever
;    CreateFile returned.
;  - ExitProcess is handed CloseHandle's BOOL, not a meaningful status.
;-----------------------------------------------------------------------
Start:
mov eax, offset Ring0Proc
mov [OurGate], ax ; Put the offset words
shr eax, 16 ; into our descriptor
mov [OurGate+6], ax
sidt fword ptr IDTR ; IDTR = limit:base of the current IDT
mov ebx, dword ptr [IDTR+2] ; load IDT Base Address
add ebx, 8*3 ; Address of int 3 descriptor in ebx (8 bytes per gate)
mov edi, offset SavedGate
mov esi, ebx
movsd ; Save the old descriptor
movsd ; into SavedGate
mov edi, ebx
mov esi, offset OurGate
movsd ; Replace the old handler
movsd ; with our new one
int 3h ; Trigger the exception, thus
; passing control to our Ring0
; procedure (Ring0Proc returns here via iretd)
mov edi, ebx
mov esi, offset SavedGate
movsd ; Restore the old handler
movsd ; (second dword of the gate)
; hdsn_1 carries no terminator, so the box shows the label followed by
; the serial Ring0Proc stored in hdsn_2 (zero padding ends the string).
invoke MessageBox,NULL,addr hdsn_1,addr szCaption,MB_OK
invoke CreateFile,ADDR name_buffer,\
GENERIC_READ or GENERIC_WRITE ,\
FILE_SHARE_READ or FILE_SHARE_WRITE,\
NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_ARCHIVE,\
NULL
mov hFile,eax ; handle, or INVALID_HANDLE_VALUE - not checked
; hdsn_3[i] = hdsn_2[i] xor 36h for the 20 serial bytes. A fixed
; single-byte xor is trivially reversible; it is obfuscation, not protection.
push offset hdsn_2
pop esi ; esi = hdsn_2 (source)
push offset hdsn_3
pop edi ; edi = hdsn_3 (destination)
mov ecx,20
jm_1:
lodsb
xor al,36h
stosb
loop jm_1
invoke WriteFile,hFile,ADDR hdsn_3,20,\
ADDR SizeReadWrite,NULL
invoke CloseHandle,hFile
invoke ExitProcess,eax ; eax = CloseHandle's BOOL result
;-----------------------------------------------------------------------
; Ring0Proc - runs at ring 0 as the temporary int 3 handler.
; Issues ATA IDENTIFY DEVICE to the primary-channel master drive by
; direct port I/O (1F0h-1F7h) and copies the 20-byte serial-number field
; of the response into hdsn_2. Entered through an interrupt gate, so IF
; is clear until the `sti` below. Returns to the `int 3` in Start via iretd.
; Clobbers: eax, ecx, edx, esi, edi, flags (nothing is saved; Start only
;           needs ebx to survive, which it does).
; Review notes:
;  - Both status polls compare for exact equality (50h, 58h) and have no
;    timeout. If the status byte never equals that exact value (ERR set,
;    no drive on the channel, a different controller), the loop spins
;    forever at ring 0 with interrupts disabled - the machine freezes.
;  - Nothing serialises this against the OS's own IDE driver using the
;    same registers at the same time.
;-----------------------------------------------------------------------
Ring0Proc PROC
start_1:
mov edx,1f7h ; primary ATA status register (read) / command register (write)
in al,dx
cmp al,50h ; spin until status == 50h (presumably DRDY|DSC, not BSY)
jnz start_1
dec dx ; dx = 1f6h, drive/head register
mov al,0a0h ; select drive 0 (master)
out dx,al
mov dx,1f7h ; command register
mov al,0ech ; IDENTIFY DEVICE
out dx,al
mov dx,1f7h ; status register
st_1:
in al,dx
cmp al,58h ; spin until status == 58h (presumably DRDY|DSC|DRQ: data ready)
jnz st_1
mov dx,1f0h ; data register
mov edi,offset BUFF1
mov ecx,0 ; clear ecx so the 16-bit load below leaves ecx = 256 (loop uses ecx)
mov cx,256 ; 256 words = the 512-byte IDENTIFY DEVICE block
st_2:
in ax,dx
xchg ah,al ; ATA text fields are byte-swapped within each word
stosw
loop st_2
sti ; re-enable interrupts (cleared on entry through the interrupt gate)
; Words 10-19 of IDENTIFY data (byte offset 20) hold the 20-char serial number.
push offset BUFF1[20]
pop esi ; esi = &BUFF1 + 20 bytes
push offset hdsn_2
pop edi ; edi = hdsn_2
mov ecx,20
rep movsb ; hdsn_2[0..19] = serial number (DF assumed clear)
iretd ; back to ring 3, just after the `int 3` in Start
Ring0Proc ENDP
end Start