

利用驅動程序讀取BIOS

  用BIOS的內容作為硬標記進行加密:應用程序可以檢測bios的特定內容,如主板日期、廠家信息等。如果符合要求,就讓程序正常運行;如不符合要求,就判斷為盜版,禁止運行。這樣可以起到一定的加密鎖的作用。
     如何得到bios的內容呢?我們已經通過驅動程序進入ring0,在ring0中是無所不能的,有一個簡單的函數,可以幫助我們達到目的。它就是MmMapIoSpace函數,在DDK文檔中看到該函數的說明如下:
PVOID MmMapIoSpace(
IN PHYSICAL_ADDRESS PhysicalAddress,
IN ULONG NumberOfBytes,
IN MEMORY_CACHING_TYPE CacheType );
在Masm32v8中聲明的有4個形參
MmMapIoSpace    proto stdcall :DWORD, :DWORD, :DWORD, :DWORD
為什么參數(shù)個數(shù)會有不同呢?
原因是MmMapIoSpace第一個參數(shù)傳遞的是一個結構而非結構的指針,而該結構實際的大小是 2 個雙字,結果在masm32中表現(xiàn)為總共4個 dword 參數(shù)。
調用非常簡單,invoke MmMapIoSpace,物理地址低32位,0,長度,MmNonCached
若成功,該函數返回映射后的線性地址,否則返回NULL。這樣就可以間接達到讀取物理地址中內容的目的。

bios開始地址在實模式下是F000:0,也就是0f0000h,長度是64k,也就是10000h
這樣我們就可以用一句 invoke MmMapIoSpace,0f0000h,0,64*1024,MmNonCached ;把BIOS的物理地址映射為線性地址,返回值在eax中。
然后把eax指向的線性地址中的內容復制到系統的緩沖區中,讓驅動程序傳給ring3下的應用程序。復制前應確認輸出緩沖區不小于64k,復制完成后用MmUnmapIoSpace釋放映射。
bios_test.bat是驅動源碼。
bios_test.asm是調用驅動的ring3級程序,它把驅動傳回的bios內容寫入文件bios_tst.bin,是16進制的,可以用16進制編輯器來查看。
實際使用時,可以傳遞一個隨機的密鑰給驅動程序,驅動程序負責把bios內容加密后返回,這樣可以一定程度上增加解密的難度。程序中已經預留了接口,實現起來很簡單,有興趣者可以自己實現。

以下是程序源代碼:已在xp和vista下調試通過。

;goto make
;文件名bios_test.bat 作者:盛玉增 2009年10月20日用masm32v8和kmdkit1.8在winxp及vista下調試成功。
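.386
.model flat, stdcall
option casemap:none                     ; identifiers are case-sensitive from here on
include \masm32\include\w2k\ntstatus.inc
include \masm32\include\w2k\ntddk.inc
include \masm32\include\w2k\ntoskrnl.inc
includelib \masm32\lib\w2k\ntoskrnl.lib
include \masm32\Macros\Strings.mac

; Control code of the single request this driver serves.
; METHOD_BUFFERED: input and output share Irp->AssociatedIrp.SystemBuffer.
; FILE_READ_ACCESS + FILE_WRITE_ACCESS: the caller's handle needs both rights.
; The access constant must be spelled in upper case: with "option casemap:none"
; a lower-case variant is a different (undefined) symbol, and the value has to
; match the one the ring3 program is built with.
IOCTL_GET_INFO equ CTL_CODE(FILE_DEVICE_UNKNOWN, 800h, METHOD_BUFFERED, FILE_READ_ACCESS + FILE_WRITE_ACCESS)


.const
; Device object name and the symbolic link that user mode opens as \\.\bios_test.
CCOUNTED_UNICODE_STRING    "\\Device\\bios_test", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING    "\\??\\bios_test", g_usSymbolicLinkName, 4


.data
; 64 KB scratch area filled with 0F6h; not referenced by the code shown here.
buff1  db 128*512 dup (0f6h)
; Holds the leading bytes of the caller's input buffer (DispatchControl copies
; them here); reserved as key material, no encryption is implemented yet.
key_1  db 32 dup (0)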


.code

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                   DispatchCreateClose                                            
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

DispatchCreateClose proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP

    ; Handles IRP_MJ_CREATE (CreateFile on the device) and IRP_MJ_CLOSE
    ; (CloseHandle on the device handle).  Both run in the context of the
    ; calling user process.  The request is completed successfully with no
    ; bytes transferred.
    ;
    ; In:  pIrp = request to complete (pDeviceObject is not used)
    ; Out: eax  = STATUS_SUCCESS

    mov ecx, pIrp
    assume ecx:ptr _IRP
    mov [ecx].IoStatus.Information, 0           ; nothing is returned to the caller
    mov [ecx].IoStatus.Status, STATUS_SUCCESS
    assume ecx:nothing

    ; Hand the IRP back to the I/O manager without a priority boost.
    fastcall IofCompleteRequest, pIrp, IO_NO_INCREMENT

    mov eax, STATUS_SUCCESS
    ret

DispatchCreateClose endp

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                     DispatchControl                                              
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

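BIOS_PHYS_BASE  equ 0f0000h             ; physical address of the legacy BIOS window (F000:0)
BIOS_WINDOW_LEN equ 64*1024             ; size of that window in bytes
KEY_LEN         equ 30                  ; bytes of caller input kept in key_1 (key_1 is 32 bytes)

;---------------------------------------------------------------------------------------------------
; DispatchControl - IRP_MJ_DEVICE_CONTROL handler.
;
; Serves IOCTL_GET_INFO: stores up to KEY_LEN bytes of the caller's input in
; key_1, maps the fixed 64 KB BIOS window with MmMapIoSpace, copies it into the
; buffered-I/O system buffer and releases the mapping again.
;
; In:  pIrp = request (pDeviceObject is not used)
; Out: eax  = completion status, also stored in Irp->IoStatus.Status:
;        STATUS_SUCCESS                 64 KB returned
;        STATUS_BUFFER_TOO_SMALL        output buffer shorter than 64 KB
;        STATUS_INVALID_DEVICE_REQUEST  unknown control code, or mapping failed
;
; Security notes:
;  * The whole 64 KB window is written to the system buffer, so the output
;    length must be checked against BIOS_WINDOW_LEN.  METHOD_BUFFERED sizes
;    that buffer from the caller's lengths; a smaller minimum would let the
;    copy run past the end of a pool allocation.
;  * The mapped physical range is a constant.  Keep it that way: address and
;    length must never be taken from the request.
;  * Every successful MmMapIoSpace is paired with MmUnmapIoSpace, otherwise
;    each request would leave a mapping behind.
;---------------------------------------------------------------------------------------------------
DispatchControl proc uses esi edi pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP

local status:NTSTATUS
local dwBytesReturned:DWORD             ; number of bytes actually returned
local pSysBuf:PVOID                     ; Irp->AssociatedIrp.SystemBuffer
local pBiosMap:PVOID                    ; virtual address returned by MmMapIoSpace

    and dwBytesReturned, 0

    mov esi, pIrp
    assume esi:ptr _IRP

    IoGetCurrentIrpStackLocation esi
    mov edi, eax
    assume edi:ptr IO_STACK_LOCATION

    .if [edi].Parameters.DeviceIoControl.IoControlCode != IOCTL_GET_INFO
        mov status, STATUS_INVALID_DEVICE_REQUEST
    .elseif [edi].Parameters.DeviceIoControl.OutputBufferLength < BIOS_WINDOW_LEN
        mov status, STATUS_BUFFER_TOO_SMALL
    .else
        mov eax, [esi].AssociatedIrp.SystemBuffer
        mov pSysBuf, eax

        ; Keep the caller's data as future key material.  Copy only what the
        ; caller really supplied, capped at KEY_LEN, so bytes that were never
        ; sent are not read.  key_1 is one global shared by all requests; a
        ; short input leaves its tail from an earlier request in place.
        mov ecx, [edi].Parameters.DeviceIoControl.InputBufferLength
        .if ecx > KEY_LEN
            mov ecx, KEY_LEN
        .endif
        push esi
        push edi
        mov esi, eax
        mov edi, offset key_1
        cld
        rep movsb
        pop edi
        pop esi

        ; The physical address is passed as two dwords (low, high).
        invoke MmMapIoSpace, BIOS_PHYS_BASE, 0, BIOS_WINDOW_LEN, MmNonCached
        .if eax != NULL
            mov pBiosMap, eax

            ; Copy the window over the system buffer; the I/O manager copies
            ; IoStatus.Information bytes of it back to the caller.
            push esi
            push edi
            mov esi, eax
            mov edi, pSysBuf
            mov ecx, BIOS_WINDOW_LEN
            cld
            rep movsb
            pop edi
            pop esi

            invoke MmUnmapIoSpace, pBiosMap, BIOS_WINDOW_LEN

            mov dwBytesReturned, BIOS_WINDOW_LEN
            mov status, STATUS_SUCCESS
        .else
            ; Mapping failed; the original status for this case is kept.
            mov status, STATUS_INVALID_DEVICE_REQUEST
        .endif
    .endif

    assume edi:nothing

    push status
    pop [esi].IoStatus.Status

    push dwBytesReturned
    pop [esi].IoStatus.Information

    assume esi:nothing

    fastcall IofCompleteRequest, esi, IO_NO_INCREMENT

    mov eax, status
    ret

DispatchControl endp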

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                       DriverUnload                                                
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

DriverUnload proc pDriverObject:PDRIVER_OBJECT

    ; Runs when the service is stopped (ControlService with
    ; SERVICE_CONTROL_STOP), in System process context.  Removes what
    ; DriverEntry created: first the symbolic link, then the device object.
    ;
    ; In:  pDriverObject = this driver's DRIVER_OBJECT

    invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName

    mov ecx, pDriverObject
    assume ecx:ptr DRIVER_OBJECT
    invoke IoDeleteDevice, [ecx].DeviceObject
    assume ecx:nothing

    ret

DriverUnload endp

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                              D I S C A R D A B L E   C O D E                                      
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

.code INIT

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                       DriverEntry                                                
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING

    ; Runs when the service is started (StartService), in System process
    ; context.  Creates the device object and its symbolic link, then installs
    ; the dispatch routines and the unload routine.
    ;
    ; In:  pDriverObject   = this driver's DRIVER_OBJECT
    ;      pusRegistryPath = not used
    ; Out: eax = STATUS_SUCCESS, or STATUS_DEVICE_CONFIGURATION_ERROR when the
    ;            device or the link could not be created

local status:NTSTATUS
local pDeviceObject:PDEVICE_OBJECT

    ; Assume failure until everything is set up.
    mov status, STATUS_DEVICE_CONFIGURATION_ERROR

    ; NOTE(review): the device is created non-exclusive (FALSE) with no device
    ; characteristics (0), so who may open \\.\bios_test is left to the default
    ; security of the device object - confirm that this is intended.
    invoke IoCreateDevice, pDriverObject, 0, addr g_usDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, addr pDeviceObject
    cmp eax, STATUS_SUCCESS
    jne de_exit

    invoke IoCreateSymbolicLink, addr g_usSymbolicLinkName, addr g_usDeviceName
    cmp eax, STATUS_SUCCESS
    je de_install

    ; No link: undo the device creation and report the failure.
    invoke IoDeleteDevice, pDeviceObject
    jmp de_exit

de_install:
    mov ecx, pDriverObject
    assume ecx:ptr DRIVER_OBJECT
    mov [ecx].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)],            offset DispatchCreateClose
    mov [ecx].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)],            offset DispatchCreateClose
    mov [ecx].MajorFunction[IRP_MJ_DEVICE_CONTROL*(sizeof PVOID)],    offset DispatchControl
    mov [ecx].DriverUnload,offset DriverUnload
    assume ecx:nothing
    mov status, STATUS_SUCCESS

de_exit:
    mov eax, status
    ret

DriverEntry endp

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                                                                                  
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

end DriverEntry

:make
rem Batch half of this file.  The first line of the file (";goto make") jumps
rem here when the file is run as a .bat; the assembler stops reading at the
rem "end DriverEntry" line above and never sees this part.

rem Base name shared by the source (.bat), the object file and the driver (.sys).
set drv=bios_test

rem Assemble this same file to COFF, then link it as a native-subsystem driver.
\masm32\bin\ml /nologo /c /coff %drv%.bat
\masm32\bin\link /nologo /driver /base:0x10000 /align:32 /out:%drv%.sys /subsystem:native /ignore:4078 %drv%.obj

rem Remove the intermediate object file.
del %drv%.obj

pause




;文件名bios_test.asm 作者:盛玉增 2009年10月20日用masm32v8和kmdkit1.8在WinXP及vista下調試成功

;在winxp下用驅動程序讀取bios
.386
.model flat, stdcall
option casemap:none

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                  I N C L U D E   F I L E S                                        
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

include \masm32\include\windows.inc

include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\advapi32.inc

includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\advapi32.lib

include \masm32\include\winioctl.inc

include \masm32\Macros\Strings.mac

; Control code sent to the driver; the driver source defines the same value.
IOCTL_GET_INFO equ CTL_CODE(FILE_DEVICE_UNKNOWN, 800h, METHOD_BUFFERED, FILE_READ_ACCESS + FILE_WRITE_ACCESS)
; Macro definition for defining IOCTL and FSCTL function control codes.  Note
; that function codes 0-2047 are reserved for Microsoft Corporation, and
; 2048-4095 are reserved for customers.
;CTL_CODE MACRO DeviceType:=<0>, Function:=<0>, Method:=<0>, Access:=<0>
;    EXITM %(((DeviceType) SHL 16) OR ((Access) SHL 14) OR ((Function) SHL 2) OR (Method))
;ENDM


.const
.data
sysname db "bios_test.sys",0     ; driver image file name
device db "bios_test",0
driver db "bios_test Driver",0
abyInBuffer db 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,111,128,128,180,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16; test data sent to the driver
abyOutBuffer db 128*512 dup(0)   ; receives the 64 KB of BIOS data returned by the driver
name_buffer db 'bios_tst.bin',0  ; the BIOS data read is saved to bios_tst.bin
ok_1 db "讀取成功,請查看bios_tst.bin",0
dwBytesReturned dd 0
.data?
hFile HANDLE ?        ; file handle
SizeReadWrite DWORD ? ; number of bytes actually written to the file
.code

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                       start                                                      
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

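;---------------------------------------------------------------------------------------------------
; start - program entry point.
;
; Registers bios_test.sys as a demand-start kernel driver, starts it, sends
; IOCTL_GET_INFO, saves the returned bytes to bios_tst.bin, then stops and
; deletes the service again.  Every failure is reported with a message box.
; The process always ends through ExitProcess(0).
;
; Notes:
;  * The driver path is resolved against the current directory, so the
;    program loads whatever bios_test.sys is found there.  Run it only from a
;    directory that ordinary users cannot write to.
;  * The SCM handle asks only for SC_MANAGER_CREATE_SERVICE, which is what
;    CreateService needs, instead of SC_MANAGER_ALL_ACCESS.
;  * The success message is shown only after the file has been written.
;---------------------------------------------------------------------------------------------------
start proc uses esi edi

local hSCManager:HANDLE
local hService:HANDLE
local acModulePath[MAX_PATH]:CHAR
local _ss:SERVICE_STATUS
local hDevice:HANDLE

    ; Open a handle to the SC Manager database
    invoke OpenSCManager, NULL, NULL, SC_MANAGER_CREATE_SERVICE
    .if eax != NULL
        mov hSCManager, eax

        ; Build the full path of the driver image.  The dword pushed here is
        ; a scratch slot that receives lpFilePart (esp points at it).
        push eax
        invoke GetFullPathName, addr sysname, sizeof acModulePath, addr acModulePath, esp
        pop ecx                         ; drop the scratch slot, keep the return value in eax

        ; 0 = failure; a value >= the buffer size means the path did not fit.
        .if (eax != 0) && (eax < sizeof acModulePath)

            ; Install service
            invoke CreateService, hSCManager, addr device, addr driver, \
                SERVICE_START + SERVICE_STOP + DELETE, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, \
                SERVICE_ERROR_IGNORE, addr acModulePath, NULL, NULL, NULL, NULL, NULL

            .if eax != NULL
                mov hService, eax

                ; Driver's DriverEntry procedure will be called
                invoke StartService, hService, 0, NULL
                .if eax != 0

                    ; Driver will receive I/O request packet (IRP) of type IRP_MJ_CREATE
                    invoke CreateFile, $CTA0("\\\\.\\bios_test"), GENERIC_READ + GENERIC_WRITE, \
                                    0, NULL, OPEN_EXISTING, 0, NULL

                    .if eax != INVALID_HANDLE_VALUE
                        mov hDevice, eax

                        ; Driver will receive IRP of type IRP_MJ_DEVICE_CONTROL
                        invoke DeviceIoControl, hDevice, IOCTL_GET_INFO, addr abyInBuffer, sizeof abyInBuffer, addr abyOutBuffer, sizeof abyOutBuffer, addr dwBytesReturned, NULL

                        .if ( eax != 0 ) && ( dwBytesReturned != 0 )

                            invoke CreateFile, ADDR name_buffer, \
                                GENERIC_READ or GENERIC_WRITE, \
                                FILE_SHARE_READ or FILE_SHARE_WRITE, \
                                NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_ARCHIVE, \
                                NULL

                            .if eax != INVALID_HANDLE_VALUE
                                mov hFile, eax

                                ; Write exactly what the driver returned.
                                invoke WriteFile, hFile, ADDR abyOutBuffer, dwBytesReturned, \
                                    ADDR SizeReadWrite, NULL
                                push eax                ; keep the WriteFile result across CloseHandle
                                invoke CloseHandle, hFile
                                pop eax

                                .if eax != 0
                                    invoke MessageBox, NULL, addr ok_1, $CTA0("bios_test"), MB_OK + MB_ICONINFORMATION
                                .else
                                    invoke MessageBox, NULL, $CTA0("Can't write bios_tst.bin."), NULL, MB_OK + MB_ICONSTOP
                                .endif
                            .else
                                invoke MessageBox, NULL, $CTA0("Can't create bios_tst.bin."), NULL, MB_OK + MB_ICONSTOP
                            .endif

                        .else
                            ; NOTE(review): this literal looks garbled by the page
                            ; extraction; restore it from the author's source.
                            invoke MessageBox, NULL, $CTA0("發(fā)送控制失敗."), NULL, MB_OK + MB_ICONSTOP
                        .endif

                        invoke CloseHandle, hDevice  ; Driver will receive IRP of type IRP_MJ_CLOSE
                    .else
                        invoke MessageBox, NULL, $CTA0("Device is not present."), NULL, MB_ICONSTOP
                    .endif

                    ; DriverUnload proc in our driver will be called
                    invoke ControlService, hService, SERVICE_CONTROL_STOP, addr _ss
                .else
                    invoke MessageBox, NULL, $CTA0("Can't start driver."), NULL, MB_OK + MB_ICONSTOP
                .endif

                ; Remove the service entry whether or not the driver started.
                invoke DeleteService, hService
                invoke CloseServiceHandle, hService
            .else
                invoke MessageBox, NULL, $CTA0("Can't register driver."), NULL, MB_OK + MB_ICONSTOP
            .endif

        .else
            invoke MessageBox, NULL, $CTA0("Can't resolve driver path."), NULL, MB_OK + MB_ICONSTOP
        .endif

        invoke CloseServiceHandle, hSCManager
    .else
        invoke MessageBox, NULL, $CTA0("Can't connect to Service Control Manager."), NULL, MB_OK + MB_ICONSTOP
    .endif

    invoke ExitProcess, 0

start endp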

end start

這里讀取的bios是經過啟動過程初始化后的內容,并不是主板上的bios閃存芯片內的內容,芯片內一般是壓縮的,啟動過程中自己解壓。

通過查看得到的bios_tst.bin,發現有的機器用本程序讀出的bios里面有本機的硬盤和光驅型號,這說明bios在啟動的過程中,被寫入了當前機器的一些信息。機器配置變了,這部分內容也會相應變化,使用bios加密時盡量不要用可變的部分,防止用戶換個光驅后被判為盜版軟件。