这里有个小程序 hdsn32.asm, 是我2000年写的, 在 win9x 下读取硬盘的序列号, 它利用了类似 CIH 病毒的办法获得 ring0 权限, 在 win2000 下不能运行.

; hdsn32.asm
.386
.model flat, stdcall            ; 32 bit memory model
option casemap:none             ; case sensitive

逆风者
include \masm32\include\windows.inc
include \MASM32\INCLUDE\shell32.inc
include \MASM32\INCLUDE\masm32.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc

includelib \MASM32\LIB\shell32.lib
includelib \MASM32\LIB\masm32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

; Constants for the temporary int 3 descriptor that Start installs.
RING0_CS            equ 028h        ; Win9x flat ring-0 code selector
GATE_TRAP32_DPL3    equ 0EE00h      ; high byte: P=1, DPL=3, type Eh (32-bit trap gate)
                                    ; low byte: reserved, must be 0
IDENTIFY_WORDS      equ 256         ; one 512-byte ATA IDENTIFY DEVICE block

.data
; Target of sidt: 16-bit limit followed by the 32-bit linear base of the IDT.
IDTR        df      0

; Copy of the original int 3 descriptor; Start puts it back after the call.
SavedGate   dq      0

; Replacement int 3 descriptor. Start fills in the two offset words at
; run time with the address of Ring0Proc.
OurGate     dw      0                   ; handler offset, bits 15:0
            dw      RING0_CS            ; target code segment
            dw      GATE_TRAP32_DPL3    ; DPL 3 so a ring-3 int 3 may use it
            dw      0                   ; handler offset, bits 31:16

; Raw IDENTIFY DEVICE block read by Ring0Proc (pre-filled with spaces).
BUFF1       dw      IDENTIFY_WORDS dup(20h)

; MessageBox text. hdsn_1 has no terminator of its own: it runs straight
; into hdsn_2, so the box shows "label + serial" as one string and the
; two labels must stay adjacent.
hdsn_1      db      '硬盘C序列号:', 0Dh, 0Ah
hdsn_2      db      256 dup(0)          ; serial bytes (20 used); rest keeps it zero-terminated
hdsn_3      db      20 dup(0)           ; xor-obfuscated copy of the serial, written to hdsn.bin
szCaption   db      'hdsn32v1.0forwin9x山东海化集团盛玉增编制2000.12.21', 0
name_buffer db      'hdsn.bin', 0

.data?
hFile           HANDLE  ?               ; handle of hdsn.bin
SizeReadWrite   DWORD   ?               ; byte count returned by WriteFile
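.code
;-----------------------------------------------------------------------
; Start - process entry point (see "end Start").
;
; 1. Overwrites the int 3 entry of the live IDT with OurGate, a DPL-3
;    trap gate whose target is Ring0Proc in the ring-0 code segment.
; 2. Executes int 3, so Ring0Proc runs at ring 0 and fills hdsn_2.
; 3. Restores the original int 3 descriptor from SavedGate.
; 4. Shows the serial in a MessageBox, writes an xor-obfuscated copy to
;    hdsn.bin and exits.
;
; Step 1 only succeeds on Win9x, where the page holding the IDT is
; writable from ring 3; on NT-family Windows that write faults (and the
; selector in OurGate is Win9x-specific), which is why the program does
; not run on Win2000. The author describes this as the same ring-0 entry
; trick used by CIH; it leaves the machine with a user-chosen ring-0
; handler for the duration of the int 3.
;
; Register roles: ebx = linear address of the int 3 descriptor. It must
; survive Ring0Proc (which leaves ebx alone) so that step 3 can find the
; descriptor again. DF is assumed clear (Windows guarantees this at entry).
;-----------------------------------------------------------------------
Start:
        mov     eax, offset Ring0Proc
        mov     [OurGate], ax           ; handler offset, bits 15:0
        shr     eax, 16
        mov     [OurGate+6], ax         ; handler offset, bits 31:16

        sidt    fword ptr IDTR          ; IDTR = limit(16) : base(32)
        mov     ebx, dword ptr [IDTR+2] ; ebx = linear base of the IDT
        add     ebx, 8*3                ; ebx = &IDT[3], 8 bytes per descriptor

        mov     edi, offset SavedGate   ; SavedGate = IDT[3]
        mov     esi, ebx
        movsd
        movsd

        mov     edi, ebx                ; IDT[3] = OurGate
        mov     esi, offset OurGate
        movsd
        movsd

        int     3                       ; -> Ring0Proc at ring 0, returns via iretd

        mov     edi, ebx                ; IDT[3] = SavedGate (undo the hook)
        mov     esi, offset SavedGate
        movsd
        movsd

        ; hdsn_1 runs into hdsn_2, so this shows the label and the serial.
        invoke  MessageBox, NULL, addr hdsn_1, addr szCaption, MB_OK

        invoke  CreateFile, ADDR name_buffer, \
                GENERIC_READ or GENERIC_WRITE, \
                FILE_SHARE_READ or FILE_SHARE_WRITE, \
                NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_ARCHIVE, NULL
        cmp     eax, INVALID_HANDLE_VALUE
        je      exit_process            ; hdsn.bin could not be created: skip the write
        mov     hFile, eax

        ; hdsn_3[i] = hdsn_2[i] xor 36h for the 20 serial bytes
        mov     esi, offset hdsn_2
        mov     edi, offset hdsn_3
        mov     ecx, 20                 ; 20 = length of the ATA serial field
xor_byte:
        lodsb
        xor     al, 36h
        stosb
        loop    xor_byte

        invoke  WriteFile, hFile, ADDR hdsn_3, 20, ADDR SizeReadWrite, NULL
        invoke  CloseHandle, hFile
exit_process:
        invoke  ExitProcess, 0          ; fixed exit code instead of CloseHandle's return value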
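; Legacy primary ATA channel, master drive.
ATA_DATA            equ 1F0h        ; 16-bit data port
ATA_DRIVE_HEAD      equ 1F6h        ; drive/head select
ATA_STATUS          equ 1F7h        ; status (read)
ATA_CMD             equ 1F7h        ; command (write)
ATA_MASTER          equ 0A0h        ; select master, CHS mode
ATA_CMD_IDENTIFY    equ 0ECh        ; IDENTIFY DEVICE
ST_READY            equ 50h         ; DRDY|DSC: drive idle, as the original waited for
ST_DATA_READY       equ 58h         ; DRDY|DSC|DRQ: 512-byte block available
POLL_LIMIT          equ 100000h     ; max status reads per wait; count-based, tune for slow drives
SN_OFFSET           equ 20          ; byte offset of the serial (ATA words 10-19) in BUFF1
SN_LEN              equ 20          ; serial field length in bytes

;-----------------------------------------------------------------------
; Ring0Proc - target of the int 3 trap gate installed by Start.
; Runs at ring 0 with the caller's register state and returns with iretd
; to the instruction after Start's int 3.
;
; Out:   BUFF1  = 512-byte IDENTIFY DEVICE block, each word byte-swapped
;                 so ATA strings read in natural order
;        hdsn_2[0..SN_LEN-1] = the drive serial copied out of BUFF1
; Clobb: eax, ecx, edx, esi, edi, flags. ebx is deliberately untouched:
;        Start still needs it to put the saved int 3 descriptor back.
;
; Both status waits are bounded by POLL_LIMIT. The original looped
; forever on the exact status value; with a drive that never reports
; ready (or sets ERR after IDENTIFY) that left the machine spinning at
; ring 0. On timeout BUFF1 and hdsn_2 are left as they were and the proc
; still returns, so Start can unhook the IDT.
;-----------------------------------------------------------------------
Ring0Proc PROC
        mov     ecx, POLL_LIMIT
wait_idle:
        mov     edx, ATA_STATUS
        in      al, dx
        cmp     al, ST_READY
        je      select_drive
        dec     ecx
        jnz     wait_idle
        jmp     done                    ; drive never became idle

select_drive:
        mov     edx, ATA_DRIVE_HEAD
        mov     al, ATA_MASTER
        out     dx, al
        mov     edx, ATA_CMD
        mov     al, ATA_CMD_IDENTIFY
        out     dx, al

        mov     ecx, POLL_LIMIT
wait_data:
        mov     edx, ATA_STATUS
        in      al, dx
        cmp     al, ST_DATA_READY
        je      read_block
        dec     ecx
        jnz     wait_data
        jmp     done                    ; no DRQ (drive busy, absent or reported ERR)

read_block:
        mov     edx, ATA_DATA
        mov     edi, offset BUFF1
        mov     ecx, 256                ; 256 words = one 512-byte block
read_word:
        in      ax, dx
        xchg    ah, al                  ; ATA strings are stored byte-swapped per word
        stosw
        loop    read_word

        sti                             ; kept from the original; the trap gate does not
                                        ; clear IF on entry, so this is presumably a no-op

        mov     esi, offset BUFF1 + SN_OFFSET
        mov     edi, offset hdsn_2
        mov     ecx, SN_LEN
        rep     movsb                   ; hdsn_2 = serial field

done:
        iretd
Ring0Proc ENDP

end Start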