利用驱动程序读取硬盘序列号的汇编程序 2007-11-14 这里有个小程序 hdsn32.asm，是我 2000 年写的，在 Win9x 下读取硬盘（主 IDE 通道主盘）的序列号。虽然标题叫“利用驱动程序”，它实际并未加载任何驱动，而是利用了类似 CIH 病毒的办法获得 ring0 权限：用 sidt 取得 IDT 基址，把 int 3 的门描述符改写成指向自己代码的中断门，执行 int 3 进入 ring0，直接用端口 I/O 向 IDE 控制器发 IDENTIFY DEVICE 命令读出 256 字的识别块，取其中第 10–19 字作为序列号，然后恢复原来的门描述符。这种做法只在 Win9x 下可行，因为 Win9x 的 IDT 页面对 ring3 代码是可写的；Windows 2000/NT 系列的 IDT 只有内核能写，改写时会触发访问违例，所以在 2000 下不能运行。本质上这是一个提权原语，而且在 ring0 里关中断轮询硬盘状态，若硬盘不按预期应答会使整机挂起，请只在实验环境中使用。
; hdsn32.asm
.386
.model flat, stdcall ; 32 bit memory model
option casemap :none ; case sensitive
include masm32includewindows.inc
include MASM32INCLUDEshell32.inc
include MASM32INCLUDEmasm32.inc
include masm32includeuser32.inc
include masm32includekernel32.inc
includelib MASM32LIBshell32.lib
includelib MASM32LIBmasm32.lib
includelib masm32libuser32.lib
includelib masm32libkernel32.lib
.data
; 6-byte image of the IDTR (16-bit limit, 32-bit base) filled by SIDT in
; Start; the base word at IDTR+2 is the address of the live IDT.
IDTR df 0
; Copy of the original INT 3 gate descriptor (8 bytes) so Start can put it
; back after the ring-0 call.
SavedGate dq 0
; Replacement gate descriptor for vector 3, in the 80386 8-byte gate layout.
; The two offset words are patched at run time from Ring0Proc's address.
OurGate dw 0 ; offset bits 15..0 (patched by Start)
dw 028h ; target code selector (028h = the flat ring-0 CS on Win9x)
dw 0EE00h ; P=1, DPL=3 (usable from ring 3), type 0Eh = 32-bit interrupt gate (IF cleared on entry)
dw 0 ; offset bits 31..16 (patched by Start)
; 256-word IDENTIFY DEVICE response, pre-filled with spaces. The serial
; number is words 10-19, i.e. byte offset 20, 20 bytes.
BUFF1 DW 256 DUP(20H)
; Header shown in the message box. Deliberately NOT zero-terminated: hdsn_2
; follows it directly, so MessageBox prints header, CR LF, then the serial,
; terminated by the zero bytes left in hdsn_2.
hdsn_1 db "硬盘C序列号:",0DH,0AH
hdsn_2 db 256 dup(0) ; serial number copied here by Ring0Proc (20 bytes used)
hdsn_3 db 20 dup(0) ; serial XOR 36h, written to hdsn.bin (reversible obfuscation, not protection)
szCaption db "hdsn32 v1.0 for win9x 山东海化集团 盛玉增 编制 2000.12.21",0
name_buffer db "hdsn.bin",0 ; output file, created in the current directory
.data?
hFile HANDLE ? ; handle returned by CreateFile
SizeReadWrite DWORD ? ; byte count actually written by WriteFile
.code
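Start:
    ; --- 1. Finish the interrupt-gate descriptor in OurGate ----------------
    ; Only the two offset words are filled at run time; the selector (028h)
    ; and access word (0EE00h: present, DPL 3, 32-bit interrupt gate) are
    ; static data.
    mov     eax, offset Ring0Proc
    mov     [OurGate], ax               ; offset bits 15..0
    shr     eax, 16
    mov     [OurGate+6], ax             ; offset bits 31..16

    ; --- 2. Locate the INT 3 gate in the live IDT ---------------------------
    ; SIDT is unprivileged, so ring 3 can read the IDT base. Writing through
    ; that address from ring 3 only succeeds on Win9x, where the IDT page is
    ; user-writable; NT-family kernels keep it supervisor-only and the
    ; MOVSD below faults (this is why the program fails on Windows 2000).
    sidt    fword ptr IDTR
    mov     ebx, dword ptr [IDTR+2]     ; IDTR.base
    add     ebx, 8*3                    ; 8-byte descriptors, vector 3

    ; --- 3. Swap in our gate, fire it, swap the original back --------------
    ; While our gate is installed, ANY INT 3 on the machine (e.g. a debugger
    ; breakpoint in another process) also lands in Ring0Proc, so nothing
    ; else runs between the install and the restore.
    mov     edi, offset SavedGate
    mov     esi, ebx
    movsd                               ; save the original gate (8 bytes)
    movsd
    mov     edi, ebx
    mov     esi, offset OurGate
    movsd                               ; install our gate
    movsd
    int     3h                          ; -> Ring0Proc at ring 0, back via IRETD
    mov     edi, ebx                    ; Ring0Proc leaves EBX untouched
    mov     esi, offset SavedGate
    movsd                               ; restore the original gate
    movsd

    ; --- 4. Report -----------------------------------------------------------
    ; hdsn_1 has no terminator and runs straight into hdsn_2, so the box shows
    ; the header line followed by the 20-byte serial (or nothing after the
    ; header if Ring0Proc gave up and left hdsn_2 zeroed).
    invoke  MessageBox, NULL, addr hdsn_1, addr szCaption, MB_OK

    ; --- 5. Persist an XOR-36h copy of the serial to hdsn.bin ----------------
    ; NOTE: XOR with one fixed byte is trivially reversible obfuscation, not
    ; protection; treat the file as plaintext.
    invoke  CreateFile, ADDR name_buffer,
            GENERIC_READ or GENERIC_WRITE,
            FILE_SHARE_READ or FILE_SHARE_WRITE,
            NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_ARCHIVE,
            NULL
    cmp     eax, INVALID_HANDLE_VALUE
    je      create_failed               ; never WriteFile/CloseHandle a bad handle
    mov     hFile, eax
    mov     esi, offset hdsn_2
    mov     edi, offset hdsn_3
    mov     ecx, 20
obfuscate:
    lodsb
    xor     al, 36h
    stosb
    dec     ecx
    jnz     obfuscate
    invoke  WriteFile, hFile, ADDR hdsn_3, 20,
            ADDR SizeReadWrite, NULL
    invoke  CloseHandle, hFile
    invoke  ExitProcess, 0              ; success (the original passed CloseHandle's BOOL here)
create_failed:
    invoke  ExitProcess, 1              ; could not create hdsn.bin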
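; Legacy ISA ports of the primary IDE channel and the ATA status bits used
; below.
ATA_DATA         equ 1F0h               ; 16-bit data register
ATA_DRIVE_HEAD   equ 1F6h               ; drive/head select
ATA_STATUS       equ 1F7h               ; status (read) / command (write)
ATA_CMD_IDENTIFY equ 0ECh               ; IDENTIFY DEVICE
ATA_SEL_MASTER   equ 0A0h               ; master drive, CHS mode
ATA_SR_ERR       equ 01h
ATA_SR_DRQ       equ 08h
ATA_SR_DRDY      equ 40h
ATA_SR_BSY       equ 80h
ATA_SPIN_LIMIT   equ 1000000            ; status polls before giving up (on the order of a second)
SERIAL_OFFSET    equ 20                 ; IDENTIFY words 10-19 = serial number
SERIAL_LEN       equ 20

;-----------------------------------------------------------------------
; Ring0Proc - INT 3 handler installed by Start; reads the IDENTIFY block of
; the primary-master drive with direct port I/O and copies the serial.
; Entered at ring 0 through a 32-bit interrupt gate, so IF is clear for the
; whole body: every poll loop is bounded, otherwise a missing/ATAPI/faulty
; drive would hang the machine with interrupts masked (the original code
; spun forever waiting for an exact status byte).
; Out:   hdsn_2[0..19] = serial number, or left untouched if the drive never
;        became ready, never raised DRQ, or reported ERR.
; Clobb: EAX, ECX, EDX, ESI, EDI, flags. EBX is preserved (Start needs it).
; Returns with IRETD.
;-----------------------------------------------------------------------
Ring0Proc PROC
    ; Wait for the channel to be idle and the drive ready (BSY=0, DRDY=1).
    ; ERR is not checked here: it may be stale from an earlier command.
    mov     edx, ATA_STATUS
    mov     ecx, ATA_SPIN_LIMIT
wait_ready:
    in      al, dx
    and     al, ATA_SR_BSY or ATA_SR_DRDY
    cmp     al, ATA_SR_DRDY
    je      select_drive
    dec     ecx
    jnz     wait_ready
    jmp     give_up

select_drive:
    mov     dx, ATA_DRIVE_HEAD
    mov     al, ATA_SEL_MASTER
    out     dx, al
    mov     dx, ATA_STATUS
    mov     al, ATA_CMD_IDENTIFY
    out     dx, al                      ; DX is still the status port afterwards

    ; Wait for the data phase (BSY=0, DRQ=1); ERR means the device aborted
    ; IDENTIFY (e.g. an ATAPI device) and no data will follow.
    mov     ecx, ATA_SPIN_LIMIT
wait_data:
    in      al, dx
    test    al, ATA_SR_ERR
    jnz     give_up
    and     al, ATA_SR_BSY or ATA_SR_DRQ
    cmp     al, ATA_SR_DRQ
    je      read_block
    dec     ecx
    jnz     wait_data
    jmp     give_up

read_block:
    mov     dx, ATA_DATA
    mov     edi, offset BUFF1
    mov     ecx, 256                    ; IDENTIFY block = 256 words
read_word:
    in      ax, dx
    xchg    ah, al                      ; ATA strings are byte-swapped per word
    stosw
    dec     ecx
    jnz     read_word

    mov     esi, offset BUFF1 + SERIAL_OFFSET
    mov     edi, offset hdsn_2
    mov     ecx, SERIAL_LEN
    rep     movsb
give_up:
    sti                                 ; redundant: IRETD restores the caller's EFLAGS (incl. IF)
    iretd
Ring0Proc ENDP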
end Start