Author: Firewing [CCG]
Organization: [CCG] (China CRACKING Group)
Today some of us discussed how to read the BIOS image under Windows NT / 2000 / XP; here is the result for everyone.
As everyone knows, Windows does not let user-mode code touch physical memory directly, while the BIOS lives in physical memory at real-mode address F000:0000 (linear address 0x000F0000). The key question is therefore how to read physical memory from a normal process.
After reading the MSDN articles I found the following native functions, which together give access to physical memory through the \Device\PhysicalMemory section object:
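// Native (ntdll.dll) prototypes, as documented for kernel-mode callers in the DDK.
// All three return an NTSTATUS: zero/positive = success, negative = failure.
// Test the result (NT_SUCCESS(), or `status < 0`); never treat it as an unsigned DWORD.
NTSTATUS ZwOpenSection(
    OUT PHANDLE            SectionHandle,      // receives the handle to the section object
    IN  ACCESS_MASK        DesiredAccess,      // e.g. SECTION_MAP_READ (0x4) for read-only use
    IN  POBJECT_ATTRIBUTES ObjectAttributes);  // names the object, here \Device\PhysicalMemory
NTSTATUS ZwMapViewOfSection(
    IN     HANDLE          SectionHandle,
    IN     HANDLE          ProcessHandle,      // NtCurrentProcess() == (HANDLE)-1 for the caller itself
    IN OUT PVOID          *BaseAddress,        // in: preferred address or NULL; out: where the view was mapped
    IN     ULONG_PTR       ZeroBits,           // ULONG on 32-bit Windows; pointer-sized on 64-bit
    IN     SIZE_T          CommitSize,         // ULONG on 32-bit Windows; only meaningful for pagefile-backed sections
    IN OUT PLARGE_INTEGER  SectionOffset OPTIONAL, // offset into the section: for \Device\PhysicalMemory, the physical address
    IN OUT PSIZE_T         ViewSize,           // in: bytes requested; out: bytes actually mapped (rounded up to a page)
    IN     SECTION_INHERIT InheritDisposition, // ViewShare (1) or ViewUnmap (2)
    IN     ULONG           AllocationType,
    IN     ULONG           Protect);           // PAGE_READONLY (0x2), PAGE_READWRITE (0x4), ...
NTSTATUS ZwUnmapViewOfSection(
    IN HANDLE ProcessHandle,
    IN PVOID  BaseAddress);                    // the BaseAddress returned by ZwMapViewOfSection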
The structures these functions use are defined as follows:
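// Counted (not NUL-terminated) wide string used by the native API.
// Both lengths are in BYTES, not characters: Length = wcslen(s) * sizeof(WCHAR),
// MaximumLength = Length + sizeof(WCHAR) when Buffer is NUL-terminated.
typedef struct _UNICODE_STRING {
    USHORT Length;        // bytes in use, excluding any terminating NUL
    USHORT MaximumLength; // bytes available in Buffer
    PWSTR  Buffer;        // for physical-memory access this points to L"\\Device\\PhysicalMemory"
} UNICODE_STRING, *PUNICODE_STRING;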
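// Describes the object to open. The structure is 0x18 bytes on 32-bit Windows
// but 0x30 on 64-bit, so set Length = sizeof(OBJECT_ATTRIBUTES), never a literal.
typedef struct _OBJECT_ATTRIBUTES {
    ULONG           Length;                   // sizeof(OBJECT_ATTRIBUTES)
    HANDLE          RootDirectory;            // NULL: ObjectName is a full object-manager path
    PUNICODE_STRING ObjectName;               // e.g. L"\\Device\\PhysicalMemory"
    ULONG           Attributes;               // OBJ_CASE_INSENSITIVE == 0x40
    PVOID           SecurityDescriptor;       // PSECURITY_DESCRIPTOR; NULL here
    PVOID           SecurityQualityOfService; // PSECURITY_QUALITY_OF_SERVICE; NULL here
} OBJECT_ATTRIBUTES;
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;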
Function descriptions
The first function, ZwOpenSection, opens the section object. Its first parameter is a pointer to a HANDLE variable that receives the handle, the second is the desired access mask, and the third is a pointer to an OBJECT_ATTRIBUTES structure naming the object.
The second function, ZwMapViewOfSection, maps a range of the section (here: a range of physical memory) into the address space of the target process. It has many parameters; they are explained in the example.
The third function, ZwUnmapViewOfSection, removes that mapping from the process again. Its first parameter is the process handle and its second is the base address of the view in that process, as returned by ZwMapViewOfSection. Every successful map should be paired with an unmap, and the section handle should be closed afterwards.
All three functions are exported by NTDLL.DLL; the MSDN help describes them as driver (kernel-mode) routines, but they can be called from user mode by resolving them with GetProcAddress. Two caveats a practitioner needs: by default only SYSTEM and Administrators may open \Device\PhysicalMemory, and starting with Windows Server 2003 SP1 the kernel refuses user-mode opens of it altogether, so the technique works only on NT 4.0 / 2000 / XP and only as administrator. Each call returns an NTSTATUS that must be checked before the mapped address is dereferenced. The routine is as follows:
// Structural definition
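// Counted (not NUL-terminated) wide string used by the native API.
// Both lengths are in BYTES, not characters: Length = wcslen(s) * sizeof(WCHAR),
// MaximumLength = Length + sizeof(WCHAR) when Buffer is NUL-terminated.
typedef struct _UNICODE_STRING {
    USHORT Length;        // bytes in use, excluding any terminating NUL
    USHORT MaximumLength; // bytes available in Buffer
    PWSTR  Buffer;        // pointer to the (caller-owned) character buffer
} UNICODE_STRING, *PUNICODE_STRING;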
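// Describes the object to open. The structure is 0x18 bytes on 32-bit Windows
// but 0x30 on 64-bit, so set Length = sizeof(OBJECT_ATTRIBUTES), never a literal.
typedef struct _OBJECT_ATTRIBUTES {
    ULONG           Length;                   // sizeof(OBJECT_ATTRIBUTES)
    HANDLE          RootDirectory;            // NULL: ObjectName is a full object-manager path
    PUNICODE_STRING ObjectName;               // e.g. L"\\Device\\PhysicalMemory"
    ULONG           Attributes;               // OBJ_CASE_INSENSITIVE == 0x40
    PVOID           SecurityDescriptor;       // PSECURITY_DESCRIPTOR; NULL here
    PVOID           SecurityQualityOfService; // PSECURITY_QUALITY_OF_SERVICE; NULL here
} OBJECT_ATTRIBUTES;
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;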
// Function-pointer type declarations for the three ntdll exports
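// Function-pointer types for the three ntdll exports. They return an NTSTATUS,
// which is a signed LONG (negative = failure), so declare LONG rather than DWORD
// and test `status < 0`. ZeroBits/CommitSize are pointer-sized (ULONG_PTR/SIZE_T)
// so the 64-bit calling convention passes them correctly; on 32-bit Windows they
// are identical to ULONG. ZwMapViewOfSection's third parameter receives the
// address of a PVOID (i.e. PVOID*); it is declared PVOID here so callers pass `&base`.
typedef LONG (__stdcall *ZWOS)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);
typedef LONG (__stdcall *ZWMV)(HANDLE, HANDLE, PVOID, ULONG_PTR, SIZE_T, PLARGE_INTEGER, PSIZE_T, DWORD, ULONG, ULONG);
typedef LONG (__stdcall *ZWUMV)(HANDLE, PVOID);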
// The definitions above are at file scope (global)
// The statements below go inside the program's main function
// Variable declaration
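// Variable declarations (this fragment lives inside main)
UNICODE_STRING    strUniPh;
OBJECT_ATTRIBUTES objAttr;
ZWOS   zwOpenS;
ZWMV   zwMapV;
ZWUMV  zwUnmapV;
HANDLE hSection = NULL;
PVOID  ba       = NULL;   // receives the base address of the view; pointer-sized, not DWORD
LARGE_INTEGER so;
SIZE_T ssize;
LONG   status;            // NTSTATUS: negative means failure
HINSTANCE hInstLib;

// Physical start address: real-mode F000:0000 == linear 0x000F0000
so.LowPart  = 0x000F0000;
so.HighPart = 0;
// The BIOS region F000:0000..F000:FFFF is 64 KiB. (0xFFFFF would request 1 MiB
// and map well past the ROM into whatever RAM follows it.)
ssize = 0x10000;
// Object-manager path; the separators are backslashes, escaped in C
WCHAR strPh[] = L"\\Device\\PhysicalMemory";

// Variable initialization. UNICODE_STRING lengths are in bytes:
// 22 characters * 2 = 0x2C, plus one WCHAR for the NUL = 0x2E.
strUniPh.Buffer        = strPh;
strUniPh.Length        = (USHORT)(sizeof(strPh) - sizeof(WCHAR));
strUniPh.MaximumLength = (USHORT)sizeof(strPh);
objAttr.Length                   = sizeof(OBJECT_ATTRIBUTES); // 0x18 on x86, 0x30 on x64
objAttr.RootDirectory            = NULL;
objAttr.ObjectName               = &strUniPh;
objAttr.Attributes               = 0x40;                      // OBJ_CASE_INSENSITIVE
objAttr.SecurityDescriptor       = NULL;
objAttr.SecurityQualityOfService = NULL;

// Resolve the exports. ntdll.dll is already mapped in every process, so
// LoadLibrary only adds a reference; every lookup is still checked.
hInstLib = LoadLibraryA("NTDLL.DLL");
if (hInstLib == NULL) {
    printf("LoadLibrary(NTDLL.DLL) failed, error %lu\n", (unsigned long)GetLastError());
    return 1;
}
zwOpenS  = (ZWOS) GetProcAddress(hInstLib, "ZwOpenSection");
zwMapV   = (ZWMV) GetProcAddress(hInstLib, "ZwMapViewOfSection");
zwUnmapV = (ZWUMV)GetProcAddress(hInstLib, "ZwUnmapViewOfSection");
if (zwOpenS == NULL || zwMapV == NULL || zwUnmapV == NULL) {
    printf("GetProcAddress failed for one of the Zw* exports\n");
    FreeLibrary(hInstLib);
    return 1;
}

// Open the section with read access only (SECTION_MAP_READ == 4). Requesting
// write access would let a user-mode program patch arbitrary physical memory,
// which is why only SYSTEM/Administrators may open this object and why
// Windows Server 2003 SP1 and later refuse user-mode opens outright.
status = zwOpenS(&hSection, SECTION_MAP_READ, &objAttr);
if (status < 0) {
    printf("ZwOpenSection failed, NTSTATUS 0x%08lX (needs administrator; refused on Server 2003 SP1+)\n",
           (unsigned long)status);
    FreeLibrary(hInstLib);
    return 1;
}

// Map the physical range into this process
status = zwMapV(
    hSection,             // handle returned by ZwOpenSection
    (HANDLE)(LONG_PTR)-1, // NtCurrentProcess(): the calling process (not a 32-bit literal)
    &ba,                  // receives the base address of the view
    0,                    // ZeroBits: no alignment requirement
    0xFFFF,               // CommitSize, as in the original listing
    &so,                  // SectionOffset: the physical address to start at
    &ssize,               // in: bytes wanted; out: bytes actually mapped (page-rounded)
    1,                    // ViewShare: child processes inherit the view
    0,                    // AllocationType
    PAGE_READONLY);       // 2: never map physical memory writable here
if (status < 0 || ba == NULL) {
    printf("ZwMapViewOfSection failed, NTSTATUS 0x%08lX\n", (unsigned long)status);
    CloseHandle(hSection);
    FreeLibrary(hInstLib);
    return 1;
}
// On success `ba` points at a read-only 64 KiB view of physical F000:0000..F000:FFFF
// and `ssize` holds the mapped size. Use it here, then tear down in reverse order:
// the view first, then the section handle, then the library reference.
zwUnmapV((HANDLE)(LONG_PTR)-1, ba);
CloseHandle(hSection);
FreeLibrary(hInstLib);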
BTW:
The idea comes mainly from a Lenovo installation-verification program I traced earlier; many thanks to Lenovo's technicians :-).
/ / -------------------------------------------------------------------------------------------- -------------------------------------------------- -
This is an old post from the Kanxue (PEDIY) forum. I once wrote an example following Firewing's write-up:
/* Test to Read Bios
   Author: Jamesjoo (Kobe)
*/
#include <windows.h> // HANDLE, DWORD, LARGE_INTEGER, LoadLibrary, GetProcAddress, ...
#include <stdio.h>   // printf
// NOTE(review): the original listing had four #include lines whose header names
// were lost in extraction; <windows.h> and <stdio.h> are the two the code below
// demonstrably needs. The NTDDK header stayed commented out in the original.
// # include "j: /ntddk/inc/wdm.h"
///
// Structural definition
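// Counted (not NUL-terminated) wide string used by the native API.
// Both lengths are in BYTES, not characters: Length = wcslen(s) * sizeof(WCHAR),
// MaximumLength = Length + sizeof(WCHAR) when Buffer is NUL-terminated.
typedef struct _UNICODE_STRING {
    USHORT Length;        // bytes in use, excluding any terminating NUL
    USHORT MaximumLength; // bytes available in Buffer
    PWSTR  Buffer;        // pointer to the (caller-owned) character buffer
} UNICODE_STRING, *PUNICODE_STRING;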
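// Describes the object to open. The structure is 0x18 bytes on 32-bit Windows
// but 0x30 on 64-bit, so set Length = sizeof(OBJECT_ATTRIBUTES), never a literal.
typedef struct _OBJECT_ATTRIBUTES {
    ULONG           Length;                   // sizeof(OBJECT_ATTRIBUTES)
    HANDLE          RootDirectory;            // NULL: ObjectName is a full object-manager path
    PUNICODE_STRING ObjectName;               // e.g. L"\\Device\\PhysicalMemory"
    ULONG           Attributes;               // OBJ_CASE_INSENSITIVE == 0x40
    PVOID           SecurityDescriptor;       // PSECURITY_DESCRIPTOR; NULL here
    PVOID           SecurityQualityOfService; // PSECURITY_QUALITY_OF_SERVICE; NULL here
} OBJECT_ATTRIBUTES;
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;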
// Function-pointer type declarations for the three ntdll exports
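// Function-pointer types for the three ntdll exports. They return an NTSTATUS,
// which is a signed LONG (negative = failure), so declare LONG rather than DWORD
// and test `status < 0`. ZeroBits/CommitSize are pointer-sized (ULONG_PTR/SIZE_T)
// so the 64-bit calling convention passes them correctly; on 32-bit Windows they
// are identical to ULONG. ZwMapViewOfSection's third parameter receives the
// address of a PVOID (i.e. PVOID*); it is declared PVOID here so callers pass `&base`.
typedef LONG (__stdcall *ZWOS)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);
typedef LONG (__stdcall *ZWMV)(HANDLE, HANDLE, PVOID, ULONG_PTR, SIZE_T, PLARGE_INTEGER, PSIZE_T, DWORD, ULONG, ULONG);
typedef LONG (__stdcall *ZWUMV)(HANDLE, PVOID);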
// The above defines the global variable in the program
/
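/*
 * Maps the 64 KiB BIOS ROM region (physical F000:0000..F000:FFFF) into this
 * process through the \Device\PhysicalMemory section object and dumps it as hex.
 *
 * Caveats:
 *  - the three Zw* routines are undocumented user-mode exports of ntdll.dll;
 *  - by default only SYSTEM/Administrators may open \Device\PhysicalMemory, and
 *    Windows Server 2003 SP1 and later refuse user-mode opens entirely, so this
 *    works on NT 4.0 / 2000 / XP as administrator only;
 *  - the view is mapped PAGE_READONLY on purpose: a writable mapping of physical
 *    memory lets user mode patch the kernel, which is the classic rootkit abuse
 *    of this object.
 *
 * Returns 0 on success, 1 on any failure (the reason is printed).
 */
int main(void)
{
    UNICODE_STRING    strUniPh;
    OBJECT_ATTRIBUTES objAttr;
    ZWOS      zwOpenS;
    ZWMV      zwMapV;
    ZWUMV     zwUnmapV;
    HANDLE    hSection = NULL;
    HINSTANCE hInstLib;
    PVOID     ba = NULL;  /* base address of the view; pointer-sized, not DWORD */
    LARGE_INTEGER so;
    SIZE_T    ssize;
    LONG      status;     /* NTSTATUS: negative means failure */
    int       rc = 1;
    SIZE_T    i;
    const unsigned char *p;

    /* Object-manager path of the section; the separators are backslashes. */
    WCHAR strPh[] = L"\\Device\\PhysicalMemory";

    /* Physical start address: real-mode F000:0000 == linear 0x000F0000. */
    so.LowPart  = 0x000F0000;
    so.HighPart = 0;
    /* The BIOS region is 64 KiB. (0xFFFFF would request 1 MiB and map past the ROM.) */
    ssize = 0x10000;

    /* UNICODE_STRING lengths are in bytes: 22 chars -> 0x2C, +2 for the NUL -> 0x2E. */
    strUniPh.Buffer        = strPh;
    strUniPh.Length        = (USHORT)(sizeof(strPh) - sizeof(WCHAR));
    strUniPh.MaximumLength = (USHORT)sizeof(strPh);

    objAttr.Length                   = sizeof(OBJECT_ATTRIBUTES); /* 0x18 on x86, 0x30 on x64 */
    objAttr.RootDirectory            = NULL;
    objAttr.ObjectName               = &strUniPh;
    objAttr.Attributes               = 0x40;                      /* OBJ_CASE_INSENSITIVE */
    objAttr.SecurityDescriptor       = NULL;
    objAttr.SecurityQualityOfService = NULL;

    /* ntdll.dll is already mapped in every process; this only adds a reference. */
    hInstLib = LoadLibraryA("NTDLL.DLL");
    if (hInstLib == NULL) {
        printf("LoadLibrary(NTDLL.DLL) failed, error %lu\n", (unsigned long)GetLastError());
        return 1;
    }
    zwOpenS  = (ZWOS) GetProcAddress(hInstLib, "ZwOpenSection");
    zwMapV   = (ZWMV) GetProcAddress(hInstLib, "ZwMapViewOfSection");
    zwUnmapV = (ZWUMV)GetProcAddress(hInstLib, "ZwUnmapViewOfSection");
    if (zwOpenS == NULL || zwMapV == NULL || zwUnmapV == NULL) {
        printf("GetProcAddress failed for one of the Zw* exports\n");
        FreeLibrary(hInstLib);
        return 1;
    }

    /* Ask for read access only: SECTION_MAP_READ (0x4). */
    status = zwOpenS(&hSection, SECTION_MAP_READ, &objAttr);
    if (status < 0) {
        printf("ZwOpenSection failed, NTSTATUS 0x%08lX "
               "(run as administrator; refused on Server 2003 SP1 and later)\n",
               (unsigned long)status);
    } else {
        status = zwMapV(
            hSection,             /* handle returned by ZwOpenSection */
            (HANDLE)(LONG_PTR)-1, /* NtCurrentProcess(): the calling process */
            &ba,                  /* receives the base address of the view */
            0,                    /* ZeroBits: no alignment requirement */
            0xFFFF,               /* CommitSize, as in the original listing */
            &so,                  /* SectionOffset: the physical address */
            &ssize,               /* in: bytes wanted; out: bytes mapped (page-rounded) */
            1,                    /* ViewShare: child processes inherit the view */
            0,                    /* AllocationType */
            PAGE_READONLY);       /* 0x2: never map physical memory writable here */
        if (status < 0 || ba == NULL) {
            printf("ZwMapViewOfSection failed, NTSTATUS 0x%08lX\n", (unsigned long)status);
        } else {
            /* Hex dump of the mapped region, 16 bytes per line, prefixed with the
             * physical address. ssize now holds the size actually mapped. */
            p = (const unsigned char *)ba;
            for (i = 0; i < ssize; ++i) {
                if (i % 16 == 0)
                    printf("\n%08lX:", (unsigned long)(so.LowPart + i));
                printf(" %02X", p[i]);
            }
            printf("\n");
            /* Tear down in reverse order: the view first, then the section handle. */
            zwUnmapV((HANDLE)(LONG_PTR)-1, ba);
            rc = 0;
        }
        CloseHandle(hSection);
    }
    FreeLibrary(hInstLib);
    return rc;
}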