How to read the BIOS content in a Windows program (physical memory content)

xiaoxiao2021-03-06  79

Author: Firewing [CCG]

Organization: [CCG] (China CRACKING Group)

Today, today and night brothers discussed how to read BIOS information under Windows NT / 2000 / XP, now

The result is reported to everyone.

Everyone knows that Windows take over direct access to physical memory, and BIOS information has physical memory.

F000: 0000, the key is how to read physical memory.

After receiving the MSDN's article, find that there are several functions and physical memory access:

NTSTATUS ZWOPENSECTION (Out Phandle SectionHandle, IN Access_mask DesiredAccess, in POBject_Attributes Objecttattributes);

NTSTATUS ZWMAPVIEWOFSECTION (in Handle SectionHandle,

In Handle ProcessHandle,

In Out Pvoid ​​* BaseEaddress,

In Ulong ZeroBITS,

In Ulong Commitsize,

In Out Plarge_integer SectionOffset Optional,

In out psize_t viewsize,

In section_inherit inheritdisposition,

In Ulong AllocationType,

In Ulong Protect

);

NTSTATUS ZWUNMAPVIEWOFSECTION (In Handle ProcessHandle, In Pvoid ​​BaseAddress);

The structure used is defined as follows

Typedef struct _unicate_string {

Ushort length; // length

Ushort maximumlength; // maximum length

PWSTR BUFFER; / / Cache, when accessing physical memory, here point to Unicode string "/ device / physicalmemory"

} Unicode_string, * punicode_string;

Typedef struct _object_attributes {

Ulong length; // length 18h

Handle rootdirectory; // 00000000

Punicode_String ObjectName; // Pointer to the object name

Ulong attributes; // Object property 00000040H

PVOID SecurityDescriptor; // Points to Type Security_Descriptor, 0

Pvoid ​​securityQualityofService; // points to type security_quality_of_service, 0

} Object_attributes;

TYPEDEF Object_attributes * pObject_attributes;

Function description

The first function zwopensection is used to open the section. The first parameter is a pointer to the Handle variable, the second is the access parameter, the third is the pointer to Object_Attributes.

The second function ZWMapViewOfSection is used to establish a physical memory of physical memory and the current process. There are a lot of parameters, and will explain in the routine.

The third function zwunmapViewOfSection is used to disconnect the physical memory and the mapping break connections in the current process. The first parameter is the process handle, and the second function must be used, the second

Is the base address of the map in the current process, returned by ZWMapViewOfSection

These three functions are in NTDLL.DLL, and the help in MSDN say these functions are used on the drive. The routine is as follows

// Structural definition

Typedef struct _unicate_string {

Ushort length; // length

Ushort maximumlength; // maximum length

Pwstr buffer; // caching pointer

} Unicode_string, * punicode_string;

Typedef struct _object_attributes {

Ulong length; // length 18h

Handle rootdirectory; // 00000000

Punicode_String ObjectName; // Pointer to the object name

Ulong attributes; // Object property 00000040H

PVOID SecurityDescriptor; // Points to Type Security_DESCRIPTOR, 0

Pvoid ​​securityQualityofService; // points to type security_quality_of_service, 0

} Object_attributes;

TYPEDEF Object_attributes * pObject_attributes;

// Function Pointer Variable Type Life

Typedef dword (__stdcall * zwos) (PHANDLE, Access_mask, POBJECT_ATTRIBUTES);

Typedef DWORD (__stdcall * zwmv) (Handle, Handle, PVOID, ULONG, ULONG, PLARGE_INTEGER, PSIZE_T, DWORD, ULONG, ULONG)

TypeDef dword (__stdcall * zwumv) (Handle, PVOID);

// The above defines the global variable in the program

// The following in the main function of the program

// Variable declaration

UNICODE_STRING STRUNIPH;

Object_attributes obj_ar;

Zwos Zwopens;

ZWMV ZWMAPV;

Zwumv zwunmapv;

Handle Hsection;

DWORD BA;

Large_integer so;

SIZE_T SSIZE;

SO.LOWPART = 0x000f0000; // The base address of the physical memory is F000: 0000

So.highpart = 0x00000000;

SSIZE = 0xfffff;

Wchar_t strph [30] = l "// device // PhysicalMemory";

// Variable initialization

BA = 0; // The base address will be returned here

Struniph.buffer = strph;

Struniph.Length = 0x2c; // Note size is a word ancillary

Struniph.maximumumlength = 0x2e; // is also byte

Obj_ar.attributes = 64; // Property

Obj_ar.length = 24; // Object_attributes Type The length

Obj_ar.objectname = & struniph; // Pointer to the object

Obj_ar.rootdirectory = 0;

Obj_ar.securityDescriptor = 0;

Obj_ar.securityqualityofservice = 0;

// Read NTDLL.DLL to get the function address

Hinstlib = loadingLibrary ("NTDLL.DLL");

ZWOPENS = (ZwOS) GetProcaddress (Hinstlib, "ZWopense");

ZWMAPV = (ZWMV) GetProcaddress (Hinstlib, "ZWMapViewOfsection); zwunmapv = (zwumv) getProcaddress (Hinstlib," ZwunmapViewOfSection);

// Call the function, mapping physical memory

ZWOPENS (& Hsection, 4, & obj_ar);

ZWMAPV (

(HANDLE) HSECTION, // Open the handle when section

(HANDLE) 0xFffffFFF, // will map the handle of the process,

& ba, // Mapping base address

0, // I haven't seen it, I set it to 0.

0xffff, // allocated size

& So, // Physical memory address

& SSIZE, / / ​​Pointer to the size of the memory block

1, // Sub-process can be inherited

0, // allocation type

2 // protection type

);

// will open a 64K space after execution, and map F000: 0000 to F000: FFFF to here

// The base address of the map is returned by BA. If the mapping is not useful, you should disconnect by ZwunmapViewOfSection.

BTW:

The idea is mainly the Lenovo installation verification procedure that came on the previous track, I really want to thank Lenovo's technicians :-).

/ / -------------------------------------------------------------------------------------------- -------------------------------------------------- -

This is the old post to see the snow forum. I used to have an example according to the introduction of the fire!

/ * Test to Read Bios

Author: Jamesjoo (Kobe)

* /

#include

#include

#include

#include

// # include "j: /ntddk/inc/wdm.h"

///

// Structural definition

Typedef struct _unicate_string {

Ushort length; // length

Ushort maximumlength; // maximum length

Pwstr buffer; // caching pointer

} Unicode_string, * punicode_string;

Typedef struct _object_attributes {

Ulong length; // length 18h

Handle rootdirectory; // 00000000

Punicode_String ObjectName; // Pointer to the object name

Ulong attributes; // Object property 00000040H

PVOID SecurityDescriptor; // Points to Type Security_DESCRIPTOR, 0

Pvoid ​​securityQualityofService; // points to type security_quality_of_service, 0

} Object_attributes;

TYPEDEF Object_attributes * pObject_attributes;

// Function Pointer Variable Type Life

Typedef dword (__stdcall * zwos) (PHANDLE, Access_mask, POBJECT_ATTRIBUTES);

Typedef DWORD (__stdcall * zwmv) (Handle, Handle, PVOID, ULONG, ULONG, PLARGE_INTEGER, PSIZE_T, DWORD, ULONG, ULONG)

TypeDef dword (__stdcall * zwumv) (Handle, PVOID);

// The above defines the global variable in the program

/

Void main () {

UNICODE_STRING STRUNIPH;

Object_attributes obj_ar;

Zwos Zwopens;

ZWMV ZWMAPV;

Zwumv zwunmapv;

Handle Hsection;

Hinstance hinstlib;

DWORD BA;

Large_integer so;

SIZE_T SSIZE;

SO.LOWPART = 0x000f0000; // The base address of the physical memory is F000: 0000

So.highpart = 0x00000000;

SSIZE = 0xfffff;

Wchar_t strph [30] = l "// device // PhysicalMemory";

// Variable initialization

BA = 0; // The base address will be returned here

Struniph.buffer = strph;

Struniph.Length = 0x2c; // Note size is a word ancillary

Struniph.maximumumlength = 0x2e; // is also byte

Obj_ar.attributes = 64; // Property

Obj_ar.length = 24; // Object_attributes Type The length

Obj_ar.objectname = & struniph; // Pointer to the object

Obj_ar.rootdirectory = 0;

Obj_ar.securityDescriptor = 0;

Obj_ar.securityqualityofservice = 0;

// Read NTDLL.DLL to get the function address

Hinstlib = loadingLibrary ("NTDLL.DLL");

ZWOPENS = (ZwOS) GetProcaddress (Hinstlib, "ZWopense");

ZWMAPV = (ZWMV) GetProcAddress (Hinstlib, ZwmapViewOfSection);

Zwunmapv = (zwumv) getProcaddress (Hinstlib, ZwunmapViewOfsection);

// Call the function, mapping physical memory

ZWOPENS (& Hsection, 4, & obj_ar);

ZWMAPV (

(HANDLE) HSECTION, // Open the handle when section

(HANDLE) 0xFffffFFF, // will map the handle of the process,

& ba, // Mapping base address

0, // I haven't seen it, I set it to 0.

0xffff, // allocated size

& So, // Physical memory address

& SSIZE, / / ​​Pointer to the size of the memory block

1, // Sub-process can be inherited

0, // allocation type

2 // protection type

);

// will open a 64K space after execution, and map F000: 0000 to F000: FFFF to here

// The base address of the map is returned by BA. If the mapping is not useful, you should disconnect by ZwunmapViewOfSection.

// for (int i = 0; i <64000; i)

// {IF ((i% 8) == 0) Printf ("/ n");

// int Num = (int) * (ba i);

// Printf ("% x", NUM);

//}

// ZwunmapViewOfSection ((Handle) 0xfffffff, BA);

Freelibrary (Hinstlib);

}

转载请注明原文地址:https://www.9cbs.com/read-121608.html

New Post(0)