Title: How to read the BIOS contents from a Windows program
Original author: Firewing [CCG]
Original source: www.chat001.com
Publisher: loose_went
Publication type: Reproduced
Release date: 2004-01-04
This evening a few of us discussed how to read BIOS information under Windows NT/2000/XP; here are the results. Everyone knows that Windows takes over direct access to physical memory, and that the BIOS information sits in physical memory at F000:0000. So how do we get at physical memory?
After looking through MSDN, we found the following functions related to physical memory access:

    NTSTATUS ZwOpenSection(
        OUT PHANDLE SectionHandle,
        IN ACCESS_MASK DesiredAccess,
        IN POBJECT_ATTRIBUTES ObjectAttributes);

    NTSTATUS ZwMapViewOfSection(
        IN HANDLE SectionHandle,
        IN HANDLE ProcessHandle,
        IN OUT PVOID *BaseAddress,
        IN ULONG ZeroBits,
        IN ULONG CommitSize,
        IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
        IN OUT PSIZE_T ViewSize,
        IN SECTION_INHERIT InheritDisposition,
        IN ULONG AllocationType,
        IN ULONG Protect);

    NTSTATUS ZwUnmapViewOfSection(
        IN HANDLE ProcessHandle,
        IN PVOID BaseAddress);

The structures they use are defined as:

    typedef struct _UNICODE_STRING {
        USHORT Length;          // length in bytes
        USHORT MaximumLength;   // maximum length in bytes
        PWSTR  Buffer;          // pointer to the buffer; for physical memory access it
                                // points at the UNICODE string "\Device\PhysicalMemory"
    } UNICODE_STRING, *PUNICODE_STRING;

    typedef struct _OBJECT_ATTRIBUTES {
        ULONG           Length;                   // structure length, 18h
        HANDLE          RootDirectory;            // 00000000
        PUNICODE_STRING ObjectName;               // pointer to the object name
        ULONG           Attributes;               // object attributes, 00000040h
        PVOID           SecurityDescriptor;       // points to a SECURITY_DESCRIPTOR; 0 here
        PVOID           SecurityQualityOfService; // points to a SECURITY_QUALITY_OF_SERVICE; 0 here
    } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

Function descriptions: ZwOpenSection opens a section object. Its first parameter is a pointer to the variable that receives the section handle, the second is the desired access, and the third is a pointer to an OBJECT_ATTRIBUTES structure. ZwMapViewOfSection maps a view of the section, here physical memory, into the current process; it has many parameters. The third function, ZwUnmapViewOfSection, is used in the routine to tear down the mapping between physical memory and the current process: its first parameter is the process handle, and its second is the base address of the mapping in the current process, which ZwMapViewOfSection returned. All three functions are exported by NTDLL.DLL, and the MSDN help says they are intended for use in drivers.
The routine defines the structures as follows:

    #include <windows.h>   // added: supplies DWORD, HANDLE, LARGE_INTEGER and the Win32 API

    typedef struct _UNICODE_STRING {
        USHORT Length;          // length in bytes
        USHORT MaximumLength;   // maximum length in bytes
        PWSTR  Buffer;          // pointer to the buffer
    } UNICODE_STRING, *PUNICODE_STRING;

    typedef struct _OBJECT_ATTRIBUTES {
        ULONG           Length;                   // structure length, 18h
        HANDLE          RootDirectory;            // 00000000
        PUNICODE_STRING ObjectName;               // pointer to the object name
        ULONG           Attributes;               // object attributes, 00000040h
        PVOID           SecurityDescriptor;       // points to a SECURITY_DESCRIPTOR; 0 here
        PVOID           SecurityQualityOfService; // points to a SECURITY_QUALITY_OF_SERVICE; 0 here
    } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

    // Function pointer types for the three ntdll exports
    typedef DWORD (__stdcall *ZWOS)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);
    typedef DWORD (__stdcall *ZWMV)(HANDLE, HANDLE, PVOID, ULONG, ULONG, PLARGE_INTEGER,
                                    PSIZE_T, DWORD, ULONG, ULONG);
    typedef DWORD (__stdcall *ZWUMV)(HANDLE, PVOID);

The definitions above are global and go before the program starts; everything below goes in the program's main function.

    // Variable declarations
    UNICODE_STRING    struniph;
    OBJECT_ATTRIBUTES obj_ar;
    ZWOS              ZWopenS;
    ZWMV              ZWmapV;
    ZWUMV             ZWunmapV;
    HANDLE            hSection;
    DWORD             ba;
    LARGE_INTEGER     so;
    SIZE_T            ssize;
    HINSTANCE         hinstLib;   // declaration was missing in the original
    wchar_t strPH[30] = L"\\Device\\PhysicalMemory";

    so.LowPart  = 0x000f0000;     // base address of the physical memory to map: F000:0000
    so.HighPart = 0x00000000;
    ssize       = 0xfff;

    // Variable initialisation
    ba = 0;                            // the mapped base address will be returned here
    struniph.Buffer        = strPH;
    struniph.Length        = 0x2c;     // note: size in bytes, not characters
    struniph.MaximumLength = 0x2e;     // also in bytes
    obj_ar.Attributes               = 64;          // attributes
    obj_ar.Length                   = 24;          // size of OBJECT_ATTRIBUTES
    obj_ar.ObjectName               = &struniph;   // pointer to the object name
    obj_ar.RootDirectory            = 0;
    obj_ar.SecurityDescriptor       = 0;
    obj_ar.SecurityQualityOfService = 0;

    // Load ntdll.dll and get the function addresses
    hinstLib = LoadLibrary("ntdll.dll");
    ZWopenS  = (ZWOS)GetProcAddress(hinstLib, "ZwOpenSection");
    ZWmapV   =
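Once the view is mapped, the bytes still have to be interpreted and checked before they are trusted. The following C is an added example, not the article's code: it parses a 64 KiB image of the F000 segment, locating the SMBIOS entry point anchor and verifying its checksum, and reading the 8-byte BIOS date at F000:FFF5. The image is constructed inline so it runs without Windows; on NT/2000/XP it would be the view ZwMapViewOfSection returns for \Device\PhysicalMemory at section offset F0000h, mapped with a ViewSize of 0x10000 rather than the routine's 0xfff.

```c
/* Added example (not the article's code): parse the BIOS region F000:0000-F000:FFFF
 * once it is mapped. The image is constructed inline so it runs offline; on NT/2000/XP
 * it would be the view ZwMapViewOfSection returns for \Device\PhysicalMemory at F0000h. */
#include <stdint.h>
#include <string.h>

#define BIOS_REGION_LEN 0x10000u   /* one 64 KiB segment */

/* The SMBIOS entry point lies on a 16-byte boundary in F0000h-FFFFFh, starts with
 * "_SM_" and its bytes sum to zero mod 256. Returns its offset in the image, or -1. */
long find_smbios_entry(const uint8_t *img, size_t len)
{
    for (size_t off = 0; off + 0x1f <= len; off += 16) {
        if (memcmp(img + off, "_SM_", 4) != 0)
            continue;
        uint8_t eps_len = img[off + 5];          /* entry point length, normally 0x1f */
        if (eps_len < 0x1f || off + eps_len > len)
            continue;
        uint8_t sum = 0;
        for (size_t i = 0; i < eps_len; i++)
            sum = (uint8_t)(sum + img[off + i]);
        if (sum == 0)                            /* reject anchors that fail the checksum */
            return (long)off;
    }
    return -1;
}

/* PC BIOSes store the release date as 8 ASCII bytes "MM/DD/YY" at F000:FFF5.
 * Copies it to out (NUL-terminated) and returns 1 if it has that shape. */
int bios_date(const uint8_t *img, size_t len, char out[9])
{
    if (len < 0xfff5 + 8) return 0;
    memcpy(out, img + 0xfff5, 8);
    out[8] = '\0';
    return out[2] == '/' && out[5] == '/';
}

/* Constructed sample image: a checksummed "_SM_" anchor at 0xE000 plus a date. */
void build_sample_bios_image(uint8_t *img)
{
    memset(img, 0xff, BIOS_REGION_LEN);          /* unprogrammed flash reads as FFh */
    memset(img + 0xe000, 0, 0x1f);
    memcpy(img + 0xe000, "_SM_", 4);
    img[0xe000 + 5] = 0x1f;                      /* entry point length */
    img[0xe000 + 6] = 2; img[0xe000 + 7] = 4;    /* SMBIOS version 2.4 */
    uint8_t sum = 0;
    for (int i = 0; i < 0x1f; i++) sum = (uint8_t)(sum + img[0xe000 + i]);
    img[0xe000 + 4] = (uint8_t)(0u - sum);       /* checksum byte makes the total zero */
    memcpy(img + 0xfff5, "01/04/04", 8);
}
```

A real image that fails both checks (no valid anchor, no date in MM/DD/YY form) most likely means the wrong physical range was mapped or the region was read back as FFh.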