VC Learning Data Collection (11): How to read BIOS in a Windows program


Article title: How to read the BIOS content in a Windows program. Summary: not provided. Author: LOOSE_WENT. Type: Reprint. Published: 2004-08-04. Views today: 5. Total views: 935.

Everyone knows that Windows takes over direct access to physical memory, and the BIOS content sits in physical memory at F000:0000, so how do we read physical memory? After looking through the MSDN articles we found the following functions related to physical memory access:

```c
NTSTATUS ZwOpenSection(OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes);
NTSTATUS ZwMapViewOfSection(IN HANDLE SectionHandle, IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN ULONG ZeroBits, IN ULONG CommitSize, IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, IN OUT PSIZE_T ViewSize, IN SECTION_INHERIT InheritDisposition, IN ULONG AllocationType, IN ULONG Protect);
NTSTATUS ZwUnmapViewOfSection(IN HANDLE ProcessHandle, IN PVOID BaseAddress);
```

The structures they use are defined as follows:

```c
typedef struct _UNICODE_STRING {
    USHORT Length;        // length
    USHORT MaximumLength; // maximum length
    PWSTR  Buffer;        // pointer to the buffer; for physical memory access it points to the UNICODE string "\Device\PhysicalMemory"
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES {
    ULONG           Length;                   // length, 18h
    HANDLE          RootDirectory;            // 00000000
    PUNICODE_STRING ObjectName;               // pointer to the object name
    ULONG           Attributes;               // object attributes, 00000040h
    PVOID           SecurityDescriptor;       // points to a SECURITY_DESCRIPTOR, 0
    PVOID           SecurityQualityOfService; // points to a SECURITY_QUALITY_OF_SERVICE, 0
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
```

Function descriptions: ZwOpenSection opens the section object; its first parameter is a pointer to a HANDLE variable that receives the handle, the second is the desired access, and the third is a pointer to the OBJECT_ATTRIBUTES structure above. ZwMapViewOfSection maps a view of the opened section into a process; it takes the section handle, the process handle, a pointer to a variable that receives the base address, and the section offset and view size that select the physical range to map. ZwUnmapViewOfSection disconnects the mapping in the current process; its first parameter is the process handle and its second is the base address returned by ZwMapViewOfSection.
These functions live in NTDLL.DLL, and the MSDN help says they are intended for use by drivers.

The routine's structure definitions and code are as follows:

```c
#include <windows.h>
#include <stdio.h>

// The definitions below are placed at program start (global scope)
typedef struct _UNICODE_STRING {
    USHORT Length;        // length
    USHORT MaximumLength; // maximum length
    PWSTR  Buffer;        // pointer to the buffer
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES {
    ULONG           Length;                   // length, 18h
    HANDLE          RootDirectory;            // 00000000
    PUNICODE_STRING ObjectName;               // pointer to the object name
    ULONG           Attributes;               // object attributes, 00000040h
    PVOID           SecurityDescriptor;       // points to a SECURITY_DESCRIPTOR, 0
    PVOID           SecurityQualityOfService; // points to a SECURITY_QUALITY_OF_SERVICE, 0
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

// Function pointer types for the three NTDLL functions
typedef DWORD (__stdcall *ZWOS)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);
typedef DWORD (__stdcall *ZWMV)(HANDLE, HANDLE, PVOID *, ULONG, ULONG, PLARGE_INTEGER, PSIZE_T, DWORD, ULONG, ULONG);
typedef DWORD (__stdcall *ZWUMV)(HANDLE, PVOID);

// The code below goes in the program's main function
int main(void)
{
    // Variable declarations
    UNICODE_STRING    struniph;
    OBJECT_ATTRIBUTES obj_ar;
    ZWOS   zwopens;
    ZWMV   zwmapv;
    ZWUMV  zwunmapv;
    HANDLE hsection;
    PVOID  ba;
    LARGE_INTEGER so;
    SIZE_T ssize;
    HINSTANCE hinstLib;
    DWORD  status;
    int    i;
    wchar_t strPH[30] = L"\\Device\\PhysicalMemory";

    so.LowPart  = 0x000f0000;  // physical base address of the BIOS, F000:0000
    so.HighPart = 0x00000000;
    ssize = 0xfff;

    // Variable initialization
    ba = 0;                         // receives the mapped base address after the call
    struniph.Buffer = strPH;
    struniph.Length = 0x2c;         // note: the size is in bytes
    struniph.MaximumLength = 0x2e;  // also in bytes
    obj_ar.Attributes = 64;         // object attributes
    obj_ar.Length = 24;             // size of the OBJECT_ATTRIBUTES type
    obj_ar.ObjectName = &struniph;  // pointer to the object name
    obj_ar.RootDirectory = 0;
    obj_ar.SecurityDescriptor = 0;
    obj_ar.SecurityQualityOfService = 0;

    // Load ntdll.dll and obtain the function addresses
    hinstLib = LoadLibraryA("NTDLL.DLL");
    if (hinstLib == NULL) return 1;
    zwopens  = (ZWOS)GetProcAddress(hinstLib, "ZwOpenSection");
    zwmapv   = (ZWMV)GetProcAddress(hinstLib, "ZwMapViewOfSection");
    zwunmapv = (ZWUMV)GetProcAddress(hinstLib, "ZwUnmapViewOfSection");
    if (!zwopens || !zwmapv || !zwunmapv) return 1;

    // Open the section with read access only; this fails without administrator
    // rights, and newer Windows versions refuse user-mode opens of this object
    status = zwopens(&hsection, SECTION_MAP_READ, &obj_ar);
    if (status != 0) { printf("ZwOpenSection failed: %08lx\n", status); return 1; }

    // Map ssize bytes starting at physical address so into the current process
    status = zwmapv(hsection, GetCurrentProcess(), &ba, 0, 0, &so, &ssize,
                    1 /* ViewShare */, 0, PAGE_READONLY);
    if (status != 0) {
        printf("ZwMapViewOfSection failed: %08lx\n", status);
        CloseHandle(hsection);
        return 1;
    }

    // ba now points at the BIOS bytes; print the first 16 of them
    for (i = 0; i < 16; i++) printf("%02X ", ((unsigned char *)ba)[i]);
    printf("\n");

    // Disconnect the mapping and release the section handle
    zwunmapv(GetCurrentProcess(), ba);
    CloseHandle(hsection);
    return 0;
}
```
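The routine above maps only 0xFFF bytes from F000:0000. As an added, portable example that is not part of the original article, the following code assumes the caller mapped the full 64 KB F000 segment and shows what can be read out of it at the conventional PC-compatible offsets, the BIOS release date at F000:FFF5 and the model byte at F000:FFFE, with a bounds check that rejects a view too short to hold them; the segment contents are constructed, not a real BIOS dump.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BIOS_SEG_SIZE  0x10000u  /* full F000:0000-F000:FFFF segment */
#define BIOS_DATE_OFF  0xFFF5u   /* 8 ASCII bytes "MM/DD/YY" (PC-compatible convention) */
#define BIOS_MODEL_OFF 0xFFFEu   /* machine model byte, 0xFC = PC/AT class */

typedef struct {
    char    date[9];    /* NUL-terminated copy of the date field */
    uint8_t model;
    int     date_valid; /* 1 if the date field has the shape MM/DD/YY */
} bios_info;

/* Returns 1 if s[0..8) is two digits, '/', two digits, '/', two digits. */
static int bios_date_is_valid(const char *s)
{
    for (size_t i = 0; i < 8; i++) {
        if (i == 2 || i == 5) { if (s[i] != '/') return 0; }
        else if (s[i] < '0' || s[i] > '9') return 0;
    }
    return 1;
}

/* Parses the fixed-offset fields out of a mapped F000 segment. Returns 0 on success,
 * -1 if the view is shorter than the segment (a 0xFFF byte view is rejected, not overread). */
int bios_parse_segment(const uint8_t *view, size_t view_len, bios_info *out)
{
    if (view == NULL || out == NULL || view_len < BIOS_SEG_SIZE) return -1;
    memcpy(out->date, view + BIOS_DATE_OFF, 8);
    out->date[8] = '\0';
    out->model = view[BIOS_MODEL_OFF];
    out->date_valid = bios_date_is_valid(out->date);
    return 0;
}

/* Constructed sample segment (not a real BIOS dump): 0xFF fill, two fields set. */
static uint8_t g_sample_seg[BIOS_SEG_SIZE];
const uint8_t *bios_sample_segment(void)
{
    memset(g_sample_seg, 0xFF, sizeof g_sample_seg);
    memcpy(g_sample_seg + BIOS_DATE_OFF, "08/04/04", 8);
    g_sample_seg[BIOS_MODEL_OFF] = 0xFC;
    return g_sample_seg;
}

int main(void)
{
    bios_info info;
    if (bios_parse_segment(bios_sample_segment(), BIOS_SEG_SIZE, &info) == 0)
        printf("BIOS date %s (%s), model 0x%02X\n", info.date,
               info.date_valid ? "well-formed" : "malformed", info.model);
    return 0;
}
```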

Please credit the original source when reprinting: https://www.9cbs.com/read-81700.html
