OBJECT_ATTRIBUTES ends
; TRUSTEE - 32-bit MASM declaration of a trustee record: five dword-sized
; fields (20 bytes). The trailing comment on each field names the Win32 type
; that the author mapped onto a dword.
TRUSTEE struct
    pMultipleTrustee            dword ?     ;PTRUSTEE
    MultipleTrusteeOperation    dword ?     ; MULTIPLE_TRUSTEE_OPERATION
    TrusteeForm                 dword ?     ;TRUSTEE_FORM
    TrusteeType                 dword ?     ;TRUSTEE_TYPE
    ptstrName                   dword ?     ;LPTSTR
TRUSTEE ends
; EXPLICIT_ACCESS - one access-control entry request: three dwords followed by
; an embedded TRUSTEE record.
; NOTE(review): the code that fills and consumes this structure is outside this
; excerpt; presumably it is used to add an ACE to an object's DACL - confirm
; against the caller.
EXPLICIT_ACCESS struct
    grfAccessPermissions    DWORD ?         ; access mask being requested
    grfAccessMode           dword ?         ;ACCESS_MODE
    grfInheritance          DWORD ?         ;
    Trustee                 TRUSTEE <>      ; embedded TRUSTEE, default-initialised
EXPLICIT_ACCESS ends
; MyGATE - 8-byte gate descriptor layout (32-bit target offset split into two
; 16-bit halves around the selector, count and type bytes).
MyGATE struct                   ; gate structure type definition
    OFFSETL     WORD ?          ; low 16 bits of the 32-bit offset
    SELECTOR    WORd ?          ; selector
    DCOUNT      BYTE ?          ; dword (parameter) count field
    GTYPE       BYTE ?          ; type
    OFFSETH     WORD ?          ; high 16 bits of the 32-bit offset
MyGATE ends
; Forward declarations; both procedures take a single dword argument and are
; implemented outside this excerpt.
; NOTE(review): judging by the name and the ACL structures declared above, the
; first presumably changes the access rights on the physical-memory section so
; that it can be opened for writing - confirm against the implementation.
SetPhyscialMemorySectionCanBeWrited proto :dword
; NOTE(review): presumably translates a virtual address into a physical one -
; confirm against the implementation.
MiniMmGetPhysicalAddress            proto :dword
; ENTERRING0 - prologue for code that runs at ring 0.
;   * saves all general registers and EFLAGS on the stack,
;   * disables maskable interrupts,
;   * clears CR0 bit 16 (WP), so supervisor-mode writes are no longer stopped
;     by read-only page protection.
; Clobbers eax (the pushad image keeps the caller's value). Must be paired with
; LEAVERING0; `mov eax,cr0` is privileged and faults outside ring 0.
; Security note: while WP is clear the kernel's read-only mappings are
; writable from this code path, which is why the window is kept inside cli.
ENTERRING0 macro
    pushad                      ; save eax..edi
    pushfd                      ; save EFLAGS (including IF)
    cli                         ; no interrupts while WP is off
    mov eax,cr0                 ; read control register 0
    and eax,0fffeffffh          ; clear bit 16 (WP): drop read-only write protection
    mov cr0,eax
endm
; LEAVERING0 - epilogue matching ENTERRING0: turns CR0.WP back on, re-enables
; interrupts, restores EFLAGS and the general registers in the reverse order
; of the pushes, then returns with a far return.
; NOTE(review): WP is set unconditionally rather than restored from a saved
; CR0 value, so the state on exit is "WP on" regardless of the state on entry.
; NOTE(review): retf implies the routine was entered through a far transfer
; (the Callgt variable suggests a call gate) - confirm against the caller.
LEAVERING0 macro
    mov eax,cr0
    or eax,10000h               ; set bit 16 (WP): read-only protection back on
    mov cr0,eax
    sti                         ; interrupts back on
    popfd                       ; restore saved EFLAGS
    popad                       ; restore saved general registers
    retf                        ; far return to the caller's cs:eip
endm
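; UNICODE_STR <text>
; Emits <text> as 16-bit characters: every source character is written as one
; byte followed by a zero byte. No terminating null is emitted, so the caller
; computes the length with `$ - label`. Only correct for characters that fit
; in a single byte.
; NOTE(review): the page showed `irpc _c,` with no operand and typographic
; quotes around &_c; the <str> operand (most likely stripped as if it were an
; HTML tag) and the ASCII quote delimiters are restored here so the macro
; assembles.
UNICODE_STR macro str
    irpc _c,<str>               ; iterate over the characters of the argument
        db '&_c'                ; low byte: the character itself
        db 0                    ; high byte: zero
    endm
endm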
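; ---------------------------------------------------------------------------
; Data for the program. The page rendered string delimiters as typographic
; quotes, which MASM does not accept; they are restored to ASCII ' here. The
; string contents themselves are unchanged.
;
; Defender note: the two object names below are the interesting artefacts in
; this listing. A single process that opens a raw \\.\PhysicalDriveN handle and
; a section handle on \Device\PhysicalMemory is worth alerting on. User-mode
; opens of \Device\PhysicalMemory are refused from Windows Server 2003 SP1
; onward, so this technique targets older NT-family systems (the caption names
; Windows XP).
; ---------------------------------------------------------------------------
.data?
GdtLimit    dw ?                        ; GDT limit; with GdtAddr forms a 6-byte limit:base image
GdtAddr     dd ?                        ; GDT base address
                                        ; NOTE(review): presumably filled by sgdt - the store is outside this excerpt
mapAddr     dd ?                        ; NOTE(review): presumably the address of a mapped view - confirm
OldEsp      dd ?                        ; NOTE(review): presumably a saved stack pointer - confirm

readed      dw ?

Buffer      db 512 dup(?)               ; 512-byte transfer buffer

.data
FileName    db '\\.\PHYSICALDRIVE0',0   ; Win32 device path of the first physical disk (raw access)
            align 4                     ; dword alignment
readed1     dd 0
hFile       dd 0
ErrCreate   db '请在NT下运行该程序!',0      ; message text: "Please run this program under NT!"
ErrRead     db '读盘错误!',0               ; message text: "Disk read error!"

; Counted 16-bit string header for the object name, laid out as
; Length (word), MaximumLength (word), Buffer pointer (dword).
; NOTE(review): MaximumLength is Length+2 although UNICODE_STR emits no
; terminator, so the two extra bytes belong to whatever follows the string.
            align 4
objname     dw objnamestr_size,objnamestr_size+2
objnameptr  dd 0                        ; NOTE(review): presumably set to offset objnamestr at run time - confirm
objnamestr  equ this byte
            UNICODE_STR <\Device\PhysicalMemory>
objnamestr_size equ $-objnamestr

            align 4
ObjAttr     db 24 dup (0)               ; 24 zero bytes; NOTE(review): presumably an OBJECT_ATTRIBUTES image - confirm
IsIdtFlag   dd 0
Callgt      dq 0                        ;call gate's sel:off
Caption     db '天龙还原精灵卸载器2.0 FOR:WINXP',0
                                        ; caption text: "Tianlong Restore Wizard Uninstaller 2.0 FOR:WINXP"
ShowText    db '该程序用来卸载还原类软件 by:风般的男人(www.lsky.net www.hacksoft.com)',0
                                        ; text: "This program is used to uninstall restore-type software", then author credit

.code
; _Ring0Proc begins here. Only its first two statements are present on the
; page; the rest of the procedure body is missing from this excerpt.
_Ring0Proc PROC                         ; Ring0 code here..
    ENTERRING0
    mov dx,1f6h                         ;Drive and head port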