How to read BIOS content in a Windows program

Today and night moon Brother discussed how to read BIOS information under Windows NT/2000/XP, now report the results to everyone.

As you know, Windows takes over direct access to physical memory, and BIOS information is f000:0000 the physical memory, and the key is how to read the physical memory.

After reviewing the MSDN article, you find several functions related to physical memory access:

NTSTATUS　ZwOpenSection(OUT PHANDLE　SectionHandle, IN ACCESS_MASK　DesiredAccess,IN POBJECT_ATTRIBUTES　ObjectAttributes);
NTSTATUS　ZwMapViewOfSection(IN HANDLE　SectionHandle,
　　　　　　　　　　　　　　 IN HANDLE　ProcessHandle,
　　　　　　　　　　　　　　 IN OUT PVOID　*BaseAddress,
　　　　　　　　　　　　　　 IN ULONG　ZeroBits,
　　　　　　　　　　　　　　 IN ULONG　CommitSize,
　　　　　　　　　　　　　　 IN OUT PLARGE_INTEGER　SectionOffset　OPTIONAL,
　　　　　　　　　　　　　　 IN OUT PSIZE_T　ViewSize,
　　　　　　　　　　　　　　 IN SECTION_INHERIT　InheritDisposition,
　　　　　　　　　　　　　　 IN ULONG　AllocationType,
　　　　　　　　　　　　　　 IN ULONG　Protect
　　　　　　　　　　　　　　 );
NTSTATUS　ZwUnmapViewOfSection(IN HANDLE　ProcessHandle,IN PVOID　BaseAddress);

The structure used is defined as follows

typedef struct _UNICODE_STRING {
　 USHORT　Length;//长度
　 USHORT　MaximumLength;//最大长度
　 PWSTR　Buffer;//缓存指针，访问物理内存时，此处指向UNICODE字符串"\device\physicalmemory"
} UNICODE_STRING,*PUNICODE_STRING;
typedef struct _OBJECT_ATTRIBUTES {
　　 ULONG Length;//长度 18h
　　 HANDLE RootDirectory;//　00000000
　　 PUNICODE_STRING ObjectName;//指向对象名的指针
　　 ULONG Attributes;//对象属性00000040h
　　 PVOID SecurityDescriptor;　　　　// Points to type SECURITY_DESCRIPTOR，0
　　 PVOID SecurityQualityOfService;　// Points to type SECURITY_QUALITY_OF_SERVICE，0
} OBJECT_ATTRIBUTES;
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;

Function description

The first function zwopensection to open the section, the first argument is the pointer to the handle variable, the second is the access parameter, and the third is the pointer to the Object_attributes

The second function, Zwmapviewofsection, is used to establish a link between physical memory and a physical memory of the current process, with many parameters, which are explained in detail in a routine.

The third function zwunmapviewofsection to disconnect the physical memory from the mappings in the current process, the first parameter is the process handle, and the second function must be dropped, and the second

is the base address of the map in the current process, returned by zwmapviewofsection

These three functions are in Ntdll.dll, and the MSDN help says these functions are used in driver programming.