Read BIOS information for Windows

Source code description:

As we all know, Windows takes over direct access to physical memory, while BIOS information exists in physical memory.
F000: 0000, the key is how to read the physical memory.
After reading the msdn article, I found that the following functions are related to physical memory access:
Ntstatus zwopensection (Out phandle sectionhandle, in access_mask desiredaccess, in pobject_attributes objectattributes );
Ntstatus zwmapviewofsection (in handle sectionhandle,
In handle processhandle,
In out pvoid * baseaddress,
In ulong zerobits,
In ulong commitsize,
In out plarge_integer sectionoffset optional,
In out psize_t viewsize,
In section_inherit inheritdisposition,
In ulong allocationtype,
In ulong protect
);
Ntstatus zwunmapviewofsection (in handle processhandle, in pvoid baseaddress );

The structure used is defined as follows:

Typedef struct _ unicode_string {
Ushort length; // Length
Ushort maximumlength; // maximum length
Pwstr buffer; // cache pointer. when accessing the physical memory, this point points to the Unicode string "/device/physicalmemory"
} Unicode_string, * punicode_string;

Typedef struct _ object_attributes {
Ulong length; // The length is 18 h.
Handle rootdirectory; // 00000000
Punicode_string objectname; // pointer to Object Name
Ulong attributes; // object attribute 00000040 H
Pvoid securitydescriptor; // points to type security_descriptor, 0
Pvoid securityqualityofservice; // points to type security_quality_of_service, 0
} Object_attributes;
Typedef object_attributes * pobject_attributes;

Function Description
The first function zwopensection is used to open the Section. The first parameter is the pointer to the handle variable, the second is the access parameter, and the third is the pointer to object_attributes.
The second function zwmapviewofsection is used to establish a connection between the physical memory and a piece of physical memory of the current process. There are many parameters, which will be explained in detail in the routine.
The third function zwunmapviewofsection is used to disconnect the ing between the physical memory and the current process. The first parameter is the process handle, which must be the same when the second function is used.
Is the base address mapped in the current process, which is returned by zwmapviewofsection.

All these three functions are in Ntdll. dll. The help in msdn says these functions are used in driver preparation.
The routine is as follows:

// Structure Definition
Typedef struct _ unicode_string {
Ushort length; // Length
Ushort maximumlength; // maximum length
Pwstr buffer; // cache pointer
} Unicode_string, * punicode_string;

Typedef struct _ object_attributes {
Ulong length; // The length is 18 h.
Handle rootdirectory; // 00000000
Punicode_string objectname; // pointer to Object Name
Ulong attributes; // object attribute 00000040 H
Pvoid securitydescriptor; // points to type security_descriptor, 0
Pvoid securityqualityofservice; // points to type security_quality_of_service, 0
} Object_attributes;
Typedef object_attributes * pobject_attributes;

// Function pointer variable type life
Typedef DWORD (_ stdcall * zwos) (phandle, access_mask, pobject_attributes );
Typedef DWORD (_ stdcall * zwmv) (handle, handle, pvoid, ulong, ulong, plarge_integer, psize_t, DWORD, ulong, ulong );
Typedef DWORD (_ stdcall * zwumv) (handle, pvoid );
// The above is defined at the beginning of the program definition of global variables

// The following is in the main function of the program.
// Variable Declaration
Unicode_string struniph;
Object_attributes obj_ar;
Zwos zwopens;
Zwmv zwmapv;
Zwumv zwunmapv;
Handle hsection;
Dword ba;
Large_integer so;
Size_t ssize;
So. lowpart = 0x000f0000; // The base address of the physical memory, that is, f000: 0000.
So. highpart = 0x00000000;
Ssize = 0 xFFFF;
Wchar_t strph [30] = l "// device // physicalmemory ";
// Variable Initialization
BA = 0; // The base address after contact will be returned here
Struniph. Buffer = strph;
Struniph. Length = 0x2c; // note that the size is calculated by byte.
Struniph. maximumlength = 0x2e; // also a byte
Obj_ar.attributes = 64; // attribute
Obj_ar.length = 24; // length of the object_attributes type
Obj_ar.objectname = & struniph; // pointer to the object
Obj_ar.rootdirectory = 0;
Obj_ar.securitydescriptor = 0;
Obj_ar.securityqualityofservice = 0;
// Read NTDLL. DLL to obtain the function address.
Hinstlib = loadlibrary ("NTDLL. dll ");
Zwopens = (zwos) getprocaddress (hinstlib, "zwopensection ");
Zwmapv = (zwmv) getprocaddress (hinstlib, "zwmapviewofsection ");
Zwunmapv = (zwumv) getprocaddress (hinstlib, "zwunmapviewofsection ");
// Call the function to map the physical memory
Zwopens (& hsection, 4, & obj_ar );
Zwmapv (
(Handle) hsection, // handle obtained when the section is opened
(Handle) 0 xffffffff, // handle of the process to be mapped,
& Ba, // ing base address
0, // do not understand it. Set it to 0.
0 xFFFF, // allocated size
& So, // address of the physical memory
& Ssize, // pointer to the size of the READ memory block
1, // sets the inheritance of sub-Processes
0, // allocation type
2 // Protection Type
);
// After execution, a 64 K space will be opened in the space of the current process, and the content from f000: 0000 to f000: FFFF will be mapped here
// The BA ing base address is returned by Ba. If the ing is not useful, use zwunmapviewofsection to disconnect the ing.

 

The above procedures, I can pass, and finally view in bios. mem, but found that it is not understandable garbled code. Please help me solve the problem. From above

Http://www.chinaitpower.com