今天和夜月兄討論了一下在windows nt/2000/xp下如何讀取bios資訊,現在把結果向大家彙報一下。
大家都知道,windows接管了對實體記憶體的直接存取,而bios資訊存在實體記憶體的f000:0000處,關鍵就是如何讀取實體記憶體。
查閱了msdn的文章後,發現以下有幾個函數和實體記憶體訪問有關:
NTSTATUS ZwOpenSection(OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes);
NTSTATUS ZwMapViewOfSection(IN HANDLE SectionHandle,
IN HANDLE ProcessHandle,
IN OUT PVOID *BaseAddress,
IN ULONG ZeroBits,
IN ULONG CommitSize,
IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
IN OUT PSIZE_T ViewSize,
IN SECTION_INHERIT InheritDisposition,
IN ULONG AllocationType,
IN ULONG Protect
);
NTSTATUS ZwUnmapViewOfSection(IN HANDLE ProcessHandle,IN PVOID BaseAddress);
用到的結構定義如下
typedef struct _UNICODE_STRING {
USHORT Length;//長度
USHORT MaximumLength;//最大長度
PWSTR Buffer;//緩衝指標,訪問實體記憶體時,此處指向UNICODE字串"\device\physicalmemory"
} UNICODE_STRING,*PUNICODE_STRING;
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;//長度 18h
HANDLE RootDirectory;// 00000000
PUNICODE_STRING ObjectName;//指向對象名的指標
ULONG Attributes;//對象屬性00000040h
PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR,0
PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE,0
} OBJECT_ATTRIBUTES;
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
函數說明
第一個函數ZwOpenSection用來開啟section,第一個參數是指向HANDLE變數的指標,第二個是訪問參數,第三個是指向OBJECT_ATTRIBUTES的指標
第二個函數ZwMapViewOfSection用來建立實體記憶體和當前進程的一段實體記憶體的聯絡,參數很多,一會在常式裡再詳細解釋
第三個函數ZwUnmapViewOfSection用來斷開實體記憶體和當前進程中的映射斷開聯絡,第一個參數是進程控制代碼,必須掉用第二個函數時一樣,第二
個是當前進程中映射的基址,由ZwMapViewOfSection返回
這三個函數都在ntdll.dll中,msdn裡的協助說這幾個函數用在驅動編製上。
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
