read-bios.rar biossave.cpp

www.pudn.com > read-bios.rar > biossave.cpp
// biossave.cpp : 定义应用程序的入口点。 
// 
#include "stdafx.h" 
#include "biossave.h" 
#define MAX_LOADSTRING 100 
 
typedef struct _UNICODE_STRING { 
  USHORT  Length;//长度 
  USHORT  MaximumLength;//最大长度 
  PWSTR  Buffer;//缓存指针，访问物理内存时，此处指向UNICODE字符串"\device\physicalmemory" 
} UNICODE_STRING,*PUNICODE_STRING; 
 
 
typedef struct _OBJECT_ATTRIBUTES { 
    ULONG Length;//长度 18h 
    HANDLE RootDirectory;//  00000000 
    PUNICODE_STRING ObjectName;//指向对象名的指针 
    ULONG Attributes;//对象属性00000040h 
    PVOID SecurityDescriptor;        // Points to type SECURITY_DESCRIPTOR，0 
    PVOID SecurityQualityOfService;  // Points to type SECURITY_QUALITY_OF_SERVICE，0 
} OBJECT_ATTRIBUTES; 
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES; 
 
typedef DWORD  (__stdcall *ZWOS)(PHANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES); 
typedef DWORD  (__stdcall *ZWMV)(HANDLE,HANDLE,PVOID,ULONG,ULONG,PLARGE_INTEGER,PSIZE_T,DWORD,ULONG,ULONG); 
typedef DWORD  (__stdcall *ZWUMV)(HANDLE,PVOID); 
 
 
// 全局变量： 
HINSTANCE hInst;								// 当前实例 
TCHAR szTitle[MAX_LOADSTRING];					// 标题栏文本 
TCHAR szWindowClass[MAX_LOADSTRING];			// 主窗口类名 
 
 
// 此代码模块中包含的函数的前向声明： 
int APIENTRY _tWinMain(HINSTANCE hInstance, 
                     HINSTANCE hPrevInstance, 
                     LPTSTR    lpCmdLine, 
                     int       nCmdShow) 
{ 
 	// TODO: 在此放置代码。 
	MSG msg; 
	HACCEL hAccelTable; 
	UNICODE_STRING struniph; 
	OBJECT_ATTRIBUTES obj_ar; 
	ZWOS ZWopenS; 
	ZWMV ZWmapV; 
	ZWUMV ZWunmapV; 
	HANDLE hSection; 
	HMODULE hinstLib; 
	DWORD ba; 
	LARGE_INTEGER so; 
	SIZE_T ssize; 
	so.LowPart=0x000f0000;//物理内存的基址，就是f000:0000 
	so.HighPart=0x00000000; 
	ssize=0xffff; 
	wchar_t strPH[30]=L"\\device\\physicalmemory"; 
	FILE *f1; 
 
	// 初始化全局字符串 
	//变量初始化 
    ba=0;//联系后的基址将在这里返回 
    struniph.Buffer=strPH; 
	struniph.Length=0x2c;//注意大小是按字节算 
	struniph.MaximumLength =0x2e;//也是字节 
    obj_ar.Attributes =64;//属性 
	obj_ar.Length =24;//OBJECT_ATTRIBUTES类型的长度 
	obj_ar.ObjectName=&struniph;//指向对象的指针 
	obj_ar.RootDirectory=0; 
	obj_ar.SecurityDescriptor=0; 
    obj_ar.SecurityQualityOfService =0; 
//读入ntdll.dll,得到函数地址 
    hinstLib = LoadLibrary("ntdll.dll"); 
	ZWopenS=(ZWOS)GetProcAddress(hinstLib,"ZwOpenSection"); 
    ZWmapV=(ZWMV)GetProcAddress(hinstLib,"ZwMapViewOfSection"); 
	ZWunmapV=(ZWUMV)GetProcAddress(hinstLib,"ZwUnmapViewOfSection"); 
//调用函数，对物理内存进行映射 
    ZWopenS(&hSection,4,&obj_ar); 
	ZWmapV((HANDLE)hSection,(HANDLE)0xffffffff,&ba,0,0xffff,&so,&ssize,1,0,2); 
    f1=fopen("bios.mem","wb+"); 
	fwrite((void*)ba,65536,1,f1); 
	fclose(f1); 
	MessageBox(NULL,"Bios saved to bios.mem!","Save OK",MB_OK); 
	return 0; 
 
}