Reading the BIOS through a driver

The idea is to use the contents of the BIOS as a hardware marker for copy protection. The application checks specific BIOS contents, such as the motherboard date or the vendor string; if they match what the licensed machine is expected to have, the program runs normally, otherwise it treats itself as a pirated copy and refuses to run. This gives something resembling a hardware dongle.

How do we get at the BIOS contents? Once a driver has taken us into ring 0, the kernel's own APIs are available, and one simple function does the job: MmMapIoSpace. The DDK documents it as

PVOID MmMapIoSpace(IN PHYSICAL_ADDRESS PhysicalAddress, IN ULONG NumberOfBytes, IN MEMORY_CACHING_TYPE CacheType);

whereas the masm32v8 declaration has four parameters:

MmMapIoSpace proto stdcall :DWORD, :DWORD, :DWORD, :DWORD

Why the different count? The first parameter is a PHYSICAL_ADDRESS structure passed by value, not a pointer to it, and that structure is 64 bits wide (a LARGE_INTEGER), so in masm32 it occupies two DWORD slots and the call takes four DWORDs in total. The call is simply

invoke MmMapIoSpace, <low 32 bits of the physical address>, <high 32 bits>, <length>, MmNonCached

On success it returns the virtual address the physical range has been mapped to, otherwise NULL; reading through that address reads the physical memory. The BIOS starts at F000:0 in real mode, that is physical address 0F0000h, and is 64 KiB (10000h bytes) long, so a single line maps it:

invoke MmMapIoSpace, 0f0000h, 0, 64*1024, MmNonCached ; map the BIOS's physical range to a virtual address, returned in eax

The driver then copies the bytes at that address into the I/O manager's system buffer, which is how they reach the ring-3 application. Two points the original listing does not handle: the mapping must be released with MmUnmapIoSpace (same base address and length) once the copy is done, otherwise every IOCTL leaks a 64 KiB kernel mapping; and because the request uses METHOD_BUFFERED, SystemBuffer is a single buffer of max(InputBufferLength, OutputBufferLength), so before writing 10000h bytes into it the driver has to verify OutputBufferLength >= 10000h (and InputBufferLength >= 30 before reading the key), or a caller passing a small output buffer overruns kernel pool. The listing below adds both checks.

bios_test.bat is both the driver source and its build script: its first line, `;goto make`, is a comment to MASM but, when the file is run as a batch file, jumps to the `:make` label at the end, which assembles and links the same file into bios_test.sys. bios_test.asm is the ring-3 program that installs and starts the driver, sends the IOCTL, and writes the returned BIOS contents to bios_tst.bin as raw binary; view it with a hex editor. In real use one would pass a random key to the driver and have the driver encrypt the BIOS contents with it before returning them, which makes the scheme somewhat harder to crack; the driver already copies the caller's first 30 bytes into key_1 for that purpose, and filling in the transform is straightforward.

Some caveats before relying on this as a licence lock. The comparison itself runs in ring 3, so whoever can patch the application, or replay a saved bios_tst.bin to it, defeats the check, and a fixed-key transform inside the driver only hides the bytes from a casual look at the IOCTL buffer, since the key is in the application. The BIOS date and vendor strings are identical on every board running the same firmware build, so the check ties the licence to a firmware version rather than to one machine. The code is 32-bit (`.386`, flat model, tested on XP and Vista); on x64 from Vista onward a kernel driver has to be signed before it can be loaded. On UEFI firmware without a legacy compatibility module the region at F000:0 may not hold a legacy BIOS image at all, and from Vista onward the SMBIOS tables (vendor, version, date) are readable from user mode without any driver through GetSystemFirmwareTable.

The source follows; it was built with masm32v8 and kmdkit1.8 and debugged under XP and Vista.

```asm
;goto make
; File: bios_test.bat   Author: 盛玉增   2009-10-20
; Built with masm32v8 and kmdkit1.8; tested on WinXP and Vista.
.386
.model flat, stdcall
option casemap:none

include \masm32\include\w2k\ntstatus.inc
include \masm32\include\w2k\ntddk.inc
include \masm32\include\w2k\ntoskrnl.inc
includelib \masm32\lib\w2k\ntoskrnl.lib
include \masm32\Macros\Strings.mac

IOCTL_GET_INFO equ CTL_CODE(FILE_DEVICE_UNKNOWN, 800h, METHOD_BUFFERED, FILE_READ_ACCESS + FILE_WRITE_ACCESS)

.const
CCOUNTED_UNICODE_STRING "\Device\bios_test", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "\??\bios_test", g_usSymbolicLinkName, 4

.data
buff1  db 128*512 dup (0f6h)   ; 64 KiB scratch buffer (not used by the code below)
key_1  db 32 dup (0)           ; bytes sent by the caller, kept as a key for the encrypt-on-return idea

.code
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                            DispatchCreateClose
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DispatchCreateClose proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
    ; CreateFile was called, to get driver handle
    ; CloseHandle was called, to close driver handle
    ; In both cases we are in user process context here
    mov eax, pIrp
    assume eax:ptr _IRP
    mov eax.IoStatus.Status, STATUS_SUCCESS
    and eax.IoStatus.Information, 0
    assume eax:nothing
    fastcall IofCompleteRequest, pIrp, IO_NO_INCREMENT
    mov eax, STATUS_SUCCESS
    ret
DispatchCreateClose endp

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                              DispatchControl
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DispatchControl proc uses esi edi pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
    local status:NTSTATUS
    local dwBytesReturned:DWORD      ; number of bytes actually returned
    local pMapped:DWORD              ; added: mapped virtual address, kept so it can be unmapped

    and dwBytesReturned, 0
    mov esi, pIrp
    assume esi:ptr _IRP
    IoGetCurrentIrpStackLocation esi
    mov edi, eax
    assume edi:ptr IO_STACK_LOCATION
    .if edi.Parameters.DeviceIoControl.IoControlCode == IOCTL_GET_INFO
        ; METHOD_BUFFERED: SystemBuffer is one buffer of max(input, output) length.
        ; 30 bytes of key are read from it and 10000h bytes are written back,
        ; so both lengths are checked (the original only compared one length against 30).
        .if (edi.Parameters.DeviceIoControl.InputBufferLength >= 30) && (edi.Parameters.DeviceIoControl.OutputBufferLength >= 10000h)
            mov eax, esi.AssociatedIrp.SystemBuffer
            pushad
            push eax                    ; keep SystemBuffer for the copy below
            mov esi, eax
            mov ecx, 30
            mov edi, offset key_1
            cld
            rep movsb                   ; save the caller's data in key_1, to serve as the encryption key
            invoke MmMapIoSpace, 0f0000h, 0, 64*1024, MmNonCached   ; map physical F0000h..FFFFFh; virtual address in eax
            cmp eax, 0                  ; eax = 0 means the mapping failed
            jnz next_1
            jmp next_2
next_1:
            mov pMapped, eax
            mov esi, eax
            pop edi                     ; edi = SystemBuffer
            mov ecx, 10000h
            rep movsb                   ; copy the 64 KiB BIOS image into SystemBuffer
            invoke MmUnmapIoSpace, pMapped, 64*1024   ; added: release the mapping
            popad
            mov dwBytesReturned, 128*512
            mov status, STATUS_SUCCESS
            jmp next_3
next_2:
            pop eax
            popad
            mov status, STATUS_INVALID_DEVICE_REQUEST
next_3:
        .else
            mov status, STATUS_BUFFER_TOO_SMALL
        .endif
    .else
        mov status, STATUS_INVALID_DEVICE_REQUEST
    .endif
    assume edi:nothing
    push status
    pop esi.IoStatus.Status
    push dwBytesReturned
    pop esi.IoStatus.Information
    assume esi:nothing
    fastcall IofCompleteRequest, esi, IO_NO_INCREMENT
    mov eax, status
    ret
DispatchControl endp

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                               DriverUnload
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DriverUnload proc pDriverObject:PDRIVER_OBJECT
    ; ControlService, SERVICE_CONTROL_STOP was called
    ; We are in System process (pid = 8) context here
    invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName
    mov eax, pDriverObject
    invoke IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject
    ret
DriverUnload endp

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                      D I S C A R D A B L E   C O D E
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.code INIT

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                DriverEntry
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
    ; StartService was called
    ; We are in System process (pid = 8) context here
    local status:NTSTATUS
    local pDeviceObject:PDEVICE_OBJECT

    mov status, STATUS_DEVICE_CONFIGURATION_ERROR
    invoke IoCreateDevice, pDriverObject, 0, addr g_usDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, addr pDeviceObject
    .if eax == STATUS_SUCCESS
        invoke IoCreateSymbolicLink, addr g_usSymbolicLinkName, addr g_usDeviceName
        .if eax == STATUS_SUCCESS
            mov eax, pDriverObject
            assume eax:ptr DRIVER_OBJECT
            mov eax.MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)], offset DispatchCreateClose
            mov eax.MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)], offset DispatchCreateClose
            mov eax.MajorFunction[IRP_MJ_DEVICE_CONTROL*(sizeof PVOID)], offset DispatchControl
            mov eax.DriverUnload, offset DriverUnload
            assume eax:nothing
            mov status, STATUS_SUCCESS
        .else
            invoke IoDeleteDevice, pDeviceObject
        .endif
    .endif
    mov eax, status
    ret
DriverEntry endp

end DriverEntry

:make
set drv=bios_test
\masm32\bin\ml /nologo /c /coff %drv%.bat
\masm32\bin\link /nologo /driver /base:0x10000 /align:32 /out:%drv%.sys /subsystem:native /ignore:4078 %drv%.obj
del %drv%.obj
pause
```

```asm
; File: bios_test.asm   Author: 盛玉增   2009-10-20
; Built with masm32v8 and kmdkit1.8; tested on WinXP and Vista.
; Reads the BIOS through the driver under WinXP.
.386
.model flat, stdcall
option casemap:none

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                          I N C L U D E   F I L E S
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\advapi32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\advapi32.lib
include \masm32\include\winioctl.inc
include \masm32\Macros\Strings.mac

IOCTL_GET_INFO equ CTL_CODE(FILE_DEVICE_UNKNOWN, 800h, METHOD_BUFFERED, FILE_READ_ACCESS + FILE_WRITE_ACCESS)

; Macro definition for defining IOCTL and FSCTL function control codes. Note
; that function codes 0-2047 are reserved for Microsoft Corporation, and
; 2048-4095 are reserved for customers.
;CTL_CODE MACRO DeviceType:=<0>, Function:=<0>, Method:=<0>, Access:=<0>
;    EXITM %(((DeviceType) SHL 16) OR ((Access) SHL 14) OR ((Function) SHL 2) OR (Method))
;ENDM

.const

.data
sysname      db "bios_test.sys", 0          ; driver file name
device       db "bios_test", 0
driver       db "bios_test Driver", 0
abyInBuffer  db 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,111,128,128,180,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 ; test data sent to the driver (its first 30 bytes become key_1)
abyOutBuffer db 128*512 dup (0)             ; receives the 64 KiB BIOS image from the driver
name_buffer  db "bios_tst.bin", 0           ; the BIOS image is saved to this file
ok_1         db "Read OK, see bios_tst.bin", 0
dwBytesReturned dd 0

.data?
hFile         HANDLE ?     ; file handle
SizeReadWrite DWORD ?      ; number of bytes actually written to the file

.code
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                   start
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
start proc uses esi edi
    local hSCManager:HANDLE
    local hService:HANDLE
    local acModulePath[MAX_PATH]:CHAR
    local _ss:SERVICE_STATUS
    local hDevice:HANDLE
    local acVersion[16]:CHAR

    ; Open a handle to the SC Manager database
    invoke OpenSCManager, NULL, NULL, SC_MANAGER_ALL_ACCESS
    .if eax != NULL
        mov hSCManager, eax
        ;invoke GetCurrentDirectory, sizeof g_acBuffer, addr g_acBuffer
        push eax                        ; stack slot for lpFilePart
        invoke GetFullPathName, addr sysname, sizeof acModulePath, addr acModulePath, esp
        pop eax
        ; Install service
        invoke CreateService, hSCManager, addr device, addr driver, SERVICE_START + SERVICE_STOP + DELETE, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, addr acModulePath, NULL, NULL, NULL, NULL, NULL
        .if eax != NULL
            mov hService, eax
            ; Driver's DriverEntry procedure will be called
            invoke StartService, hService, 0, NULL
            .if eax != 0
                ; Driver will receive I/O request packet (IRP) of type IRP_MJ_CREATE
                invoke CreateFile, $CTA0("\\.\bios_test"), GENERIC_READ + GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL
                .if eax != INVALID_HANDLE_VALUE
                    mov hDevice, eax
                    ; Driver will receive IRP of type IRP_MJ_DEVICE_CONTROL
                    invoke DeviceIoControl, hDevice, IOCTL_GET_INFO, addr abyInBuffer, sizeof abyInBuffer, addr abyOutBuffer, sizeof abyOutBuffer, addr dwBytesReturned, NULL
                    .if ( eax != 0 ) && ( dwBytesReturned != 0 )
                        invoke MessageBox, NULL, addr ok_1, $CTA0("bios_test"), MB_OK + MB_ICONINFORMATION
                        invoke CreateFile, ADDR name_buffer, GENERIC_READ or GENERIC_WRITE, FILE_SHARE_READ or FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_ARCHIVE, NULL
                        mov hFile, eax
                        invoke WriteFile, hFile, ADDR abyOutBuffer, 128*512, ADDR SizeReadWrite, NULL
                        invoke CloseHandle, hFile
tt_3:
                    .else
                        invoke MessageBox, NULL, $CTA0("DeviceIoControl failed."), NULL, MB_OK + MB_ICONSTOP
                    .endif
                    invoke CloseHandle, hDevice
                    ; Driver will receive IRP of type IRP_MJ_CLOSE
                .else
                    invoke Messag
                    ; the page's preview of bios_test.asm ends here
```
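As an added example (not code from the document or its author), here is what the ring-3 side of this scheme can do with the 64 KiB image the driver hands back: parse the classic fixed legacy-BIOS locations (the reset vector at F000:FFF0, the "MM/DD/YY" release date at F000:FFF5 and the system model byte at F000:FFFE), derive a fingerprint from them, compare it with a value baked in at build time, and undo the repeating-key XOR that one might put behind the driver's key_1 hook. The choice of FNV-1a as the fingerprint, the XOR transform, and the sample image are all assumptions of this example; the image is constructed, not a real BIOS dump.

```c
/* Added example: ring-3 handling of the 64 KiB image returned by the bios_test driver.
 * Offsets are the legacy fixed BIOS locations; the fingerprint and key transform are
 * this example's own choices, not the document's. The sample image is constructed. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BIOS_IMAGE_LEN 0x10000u   /* F000:0000..F000:FFFF, the range MmMapIoSpace maps */
#define BIOS_RESET_OFF 0xFFF0u    /* reset vector, normally EA ip_lo ip_hi cs_lo cs_hi */
#define BIOS_DATE_OFF  0xFFF5u    /* 8-character release date "MM/DD/YY" */
#define BIOS_MODEL_OFF 0xFFFEu    /* system model byte, 0xFC = PC/AT class */
#define KEY_LEN        30         /* bytes the driver copies into key_1 */

struct bios_fields {
    char     date[9];             /* NUL-terminated copy of the date string */
    uint8_t  model;
    int      reset_is_far_jmp;    /* 1 if the byte at FFF0 is the far-jmp opcode 0xEA */
    uint16_t reset_ip, reset_cs;
};

static int is_mmddyy(const char *s)
{
    for (int i = 0; i < 8; i++) {
        if (i == 2 || i == 5) { if (s[i] != '/') return 0; }
        else if (!isdigit((unsigned char)s[i])) return 0;
    }
    return 1;
}

/* 0 on success; -1 if the buffer is shorter than a full image or the date is malformed. */
int bios_parse_fields(const uint8_t *img, size_t len, struct bios_fields *out)
{
    if (img == NULL || out == NULL || len < BIOS_IMAGE_LEN) return -1;
    memcpy(out->date, img + BIOS_DATE_OFF, 8);
    out->date[8] = '\0';
    if (!is_mmddyy(out->date)) return -1;
    out->model = img[BIOS_MODEL_OFF];
    out->reset_is_far_jmp = (img[BIOS_RESET_OFF] == 0xEA);
    out->reset_ip = (uint16_t)(img[BIOS_RESET_OFF + 1] | (img[BIOS_RESET_OFF + 2] << 8));
    out->reset_cs = (uint16_t)(img[BIOS_RESET_OFF + 3] | (img[BIOS_RESET_OFF + 4] << 8));
    return 0;
}

static uint32_t fnv1a(uint32_t h, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* 32-bit FNV-1a over the fixed fields only; 0 means "not a full image". */
uint32_t bios_fingerprint(const uint8_t *img, size_t len)
{
    if (img == NULL || len < BIOS_IMAGE_LEN) return 0;
    uint32_t h = 2166136261u;
    h = fnv1a(h, img + BIOS_RESET_OFF, 5);
    h = fnv1a(h, img + BIOS_DATE_OFF, 8);
    return fnv1a(h, img + BIOS_MODEL_OFF, 1);
}

/* The "hardware lock": 1 if the image parses and its fingerprint matches the expected one. */
int bios_license_ok(const uint8_t *img, size_t len, uint32_t expected)
{
    struct bios_fields f;
    if (bios_parse_fields(img, len, &f) != 0) return 0;
    return bios_fingerprint(img, len) == expected;
}

/* Repeating-key XOR: applied by the driver before returning the image and again by the
 * caller to recover it. Self-inverse; it only hides the bytes from a casual look at the
 * IOCTL buffer and is not cryptographic protection, since the key lives in the caller. */
void key_xor(uint8_t *buf, size_t len, const uint8_t key[KEY_LEN])
{
    for (size_t i = 0; i < len; i++) buf[i] ^= key[i % KEY_LEN];
}

/* Constructed sample image (not a real BIOS dump): filler plus the fixed fields. */
const uint8_t *sample_image(void)
{
    static uint8_t img[BIOS_IMAGE_LEN];
    static const uint8_t reset[5] = { 0xEA, 0x5B, 0xE0, 0x00, 0xF0 }; /* jmp far F000:E05B */
    memset(img, 0xFF, sizeof img);
    memcpy(img + BIOS_RESET_OFF, reset, sizeof reset);
    memcpy(img + BIOS_DATE_OFF, "10/20/09", 8);
    img[BIOS_MODEL_OFF] = 0xFC;
    return img;
}

int main(void)
{
    struct bios_fields f;
    const uint8_t *img = sample_image();
    if (bios_parse_fields(img, BIOS_IMAGE_LEN, &f) != 0) return 1;
    printf("date %s model %02X reset %04X:%04X fingerprint %08X\n",
           f.date, f.model, f.reset_cs, f.reset_ip, bios_fingerprint(img, BIOS_IMAGE_LEN));
    return 0;
}
```

In a real build the expected fingerprint would be computed once from the licensed machine's bios_tst.bin and compiled into the program; bios_license_ok then fails on a short buffer, on a malformed date (which is what a mapping of non-BIOS memory looks like) and on any change to the fixed fields. Since the fields are shared by every board with the same firmware build, this distinguishes firmware versions, not individual machines.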