biossave.cpp

读BIOS的好代码.很有价值

// biossave.cpp : 定义应用程序的入口点。
//
#include "stdafx.h"
#include "biossave.h"
#define MAX_LOADSTRING 100

typedef struct _UNICODE_STRING {
  USHORT  Length;//长度
  USHORT  MaximumLength;//最大长度
  PWSTR  Buffer;//缓存指针，访问物理内存时，此处指向UNICODE字符串"\device\physicalmemory"
} UNICODE_STRING,*PUNICODE_STRING;


typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;//长度 18h
    HANDLE RootDirectory;//  00000000
    PUNICODE_STRING ObjectName;//指向对象名的指针
    ULONG Attributes;//对象属性00000040h
    PVOID SecurityDescriptor;        // Points to type SECURITY_DESCRIPTOR，0
    PVOID SecurityQualityOfService;  // Points to type SECURITY_QUALITY_OF_SERVICE，0
} OBJECT_ATTRIBUTES;
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;

typedef DWORD  (__stdcall *ZWOS)(PHANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES);
typedef DWORD  (__stdcall *ZWMV)(HANDLE,HANDLE,PVOID,ULONG,ULONG,PLARGE_INTEGER,PSIZE_T,DWORD,ULONG,ULONG);
typedef DWORD  (__stdcall *ZWUMV)(HANDLE,PVOID);


// 全局变量：
HINSTANCE hInst;								// 当前实例
TCHAR szTitle[MAX_LOADSTRING];					// 标题栏文本
TCHAR szWindowClass[MAX_LOADSTRING];			// 主窗口类名


// 此代码模块中包含的函数的前向声明：
int APIENTRY _tWinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPTSTR    lpCmdLine,
                     int       nCmdShow)
{
 	// TODO: 在此放置代码。
	MSG msg;
	HACCEL hAccelTable;
	UNICODE_STRING struniph;
	OBJECT_ATTRIBUTES obj_ar;
	ZWOS ZWopenS;
	ZWMV ZWmapV;
	ZWUMV ZWunmapV;
	HANDLE hSection;
	HMODULE hinstLib;
	DWORD ba;
	LARGE_INTEGER so;
	SIZE_T ssize;
	so.LowPart=0x000f0000;//物理内存的基址，就是f000:0000
	so.HighPart=0x00000000;
	ssize=0xffff;
	wchar_t strPH[30]=L"\\device\\physicalmemory";
	FILE *f1;

	// 初始化全局字符串
	//变量初始化
    ba=0;//联系后的基址将在这里返回
    struniph.Buffer=strPH;
	struniph.Length=0x2c;//注意大小是按字节算
	struniph.MaximumLength =0x2e;//也是字节
    obj_ar.Attributes =64;//属性
	obj_ar.Length =24;//OBJECT_ATTRIBUTES类型的长度
	obj_ar.ObjectName=&struniph;//指向对象的指针
	obj_ar.RootDirectory=0;
	obj_ar.SecurityDescriptor=0;
    obj_ar.SecurityQualityOfService =0;
//读入ntdll.dll,得到函数地址
    hinstLib = LoadLibrary("ntdll.dll");
	ZWopenS=(ZWOS)GetProcAddress(hinstLib,"ZwOpenSection");
    ZWmapV=(ZWMV)GetProcAddress(hinstLib,"ZwMapViewOfSection");
	ZWunmapV=(ZWUMV)GetProcAddress(hinstLib,"ZwUnmapViewOfSection");
//调用函数，对物理内存进行映射
    ZWopenS(&hSection,4,&obj_ar);
	ZWmapV((HANDLE)hSection,(HANDLE)0xffffffff,&ba,0,0xffff,&so,&ssize,1,0,2);
    f1=fopen("bios.mem","wb+");
	fwrite((void*)ba,65536,1,f1);
	fclose(f1);
	MessageBox(NULL,"Bios saved to bios.mem!","Save OK",MB_OK);
	return 0;

}