physmemworks.asm

来自「用汇编语言编写Windows驱动程序的工具」· 汇编 代码 · 共 123 行

;@echo off
;goto make

; Assembler setup: 80386 instruction set, flat 32-bit memory model with
; stdcall as the default calling convention, and case-sensitive symbols.
.386
.model flat, stdcall
option casemap:none

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                  I N C L U D E   F I L E S                                        
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

include \masm32\include\w2k\ntddk.inc
include \masm32\include\w2k\ntstatus.inc

include \masm32\include\kernel32.inc
include \masm32\include\w2k\ntdll.inc

includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\w2k\ntdll.lib

include \masm32\Macros\Strings.mac

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                         F U N C T I O N S   P R O T O T Y P E S                                   
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

include protos.inc

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                     C O N S T A N T S                                             
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

.const
; g_usPhysicalMemory: read-only counted Unicode string holding the object
; manager path of the physical-memory section, used by OpenPhysicalMemory.
; The trailing 4 is presumably the alignment argument of the macro from
; Strings.mac - confirm against that file.
CCOUNTED_UNICODE_STRING	"\\Device\\PhysicalMemory", g_usPhysicalMemory, 4

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                       C O D E                                                     
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

.code

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                    NtStatusToDosError                                             
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

; Translate an NTSTATUS code into the matching Win32 (DOS) error code.
; In:  status - NTSTATUS value to translate
; Out: eax    - whatever RtlNtStatusToDosError returns for that status
NtStatusToDosError proc status:NTSTATUS

	mov eax, status				; stage the argument in a register
	invoke RtlNtStatusToDosError, eax	; result comes back in eax
	ret

NtStatusToDosError endp

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                    OpenPhysicalMemory                                             
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

; Open the \Device\PhysicalMemory section object for read-only mapping.
; In:  nothing
; Out: eax - section handle, or NULL if the open did not produce one
;
; Only SECTION_MAP_READ is requested, so the handle cannot be used to map
; a writable view. The NTSTATUS returned by NtOpenSection is discarded
; (the 'status' local is never written), so callers cannot tell why an open
; failed; access-denied and object-not-found both come back as NULL.
; NOTE(review): user-mode access to this section is blocked on Windows
; Server 2003 SP1 and later, so expect NULL there.
; NOTE(review): nothing in this file closes the handle - presumably the
; caller is responsible for that; confirm.
OpenPhysicalMemory proc

local status:NTSTATUS
local hPhysMem:HANDLE
local oa:OBJECT_ATTRIBUTES

	; Clear the handle up front so a failed open returns NULL
	; (assumes NtOpenSection stores no handle on failure).
	and hPhysMem, NULL

	; Fill in oa: the named object, case-insensitive lookup, no root
	; directory and no security descriptor.
	lea ecx, oa
	InitializeObjectAttributes ecx, offset g_usPhysicalMemory, OBJ_CASE_INSENSITIVE, NULL, NULL

	; ecx is reused as the OBJECT_ATTRIBUTES pointer, so this relies on the
	; macro above leaving ecx pointing at oa - verify in ntddk.inc.
	invoke NtOpenSection, addr hPhysMem, SECTION_MAP_READ, ecx

	; Return the handle, not the status that NtOpenSection left in eax.
	mov eax, hPhysMem
	ret

OpenPhysicalMemory endp

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                       MapPhysicalMemory                                           
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

; Map a read-only view of the physical-memory section into this process.
; In:  hPhysMem       - section handle (see OpenPhysicalMemory)
;      pdwAddress     - in: low 32 bits of the physical address to map;
;                       out (success only): the section offset left in
;                       SectionOffset by the call, which the system may
;                       have adjusted
;      pdwLength      - in: number of bytes wanted; the same pointer is
;                       passed as the in/out view size
;      pdwBaseAddress - out: base address of the view; cleared first so the
;                       system chooses where to place it
; Out: eax - NTSTATUS from NtMapViewOfSection
;
; The high half of the section offset is always zero, so only addresses
; that fit in 32 bits can be requested. The view is PAGE_READONLY. None of
; the three pointers is validated before being dereferenced.
MapPhysicalMemory proc hPhysMem:HANDLE, pdwAddress:PDWORD, pdwLength:PDWORD, pdwBaseAddress:PDWORD

local status:NTSTATUS			; declared but never used
local SectionOffset:PHYSICAL_ADDRESS

	; *pdwBaseAddress = 0: no preferred address for the view
	mov edx, pdwBaseAddress
	mov dword ptr [edx], 0

	; SectionOffset = 0:*pdwAddress
	mov edx, pdwAddress
	mov edx, [edx]
	mov SectionOffset.LowPart, edx
	mov SectionOffset.HighPart, 0

	; ecx = requested length, passed by value as the commit size;
	; -1 is the current-process pseudo-handle
	mov ecx, pdwLength
	mov ecx, [ecx]
	invoke NtMapViewOfSection, hPhysMem, -1, pdwBaseAddress, 0, ecx, addr SectionOffset, pdwLength, ViewShare, 0, PAGE_READONLY

	; Only on STATUS_SUCCESS report back the offset actually used;
	; eax (the status) is left untouched for the caller.
	cmp eax, STATUS_SUCCESS
	jne @F
	mov edx, SectionOffset.LowPart
	mov ecx, pdwAddress
	mov [ecx], edx
@@:
	ret

MapPhysicalMemory endp

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                     UnmapPhysicalMemory                                           
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

; Remove a view previously mapped into the current process.
; In:  dwBaseAddress - base address of the view (as returned through
;                      pdwBaseAddress by MapPhysicalMemory)
; Out: eax - NTSTATUS from NtUnmapViewOfSection
UnmapPhysicalMemory proc dwBaseAddress:DWORD

	mov eax, dwBaseAddress			; view to release
	invoke NtUnmapViewOfSection, -1, eax	; -1 = current-process pseudo-handle
	ret

UnmapPhysicalMemory endp

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                                                                                   
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

end
