WIN32和Kernel)直接读写硬盘扇区

第一篇写技术的文章哦,以前好少写文章,我的文字表达很差劲,大家不要笑哦.
前几天仙剑4通关了,感觉好惆怅,什么都不想去做.今天看了一下书发现一篇比较好玩的文章,于是自己静静地实践一番.文章是<基于硬盘保留扇区的软件保护方法(作者:熊志勇)>,内容是介绍了怎么读写硬盘保留扇区.以下是我的学习日记.

这里是摘自文章里的一个表:硬盘的总体结构
***********************************************************************
编号       名称                                     备注
1          主引导扇区(含硬盘分区表)            占用一个扇区空间(一个扇区空间为512字节)
2          保留扇区(操作系统不使用的扇区)    占用62个扇区空间
3          第一个分区                              C:盘
4          扩展主引导扇区(含扩展分区表)       一个扇区空间(只有存在扩展分区是才存在)
5          保留扇区                                占用62个扇区空间
6          第2个分区                               D:盘
7          下一个扩展主引导扇区                 只有分区链没结束才存在
8          ......                                    ......
***********************************************************************

通常的软件保护都会向编号为2的保留扇区写一些软件注册信息呀,等等的东西.
而要读写这个没被操作系统利用的部分作者已经给出了代码(幸福呀,不用自己找).

//以下是已经做好的一个函数

BOOL ReadPhysicalSector(unsigned long SectorStart, unsigned long SectorCount, unsigned char *p)

{

unsigned long BytesPerSector = 512;

unsigned long nBytes;

char Drive[] = "////.//PHYSICALDRIVE0";

BOOL result = FALSE;

HANDLE hDeviceHandle = CreateFile(Drive,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,0,0);

if(hDeviceHandle)

{

long pointer;

long phigh;

pointer = SectorStart;

pointer = pointer*BytesPerSector;

phigh = pointer>>32;

SetFilePointer(hDeviceHandle,(unsigned long)pointer,&phigh,FILE_BEGIN);

if(ReadFile(hDeviceHandle,p,SectorCount*BytesPerSector,&nBytes,NULL))

result = TRUE;

CloseHandle(hDeviceHandle);

}

return result;

}

//调用就这样

int main(int argc, char* argv[])

{

unsigned long SectorStart = 0;//比如我要读的是编号为的那个扇区开始的数据,这里写

//如果读的是从第扇区开始后的数据这里就写

unsigned long SectorCount = 1;//读多少个扇区,这里是个

unsigned char p[512];//一个扇区数据量是字节呀

ReadPhysicalSector(SectorStart, SectorCount, p);

for(int i=0;i<512;i++)//输出的

{

printf("%02X ",p[i]);

if(i%26==0)

printf(" ");

}

return 0;

}

以上的代码都是读的,那如果要写就把ReadFile改成WriteFile呀.要注意的是别乱写了分区表了,很难恢复的.小心用WriteFile呀.

以上的我就实现了,其实也是抄人家的代码,5555555没意思,突然间想把这些功能用驱动来实现.
想就快呀,第一时间上网找ZwWriteFile,ZwReadFile的使用啦,想不到在baidu搜的都是怎么hook ZwWriteFile,ZwReadFile他们的文章,555555那个简单啦,不就改改SSDT然后自己定义函数嘛.
但是......ZwWriteFile,ZwReadFile怎么用的文章几乎没有的.天呀!好惨!

接着我看好久的DDK文档,看了很久ZwWriteFile,ZwReadFile的函数原型,就一步步写出以下的代码出来,经过了n的n次方次的失败后终于......成功读取了第一个扇区的数据了.

#include<ntddk.h>

//--------------------------------------------------------------------

VOID ReadPhysicalSector(unsigned long SectorCount, unsigned char *p)

{

unsigned long BytesPerSector = 512;

WCHAR* name = L"//??//PHYSICALDRIVE0";//这个找了好久呀,原来要这样写的

NTSTATUS ntStatus;

HANDLE hDeviceHandle;

IO_STATUS_BLOCK IoStatusBlock;

IO_STATUS_BLOCK IoStatusBlockR;

OBJECT_ATTRIBUTES ObjectAttributesL;

UNICODE_STRING UniFileNameL;

LARGE_INTEGER ByteOffset;

RtlInitUnicodeString(&UniFileNameL,name);

InitializeObjectAttributes( &ObjectAttributesL,

&UniFileNameL,

OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE,

NULL,

NULL);

ntStatus = ZwCreateFile(&hDeviceHandle,

GENERIC_READ,

&ObjectAttributesL,

&IoStatusBlock,

NULL,

0,

FILE_SHARE_READ,

FILE_OPEN,

FILE_SYNCHRONOUS_IO_ALERT,

NULL,

0);

if( NT_SUCCESS(ntStatus) )

{

DbgPrint("Open Success");

ByteOffset.LowPart = FILE_USE_FILE_POINTER_POSITION;

ByteOffset.HighPart = -1;

ntStatus = ZwReadFile(  hDeviceHandle,

NULL,

NULL,

NULL,

&IoStatusBlockR,

p,

SectorCount*BytesPerSector,

&ByteOffset,

NULL);

if( NT_SUCCESS(ntStatus) )

{

DbgPrint("Read Success");

}

}

ZwClose(hDeviceHandle);

}

//--------------------------------------------------------------------

VOID OnUnload(IN PDRIVER_OBJECT DriverObject)

{

DbgPrint("     88  ");

}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath)

{

unsigned long SectorCount = 1;

unsigned char p[512];

int i;

DriverObject->DriverUnload = OnUnload;

DbgPrint("Hi");

ReadPhysicalSector(SectorCount, p);

for(i=0;i<512;i++)

DbgPrint("%02X ",p[i]);

return STATUS_SUCCESS;

}

终于读取成功了,写就Read改成Write呀,哎....其实我都是刚刚学什么都不会,看了好久DDK文档才挤出上面几行代码.....但是现在我最不明白的就是ZwReadFile中怎么定位指针的位置呢,比如我想在第2个扇区开始读应该怎么写呢?55555555不想啦,很烦啊.....有高手路过就批一下啦,最好教一下我.

好啦今天一起床,想了想,又看了看DDK终于将以上的问题解决了,可以任意读取某一个扇区了~~~~~~~~~~~心情当然非常激动啦~~~啦~~~啦~

原来错误就在这两句里面,DDK误导人的,还是我的英文差呢~~~~~~好啦~~~其实DDK是这么说的:

ByteOffset

Pointer to a variable that specifies the starting byte offset in the file where the read operation will begin. If an attempt is made to read beyond the end of the file, ZwReadFile returns an error.

If the call to ZwCreateFile set either of the CreateOptions flags FILE_SYNCHRONOUS_IO_ALERT or FILE_SYNCHRONOUS_IO_NONALERT, the I/O Manager maintains the current file position. If so, the caller ofZwReadFile can specify that the current file position offset be used instead of an explicit ByteOffset value. This specification can be made by using one of the following methods:

● Specify a pointer to a LARGE_INTEGER value with the HighPart member set to -1 and the LowPartmember set to the system-defined value FILE_USE_FILE_POINTER_POSITION.

● Pass a NULL pointer for ByteOffset.

ZwReadFile updates the current file position by adding the number of bytes read when it completes the read operation, if it is using the current file position maintained by the I/O Manager.

Even when the I/O Manager is maintaining the current file position, the caller can reset this position by passing an explicit ByteOffset value to ZwReadFile. Doing this automatically changes the current file position to that ByteOffset value, performs the read operation, and then updates the position according to the number of bytes actually read. This technique gives the caller atomic seek-and-read service.

//今天不按照它说的来做,

ByteOffset.LowPart = FILE_USE_FILE_POINTER_POSITION;

ByteOffset.HighPart = -1;

//改成:

ByteOffset.QuadPart = //第几个字节;

//终于成功了:

代码如下:

#include<ntddk.h>

//--------------------------------------------------------------------

VOID ReadPhysicalSector(unsigned long SectorStart,unsigned long SectorCount,unsigned char *p)

{

unsigned long BytesPerSector = 512;

WCHAR* name = L"//??//PHYSICALDRIVE0";//这个找了好久呀,原来要这样写的

NTSTATUS ntStatus;

HANDLE hDeviceHandle;

IO_STATUS_BLOCK IoStatusBlock;

IO_STATUS_BLOCK IoStatusBlockR;

OBJECT_ATTRIBUTES ObjectAttributesL;

UNICODE_STRING UniFileNameL;

LARGE_INTEGER ByteOffset;

RtlInitUnicodeString(&UniFileNameL,name);

InitializeObjectAttributes( &ObjectAttributesL,

&UniFileNameL,

OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE,

NULL,

NULL);

ntStatus = ZwCreateFile(&hDeviceHandle,

GENERIC_READ,

&ObjectAttributesL,

&IoStatusBlock,

NULL,

0,

FILE_SHARE_READ,

FILE_OPEN,

FILE_SYNCHRONOUS_IO_ALERT,

NULL,

0);

if( NT_SUCCESS(ntStatus) )

{

DbgPrint("Open Success");

//      ByteOffset.LowPart = FILE_USE_FILE_POINTER_POSITION;

//      ByteOffset.HighPart = -1;不要用这两句换成下面一句,DDK误导人啊~~~~~

ByteOffset.QuadPart = SectorStart*BytesPerSector;//是这句了

ntStatus = ZwReadFile(  hDeviceHandle,

NULL,

NULL,

NULL,

&IoStatusBlockR,

p,

SectorCount*BytesPerSector,

&ByteOffset,

NULL);

if( NT_SUCCESS(ntStatus) )

{

DbgPrint("Read Success");

}

}

ZwClose(hDeviceHandle);

}

//--------------------------------------------------------------------

VOID OnUnload(IN PDRIVER_OBJECT DriverObject)

{

DbgPrint("     88  ");

}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath)

{

unsigned long SectorStart = 63;//现在是读扇区啦

unsigned long SectorCount = 1;

unsigned char p[512];

int i;

DriverObject->DriverUnload = OnUnload;

DbgPrint("Hi");

ReadPhysicalSector(SectorStart ,SectorCount, p);

for(i=0;i<512;i++)

DbgPrint("%02X ",p[i]);

return STATUS_SUCCESS;

}

http://blog.csdn.net/cooblily/article/details/1737703