本文代码在Win2k下试验乐成.
#include <WinIOCtl.h>
#include <stdio.h>
#pragma inline
//---------------------------------------------------------------------------
// IDE NT/2000/XP专用变量
#define GETVERSIONOUTPARAMS GETVERSIONINPARAMS
#define DFP_GET_VERSION SMART_GET_VERSION
#define DFP_SEND_DRIVE_COMMAND SMART_SEND_DRIVE_COMMAND
#define DFP_RCV_DRIVE_DATA SMART_RCV_DRIVE_DATA
const WORD IDE_ATAPI_IDENTIFY = 0xA1; // 读取ATAPI设备的呼吁
const WORD IDE_ATA_IDENTIFY = 0xEC; // 读取ATA设备的呼吁
const int MAX_IDE_DRIVES = 4;
// SCSI专用变量
const DWORD FILE_DEVICE_SCSI = 0x0000001B;
const DWORD IOCTL_SCSI_MINIPORT_IDENTIFY = ((FILE_DEVICE_SCSI << 16) + 0x0501);
const DWORD IOCTL_SCSI_MINIPORT = 0x0004D008; // see NTDDSCSI.H for definition
const DWORD SENDIDLENGTH = sizeof(SENDCMDOUTPARAMS) + IDENTIFY_BUFFER_SIZE;
typedef struct _SRB_IO_CONTROL
{
ULONG HeaderLength;
UCHAR Signature[8];
ULONG Timeout;
ULONG ControlCode;
ULONG ReturnCode;
ULONG Length;
}SRB_IO_CONTROL, *PSRB_IO_CONTROL;
// 读取的主函数
void __fastcall ReadPhysicalDrive(TStrings *pSerList, TStrings *pModeList);
// 帮助函数
char *__fastcall ConvertToString(DWORD dwDiskData[256], int nFirstIndex, int nLastIndex);
// NT/2000/XP函数
void __fastcall ReadPhysicalDriveOnNT(TStrings *pSerList, TStrings *pModeList);
bool __fastcall DoIdentify(HANDLE hPhysicalDriveIOCTL, PSENDCMDINPARAMS pSCIP,
PSENDCMDOUTPARAMS pSCOP, BYTE btIDCmd,
BYTE btDriveNum, PDWORD lpcbBYTEsReturned);
// Windows 9X函数
void __fastcall ReadPhysicalDriveOnW9X(TStrings *pSerList, TStrings *pModeList);
void __fastcall ReadPhysicalDriveOnW9X_Ring0(bool IsFirst, WORD BaseAddress,
BYTE MoS, bool &IsIDEExist, bool &IsDiskExist, WORD *OutData);
// SCSI读取函数(for NT/2000/XP)
String __fastcall ReadIDEDriveAsScsiDriveOnNT();
//---------------------------------------------------------------------------
// ReadPhysicalDrive
void __fastcall ReadPhysicalDrive(TStrings *pSerList, TStrings *pModeList)
{
switch(Win32Platform)
{
case VER_PLATFORM_WIN32_WINDOWS:
ReadPhysicalDriveOnW9X(pSerList, pModeList);
break;
case VER_PLATFORM_WIN32_NT:
ReadPhysicalDriveOnNT(pSerList, pModeList);
break;
default:
break;
}
}
//---------------------------------------------------------------------------
// ConvertToString
char *__fastcall ConvertToString(DWORD dwDiskData[256], int nFirstIndex, int nLastIndex)
{
static char szResBuf[1024];
int nIndex = 0;
int nPosition = 0;
// Each integer has two characters stored in it backwards
for(nIndex = nFirstIndex; nIndex <= nLastIndex; nIndex++)
{
// Get high BYTE for 1st character
szResBuf[nPosition] = (char)(dwDiskData[nIndex] / 256);
nPosition++;
// Get low BYTE for 2nd character
szResBuf[nPosition] = (char)(dwDiskData[nIndex] % 256);
nPosition++;
}
// End the string
szResBuf[nPosition] = '\0';
// Cut off the trailing blanks
for(nIndex = nPosition - 1; nIndex > 0 && ' ' == szResBuf[nIndex]; nIndex--)
szResBuf[nIndex] = '\0';
return szResBuf;
}
//---------------------------------------------------------------------------
// Winndows NT4/2000/XP 代码
//---------------------------------------------------------------------------
// ReadPhysicalDriveOnNT
void __fastcall ReadPhysicalDriveOnNT(TStrings *pSerList, TStrings *pModeList)
{
// 输出参数
BYTE btIDOutCmd[sizeof(SENDCMDOUTPARAMS) + IDENTIFY_BUFFER_SIZE - 1];
for(int nDrive=0; nDrive < MAX_IDE_DRIVES; nDrive++)
{
HANDLE hPhysicalDriveIOCTL;
char szDriveName[32];
sprintf(szDriveName, "\\\\.\\PhysicalDrive%d", nDrive);
hPhysicalDriveIOCTL = CreateFile(szDriveName,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
OPEN_EXISTING, 0, NULL);
if(hPhysicalDriveIOCTL != INVALID_HANDLE_VALUE)
{
DWORD dwBytesReturned = 0;
GETVERSIONOUTPARAMS gvopVersionParams;
// Get the version, etc of PhysicalDrive IOCTL
ZeroMemory(&gvopVersionParams, sizeof(GETVERSIONOUTPARAMS));
if(!DeviceIoControl(hPhysicalDriveIOCTL, DFP_GET_VERSION,
NULL, 0, &gvopVersionParams, sizeof(gvopVersionParams),
&dwBytesReturned, NULL))
{
continue;
}
if(gvopVersionParams.bIDEDeviceMap > 0)
{
// IDE or ATAPI IDENTIFY cmd
BYTE btIDCmd = 0;
SENDCMDINPARAMS InParams;
// Now, get the ID sector for all IDE devices in the system.
// If the device is ATAPI use the IDE_ATAPI_IDENTIFY command,
// otherwise use the IDE_ATA_IDENTIFY command
// 详细所得功效请参考头文件中的说明
btIDCmd = (gvopVersionParams.bIDEDeviceMap >> nDrive & 0x10) ?
IDE_ATAPI_IDENTIFY : IDE_ATA_IDENTIFY;
ZeroMemory(&InParams, sizeof(SENDCMDINPARAMS));
ZeroMemory(btIDOutCmd, sizeof(btIDOutCmd));
if(DoIdentify(hPhysicalDriveIOCTL,
&InParams, (PSENDCMDOUTPARAMS)btIDOutCmd,
(BYTE)btIDCmd, (BYTE)nDrive, &dwBytesReturned))
{
DWORD dwDiskData[256];
USHORT *pIDSector; // 对应布局IDSECTOR,见头文件
char szSerialNumber[21];
char szModelNumber[41];
pIDSector = (USHORT*)((SENDCMDOUTPARAMS*)btIDOutCmd)->bBuffer;
for(int i=0; i < 256; i++)
dwDiskData[i] = pIDSector[i];
// 取系列号
ZeroMemory(szSerialNumber, sizeof(szSerialNumber));
strcpy(szSerialNumber, ConvertToString(dwDiskData, 10, 19));
// 取模子号
ZeroMemory(szModelNumber, sizeof(szModelNumber));
strcpy(szModelNumber, ConvertToString(dwDiskData, 27, 46));
pSerList->Add(szSerialNumber);
pModeList->Add(szModelNumber);
}
}
CloseHandle (hPhysicalDriveIOCTL);
}
}
}
//---------------------------------------------------------------------------
// DoIdentify
bool __fastcall DoIdentify(HANDLE hPhysicalDriveIOCTL, PSENDCMDINPARAMS pSCIP,
PSENDCMDOUTPARAMS pSCOP, BYTE btIDCmd, BYTE btDriveNum,
PDWORD pdwBytesReturned)
{
// Set up data structures for IDENTIFY command.
pSCIP->cBufferSize = IDENTIFY_BUFFER_SIZE;
pSCIP->irDriveRegs.bFeaturesReg = 0;
pSCIP->irDriveRegs.bSectorCountReg = 1;
pSCIP->irDriveRegs.bSectorNumberReg = 1;
pSCIP->irDriveRegs.bCylLowReg = 0;
pSCIP->irDriveRegs.bCylHighReg = 0;
// Compute the drive number.(主盘和从盘所对应的值是纷歧样的)
pSCIP->irDriveRegs.bDriveHeadReg = (btDriveNum & 1) ? 0xB0 : 0xA0;
// The command can either be IDE identify or ATAPI identify.
pSCIP->irDriveRegs.bCommandReg = btIDCmd;
pSCIP->bDriveNumber = btDriveNum;
pSCIP->cBufferSize = IDENTIFY_BUFFER_SIZE;
return DeviceIoControl(hPhysicalDriveIOCTL, DFP_RCV_DRIVE_DATA,
(LPVOID)pSCIP,
sizeof(SENDCMDINPARAMS) - 1,
(LPVOID)pSCOP,
sizeof(SENDCMDOUTPARAMS) + IDENTIFY_BUFFER_SIZE - 1,
pdwBytesReturned, NULL);
}
//---------------------------------------------------------------------------
// Windows 95/98/ME 代码
//---------------------------------------------------------------------------
// ReadPhysicalDriveOnW9X
void __fastcall ReadPhysicalDriveOnW9X(TStrings *pSerList, TStrings *pModeList)
{
WORD wOutData[256];
SetPriorityClass(GetCurrentProcess(), REALTIME_PRIORITY_CLASS);
// 颠末测试,发明第一次挪用并且Drive >= 2时会在Ring0代码中呈现错误,导致蓝屏。
// 颠末N(N > 15)次的蓝屏后仍找不到原因:(,不得不在这里增加一段无用代码以
// 制止蓝屏的呈现。(等候高人能指出原因)
for(int nDrive = 0; nDrive < 8; nDrive++)
{
WORD dwBaseAddress;
BYTE btMasterSlave; // Master Or Slave
bool bIsIDEExist;
bool IsDiskExist;
switch(nDrive / 2)
{
case 0: dwBaseAddress = 0x01F0; break;
case 1: dwBaseAddress = 0x0170; break;
case 2: dwBaseAddress = 0x01E8; break;
case 3: dwBaseAddress = 0x0168; break;
}
btMasterSlave = (BYTE)(((nDrive % 2) == 0) ? 0xA0 : 0xB0);
// 进入Ring0
ReadPhysicalDriveOnW9X_Ring0(true, dwBaseAddress, btMasterSlave,
bIsIDEExist, IsDiskExist, wOutData);
}
// 开始读取
for(int nDrive = 0; nDrive < 8; nDrive++)
{
WORD dwBaseAddress;
BYTE btMasterSlave; // Master Or Slave
bool bIsIDEExist;
bool bIsDiskExist;
switch(nDrive / 2)
{
case 0: dwBaseAddress = 0x01F0; break;
case 1: dwBaseAddress = 0x0170; break;
case 2: dwBaseAddress = 0x01E8; break;
case 3: dwBaseAddress = 0x0168; break;
}
btMasterSlave = (BYTE)(((nDrive % 2) == 0) ? 0xA0 : 0xB0);
// 进入Ring0
bIsIDEExist = false;
bIsDiskExist = false;
ZeroMemory(wOutData, sizeof(wOutData));
ReadPhysicalDriveOnW9X_Ring0(false, dwBaseAddress, btMasterSlave,
bIsIDEExist, bIsDiskExist, wOutData);
if(bIsIDEExist && bIsDiskExist)
{
DWORD dwDiskData[256];
char szSerialNumber[21];
char szModelNumber[41];
for(int k=0; k < 256; k++)
dwDiskData[k] = wOutData[k];
// 取系列号
ZeroMemory(szSerialNumber, sizeof(szSerialNumber));
strcpy(szSerialNumber, ConvertToString(dwDiskData, 10, 19));
// 取模子号
ZeroMemory(szModelNumber, sizeof(szModelNumber));
strcpy(szModelNumber, ConvertToString(dwDiskData, 27, 46));
pSerList->Add(szSerialNumber);
pModeList->Add(szModelNumber);
}
}
SetPriorityClass(GetCurrentProcess(), NORMAL_PRIORITY_CLASS);
}
//---------------------------------------------------------------------------
// 为防备不认真任的转载者,在此注明原出处信息,请留情。
// 资料收集整理:ccrun(老妖),接待降临C++Builder研究: http://www.ccrun.com
//---------------------------------------------------------------------------
// ReadPhysicalDriveOnW9X_Ring0()
//
// dwBaseAddress = IDE(0,1,2,3) : 1F0h, 170h, 1E8h, 168h
// btMasterSlave = Master(0xA0) Or Slave(0xB0)
//---------------------------------------------------------------------------
void __fastcall ReadPhysicalDriveOnW9X_Ring0(bool bIsFirst, WORD dwBaseAddress,
BYTE btMasterSlave, bool &bIsIDEExist, bool &bIsDiskExist, WORD *pOutData)
{
BYTE btIDTR1[6];
DWORD dwOldExceptionHook;
const int nHookExceptionNo = 5;
BYTE btIsIDEExist = 0;
BYTE btIsDiskExist = 0;
WORD wOutDataBuf[256];
BYTE btIsFirst = (BYTE)bIsFirst;
const BYTE btBit00 = 0x01;
// const BYTE btBit02 = 0x04;
const BYTE btBit06 = 0x40;
const BYTE btBit07 = 0x80;
// const BYTE btERR = btBit00;
const BYTE btBusy = btBit07;
const BYTE btAtaCmd = 0xEC;
const BYTE btAtapiCmd = 0xA1;
__asm
{
// 必需先执行这条语句
JMP EnterRing0
// 界说进程
// 期待IDE设备直到其不为忙为止
WaitWhileBusy proc
MOV EBX, 100000
MOV DX, dwBaseAddress
ADD DX, 7
LoopWhileBusy:
DEC EBX
CMP EBX, 0
JZ Timeout
in AL, DX
TEST AL, btBusy
JNZ LoopWhileBusy
JMP DriveReady
// 超时,直接退出
Timeout:
JMP LeaveRing0
DriveReady:
RET
ENDP // End of WaitWhileBusy Procedure
// 配置主盘和从盘符号
SelectDevice proc
MOV DX, dwBaseAddress
ADD DX, 6
MOV AL, btMasterSlave
out DX, AL
RET
ENDP // End of SelectDevice Procedure
// 向IDE设备发送存取指令
SendCmd proc
MOV DX, dwBaseAddress
ADD DX, 7
MOV AL, BL // BL是主从盘标识,在进程外配置
out DX, AL
RET
ENDP // End of SendCmd Procedure
// Ring0代码
Ring0Proc:
PUSHAD
// 查询IDE设备是否存在
MOV DX, dwBaseAddress
ADD DX, 7
in AL,DX
// 当AL的值是0xFF可能0x7F时,IDE设备不存在,这时候直接返回
CMP AL,0xFF
JZ LeaveRing0
CMP AL, 0x7F
JZ LeaveRing0
// 配置IDE设备存在符号
MOV btIsIDEExist, 1
// 查询IDE设备上的驱动器是否存在(有IDE插槽在主板上,可是却不必然有硬盘插在上面)
CALL WaitWhileBusy
CALL SelectDevice
// 假如是第一次挪用,则直接返回,不然执行下行语句时会呈现蓝屏
CMP btIsFirst, 1
JZ LeaveRing0
// 第一次挪用时,假如执行这行语句会导致蓝屏,Why???
CALL WaitWhileBusy
// AL的值便是cBit06时,不存在驱动器,直接返回
TEST AL, btBit06
JZ LeaveRing0
// 配置驱动器存在符号
MOV btIsDiskExist, 1
// 发送存取端口呼吁
// 无法像NT/2000/XP那样可以通过查询VERSION的值获得驱动器的范例,
// 所以只能一步一步地测试,假如不是ATA设备,再实验利用ATAPI设备呼吁
CALL WaitWhileBusy
CALL SelectDevice // 配置主从盘标识
MOV BL, btAtaCmd // 发送读取呼吁
CALL SendCmd
CALL WaitWhileBusy
// 查抄是否堕落
MOV DX, dwBaseAddress
ADD DX, 7
in AL, DX
TEST AL, btBit00
JZ RetrieveInfo // 没有错误时则读数据
// 假如堕落,则进一步实验利用ATAPI设备呼吁
CALL WaitWhileBusy
CALL SelectDevice
MOV BL, btAtapiCmd
CALL SendCmd
CALL WaitWhileBusy
// 查抄是否还堕落
MOV DX, dwBaseAddress
ADD DX, 7
in AL, DX
TEST AL, btBit00
JZ RetrieveInfo // 没有错误时则读数据
JMP LeaveRing0 // 假如照旧堕落,直接返回
// 读取数据
RetrieveInfo:
LEA EDI, wOutDataBuf
MOV ECX, 256
MOV DX, dwBaseAddress
CLD
REP INSW
// 退出Ring0代码
LeaveRing0:
POPAD
IRETD
// 激活Ring0代码
EnterRing0:
// 修改间断门
SIDT FWORD PTR btIDTR1
MOV EAX, DWORD PTR btIDTR1 + 02h
ADD EAX, nHookExceptionNo * 08h + 04h
CLI
// 生存原异常处理惩罚例程进口
MOV ECX, DWORD PTR [EAX] MOV CX, WORD PTR [EAX-04h] MOV dwOldExceptionHook, ECX
// 指定新进口
LEA EBX, Ring0Proc
MOV WORD PTR [EAX-04h],BX
SHR EBX, 10h
MOV WORD PTR[EAX+02h], BX
// 激活Ring0代码
INT nHookExceptionNo
// 复兴进口
MOV ECX,dwOldExceptionHook
MOV WORD PTR[EAX-04h], CX
SHR ECX,10h
MOV WORD PTR[EAX+02h], CX
STI
}
if(!bIsFirst)
{
bIsIDEExist = (bool)btIsIDEExist;
bIsDiskExist = (bool)btIsDiskExist;
CopyMemory(pOutData, wOutDataBuf, sizeof(wOutDataBuf));
}
}
//---------------------------------------------------------------------------
// 挪用要领:
void __fastcall TForm1::Button1Click(TObject *Sender)
{
ReadPhysicalDrive(Memo1->Lines, Memo2->Lines);
}