[Original] Qihoo 360 question 1: hooking WRITE_PORT_UCHAR
Posting a somewhat old piece of LBA48 reference material:

LBA HDD Access via PIO

Every operating system will eventually find a need for reliable, long-term storage. There are only a handful of commonly used storage devices:
    Floppy
    Flash media
    CD-ROM
    Hard drive
Hard drives are by far the most widely used mechanism for data storage, and this tutorial will familiarize you with a practical method for accessing them.

In the past, a method known as CHS was used. With CHS, you specified the cylinder, head, and sector where your data was located. The problem with this method is that the number of cylinders that could be addressed was rather limited. To solve this problem, a new method for accessing hard drives was created: Linear Block Addressing (LBA). With LBA, you simply specify the address of the block you want to access. Blocks are 512-byte chunks of data, so the first 512 bytes of data on the disk are in block 0, the next 512 bytes are in block 1, etc. This is clearly superior to having to calculate and specify three separate bits of information, as with CHS.

However, there is one hitch with LBA. There are two forms of LBA, which are slightly different: LBA28 and LBA48. LBA28 uses 28 bits to specify the block address, and LBA48 uses 48 bits. Most drives support LBA28, but not all drives support LBA48. In particular, the Bochs emulator supports LBA28, and not LBA48. This isn't a serious problem, but something to be aware of. Now that you know how LBA works, it's time to see the actual methods involved.

To read a sector using LBA28:
  1. Send a NULL byte to port 0x1F1:
        outb(0x1F1, 0x00);
  2. Send a sector count to port 0x1F2:
        outb(0x1F2, 0x01);
  3. Send the low 8 bits of the block address to port 0x1F3:
        outb(0x1F3, (unsigned char)addr);
  4. Send the next 8 bits of the block address to port 0x1F4:
        outb(0x1F4, (unsigned char)(addr >> 8));
  5. Send the next 8 bits of the block address to port 0x1F5:
        outb(0x1F5, (unsigned char)(addr >> 16));
  6. Send the drive indicator, some magic bits, and the highest 4 bits of the block address to port 0x1F6:
        outb(0x1F6, 0xE0 | (drive << 4) | ((addr >> 24) & 0x0F));
  7. Send the command (0x20) to port 0x1F7:
        outb(0x1F7, 0x20);

To write a sector using LBA28:
  Do all the same as above, but send 0x30 for the command byte instead of 0x20:
        outb(0x1F7, 0x30);

To read a sector using LBA48:
  1. Send two NULL bytes to port 0x1F1:
        outb(0x1F1, 0x00);
        outb(0x1F1, 0x00);
  2. Send a 16-bit sector count to port 0x1F2:
        outb(0x1F2, 0x00);
        outb(0x1F2, 0x01);
  3. Send bits 24-31 to port 0x1F3:
        outb(0x1F3, (unsigned char)(addr >> 24));
  4. Send bits 0-7 to port 0x1F3:
        outb(0x1F3, (unsigned char)addr);
  5. Send bits 32-39 to port 0x1F4:
        outb(0x1F4, (unsigned char)(addr >> 32));
  6. Send bits 8-15 to port 0x1F4:
        outb(0x1F4, (unsigned char)(addr >> 8));
  7. Send bits 40-47 to port 0x1F5:
        outb(0x1F5, (unsigned char)(addr >> 40));
  8. Send bits 16-23 to port 0x1F5:
        outb(0x1F5, (unsigned char)(addr >> 16));
  9. Send the drive indicator and some magic bits to port 0x1F6:
        outb(0x1F6, 0x40 | (drive << 4));
  10. Send the command (0x24) to port 0x1F7:
        outb(0x1F7, 0x24);

To write a sector using LBA48:
  Do all the same as above, but send 0x34 for the command byte, instead of 0x24:
        outb(0x1F7, 0x34);

Once you've done all this, you just have to wait for the drive to signal that it's ready:
        while (!(inb(0x1F7) & 0x08)) {}

And then read/write your data from/to port 0x1F0:
        // for read:
        for (idx = 0; idx < 256; idx++) {
            tmpword = inw(0x1F0);
            buffer[idx * 2] = (unsigned char)tmpword;
            buffer[idx * 2 + 1] = (unsigned char)(tmpword >> 8);
        }
        // for write:
        for (idx = 0; idx < 256; idx++) {
            tmpword = buffer[8 + idx * 2] | (buffer[8 + idx * 2 + 1] << 8);
            outw(0x1F0, tmpword);
        }

Of course, all of this is useless if you don't know what drives you actually have hooked up. Each IDE controller can handle 2 drives, and most computers have 2 IDE controllers. The primary controller, which is the one I have been dealing with thus far, has its registers located from port 0x1F0 to port 0x1F7. The secondary controller has its registers in ports 0x170-0x177.

Detecting whether controllers are present is fairly easy:
  1. Write a magic value to the low LBA port for that controller (0x1F3 for the primary controller, 0x173 for the secondary):
        outb(0x1F3, 0x88);
  2. Read back from the same port, and see if what you read is what you wrote. If it is, that controller exists.

Now, you have to detect which drives are present on each controller. To do this, you simply select the appropriate drive with the drive/head select register (0x1F6 for the primary controller, 0x176 for the secondary controller), wait a small amount of time (I wait 1/250th of a second), and then read the status register and see if the busy bit is set:
        outb(0x1F6, 0xA0);     // use 0xB0 instead of 0xA0 to test the second drive on the controller
        sleep(1);              // wait 1/250th of a second
        tmpword = inb(0x1F7);  // read the status port
        if (tmpword & 0x40)    // check bit 0x40 (DRDY, drive ready) of the status register
        {
            printf("Primary master exists\n");
        }

And that about wraps it up. Note that I haven't actually tested my LBA48 code, because I'm stuck with Bochs, which only supports LBA28. It should work, according to the ATA specification. If any of this is inaccurate or unclear, just email me at marsdragon88@gmail.com.
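An added example, not part of the original post or the quoted tutorial: a decoder that takes the sequence of single-byte port writes a WRITE_PORT_UCHAR hook would record and reconstructs which ATA PIO command was issued, with drive, sector count and LBA, for both the LBA28 and LBA48 register sequences described above. The port_write_t record, ata_decode, and the sample sequence (drive 1, one sector, LBA 0xA5B4C3D2E1F0, WRITE SECTORS EXT) are constructed assumptions, and only the primary controller's task file at 0x1F0-0x1F7 is handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* One byte written to an I/O port, as a WRITE_PORT_UCHAR hook would record it. */
typedef struct { uint16_t port; uint8_t value; } port_write_t;
/* Decoded result; valid stays false until a supported command byte is seen. */
typedef struct { bool valid, lba48, is_write; uint8_t drive; uint16_t count; uint64_t lba; } ata_cmd_t;

/* Decode a primary-controller PIO sequence (task file 0x1F1-0x1F7). prev/cur keep the
 * last two bytes written to each register, because LBA48 writes each one twice
 * (high byte first, then low byte) before the command goes to 0x1F7. */
ata_cmd_t ata_decode(const port_write_t *w, size_t n) {
    uint8_t cur[8] = {0}, prev[8] = {0};
    ata_cmd_t c = {0};
    for (size_t i = 0; i < n; i++) {
        if (w[i].port < 0x1F0 || w[i].port > 0x1F7) continue;   /* some other device */
        uint8_t r = (uint8_t)(w[i].port - 0x1F0);
        if (r != 7) { prev[r] = cur[r]; cur[r] = w[i].value; continue; }
        uint8_t cmd = w[i].value;                    /* write to 0x1F7: command issued */
        if (cmd == 0x20 || cmd == 0x30) {            /* READ/WRITE SECTORS, LBA28 */
            c.count = cur[2];
            c.lba = (uint32_t)cur[3] | (uint32_t)cur[4] << 8 | (uint32_t)cur[5] << 16
                  | (uint32_t)(cur[6] & 0x0F) << 24;
        } else if (cmd == 0x24 || cmd == 0x34) {     /* READ/WRITE SECTORS EXT, LBA48 */
            c.lba48 = true;
            c.count = (uint16_t)((prev[2] << 8) | cur[2]);
            c.lba = (uint64_t)cur[3] | (uint64_t)cur[4] << 8 | (uint64_t)cur[5] << 16
                  | (uint64_t)prev[3] << 24 | (uint64_t)prev[4] << 32 | (uint64_t)prev[5] << 40;
        } else {
            return c;                                /* not a PIO sector command */
        }
        c.is_write = (cmd == 0x30 || cmd == 0x34);
        c.drive = (cur[6] >> 4) & 1;                 /* bit 4 of the drive/head register */
        c.valid = true;
        return c;
    }
    return c;                                        /* no command byte seen */
}

/* Constructed sample: the tutorial's LBA48 write sequence for drive 1, one sector,
 * LBA 0xA5B4C3D2E1F0 (each register gets bits 24-47 first, then bits 0-23). */
ata_cmd_t decode_sample_lba48_write(void) {
    static const port_write_t seq[] = {
        {0x1F1, 0x00}, {0x1F1, 0x00}, {0x1F2, 0x00}, {0x1F2, 0x01},
        {0x1F3, 0xC3}, {0x1F3, 0xF0}, {0x1F4, 0xB4}, {0x1F4, 0xE1},
        {0x1F5, 0xA5}, {0x1F5, 0xD2}, {0x1F6, 0x50}, {0x1F7, 0x34},
    };
    return ata_decode(seq, sizeof seq / sizeof seq[0]);
}
```

Feeding the decoder the writes to 0x170-0x177 would need the same table shifted by the secondary controller's base.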

[Help] A small problem encountered when enumerating processes with ZwQuerySystemInformation (asking for advice!)
[QUOTE=sudami;557144]The most tender words MJ has ever said to newbies have been born[/QUOTE] MJ has become calm now~~

[Announcement] Pediy Software Security Forum outstanding moderators of 2008
Ah! I'm late!!! Bump

[Help] Can't understand this #define GET_PTR(ptr, offset) ( *(PVOID*)( (ULONG)ptr + (offset##Offset) ) )
1. PVOID* means a pointer to a pointer, so it is 4 bytes. 2. The two # (##) mean the two parameters (offset) are concatenated.
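An added illustration, not from the thread: a runnable version of the macro in the question, showing what the ## token paste produces and how the offset-based read works. The struct, the offset names and the reader functions are constructed; the cast uses uintptr_t rather than ULONG, which is an assumption made so the same code also runs as a 64-bit build.

```c
#include <stdint.h>
#include <stddef.h>

typedef void *PVOID;

/* Same shape as the macro in the question, but cast to uintptr_t instead of ULONG so the
 * arithmetic does not truncate a 64-bit pointer. field##Offset pastes the second argument
 * onto "Offset": GET_PTR(p, ImageBase) reads the PVOID stored at p + ImageBaseOffset. */
#define GET_PTR(ptr, field) ( *(PVOID*)( (uintptr_t)(ptr) + (field##Offset) ) )

/* Constructed layout standing in for an opaque kernel object whose field offsets are
 * known from symbols; the macro reads through it without using the struct definition. */
struct object {
    uint32_t header;
    PVOID    image_base;
    uint64_t tag;
    PVOID    next;
};

/* The names the macro pastes together; in the original setting these come from a
 * per-OS-version offset table rather than offsetof(). */
static const size_t ImageBaseOffset = offsetof(struct object, image_base);
static const size_t NextOffset      = offsetof(struct object, next);

/* Readers take an opaque pointer, exactly as code using such a macro would. */
PVOID read_image_base(const void *obj) { return GET_PTR(obj, ImageBase); }
PVOID read_next(const void *obj)       { return GET_PTR(obj, Next); }

/* Self-check: macro reads must match the fields they alias. Returns 1 on success. */
int get_ptr_selfcheck(void) {
    int marker = 0;
    struct object o = { 0x11223344u, &marker, 0, NULL };
    struct object n = { 0, NULL, 0, &o };
    return read_image_base(&o) == (PVOID)&marker
        && read_next(&n) == (PVOID)&o
        && read_next(&o) == NULL;
}
```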

[Help] How to get the full path name of the currently running program when IRQL=2
The crash is probably because you accessed paged memory; you'd better lower it back. Looking forward to a better answer from an expert.

[Help] After loading a DLL with LoadLibrary, how to get the image base of that DLL?
It doesn't seem to be the case under Win CE.

[Help] A question: apart from SSDT hooks and r0 inline hooks, what other ways can prevent a process from being opened?
You probably didn't look carefully. Single-step it in a debugger. Sometimes it's hard to understand just by looking. For example, it jumps to some address, but the address it jumps to has been modified; at a glance you assume it's a normal system jump.

[Help] A question: apart from SSDT hooks and r0 inline hooks, what other ways can prevent a process from being opened?
It seems TesSafe hooks ObOpenObjectByPointer and the functions that read/write virtual memory......

[Help] A question: apart from SSDT hooks and r0 inline hooks, what other ways can prevent a process from being opened?
http://bbs.pediy.com/showthread.php?t=67286&tcatid=118

[Help] A question: apart from SSDT hooks and r0 inline hooks, what other ways can prevent a process from being opened?
[QUOTE=;]...[/QUOTE] I haven't tried this one; I'd guess it can be bypassed? For example the dup method, or is this function good at judging who the caller is? Pure speculation. I'll look again after I've tested it~

[Help] A question: apart from SSDT hooks and r0 inline hooks, what other ways can prevent a process from being opened?
[QUOTE=;]...[/QUOTE] I didn't mean taking the address; I meant they are called in this order. To get the address, use a signature~

[Help] A question: apart from SSDT hooks and r0 inline hooks, what other ways can prevent a process from being opened?
[QUOTE=;]...[/QUOTE] MJ, take a look: is the order like this: ObOpenObjectByPointer(name)-> ObpCreateHandle->ObpIncrementHandleCount-> ObCheckObjectAccess?

[Original] The world's smallest downloader, qihoocom come and look down on me - requesting featured status
Haha, I'm here to see how this thread turns out.