Memory-Dump mit dem Oldie directnt.sys

Hardware- und Elektronikbasteleien, Ansteuerung von Schnittstellen und Peripherie.
Fragen zu "Consumer"-Problemen kommen in Offtopic.
Helle

Memory-Dump mit dem Oldie directnt.sys

Beitrag von Helle »

Aus der Reihe "Oldie but Goldie" hier ein Beispiel, wie mit der directnt.sys (s. c't 1/97 Matthias Witthopf, Andreas Stiller) der physikalische Speicher ausgelesen werden kann. Mit dieser SYS kann man u.a. auch Control- und Maschinen-Register auslesen, aber das ist mir hier zu gefährlich. Benutzung sowieso auf eigene Gefahr! Für ganz Vorsichtige: Ich habe nur einen BOD erhalten bei Zugriffsversuchen auf physikalisch nicht vorhandenen Speicher (wenn nur 2 GB drin sind, kann man nicht bei 3 GB auslesen wollen).


;- Physikalisches RAM auslesen (Memory Dump) mit der directnt.sys
;- Benutzung auf eigene Gefahr! Ein BOD kann immer mal auftreten!
;- "Helle" Klaus Helbing, 11.03.2008, PB4.10
;- Für die Dienst-Installation sind Administrator-Rechte notwendig!

Global Buffer.l=AllocateMemory(32)     ; 32-byte scratch area used instead of real structures: receives the SERVICE_STATUS in DienstStatus()/DienstEnd() and carries the driver request (opcode + parameter) in the main part
Global BufferNutz.l                    ; number of bytes of Buffer that are passed to the driver (set to 8 before DrvExec())
Global DriverStart.l                   ; dwCurrentState of the service as read by DienstStatus(); 4 = SERVICE_RUNNING
Global hMgr.l                          ; service control manager handle, opened in the main part and used by the Dienst*() procedures
Global hDrv.l                          ; device handle from DeviceOpen(); closed again by DrvExec()
Global Result.l                        ; output DWORD that DeviceIoControl_() fills in DrvExec()
Global ResultSize.l = 4                ; size of Result in bytes (output buffer length for DeviceIoControl_())
Global ResultLen.l                     ; bytes actually returned by the driver (lpBytesReturned)
Global SpeicherAdresse.l               ; physical address to read; set to $100 in the main part
 
;- Konstanten
#OP_ReadPhysMemDword    = 40           ; driver opcode: read one physical DWORD from address #Par1# (Buffer+4)
#IOCTL_DIRECTNT_CONTROL = 2621464576   ; = $9C406000 = CTL_CODE(DIRECTNT_TYPE, $0800, METHOD_BUFFERED, FILE_READ_ACCESS), i.e. device type $9C40

;------------------ Überprüfung, ob Registry-Eintrag für directnt existiert
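Procedure RegTest()
  ; Checks whether the service key for directnt exists below
  ; HKLM\SYSTEM\CurrentControlSet\Services and reports the result in a
  ; message box. Purely informational: nothing is written.
  ; #KEY_READ is all an existence check needs; the original asked for
  ; #KEY_ALL_ACCESS, which is refused for non-administrators even when the
  ; key is present and would then report "not known" wrongly.
  Protected hKey.l
  Protected hReg.l = RegOpenKeyEx_(#HKEY_LOCAL_MACHINE, "SYSTEM\CurrentControlSet\Services\dev_directnt", 0, #KEY_READ, @hKey)
  If hReg = 0
    MessageRequester("Statusmeldung von RegTest", "directnt ist im System schon registriert")
    RegCloseKey_(hKey)                   ; only a key that was actually opened is closed
  Else
    MessageRequester("Statusmeldung von RegTest", "directnt ist dem System nicht bekannt")
  EndIf
EndProcedure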
;------------------  

;------------------ Dienst installieren
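Procedure DienstInst()
  ; Installs directnt.sys as a demand-start kernel-driver service named
  ; "dev_directnt". Needs administrator rights (SC_MANAGER_CREATE_SERVICE plus
  ; write access to the drivers directory).
  ; If no directnt.sys exists in <system dir>\drivers yet, the 3424-byte image
  ; from the DataSection (label ?directnt) is written there first. An already
  ; existing file is left untouched whatever it contains; the service loads
  ; whatever sits at that path (no size or content check).
  Protected hMgrC.l, hInst.l, FileL.l
  Protected SystemDir$, DriverDir$, DriverPath$
  hMgrC = OpenSCManager_(0, 0, #SC_MANAGER_CREATE_SERVICE)
  SystemDir$ = Space(255)
  FileL = GetSystemDirectory_(SystemDir$, 255)
  DriverDir$ = Left(SystemDir$, FileL) + "\drivers"
  DriverPath$ = DriverDir$ + "\directnt.sys"
  ; OpenFile() opens an existing file or creates a new one; 0 means neither
  ; worked (typically no write access to the drivers directory). The original
  ; wrote to file #0 regardless of that result.
  If OpenFile(0, DriverPath$)
    If Lof(0) = 0                        ; freshly created, i.e. the file did not exist before
      WriteData(0, ?directnt, 3424)
    EndIf
    CloseFile(0)
  Else
    MessageRequester("Statusmeldung von DienstInst", "directnt.sys konnte nicht angelegt werden: " + DriverPath$)
  EndIf
  hInst = CreateService_(hMgrC, "dev_directnt", "dev_directnt", #SERVICE_ALL_ACCESS, #SERVICE_KERNEL_DRIVER, #SERVICE_DEMAND_START, #SERVICE_ERROR_NORMAL, DriverPath$, #Null, #Null, #Null, #Null, #Null)
  If hInst <> 0
    MessageRequester("Statusmeldung von DienstInst", "directnt wurde als Dienst installiert !")
    CloseServiceHandle_(hInst)           ; only a handle we actually received is closed
  Else
    MessageRequester("Statusmeldung von DienstInst", "directnt konnte nicht als Dienst installiert werden ! (ist evtl. schon installiert)")
  EndIf
  CloseServiceHandle_(hMgrC)
EndProcedure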
;------------------

;------------------ DienstStatus ermitteln
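Procedure DienstStatus()
  ; Queries the state of service "dev_directnt" through the global SCM handle
  ; hMgr and stores dwCurrentState in the global DriverStart
  ; (4 = SERVICE_RUNNING). The 32-byte global Buffer stands in for a
  ; SERVICE_STATUS structure; dwCurrentState is its second DWORD (offset 4).
  ; If the service cannot be opened or queried, DriverStart is set to 0 so the
  ; caller never acts on whatever Buffer happened to contain before.
  Protected hSvc.l
  DriverStart = 0
  hSvc = OpenService_(hMgr, "dev_directnt", #SERVICE_QUERY_STATUS)
  If hSvc
    If QueryServiceStatus_(hSvc, Buffer)
      DriverStart = PeekL(Buffer + 4)
    EndIf
    CloseServiceHandle_(hSvc)
  EndIf
  If DriverStart = 4
    MessageRequester("Statusmeldung von DienstStatus", "directnt ist gestartet !")
  Else
    MessageRequester("Statusmeldung von DienstStatus", "directnt ist nicht gestartet !")
  EndIf
EndProcedure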
;------------------

;------------------ Dienst starten 
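Procedure DienstStart()
  ; Starts service "dev_directnt" (loads the driver) through the global SCM
  ; handle hMgr and reports the outcome.
  ; Only #SERVICE_START is requested, which is all StartService_() needs.
  ; StartService_() returns a BOOL: any non-zero value is success (the original
  ; tested for exactly 1); 0 also covers "was already running".
  Protected hSvc.l, IsStart.l
  IsStart = 0
  hSvc = OpenService_(hMgr, "dev_directnt", #SERVICE_START)
  If hSvc
    IsStart = StartService_(hSvc, 0, #Null)
    CloseServiceHandle_(hSvc)
  EndIf
  If IsStart <> 0
    MessageRequester("Statusmeldung von DienstStart", "directnt wurde gestartet !")
  Else
    MessageRequester("Statusmeldung von DienstStart", "directnt konnte nicht gestartet werden !")
  EndIf
EndProcedure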
;------------------

;------------------ Dienst beenden 
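Procedure DienstEnd()
  ; Sends SERVICE_CONTROL_STOP to "dev_directnt" (unloads the driver) and
  ; reports the outcome. The 32-byte global Buffer receives the SERVICE_STATUS
  ; (28 bytes) that ControlService_() writes back.
  ; Only #SERVICE_STOP is requested, which is all ControlService_() needs here.
  ; A non-zero BOOL means the stop request was accepted, not necessarily that
  ; the service has already reached the stopped state.
  Protected hSvc.l, IsEnd.l
  IsEnd = 0
  hSvc = OpenService_(hMgr, "dev_directnt", #SERVICE_STOP)
  If hSvc
    IsEnd = ControlService_(hSvc, #SERVICE_CONTROL_STOP, Buffer)
    CloseServiceHandle_(hSvc)
  EndIf
  If IsEnd <> 0
    MessageRequester("Statusmeldung von DienstEnd", "directnt wurde beendet !")
  Else
    MessageRequester("Statusmeldung von DienstEnd", "directnt wurde nicht beendet !")
  EndIf
EndProcedure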
;------------------

;------------------ Dienst entfernen, wer mag, kann hier auch die Datei directnt.sys löschen
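Procedure DienstRemove()
  ; Marks service "dev_directnt" for deletion (it disappears once it is
  ; stopped and all handles to it are closed) and reports the outcome.
  ; The driver file in the drivers directory is NOT removed here.
  ; Only #DELETE is requested, which is all DeleteService_() needs.
  Protected hSvc.l, IsDel.l
  IsDel = 0
  hSvc = OpenService_(hMgr, "dev_directnt", #DELETE)
  If hSvc
    IsDel = DeleteService_(hSvc)         ; BOOL: any non-zero value is success
    CloseServiceHandle_(hSvc)
  EndIf
  If IsDel <> 0
    MessageRequester("Statusmeldung von DienstRemove", "directnt wurde entfernt !")
  Else
    MessageRequester("Statusmeldung von DienstRemove", "directnt wurde nicht entfernt !")
  EndIf
EndProcedure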
;------------------

;------------------ "Gerät" öffnen
Procedure DeviceOpen()
  ; Opens the driver's device object "\\.\dev_directnt" for reading and keeps
  ; the handle in the global hDrv; the outcome is shown in a message box.
  ; The handle is used and then closed by DrvExec(), so one DeviceOpen() call
  ; serves exactly one driver request.
  hDrv = CreateFile_("\\.\dev_directnt", #GENERIC_READ, 0, #Null, #OPEN_EXISTING, #FILE_ATTRIBUTE_NORMAL, #Null)
  If hDrv = #INVALID_HANDLE_VALUE
    MessageRequester("Statusmeldung von Zugriff", "Kein Zugriff !")
  Else
    MessageRequester("Statusmeldung von Zugriff", "Zugriff O.K.!")
  EndIf
EndProcedure
;------------------

Procedure DrvExec()
  ; Hands the request prepared in Buffer (BufferNutz bytes: opcode + parameter)
  ; to the driver via DeviceIoControl_() and reports the outcome. The driver's
  ; answer lands in the global Result (ResultSize bytes; ResultLen receives the
  ; byte count actually returned).
  ; hDrv is closed afterwards, so a further request needs a new DeviceOpen().
  ; On failure Result is left as it was; the caller still displays it.
  Protected Ok.l
  Ok = DeviceIoControl_(hDrv, #IOCTL_DIRECTNT_CONTROL, Buffer, BufferNutz, @Result, ResultSize, @ResultLen, #Null)
  If Ok = 0
    MessageRequester("Statusmeldung von DrvExec", "Kein Zugriff !")
  Else
    MessageRequester("Statusmeldung von DrvExec", "Zugriff O.K.!")
  EndIf
  CloseHandle_(hDrv)
EndProcedure
;------------------


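;------------------ Program start: read physical RAM
RegTest()                    ; informational: is directnt already registered in the Registry?
DienstInst()                 ; writes the driver file if missing and creates the service (needs admin rights)
hMgr = OpenSCManager_(#Null, #Null, #GENERIC_READ)    ; SCM handle used by DienstStatus/DienstStart/DienstEnd/DienstRemove
If hMgr = 0
  ; Without the SCM handle every Dienst*() call below fails and would only
  ; report "not started"/"not stopped"; stop here instead of going on.
  MessageRequester("Statusmeldung von Programm", "Dienst-Manager konnte nicht geöffnet werden !")
  End
EndIf
DienstStatus()               ; sets DriverStart (4 = running) before the service is touched
If DriverStart <> 4
  DienstStart()              ; not running yet, so start (load) it now
EndIf 

DeviceOpen()

SpeicherAdresse = $100                 ; test address; must lie within physically present RAM
PokeL(Buffer, #OP_ReadPhysMemDword)    ; opcode: read one DWORD of physical memory
PokeL(Buffer+4, SpeicherAdresse)       ; parameter 1 = physical address
BufferNutz = 8                         ; opcode + parameter = 8 bytes of Buffer go to the driver

DrvExec()                              ; closes hDrv afterwards; Result is displayed even if the request failed
Result$ = "DWord-Wert an Adresse $"+Hex(SpeicherAdresse)+" : "+RSet(Hex(Result), 8, "0") + "  (Little-Endian-Format beachten !)"
MessageRequester("Physikalischen Speicher auslesen (Memory Dump)", Result$)

;- Ende
If DriverStart <> 4
  DienstEnd()                ; it was started above, so stop (unload) it again
EndIf 

; DienstRemove() is commented out, so the "dev_directnt" service and the driver
; file stay installed after this run. That driver exposes physical memory (and,
; per the post, control and machine registers) to every process allowed to open
; its device, so a one-off test should call DienstRemove() here and delete
; directnt.sys from the drivers directory.
;DienstRemove()               ; on demand

CloseServiceHandle_(hMgr)    ; not before this point

End 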
;==================================================================================================
  
;--------------------------------------------------------------------------------------------------  
DataSection                  ;directnt.sys hat eine Länge von 3424 Bytes
directnt:                    ;mal auf Long oder Quad umstellen  
  Data.b $4D, $5A, $90, $00, $03, $00, $00, $00, $04, $00, $00, $00, $FF, $FF, $00, $00
  Data.b $B8, $00, $00, $00, $00, $00, $00, $00, $40, $00, $00, $00, $00, $00, $00, $00
  Data.b $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00
  Data.b $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $80, $00, $00, $00
  Data.b $0E, $1F, $BA, $0E, $00, $B4, $09, $CD, $21, $B8, $01, $4C, $CD, $21, $54, $68
  Data.b $69, $73, $20, $70, $72, $6F, $67, $72, $61, $6D, $20, $63, $61, $6E, $6E, $6F
  Data.b $74, $20, $62, $65, $20, $72, $75, $6E, $20, $69, $6E, $20, $44, $4F, $53, $20
  Data.b $6D, $6F, $64, $65, $2E, $0D, $0D, $0A, $24, $00, $00, $00, $00, $00, $00, $00
  Data.b $50, $45, $00, $00, $4C, $01, $05, $00, $35, $FD, $A5, $32, $00, $00, $00, $00
  Data.b $00, $00, $00, $00, $E0, $00, $0E, $01, $0B, $01, $02, $32, $20, $05, $00, $00
  Data.b $00, $06, $00, $00, $00, $00, $00, $00, $F9, $06, $00, $00, $40, $02, $00, $00
  Data.b $60, $07, $00, $00, $00, $00, $01, $00, $20, $00, $00, $00, $20, $00, $00, $00
  Data.b $04, $00, $00, $00, $01, $00, $00, $00, $04, $00, $00, $00, $00, $00, $00, $00
  Data.b $60, $0D, $00, $00, $40, $02, $00, $00, $D1, $B2, $00, $00, $01, $00, $00, $00
  Data.b $00, $00, $10, $00, $00, $10, $00, $00, $00, $00, $10, $00, $00, $10, $00, $00
  Data.b $00, $00, $00, $00, $10, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00
  Data.b $C0, $07, $00, $00, $16, $02, $00, $00, $E0, $09, $00, $00, $0C, $03, $00, $00
  Data.b $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00
  Data.b $00, $0D, $00, $00, $38, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00
  Data.b $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00
  Data.b $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00
  Data.b $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00
  Data.b $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00
  Data.b $00, $00, $00, $00, $00, $00, $00, $00, $2E, $74, $65, $78, $74, $00, $00, $00
  Data.b $02, $05, $00, $00, $40, $02, $00, $00, $20, $05, $00, $00, $40, $02, $00, $00
  Data.b $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $20, $00, $00, $60
  Data.b $2E, $64, $61, $74, $61, $00, $00, $00, $56, $00, $00, $00, $60, $07, $00, $00
  Data.b $60, $00, $00, $00, $60, $07, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00
  Data.b $00, $00, $00, $00, $40, $00, $00, $C0, $2E, $69, $64, $61, $74, $61, $00, $00
  Data.b $16, $02, $00, $00, $C0, $07, $00, $00, $20, $02, $00, $00, $C0, $07, $00, $00
  Data.b $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $40, $00, $00, $C0
  Data.b $2E, $72, $73, $72, $63, $00, $00, $00, $0C, $03, $00, $00, $E0, $09, $00, $00
  Data.b $20, $03, $00, $00, $E0, $09, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00
  Data.b $00, $00, $00, $00, $40, $00, $00, $42, $2E, $72, $65, $6C, $6F, $63, $00, $00
  Data.b $50, $00, $00, $00, $00, $0D, $00, $00, $60, $00, $00, $00, $00, $0D, $00, $00
  Data.b $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $40, $00, $00, $42
  Data.b $55, $8B, $EC, $83, $EC, $10, $53, $8D, $4D, $F8, $56, $8B, $1D, $60, $08, $01
  Data.b $00, $57, $FF, $75, $08, $51, $FF, $D3, $8B, $75, $14, $8D, $4D, $F8, $56, $6A
  Data.b $00, $6A, $00, $FF, $75, $0C, $51, $68, $04, $20, $00, $00, $FF, $75, $10, $FF
  Data.b $15, $4C, $08, $01, $00, $85, $C0, $7C, $37, $8B, $06, $B9, $01, $08, $00, $00
  Data.b $68, $60, $07, $01, $00, $8B, $78, $28, $33, $C0, $F3, $AB, $8D, $4D, $F0, $51
  Data.b $FF, $D3, $8D, $4D, $F8, $8D, $55, $F0, $51, $52, $FF, $15, $5C, $08, $01, $00
  Data.b $8B, $F8, $85, $FF, $7D, $08, $FF, $36, $FF, $15, $78, $08, $01, $00, $8B, $C7
  Data.b $5F, $5E, $5B, $8B, $E5, $5D, $C2, $10, $00, $53, $56, $8B, $74, $24, $18, $57
  Data.b $55, $56, $6A, $01, $E8, $73, $04, $00, $00, $8B, $7C, $24, $18, $39, $7C, $24
  Data.b $1C, $7C, $2E, $8B, $C7, $B3, $01, $99, $83, $E2, $07, $03, $C2, $C1, $F8, $03
  Data.b $8D, $2C, $06, $8B, $C7, $99, $33, $C2, $47, $2B, $C2, $83, $E0, $07, $33, $C2
  Data.b $2B, $C2, $8A, $C8, $D2, $E3, $F6, $D3, $20, $5D, $00, $3B, $7C, $24, $1C, $7E
  Data.b $D2, $FF, $74, $24, $14, $FF, $15, $58, $08, $01, $00, $50, $E8, $25, $04, $00
  Data.b $00, $56, $6A, $01, $E8, $17, $04, $00, $00, $5D, $5F, $5E, $5B, $C2, $10, $00
  Data.b $53, $56, $8B, $74, $24, $18, $57, $55, $56, $6A, $01, $E8, $0C, $04, $00, $00
  Data.b $8B, $7C, $24, $18, $39, $7C, $24, $1C, $7C, $2C, $8B, $C7, $B3, $01, $99, $83
  Data.b $E2, $07, $03, $C2, $C1, $F8, $03, $8D, $2C, $06, $8B, $C7, $99, $33, $C2, $47
  Data.b $2B, $C2, $83, $E0, $07, $33, $C2, $2B, $C2, $8A, $C8, $D2, $E3, $08, $5D, $00
  Data.b $3B, $7C, $24, $1C, $7E, $D4, $FF, $74, $24, $14, $FF, $15, $58, $08, $01, $00
  Data.b $50, $E8, $C0, $03, $00, $00, $56, $6A, $01, $E8, $B2, $03, $00, $00, $5D, $5F
  Data.b $5E, $5B, $C2, $10, $00, $55, $8B, $EC, $83, $EC, $30, $53, $56, $57, $8B, $5D
  Data.b $0C, $8B, $73, $0C, $8B, $FE, $8B, $06, $83, $F8, $0A, $77, $23, $0F, $84, $D9
  Data.b $00, $00, $00, $83, $F8, $01, $0F, $84, $89, $00, $00, $00, $83, $F8, $02, $0F
  Data.b $84, $94, $00, $00, $00, $83, $F8, $03, $0F, $84, $A4, $00, $00, $00, $EB, $6B
  Data.b $83, $F8, $14, $77, $11, $0F, $84, $E0, $00, $00, $00, $83, $F8, $0B, $0F, $84
  Data.b $BF, $00, $00, $00, $EB, $55, $83, $F8, $1E, $77, $11, $0F, $84, $23, $01, $00
  Data.b $00, $83, $F8, $15, $0F, $84, $ED, $00, $00, $00, $EB, $3F, $83, $F8, $28, $0F
  Data.b $84, $3E, $01, $00, $00, $83, $F8, $32, $0F, $84, $67, $01, $00, $00, $83, $F8
  Data.b $33, $0F, $84, $7E, $01, $00, $00, $83, $F8, $34, $0F, $84, $89, $01, $00, $00
  Data.b $83, $F8, $3C, $0F, $84, $A0, $01, $00, $00, $83, $F8, $3D, $0F, $84, $E7, $01
  Data.b $00, $00, $83, $F8, $63, $0F, $84, $2A, $02, $00, $00, $B8, $0D, $00, $00, $C0
  Data.b $E9, $2E, $02, $00, $00, $33, $C0, $C7, $07, $78, $56, $34, $12, $C7, $43, $1C
  Data.b $04, $00, $00, $00, $E9, $1A, $02, $00, $00, $0F, $20, $C0, $89, $45, $DC, $8B
  Data.b $45, $DC, $89, $07, $33, $C0, $C7, $43, $1C, $04, $00, $00, $00, $E9, $01, $02
  Data.b $00, $00, $8B, $46, $04, $89, $45, $E0, $8B, $45, $E0, $0F, $09, $0F, $22, $C0
  Data.b $C7, $43, $1C, $00, $00, $00, $00, $E9, $E5, $01, $00, $00, $FF, $76, $04, $FF
  Data.b $15, $40, $08, $01, $00, $88, $07, $C7, $43, $1C, $01, $00, $00, $00, $E9, $CE
  Data.b $01, $00, $00, $FF, $76, $08, $FF, $76, $04, $FF, $15, $44, $08, $01, $00, $C7
  Data.b $43, $1C, $00, $00, $00, $00, $E9, $B6, $01, $00, $00, $8B, $46, $04, $89, $45
  Data.b $E4, $51, $52, $8B, $4D, $E4, $0F, $32, $89, $45, $E8, $89, $55, $EC, $59, $5A
  Data.b $8B, $45, $E8, $89, $07, $8B, $4D, $EC, $89, $4E, $04, $C7, $43, $1C, $08, $00
  Data.b $00, $00, $E9, $8A, $01, $00, $00, $8B, $46, $04, $89, $45, $F0, $8B, $4E, $08
  Data.b $89, $4D, $F4, $8B, $56, $0C, $89, $55, $F8, $51, $52, $8B, $4D, $F0, $8B, $45
  Data.b $F4, $8B, $55, $F8, $0F, $30, $5A, $59, $C7, $43, $1C, $00, $00, $00, $00, $E9
  Data.b $5D, $01, $00, $00, $83, $3D, $68, $08, $01, $00, $00, $74, $15, $8B, $46, $04
  Data.b $8B, $08, $33, $C0, $89, $0F, $C7, $43, $1C, $04, $00, $00, $00, $E9, $41, $01
  Data.b $00, $00, $C7, $43, $1C, $00, $00, $00, $00, $B8, $05, $00, $00, $C0, $E9, $30
  Data.b $01, $00, $00, $C7, $45, $D4, $00, $00, $00, $00, $6A, $00, $6A, $04, $FF, $75
  Data.b $D4, $FF, $76, $04, $FF, $15, $64, $08, $01, $00, $8B, $08, $6A, $04, $50, $89
  Data.b $0F, $FF, $15, $7C, $08, $01, $00, $C7, $43, $1C, $04, $00, $00, $00, $33, $C0
  Data.b $E9, $FE, $00, $00, $00, $8B, $45, $08, $83, $C0, $04, $50, $FF, $76, $08, $FF
  Data.b $76, $04, $6A, $01, $E8, $40, $FD, $FF, $FF, $C7, $43, $1C, $00, $00, $00, $00
  Data.b $E9, $DC, $00, $00, $00, $57, $6A, $01, $E8, $AF, $01, $00, $00, $C7, $43, $1C
  Data.b $00, $20, $00, $00, $E9, $C8, $00, $00, $00, $8B, $45, $08, $83, $C0, $04, $50
  Data.b $FF, $76, $08, $FF, $76, $04, $6A, $01, $E8, $73, $FD, $FF, $FF, $C7, $43, $1C
  Data.b $00, $00, $00, $00, $E9, $A8, $00, $00, $00, $BA, $FB, $0C, $00, $00, $EC, $0F
  Data.b $B6, $C8, $8B, $46, $08, $0D, $00, $00, $E0, $FF, $C1, $E0, $0A, $0B, $46, $04
  Data.b $89, $45, $FC, $66, $9C, $FA, $8A, $C1, $0C, $01, $EE, $BA, $FA, $0C, $00, $00
  Data.b $32, $C0, $EE, $BA, $F8, $0C, $00, $00, $8B, $45, $FC, $EF, $BA, $FC, $0C, $00
  Data.b $00, $ED, $BA, $FB, $0C, $00, $00, $89, $07, $8A, $C1, $EE, $66, $9D, $C7, $43
  Data.b $1C, $04, $00, $00, $00, $33, $C0, $EB, $5A, $BA, $FB, $0C, $00, $00, $8B, $7E
  Data.b $08, $EC, $0F, $B6, $C8, $81, $CF, $00, $00, $E0, $FF, $C1, $E7, $0A, $0B, $7E
  Data.b $04, $66, $9C, $FA, $8A, $C1, $0C, $01, $EE, $BA, $FA, $0C, $00, $00, $32, $C0
  Data.b $EE, $BA, $F8, $0C, $00, $00, $8B, $C7, $EF, $BA, $FC, $0C, $00, $00, $8B, $46
  Data.b $0C, $EF, $BA, $FB, $0C, $00, $00, $8A, $C1, $EE, $66, $9D, $C7, $43, $1C, $00
  Data.b $00, $00, $00, $EB, $0C, $9C, $58, $89, $45, $D8, $C7, $43, $1C, $04, $00, $00
  Data.b $00, $33, $C0, $5F, $5E, $5B, $8B, $E5, $5D, $C2, $10, $00, $8B, $44, $24, $04
  Data.b $56, $8B, $74, $24, $0C, $57, $BF, $02, $00, $00, $C0, $8B, $56, $60, $C7, $46
  Data.b $1C, $00, $00, $00, $00, $8B, $48, $28, $0F, $B6, $02, $85, $C0, $74, $0C, $83
  Data.b $F8, $02, $74, $07, $83, $F8, $0E, $74, $06, $EB, $19, $33, $FF, $EB, $15, $8B
  Data.b $42, $0C, $3D, $00, $60, $40, $9C, $75, $0B, $50, $52, $56, $51, $E8, $D3, $FC
  Data.b $FF, $FF, $8B, $F8, $33, $D2, $8B, $CE, $89, $7E, $18, $FF, $15, $6C, $08, $01
  Data.b $00, $8B, $C7, $5F, $5E, $C2, $08, $00, $83, $EC, $08, $8D, $44, $24, $00, $68
  Data.b $60, $07, $01, $00, $50, $FF, $15, $60, $08, $01, $00, $8D, $4C, $24, $00, $51
  Data.b $FF, $15, $70, $08, $01, $00, $8B, $4C, $24, $0C, $FF, $71, $04, $FF, $15, $78
  Data.b $08, $01, $00, $83, $C4, $08, $C2, $04, $00, $8B, $4C, $24, $04, $83, $EC, $04
  Data.b $B8, $6C, $06, $01, $00, $8D, $54, $24, $00, $52, $89, $41, $38, $51, $89, $41
  Data.b $40, $68, $40, $9C, $00, $00, $89, $41, $70, $C7, $41, $34, $C8, $06, $01, $00
  Data.b $68, $94, $07, $01, $00, $E8, $16, $FB, $FF, $FF, $83, $C4, $04, $C2, $08, $00
  Data.b $FF, $25, $50, $08, $01, $00, $FF, $25, $54, $08, $01, $00, $FF, $25, $74, $08
  Data.b $01, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00
  Data.b $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00
  Data.b $5C, $00, $44, $00, $6F, $00, $73, $00, $44, $00, $65, $00, $76, $00, $69, $00
  Data.b $63, $00, $65, $00, $73, $00, $5C, $00, $44, $00, $65, $00, $76, $00, $5F, $00
  Data.b $44, $00, $69, $00, $72, $00, $65, $00, $63, $00, $74, $00, $4E, $00, $54, $00
  Data.b $00, $00, $00, $00, $5C, $00, $44, $00, $65, $00, $76, $00, $69, $00, $63, $00
  Data.b $65, $00, $5C, $00, $44, $00, $69, $00, $72, $00, $65, $00, $63, $00, $74, $00
  Data.b $4E, $00, $54, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00
  Data.b $08, $08, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $9A, $09, $00, $00
  Data.b $4C, $08, $00, $00, $FC, $07, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00
  Data.b $CE, $09, $00, $00, $40, $08, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00
  Data.b $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $BC, $09, $00, $00
  Data.b $A8, $09, $00, $00, $00, $00, $00, $00, $AE, $08, $00, $00, $D8, $08, $00, $00
  Data.b $EE, $08, $00, $00, $08, $09, $00, $00, $96, $08, $00, $00, $C0, $08, $00, $00
  Data.b $48, $09, $00, $00, $58, $09, $00, $00, $6C, $09, $00, $00, $82, $09, $00, $00
  Data.b $1E, $09, $00, $00, $84, $08, $00, $00, $36, $09, $00, $00, $00, $00, $00, $00
  Data.b $BC, $09, $00, $00, $A8, $09, $00, $00, $00, $00, $00, $00, $AE, $08, $00, $00
  Data.b $D8, $08, $00, $00, $EE, $08, $00, $00, $08, $09, $00, $00, $96, $08, $00, $00
  Data.b $C0, $08, $00, $00, $48, $09, $00, $00, $58, $09, $00, $00, $6C, $09, $00, $00
  Data.b $82, $09, $00, $00, $1E, $09, $00, $00, $84, $08, $00, $00, $36, $09, $00, $00
  Data.b $00, $00, $00, $00, $FB, $00, $49, $6F, $44, $65, $6C, $65, $74, $65, $44, $65
  Data.b $76, $69, $63, $65, $00, $00, $F7, $00, $49, $6F, $43, $72, $65, $61, $74, $65
  Data.b $53, $79, $6D, $62, $6F, $6C, $69, $63, $4C, $69, $6E, $6B, $00, $00, $F3, $00
  Data.b $49, $6F, $43, $72, $65, $61, $74, $65, $44, $65, $76, $69, $63, $65, $00, $00
  Data.b $D0, $02, $52, $74, $6C, $49, $6E, $69, $74, $55, $6E, $69, $63, $6F, $64, $65
  Data.b $53, $74, $72, $69, $6E, $67, $00, $00, $4C, $01, $4B, $65, $33, $38, $36, $53
  Data.b $65, $74, $49, $6F, $41, $63, $63, $65, $73, $73, $4D, $61, $70, $00, $4A, $01
  Data.b $4B, $65, $33, $38, $36, $49, $6F, $53, $65, $74, $41, $63, $63, $65, $73, $73
  Data.b $50, $72, $6F, $63, $65, $73, $73, $00, $0C, $01, $49, $6F, $47, $65, $74, $43
  Data.b $75, $72, $72, $65, $6E, $74, $50, $72, $6F, $63, $65, $73, $73, $00, $4B, $01
  Data.b $4B, $65, $33, $38, $36, $51, $75, $65, $72, $79, $49, $6F, $41, $63, $63, $65
  Data.b $73, $73, $4D, $61, $70, $00, $F7, $01, $4D, $6D, $55, $6E, $6D, $61, $70, $49
  Data.b $6F, $53, $70, $61, $63, $65, $00, $00, $E6, $01, $4D, $6D, $4D, $61, $70, $49
  Data.b $6F, $53, $70, $61, $63, $65, $00, $00, $DF, $01, $4D, $6D, $49, $73, $41, $64
  Data.b $64, $72, $65, $73, $73, $56, $61, $6C, $69, $64, $00, $00, $45, $01, $49, $6F
  Data.b $66, $43, $6F, $6D, $70, $6C, $65, $74, $65, $52, $65, $71, $75, $65, $73, $74
  Data.b $00, $00, $FC, $00, $49, $6F, $44, $65, $6C, $65, $74, $65, $53, $79, $6D, $62
  Data.b $6F, $6C, $69, $63, $4C, $69, $6E, $6B, $00, $00, $6E, $74, $6F, $73, $6B, $72
  Data.b $6E, $6C, $2E, $65, $78, $65, $00, $00, $57, $00, $57, $52, $49, $54, $45, $5F
  Data.b $50, $4F, $52, $54, $5F, $55, $43, $48, $41, $52, $00, $00, $51, $00, $52, $45
  Data.b $41, $44, $5F, $50, $4F, $52, $54, $5F, $55, $43, $48, $41, $52, $00, $48, $41
  Data.b $4C, $2E, $64, $6C, $6C, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00
  Data.b $00, $00, $00, $00, $35, $FD, $A5, $32, $00, $00, $00, $00, $00, $00, $01, $00
  Data.b $10, $00, $00, $00, $18, $00, $00, $80, $00, $00, $00, $00, $35, $FD, $A5, $32
  Data.b $00, $00, $00, $00, $00, $00, $01, $00, $01, $00, $00, $00, $30, $00, $00, $80
  Data.b $00, $00, $00, $00, $35, $FD, $A5, $32, $00, $00, $00, $00, $00, $00, $01, $00
  Data.b $09, $04, $00, $00, $48, $00, $00, $00, $40, $0A, $00, $00, $AC, $02, $00, $00
  Data.b $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00
  Data.b $AC, $02, $34, $00, $00, $00, $56, $00, $53, $00, $5F, $00, $56, $00, $45, $00
  Data.b $52, $00, $53, $00, $49, $00, $4F, $00, $4E, $00, $5F, $00, $49, $00, $4E, $00
  Data.b $46, $00, $4F, $00, $00, $00, $00, $00, $BD, $04, $EF, $FE, $00, $00, $01, $00
  Data.b $00, $00, $01, $00, $01, $00, $00, $00, $00, $00, $01, $00, $01, $00, $00, $00
  Data.b $00, $00, $00, $00, $00, $00, $00, $00, $04, $00, $04, $00, $03, $00, $00, $00
  Data.b $07, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $0A, $02, $00, $00
  Data.b $01, $00, $53, $00, $74, $00, $72, $00, $69, $00, $6E, $00, $67, $00, $46, $00
  Data.b $69, $00, $6C, $00, $65, $00, $49, $00, $6E, $00, $66, $00, $6F, $00, $00, $00
  Data.b $E6, $01, $00, $00, $01, $00, $30, $00, $34, $00, $30, $00, $39, $00, $30, $00
  Data.b $34, $00, $42, $00, $30, $00, $00, $00, $28, $00, $04, $00, $01, $00, $43, $00
  Data.b $6F, $00, $6D, $00, $70, $00, $61, $00, $6E, $00, $79, $00, $4E, $00, $61, $00
  Data.b $6D, $00, $65, $00, $00, $00, $00, $00, $63, $00, $27, $00, $74, $00, $00, $00
  Data.b $32, $00, $05, $00, $01, $00, $46, $00, $69, $00, $6C, $00, $65, $00, $44, $00
  Data.b $65, $00, $73, $00, $63, $00, $72, $00, $69, $00, $70, $00, $74, $00, $69, $00
  Data.b $6F, $00, $6E, $00, $00, $00, $00, $00, $31, $00, $2E, $00, $30, $00, $30, $00
  Data.b $00, $00, $00, $00, $2A, $00, $05, $00, $01, $00, $46, $00, $69, $00, $6C, $00
  Data.b $65, $00, $56, $00, $65, $00, $72, $00, $73, $00, $69, $00, $6F, $00, $6E, $00
  Data.b $00, $00, $00, $00, $31, $00, $2E, $00, $30, $00, $30, $00, $00, $00, $00, $00
  Data.b $3A, $00, $0D, $00, $01, $00, $49, $00, $6E, $00, $74, $00, $65, $00, $72, $00
  Data.b $6E, $00, $61, $00, $6C, $00, $4E, $00, $61, $00, $6D, $00, $65, $00, $00, $00
  Data.b $44, $00, $69, $00, $72, $00, $65, $00, $63, $00, $74, $00, $4E, $00, $54, $00
  Data.b $2E, $00, $73, $00, $79, $00, $73, $00, $00, $00, $00, $00, $58, $00, $1A, $00
  Data.b $01, $00, $4C, $00, $65, $00, $67, $00, $61, $00, $6C, $00, $43, $00, $6F, $00
  Data.b $70, $00, $79, $00, $72, $00, $69, $00, $67, $00, $68, $00, $74, $00, $00, $00
  Data.b $43, $00, $6F, $00, $70, $00, $79, $00, $72, $00, $69, $00, $67, $00, $68, $00
  Data.b $74, $00, $20, $00, $28, $00, $43, $00, $29, $00, $20, $00, $31, $00, $39, $00
  Data.b $39, $00, $36, $00, $20, $00, $62, $00, $79, $00, $20, $00, $63, $00, $27, $00
  Data.b $74, $00, $00, $00, $42, $00, $0D, $00, $01, $00, $4F, $00, $72, $00, $69, $00
  Data.b $67, $00, $69, $00, $6E, $00, $61, $00, $6C, $00, $46, $00, $69, $00, $6C, $00
  Data.b $65, $00, $6E, $00, $61, $00, $6D, $00, $65, $00, $00, $00, $44, $00, $69, $00
  Data.b $72, $00, $65, $00, $63, $00, $74, $00, $4E, $00, $54, $00, $2E, $00, $73, $00
  Data.b $79, $00, $73, $00, $00, $00, $00, $00, $40, $00, $10, $00, $01, $00, $50, $00
  Data.b $72, $00, $6F, $00, $64, $00, $75, $00, $63, $00, $74, $00, $4E, $00, $61, $00
  Data.b $6D, $00, $65, $00, $00, $00, $00, $00, $44, $00, $69, $00, $72, $00, $65, $00
  Data.b $63, $00, $74, $00, $4E, $00, $54, $00, $20, $00, $64, $00, $72, $00, $69, $00
  Data.b $76, $00, $65, $00, $72, $00, $00, $00, $2E, $00, $05, $00, $01, $00, $50, $00
  Data.b $72, $00, $6F, $00, $64, $00, $75, $00, $63, $00, $74, $00, $56, $00, $65, $00
  Data.b $72, $00, $73, $00, $69, $00, $6F, $00, $6E, $00, $00, $00, $31, $00, $2E, $00
  Data.b $30, $00, $30, $00, $00, $00, $00, $00, $44, $00, $00, $00, $01, $00, $56, $00
  Data.b $61, $00, $72, $00, $46, $00, $69, $00, $6C, $00, $65, $00, $49, $00, $6E, $00
  Data.b $66, $00, $6F, $00, $00, $00, $00, $00, $24, $00, $04, $00, $00, $00, $54, $00
  Data.b $72, $00, $61, $00, $6E, $00, $73, $00, $6C, $00, $61, $00, $74, $00, $69, $00
  Data.b $6F, $00, $6E, $00, $00, $00, $00, $00, $09, $04, $B0, $04, $00, $00, $00, $00
  Data.b $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00
  Data.b $00, $00, $00, $00, $38, $00, $00, $00, $4D, $32, $71, $32, $81, $32, $9C, $32
  Data.b $AA, $32, $07, $33, $6C, $33, $81, $34, $9B, $34, $06, $35, $46, $35, $53, $35
  Data.b $BD, $36, $D0, $36, $D7, $36, $E2, $36, $EF, $36, $01, $37, $1C, $37, $21, $37
  Data.b $32, $37, $38, $37, $3E, $37, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00
  Data.b $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00
  Data.b $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00
EndDataSection 
Gruß
Helle
Rings

Beitrag von Rings »

Eine andere Möglichkeit ohne externen Treiber wäre dieses Beispiel
(geht nur für den Speicher, nicht für Ports).


;Physically Memory
Procedure msg(Instring.s)
  ; Shows Instring in a plain message box titled "Info" (flags 0); a small
  ; convenience wrapper around MessageRequester().
  Protected Title.s = "Info"
  Protected Flags.l = 0
  MessageRequester(Title, Instring, Flags)
EndProcedure
; OBJ_* flags for OBJECT_ATTRIBUTES\Attributes (native object-manager values);
; only #OBJ_CASE_INSENSITIVE is used below.
#OBJ_INHERIT = $2
#OBJ_PERMANENT = $10
#OBJ_EXCLUSIVE = $20
#OBJ_CASE_INSENSITIVE = $40
#OBJ_OPENIF = $80
#OBJ_OPENLINK = $100
#OBJ_KERNEL_HANDLE = $200
#OBJ_VALID_ATTRIBUTES = $3F2

; Section access rights; NtOpenSection_() below asks for #SECTION_MAP_READ only.
#SECTION_QUERY = $1
#SECTION_MAP_WRITE = $2
#SECTION_MAP_READ = $4
#SECTION_MAP_EXECUTE = $8

; Page protection and InheritDisposition for NtMapViewOfSection_();
; #PAGE_READONLY and #VIEW_SHARE are used, #PAGE_READWRITE is not.
#PAGE_READONLY = 2
#PAGE_READWRITE=4
#VIEW_SHARE = 1

; Variant of the native UNICODE_STRING with a PureBasic string field.
; Not used by the script: the commented-out block near the top would have
; filled it; the live code uses UNICODE_lSTRING with a raw pointer instead.
Structure UNICODE_STRING
  usLength.w                            ; length of the text in bytes, without terminator
  usMaximumLength.w                     ; size of the buffer in bytes
  usBuffer.s                            ; PureBasic string (stored as a pointer to its characters)
EndStructure
; Native UNICODE_STRING layout (32-bit): two 16-bit byte counts followed by a
; pointer to UTF-16 text. This is what ia\ObjectName points to below.
Structure UNICODE_lSTRING
  usLength.w                            ; length of the text in bytes, without the terminating null
  usMaximumLength.w                     ; size of the buffer in bytes, including the terminating null
  usBuffer.l                            ; pointer to the UTF-16 text (Buffer1 below)
EndStructure
; Native OBJECT_ATTRIBUTES, 32-bit layout: six 4-byte fields = 24 bytes,
; which is the value hard-coded into ia\Length below.
Structure OBJECT_ATTRIBUTES
    Length.l                            ; size of this structure in bytes (24)
    RootDirectory.l                     ; handle of a root directory; 0 = ObjectName is an absolute path
    ObjectName.l                        ; pointer to a UNICODE_lSTRING with the object path
    Attributes.l                        ; OBJ_* flags
    SecurityDescriptor.l                ; not used here (0)
    SecurityQualityOfService.l          ; not used here (0)
EndStructure
; 64-bit physical offset split into two longs (little-endian: low part first).
; Passed as SectionOffset to NtMapViewOfSection_(). NOTE(review): the kernel
; presumably rounds this offset down to its mapping granularity and writes the
; adjusted value back; the read expressions below subtract viewBase\lowpart
; again to compensate. Confirm against the NtMapViewOfSection contract.
Structure PHYSICAL_ADDRESS
    lowpart.l                           ; low 32 bits of the physical offset
    highpart.l                          ; high 32 bits (always 0 in this script)
EndStructure

   status.l                             ; NTSTATUS returned by the Nt* calls below (0 = success)
   ia.OBJECT_ATTRIBUTES                 ; name and flags of the object to open
   hdlPhysMem.l                         ; section handle for \device\physicalmemory
   
;    usDevName.UNICODE_STRING
;    usDevName\usBuffer = "\device\physicalmemory"
;    usDevName\usMaximumLength = Len(usDevName\usBuffer) * 2
;    usDevName\usLength = usDevName\usMaximumLength - 2
;

; Object-manager path of the physical-memory section as an ANSI string.
; NOTE(review): the explicit Chr(0) is presumably not counted by Len() (the
; byte counts below rely on that); confirm for this PureBasic version.
mydevice.s="\device\physicalmemory" + Chr(0) 

; Room for the UTF-16 copy of the name (2 bytes per character) plus slack.
Buffer1 = AllocateMemory( Len(mydevice)*2 + 8)
;Dim Bytefeld.b(255)
;Buffer1.l=@Bytefeld(0)
; cbMultiByte = -1 converts the terminating null as well.
; NOTE(review): cchWideChar counts wide characters, and Len*2 overstates what
; Buffer1 can hold (Len+4 characters). Harmless for this fixed name, but
; Len(mydevice)+4 would match the allocation above.
Result=MultiByteToWideChar_(#CP_ACP ,0,@mydevice.s,-1,Buffer1,Len(mydevice.s)*2)
;msg(PeekS(Buffer1) )
;PeekS(Buffer1+2)
;Debug Hex(Buffer1)


; Counted string for the object manager: both lengths are in bytes,
; usLength without and usMaximumLength with the terminating null.
usDevName.UNICODE_lSTRING
usDevName\usBuffer = Buffer1
usDevName\usMaximumLength = (Len(mydevice.s) * 2) +2
usDevName\usLength = Len(mydevice.s) * 2

   ; Absolute, case-insensitive lookup; no security descriptor or QoS.
   ia\Length = 24;SizeOf(OBJECT_ATTRIBUTES)
   ia\ObjectName = @usDevName
   ia\Attributes  = #OBJ_CASE_INSENSITIVE
   ia\SecurityDescriptor = 0
   ia\RootDirectory = 0
   ia\SecurityQualityOfService = 0
 
   
   ; Read-only access is the least that a PAGE_READONLY view needs.
   ; NOTE(review): later Windows versions refuse user-mode opens of this
   ; object, so a non-zero status here is the expected result on such systems;
   ; confirm on the target.
   status = NtOpenSection_(@hdlPhysMem, #SECTION_MAP_READ, @ia)

   ; NOTE(review): status is an NTSTATUS; Nt* calls do not set the Win32 last
   ; error, so GetLastError_()/FormatMessage_() here describe an unrelated,
   ; possibly stale error. Hex(status) in the first message is the meaningful value.
   If status<>0
    msg("NtOpenSection: "+ Hex(status))
    sBuffer.s=Space(256)
    Result=GetLastError_()
    FormatMessage_(#FORMAT_MESSAGE_FROM_SYSTEM,0,Result,0,@sBuffer,255,0)
    MessageRequester("Info NtOpenSection!",Hex(Result)+Chr(13)+sBuffer,0)
    End
   EndIf
   
   memVirtualAddress.l                  ; base address of the mapped view (in/out parameter; 0 = let the kernel choose)
   memLen.l                             ; requested/actual view size in bytes (in/out parameter)
   memVirtualAddress.l = 0

;Goto weiter
   ; First view: 16 bytes starting at physical offset $400.
   viewBase.PHYSICAL_ADDRESS
   viewBase\highpart = 0
   viewBase\lowpart = $400
   memLen = $10

   ; Arguments: section, current process (-1), @base, ZeroBits 0, CommitSize,
   ; @SectionOffset, @ViewSize, InheritDisposition, AllocationType 0, protection.
   status = NtMapViewOfSection_(hdlPhysMem, -1, @memVirtualAddress,0, memLen, @viewBase, @memLen, #VIEW_SHARE, 0, #PAGE_READONLY)
   ;msg("NtMapViewOfSection: "+ Hex(status))
   
   ; Same caveat as above: GetLastError_() does not reflect an NTSTATUS.
   If status<>0
    sBuffer.s=Space(256)
    Result=GetLastError_()
    FormatMessage_(#FORMAT_MESSAGE_FROM_SYSTEM,0,Result,0,@sBuffer,255,0)
    MessageRequester("Info NtMapViewOfSection!",Hex(Result)+Chr(13)+ sBuffer,0)
    End
   EndIf
   
   ; Read 16-bit entries at physical $400+i. The expression
   ; "memVirtualAddress - viewBase\lowpart + $400" presumably compensates for
   ; the kernel having rounded the section offset down and written the
   ; adjusted value back into viewBase (with lowpart still $400 it is just
   ; memVirtualAddress + i). The COM/LPT labels are the author's.
   i=0
   MyInfo.s=MyInfo.s + "COM1="+Hex(PeekW(memVirtualAddress - viewBase\lowpart + $400 + i)) + Chr(13)
   i=2
   MyInfo.s=MyInfo.s + "COM2="+Hex(PeekW(memVirtualAddress - viewBase\lowpart + $400 + i)) + Chr(13)
   i=4
   MyInfo.s=MyInfo.s + "COM3="+Hex(PeekW(memVirtualAddress - viewBase\lowpart + $400 + i)) + Chr(13)
   i=8
   MyInfo.s=MyInfo.s + "LPT1="+Hex(PeekW(memVirtualAddress - viewBase\lowpart + $400 + i)) + Chr(13)
   adrLPT1.l=PeekW(memVirtualAddress - viewBase\lowpart + $400 + i)   ; stored but never used below
   i=10
   MyInfo.s=MyInfo.s +"LPT2="+ Hex(PeekW(memVirtualAddress - viewBase\lowpart + $400 + i)) + Chr(13)
   i=12
   MyInfo.s=MyInfo.s +"LPT3="+ Hex(PeekW(memVirtualAddress - viewBase\lowpart + $400 + i)) + Chr(13)

   MessageRequester("Info",MyInfo.s,0)

   status = NtUnmapViewOfSection_(-1, memVirtualAddress)   ; return value not checked

weiter:                                  ; target of the commented-out Goto above

   ; Second view: 16 bytes at physical offset $378. Nothing is done with it
   ; any more (the polling loop below is commented out).
   ; NOTE(review): physical RAM at $378 is not the LPT1 I/O port range; port
   ; I/O is not reachable through a memory section, as the post itself notes.
   Offset=$378
   viewBase.PHYSICAL_ADDRESS
   viewBase\highpart = 0
   viewBase\lowpart = Offset
   memLen = $10 ;16 Bytes
   
   ; NOTE(review): a non-zero base address is a request for that address, and
   ; 1 is not page-aligned, so this mapping presumably fails with an alignment
   ; status; 0 (as for the first view) lets the kernel choose. Confirm.
   memVirtualAddress=1
   
   status = NtMapViewOfSection_(hdlPhysMem, -1, @memVirtualAddress,0, memLen, @viewBase, @memLen, #VIEW_SHARE, 0, #PAGE_READONLY)
   
   ; Same caveat as above: GetLastError_() does not reflect an NTSTATUS.
   If status<>0
    sBuffer.s=Space(256)
    Result=GetLastError_()
    FormatMessage_(#FORMAT_MESSAGE_FROM_SYSTEM,0,Result,0,@sBuffer,255,0)
    MessageRequester("Info NtMapViewOfSection!",Hex(Result)+Chr(13)+ sBuffer,0)
    End
   
   EndIf
;    i=0
;    Repeat
;     Event = WindowEvent()
;     Delay(50)
;     MyInfo=""
;     For i=0 To 9;memLen -1
;      MyInfo=Myinfo +Bin(PeekB(memVirtualAddress - viewBase\lowpart + Offset  + i)) +";"; Chr(13)
;      ;MyInfo=Myinfo +Right("00"+Hex(PeekB(memVirtualAddress - viewBase\lowpart + Offset  + i)),2) +";"; Chr(13)
;     Next i
;     If MyInfo.s<>Oldinfo.s
;      SetGadgetText(#Gadget_1,MyInfo.s)
;      OldInfo=MyInfo
;     EndIf
;    Until Event = #PB_EventCloseWindow
;   MessageRequester("Info",Hex(viewBase\lowpart)+ MyInfo.s,0)

 
   ; Cleanup: unmap the second view and release the section handle.
   status = NtUnmapViewOfSection_(-1, memVirtualAddress)
   status = CloseHandle_(hdlPhysMem)
 
End
Rings hat geschrieben:ziert sich nich beim zitieren