Windows 2000 下通过访问物理地址取主机唯一信息
Author: sinister Email: sinister@whitecell.org Homepage:http://www.whitecell.org
在 9x 下取得主板序列号非常简单,但此方法在 NT/2K 下行不通。还好 NT/2K 下提供了 \Device\PhysicalMemory 设备,通过它可以读取物理地址处的内容。在 9x 下通过访问地址 FEC71H 可以得到主板序列号。NT/2K 下虽不保证该地址处是主板序列号,但经过多台机器反复测试,此地址的值是不变且唯一的。下面是我的驱动(driver)中取主机唯一信息的代码,错误之处还望各位指正。
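/*
 * Forward declaration: MapView() is defined after its first use. Without a
 * prototype the call relies on an implicit int-returning declaration, which
 * does not match the real BOOLEAN return type.
 */
BOOLEAN MapView( HANDLE HPMemory, DWORD *dwAddress, DWORD *dwLength, DWORD *dwVAddress );

/*
 * MainBoardBiosSerialNo
 *
 * Opens \Device\PhysicalMemory for read-only mapping, maps the region that
 * contains physical address 0xFEC71 and dumps 100 bytes from that address
 * with DbgPrint as two-digit hex values.
 *
 * Returns TRUE when the section was opened, mapped, dumped and unmapped
 * successfully, FALSE otherwise. The section handle is closed on every path.
 *
 * Notes for maintainers:
 *  - The virtual address is carried in a DWORD (MapView's interface), so
 *    this code is only valid on 32-bit builds.
 *  - The view is mapped into the current process ((HANDLE)-1) and is
 *    read-only; it is removed again before the function returns.
 */
BOOLEAN MainBoardBiosSerialNo()
{
    HANDLE physmem;
    UNICODE_STRING physmemString;
    OBJECT_ATTRIBUTES attributes;
    WCHAR physmemName[] = L"\\Device\\PhysicalMemory";
    NTSTATUS ntStatus;
    BOOLEAN Result = FALSE;
    DWORD RAdd = 0xFEC71;   /* physical address of interest */
    DWORD LAdd = 100;       /* number of bytes to dump */
    DWORD MapBase;          /* aligned physical address handed to MapView */
    DWORD MapLen;           /* bytes requested for the view */
    DWORD Delta;            /* offset of RAdd inside the mapped view */
    DWORD OAdd;
    DWORD i;

    RtlInitUnicodeString( &physmemString, physmemName );

    /*
     * OBJ_KERNEL_HANDLE (Windows 2000 and later) keeps the handle out of the
     * handle table of whatever process the driver happens to be running in.
     * Without it, a handle to physical memory would be visible to that
     * process for as long as it stays open.
     */
    InitializeObjectAttributes( &attributes,
                                &physmemString,
                                OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                                NULL,
                                NULL );

    ntStatus = ZwOpenSection( &physmem, SECTION_MAP_READ, &attributes );
    if( !NT_SUCCESS( ntStatus )) {
        DbgPrint("ZwOpenSection() is error\n");
        return FALSE;
    }
    DbgPrint("ZwOpenSection() is OK\n");

    /*
     * ZwMapViewOfSection is documented to round the section offset down to
     * an allocation-granularity boundary and the view size up to a page
     * boundary. Mapping 0xFEC71 directly therefore returns a view that does
     * not start at 0xFEC71, and overwrites the length with the rounded size.
     * Align the request ourselves (64 KB is the allocation granularity on
     * x86 Windows) and remember the offset of the wanted byte in the view.
     */
    MapBase = RAdd & ~(DWORD)0xFFFF;
    Delta   = RAdd - MapBase;
    MapLen  = Delta + LAdd;

    if (!MapView( physmem, &MapBase, &MapLen, &OAdd )) {
        DbgPrint("MapView() is error\n");
        ZwClose( physmem );
        return FALSE;
    }
    DbgPrint("MapView() is OK\n");

    /* If MapView reported a different (rounded) base, follow it. */
    Delta = RAdd - MapBase;

    /*
     * Dump exactly LAdd bytes; MapLen may now hold the rounded view size and
     * must not be used as the loop bound. %02x keeps every byte two digits
     * wide so the concatenated output is unambiguous.
     */
    for ( i = 0; i < LAdd; i++ ) {
        DbgPrint("%02x", *(PUCHAR)(OAdd + Delta + i));
    }

    ntStatus = ZwUnmapViewOfSection( (HANDLE) -1, (PVOID) OAdd );
    if( !NT_SUCCESS( ntStatus )) {
        DbgPrint("Unable to unmap view");
    } else {
        Result = TRUE;
    }

    /* The original never closed the section handle; release it here. */
    ZwClose( physmem );
    return Result;
}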
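/*
 * MapView
 *
 * Maps a read-only view of the section HPMemory into the current process
 * ((HANDLE)-1).
 *
 * HPMemory   - section handle to map.
 * dwAddress  - in: section offset (physical address) to map.
 *              out: the offset actually used. ZwMapViewOfSection is
 *              documented to round the offset down to an allocation-
 *              granularity boundary, so callers must add
 *              (requested - *dwAddress) to *dwVAddress to reach the byte
 *              they asked for.
 * dwLength   - in: number of bytes wanted (also passed as the commit size).
 *              out: size of the view, which the system may round up.
 * dwVAddress - out: base virtual address of the view, 0 on failure.
 *
 * Returns TRUE on success, FALSE if an argument is NULL or the mapping
 * fails.
 *
 * NOTE(review): addresses and sizes travel through DWORD variables, so this
 * helper is only valid on 32-bit builds where a pointer fits in a DWORD.
 */
BOOLEAN MapView( HANDLE HPMemory,DWORD *dwAddress,DWORD *dwLength,DWORD *dwVAddress )
{
    NTSTATUS Status;
    PHYSICAL_ADDRESS ViewBaseAddress;

    if( dwAddress == NULL || dwLength == NULL || dwVAddress == NULL ) {
        return FALSE;
    }

    /* Zero lets the system choose where to place the view. */
    *dwVAddress = 0;
    ViewBaseAddress.QuadPart = (ULONGLONG) (*dwAddress);

    Status = ZwMapViewOfSection ( HPMemory,
                                  (HANDLE) -1,
                                  (PVOID)dwVAddress,
                                  0,
                                  *dwLength,
                                  &ViewBaseAddress,
                                  dwLength,
                                  ViewShare,
                                  0,
                                  PAGE_READONLY );
    if( !NT_SUCCESS( Status )) {
        return FALSE;
    }

    /*
     * Report the offset that was really mapped; without this the caller
     * cannot tell where the requested address lies inside the view.
     */
    *dwAddress = ViewBaseAddress.LowPart;
    return TRUE;
}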