我抄用了以下的文章內容:
http://delphi.ktop.com.tw/topic.php?topic_Id=26405
並試著改寫為 BCB, 可是編譯沒有辦法通過, 不知為何, 可否請哪位大大賜教.
程式碼如下:
#include "aclapi.h"
#include "ntddk.h" #include
#pragma hdrstop #include "Unit1.h"
//--------------------------------------------------------------------
#pragma package(smart_init)
#pragma resource "*.dfm"
// Global pointer to the application's main form (standard C++Builder layout;
// presumably assigned by the VCL at startup, not by code in this listing).
TForm1 *Form1;
//--------------------------------------------------------------------
// Form constructor: forwards Owner to TForm and performs no other setup.
__fastcall TForm1::TForm1(TComponent* Owner)
: TForm(Owner)
{
}
//--------------------------------------------------------------------
// 8-byte 32-bit call-gate descriptor (Intel SDM, "Call Gates"). ExecRing0Proc()
// below writes one of these into an unused GDT slot so that a far call from
// ring 3 lands on a ring-0 entry point. Fields follow the hardware layout:
// offset 15:0, code selector, parameter-count byte (the SDM defines a 5-bit
// count plus 3 reserved bits; this struct splits the same byte 4+4), then
// type / S bit / DPL / present, then offset 31:16.
typedef struct{
unsigned short offset_0_15;
unsigned short selector;
unsigned char param_count : 4;
unsigned char some_bits : 4;
unsigned char type : 4;
unsigned char app_system : 1;
unsigned char dpl : 2;
unsigned char present : 1;
unsigned short offset_16_31;
// Gdtr_t receives the 6-byte image stored by SGDT: a 16-bit limit followed by
// the 32-bit linear base, kept here as two 16-bit halves.
} CALLGATE_DESCRIPTOR; typedef struct gdtr {
short Limit;
short BaseLow;
short BaseHigh;
// Adds an allow-ACE granting the calling user SECTION_MAP_WRITE on hSection.
// The handle must carry READ_CONTROL|WRITE_DAC (see the caller), which the
// default DACL of \Device\PhysicalMemory typically gives only to
// administrators -- so this step does not cross a privilege boundary on its
// own, but a DACL change on that object is a high-signal event for detection.
// Failures are reported through ShowMessage and leave the DACL unchanged.
} Gdtr_t, *PGdtr_t; void SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
PACL pDacl=NULL;
PACL pNewDacl=NULL;
PSECURITY_DESCRIPTOR pSD=NULL;
DWORD dwRes;
// Fetch the object's current DACL; pSD owns the returned buffer and is
// released at CleanUp.
EXPLICIT_ACCESS ea; if((dwRes=GetSecurityInfo(hSection, SE_KERNEL_OBJECT,
DACL_SECURITY_INFORMATION, NULL, NULL, &pDacl,
NULL, &pSD))!=ERROR_SUCCESS)
{
// NOTE(review): as transcribed, the string literal and IntToStr() are
// juxtaposed with no operator between them, which does not compile; the same
// loss of an operator recurs in the other messages, in the MapViewOfFile
// length and in the pointer arithmetic on cg in ExecRing0Proc.
ShowMessage("GetSecurityInfo error " IntToStr(dwRes));
goto CleanUp;
}
// One grant ACE: SECTION_MAP_WRITE for the trustee named "CURRENT_USER",
// which the access-control API presumably resolves to the caller's account.
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions=SECTION_MAP_WRITE;
ea.grfAccessMode=GRANT_ACCESS;
ea.grfInheritance=NO_INHERITANCE;
ea.Trustee.TrusteeForm=TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType=TRUSTEE_IS_USER;
ea.Trustee.ptstrName="CURRENT_USER";
// Merge the ACE into a fresh DACL; pNewDacl is allocated by the API and must
// be released with LocalFree.
if((dwRes=SetEntriesInAcl(1,&ea,pDacl,&pNewDacl))!=ERROR_SUCCESS)
{
ShowMessage("SetEntriesInAcl error " IntToStr(dwRes));
goto CleanUp;
}
// Write the widened DACL back onto the kernel object.
if((dwRes=SetSecurityInfo(hSection, SE_KERNEL_OBJECT,
DACL_SECURITY_INFORMATION, NULL, NULL,
pNewDacl, NULL))!=ERROR_SUCCESS)
{
ShowMessage("SetSecurityInfo error " IntToStr(dwRes));
goto CleanUp;
}
CleanUp:
if(pSD) LocalFree(pSD);
// NOTE(review): this frees pSD a second time (double free) and never releases
// pNewDacl; the intent is evidently LocalFree(pNewDacl).
if(pNewDacl) LocalFree(pSD);
// Maps a kernel virtual address to the physical page offset used with
// MapViewOfFile on the physical-memory section. Only the 0x80000000-0x9FFFFFFF
// window is handled; the conversion assumes that window is mapped 1:1 onto the
// low 512 MB of physical memory on the targeted 32-bit kernels (TODO confirm
// for the intended OS and boot options). Returns 0 for anything else.
} ULONG MiniMmGetPhysicalAddress(ULONG virtualaddress)
{
if(virtualaddress<0x80000000||virtualaddress>=0xA0000000)
return 0;
// Drop the 0x80000000 bit and round down to a 4 KB page; 0 doubles as the
// failure value, which the caller tests.
return virtualaddress&0x1FFFF000;
// Runs Entry in ring 0: maps the physical page holding the GDT through
// \Device\PhysicalMemory, converts an unused descriptor into a DPL-3 call gate
// targeting Entry, far-calls through it, then zeroes the gate. seglen is the
// size of the code at Entry, kept resident with VirtualLock for the call.
// This is the classic physical-memory call-gate technique; it depends on the
// caller already being allowed to open (or re-ACL) the section, and later
// Windows versions refuse user-mode opens of that object, which is the
// mitigation that retires it. Returns TRUE on success, 0/false otherwise.
} bool ExecRing0Proc(ULONG Entry, ULONG seglen)
{
Gdtr_t gdt;
ULONG mapAddr;
HANDLE hSection=NULL;
NTSTATUS status=STATUS_SUCCESS;
OBJECT_ATTRIBUTES objectAttributes;
UNICODE_STRING objName;
CALLGATE_DESCRIPTOR *cg;
PVOID BaseAddress;
BOOL setcg=FALSE;
// farcall is the 48-bit far pointer for the call below: [0..1] offset (ignored
// when the selector names a gate), [2] the gate selector. SGDT is not a
// privileged instruction, so ring 3 can read the GDT base and limit here.
short farcall[3]; __asm sgdt gdt;
// Physical offset of the GDT page; 0 means the base was outside the window
// MiniMmGetPhysicalAddress understands.
mapAddr=MiniMmGetPhysicalAddress(gdt.BaseHigh<<16U|gdt.BaseLow);
if(!mapAddr) return false;
// Open the section that exposes physical memory. Any user-mode open of this
// object, and any DACL change on it, is worth logging on systems that still
// allow it.
RtlInitUnicodeString(&objName,L"\\Device\\PhysicalMemory");
InitializeObjectAttributes(&objectAttributes, &objName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL,
(PSECURITY_DESCRIPTOR) NULL);
status=ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,
&objectAttributes);
// On access denied: reopen for WRITE_DAC (succeeds only if the caller already
// holds it), widen the DACL, close, and retry the open.
if(status==TATUS_ACCESS_DENIED)
{
status=ZwOpenSection(&hSection, READ_CONTROL|WRITE_DAC,
&objectAttributes);
SetPhyscialMemorySectionCanBeWrited(hSection);
ZwClose(hSection);
status=ZwOpenSection(&hSection, SECTION_MAP_WRITE|SECTION_MAP_WRITE,
&objectAttributes);
}
if(status!=STATUS_SUCCESS)
{
ShowMessage("Error Open Physical Memory Section Object, Status: "
IntToHex(status, 8));
return 0;
}
// Map the physical page(s) containing the GDT into this process.
BaseAddress=MapViewOfFile(hSection, FILE_MAP_READ|FILE_MAP_WRITE,
0, mapAddr, (gdt.Limit 1));
if(!BaseAddress)
{
ShowMessage("Error MapViewOfFile:"
IntToStr(GetLastError()));
// NOTE(review): hSection is leaked on this and the later early return, and
// the mapped view is never released (no UnmapViewOfFile on any path).
return 0;
}
// Walk the GDT from its last 8-byte slot downward and take the first
// descriptor whose type is 0 (unused), turning it into a 386 call gate:
// target Entry, selector 8 (the ring-0 code selector on 32-bit Windows),
// DPL 3 so that ring-3 code may call through it.
for(cg=(CALLGATE_DESCRIPTOR *)((ULONG)BaseAddress (gdt.Limit&0xFFF8));
(ULONG)cg>(ULONG)BaseAddress; cg--)
if(cg->type==0)
{
cg->offset_0_15=LOWORD(Entry);
cg->selector=8;
cg->param_count=0;
cg->some_bits=0;
cg->type=0xC; // 386 call gate
cg->app_system=0; // A system descriptor
cg->dpl=3; // Ring 3 code can call
cg->present=1;
cg->offset_16_31=HIWORD(Entry);
setcg=TRUE;
break;
}
// No free slot: give up (the view stays mapped, see note above).
if(!setcg)
{
ZwClose(hSection);
return 0;
}
// Selector of the new gate (its byte offset within the GDT) with RPL 3 in the
// low two bits.
farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate;
// Keep [Entry, Entry+seglen) resident, presumably so the code does not take a
// page fault while it executes in ring 0.
if(!VirtualLock((PVOID)Entry,seglen))
{
ShowMessage("Error VirtualLock:"
IntToStr(GetLastError()));
return 0;
}
// Raise priority, yield once, then far-call through the gate: this is the
// ring 3 -> ring 0 transition. Entry executes with kernel privilege and is
// presumably expected to come back with a far return.
SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL);
Sleep(0);
_asm call fword ptr [farcall]
SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_NORMAL);
VirtualUnlock((PVOID)Entry, seglen);
//Clear callgate
// Zero both dwords of the descriptor so the gate does not outlive this call.
*(ULONG *)cg=0;
*((ULONG *)cg 1)=0;
ZwClose(hSection);
return TRUE;
}