// Control codes for talking to the SCSI miniport driver.
// FILE_DEVICE_SCSI is the device-type value placed in the upper 16 bits of
// the IDENTIFY control code; 0x0501 is its low 16 bits.
#define FILE_DEVICE_SCSI 0x0000001b
#define IOCTL_SCSI_MINIPORT_IDENTIFY ((FILE_DEVICE_SCSI << 16) | 0x0501)
// Literal value; NTDDSCSI.H holds the authoritative definition.
#define IOCTL_SCSI_MINIPORT 0x0004D008
// GETVERSIONOUTPARAMS contains the data returned from the
// Get Driver Version function.
// NOTE(review): the driver fills this structure, so its layout has to match
// the driver's byte for byte -- presumably it mirrors the platform SDK
// declaration; confirm the member order and packing against that header.
typedef struct _GETVERSIONOUTPARAMS
{
   BYTE bVersion; // Binary driver version.
   BYTE bRevision; // Binary driver revision.
   BYTE bReserved; // Not used.
   BYTE bIDEDeviceMap; // Bit map of IDE devices. The caller in this file
                       // tests (map >> drive) & 0x10 to pick ATAPI vs ATA.
   DWORD fCapabilities; // Bit mask of driver capabilities (CAP_IDE_* bits).
   DWORD dwReserved[4]; // For future use.
} GETVERSIONOUTPARAMS, *PGETVERSIONOUTPARAMS, *LPGETVERSIONOUTPARAMS;
// Capability flags reported in GETVERSIONOUTPARAMS.fCapabilities.
// Each flag is a single bit, so they can be tested with a bitwise AND.
#define CAP_IDE_ID_FUNCTION 0x1 // ATA ID command supported
#define CAP_IDE_ATAPI_ID 0x2 // ATAPI ID command supported
#define CAP_IDE_EXECUTE_SMART_FUNCTION 0x4 // SMART commands supported
// IDE registers: the register values handed to the drive for one command.
// Eight single-byte members, embedded in SENDCMDINPARAMS as irDriveRegs.
typedef struct _IDEREGS
{
   BYTE bFeaturesReg; // Used for specifying SMART "commands".
   BYTE bSectorCountReg; // IDE sector count register
   BYTE bSectorNumberReg; // IDE sector number register
   BYTE bCylLowReg; // IDE low order cylinder value
   BYTE bCylHighReg; // IDE high order cylinder value
   BYTE bDriveHeadReg; // IDE drive/head register
   BYTE bCommandReg; // Actual IDE command (see the IDE_*_IDENTIFY values).
   BYTE bReserved; // reserved for future use. Must be zero.
} IDEREGS, *PIDEREGS, *LPIDEREGS;
// SENDCMDINPARAMS contains the input parameters for the
// Send Command to Drive function.
// NOTE(review): bBuffer is declared with one element but is described as the
// input buffer, so callers presumably allocate more than sizeof this struct;
// cBufferSize must then never exceed what was actually allocated -- confirm
// at every call site.
// NOTE(review): with default compiler packing this struct is padded after
// bBuffer; code that sizes buffers from sizeof should be checked against the
// packing the driver expects.
typedef struct _SENDCMDINPARAMS
{
   DWORD cBufferSize; // Buffer size in bytes
   IDEREGS irDriveRegs; // Structure with drive register values.
   BYTE bDriveNumber; // Physical drive number to send
                      // command to (0,1,2,3).
   BYTE bReserved[3]; // Reserved for future expansion.
   DWORD dwReserved[4]; // For future use.
   BYTE bBuffer[1]; // Input buffer.
} SENDCMDINPARAMS, *PSENDCMDINPARAMS, *LPSENDCMDINPARAMS;
// Command opcodes accepted in IDEREGS.bCommandReg.
// 0xEC is also the literal written to the command port by the direct
// port-access path in this file.
#define IDE_ATA_IDENTIFY 0xEC // Returns ID sector for ATA.
#define IDE_ATAPI_IDENTIFY 0xA1 // Returns ID sector for ATAPI.
// Status returned from driver. Embedded in SENDCMDOUTPARAMS as DriverStatus;
// callers should check bDriverError before trusting the returned data.
typedef struct _DRIVERSTATUS
{
   BYTE bDriverError; // Error code from driver, or 0 if no error.
   BYTE bIDEStatus; // Contents of IDE Error register.
                    // Only valid when bDriverError is SMART_IDE_ERROR.
   BYTE bReserved[2]; // Reserved for future expansion.
   DWORD dwReserved[2]; // Reserved for future expansion.
} DRIVERSTATUS, *PDRIVERSTATUS, *LPDRIVERSTATUS;
// Structure returned by PhysicalDrive IOCTL for several commands.
// NOTE(review): bBuffer is a one-element placeholder for variable-length
// data. The output buffer handed to the driver therefore has to be larger
// than sizeof this struct -- presumably the header plus the expected data
// size; an undersized buffer would be overrun or rejected. Confirm the
// allocation at each call site.
typedef struct _SENDCMDOUTPARAMS
{
   DWORD cBufferSize; // Size of bBuffer in bytes
   DRIVERSTATUS DriverStatus; // Driver status structure.
   BYTE bBuffer[1]; // Buffer of arbitrary length in which to store the
                    // data read from the drive.
} SENDCMDOUTPARAMS, *PSENDCMDOUTPARAMS, *LPSENDCMDOUTPARAMS;
// If there is an IDE device at number "i" issue commands
// to the device
// NOTE(review): this is an excerpt. VersionParams, drive, pSCIP, bDriveNum
// and IDENTIFY_BUFFER_SIZE are declared outside the visible lines, and the
// block opened below is not closed before the next definition starts.
if (VersionParams.bIDEDeviceMap > 0)
{
   BYTE bIDCmd = 0; // IDE or ATAPI IDENTIFY cmd
   // NOTE(review): scip is declared here, but every store below goes through
   // pSCIP -- confirm which object the IOCTL call actually receives.
   SENDCMDINPARAMS scip;
   //SENDCMDOUTPARAMS OutCmd;
   // Now, get the ID sector for all IDE devices in the system.
   // If the device is ATAPI use the IDE_ATAPI_IDENTIFY command,
   // otherwise use the IDE_ATA_IDENTIFY command
   // `>>` binds tighter than `&`, so this tests bit 4 of (map >> drive),
   // i.e. bit (4 + drive) of the device map.
   bIDCmd = (VersionParams.bIDEDeviceMap >> drive & 0x10) ? IDE_ATAPI_IDENTIFY : IDE_ATA_IDENTIFY;
   // The command can either be IDE identify or ATAPI identify.
   pSCIP -> irDriveRegs.bCommandReg = bIDCmd;
   pSCIP -> bDriveNumber = bDriveNum;
   // The driver is told it may use this many bytes; the buffer behind the
   // request must really be that large (allocation not visible here).
   pSCIP -> cBufferSize = IDENTIFY_BUFFER_SIZE;
// These are our ring 0 functions responsible for tinkering with the hardware ports.
// They have a similar privilege to a Windows VxD and are therefore free to access
// protected system resources (such as the page tables) and even place calls to
// exported VxD services.
// Reads 1, 2 or 4 bytes from the I/O port whose number is in DX and stores
// the value at the address held in EBX. CL selects the width.
// The function is naked (no compiler-generated prologue or epilogue) and
// every path leaves with a far return, so it is not callable as an ordinary
// C function.
// NOTE(review): the code that loads CL, DX and EBX is not visible here --
// presumably CallRing0 sets them up before the far call.
// NOTE(review): a width other than 1, 2 or 4 matches none of the compares and
// falls through to ByteVal, so an invalid size silently becomes a byte read.
__declspec(naked) void Ring0GetPortVal()
{
   _asm
   {
      // Dispatch on the requested width in CL.
      Cmp CL, 1
      Je ByteVal
      Cmp CL, 2
      Je WordVal
      Cmp CL, 4
      Je DWordVal
   ByteVal:
      // 8-bit read; only the low byte at [EBX] is written.
      In AL, DX
      Mov [EBX], AL
      Retf
   WordVal:
      // 16-bit read; only the low two bytes at [EBX] are written.
      In AX, DX
      Mov [EBX], AX
      Retf
   DWordVal:
      // 32-bit read.
      In EAX, DX
      Mov [EBX], EAX
      Retf
   }
}
// Writes 1, 2 or 4 bytes, loaded from the address held in EBX, to the I/O
// port whose number is in DX. CL selects the width.
// The function is naked (no compiler-generated prologue or epilogue) and
// every path leaves with a far return, so it is not callable as an ordinary
// C function.
// NOTE(review): the code that loads CL, DX and EBX is not visible here --
// presumably CallRing0 sets them up before the far call.
// NOTE(review): a width other than 1, 2 or 4 matches none of the compares and
// falls through to ByteVal, so an invalid size silently becomes a byte write.
// Neither the port number nor the value is checked at this level; any
// restriction has to come from the callers.
__declspec(naked) void Ring0SetPortVal()
{
   _asm
   {
      // Dispatch on the requested width in CL.
      Cmp CL, 1
      Je ByteVal
      Cmp CL, 2
      Je WordVal
      Cmp CL, 4
      Je DWordVal
   ByteVal:
      // 8-bit write of the low byte at [EBX].
      Mov AL, [EBX]
      Out DX, AL
      Retf
   WordVal:
      // 16-bit write.
      Mov AX, [EBX]
      Out DX, AX
      Retf
   DWordVal:
      // 32-bit write.
      Mov EAX, [EBX]
      Out DX, EAX
      Retf
   }
}
// This function makes it possible to call ring 0 code from a ring 3
// application.
// NOTE(review): this is an excerpt. In the visible lines gdtr and
// pGDTDescriptor are read without being assigned, the four parameters and
// CallgateAddr are never used, and the function body is not closed; the
// statements that load the descriptor table register, advance the descriptor
// pointer and build the call gate are not shown.
// NOTE(review): the approach depends on the descriptor table being writable
// from the calling application. Other comments in this file tie the
// direct-port path to Win9X; on a system that protects the table this code
// would presumably fault rather than work -- confirm the platform check that
// guards the call.
bool CallRing0(PVOID pvRing0FuncAddr, WORD wPortAddr, PDWORD pdwPortVal, BYTE bSize)
{
   struct GDT_DESCRIPTOR *pGDTDescriptor;
   struct GDTR gdtr;
   WORD CallgateAddr[3];
   WORD wGDTIndex = 1;
   // The limit is divided by 8 to get the number of 8-byte table entries;
   // the scan starts at index 1, skipping entry 0.
   for (wGDTIndex = 1; wGDTIndex < (gdtr.wGDTLimit / 8); wGDTIndex++)
   {
      // An entry with all four fields zero is treated as unused.
      if (pGDTDescriptor->Type == 0 &&
      pGDTDescriptor->System == 0 &&
      pGDTDescriptor->DPL == 0 &&
      pGDTDescriptor->Present == 0)
      {
         // Found one !
         // Now we need to transform this descriptor into a callgate.
         // Note that we're using selector 0x28 since it corresponds
         // to a ring 0 segment which spans the entire linear address
         // space of the processor (0-4GB).
// Reads the 256-word identify block of each of up to eight IDE drives by
// driving the controller's I/O ports directly through GetPortVal/SetPortVal.
// NOTE(review): this is an excerpt -- the drive loop and the function are not
// closed in the visible lines, done is never assigned after initialisation,
// and no return statement is shown.
int ReadDrivePortsInWin9X (void)
{
   int done = FALSE;
   int drive = 0;
   // NOTE(review): the result of InitializeWinIo is not checked here; if
   // initialisation can fail, the port calls below run regardless.
   InitializeWinIo ();
   // Get IDE Drive info from the hardware ports
   // loop thru all possible drives
   for (drive = 0; drive < 8; drive++)
   {
      DWORD diskdata [256];
      WORD baseAddress = 0; // Base address of drive controller
      DWORD portValue = 0;
      int waitLoop = 0;
      int index = 0;
      // Two drives per controller: drive / 2 selects the controller's base
      // port. drive < 8 keeps the value in 0..3, so every case is covered.
      switch (drive / 2)
      {
         case 0: baseAddress = 0x1f0; break;
         case 1: baseAddress = 0x170; break;
         case 2: baseAddress = 0x1e8; break;
         case 3: baseAddress = 0x168; break;
      }
      // Wait for controller not busy
      // Bounded poll of the register at base + 7: at most 99999 reads, no
      // delay between them, so the timeout depends on port access speed.
      waitLoop = 100000;
      while (--waitLoop > 0)
      {
         GetPortVal ((WORD) (baseAddress + 7), &portValue, (BYTE) 1);
         // drive is ready
         if ((portValue & 0x40) == 0x40) break;
         // previous drive command ended in error
         if ((portValue & 0x01) == 0x01) break;
      }
      // Only a timeout skips the drive here; leaving the loop on the error
      // bit still proceeds to issue the command below.
      if (waitLoop < 1) continue;
      // Set Master or Slave drive
      if ((drive % 2) == 0)
         SetPortVal ((WORD) (baseAddress + 6), 0xA0, 1);
      else
         SetPortVal ((WORD) (baseAddress + 6), 0xB0, 1);
      // Get drive info data
      // 0xEC is the same value as IDE_ATA_IDENTIFY.
      SetPortVal ((WORD) (baseAddress + 7), 0xEC, 1);
      // Wait for data ready
      waitLoop = 100000;
      while (--waitLoop > 0)
      {
         GetPortVal ((WORD) (baseAddress + 7), &portValue, 1);
         // see if the drive is ready and has its info ready for us
         if ((portValue & 0x48) == 0x48) break;
         // see if there is a drive error
         if ((portValue & 0x01) == 0x01) break;
      }
      // check for time out or other error
      if (waitLoop < 1 || portValue & 0x01) continue;
      // read drive id information
      // Each slot is zeroed and then filled by a 2-byte read, so the upper
      // half of every DWORD is expected to stay zero -- presumably GetPortVal
      // writes only the requested width; confirm.
      for (index = 0; index < 256; index++)
      {
         diskdata [index] = 0; // init the space
         GetPortVal (baseAddress, &(diskdata [index]), 2);
      }
// Try to get a handle to PhysicalDrive IOCTL, report failure
// and exit if can't.
// NOTE(review): this is an excerpt -- driveName, controller and
// hScsiDriveIOCTL are declared outside the visible lines, and the block
// opened at the end is not closed here.
// NOTE(review): sprintf is unbounded and driveName's size is not visible;
// confirm the buffer holds the device path for every controller value, or
// format it with a length-limited call.
sprintf (driveName, "\\\\.\\Scsi%d:", controller);
// Windows NT, Windows 2000, any rights should do
// NOTE(review): the handle is requested with both read and write access;
// whether a narrower access mask would satisfy the IOCTL is not shown here.
hScsiDriveIOCTL = CreateFile (driveName,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
OPEN_EXISTING, 0, NULL);
// if (hScsiDriveIOCTL == INVALID_HANDLE_VALUE)
// printf ("Unable to open SCSI controller %d, error code: 0x%lX\n",
// controller, GetLastError ());
// A failed open is skipped silently (the report above is commented out).
// NOTE(review): the matching CloseHandle is not in the visible lines --
// confirm every path out of this block releases the handle.
if (hScsiDriveIOCTL != INVALID_HANDLE_VALUE)
{
   int drive = 0;
// Stores the drive's serial number in the global HardDriveSerialNumber and,
// when PRINTING_TO_CONSOLE_ALLOWED is defined, prints which controller and
// position the drive occupies.
//   drive    - drive index; drive / 2 is the controller, drive % 2 the position
//   diskdata - 256-word identify block for that drive
// NOTE(review): this is an excerpt -- the #ifdef and the function body are
// not closed in the visible lines.
void PrintIdeInfo (int drive, DWORD diskdata [256])
{
   // copy the hard drive serial number to the buffer
   // Words 10..19 decode to at most 20 characters plus the terminator.
   // NOTE(review): strcpy is unbounded and the size of HardDriveSerialNumber
   // is not visible here -- confirm it holds at least 21 bytes.
   strcpy (HardDriveSerialNumber, ConvertToString (diskdata, 10, 19));
#ifdef PRINTING_TO_CONSOLE_ALLOWED
   // No default case: a controller index above 3 prints nothing.
   switch (drive / 2)
   {
      case 0: printf ("\nPrimary Controller - ");
      break;
      case 1: printf ("\nSecondary Controller - ");
      break;
      case 2: printf ("\nTertiary Controller - ");
      break;
      case 3: printf ("\nQuaternary Controller - ");
      break;
   }
   switch (drive % 2)
   {
      case 0: printf ("Master drive\n\n");
      break;
      case 1: printf ("Slave drive\n\n");
      break;
   }
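// Decodes words firstIndex..lastIndex (inclusive) of an identify block into
// ASCII text. Each word carries two characters, high byte first.
//
//   diskdata   - 256-word identify block, one word per DWORD slot
//   firstIndex - first word to decode
//   lastIndex  - last word to decode
//
// Returns a pointer to a static buffer holding the NUL-terminated text with
// trailing blanks removed. The next call overwrites that buffer, so callers
// must copy the text out first; the function is not reentrant.
//
// The indices come from callers and were previously used unchecked: a range
// outside 0..255 read past diskdata, and a range wider than 511 words wrote
// past the 1024-byte buffer. Both are now clamped to the block, which caps
// the output at 512 characters plus the terminator. A null diskdata or an
// empty range yields an empty string.
char *ConvertToString (DWORD diskdata [256], int firstIndex, int lastIndex)
{
   static char string [1024];
   int index = 0;
   int position = 0;

   if (!diskdata)
   {
      string [0] = '\0';
      return string;
   }

   // keep the range inside the 256-word block
   if (firstIndex < 0) firstIndex = 0;
   if (lastIndex > 255) lastIndex = 255;

   // each integer has two characters stored in it backwards
   for (index = firstIndex; index <= lastIndex; index++)
   {
      // get high byte for 1st character; the mask makes the truncation to
      // one byte explicit instead of relying on the cast
      string [position] = (char) ((diskdata [index] >> 8) & 0xFF);
      position++;
      // get low byte for 2nd character
      string [position] = (char) (diskdata [index] & 0xFF);
      position++;
   }

   // end the string
   string [position] = '\0';

   // cut off the trailing blanks (index 0 is left alone, as before)
   for (index = position - 1; index > 0 && ' ' == string [index]; index--)
      string [index] = '\0';

   return string;
}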
// Derives a numeric machine identifier from the first hard drive serial
// number that one of three read methods manages to obtain.
// NOTE(review): this is an excerpt -- p is used without a visible
// declaration (presumably it points at HardDriveSerialNumber), the closing
// brace after the character loop belongs to a block whose opening is not
// shown, and the return statement is not in the visible lines.
// NOTE(review): the serial number is whatever the drive or driver reports,
// and the fold below is lossy, so the result is neither secret nor
// guaranteed unique; treat it as a hint rather than proof of identity.
long getHardDriveComputerID ()
{
   int done = FALSE;
   //char string [1024];
   __int64 id = 0;
   strcpy (HardDriveSerialNumber, "");
   // this works under WinNT4 or Win2K if you have admin rights
   // NOTE(review): these progress messages print unconditionally, while
   // PrintIdeInfo gates its output on PRINTING_TO_CONSOLE_ALLOWED.
   printf("read from ide NT\n");
   done = ReadPhysicalDriveInNT ();
   // this should work in WinNT or Win2K if previous did not work
   // this is kind of a backdoor via the SCSI mini port driver into
   // the IDE drives
   if ( ! done)
   {
      printf("read from scsi NT\n");
      done = ReadIdeDriveAsScsiDriveInNT ();
   }
   // this works under Win9X and calls WINIO.DLL
   if ( ! done)
   {
      printf("read from 9x\n");
      done = ReadDrivePortsInWin9X ();
   }
   // ignore first 5 characters from western digital hard drives if
   // the first four characters are WD-W
   // NOTE(review): only four characters are compared but five are skipped;
   // a serial that is exactly "WD-W" would leave p one byte past the
   // terminator, and the loop would then read whatever follows it.
   if ( ! strncmp (HardDriveSerialNumber, "WD-W", 4)) p += 5;
   // Fold the remaining characters into id: dashes are skipped, every other
   // character multiplies id by 10 and adds 0..35 (digits, then letters
   // case-insensitively); characters with no case add nothing.
   // NOTE(review): per-character values exceed the multiplier, so different
   // serials can give the same id. With the 20-character serial that
   // PrintIdeInfo copies, id can also exceed the signed 64-bit range.
   for ( ; p && *p; p++)
   {
      if ('-' == *p) continue;
      id *= 10;
      switch (*p)
      {
         case '0': id += 0; break;
         case '1': id += 1; break;
         case '2': id += 2; break;
         case '3': id += 3; break;
         case '4': id += 4; break;
         case '5': id += 5; break;
         case '6': id += 6; break;
         case '7': id += 7; break;
         case '8': id += 8; break;
         case '9': id += 9; break;
         case 'a': case 'A': id += 10; break;
         case 'b': case 'B': id += 11; break;
         case 'c': case 'C': id += 12; break;
         case 'd': case 'D': id += 13; break;
         case 'e': case 'E': id += 14; break;
         case 'f': case 'F': id += 15; break;
         case 'g': case 'G': id += 16; break;
         case 'h': case 'H': id += 17; break;
         case 'i': case 'I': id += 18; break;
         case 'j': case 'J': id += 19; break;
         case 'k': case 'K': id += 20; break;
         case 'l': case 'L': id += 21; break;
         case 'm': case 'M': id += 22; break;
         case 'n': case 'N': id += 23; break;
         case 'o': case 'O': id += 24; break;
         case 'p': case 'P': id += 25; break;
         case 'q': case 'Q': id += 26; break;
         case 'r': case 'R': id += 27; break;
         case 's': case 'S': id += 28; break;
         case 't': case 'T': id += 29; break;
         case 'u': case 'U': id += 30; break;
         case 'v': case 'V': id += 31; break;
         case 'w': case 'W': id += 32; break;
         case 'x': case 'X': id += 33; break;
         case 'y': case 'Y': id += 34; break;
         case 'z': case 'Z': id += 35; break;
      }
   }
}
// make sure no bigger than 16^7
// 268435456 is 16^7, so the result is reduced to 28 bits.
if (id > 268435455) id %= 268435456;