这里有个小程序hdsn32.asm,是我2000年写的,在win9x下读取硬盘的序列号,它利用了类似CIH病毒的办法获得ring0权限,在win2000下不能运行.
;hdsn32.asm
.386
.modelflat,stdcall;32bitmemorymodel
optioncasemap:none;casesensitive

includemasm32includewindows.inc
includeMASM32INCLUDEshell32.inc
includeMASM32INCLUDEmasm32.inc
includemasm32includeuser32.inc
includemasm32includekernel32.inc

includelibMASM32LIBshell32.lib
includelibMASM32LIBmasm32.lib
includelibmasm32libuser32.lib
includelibmasm32libkernel32.lib

.data

IDTRdf0;ThiswillreceivethecontentsoftheIDTR
;register

SavedGatedq0;Wesavethegatewereplaceinhere

OurGatedw0;Offsetlow-orderword
dw028h;Segmentselector
dw0EE00h;
dw0;Offsethigh-orderword
BUFF1DW256DUP(20H)
hdsn_1db'硬盘C序列号:',0DH,0AH
hdsn_2db256dup(0)
hdsn_3db20dup(0)
szCaptiondb'hdsn32v1.0forwin9x山东海化集团盛玉增编制2000.12.21',0
name_bufferdb'hdsn.bin',0

.data?
hFileHANDLE?
SizeReadWriteDWORD?

.code
Start:
moveax,offsetRing0Proc
mov[OurGate],ax;Puttheoffsetwords
shreax,16;intoourdescriptor
mov[OurGate+6],ax

sidtfwordptrIDTR
movebx,dwordptr[IDTR+2];loadIDTBaseAddress
addebx,8*3;Addressofint3descriptorinebx

movedi,offsetSavedGate
movesi,ebx
movsd;Savetheolddescriptor
movsd;intoSavedGate

movedi,ebx
movesi,offsetOurGate
movsd;Replacetheoldhandler
movsd;withournewone

int3h;Triggertheexception,thus
;passingcontroltoourRing0
;procedure

movedi,ebx
movesi,offsetSavedGate
movsd
本篇文章来源于 黑基网-中国最大的网络安全站点 原文链接：http://www.hackbase.com/lib/2006-01-03/11360.html