#include <windows.h>
#include <stdio.h>
  4.  
  5. #pragma pack(1)
  6.  
/*
 * CALL_GATE: an 8-byte x86 call-gate descriptor laid out byte for byte the
 * way the CPU reads it out of the GDT.  sizeof must stay 8 (the #pragma
 * pack(1) above keeps it that way).  main() fills one with
 * {lo16(addr), 8, 1, 0, 12, 3, 1, hi16(addr)}.
 *
 * NOTE(review): bit-field allocation order is compiler-specific; this relies
 * on MSVC packing arg/u into byte 4 and typ/dpl/pres into byte 5, low bit first.
 */
struct CALL_GATE {
    WORD addrlo;   // target offset, bits 15:0
    WORD seg;      // target code-segment selector (main() uses 8, the ring-0 code selector on 32-bit Windows)
    BYTE arg:5;    // number of 32-bit parameters the CPU copies from the caller's stack to the new one
    BYTE u:3;      // reserved, must be 0
    BYTE typ:5;    // descriptor type with the S bit on top: 12 = 0b01100 -> S=0 (system), type 0xC = 32-bit call gate
    BYTE dpl:2;    // descriptor privilege level; 3 allows ring-3 code to call through the gate
    BYTE pres:1;   // present bit; main() looks for entries with P=0 to find a free GDT slot
    WORD addrhi;   // target offset, bits 31:16
} ;
  8.  
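/*
 * Virtual(a, b, c, d): read or write kernel virtual memory via NtSystemDebugControl.
 *   a - kernel virtual address (cast to void*)
 *   b - user-mode buffer to read into / write from
 *   c - byte count
 *   d - SYSDBG_COMMAND value: 8 = SysDbgReadVirtual, 9 = SysDbgWriteVirtual
 * The local struct mirrors the SYSDBG_VIRTUAL layout the call expects
 * (Address, Buffer, Request).  The macro expands in place and therefore relies
 * on `hr` and the `NtSystemDebugControl` function pointer being declared in
 * the calling scope; the NTSTATUS result lands in `hr` (negative = failure),
 * which callers should check before acting on the buffer.
 * Wrapped in do/while(0) so it behaves as one statement, and every argument
 * is parenthesized so expressions such as `base + gate*8` expand safely.
 */
#define Virtual(a,b,c,d) do { struct VIRTUAL{void* A;void* B;DWORD C;}; VIRTUAL v={(void*)(a),(b),(c)}; hr=NtSystemDebugControl((d),&v,sizeof(v),0,0,0); } while (0)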
  10.  
  11.  
/*
 * Ring0: the code that runs at CPL 0 once main() far-calls the call gate it
 * installed.  The gate is a 32-bit call gate with a parameter count of 1, so
 * on entry the new stack holds [EIP][CS][copied parameter], which cdecl sees as:
 *   cs   - the caller's CS saved by the gate transition (unused)
 *   text - the one parameter copied across: the user-mode char* that main()
 *          passes by address.  A string-literal address is stored through it
 *          so main() can print it after the return.
 * Leaves CR0 in EAX; reading CR0 faults at CPL 3, so a value coming back is
 * the proof of ring 0.  The hand-written epilogue replaces the compiler's:
 * `leave` assumes the usual push ebp / mov ebp,esp prologue was emitted, and
 * `retf 4` does the inter-privilege far return, discarding the 4-byte
 * parameter on both the kernel and the user stack.  The compiler-generated
 * `ret` after the asm is never reached.
 * NOTE(review): fragile by design - assumes no frame-pointer omission and no
 * callee-saved registers the caller depends on; and it executes a user-mode
 * page at ring 0, which an SMEP-capable CPU/kernel would fault on.
 */
void Ring0( DWORD cs, char*& text ) {
// Write the result through the copied parameter; main() prints it later.
text = "Hello World from Ring 0 \n";
__asm mov eax,cr0
__asm leave
__asm retf 4
}
  18.  
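/*
 * Demonstrates a ring-3 -> ring-0 transition on 32-bit Windows: copies CPU 0's
 * GDT out through NtSystemDebugControl(SysDbgReadVirtual), writes a DPL-3 call
 * gate pointing at Ring0 into a free entry, far-calls it, then clears the entry.
 * Requires SeDebugPrivilege, i.e. an elevated/admin token.
 * NOTE(review): the virtual read/write commands of NtSystemDebugControl are
 * reachable from user mode only on older kernels (XP/2003 era); later versions
 * refuse them unless a kernel debugger is attached - confirm the target.
 * Returns 0 on success, 1 when a preparatory step fails; nothing is written
 * to the GDT unless every prior step succeeded.
 */
int main() {
    int hr = 0;   // NTSTATUS from the Virtual() macro; negative means failure

    // NtSystemDebugControl is an undocumented ntdll export, so resolve it by hand.
    typedef LONG (NTAPI *NtSystemDebugControl_t)(int,void*,DWORD,void*,DWORD,DWORD*);
    NtSystemDebugControl_t NtSystemDebugControl =
        (NtSystemDebugControl_t)GetProcAddress(GetModuleHandle("ntdll"), "NtSystemDebugControl");
    if (!NtSystemDebugControl) {
        printf("NtSystemDebugControl not found: %lu\n", GetLastError());
        return 1;
    }

    // SeDebugPrivilege is what lets the virtual-memory commands through.
    // Only adjust/query rights are needed on the token, and AdjustTokenPrivileges
    // succeeds even when the privilege is not held: ERROR_NOT_ALL_ASSIGNED tells.
    HANDLE t = 0;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &t)) {
        printf("OpenProcessToken failed: %lu\n", GetLastError());
        return 1;
    }
    TOKEN_PRIVILEGES pv = {1};
    pv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    BOOL privOk = LookupPrivilegeValue(0, SE_DEBUG_NAME, &pv.Privileges[0].Luid)
               && AdjustTokenPrivileges(t, FALSE, &pv, 0, 0, 0)
               && GetLastError() == ERROR_SUCCESS;
    CloseHandle(t);
    if (!privOk) {
        printf("SeDebugPrivilege could not be enabled (run elevated): %lu\n", GetLastError());
        return 1;
    }

    // The GDT is per-CPU: pin to CPU 0 so sgdt, the gate write and the far call
    // all happen on the same processor.  Sleep gives the scheduler a chance to
    // actually migrate the thread before sgdt runs.
    if (!SetThreadAffinityMask(GetCurrentThread(), 1)) {
        printf("SetThreadAffinityMask failed: %lu\n", GetLastError());
        return 1;
    }
    Sleep(100);

    // Locate the GDT.  sgdt is unprivileged so it works from ring 3; the struct
    // must be 6 bytes with base at offset 2, which the file's #pragma pack(1) ensures.
    struct { WORD limit; DWORD base; } gdtr = {0};
    __asm sgdt gdtr

    // Copy the whole GDT into a local buffer.  limit is the last valid byte
    // offset, so limit+1 bytes must fit or the read would overrun the stack.
    LDT_ENTRY gdt[1000] = {0};
    DWORD gdtBytes = (DWORD)gdtr.limit + 1;
    if (gdtBytes > sizeof gdt) {
        printf("GDT too large: %lu bytes\n", (unsigned long)gdtBytes);
        return 1;
    }
    Virtual(gdtr.base, gdt, gdtBytes, 8);
    if (hr < 0) {
        printf("SysDbgReadVirtual failed: %08X\n", (unsigned)hr);
        return 1;
    }

    // Find a not-present descriptor to reuse: skip the null descriptor at index 0
    // and stay inside the GDT limit.  Bail out if nothing is free instead of
    // overwriting an arbitrary entry.
    DWORD entries = gdtBytes / 8;
    DWORD gate = 0;
    for (DWORD i = 1; i < entries; i++) {
        if (!gdt[i].HighWord.Bits.Pres) { gate = i; break; }
    }
    if (gate == 0) {
        printf("No free GDT entry found\n");
        return 1;
    }

    // Build a present, DPL-3, 32-bit call gate (type 0xC) into code selector 8
    // targeting Ring0 with one 4-byte parameter copied across, and write it
    // over the free slot.  From here on a ring-0 door exists until cleanup.
    DWORD addr = (DWORD)Ring0;
    CALL_GATE g = { (WORD)(addr & 0xffff), 8, 1, 0, 12, 3, 1, (WORD)(addr >> 16) };
    Virtual(gdtr.base + gate * 8, &g, sizeof g, 9);
    if (hr < 0) {
        printf("SysDbgWriteVirtual failed: %08X\n", (unsigned)hr);
        return 1;
    }

    // Far pointer for `call fword ptr`: 32-bit offset (ignored for a call gate)
    // followed by the 16-bit selector gate<<3 (TI=0 -> GDT, RPL=0).
    WORD farcall[3] = { 0, 0, (WORD)(gate << 3) };
    char *param = 0, **p = &param;
    long result = 0;

    // The privilege switch is an ordinary far call through the gate.  The CPU
    // copies the pushed argument (p) to the kernel stack and Ring0's `retf 4`
    // releases it on both stacks, so no stack adjustment is needed here.  If
    // this faults the process dies with the gate still installed.
    __asm push p
    __asm call fword ptr [farcall]
    __asm mov result, eax

    // Remove the gate so it does not stay behind as a permanent ring-0 door.
    __int64 c = 0;
    Virtual(gdtr.base + gate * 8, &c, sizeof c, 9);
    if (hr < 0) {
        printf("Warning: could not clear GDT entry %lu: %08X\n", (unsigned long)gate, (unsigned)hr);
    }

    printf("\n %s\n CR0 = %lX ", param ? param : "(null)", result);
    getchar();

    return 0;
}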