Zainteresuj się crackingiem i rootkitami :) Poniższy kod wymaga uprawnień administratora.
#include "stdafx.h"
#include "windows.h"
#include "stdio.h"
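/*
 * Architectural MSR numbers that describe where SYSENTER lands in the kernel
 * (code segment, kernel stack pointer, kernel entry point).  They are passed
 * in MSR_STRUCT::MsrNum to the DebugSysReadMsr command in main().
 *
 * The original declarations had no type (`const IA32_SYSENTER_CS = 0x174;`),
 * which relies on implicit int and is rejected by C++ compilers; an explicit
 * unsigned type matches the DWORD MsrNum field they are assigned to.
 */
const unsigned long IA32_SYSENTER_CS = 0x174;
const unsigned long IA32_SYSENTER_ESP = 0x175;
const unsigned long IA32_SYSENTER_EIP = 0x176;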
/*
 * Input/output buffer for the DebugSysReadMsr / DebugSysWriteMsr commands of
 * ZwSystemDebugControl (used by main()).  The kernel interprets this memory
 * directly, so the field order and sizes must stay exactly as they are.
 *
 * NOTE(review): NotUsed occupies the slot that pads MsrLo/MsrHi up to an
 * 8-byte-aligned offset, i.e. the pair looks like a single 64-bit value to
 * the kernel; the original author states the kernel never touches NotUsed,
 * so it may be left uninitialized.
 */
struct MSR_STRUCT {
DWORD MsrNum; // MSR number (e.g. IA32_SYSENTER_CS); always an input
DWORD NotUsed; // Never accessed by the kernel
DWORD MsrLo; // IN (write) or OUT (read): Low 32 bits of MSR
DWORD MsrHi; // IN (write) or OUT (read): High 32 bits of MSR
};
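/*
 * Command codes accepted by ZwSystemDebugControl (the kernel's SysDbg command
 * class).  Only the numeric values matter to the kernel: the first member is
 * pinned to 14 and the rest follow consecutively, so DebugSysReadMsr == 16
 * and DebugSysWriteMsr == 17.
 *
 * The original `typedef enum DEBUG_CONTROL_CODE { ... };` had a typedef with
 * no declarator (MSVC warning C4091, "ignored on left of ... when no variable
 * is declared").  Naming the typedef removes the warning and makes the
 * identifier a proper type name for the ZWSC prototype that follows.
 */
typedef enum DEBUG_CONTROL_CODE {
    DebugSysReadIoSpace = 14,
    DebugSysWriteIoSpace,   /* 15 */
    DebugSysReadMsr,        /* 16: read a model-specific register (MSR_STRUCT in/out) */
    DebugSysWriteMsr,       /* 17: write a model-specific register (not used here) */
    DebugSysReadBusData,    /* 18 */
    DebugSysWriteBusData    /* 19 */
} DEBUG_CONTROL_CODE;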
/*
 * Prototype of ntdll!ZwSystemDebugControl, which main() resolves at run time
 * with GetProcAddress instead of linking against it.  The real return type is
 * NTSTATUS (a 32-bit signed value); 0 is STATUS_SUCCESS, which is why the
 * callers below test `!ZwSystemDebugControl(...)`.  __stdcall is the NTAPI
 * convention on 32-bit x86; this code is 32-bit only.
 *
 * NOTE(review): the call needs SeDebugPrivilege, and newer Windows releases
 * reportedly reject the MSR commands from user mode unless the machine was
 * booted with kernel debugging enabled, so a non-zero status is the normal
 * outcome there.
 */
typedef int(__stdcall *ZWSC)(
DEBUG_CONTROL_CODE ControlCode,  /* which DebugSys* command to run */
PVOID InputBuffer,               /* MSR commands: pointer to an MSR_STRUCT */
ULONG InputBufferLength,         /* sizeof(MSR_STRUCT) for the MSR commands */
PVOID OutputBuffer,              /* not used by the reads in main() (0 is passed) */
ULONG OutputBufferLength,ULONG* ReturnLength);  /* likewise 0 / NULL in main() */
/* Global function pointer; NULL until main() resolves it from ntdll.dll. */
ZWSC ZwSystemDebugControl;
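/*
 * Enable SeDebugPrivilege on the current process token.
 *
 * Returns TRUE when the privilege is now enabled.  AdjustTokenPrivileges
 * reports success even when it could not enable everything (the privilege is
 * simply absent from a non-administrator token), so GetLastError() must also
 * be compared against ERROR_NOT_ALL_ASSIGNED.  The token handle is closed on
 * every path.
 */
static BOOL enable_debug_privilege(void)
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tp;
    BOOL ok = FALSE;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return FALSE;
    if (LookupPrivilegeValue(0, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) {
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        ok = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL)
             && GetLastError() != ERROR_NOT_ALL_ASSIGNED;
    }
    CloseHandle(hToken);
    return ok;
}

/*
 * Read one MSR through ZwSystemDebugControl(DebugSysReadMsr).
 *
 * @param msr_num  MSR number to read (e.g. IA32_SYSENTER_CS).
 * @param lo, hi   receive the low / high 32 bits of the MSR on success only.
 * @return the NTSTATUS from the kernel; 0 (STATUS_SUCCESS) means *lo/*hi are valid.
 *
 * ZwSystemDebugControl must already have been resolved by the caller.
 */
static int read_msr(DWORD msr_num, DWORD *lo, DWORD *hi)
{
    MSR_STRUCT msr = {0};
    int status;

    msr.MsrNum = msr_num;
    status = ZwSystemDebugControl(DebugSysReadMsr, &msr, sizeof(MSR_STRUCT), 0, 0, 0);
    if (status == 0) {
        *lo = msr.MsrLo;
        *hi = msr.MsrHi;
    }
    return status;
}

/*
 * Print the low 32 bits of IA32_SYSENTER_CS/ESP/EIP as read through
 * ntdll!ZwSystemDebugControl.  Requires an administrator token (for
 * SeDebugPrivilege) and a kernel that still honours the MSR commands.
 *
 * Returns 0 when every MSR was read, 1 when ntdll could not be resolved or
 * any read failed.  Failures are reported on stderr with the NTSTATUS so the
 * user can tell a missing privilege from a kernel that refuses the command;
 * the original silently skipped failed reads and used printf's return value
 * as the exit code when ntdll was missing.
 */
int main()
{
    static const struct { DWORD num; const char *name; } regs[] = {
        { IA32_SYSENTER_CS,  "IA32_SYSENTER_CS"  },
        { IA32_SYSENTER_ESP, "IA32_SYSENTER_ESP" },
        { IA32_SYSENTER_EIP, "IA32_SYSENTER_EIP" },
    };
    size_t i;
    int failures = 0;

    /* Not fatal on its own: the kernel decides on the call itself, so just
     * warn and let the per-MSR status explain the outcome. */
    if (!enable_debug_privilege())
        fprintf(stderr, "warning: could not enable SeDebugPrivilege (run as administrator); reads will likely be denied\n");

    /* GetModuleHandleA: the module name is a narrow literal, so use the
     * ANSI entry point explicitly rather than depending on UNICODE being unset. */
    ZwSystemDebugControl = (ZWSC)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwSystemDebugControl");
    if (!ZwSystemDebugControl) {
        fprintf(stderr, "ntdll required\n");
        return 1;
    }

    for (i = 0; i < sizeof regs / sizeof regs[0]; i++) {
        DWORD lo = 0, hi = 0;
        int status = read_msr(regs[i].num, &lo, &hi);
        if (status == 0) {
            /* Same output as before: the low half only, %lX because DWORD is unsigned long. */
            printf("%s: %lX\n", regs[i].name, (unsigned long)lo);
        } else {
            fprintf(stderr, "%s: read failed, NTSTATUS 0x%08lX\n", regs[i].name, (unsigned long)status);
            failures++;
        }
    }
    return failures ? 1 : 0;
}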