Alikberov/main.cpp

## main.cpp
#include "stdafx.h"

#define	_At_
#define	_Out_
#define	_In_
#define	_In_opt_
#define	_Out_
#define	_Out_opt_
#define	_Inout_
#define	_Inout_opt_
#define _Inout_updates_opt_(x)
#define MEM_EXTENDED_PARAMETER_TYPE_BITS    8
#define FILE_SEQUENTIAL_ONLY 0x00000004
#define PROCESS_CREATE_FLAGS_BREAKAWAY 0x00000001

typedef struct MEM_EXTENDED_PARAMETER {
  struct {
    DWORD64 Type : MEM_EXTENDED_PARAMETER_TYPE_BITS;
    DWORD64 Reserved : 64 - MEM_EXTENDED_PARAMETER_TYPE_BITS;
  } DUMMYSTRUCTNAME;
  union {
    DWORD64 ULong64;
    PVOID   Pointer;
    SIZE_T  Size;
    HANDLE  Handle;
    DWORD   ULong;
  } DUMMYUNIONNAME;
} MEM_EXTENDED_PARAMETER, *PMEM_EXTENDED_PARAMETER;

//typedef DWORD NTSTATUS;
typedef DWORD ULONG_PTR;
typedef struct _IO_STATUS_BLOCK {
  union {
    NTSTATUS Status;
    PVOID    Pointer;
  } DUMMYUNIONNAME;
  ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef HANDLE (NTAPI *fpNtCurrentProcess)(void);

//_Must_inspect_result_
//__kernel_entry NTSYSCALLAPI
typedef NTSTATUS (NTAPI *fpNtCreateSection) (
    _Out_ PHANDLE SectionHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_opt_ PLARGE_INTEGER MaximumSize,
    _In_ ULONG SectionPageProtection,
    _In_ ULONG AllocationAttributes,
    _In_opt_ HANDLE FileHandle
    );

typedef void(NTAPI *fpRtlInitUnicodeString)(
  PUNICODE_STRING DestinationString,
  PCWSTR          SourceString
);
typedef
//NTSYSAPI
NTSTATUS
(NTAPI
*fpNtCreateFile)(
  OUT PHANDLE             FileHandle,
  IN ACCESS_MASK          DesiredAccess,
  IN POBJECT_ATTRIBUTES   ObjectAttributes,
  OUT PIO_STATUS_BLOCK    IoStatusBlock,
  IN PLARGE_INTEGER       AllocationSize OPTIONAL,
  IN ULONG                FileAttributes,
  IN ULONG                ShareAccess,
  IN ULONG                CreateDisposition,
  IN ULONG                CreateOptions,
  IN PVOID                EaBuffer OPTIONAL,
  IN ULONG                EaLength );
//__kernel_entry NTSYSCALLAPI
typedef NTSTATUS (NTAPI *fpNtOpenFile) (
    _Out_ PHANDLE FileHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
    _In_ ULONG ShareAccess,
    _In_ ULONG OpenOptions
    );

typedef NTSYSAPI NTSTATUS (NTAPI *fpNtMapViewOfSection) (
    _In_ HANDLE SectionHandle,
    _In_ HANDLE ProcessHandle,
    _Inout_ _At_ PVOID *BaseAddress,
    _Inout_opt_ PLARGE_INTEGER SectionOffset,
    _Inout_ PSIZE_T ViewSize,
    _In_ ULONG AllocationType,
    _In_ ULONG Win32Protect,
    _Inout_updates_opt_(ParameterCount) MEM_EXTENDED_PARAMETER* Parameters,
    _In_ ULONG ParameterCount
);

typedef NTSTATUS(NTAPI *fpNtCreateProcess)
(
    OUT PHANDLE     ProcessHandle,
    IN ACCESS_MASK  DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes  OPTIONAL,
    IN HANDLE   ParentProcess,
    IN ULONG    Flags,
    IN HANDLE SectionHandle     OPTIONAL,
    IN HANDLE DebugPort     OPTIONAL,
    IN HANDLE ExceptionPort     OPTIONAL
);
fpRtlInitUnicodeString RtlInitUnicodeString;
fpNtCreateFile NtCreateFile;
fpNtCurrentProcess NtCurrentProcess;
fpNtCreateSection NtCreateSection;
fpNtOpenFile NtOpenFile;
fpNtMapViewOfSection NtMapViewOfSection;
fpNtCreateProcess NtCreateProcess;
/*
NTSTATUS NTAPI
 NtCreateProcessEx(OUT PHANDLE ProcessHandle,
                   IN ACCESS_MASK DesiredAccess,
                   IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
                   IN HANDLE ParentProcess,
                   IN ULONG Flags,
                   IN HANDLE SectionHandle OPTIONAL,
                   IN HANDLE DebugPort OPTIONAL,
                   IN HANDLE ExceptionPort OPTIONAL,
                   IN BOOLEAN InJob);
*/
// Macro-Codes of instructions
//////////////////////////////
#define	X86_HLT		0xF4	// hlt
#define	X86_INT		0xCD	// int
#define	X86_CLI		0xFA	// cli
#define	X86_STI		0xFB	// sti
#define	X86_ES		0x26	// es:
#define	X86_CS		0x2E	// cs:
#define	X86_SS		0x36	// ss:
#define	X86_DS		0x3E	// ds:
#define	X86_FS		0x64	// fs:
#define	X86_GS		0x65	// gs:
#define	X86_D16		0x66	// Data Override
#define	X86_LOCK	0xF0	// lock
#define	X86_REPNE	0xF2	// repne
#define	X86_REP		0xF3	// rep/repe
#define	X86_INSB	0x6C	// insb
#define	X86_INSD	0x6D	// insd/insw
#define	X86_OUTSB	0x6E	// outsb
#define	X86_OUTSD	0x6F	// outsd/outsw
#define	X86_IN_ALI	0xE4	// in al,i8
#define	X86_IN_AXI	0xE5	// in (e)ax,i8
#define	X86_OUT_ALI	0xE6	// out i8,al
#define	X86_OUT_AXI	0xE7	// out i8,(e)ax
#define	X86_IN_AL	0xEC	// in al,dx
#define	X86_IN_AX	0xED	// in (e)ax,dx
#define	X86_OUT_AL	0xEE	// out dx,al
#define	X86_OUT_AX	0xEF	// out dx,(e)ax

// Flags of x86-instructions
//////////////////////////////
#define	X86_USE_IM8	0x0001	// immediate byte
#define	X86_USE_D16	0x0002	// 2 bytes
#define	X86_USE_OUT	0x0004	// out/outs
#define	X86_USE_D8	0x0008	// 8 bits
#define	X86_USE_EAX	0x0010	// accumulator
#define	X86_USE_ECX	0x0020	// ecx as loop conter
#define	X86_USE_EDX	0x0040	// edx as port index
#define	X86_USE_EBX	0x0080	// ebx
#define	X86_USE_ESP	0x0100	// esp
#define	X86_USE_EBP	0x0200	// ebp
#define	X86_USE_ESI	0x0400	// esi as source
#define	X86_USE_EDI	0x0800	// edi as destination
#define	X86_USE_BUS	0x1000	// lock-prefix

DWORD	nPorts = 0;			// Number of accessable ports

///////////////////////////////////////////////////////////////////////
// DisplayError
// Displays the error number and corresponding message.
///////////////////////////////////////////////////////////////////////
void DisplayError(char *pszAPI) {
	LPVOID lpvMessageBuffer;
	CHAR szPrintBuffer[512];
	DWORD nCharsWritten;
	DWORD	idError = GetLastError();

	if(!idError)
		return;

	FormatMessage(
		FORMAT_MESSAGE_ALLOCATE_BUFFER|FORMAT_MESSAGE_FROM_SYSTEM,
		NULL, idError,
		MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
		(LPTSTR)&lpvMessageBuffer, 0, NULL);

	wsprintf(szPrintBuffer,
		"ERROR:\r\n"
		"\tAPI = %s\r\n"
		"\tCode: %d\r\n"
		"\tHint: %s",
		pszAPI, idError, (char *)lpvMessageBuffer);
	LocalFree(lpvMessageBuffer);

	WriteConsole(GetStdHandle(STD_OUTPUT_HANDLE),szPrintBuffer,
		lstrlen(szPrintBuffer),&nCharsWritten,NULL);
	MessageBox(NULL, szPrintBuffer, "", MB_OK);
	ExitProcess(idError);
}

LONG WINAPI	x86_cmd_show(_EXCEPTION_POINTERS *ep, DWORD sel, int d8, DWORD usage) {
	int		j;
	char	cmd[32][16] = {
		"INSB",
		"INSD",
		"OUTSB",
		"OUTSD",
		"IN AL,%3d",
		"IN EAX,%3d",
		"OUT %3d,AL",
		"OUT %3d,EAX",
		"---",
		"HLT",
		"CLI",
		"STI",
		"IN AL,EDX",
		"IN EAX,EDX",
		"OUT EDX,AL",
		"OUT EDX,EAX",
		"INSB",
		"INSW",
		"OUTSB",
		"OUTSW",
		"IN AL,%3d",
		"IN AX,%3d",
		"OUT %3d,AL",
		"OUT %3d,AX",
		"---",
		"HLT",
		"CLI",
		"STI",
		"IN AL,EDX",
		"IN AX,EDX",
		"OUT EDX,AL",
		"OUT EDX,AX"
	};
	char	str[16][16] = {
		"---",
		"---",
		"CS:",
		"DS:",
		"ES:",
		"FS:",
		"GS:",
		"SS:",
		"---",
		"---",
		"---",
		"---",
		"LOCK ",
		"---",
		"REPE ",
		"REPNE "
	};
	if(sel != 0 || (sel & 0xF) != 8) {
	//if(0xEC == *ic) {
		DWORD port = ep->ContextRecord->Edx;
		DWORD ticks;
		DWORD static delta = 0;
		DWORD static max = 0;
		DWORD static reset = 0;
		DWORD reseter = 100;
		_asm rdtsc;
		_asm mov ticks,eax;
		printf("%08X %08X ", ep->ExceptionRecord->ExceptionAddress, sel);
		if(d8 >= 0)
			printf("%02X|", d8);
		else
			printf("  |");
		j = 4;
		while(((sel >> j) & 0xF) > 0 && j < 32) {
			printf(str[(sel >> j) & 0x0F]);
			j += 4;
		}
		if(usage & X86_USE_ECX)
			printf("(ECX) ");
		if(usage & X86_USE_EAX) {					// port in/out
			if(usage & X86_USE_OUT) {				// port output
				printf("OUT ");
				if(usage & X86_USE_EDX)
					printf("EDX,");
				else
					printf("%02X,", d8);
				if(usage & X86_USE_D8)
					printf("AL");
				else
				if(usage & X86_USE_D16)
					printf("AX");
				else
					printf("EAX");
			} else {								// port input
				printf("IN  ");
				if(usage & X86_USE_D8)
					printf(" AL");
				else
				if(usage & X86_USE_D16)
					printf(" AX");
				else
					printf("EAX");
				if(usage & X86_USE_EDX)
					printf(",EDX");
				else
					printf(",%02X", d8);
			}
		} else
		if(usage & X86_USE_EDX) {
			if(usage & X86_USE_ESI)
				printf("OUTS");
			else
				printf("INS");
			if(usage & X86_USE_D8)
				printf("B");
			else
			if(usage & X86_USE_D16)
				printf("W");
			else
				printf("D");
		} else
			printf(cmd[sel & 0xF]);
		if((sel & 0xF) == 0x9 && !(usage & X86_USE_IM8)) {
			if(reseter < reset ++)
				reset = 0,
				max = 0;
			if(max < ep->ContextRecord->Eax - delta)
				max = ep->ContextRecord->Eax - delta;
			printf("\t %9d > %9d ticks", max, ep->ContextRecord->Eax - delta);
		}
		printf("\r\n\t");
		if(usage & X86_USE_EAX)
			printf("EAX:%08X ", ep->ContextRecord->Eax);
		if(usage & X86_USE_ECX)
			printf("ECX:%08X ", ep->ContextRecord->Ecx);
		if(usage & X86_USE_EDX)
			printf("EDX:%08X ", ep->ContextRecord->Edx);
		if(usage & X86_USE_ESI)
			printf("ESI:%08X ", ep->ContextRecord->Esi);
		if(usage & X86_USE_EDI)
			printf("EDI:%08X ", ep->ContextRecord->Edi);
		printf("\r\n");
		_asm rdtsc;
		_asm sub eax,ticks;
		_asm mov delta,eax;
		//printf("%08X %02X|IN AL,DX ; Port #%04X is bad; Ports available - %d\r", ea, *ic, port, nPorts);
		return EXCEPTION_CONTINUE_EXECUTION;
	}
	return EXCEPTION_EXECUTE_HANDLER;
}

LONG WINAPI TopLevelExceptionFilter(_EXCEPTION_POINTERS *ep) {
	DWORD ea = (DWORD)ep->ExceptionRecord->ExceptionAddress;
	BYTE *ic = (BYTE *)ea;
	DWORD	sel = 0;
	BYTE	cc;
	int		d8 = -1;
	DWORD	i = 0;
	bool	d16 = false;
	DWORD	usage = 0;
	do {
		cc = *(BYTE *)(ea + i ++);
		printf("%02X ", cc);
		switch(cc) {
		// Parse for prefixes
		case X86_D16:
			usage |= X86_USE_D16;
			d16 = true;
			continue;
		case X86_CS:
			sel |= 0x2 << (i << 2);
			continue;
		case X86_DS:
			sel |= 0x3 << (i << 2);
			continue;
		case X86_ES:
			sel |= 0x4 << (i << 2);
			continue;
		case X86_FS:
			sel |= 0x5 << (i << 2);
			continue;
		case X86_GS:
			sel |= 0x6 << (i << 2);
			continue;
		case X86_SS:
			sel |= 0x7 << (i << 2);
			continue;
		case X86_LOCK:
			usage |= X86_USE_BUS;
			sel |= 0xC << (i << 2);
			continue;
		case X86_REPNE:
			usage |= X86_USE_ECX;
			sel |= 0xF << (i << 2);
			continue;
		case X86_REP:
			usage |= X86_USE_ECX;
			sel |= 0xE << (i << 2);
			continue;
		// Parse for  instruction
		case X86_INSB:				// 0x0
			usage |= X86_USE_EDI;
			sel |= (cc & 0x3);
			break;
		case X86_INSD:				// 0x1
			usage |= X86_USE_EDI;
			sel |= (cc & 0x3);
			break;
		case X86_OUTSB:				// 0x2
			usage |= X86_USE_ESI | X86_USE_OUT | X86_USE_D8;
			sel |= (cc & 0x3);
			break;
		case X86_OUTSD:				// 0x3
			usage |= X86_USE_ESI | X86_USE_OUT;
			sel |= (cc & 0x3);
			break;
		case X86_IN_ALI:				// 0x4
			usage |= X86_USE_EAX | X86_USE_IM8 | X86_USE_D8;
			d8 = *(BYTE *)(ea + i ++);
			sel |= (cc & 0xF);
			cc = 0;
			break;
		case X86_IN_AXI:				// 0x5
			usage |= X86_USE_EAX | X86_USE_IM8;
			d8 = *(BYTE *)(ea + i ++);
			sel |= (cc & 0xF);
			cc = 0;
			break;
		case X86_OUT_ALI:			// 0x6
			usage |= X86_USE_EAX | X86_USE_IM8 | X86_USE_OUT | X86_USE_D8;
			d8 = *(BYTE *)(ea + i ++);
			sel |= (cc & 0xF);
			cc = 0;
			break;
		case X86_OUT_AXI:			// 0x7
			usage |= X86_USE_EAX | X86_USE_IM8 | X86_USE_OUT;
			d8 = *(BYTE *)(ea + i ++);
			sel |= (cc & 0xF);
			cc = 0;
			break;
		case X86_CLI:				// 0xA
			sel |= (cc & 0xF);
			cc = 0;
			break;
		case X86_STI:				// 0xB
			sel |= (cc & 0xF);
			cc = 0;
			break;
		case X86_IN_AL:				// 0xC
			usage |= X86_USE_EAX | X86_USE_EDX | X86_USE_D8;
			sel |= (cc & 0xF);
			cc = 0;
			break;
		case X86_IN_AX:				// 0xD
			usage |= X86_USE_EAX | X86_USE_EDX;
			sel |= (cc & 0xF);
			cc = 0;
			break;
		case X86_OUT_AL:			// 0xE
			usage |= X86_USE_EAX | X86_USE_EDX | X86_USE_OUT | X86_USE_D8;
			sel |= (cc & 0xF);
			cc = 0;
			break;
		case X86_OUT_AX:			// 0xF
			usage |= X86_USE_EAX | X86_USE_EDX | X86_USE_OUT;
			sel |= (cc & 0xF);
			cc = 0;
			break;
		case X86_INT:				// 0x9
			usage |= X86_USE_IM8;
			d8 = *(BYTE *)(ea + i ++);
		case X86_HLT:				// 0x9
			sel |= 9;
		default:
			sel |= 8;
			cc = 0;
			break;
		}
	} while(cc);
		ep->ContextRecord->Eip += i;
		ep->ContextRecord->EFlags |= 1 << 11; // Overflow Flags
		ep->ExceptionRecord->ExceptionAddress = (void *)(ea + i);
	return x86_cmd_show(ep, sel, d8, usage);
}

void	LoadApplication(HANDLE File, int h) {
/*	ObjAttr.Length = sizeof OBJECT_ATTRIBUTES;
	ObjAttr.RootDirectory = 0;
	ObjAttr.ObjectName = 0;*/
//	NtOpenFile(&hFile, FILE_ALL_ACCESS, &ofs, &StatusBlock, FILE_SHARE_READ|FILE_SHARE_WRITE, FILE_SEQUENTIAL_ONLY);
//	printf("%08X:hFile\r\n", hFile);
	OBJECT_ATTRIBUTES ObjAttr;
	IO_STATUS_BLOCK StatusBlock;
	HANDLE	hSection;
	HANDLE	hProcess;
	PVOID	ImageBaseAddr;
	SIZE_T	ViewSize;
	HANDLE	hFile;
	OBJECT_ATTRIBUTES ofs;
	UNICODE_STRING dn;
	IO_STATUS_BLOCK State;
	DWORD	Error;
	//
	ZeroMemory(&State,sizeof(IO_STATUS_BLOCK));
	WCHAR	*ch1 = L"\\??\\C:\\test.bat";
	RtlInitUnicodeString(&dn, ch1);
	InitializeObjectAttributes(&ofs, &dn, 0, 0, 0);
	//
	Error = NtCreateFile(&hFile,PAGE_EXECUTE/*|GENERIC_WRITE|GENERIC_READ|GENERIC_EXECUTE*0*/,&ofs, &State,0,FILE_ATTRIBUTE_NORMAL,0,0/*FILE_SUPERSEDE*/,0,0,0);
	printf("%08X %08X:hFile\r\n", Error, hFile);
	Error = NtCreateSection(&hSection, SECTION_ALL_ACCESS, &ofs, NULL, PAGE_EXECUTE_READWRITE, SEC_IMAGE|SEC_FILE|SEC_COMMIT, &hFile);
	printf("%08X %08X:hSection\r\n", Error, hSection);
	Error = NtMapViewOfSection(hSection, (void *)-1, &ImageBaseAddr, NULL, &ViewSize, 0, PAGE_EXECUTE_READWRITE, NULL, 0);
	printf("%08X %08X:ImageBaseAddr\r\n", Error, ImageBaseAddr);
	Error = NtCreateProcess(&hProcess, PROCESS_ALL_ACCESS, NULL, (void *)-1, PROCESS_CREATE_FLAGS_BREAKAWAY, hSection, NULL, NULL);
	printf("%08X %08X:hProcess\r\n", Error, hProcess);
	// NtCreateThread(&hThread, THREAD_ALL_ACCESS, NULL, hProcess, &ClientId, &ThreadContext, &InitialTeb, TRUE);
	// NtCreateThreadEx(&hThread, THREAD_ALL_ACCESS, NULL, hProcess, (PUSER_THREAD_START_ROUTINE)Foo, (PVOID)Param1(), THREAD_CREATE_FLAGS_CREATE_SUSPENDED, 0, 0, 0, NULL);
}
void	Loader(void) {
	HMODULE	hNtDll = LoadLibrary("ntdll.dll");
	HMODULE	hKernel = LoadLibrary("kernel.dll");
	RtlInitUnicodeString = (fpRtlInitUnicodeString)GetProcAddress(hNtDll, "RtlInitUnicodeString");
	printf("%08X:RtlInitUnicodeString\r\n", RtlInitUnicodeString);
	NtCreateFile = (fpNtCreateFile)GetProcAddress(hNtDll, "NtCreateFile");
	printf("%08X:NtCreateFile\r\n", NtCreateFile);
	NtOpenFile = (fpNtOpenFile)GetProcAddress(hNtDll, "NtOpenFile");
	printf("%08X:NtOpenFile\r\n", NtOpenFile);
	NtCreateSection = (fpNtCreateSection)GetProcAddress(hNtDll, "NtCreateSection");
	printf("%08X:NtCreateSection\r\n", NtCreateSection);
	NtMapViewOfSection = (fpNtMapViewOfSection)GetProcAddress(hNtDll, "NtMapViewOfSection");
	printf("%08X:NtMapViewOfSection\r\n", NtMapViewOfSection);
	NtCreateProcess = (fpNtCreateProcess)GetProcAddress(hNtDll, "NtCreateProcess");
	printf("%08X:NtCreateProcessEx\r\n", NtCreateProcess);
	NtCurrentProcess = (fpNtCurrentProcess)GetProcAddress(hNtDll, "NtCurrentProcess");
	printf("%08X:NtCurrentProcess\r\n", NtCurrentProcess);
	system("pause");
	LoadApplication(0,//CreateFile("C:/test.bat", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0),
		0);
	system("pause");
}

// INT 0x03,0x04,0x2D, ..4F
int (*NtSetLdtEntries)(DWORD, DWORD, DWORD, DWORD, DWORD, DWORD);
LDT_ENTRY ll;
int main(int argc, char* argv[])
{
	SYSTEM_INFO	si;
	DWORD	base = 0x0490;
	int ret;
	COORD	coord = {0, 0};
	Loader();
	HANDLE	hStdOut = GetStdHandle(STD_OUTPUT_HANDLE);
	GetSystemInfo(&si);
	printf("wProcessorArchitecture:%08X\r\n", si.wProcessorArchitecture);
	printf("dwPageSize:%08X\r\n", si.dwPageSize);
	printf("lpMinimumApplicationAddress:%08X\r\n", si.lpMinimumApplicationAddress);
	printf("lpMaximumApplicationAddress:%08X\r\n", si.lpMaximumApplicationAddress);
	printf("dwActiveProcessorMask:%08X\r\n", si.dwActiveProcessorMask);
	printf("dwNumberOfProcessors:%08X\r\n", si.dwNumberOfProcessors);
	printf("dwAllocationGranularity:%08X\r\n", si.dwAllocationGranularity);
	printf("wProcessorLevel:%08X\r\n", si.wProcessorLevel);
	printf("VirtualAlloc:%08X",
		VirtualAlloc((void*)si.lpMinimumApplicationAddress,
			(DWORD)si.lpMaximumApplicationAddress - (DWORD)si.lpMinimumApplicationAddress - si.dwAllocationGranularity - 0x1000000,
			MEM_COMMIT, PAGE_EXECUTE_READWRITE));
//	DisplayError("VirtualAlloc");
	system("Pause");
	//VirtualAlloc((void*)0x570000, 0x70000000, MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	*(FARPROC*)(&NtSetLdtEntries) = GetProcAddress(LoadLibrary("ntdll.dll"), "NtSetLdtEntries");
        ll.BaseLow = base & 0xFFFF;
        ll.HighWord.Bytes.BaseMid = base >> 16;
        ll.HighWord.Bytes.BaseHi = base >> 24;
        ll.LimitLow = 400;
        ll.HighWord.Bits.LimitHi = 0;
        ll.HighWord.Bits.Granularity = 0;
        ll.HighWord.Bits.Default_Big = 1;
        ll.HighWord.Bits.Reserved_0 = 0;
        ll.HighWord.Bits.Sys = 0;
        ll.HighWord.Bits.Pres = 1;
        ll.HighWord.Bits.Dpl = 3;
        ll.HighWord.Bits.Type = 0x13;
//        ret = NtSetLdtEntries(0x08, *(DWORD*)&ll, *((DWORD*)(&ll)+1),0,*(DWORD*)&ll, *((DWORD*)(&ll)+1));
	//SetUnhandledExceptionFilter(TopLevelExceptionFilter);
	printf("Hello World!\n");
	for(int i = 0x2E00; i <= 0xFFFF; ++ i) {
		SetConsoleCursorPosition(hStdOut, coord);
		_asm {
			rdtsc
				mov esi,esp
				mov edi,esp
				mov ecx,1
			mov	ebx,eax
			mov	edx,i	// Index of IO-Port
			_emit X86_REP
			_emit X86_REP
			_emit X86_SS
			out 54,eax
			movsd
			_emit X86_REP
			_emit X86_DS
			_emit X86_DS
			_emit X86_DS
			_emit X86_DS
			_emit X86_DS
			_emit X86_DS
			_emit X86_DS
			_emit X86_DS
			_emit X86_DS
			_emit X86_DS
			_emit X86_DS
			_emit X86_DS
			_emit X86_DS
			movsd
			_emit X86_REP
			_emit X86_CS
			_emit X86_DS
			_emit X86_ES
			_emit X86_FS
			_emit X86_GS
			_emit X86_SS
			_emit X86_GS
			_emit X86_FS
			_emit X86_ES
			_emit X86_DS
			_emit X86_CS
			_emit X86_DS
			_emit X86_ES
			_emit X86_IN_AL
			repe lock in	al,dx	// Try for port-read
			repne lock out dx,eax;
			repe lock cli
				sti
			/*mov al,0xC3
			shl eax,16
			mov al,0xCD
			mov	ah,dh
			push eax
			call esp
			pop eax*/
			rdtsc
			sub eax,ebx
				hlt

			jo err		// Overflow if unaccessable
			inc nPorts
err:
		}
		//system("pause");
	}
	printf("\nPorts available - %d\r\n", nPorts);
		return 0;
}
	#include "stdafx.h"

	#define _At_
	#define _Out_
	#define _In_
	#define _In_opt_
	#define _Out_
	#define _Out_opt_
	#define _Inout_
	#define _Inout_opt_
	#define _Inout_updates_opt_(x)
	#define MEM_EXTENDED_PARAMETER_TYPE_BITS 8
	#define FILE_SEQUENTIAL_ONLY 0x00000004
	#define PROCESS_CREATE_FLAGS_BREAKAWAY 0x00000001

	typedef struct MEM_EXTENDED_PARAMETER {
	struct {
	DWORD64 Type : MEM_EXTENDED_PARAMETER_TYPE_BITS;
	DWORD64 Reserved : 64 - MEM_EXTENDED_PARAMETER_TYPE_BITS;
	} DUMMYSTRUCTNAME;
	union {
	DWORD64 ULong64;
	PVOID Pointer;
	SIZE_T Size;
	HANDLE Handle;
	DWORD ULong;
	} DUMMYUNIONNAME;
	} MEM_EXTENDED_PARAMETER, *PMEM_EXTENDED_PARAMETER;

	//typedef DWORD NTSTATUS;
	typedef DWORD ULONG_PTR;
	typedef struct _IO_STATUS_BLOCK {
	union {
	NTSTATUS Status;
	PVOID Pointer;
	} DUMMYUNIONNAME;
	ULONG_PTR Information;
	} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

	typedef HANDLE (NTAPI *fpNtCurrentProcess)(void);

	//_Must_inspect_result_
	//__kernel_entry NTSYSCALLAPI
	typedef NTSTATUS (NTAPI *fpNtCreateSection) (
	_Out_ PHANDLE SectionHandle,
	_In_ ACCESS_MASK DesiredAccess,
	_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
	_In_opt_ PLARGE_INTEGER MaximumSize,
	_In_ ULONG SectionPageProtection,
	_In_ ULONG AllocationAttributes,
	_In_opt_ HANDLE FileHandle
	);

	typedef void(NTAPI *fpRtlInitUnicodeString)(
	PUNICODE_STRING DestinationString,
	PCWSTR SourceString
	);
	typedef
	//NTSYSAPI
	NTSTATUS
	(NTAPI
	*fpNtCreateFile)(
	OUT PHANDLE FileHandle,
	IN ACCESS_MASK DesiredAccess,
	IN POBJECT_ATTRIBUTES ObjectAttributes,
	OUT PIO_STATUS_BLOCK IoStatusBlock,
	IN PLARGE_INTEGER AllocationSize OPTIONAL,
	IN ULONG FileAttributes,
	IN ULONG ShareAccess,
	IN ULONG CreateDisposition,
	IN ULONG CreateOptions,
	IN PVOID EaBuffer OPTIONAL,
	IN ULONG EaLength );
	//__kernel_entry NTSYSCALLAPI
	typedef NTSTATUS (NTAPI *fpNtOpenFile) (
	_Out_ PHANDLE FileHandle,
	_In_ ACCESS_MASK DesiredAccess,
	_In_ POBJECT_ATTRIBUTES ObjectAttributes,
	_Out_ PIO_STATUS_BLOCK IoStatusBlock,
	_In_ ULONG ShareAccess,
	_In_ ULONG OpenOptions
	);

	typedef NTSYSAPI NTSTATUS (NTAPI *fpNtMapViewOfSection) (
	_In_ HANDLE SectionHandle,
	_In_ HANDLE ProcessHandle,
	_Inout_ _At_ PVOID *BaseAddress,
	_Inout_opt_ PLARGE_INTEGER SectionOffset,
	_Inout_ PSIZE_T ViewSize,
	_In_ ULONG AllocationType,
	_In_ ULONG Win32Protect,
	_Inout_updates_opt_(ParameterCount) MEM_EXTENDED_PARAMETER* Parameters,
	_In_ ULONG ParameterCount
	);

	typedef NTSTATUS(NTAPI *fpNtCreateProcess)
	(
	OUT PHANDLE ProcessHandle,
	IN ACCESS_MASK DesiredAccess,
	IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
	IN HANDLE ParentProcess,
	IN ULONG Flags,
	IN HANDLE SectionHandle OPTIONAL,
	IN HANDLE DebugPort OPTIONAL,
	IN HANDLE ExceptionPort OPTIONAL
	);
	fpRtlInitUnicodeString RtlInitUnicodeString;
	fpNtCreateFile NtCreateFile;
	fpNtCurrentProcess NtCurrentProcess;
	fpNtCreateSection NtCreateSection;
	fpNtOpenFile NtOpenFile;
	fpNtMapViewOfSection NtMapViewOfSection;
	fpNtCreateProcess NtCreateProcess;
	/*
	NTSTATUS NTAPI
	NtCreateProcessEx(OUT PHANDLE ProcessHandle,
	IN ACCESS_MASK DesiredAccess,
	IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
	IN HANDLE ParentProcess,
	IN ULONG Flags,
	IN HANDLE SectionHandle OPTIONAL,
	IN HANDLE DebugPort OPTIONAL,
	IN HANDLE ExceptionPort OPTIONAL,
	IN BOOLEAN InJob);
	*/
	// Macro-Codes of instructions
	//////////////////////////////
	#define X86_HLT 0xF4 // hlt
	#define X86_INT 0xCD // int
	#define X86_CLI 0xFA // cli
	#define X86_STI 0xFB // sti
	#define X86_ES 0x26 // es:
	#define X86_CS 0x2E // cs:
	#define X86_SS 0x36 // ss:
	#define X86_DS 0x3E // ds:
	#define X86_FS 0x64 // fs:
	#define X86_GS 0x65 // gs:
	#define X86_D16 0x66 // Data Override
	#define X86_LOCK 0xF0 // lock
	#define X86_REPNE 0xF2 // repne
	#define X86_REP 0xF3 // rep/repe
	#define X86_INSB 0x6C // insb
	#define X86_INSD 0x6D // insd/insw
	#define X86_OUTSB 0x6E // outsb
	#define X86_OUTSD 0x6F // outsd/outsw
	#define X86_IN_ALI 0xE4 // in al,i8
	#define X86_IN_AXI 0xE5 // in (e)ax,i8
	#define X86_OUT_ALI 0xE6 // out i8,al
	#define X86_OUT_AXI 0xE7 // out i8,(e)ax
	#define X86_IN_AL 0xEC // in al,dx
	#define X86_IN_AX 0xED // in (e)ax,dx
	#define X86_OUT_AL 0xEE // out dx,al
	#define X86_OUT_AX 0xEF // out dx,(e)ax

	// Flags of x86-instructions
	//////////////////////////////
	#define X86_USE_IM8 0x0001 // immediate byte
	#define X86_USE_D16 0x0002 // 2 bytes
	#define X86_USE_OUT 0x0004 // out/outs
	#define X86_USE_D8 0x0008 // 8 bits
	#define X86_USE_EAX 0x0010 // accumulator
	#define X86_USE_ECX 0x0020 // ecx as loop conter
	#define X86_USE_EDX 0x0040 // edx as port index
	#define X86_USE_EBX 0x0080 // ebx
	#define X86_USE_ESP 0x0100 // esp
	#define X86_USE_EBP 0x0200 // ebp
	#define X86_USE_ESI 0x0400 // esi as source
	#define X86_USE_EDI 0x0800 // edi as destination
	#define X86_USE_BUS 0x1000 // lock-prefix

	DWORD nPorts = 0; // Number of accessable ports

	///////////////////////////////////////////////////////////////////////
	// DisplayError
	// Displays the error number and corresponding message.
	///////////////////////////////////////////////////////////////////////
	void DisplayError(char *pszAPI) {
	LPVOID lpvMessageBuffer;
	CHAR szPrintBuffer[512];
	DWORD nCharsWritten;
	DWORD idError = GetLastError();

	if(!idError)
	return;

	FormatMessage(
	FORMAT_MESSAGE_ALLOCATE_BUFFER\|FORMAT_MESSAGE_FROM_SYSTEM,
	NULL, idError,
	MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
	(LPTSTR)&lpvMessageBuffer, 0, NULL);

	wsprintf(szPrintBuffer,
	"ERROR:\r\n"
	"\tAPI = %s\r\n"
	"\tCode: %d\r\n"
	"\tHint: %s",
	pszAPI, idError, (char *)lpvMessageBuffer);
	LocalFree(lpvMessageBuffer);

	WriteConsole(GetStdHandle(STD_OUTPUT_HANDLE),szPrintBuffer,
	lstrlen(szPrintBuffer),&nCharsWritten,NULL);
	MessageBox(NULL, szPrintBuffer, "", MB_OK);
	ExitProcess(idError);
	}

	LONG WINAPI x86_cmd_show(_EXCEPTION_POINTERS *ep, DWORD sel, int d8, DWORD usage) {
	int j;
	char cmd[32][16] = {
	"INSB",
	"INSD",
	"OUTSB",
	"OUTSD",
	"IN AL,%3d",
	"IN EAX,%3d",
	"OUT %3d,AL",
	"OUT %3d,EAX",
	"---",
	"HLT",
	"CLI",
	"STI",
	"IN AL,EDX",
	"IN EAX,EDX",
	"OUT EDX,AL",
	"OUT EDX,EAX",
	"INSB",
	"INSW",
	"OUTSB",
	"OUTSW",
	"IN AL,%3d",
	"IN AX,%3d",
	"OUT %3d,AL",
	"OUT %3d,AX",
	"---",
	"HLT",
	"CLI",
	"STI",
	"IN AL,EDX",
	"IN AX,EDX",
	"OUT EDX,AL",
	"OUT EDX,AX"
	};
	char str[16][16] = {
	"---",
	"---",
	"CS:",
	"DS:",
	"ES:",
	"FS:",
	"GS:",
	"SS:",
	"---",
	"---",
	"---",
	"---",
	"LOCK ",
	"---",
	"REPE ",
	"REPNE "
	};
	if(sel != 0 \|\| (sel & 0xF) != 8) {
	//if(0xEC == *ic) {
	DWORD port = ep->ContextRecord->Edx;
	DWORD ticks;
	DWORD static delta = 0;
	DWORD static max = 0;
	DWORD static reset = 0;
	DWORD reseter = 100;
	_asm rdtsc;
	_asm mov ticks,eax;
	printf("%08X %08X ", ep->ExceptionRecord->ExceptionAddress, sel);
	if(d8 >= 0)
	printf("%02X\|", d8);
	else
	printf(" \|");
	j = 4;
	while(((sel >> j) & 0xF) > 0 && j < 32) {
	printf(str[(sel >> j) & 0x0F]);
	j += 4;
	}
	if(usage & X86_USE_ECX)
	printf("(ECX) ");
	if(usage & X86_USE_EAX) { // port in/out
	if(usage & X86_USE_OUT) { // port output
	printf("OUT ");
	if(usage & X86_USE_EDX)
	printf("EDX,");
	else
	printf("%02X,", d8);
	if(usage & X86_USE_D8)
	printf("AL");
	else
	if(usage & X86_USE_D16)
	printf("AX");
	else
	printf("EAX");
	} else { // port input
	printf("IN ");
	if(usage & X86_USE_D8)
	printf(" AL");
	else
	if(usage & X86_USE_D16)
	printf(" AX");
	else
	printf("EAX");
	if(usage & X86_USE_EDX)
	printf(",EDX");
	else
	printf(",%02X", d8);
	}
	} else
	if(usage & X86_USE_EDX) {
	if(usage & X86_USE_ESI)
	printf("OUTS");
	else
	printf("INS");
	if(usage & X86_USE_D8)
	printf("B");
	else
	if(usage & X86_USE_D16)
	printf("W");
	else
	printf("D");
	} else
	printf(cmd[sel & 0xF]);
	if((sel & 0xF) == 0x9 && !(usage & X86_USE_IM8)) {
	if(reseter < reset ++)
	reset = 0,
	max = 0;
	if(max < ep->ContextRecord->Eax - delta)
	max = ep->ContextRecord->Eax - delta;
	printf("\t %9d > %9d ticks", max, ep->ContextRecord->Eax - delta);
	}
	printf("\r\n\t");
	if(usage & X86_USE_EAX)
	printf("EAX:%08X ", ep->ContextRecord->Eax);
	if(usage & X86_USE_ECX)
	printf("ECX:%08X ", ep->ContextRecord->Ecx);
	if(usage & X86_USE_EDX)
	printf("EDX:%08X ", ep->ContextRecord->Edx);
	if(usage & X86_USE_ESI)
	printf("ESI:%08X ", ep->ContextRecord->Esi);
	if(usage & X86_USE_EDI)
	printf("EDI:%08X ", ep->ContextRecord->Edi);
	printf("\r\n");
	_asm rdtsc;
	_asm sub eax,ticks;
	_asm mov delta,eax;
	//printf("%08X %02X\|IN AL,DX ; Port #%04X is bad; Ports available - %d\r", ea, *ic, port, nPorts);
	return EXCEPTION_CONTINUE_EXECUTION;
	}
	return EXCEPTION_EXECUTE_HANDLER;
	}

	LONG WINAPI TopLevelExceptionFilter(_EXCEPTION_POINTERS *ep) {
	DWORD ea = (DWORD)ep->ExceptionRecord->ExceptionAddress;
	BYTE ic = (BYTE )ea;
	DWORD sel = 0;
	BYTE cc;
	int d8 = -1;
	DWORD i = 0;
	bool d16 = false;
	DWORD usage = 0;
	do {
	cc = (BYTE )(ea + i ++);
	printf("%02X ", cc);
	switch(cc) {
	// Parse for prefixes
	case X86_D16:
	usage \|= X86_USE_D16;
	d16 = true;
	continue;
	case X86_CS:
	sel \|= 0x2 << (i << 2);
	continue;
	case X86_DS:
	sel \|= 0x3 << (i << 2);
	continue;
	case X86_ES:
	sel \|= 0x4 << (i << 2);
	continue;
	case X86_FS:
	sel \|= 0x5 << (i << 2);
	continue;
	case X86_GS:
	sel \|= 0x6 << (i << 2);
	continue;
	case X86_SS:
	sel \|= 0x7 << (i << 2);
	continue;
	case X86_LOCK:
	usage \|= X86_USE_BUS;
	sel \|= 0xC << (i << 2);
	continue;
	case X86_REPNE:
	usage \|= X86_USE_ECX;
	sel \|= 0xF << (i << 2);
	continue;
	case X86_REP:
	usage \|= X86_USE_ECX;
	sel \|= 0xE << (i << 2);
	continue;
	// Parse for instruction
	case X86_INSB: // 0x0
	usage \|= X86_USE_EDI;
	sel \|= (cc & 0x3);
	break;
	case X86_INSD: // 0x1
	usage \|= X86_USE_EDI;
	sel \|= (cc & 0x3);
	break;
	case X86_OUTSB: // 0x2
	usage \|= X86_USE_ESI \| X86_USE_OUT \| X86_USE_D8;
	sel \|= (cc & 0x3);
	break;
	case X86_OUTSD: // 0x3
	usage \|= X86_USE_ESI \| X86_USE_OUT;
	sel \|= (cc & 0x3);
	break;
	case X86_IN_ALI: // 0x4
	usage \|= X86_USE_EAX \| X86_USE_IM8 \| X86_USE_D8;
	d8 = (BYTE )(ea + i ++);
	sel \|= (cc & 0xF);
	cc = 0;
	break;
	case X86_IN_AXI: // 0x5
	usage \|= X86_USE_EAX \| X86_USE_IM8;
	d8 = (BYTE )(ea + i ++);
	sel \|= (cc & 0xF);
	cc = 0;
	break;
	case X86_OUT_ALI: // 0x6
	usage \|= X86_USE_EAX \| X86_USE_IM8 \| X86_USE_OUT \| X86_USE_D8;
	d8 = (BYTE )(ea + i ++);
	sel \|= (cc & 0xF);
	cc = 0;
	break;
	case X86_OUT_AXI: // 0x7
	usage \|= X86_USE_EAX \| X86_USE_IM8 \| X86_USE_OUT;
	d8 = (BYTE )(ea + i ++);
	sel \|= (cc & 0xF);
	cc = 0;
	break;
	case X86_CLI: // 0xA
	sel \|= (cc & 0xF);
	cc = 0;
	break;
	case X86_STI: // 0xB
	sel \|= (cc & 0xF);
	cc = 0;
	break;
	case X86_IN_AL: // 0xC
	usage \|= X86_USE_EAX \| X86_USE_EDX \| X86_USE_D8;
	sel \|= (cc & 0xF);
	cc = 0;
	break;
	case X86_IN_AX: // 0xD
	usage \|= X86_USE_EAX \| X86_USE_EDX;
	sel \|= (cc & 0xF);
	cc = 0;
	break;
	case X86_OUT_AL: // 0xE
	usage \|= X86_USE_EAX \| X86_USE_EDX \| X86_USE_OUT \| X86_USE_D8;
	sel \|= (cc & 0xF);
	cc = 0;
	break;
	case X86_OUT_AX: // 0xF
	usage \|= X86_USE_EAX \| X86_USE_EDX \| X86_USE_OUT;
	sel \|= (cc & 0xF);
	cc = 0;
	break;
	case X86_INT: // 0x9
	usage \|= X86_USE_IM8;
	d8 = (BYTE )(ea + i ++);
	case X86_HLT: // 0x9
	sel \|= 9;
	default:
	sel \|= 8;
	cc = 0;
	break;
	}
	} while(cc);
	ep->ContextRecord->Eip += i;
	ep->ContextRecord->EFlags \|= 1 << 11; // Overflow Flags
	ep->ExceptionRecord->ExceptionAddress = (void *)(ea + i);
	return x86_cmd_show(ep, sel, d8, usage);
	}

	void LoadApplication(HANDLE File, int h) {
	/* ObjAttr.Length = sizeof OBJECT_ATTRIBUTES;
	ObjAttr.RootDirectory = 0;
	ObjAttr.ObjectName = 0;*/
	// NtOpenFile(&hFile, FILE_ALL_ACCESS, &ofs, &StatusBlock, FILE_SHARE_READ\|FILE_SHARE_WRITE, FILE_SEQUENTIAL_ONLY);
	// printf("%08X:hFile\r\n", hFile);
	OBJECT_ATTRIBUTES ObjAttr;
	IO_STATUS_BLOCK StatusBlock;
	HANDLE hSection;
	HANDLE hProcess;
	PVOID ImageBaseAddr;
	SIZE_T ViewSize;
	HANDLE hFile;
	OBJECT_ATTRIBUTES ofs;
	UNICODE_STRING dn;
	IO_STATUS_BLOCK State;
	DWORD Error;
	//
	ZeroMemory(&State,sizeof(IO_STATUS_BLOCK));
	WCHAR *ch1 = L"\\??\\C:\\test.bat";
	RtlInitUnicodeString(&dn, ch1);
	InitializeObjectAttributes(&ofs, &dn, 0, 0, 0);
	//
	Error = NtCreateFile(&hFile,PAGE_EXECUTE/\|GENERIC_WRITE\|GENERIC_READ\|GENERIC_EXECUTE0/,&ofs, &State,0,FILE_ATTRIBUTE_NORMAL,0,0/FILE_SUPERSEDE*/,0,0,0);
	printf("%08X %08X:hFile\r\n", Error, hFile);
	Error = NtCreateSection(&hSection, SECTION_ALL_ACCESS, &ofs, NULL, PAGE_EXECUTE_READWRITE, SEC_IMAGE\|SEC_FILE\|SEC_COMMIT, &hFile);
	printf("%08X %08X:hSection\r\n", Error, hSection);
	Error = NtMapViewOfSection(hSection, (void *)-1, &ImageBaseAddr, NULL, &ViewSize, 0, PAGE_EXECUTE_READWRITE, NULL, 0);
	printf("%08X %08X:ImageBaseAddr\r\n", Error, ImageBaseAddr);
	Error = NtCreateProcess(&hProcess, PROCESS_ALL_ACCESS, NULL, (void *)-1, PROCESS_CREATE_FLAGS_BREAKAWAY, hSection, NULL, NULL);
	printf("%08X %08X:hProcess\r\n", Error, hProcess);
	// NtCreateThread(&hThread, THREAD_ALL_ACCESS, NULL, hProcess, &ClientId, &ThreadContext, &InitialTeb, TRUE);
	// NtCreateThreadEx(&hThread, THREAD_ALL_ACCESS, NULL, hProcess, (PUSER_THREAD_START_ROUTINE)Foo, (PVOID)Param1(), THREAD_CREATE_FLAGS_CREATE_SUSPENDED, 0, 0, 0, NULL);
	}
	void Loader(void) {
	HMODULE hNtDll = LoadLibrary("ntdll.dll");
	HMODULE hKernel = LoadLibrary("kernel.dll");
	RtlInitUnicodeString = (fpRtlInitUnicodeString)GetProcAddress(hNtDll, "RtlInitUnicodeString");
	printf("%08X:RtlInitUnicodeString\r\n", RtlInitUnicodeString);
	NtCreateFile = (fpNtCreateFile)GetProcAddress(hNtDll, "NtCreateFile");
	printf("%08X:NtCreateFile\r\n", NtCreateFile);
	NtOpenFile = (fpNtOpenFile)GetProcAddress(hNtDll, "NtOpenFile");
	printf("%08X:NtOpenFile\r\n", NtOpenFile);
	NtCreateSection = (fpNtCreateSection)GetProcAddress(hNtDll, "NtCreateSection");
	printf("%08X:NtCreateSection\r\n", NtCreateSection);
	NtMapViewOfSection = (fpNtMapViewOfSection)GetProcAddress(hNtDll, "NtMapViewOfSection");
	printf("%08X:NtMapViewOfSection\r\n", NtMapViewOfSection);
	NtCreateProcess = (fpNtCreateProcess)GetProcAddress(hNtDll, "NtCreateProcess");
	printf("%08X:NtCreateProcessEx\r\n", NtCreateProcess);
	NtCurrentProcess = (fpNtCurrentProcess)GetProcAddress(hNtDll, "NtCurrentProcess");
	printf("%08X:NtCurrentProcess\r\n", NtCurrentProcess);
	system("pause");
	LoadApplication(0,//CreateFile("C:/test.bat", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0),
	0);
	system("pause");
	}

	// INT 0x03,0x04,0x2D, ..4F
	int (*NtSetLdtEntries)(DWORD, DWORD, DWORD, DWORD, DWORD, DWORD);
	LDT_ENTRY ll;
	int main(int argc, char* argv[])
	{
	SYSTEM_INFO si;
	DWORD base = 0x0490;
	int ret;
	COORD coord = {0, 0};
	Loader();
	HANDLE hStdOut = GetStdHandle(STD_OUTPUT_HANDLE);
	GetSystemInfo(&si);
	printf("wProcessorArchitecture:%08X\r\n", si.wProcessorArchitecture);
	printf("dwPageSize:%08X\r\n", si.dwPageSize);
	printf("lpMinimumApplicationAddress:%08X\r\n", si.lpMinimumApplicationAddress);
	printf("lpMaximumApplicationAddress:%08X\r\n", si.lpMaximumApplicationAddress);
	printf("dwActiveProcessorMask:%08X\r\n", si.dwActiveProcessorMask);
	printf("dwNumberOfProcessors:%08X\r\n", si.dwNumberOfProcessors);
	printf("dwAllocationGranularity:%08X\r\n", si.dwAllocationGranularity);
	printf("wProcessorLevel:%08X\r\n", si.wProcessorLevel);
	printf("VirtualAlloc:%08X",
	VirtualAlloc((void*)si.lpMinimumApplicationAddress,
	(DWORD)si.lpMaximumApplicationAddress - (DWORD)si.lpMinimumApplicationAddress - si.dwAllocationGranularity - 0x1000000,
	MEM_COMMIT, PAGE_EXECUTE_READWRITE));
	// DisplayError("VirtualAlloc");
	system("Pause");
	//VirtualAlloc((void*)0x570000, 0x70000000, MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	(FARPROC)(&NtSetLdtEntries) = GetProcAddress(LoadLibrary("ntdll.dll"), "NtSetLdtEntries");
	ll.BaseLow = base & 0xFFFF;
	ll.HighWord.Bytes.BaseMid = base >> 16;
	ll.HighWord.Bytes.BaseHi = base >> 24;
	ll.LimitLow = 400;
	ll.HighWord.Bits.LimitHi = 0;
	ll.HighWord.Bits.Granularity = 0;
	ll.HighWord.Bits.Default_Big = 1;
	ll.HighWord.Bits.Reserved_0 = 0;
	ll.HighWord.Bits.Sys = 0;
	ll.HighWord.Bits.Pres = 1;
	ll.HighWord.Bits.Dpl = 3;
	ll.HighWord.Bits.Type = 0x13;
	// ret = NtSetLdtEntries(0x08, (DWORD)&ll, ((DWORD)(&ll)+1),0,(DWORD)&ll, ((DWORD)(&ll)+1));
	//SetUnhandledExceptionFilter(TopLevelExceptionFilter);
	printf("Hello World!\n");
	for(int i = 0x2E00; i <= 0xFFFF; ++ i) {
	SetConsoleCursorPosition(hStdOut, coord);
	_asm {
	rdtsc
	mov esi,esp
	mov edi,esp
	mov ecx,1
	mov ebx,eax
	mov edx,i // Index of IO-Port
	_emit X86_REP
	_emit X86_REP
	_emit X86_SS
	out 54,eax
	movsd
	_emit X86_REP
	_emit X86_DS
	_emit X86_DS
	_emit X86_DS
	_emit X86_DS
	_emit X86_DS
	_emit X86_DS
	_emit X86_DS
	_emit X86_DS
	_emit X86_DS
	_emit X86_DS
	_emit X86_DS
	_emit X86_DS
	_emit X86_DS
	movsd
	_emit X86_REP
	_emit X86_CS
	_emit X86_DS
	_emit X86_ES
	_emit X86_FS
	_emit X86_GS
	_emit X86_SS
	_emit X86_GS
	_emit X86_FS
	_emit X86_ES
	_emit X86_DS
	_emit X86_CS
	_emit X86_DS
	_emit X86_ES
	_emit X86_IN_AL
	repe lock in al,dx // Try for port-read
	repne lock out dx,eax;
	repe lock cli
	sti
	/*mov al,0xC3
	shl eax,16
	mov al,0xCD
	mov ah,dh
	push eax
	call esp
	pop eax*/
	rdtsc
	sub eax,ebx
	hlt

	jo err // Overflow if unaccessable
	inc nPorts
	err:
	}
	//system("pause");
	}
	printf("\nPorts available - %d\r\n", nPorts);
	return 0;
	}