How can a program get ring0 privilege easily?

[chenayang]

Hi friends, I would like to get PCI configuration address under Win32(XP or 2003).
The sample code shows process to get offset via port cf8h and cfch. But I found the program need to get ring0 privilege to run the command. How can the program get the ring0 privilege easily? Thanks a lot for any help.

Code:

#...
void get_offset(void)
{
	unsigned long config_address;
	__asm
	{
	    pushf
	    mov eax,0x8000fa24
	    mov dx,0xcf8
	    out dx,eax
	    mov dx,0xcfc
	    in eax,dx
	    push eax
	    lea ebx,config_address
                    pop ebx
	    popf
	}
cout<<config_address<<endl;
}

[MacGyver]

"Ring 0" and "easy".... somehow I'm not sure they go together.

[chenayang]

I found some methods by changing GDT/IDT which can get ring0 by assembling codes.
But I would like to know how to use driver to load a program in ring0 privilege:
The program contains driver and can load itself in ring0 privilege...How to get such a program??

[Cawk-Love]

I found some methods by changing GDT/IDT which can get ring0 by assembling codes.
But I would like to know how to use driver to load a program in ring0 privilege:
The program contains driver and can load itself in ring0 privilege...How to get such a program??

In the Windows DDK (which you should have if you are creating anything that resides in kernel mode), you can use a tool called DevCon (http://msdn.microsoft.com/en-us/library/ms792824.aspx) to load drivers.

Alternatively, you can use TDriver (http://www.codeproject.com/KB/system/tdriver.aspx).

[medievalelks]

None of this has anything to do with C++.

[Salem]

Moved.

[matsp]

I found some methods by changing GDT/IDT which can get ring0 by assembling codes.
But I would like to know how to use driver to load a program in ring0 privilege:
The program contains driver and can load itself in ring0 privilege...How to get such a program??

But you can't change GDT/IDT unless you are in RING0 - which is a good thing, because although people complain about Windows security, at least it's only small holes, not ones that an entire army of tanks can drive through all at once without anyone noticing. If you could just trivially modify the GDT then you don't have any security at all -that's zero, nada, none (not sure why you mention IDT, as that's not particularly meaningful for gaining Ring 0 access - at least not without also being able to introduce another piece of Ring0 code).

My other comment would be: Why would you want to read the PCI config space? There's very little you can do with PCI-devices without a driver. To write a driver, you need the DDK, and if you have a driver, you are in Ring0.

--
Mats