;Created: 14 November 2007
;Description: (original work) Using a driver in Ring 0 to stop every debugging tool from debugging a program
;Author: 朱剑 (Zhu Jian)
;Environment: XP SP2, KMD (driver development kit for assembly), Win32 assembly
;
;Note on this listing: the source was extracted with most mnemonics stripped; it has been
;reconstructed into assemblable MASM that keeps the original behaviour (hooking SSDT slot 039h,
;which is NtDebugActiveProcess on XP SP2 only; the index differs on other Windows builds).

.386
.model flat, stdcall
option casemap:none

include w2k\ntstatus.inc
include w2k\ntddk.inc
include w2k\ntoskrnl.inc
include Strings.mac

includelib ntoskrnl.lib

.data
lpFnOldDebugActiveProcess dd 0      ; address of the SSDT slot for NtDebugActiveProcess (index 039h)
OldDebugActiveProcessAdd  dd 0      ; original handler address saved from that slot

.code

; Replacement for NtDebugActiveProcess: every debug-attach request is rejected.
; The exact status returned was lost in extraction; STATUS_ACCESS_DENIED is an editorial assumption.
MyDebugActiveProcess proc ProcessHandle:HANDLE, DebugObjectHandle:HANDLE
    mov eax, STATUS_ACCESS_DENIED
    ret
MyDebugActiveProcess endp

; Restore the original SSDT entry when the driver is unloaded.
DriverUnload proc uses edi pDriverObject:PDRIVER_OBJECT
    cli
    mov eax, cr0
    and eax, not 10000h              ; clear WP so the (read-only) SSDT page can be written
    mov cr0, eax
    mov edi, lpFnOldDebugActiveProcess
    push OldDebugActiveProcessAdd
    pop dword ptr [edi]              ; write the saved handler back into the slot
    mov eax, cr0
    or eax, 10000h                   ; set WP again
    mov cr0, eax
    sti
    ret
DriverUnload endp

DriverEntry proc uses edi pDriverObject:PDRIVER_OBJECT, pRegistryPath:PUNICODE_STRING
    mov eax, pDriverObject
    assume eax:PTR DRIVER_OBJECT
    mov [eax].DriverUnload, offset DriverUnload
    assume eax:nothing

    mov edi, offset KeServiceDescriptorTable
    mov edi, [edi]                   ; ServiceTableBase (KiServiceTable)
    lea edi, [edi+039h*4]            ; slot 039h = NtDebugActiveProcess on XP SP2
    mov lpFnOldDebugActiveProcess, edi
    push dword ptr [edi]
    pop OldDebugActiveProcessAdd     ; remember the original handler for DriverUnload

    cli
    mov eax, cr0
    and eax, not 10000h              ; WP bit: with it clear, kernel mode can modify system memory pages without raising #GP
    mov cr0, eax
    mov eax, offset MyDebugActiveProcess
    mov [edi], eax                   ; install the hook
    mov eax, cr0
    or eax, 10000h
    mov cr0, eax
    sti

    mov eax, STATUS_SUCCESS
    ret
DriverEntry endp

end DriverEntry

;[Copyright notice] This article is purely for technical exchange; when reposting, please credit the author and keep the article intact. Thank you! Thanks to the 看雪 (Pediy) forum for its help with my studies.
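What a defender wants against exactly this kind of driver is an integrity check of the service table: a legitimate SSDT entry points into the ntoskrnl image, so any slot whose address lies outside the kernel's load range has been redirected, which is the check classic anti-rootkit tools perform. The C program below is an added example, not code from the article or its author; it runs the check offline over a constructed table rather than live kernel memory, and the kernel image base and size, the hypothetical driver address and the table contents are all invented for illustration. The service index 0x39 for NtDebugActiveProcess is the one the article uses and is valid for XP SP2 only. In a real scanner the table would be read from kernel memory and the ntoskrnl range obtained from the loaded-module list; comparing each entry against the function's address in the on-disk ntoskrnl image is a stronger follow-up check, and on 64-bit Windows Kernel Patch Protection (PatchGuard) already treats SSDT modification as a fatal integrity violation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed values for this example: an XP-style 32-bit kernel image range.
 * They are illustrative, not real ntoskrnl load addresses. */
#define NTOSKRNL_BASE 0x804D7000u
#define NTOSKRNL_SIZE 0x0021B000u
/* Service index of NtDebugActiveProcess on XP SP2, as hooked by the driver above. */
#define SVC_NT_DEBUG_ACTIVE_PROCESS 0x39u
/* Constructed address of a hypothetical hooking driver, outside the kernel image. */
#define HOOK_DRIVER_ADDR 0xF8A2B000u

typedef struct {
    uint32_t base;
    uint32_t size;
} image_range_t;

static const image_range_t NTOSKRNL_RANGE = { NTOSKRNL_BASE, NTOSKRNL_SIZE };

/* 1 if addr lies in [base, base+size); unsigned subtraction avoids overflow at the top of memory. */
int in_image(uint32_t addr, const image_range_t *img)
{
    return (addr - img->base) < img->size;
}

/* Scan a service table: every entry that does not point into the kernel image is
 * reported as hooked. Indices go to out (at most max_out); the return value is the
 * total number found, even when that exceeds max_out. */
size_t find_ssdt_hooks(const uint32_t *table, size_t count,
                       const image_range_t *img, size_t *out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i < count; i++) {
        if (!in_image(table[i], img)) {
            if (found < max_out)
                out[found] = i;
            found++;
        }
    }
    return found;
}

/* Build the constructed table: every handler inside the kernel image except the
 * NtDebugActiveProcess slot, which points into the hypothetical driver. */
size_t build_sample_table(uint32_t *table, size_t count)
{
    for (size_t i = 0; i < count; i++)
        table[i] = NTOSKRNL_BASE + 0x1000u + (uint32_t)i * 0x40u;
    if (SVC_NT_DEBUG_ACTIVE_PROCESS < count)
        table[SVC_NT_DEBUG_ACTIVE_PROCESS] = HOOK_DRIVER_ADDR;
    return count;
}

#define SAMPLE_ENTRIES 64u

/* Number of hooked slots in the sample table. */
size_t sample_hook_count(void)
{
    uint32_t table[SAMPLE_ENTRIES];
    size_t hits[SAMPLE_ENTRIES];
    size_t n = build_sample_table(table, SAMPLE_ENTRIES);
    return find_ssdt_hooks(table, n, &NTOSKRNL_RANGE, hits, SAMPLE_ENTRIES);
}

/* Index of the first hooked slot in the sample table, or -1 if it is clean. */
int sample_first_hook(void)
{
    uint32_t table[SAMPLE_ENTRIES];
    size_t hit;
    build_sample_table(table, SAMPLE_ENTRIES);
    if (find_ssdt_hooks(table, SAMPLE_ENTRIES, &NTOSKRNL_RANGE, &hit, 1) == 0)
        return -1;
    return (int)hit;
}

int main(void)
{
    uint32_t table[SAMPLE_ENTRIES];
    size_t hits[SAMPLE_ENTRIES];
    size_t n = build_sample_table(table, SAMPLE_ENTRIES);
    size_t found = find_ssdt_hooks(table, n, &NTOSKRNL_RANGE, hits, SAMPLE_ENTRIES);
    for (size_t i = 0; i < found; i++)
        printf("service 0x%02x -> 0x%08x is outside ntoskrnl (hooked)\n",
               (unsigned)hits[i], table[hits[i]]);
    if (found == 0)
        puts("no SSDT entries outside the kernel image");
    return 0;
}
```

Run as written, the scan flags only service 0x39 and prints its foreign target address; the range test uses unsigned subtraction so an image mapped near the top of the address space cannot produce a wrapped comparison.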