这几天翻看论坛里的精华里,谈到了DebugPort清零。但似乎都是说怎么anti,没讲怎么实现。于是便动手写了一个
不知道游戏保护中是不是也这么个思路。。在XP SP3下测试过。有不好的地方请大家指正。。
代码:
#include <ntddk.h>
PETHREAD pThreadObj = NULL;
BOOLEAN bTerminated = FALSE;
UCHAR szProcessName[16] = "TestCrackMe.exe";
VOID DriverUnload(PDRIVER_OBJECT pDriverObject);
VOID AntiDbgThread(PVOID pContext);
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pRegistryPath)
{
OBJECT_ATTRIBUTES ObjAddr = {0};
HANDLE ThreadHandle = 0;
NTSTATUS NtStatus = STATUS_SUCCESS;
KdPrint(("Driver Entry"));
pDriverObject->DriverUnload = DriverUnload;
InitializeObjectAttributes(&ObjAddr,NULL,OBJ_KERNEL_HANDLE,0,NULL);
NtStatus = PsCreateSystemThread(&ThreadHandle,THREAD_ALL_ACCESS,&ObjAddr,NULL,NULL,AntiDbgThread,NULL);
if(NT_SUCCESS(NtStatus))
{
KdPrint(("Thread Created"));
NtStatus = ObReferenceObjectByHandle(ThreadHandle,THREAD_ALL_ACCESS,*PsThreadType,KernelMode,&pThreadObj,NULL);
ZwClose(ThreadHandle);
if(!NT_SUCCESS(NtStatus))
{
bTerminated = TRUE;
}
}
return NtStatus;
}
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
bTerminated = TRUE;
KeWaitForSingleObject(pThreadObj,Executive,KernelMode,FALSE,NULL);
ObDereferenceObject(pThreadObj);
}
VOID AntiDbgThread(PVOID pContext)
{
PEPROCESS pCurrentProcess = NULL;
PEPROCESS pFirstProcess = NULL;
LARGE_INTEGER inteval;
inteval.QuadPart = -20000000;
KeSetPriorityThread(KeGetCurrentThread(),LOW_REALTIME_PRIORITY);
while(1)
{
if(bTerminated)
{
break;
}
pCurrentProcess = IoGetCurrentProcess();
pFirstProcess = pCurrentProcess;
while(RtlCompareMemory(szProcessName,(PUCHAR)((ULONG)pCurrentProcess + 0x174),16) != 16)
{
pCurrentProcess = (PEPROCESS)(*(PULONG)((ULONG)pCurrentProcess + 0x88) - 0x88);
if(pCurrentProcess == pFirstProcess)
{
goto END;
}
}
*(PULONG)((ULONG)pCurrentProcess + 0xbc) = 0;
END:
KeDelayExecutionThread(KernelMode,FALSE,&inteval);
}
}