这几天翻看论坛里的精华帖，其中谈到了DebugPort清零。但似乎都是在讲怎么anti，没讲怎么实现。于是便动手写了一个，不知道游戏保护中是不是也是这么个思路。在XP SP3下测试过。有不好的地方请大家指正。
代码:
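#include <ntddk.h>

/*
 * Kernel-mode anti-debug sample, Windows XP SP3 x86 only.
 *
 * DriverEntry starts one system thread (AntiDbgThread) that every two seconds
 * walks the EPROCESS list by hand, finds the process whose ImageFileName equals
 * szProcessName and writes 0 into its DebugPort field.  The write goes through
 * a raw pointer, so none of the kernel's debug-object bookkeeping runs; the
 * attached debugger simply stops receiving events.  (It presumably also leaks
 * the debug object's reference that DebugPort held - not verified here.)
 *
 * Every offset below is hard-coded from the XP SP3 x86 EPROCESS layout and is
 * wrong on any other build.  The list walk takes no lock (the kernel's own
 * process-list mutex is not available to drivers), so a process exiting during
 * the walk can turn it into a use-after-free; that risk is inherent to the
 * technique and is not addressed here.
 */

/* XP SP3 x86 EPROCESS field offsets, as used by the original listing. */
enum {
    EPROCESS_OFF_ACTIVEPROCESSLINKS = 0x88,   /* LIST_ENTRY linking all EPROCESS */
    EPROCESS_OFF_DEBUGPORT          = 0xbc,   /* PVOID DebugPort               */
    EPROCESS_OFF_IMAGEFILENAME      = 0x174,  /* UCHAR ImageFileName[16]       */
    EPROCESS_IMAGEFILENAME_LEN      = 16
};

/* Referenced ETHREAD of the worker; stays NULL until DriverEntry succeeds. */
PETHREAD pThreadObj = NULL;

/*
 * Stop flag.  Set by DriverEntry (on a failed load) or DriverUnload, polled by
 * AntiDbgThread.  volatile so the poll is re-read on every iteration instead of
 * being hoisted out of the loop by the compiler.
 */
volatile BOOLEAN bTerminated = FALSE;

/* 15 characters + NUL == sizeof(EPROCESS.ImageFileName); compared as 16 bytes. */
UCHAR szProcessName[EPROCESS_IMAGEFILENAME_LEN] = "TestCrackMe.exe";

VOID DriverUnload(PDRIVER_OBJECT pDriverObject);
VOID AntiDbgThread(PVOID pContext);

/*
 * Driver entry point.
 *
 * Creates the worker thread and takes an ETHREAD reference on it so that
 * DriverUnload can wait for it.  If the reference cannot be taken, the thread
 * is stopped and joined *before* returning failure: the I/O manager unloads a
 * driver whose DriverEntry fails without calling DriverUnload, and a thread
 * still executing inside the unmapped image would bugcheck the machine.
 *
 * Returns STATUS_SUCCESS, or the failing PsCreateSystemThread /
 * ObReferenceObjectByHandle status.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    OBJECT_ATTRIBUTES ObjAddr = {0};
    HANDLE ThreadHandle = NULL;
    NTSTATUS NtStatus;

    UNREFERENCED_PARAMETER(pRegistryPath);

    KdPrint(("Driver Entry"));
    pDriverObject->DriverUnload = DriverUnload;

    InitializeObjectAttributes(&ObjAddr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
    NtStatus = PsCreateSystemThread(&ThreadHandle, THREAD_ALL_ACCESS, &ObjAddr,
                                    NULL, NULL, AntiDbgThread, NULL);
    if (!NT_SUCCESS(NtStatus)) {
        return NtStatus;        /* nothing was created, nothing to undo */
    }
    KdPrint(("Thread Created"));

    NtStatus = ObReferenceObjectByHandle(ThreadHandle, THREAD_ALL_ACCESS, *PsThreadType,
                                         KernelMode, (PVOID *)&pThreadObj, NULL);
    if (!NT_SUCCESS(NtStatus)) {
        /*
         * No ETHREAD reference, so DriverUnload could not wait on it anyway.
         * Stop the worker and wait on the still-open handle; the worker notices
         * the flag within one poll interval (2 s).
         */
        bTerminated = TRUE;
        ZwWaitForSingleObject(ThreadHandle, FALSE, NULL);
        pThreadObj = NULL;
    }
    ZwClose(ThreadHandle);
    return NtStatus;
}

/*
 * Unload routine: signals the worker, waits for it to exit and drops the
 * ETHREAD reference.  The wait is mandatory - the image is unmapped as soon as
 * this returns.  pThreadObj is guarded against NULL so the routine is safe even
 * if the load path is changed to leave the reference unset.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);

    bTerminated = TRUE;
    if (pThreadObj != NULL) {
        KeWaitForSingleObject(pThreadObj, Executive, KernelMode, FALSE, NULL);
        ObDereferenceObject(pThreadObj);
        pThreadObj = NULL;
    }
}

/*
 * Worker thread.  Polls bTerminated every 2 s; on each pass walks the circular
 * ActiveProcessLinks list starting at the current (System) process and clears
 * DebugPort of the first EPROCESS whose ImageFileName matches szProcessName.
 *
 * The walk also steps through the list head (PsActiveProcessHead), which is not
 * an EPROCESS: the 16-byte compare at that node reads unrelated kernel memory
 * and can only match by accident.  Kept as in the original; a correct walk
 * would skip the head explicitly.
 *
 * pContext is unused.  Never returns to the caller; ends with
 * PsTerminateSystemThread once bTerminated is observed.
 */
VOID AntiDbgThread(PVOID pContext)
{
    LARGE_INTEGER Interval;

    UNREFERENCED_PARAMETER(pContext);

    /* Negative == relative time, in 100 ns units: -20,000,000 is 2 seconds. */
    Interval.QuadPart = -20000000;
    KeSetPriorityThread(KeGetCurrentThread(), LOW_REALTIME_PRIORITY);

    while (!bTerminated) {
        PEPROCESS pFirst = IoGetCurrentProcess();
        PEPROCESS pCur = pFirst;

        /* Visit every node exactly once, starting with pFirst itself. */
        do {
            PUCHAR pName = (PUCHAR)((ULONG_PTR)pCur + EPROCESS_OFF_IMAGEFILENAME);

            if (RtlCompareMemory(szProcessName, pName, EPROCESS_IMAGEFILENAME_LEN)
                    == EPROCESS_IMAGEFILENAME_LEN) {
                /* Raw write: bypasses all debug-object notification paths. */
                *(PULONG_PTR)((ULONG_PTR)pCur + EPROCESS_OFF_DEBUGPORT) = 0;
                break;
            }
            /* Flink points at the next ActiveProcessLinks; back up to the EPROCESS. */
            pCur = (PEPROCESS)(*(PULONG_PTR)((ULONG_PTR)pCur + EPROCESS_OFF_ACTIVEPROCESSLINKS)
                               - EPROCESS_OFF_ACTIVEPROCESSLINKS);
        } while (pCur != pFirst);

        KeDelayExecutionThread(KernelMode, FALSE, &Interval);
    }

    PsTerminateSystemThread(STATUS_SUCCESS);
}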