这几天翻看论坛里的精华时,看到有帖子谈到了DebugPort清零。但似乎都是说怎么anti,没讲怎么实现。于是便动手写了一个,不知道游戏保护中是不是也这么个思路。在XP SP3下测试过。有不好的地方请大家指正。

代码:
#include <ntddk.h>

/* Referenced thread object of the worker started in DriverEntry; DriverUnload
 * waits on it so the thread has exited before the image is unloaded. Stays NULL
 * until ObReferenceObjectByHandle succeeds. */
PETHREAD pThreadObj = NULL;
/* Stop flag polled by AntiDbgThread once per sleep interval; set by DriverUnload
 * (and by DriverEntry when the thread reference fails). Plain BOOLEAN, no
 * interlocked access — a stale read only delays the exit by one interval. */
BOOLEAN bTerminated = FALSE;
/* Image name to look for: 15 characters plus the terminating NUL, compared as a
 * full 16-byte block against the 16-byte name field at offset 0x174 of the
 * process object (layout taken from XP SP3; not valid on other builds). */
UCHAR szProcessName[16] = "TestCrackMe.exe";

/* Unload callback: signals the worker to stop, waits for it, drops the reference. */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject);
/* System-thread routine: periodically zeroes the debug port of the named process. */
VOID AntiDbgThread(PVOID pContext);

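/*
 * DriverEntry - start the anti-debug worker thread.
 *
 * Creates a system thread running AntiDbgThread and keeps a referenced
 * PETHREAD in pThreadObj so DriverUnload can wait for it.
 *
 * pDriverObject: driver object; its DriverUnload pointer is set here.
 * pRegistryPath: unused.
 *
 * Returns STATUS_SUCCESS, or the failing NTSTATUS from thread creation or
 * from referencing the thread object. On a reference failure the already
 * running worker is told to stop and is waited on before the failure is
 * returned, because a failed DriverEntry unloads the image and a worker
 * still executing inside it would then fault.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
  OBJECT_ATTRIBUTES objAttr = {0};
  HANDLE hThread = NULL;
  NTSTATUS status;

  UNREFERENCED_PARAMETER(pRegistryPath);

  KdPrint(("Driver Entry"));

  pDriverObject->DriverUnload = DriverUnload;

  /* Kernel handle: not accessible from user mode, closed with ZwClose below. */
  InitializeObjectAttributes(&objAttr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

  status = PsCreateSystemThread(&hThread, THREAD_ALL_ACCESS, &objAttr,
                                NULL, NULL, AntiDbgThread, NULL);
  if (!NT_SUCCESS(status))
  {
    /* No thread exists, so there is nothing to stop; the load simply fails. */
    return status;
  }

  KdPrint(("Thread Created"));

  status = ObReferenceObjectByHandle(hThread, THREAD_ALL_ACCESS, *PsThreadType,
                                     KernelMode, (PVOID *)&pThreadObj, NULL);
  if (!NT_SUCCESS(status))
  {
    /* The worker is running but we hold no object pointer to wait on, so
     * wait on the handle instead. Without this the thread would wake inside
     * an unmapped image after the failed load is torn down. */
    bTerminated = TRUE;
    ZwWaitForSingleObject(hThread, FALSE, NULL);
  }

  ZwClose(hThread);

  return status;
}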

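/*
 * DriverUnload - stop the worker thread before the image goes away.
 *
 * Sets the stop flag, waits until the thread object is signalled (i.e. the
 * worker has returned from its sleep, seen the flag and exited), then drops
 * the reference taken in DriverEntry. Guarded against a NULL pThreadObj so
 * the unload path cannot fault if the reference was never obtained.
 *
 * pDriverObject: unused.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
  UNREFERENCED_PARAMETER(pDriverObject);

  bTerminated = TRUE;

  if (pThreadObj != NULL)
  {
    /* Blocks for up to one worker sleep interval (2 s). */
    KeWaitForSingleObject(pThreadObj, Executive, KernelMode, FALSE, NULL);
    ObDereferenceObject(pThreadObj);
    pThreadObj = NULL;
  }
}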

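/*
 * EPROCESS field offsets as used on Windows XP SP3 (32-bit). These are not
 * part of any documented interface and differ between Windows builds, so the
 * process walk below is only meaningful on the build they were taken from.
 * Naming them keeps the build dependency visible instead of buried in casts.
 */
enum {
  EPROCESS_ACTIVEPROCESSLINKS = 0x88,   /* LIST_ENTRY linking all active processes */
  EPROCESS_DEBUGPORT          = 0xbc,   /* debug port pointer used by a user-mode debugger */
  EPROCESS_IMAGEFILENAME      = 0x174   /* 16-byte, NUL-padded image file name */
};

/* Follow the Flink of the process's active-process list entry and return the
 * EPROCESS that contains it (hand-rolled CONTAINING_RECORD, since the
 * structure is not declared here). */
static PEPROCESS NextProcess(PEPROCESS pProcess)
{
  ULONG_PTR flink = *(PULONG_PTR)((ULONG_PTR)pProcess + EPROCESS_ACTIVEPROCESSLINKS);
  return (PEPROCESS)(flink - EPROCESS_ACTIVEPROCESSLINKS);
}

/* TRUE when the process's 16-byte image name equals szProcessName exactly
 * (including the padding after the NUL). */
static BOOLEAN ProcessNameMatches(PEPROCESS pProcess)
{
  PUCHAR name = (PUCHAR)((ULONG_PTR)pProcess + EPROCESS_IMAGEFILENAME);
  return RtlCompareMemory(szProcessName, name, sizeof(szProcessName)) == sizeof(szProcessName);
}

/* Walk the active-process list starting at the calling thread's own process
 * and return the first process whose image name matches, or NULL after a full
 * lap with no match. No lock is taken while walking, so a process exiting
 * mid-walk can hand this routine a freed EPROCESS; the original accepted the
 * same risk. */
static PEPROCESS FindTargetProcess(VOID)
{
  PEPROCESS pStart = IoGetCurrentProcess();
  PEPROCESS pProcess = pStart;

  while (!ProcessNameMatches(pProcess))
  {
    pProcess = NextProcess(pProcess);
    if (pProcess == pStart)
    {
      return NULL;
    }
  }

  return pProcess;
}

/*
 * AntiDbgThread - worker body started by DriverEntry.
 *
 * Every 2 seconds locates the process named in szProcessName and writes zero
 * to its debug port field, until bTerminated is set. Terminates itself via
 * PsTerminateSystemThread so the thread object is signalled for DriverUnload.
 *
 * pContext: unused.
 */
VOID AntiDbgThread(PVOID pContext)
{
  LARGE_INTEGER interval;

  UNREFERENCED_PARAMETER(pContext);

  /* Negative value = relative time in 100 ns units: 20,000,000 -> 2 s. */
  interval.QuadPart = -20000000;

  KeSetPriorityThread(KeGetCurrentThread(), LOW_REALTIME_PRIORITY);

  while (!bTerminated)
  {
    PEPROCESS pTarget = FindTargetProcess();

    if (pTarget != NULL)
    {
      *(PULONG_PTR)((ULONG_PTR)pTarget + EPROCESS_DEBUGPORT) = 0;
    }

    KeDelayExecutionThread(KernelMode, FALSE, &interval);
  }

  PsTerminateSystemThread(STATUS_SUCCESS);
}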
上传的附件 TestCrackMe.rar
antidbg.rar