- 注册时间
- 2010-8-21
- 最后登录
- 2017-5-30
- 在线时间
- 4 小时
编程入门
- 魔鬼币
- 638
|
这几天翻看论坛里的精华里,谈到了DebugPort清零。但似乎都是说怎么anti,没讲怎么实现。于是便动手写了一个不知道游戏保护中是不是也这么个思路。。在XP SP3下测试过。有不好的地方请大家指正。。- #include <ntddk.h>
- PETHREAD pThreadObj = NULL;
- BOOLEAN bTerminated = FALSE;
- UCHAR szProcessName[16] = "TestCrackMe.exe";
- VOID DriverUnload(PDRIVER_OBJECT pDriverObject);
- VOID AntiDbgThread(PVOID pContext);
- NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pRegistryPath)
- {
- OBJECT_ATTRIBUTES ObjAddr = {0};
- HANDLE ThreadHandle = 0;
- NTSTATUS NtStatus = STATUS_SUCCESS;
- KdPrint(("Driver Entry"));
- pDriverObject->DriverUnload = DriverUnload;
- InitializeObjectAttributes(&ObjAddr,NULL,OBJ_KERNEL_HANDLE,0,NULL);
- NtStatus = PsCreateSystemThread(&ThreadHandle,THREAD_ALL_ACCESS,&ObjAddr,NULL,NULL,AntiDbgThread,NULL);
- if(NT_SUCCESS(NtStatus))
- {
- KdPrint(("Thread Created"));
- NtStatus = ObReferenceObjectByHandle(ThreadHandle,THREAD_ALL_ACCESS,*PsThreadType,KernelMode,&pThreadObj,NULL);
- ZwClose(ThreadHandle);
- if(!NT_SUCCESS(NtStatus))
- {
- bTerminated = TRUE;
- }
- }
- return NtStatus;
- }
- VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
- {
- bTerminated = TRUE;
- KeWaitForSingleObject(pThreadObj,Executive,KernelMode,FALSE,NULL);
- ObDereferenceObject(pThreadObj);
- }
- VOID AntiDbgThread(PVOID pContext)
- {
- PEPROCESS pCurrentProcess = NULL;
- PEPROCESS pFirstProcess = NULL;
- LARGE_INTEGER inteval;
- inteval.QuadPart = -20000000;
- KeSetPriorityThread(KeGetCurrentThread(),LOW_REALTIME_PRIORITY);
- while(1)
- {
- if(bTerminated)
- {
- break;
- }
-
- pCurrentProcess = IoGetCurrentProcess();
- pFirstProcess = pCurrentProcess;
- while(RtlCompareMemory(szProcessName,(PUCHAR)((ULONG)pCurrentProcess + 0x174),16) != 16)
- {
- pCurrentProcess = (PEPROCESS)(*(PULONG)((ULONG)pCurrentProcess + 0x88) - 0x88);
- if(pCurrentProcess == pFirstProcess)
- {
- goto END;
- }
- }
-
- *(PULONG)((ULONG)pCurrentProcess + 0xbc) = 0;
- END:
- KeDelayExecutionThread(KernelMode,FALSE,&inteval);
- }
- }
|
|
发表于 2011-4-29 15:20:43