Using a Ring 0 driver to stop every debugger from attaching to a process
;Created: 14 November 2007
;Description: (original work) Using a Ring 0 driver to stop every debugger from attaching to a process
;Author: 朱剑
;Environment: XP SP2, KMD (kernel-mode driver assembly development kit), Win32 assembly

.386
.model flat,stdcall
option casemap:none

include w2k\ntstatus.inc
include w2k\ntddk.inc
include w2k\ntoskrnl.inc
include Strings.mac
includelib ntoskrnl.lib

.data
lpFnOldDebugActiveProcess dd 0      ; address of the SSDT slot that holds NtDebugActiveProcess
OldDebugActiveProcessAdd  dd 0      ; original entry point read from that slot, restored on unload

.code

; Replacement for NtDebugActiveProcess: never attaches a debugger and returns 0
; (STATUS_SUCCESS) so the caller sees no error. The real service takes two
; arguments (ProcessHandle, DebugObjectHandle); declaring both keeps the stdcall
; epilogue consistent with the service it replaces.
MyDebugActiveProcess proc ProcessHandle:DWORD, DebugObjectHandle:DWORD
    xor eax,eax
    ret
MyDebugActiveProcess endp

; Unload: put the original entry point back into the SSDT slot
DriverUnload proc pDriverObject:PDRIVER_OBJECT
    cli                         ; note: only masks interrupts on the current processor
    mov eax,cr0
    and eax,not 10000h          ; clear CR0.WP so the read-only SSDT page can be written
    mov cr0,eax
    mov eax,lpFnOldDebugActiveProcess
    push OldDebugActiveProcessAdd
    pop dword ptr [eax]         ; write the saved entry point through the slot pointer
    mov eax,cr0
    or eax,10000h               ; re-enable write protection
    mov cr0,eax
    sti
    ret
DriverUnload endp

DriverEntry proc pDriverObject:PDRIVER_OBJECT, pRegistryPath:PUNICODE_STRING
    mov eax,pDriverObject
    assume eax:PTR DRIVER_OBJECT
    mov [eax].DriverUnload,offset DriverUnload
    assume eax:nothing
    mov edi,KeServiceDescriptorTable
    mov edi,[edi]               ; ServiceTableBase: the array of system-service entry points
    lea eax,[edi+039h*4]        ; slot 039h is NtDebugActiveProcess on XP SP2
    mov lpFnOldDebugActiveProcess,eax
    push dword ptr [eax]
    pop OldDebugActiveProcessAdd ; save the original entry point for DriverUnload
    cli
    mov eax,cr0
    and eax,not 10000h          ; WP bit: clear it so a kernel-mode write to a read-only system page does not raise #GP
    mov cr0,eax
    mov eax,lpFnOldDebugActiveProcess
    mov dword ptr [eax],offset MyDebugActiveProcess   ; install the hook in the SSDT slot
    mov eax,cr0
    or eax,10000h
    mov cr0,eax
    sti
    mov eax,STATUS_SUCCESS
    ret
DriverEntry endp

end DriverEntry

;[Copyright notice] This article is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thank you! My thanks to the 看雪 (Pediy) forum for its help in my studies.
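As an added example (not from the original post, and user-mode C rather than a driver), here is the check an anti-rootkit tool applies against exactly this kind of modification: every service-table entry should point inside the ntoskrnl image, so a slot redirected to another module's address stands out. The table contents, the ntoskrnl image range, the service count and the driver address are all constructed values; only the 0x39 index comes from the post.

```c
#include <stddef.h>
#include <stdint.h>

/* Index of NtDebugActiveProcess in the XP SP2 service table (from the post). */
#define NT_DEBUG_ACTIVE_PROCESS_INDEX 0x39
/* Number of entries in the constructed table; the count itself is an assumption. */
#define SERVICE_COUNT 0x11C

typedef struct {
    uint32_t base;  /* ntoskrnl image base (constructed value, not a real one) */
    uint32_t size;  /* ntoskrnl SizeOfImage (constructed value) */
} module_range_t;

static int in_module(const module_range_t *m, uint32_t addr) {
    return addr >= m->base && addr - m->base < m->size;
}

/* Walk `count` service-table entries and record the indices whose target lies
 * outside the kernel image (the signature of the hook in the post). Returns the
 * total number found, even if more than `max_hooked` fit in the output array. */
size_t find_ssdt_hooks(const uint32_t *table, size_t count,
                       const module_range_t *ntoskrnl,
                       size_t *hooked, size_t max_hooked) {
    size_t n = 0;
    for (size_t i = 0; i < count; i++) {
        if (!in_module(ntoskrnl, table[i])) {
            if (n < max_hooked) hooked[n] = i;
            n++;
        }
    }
    return n;
}

/* Constructed scenario: every slot points into ntoskrnl except 0x39, which a
 * driver has redirected to its own code, as the post's DriverEntry does.
 * Returns the index of the first flagged slot, or -1 when nothing is flagged. */
long scan_constructed_table(size_t *total_hooked) {
    static uint32_t table[SERVICE_COUNT];
    const module_range_t ntoskrnl = { 0x804D7000u, 0x1F8000u };  /* constructed */
    for (size_t i = 0; i < SERVICE_COUNT; i++)
        table[i] = ntoskrnl.base + 0x1000u + (uint32_t)i * 0x40u;
    table[NT_DEBUG_ACTIVE_PROCESS_INDEX] = 0xF8A1B000u;  /* constructed driver address */
    size_t hooked[8];
    size_t n = find_ssdt_hooks(table, SERVICE_COUNT, &ntoskrnl, hooked, 8);
    if (total_hooked) *total_hooked = n;
    return n ? (long)hooked[0] : -1;
}

size_t constructed_hook_count(void) { size_t n; scan_constructed_table(&n); return n; }
```

A real scanner reads the live KeServiceDescriptorTable and the loaded-module list instead of the constructed arrays, and a clean table produces no output.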
