r0 or eax10000h mov cr0eax sti ////////////////////////////////////////////////////// VOID Unhook ULONG Address Address1 Address ULONGKeServiceDescriptorTable-gtServiceTableBase 0xBA 4//查找SSDT Address1 ULONGKeServiceDescriptorTable-gtServiceTableBase 0x115 4 __asm cli mov eaxcr0 and eaxnot 10000h mov cr0eax ULONGAddress ULONGOldServiceAddress//还原SSDT ULONGAddress1 ULONGOldServiceAddress1//还原SSDT __asm mov eaxcr0 or eax10000h mov cr0eax sti DbgPrintquotUnhookquot 由于它不断对DebugPort清零所以要修改调试相关函数使得所有的访问DebugPort的地方全部访问EPROCESS中的ExitTime字节这样它怎么清零都无效了也检测不到 代码: .386 .model flat stdcall option casemap:none include dnf_hook.inc .const Dspdo_1 equ 80643db6h Dmpp_1 equ 80642d5eh Dmpp_2 equ 80642d64h Dct_1 equ 806445d3h Dqm_1 equ 80643089h Kde_1 equ 804ff5fdh Dfe_1 equ 80644340h Pcp_1 equ 805d1a0dh Mcp_1 equ 805b0c06h Mcp_2 equ 805b0d7fh Dmvos_1 equ 8064497fh Dumvos_1 equ 80644a45h Pet_1 equ 805d32f8h Det_1 equ 8064486ch Dep_1 equ 806448e6h .code 还原自己的Hook DriverUnload proc pDriverObject:PDRIVER_OBJECT ret DriverUnload endp ModifyFuncAboutDbg proc addrOdFunc cmd_1 cmd_2 pushad mov ebx addrOdFunc mov eax cmd_1 mov DWORD ptr ebx eax mov eax cmd_2 mov DWORD ptr ebx 4 eax popad ret ModifyFuncAboutDbg endp DriverEntry proc pDriverObject:PDRIVER_OBJECT pusRegistryPath:PUNICODE_STRING cli mov eax cr0 and eax not 10000h mov cr0 eax invoke ModifyFuncAboutDbg Dspdo_1 90784789h 0fde89090h invoke ModifyFuncAboutDbg Dmpp_1 90787e39h 950f9090h invoke ModifyFuncAboutDbg Dct_1 90785e39h 840f9090h invoke ModifyFuncAboutDbg Dqm_1 9078408bh 45899090h invoke ModifyFuncAboutDbg Kde_1 90787839h 13749090h invoke ModifyFuncAboutDbg Dfe_1 9078418bh 0d2329090h invoke ModifyFuncAboutDbg Pcp_1 90784389h 45f69090h invoke ModifyFuncAboutDbg Mcp_1 90785e39h 950f9090h invoke ModifyFuncAboutDbg Mcp_2 90784a89h 5e399090h invoke ModifyFuncAboutDbg Dmvos_1 9078498bh 0cb3b9090h invoke ModifyFuncAboutDbg Dumvos_1 00787983h 74909090h invoke ModifyFuncAboutDbg Pet_1 00787f83h 74909090h invoke ModifyFuncAboutDbg Det_1 9078498bh 0c9859090h invoke ModifyFuncAboutDbg Dep_1 9078498bh 0c9859090h invoke ModifyFuncAboutDbg Dmpp_2 8bc0950fh 8b90c032h mov eax pDriverObject assume eax : ptr DRIVER_OBJECT mov eax.DriverUnload offset DriverUnload assume eax : nothing mov eax cr0 or eax 10000h mov cr0 eax sti mov eax STATUS_SUCCESS ret DriverEntry endp end DriverEntry 绕过NtOpenProcessNtOpenThreadKiAttachProcess 以及最重要的不能让它检测到有硬件断点所以要对CONTEXT做一些伪装把真实的DR0DR7的数据存放到别的地方OD访问的时候返回正确的数据如果是DNF要获取上下文就稍微做下手脚 代码: .386 .model flat stdcall option casemap:none include dnf_hook.inc .const NtOpenProcessHookAddr equ 805cc626h NtOpenProcessRetAddr equ 805cc631h NtOpenProcessNoChange equ 805cc62ch NtOpenThreadHookAddr equ 805cc8a8h NtOpenThreadRetAddr equ 805cc8b3h NtOpenThreadNoChange equ 805cc8aeh KiAttachProcessAddr equ 804f9a08h KiAttachProcessRetAddr equ 804f9a0fh ObOpenObjectByPointerAddr equ 805bcc78h NtGetContextThreadAddr equ 805d2551h805c76a3h NtGetContextThreadRetAddr equ 805c76a7h805d2555h .data nameOffset dd threadCxtLink dd 0 tmpLink dd .code GetProcessName proc invoke PsGetCurrentProcess mov ebx eax add ebx nameOffset invoke DbgPrint CTA0quotnquot