driver

  用DDDK编写驱动,修改SSDT表HOOK NTDebugActiveProcess函数 钩子函数中可以判断PID号,决定是否放行,放行则在钩子函数中调用原来的NTDebugActiveProcess函数.否则直接返回False.HOOK成功后所有调用DebugActiveProcess的程序将会失效.当然可以按照你的需要HOOK更多的系统服务函数.同一服务函数的服务号在每个操作系统版本中是不同的.下面附件中编译完成的驱动请在WinXP SP2的环境下测试.否则可能会导致直接重启(Used to prepare DDDK drive, modify SSDT Table HOOK NTDebugActiveProcess function hook function can determine the PID number, decide whether to release, release in the hook function to call the original function NTDebugActiveProcess. False.HOOK Otherwise, after the success of a direct return all calls DebugActiveProcess procedures will be failure. You can, of course, in accordance with the needs of more system services HOOK function. the same service function of the service in each of the operating system versions are different. following the completion of the annex to compile drivers in WinXP SP2 test environment. or else may lead to the resumption of direct)