[分享]《打造IceSword也杀不掉的进程》代码还原
黑防六期有《打造IceSword也杀不掉的进程》,作者写出了关键代码,但光盘没有提供原始代码.今天兴起,认真阅读文章后把代码基本还原,供大家分享(已通过VC++6.0编译和DDK编译OK!);
在此特别感谢本文作者fOx为大家提供的另类且牛逼手段,不过先声明几点:
1、本文不属于原创,版权归原作者
2、或许怪我写的不好,进程虽然不会被冰刃、任务管理器等截杀,但有时自己也没法结束自己
3、如果出现无法结束自己的情况,使用冰刃进程功能中的线程信息,对线程选强制杀死就行了

驱动代码:

//RING0        START
#include "ntddk.h"
/* NT device name and the Win32-visible symbolic link that user mode opens
 * as \\.\PP (see main() in the RING3 listing). */
#define NT_DEVICE_NAME                    L"\\Device\\PP"
#define DOS_DEVICE_NAME          L"\\DosDevices\\PP"
/* Control code shared with the user-mode client. METHOD_BUFFERED: the
 * I/O manager copies the caller's input into Irp->AssociatedIrp.SystemBuffer.
 * FILE_ANY_ACCESS: no particular access right on the device handle is
 * required to issue it, so the device object's DACL is the only gate on
 * this operation. The device type used here (FILE_DEVICE_UNKNOWN) differs
 * from the one DriverEntry creates the device with
 * (FILE_DEVICE_DISK_FILE_SYSTEM); worth aligning. */
#define IOCTL_PROTECT_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN,0x800,METHOD_BUFFERED,FILE_ANY_ACCESS)
/* Bit ORed into the thread's CrossThreadFlags by the IOCTL handler -- the
 * "system thread" bit according to the article this listing reconstructs.
 * NOTE(review): the value is kernel-build specific; confirm against the
 * target build before relying on it. */
#define PS_CROSS_THREAD_FLAGS_SYSTEM 0x00000010UL
/* Initialised in DriverEntry and used again by UnloadDriver. */
UNICODE_STRING         DeviceNameString;
UNICODE_STRING         LinkDeviceNameString;
/* Defined at the end of the RING0 listing: locates the CrossThreadFlags
 * offset by pattern-scanning the code of PsIsSystemThread. */
ULONG GetCrossThreadFlagsOffset();

/* Not declared by this DDK's headers, hence the local prototype. On success
 * it returns a referenced ETHREAD; the caller owns that reference and must
 * release it with ObDereferenceObject. */
NTSTATUS
PsLookupThreadByThreadId(
        IN         HANDLE          hThreadId,
        OUT PETHREAD *pEthread
);

/* Exported kernel routine; this driver never calls it, it only uses its
 * address as the start of the signature scan. */
NTKERNELAPI
BOOLEAN
PsIsSystemThread(IN PETHREAD Thread);

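/*
 * Driver unload routine: removes the \DosDevices\PP link and the control
 * device created in DriverEntry.
 *
 * DriverObject: the driver object whose single device object is deleted.
 *
 * Fix: the original evaluated ASSERT(!deviceObject->AttachedDevice) before
 * its NULL check on deviceObject, so the guard could never protect the
 * dereference. The NULL check now comes first.
 */
VOID UnloadDriver(IN PDRIVER_OBJECT DriverObject)
{
        PDEVICE_OBJECT controlDevice = DriverObject->DeviceObject;

        /* The link is global state set up in DriverEntry; remove it
         * unconditionally so it never dangles after unload. */
        IoDeleteSymbolicLink(&LinkDeviceNameString);

        if (controlDevice != NULL)
        {
                /* Nothing is expected to be layered on top of this device. */
                ASSERT(!controlDevice->AttachedDevice);
                IoDeleteDevice(controlDevice);
        }
}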

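/*
 * Single dispatch routine for IRP_MJ_CREATE, IRP_MJ_CLOSE and
 * IRP_MJ_DEVICE_CONTROL on the \Device\PP control device.
 *
 * IOCTL_PROTECT_CONTROL (METHOD_BUFFERED) takes a thread id (HANDLE) in the
 * system buffer, looks up its ETHREAD and ORs PS_CROSS_THREAD_FLAGS_SYSTEM
 * into the CrossThreadFlags field located by GetCrossThreadFlagsOffset().
 *
 * Security note: there is no privilege or ownership check here and the
 * IOCTL is FILE_ANY_ACCESS, so any caller that can open the device can flag
 * an arbitrary thread in any process -- the thread id is taken verbatim
 * from the caller. The device object's DACL (decided when it is created)
 * is the only access control on this primitive.
 *
 * Fixes vs. the original:
 *  - the undersized-buffer path returned from the dispatch routine without
 *    completing the IRP, leaving the requester blocked on it forever; it
 *    now completes the IRP with STATUS_BUFFER_TOO_SMALL;
 *  - PsLookupThreadByThreadId returns a referenced ETHREAD that was never
 *    released (one leaked reference per request); ObDereferenceObject is
 *    now called on every path after a successful lookup;
 *  - a failed lookup, a failed signature scan or an exception was reported
 *    to user mode as STATUS_SUCCESS; the real status is now propagated;
 *  - a zero result from GetCrossThreadFlagsOffset() is refused instead of
 *    being used as the field offset.
 *
 * Returns the NTSTATUS the IRP was completed with.
 */
NTSTATUS DispatchDeviceControl(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
        NTSTATUS                status   = STATUS_SUCCESS;
        PIO_STACK_LOCATION      irpStack = IoGetCurrentIrpStackLocation(Irp);
        PETHREAD                thread   = NULL;
        HANDLE                  threadId;
        ULONG                   offset;
        PULONG                  flags;

        UNREFERENCED_PARAMETER(DeviceObject);

        Irp->IoStatus.Information = 0;

        switch (irpStack->MajorFunction)
        {
        case IRP_MJ_CREATE:
        case IRP_MJ_CLOSE:
                /* Opening and closing the device carry no work of their own. */
                break;

        case IRP_MJ_DEVICE_CONTROL:
                switch (irpStack->Parameters.DeviceIoControl.IoControlCode)
                {
                case IOCTL_PROTECT_CONTROL:
                        /* METHOD_BUFFERED: the input has already been copied
                         * from user mode into the system buffer. */
                        if (irpStack->Parameters.DeviceIoControl.InputBufferLength < sizeof(HANDLE) ||
                            Irp->AssociatedIrp.SystemBuffer == NULL)
                        {
                                status = STATUS_BUFFER_TOO_SMALL;
                                break;
                        }
                        threadId = *(PHANDLE)Irp->AssociatedIrp.SystemBuffer;

                        status = PsLookupThreadByThreadId(threadId, &thread);
                        if (!NT_SUCCESS(status))
                        {
                                DbgPrint("Find Ethread Error == 0x%0.8X", status);
                                break;
                        }

                        __try
                        {
                                offset = GetCrossThreadFlagsOffset();
                                if (offset == 0)
                                {
                                        /* Signature scan failed: do not write to a
                                         * guessed location inside the ETHREAD. */
                                        status = STATUS_NOT_SUPPORTED;
                                }
                                else
                                {
                                        flags = (PULONG)((PUCHAR)thread + offset);
                                        /* Plain read-modify-write on a field the kernel
                                         * also updates; the original was not interlocked
                                         * either, so this is unchanged. */
                                        *flags |= PS_CROSS_THREAD_FLAGS_SYSTEM;
                                }
                        }
                        __except (EXCEPTION_EXECUTE_HANDLER)
                        {
                                /* Only catches exceptions SEH can deliver here; an
                                 * invalid kernel address still bugchecks. */
                                DbgPrint("Exception On Modify Thread Cross Flags");
                                status = GetExceptionCode();
                        }

                        /* Release the reference taken by PsLookupThreadByThreadId. */
                        ObDereferenceObject(thread);
                        break;

                default:
                        /* Unknown control code: report it instead of silently
                         * succeeding. */
                        status = STATUS_INVALID_DEVICE_REQUEST;
                        break;
                }
                break;

        default:
                status = STATUS_INVALID_DEVICE_REQUEST;
                break;
        }

        Irp->IoStatus.Status = status;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
        return status;
}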

/*
 * DriverEntry: creates the \Device\PP control device, routes the three
 * supported major functions to DispatchDeviceControl, and publishes the
 * \DosDevices\PP link that user mode opens as \\.\PP.
 *
 * theDriverObject: the driver object supplied by the I/O manager.
 * pRegistryString: the driver's registry path (unused).
 *
 * Returns STATUS_SUCCESS, or the failing IoCreateDevice /
 * IoCreateSymbolicLink status; in the latter case the device is deleted
 * again before returning.
 *
 * NOTE(review): no explicit security descriptor is supplied, so only the
 * I/O manager's default DACL for this device type limits who may send
 * IOCTL_PROTECT_CONTROL. Confirm that default is acceptable before use.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT theDriverObject, PUNICODE_STRING pRegistryString)
{
        NTSTATUS       ntStatus;
        PDEVICE_OBJECT controlDevice = NULL;

        UNREFERENCED_PARAMETER(pRegistryString);

        RtlInitUnicodeString(&DeviceNameString, NT_DEVICE_NAME);
        RtlInitUnicodeString(&LinkDeviceNameString, DOS_DEVICE_NAME);

        ntStatus = IoCreateDevice(theDriverObject,
                                  0,                              /* no device extension */
                                  &DeviceNameString,
                                  FILE_DEVICE_DISK_FILE_SYSTEM,
                                  FILE_DEVICE_SECURE_OPEN,
                                  FALSE,
                                  &controlDevice);
        if (!NT_SUCCESS(ntStatus))
        {
                KdPrint(("DriverEntry: Error creating control device object, status=%08x\n", ntStatus));
                return ntStatus;
        }

        /* One dispatch routine handles create, close and device control. */
        theDriverObject->MajorFunction[IRP_MJ_CREATE]         = DispatchDeviceControl;
        theDriverObject->MajorFunction[IRP_MJ_CLOSE]          = DispatchDeviceControl;
        theDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchDeviceControl;
        theDriverObject->DriverUnload                         = UnloadDriver;

        ntStatus = IoCreateSymbolicLink(&LinkDeviceNameString, &DeviceNameString);
        if (NT_SUCCESS(ntStatus))
                return STATUS_SUCCESS;

        /* Link creation failed: undo the device so a failed load leaves
         * nothing behind. */
        IoDeleteDevice(controlDevice);
        return ntStatus;
}

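/* Upper bound, in bytes, on the signature scan. PsIsSystemThread is a
 * handful of instructions, so the load of CrossThreadFlags is expected well
 * inside this window -- TODO confirm against the target kernel build. */
#define CROSS_THREAD_FLAGS_SCAN_LIMIT 128

/*
 * Locate the byte offset of the CrossThreadFlags field by scanning the code
 * of the exported PsIsSystemThread for the x86 encoding `8B 80 disp32`
 * (mov eax, [eax+disp32]) and reading its 32-bit displacement. The result
 * is cached in a static after the first successful scan.
 *
 * Returns the offset, or 0 if the pattern was not found within
 * CROSS_THREAD_FLAGS_SCAN_LIMIT bytes; callers must not use 0 as an offset.
 *
 * Fixes vs. the original:
 *  - the `if (Offset == 0)` guard covered only the pProc assignment, so any
 *    call after the first (cache hit) scanned from an uninitialised
 *    pointer;
 *  - the scan was unbounded, so an unexpected code layout (a different
 *    kernel build, or anything other than 32-bit x86, where this byte
 *    pattern is meaningless) walked past the function until it faulted;
 *  - the displacement is read with RtlCopyMemory instead of an unaligned
 *    PULONG dereference.
 */
ULONG GetCrossThreadFlagsOffset(void)
{
        static ULONG cachedOffset = 0;
        PUCHAR code;
        ULONG  i;

        if (cachedOffset != 0)
                return cachedOffset;

        code = (PUCHAR)PsIsSystemThread;
        /* Stop while a full 2-byte opcode plus 4-byte displacement still
         * fits inside the scan window. */
        for (i = 0; i + 2 + sizeof(ULONG) <= CROSS_THREAD_FLAGS_SCAN_LIMIT; i++)
        {
                if (code[i] == 0x8B && code[i + 1] == 0x80)
                {
                        DbgPrint("Instruction found in address == 0x%0.8X", code + i);
                        RtlCopyMemory(&cachedOffset, code + i + 2, sizeof(cachedOffset));
                        DbgPrint("Offset == 0x%0.8X", cachedOffset);
                        return cachedOffset;
                }
        }

        DbgPrint("CrossThreadFlags pattern not found in PsIsSystemThread");
        return 0;
}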
//RING0        END

用户程序代码( 注意:(1)被保护进程是自己,(2)加载驱动使用专门工具 )
//RING3 START
// PP.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>
#include <string.h>
#include <winioctl.h>
#include <conio.h>
#include "psapi.h"        //这个头文件编进程相关程序的人都有吧。。。

#pragma comment( lib, "psapi" )

#define IOCTL_PROTECT_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN,0x800,METHOD_BUFFERED,FILE_ANY_ACCESS)

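/*
 * Console client for the \\.\PP control device.
 *
 * Enumerates the threads of *this* process (the protected process is the
 * tool itself) and sends each thread id to the driver through
 * IOCTL_PROTECT_CONTROL, then blocks on a keypress so the process stays
 * alive. The driver must already have been loaded by a separate tool.
 *
 * Note: th32ThreadID is a DWORD while the driver checks the input against
 * sizeof(HANDLE); the two agree on 32-bit Windows, which is what this
 * listing targets.
 *
 * Fix vs. the original: the device handle was leaked on the two early
 * returns after the snapshot failed; both paths now close it. The output
 * buffer size is passed as 0 rather than NULL (it is a DWORD, not a
 * pointer).
 *
 * Returns 0 in every case; errors are printed, not signalled.
 */
int main(int argc, char* argv[])
{
        char devicePath[MAX_PATH] = "\\\\.\\PP";
        HANDLE hDevice = CreateFileA(devicePath,
                                     GENERIC_READ | GENERIC_WRITE,
                                     FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                                     NULL, OPEN_EXISTING, 0, NULL);
        if (hDevice == INVALID_HANDLE_VALUE)
        {
                printf("Error GetLastError() is %d", GetLastError());
                return 0;
        }

        const DWORD ownPid = GetCurrentProcessId();
        HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
        if (hSnapshot == INVALID_HANDLE_VALUE)
        {
                CloseHandle(hDevice);
                return 0;
        }

        THREADENTRY32 entry;
        entry.dwSize = sizeof(entry);
        if (!Thread32First(hSnapshot, &entry))
        {
                printf("Error Thread32First");
                CloseHandle(hSnapshot);
                CloseHandle(hDevice);
                return 0;
        }

        /* Walk the whole snapshot; only our own threads are sent down. */
        do
        {
                if (entry.th32OwnerProcessID == ownPid)
                {
                        printf("THREAD ID = 0x%08X\n", entry.th32ThreadID);
                        DWORD bytesReturned = 0;
                        BOOL ok = DeviceIoControl(hDevice, IOCTL_PROTECT_CONTROL,
                                                  &entry.th32ThreadID, sizeof(entry.th32ThreadID),
                                                  NULL, 0, &bytesReturned, NULL);
                        if (!ok)
                                printf("Error Code is %d", GetLastError());
                }
        } while (Thread32Next(hSnapshot, &entry));

        CloseHandle(hSnapshot);
        CloseHandle(hDevice);
        /* Keep the process alive; otherwise it exits right after loading. */
        getch();
        return 0;
}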
//RING3 END
2008-7-9 17:32:25
Re:[分享]《打造IceSword也杀不掉的进程》代码还原
貌似没人跟贴,那就自己鼓励下吧!顺便提下,这种方法防杀还是有点过分,至少得可以还原进程守护(本文用的是修改标志位,比HOOK难些).改改程序可能行:
1.驱动中添加一句话返回原来的标字到Ring3存起来,与原来线程归个类.
2.然后再不想保护的时候,根据现在线程情况(对应的标字)在输入修改过的传入驱动还原标字.
3.因为线程会变,只能还原你曾改过的,但是其他就不好说了,这就是即使我修改了程序,也不是每次都成.改的代码就不在这里献丑了
2008-7-10 11:01:32
Re:[分享]《打造IceSword也杀不掉的进程》代码还原
普通用户中的牛人啊!呵呵!共同进步
2008-7-12 10:20:29
Re:[分享]《打造IceSword也杀不掉的进程》代码还原
好东西啊 谢谢
2008-7-20 13:56:09
Re:[分享]《打造IceSword也杀不掉的进程》代码还原
好东西,谢谢分享
2008-7-20 15:22:16
Re:[分享]《打造IceSword也杀不掉的进程》代码还原
高手高手高高手
2008-7-20 17:00:54
Re:[分享]《打造IceSword也杀不掉的进程》代码还原
俺也要学习语言,呵呵 黑方的杂志真不错呀
2008-7-21 12:02:03
Re:[分享]《打造IceSword也杀不掉的进程》代码还原
嘿嘿 static ULONG Offset = 0;
我就是来盯这句的。
杂志上用的NULL 那是编译通不过的。。。
2008-7-21 15:47:53
Re:[分享]《打造IceSword也杀不掉的进程》代码还原
高手呀,给我们指明了 一条道路,支持中
2008-7-24 17:30:24
Re:[分享]《打造IceSword也杀不掉的进程》代码还原
niubility
2008-7-27 13:30:32