看了各位大大的驱动，我也尝试了一下。蓝屏ing，帮忙看一下。谢谢了！！

#include <ntddk.h>

VOID Hook();
VOID Unhook();
NTSTATUS __stdcall MyNtOpenProcess(
        PHANDLE ProcessHandle,
               ACCESS_MASK DesiredAccess,
               POBJECT_ATTRIBUTES ObjectAttributes,
               PCLIENT_ID ClientId) ;
VOID  DriverUnload(PDRIVER_OBJECT driver);         
NTSTATUS DriverEntry(PDRIVER_OBJECT driver,PUNICODE_STRING reg_path);       

typedef struct _SERVICE_DESCRIPTOR_TABLE
{
  PVOID   ServiceTableBase;
  PULONG  ServiceCounterTableBase;
  ULONG   NumberOfService;
  PULONG   ParamTableBase;
}ServiceDescriptorTable,*PServiceDescriptorTable;
ULONG OpenProcessAddress;
ULONG JmpOpenProcessAddress;
extern PServiceDescriptorTable  KeServiceDescriptorTable;

__declspec(naked) NTSTATUS __stdcall MyNtOpenProcess(
               PHANDLE ProcessHandle,
               ACCESS_MASK DesiredAccess,
               POBJECT_ATTRIBUTES ObjectAttributes,
               PCLIENT_ID ClientId)
{
  DbgPrint("NtOpenProcess() called");
  __asm{
    push    0c4h      
    push    804f52d8h
    jmp     JmpOpenProcessAddress   
  }
}

VOID Hook()
{
  ULONG  Address,JmpOpenProcessAddress;
  Address = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x7a * 4;     
  DbgPrint("TableOpenProcessAddress:0x%08X\r\n",Address);
  OpenProcessAddress = *(ULONG*)Address;//保存原来NtOpenProcess的地址
DbgPrint("OpenProcessAddress:0x%08X\r\n",OpenProcessAddress);
  DbgPrint("FunMyNtOpenProcess:0x%08X\r\n",MyNtOpenProcess);
  JmpOpenProcessAddress = (ULONG)OpenProcessAddress + 10;
  DbgPrint("JmpOpenProcessAddress:0x%08X\r\n",JmpOpenProcessAddress);   
  __asm{
    cli
    mov  eax,cr0
    and  eax,not 10000h
    mov  cr0,eax
  }
  *(ULONG*)Address = (ULONG)MyNtOpenProcess;//这句注释掉就不会蓝屏
  __asm{
    mov  eax,cr0
    or   eax,10000h
    mov  cr0,eax
    sti
  }
}

VOID Unhook()
{
  ULONG  Address;
  Address = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x7a * 4;
  __asm{
    cli
          mov  eax,cr0
    and  eax,not 10000h
    mov  cr0,eax
  }

  *((ULONG*)Address) = (ULONG)OpenProcessAddress;//还原SSDT

  __asm{  
         mov  eax,cr0
    or   eax,10000h
    mov  cr0,eax
    sti
  }
  DbgPrint("Unhook");
}

VOID  DriverUnload(PDRIVER_OBJECT driver)
{
        DbgPrint("My driver is unloading.....\r\n");
//        Unhook();
}
NTSTATUS DriverEntry(PDRIVER_OBJECT driver,PUNICODE_STRING reg_path)
{
        DbgPrint("My driver is loading.....\r\n");
        driver->DriverUnload = DriverUnload;
        Hook();
        return STATUS_SUCCESS;
}

运行环境是虚拟机winXP SP3
下面是驱动的输出信息：
My driver is loading.....        
TableOpenProcessAddress:0x804E5A88        
OpenProcessAddress:0x8058270A        
FunMyNtOpenProcess:0xF8C5A317        
JmpOpenProcessAddress:0x80582714        
My driver is unloading.....
下面是WinDbg的信息:
lkd> dd KeServiceDescriptorTable
80563520  804e58a0 00000000 0000011c 805120bc
80563530  00000000 00000000 00000000 00000000
80563540  00000000 00000000 00000000 00000000
80563550  00000000 00000000 00000000 00000000
80563560  00000002 00002710 bf80c0b6 00000000
80563570  f8a25a80 f82cfb60 81e140f0 807120c0
80563580  02566e3e 00000000 02566e3e 00000000
80563590  75d367fe 01ca8edc 00000000 00000000
lkd> dd 804e58a0+7a*4
804e5a88  8058270a 80578308 8057825f 8057b8b5
804e5a98  805e81ca 8058b039 805e2939 80574dcb
804e5aa8  80574cc8 80651133 80597c5d 805a53a4
804e5ab8  80597f58 805d98c7 805ce91a 80582891
804e5ac8  805ab4aa 8057d6d3 80650bbb 80650bbb
804e5ad8  804fbb69 805700d0 8058a485 80582e69
804e5ae8  80590a6a 806222f8 8058ae20 80585f1f
804e5af8  805ab812 8057f690 8058ced4 8062c09d
lkd> u 8058270a
ntkrnlmp!NtOpenProcess:
8058270a 68c4000000       push    0xc4
8058270f 68d8524f80       push    0x804f52d8
80582714 e85a17f6ff       call    ntkrnlmp!CIsqrt+0x2d7 (804e3e73)
80582719 33f6             xor     esi,esi
8058271b 8975d4           mov     [ebp-0x2c],esi
8058271e 33c0             xor     eax,eax
80582720 8d7dd8           lea     edi,[ebp-0x28]
80582723 ab               stosd

各位大大帮忙抽出宝贵的时间看一下吧。刚学驱动受打击了。。。检查代码感觉没问题呀。

[课程]Android-CTF解题方法汇总！