I read this post:
http://bbs.pediy.com/showthread.php?t=126802
Using his code as a reference, I have basically finished writing all the code; the only part that still has a problem is the DebugPort zeroing.
// First take out the monitoring function
while (1)
{
    if ((*(pd-1) == 0xcc) && (*(pd-2) == 0xcc))
    {
        KdPrint(("pd首地址:%0X \n",(ULONG)pd));
        WPOFF();                        // clear CR0 write protection
        // raise the IRQL
        Irql=KeRaiseIrqlToDpcLevel();
        // write
        RtlCopyMemory(pd,C390,2);
        // restore the IRQL
        KeLowerIrql(Irql);
        WPON();                         // restore CR0
        break;
    }
    pd--;
}
That is the code from that post.
Following his approach, I used module enumeration plus an offset to find the place where it zeroes the DebugPort.
I also referred to this post:
http://bbs.pediy.com/showthread.php?t=127246&highlight=debugport+%E7%AE%80%E5%8D%95+%E5%8D%95%E5%88%86+%E5%88%86%E6%9E%90+%E6%9E%90%E6%9F%90+%E6%9F%90%E6%B8%B8+%E6%B8%B8%E6%88%8F+%E6%B8%85%E9%9B%B6+%E9%9B%B6
I disassembled it with IDA and compared the code; it is exactly the same.
BYTE* TX_TesSafeBase_2638;
BYTE* TX_TesSafeBase_4F2C;
DWORD TX_TesSafeBase_41E0;  // head of the function that does the zeroing
BYTE* TX_TesSafeBase_379E;
KIRQL Irql;
BYTE C390[2] = {0xc3,0x90};

KdPrint(("TX_TesSafeBase:%0X \n",TX_TesSafeBase));
TX_TesSafeBase_41E0=TX_TesSafeBase+0x41E0;
KdPrint(("TX_TesSafeBase_41E0:%0X \n",(ULONG)TX_TesSafeBase_41E0));
WPOFF();                    // clear CR0 write protection
Irql=KeRaiseIrqlToDpcLevel();
// write
RtlCopyMemory((BYTE*)TX_TesSafeBase_41E0,C390,2);   // take out the monitor
KeLowerIrql(Irql);
WPON();                     // restore CR0
//----------------------------------------------------
TX_TesSafeBase_2638=(BYTE*)TX_TesSafeBase+0x2638;
KdPrint(("TX_TesSafeBase_2638:%0X \n",TX_TesSafeBase_2638));
WPOFF();                    // clear CR0 write protection
Irql=KeRaiseIrqlToDpcLevel();
// write
RtlCopyMemory((BYTE*)TX_TesSafeBase_2638,C390,2);   // take out the 1st zeroing section
KeLowerIrql(Irql);
WPON();                     // restore CR0
//----------------------------------------------------
TX_TesSafeBase_4F2C=(BYTE*)TX_TesSafeBase+0x4F2C;
KdPrint(("TX_TesSafeBase_4F2C:%0X \n",TX_TesSafeBase_4F2C));
WPOFF();                    // clear CR0 write protection
Irql=KeRaiseIrqlToDpcLevel();
// write
RtlCopyMemory((BYTE*)TX_TesSafeBase_4F2C,C390,2);   // take out the 2nd zeroing section
KeLowerIrql(Irql);
WPON();                     // restore CR0
With that the code should basically be complete, right? But when I open OD and attach, it is still completely blank, and after a while it still gets detected and shows the "abnormal game environment" prompt. Could some expert take a look? I have been working on this for over 10 days.