在网上找了个代码,是hook openprocess的驱动,在xp+sp3下用debug view查看,发现没有输出OpenProcess,请大家帮忙看一下为什么啊
; MASM (Intel syntax), 32-bit flat model, stdcall default.
; Kernel-mode driver that redirects one SSDT slot (hard-coded index 07ah,
; commented below as NtOpenProcess) to hookproc and logs each call via DbgPrint.
; NOTE(review): the include/lib paths are absolute and machine-specific
; (E:\RadASM\...), so the file only builds on the author's layout.
.386
.model flat, stdcall
option casemap:none
include E:\RadASM\masm32\include\w2k\ntstatus.inc
include E:\RadASM\masm32\include\w2k\ntddk.inc
include E:\RadASM\masm32\include\w2k\ntoskrnl.inc
include E:\RadASM\masm32\include\w2k\w2kundoc.inc
includelib E:\RadASM\masm32\lib\w2k\ntoskrnl.lib
include E:\RadASM\masm32\Macros\Strings.mac
.data
realaddr dd 0                           ; original SSDT entry saved by DriverEntry; hookproc jumps here
CR0Reg dd 0                             ; scratch copy of CR0 taken in DriverEntry / DriverUnload
Messaga1 db "OpenProcess",0             ; printed by hookproc on every intercepted call
Messaga2 db "Driver loaded", 0          ; printed once from DriverEntry
.code
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
; Prints "Driver loaded", saves the SSDT entry at index 07ah into realaddr,
; overwrites that slot with hookproc, and registers DriverUnload.
; Returns STATUS_SUCCESS; all other registers are preserved by pushad/popad.
; NOTE(review): the service index is hard-coded; SSDT numbering differs
; between Windows builds, so 07ah is only NtOpenProcess on the build the
; author had in mind -- verify for the target system.
;-----------------------------------------------------------------------
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local pDeviceObject:PVOID               ; declared but never used
pushad
invoke DbgPrint, addr Messaga2
mov edi, KeServiceDescriptorTable       ; edi = address of the descriptor table export
mov edi, [edi]                          ; edi = its first dword (presumably the service table base -- confirm against w2kundoc.inc)
mov eax, [edi+(07ah*4)] ;edi+07ah*4 - NtOpenProcess
mov realaddr, eax                       ; keep the original entry so hookproc can chain to it
cli                                     ; masks interrupts on this processor only
mov eax, CR0
mov CR0Reg, eax                         ; save CR0 so it can be restored after the write
and eax, -1                             ; BUG: AND with all-ones changes nothing -- CR0 is written back
                                        ; unchanged, so whatever bit this was meant to clear is still set
mov cr0, eax
mov [edi+(07ah*4)], dword ptr offset hookproc   ; install the hook in the table slot
mov eax, CR0Reg
mov CR0, eax                            ; restore the saved CR0 value
sti
mov eax, pDriverObject
assume eax:PTR DRIVER_OBJECT
mov [eax].DriverUnload, offset DriverUnload     ; so the slot is restored when the driver unloads
assume eax:nothing
popad
mov eax, STATUS_SUCCESS
ret
DriverEntry endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::
;-----------------------------------------------------------------------
; VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
; Writes the entry saved in realaddr back into SSDT slot 07ah, mirroring
; the CR0 save/restore sequence used in DriverEntry.  All registers are
; preserved by pushad/popad; pDriverObject is not used.
; NOTE(review): same defect as DriverEntry -- `and eax, -1` is a no-op,
; so CR0 is restored unchanged around the write.
;-----------------------------------------------------------------------
DriverUnload proc pDriverObject:PDRIVER_OBJECT
pushad
mov edi, KeServiceDescriptorTable       ; edi = address of the descriptor table export
mov edi, [edi]                          ; edi = its first dword (same table base as in DriverEntry)
cli                                     ; masks interrupts on this processor only
mov eax, CR0
mov CR0Reg, eax                         ; save CR0 for restoration below
and eax, -1                             ; BUG: AND with all-ones changes nothing (see DriverEntry)
mov cr0, eax
mov eax, dword ptr realaddr             ; original entry captured at load time
mov [edi+(07ah*4)], eax                 ; put it back into the slot
mov eax, CR0Reg
mov CR0, eax                            ; restore the saved CR0 value
sti
popad
ret
DriverUnload endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;-----------------------------------------------------------------------
; hookproc -- replacement installed into the SSDT slot by DriverEntry.
; Prints "OpenProcess" via DbgPrint, then tail-jumps to the saved original
; entry in realaddr.  The proc declares no parameters or locals, so the
; caller's arguments remain in place on the stack for the original routine
; (assumes MASM emits no prologue for a parameterless proc -- confirm by
; disassembly).  The invoke does not preserve eax/ecx/edx before the jump.
;-----------------------------------------------------------------------
hookproc proc
invoke DbgPrint, addr Messaga1
jmp dword ptr realaddr                  ; tail call: the original routine's ret returns to the caller
;ret                                    ; unreachable after the jmp
hookproc endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
end DriverEntry                         ; DriverEntry is the image entry point
不胜感激。