原理：

1. 将进程的所有线程的线程CrossThreadFlags标志位设置成Terminated或者System.

效果：任务管理器，WSYSCheck，ICESWORD无法结束进程。。

但PCHunter 可以结束受保护的进程。但PCHunter无法用普通方法结束受保护的线程，必须使用强制结束线程才可结束线程。。

代码：

VOID SetThreadFlagToTerminatedByThreadID(ULONG dwThreadID)

{

	ULONG ulFlagOffset;

	NTSTATUS status = STATUS_UNSUCCESSFUL;

	PULONG pFlag;

	PETHREAD eThead;

	HANDLE threadHandle;

	__try{

		threadHandle = (HANDLE)dwThreadID;

		ulFlagOffset = GetCrossThreadFlagOffset();

		//dprintf("[ProtectProcess]GetCrossThreadFlagOffset: 0X%08X\r\n", ulFlagOffset);

		status = PsLookupThreadByThreadId(threadHandle, &eThead);

		if(!NT_SUCCESS(status))

		{

			dprintf("PsLookupThreadByThreadId ERRORid:0X%08X, TID: 0X%08X\r\n", status, dwThreadID);

			return status;

		}

		//dprintf("ETHREAD:0X%08X\n", eThead);

		pFlag = (ULONG*)((PUCHAR)eThead + ulFlagOffset);

		//dprintf("ulFlag address:0X%08X value:0x%08X\n", pFlag, *pFlag);

		*pFlag |= PS_CROSS_THREAD_FLAGS_TERMINATED;

		dprintf("new ulFlag address:0X%08X value:0x%08X\n", pFlag, *pFlag);

	}__except(EXCEPTION_EXECUTE_HANDLER)

	{

		dprintf("EXCEPTION ON set thread cross flags!");

		return status;

	}

}

ring3程序与ring0程序下载地址：

http://download.csdn.net/detail/xiaocaiju/8192897

jpg改rar