[Original] A new way to reload the kernel that avoids the blue screen caused by SEH (without hooking the linked list)
On XP SP3:
Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055e720
lkd> u NtReadVirtualMemory
nt!NtReadVirtualMemory:
805b528a 6a1c push 1Ch
805b528c 68e8ae4d80 push offset nt!MmClaimParameterAdjustDownTime+0x90 (804daee8)
805b5291 e8ea78f8ff call nt!_SEH_prolog (8053cb80)
805b5296 64a124010000 mov eax,dword ptr fs:[00000124h]
805b529c 8bf8 mov edi,eax
805b529e 8a8740010000 mov al,byte ptr [edi+140h]
805b52a4 8845e0 mov byte ptr [ebp-20h],al
805b52a7 8b7514 mov esi,dword ptr [ebp+14h]
lkd> u A43FF000+805b528a-804d8000
a44dc28a ?? ???
^ Memory access error in 'u A43FF000+805b528a-804d8000 '
A43FF000 is the base address of the newly loaded driver.
Why?
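An added example, not the poster's code: the step a reloaded kernel copy has to go through before any address inside it means anything, namely applying the PE .reloc fixups to the copy. It uses the numbers from the post (kernel base 804d8000, NtReadVirtualMemory at 805b528a) and the `push offset ... (804daee8)` from the disassembly: those instruction bytes are placed at their real RVA in a constructed buffer and relocated to A43FF000 as the new base. The image size, the use of A43FF000 as the copy's base, and the single hand-built relocation block are assumptions for the demo; a real reloader would read the .reloc section through IMAGE_DIRECTORY_ENTRY_BASERELOC of the copied headers. The `push offset` operand is a 32-bit immediate, exactly the kind of absolute address a HIGHLOW entry fixes up.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* PE base-relocation format, using the winnt.h names so the code maps onto
 * the real headers; defined here so it builds without the Windows SDK. */
#define IMAGE_REL_BASED_ABSOLUTE 0   /* padding entry, no fixup */
#define IMAGE_REL_BASED_HIGHLOW  3   /* add the full 32-bit delta (x86) */

typedef struct {
    uint32_t VirtualAddress;   /* RVA of the 4 KiB page this block covers */
    uint32_t SizeOfBlock;      /* header plus uint16_t entries, in bytes */
} IMAGE_BASE_RELOCATION;

/* Values taken from the post: original kernel base, NtReadVirtualMemory, the
 * operand of its `push offset` (804daee8), and the base the poster tried
 * (A43FF000). IMAGE_SIZE is an assumption, just large enough for RVA 0xDD28D. */
#define ORIG_BASE  0x804d8000u
#define NEW_BASE   0xA43FF000u
#define FUNC_VA    0x805b528au
#define SCOPE_VA   0x804daee8u
#define IMAGE_SIZE 0xE0000u

/* A copy keeps every RVA; only the base changes. */
uint32_t relocate_va(uint32_t va, uint32_t orig_base, uint32_t new_base)
{
    return va - orig_base + new_base;
}

/* Walk the .reloc blocks and patch every HIGHLOW entry in the copy by delta.
 * Returns the number of fixups applied, or -1 on a malformed block. */
int apply_relocations(uint8_t *image, size_t image_size,
                      const uint8_t *relocs, size_t relocs_size, uint32_t delta)
{
    int applied = 0;
    size_t pos = 0;
    while (pos + sizeof(IMAGE_BASE_RELOCATION) <= relocs_size) {
        IMAGE_BASE_RELOCATION hdr;
        memcpy(&hdr, relocs + pos, sizeof hdr);
        if (hdr.SizeOfBlock < sizeof hdr || hdr.SizeOfBlock > relocs_size - pos)
            return -1;                                   /* block overruns the section */
        size_t nentries = (hdr.SizeOfBlock - sizeof hdr) / 2;
        const uint8_t *entries = relocs + pos + sizeof hdr;
        for (size_t i = 0; i < nentries; i++) {
            uint16_t e;
            memcpy(&e, entries + i * 2, sizeof e);
            unsigned type = e >> 12;
            uint32_t rva = hdr.VirtualAddress + (e & 0xFFF);
            if (type == IMAGE_REL_BASED_ABSOLUTE)
                continue;                                /* alignment padding */
            if (type != IMAGE_REL_BASED_HIGHLOW || rva > image_size - 4)
                return -1;                               /* unsupported type or outside the image */
            uint32_t v;
            memcpy(&v, image + rva, sizeof v);
            v += delta;
            memcpy(image + rva, &v, sizeof v);
            applied++;
        }
        pos += hdr.SizeOfBlock;
    }
    return applied;
}

/* Constructed image: the first two instructions of NtReadVirtualMemory from
 * the post (push 1Ch; push offset 804daee8) at their real RVA, plus a
 * one-entry .reloc block covering the 32-bit immediate of the push.
 * Returns that immediate as it reads after relocation to NEW_BASE. */
uint32_t demo_relocated_push_operand(void)
{
    uint8_t *image = calloc(IMAGE_SIZE, 1);
    if (!image) return 0;
    static const uint8_t code[] = { 0x6a, 0x1c, 0x68, 0xe8, 0xae, 0x4d, 0x80 };
    uint32_t code_rva = FUNC_VA - ORIG_BASE;             /* 0xDD28A */
    memcpy(image + code_rva, code, sizeof code);

    uint8_t relocs[12];
    IMAGE_BASE_RELOCATION hdr = { code_rva & ~0xFFFu, sizeof relocs };
    memcpy(relocs, &hdr, sizeof hdr);
    uint16_t fixup = (IMAGE_REL_BASED_HIGHLOW << 12) | ((code_rva + 3) & 0xFFF);
    uint16_t pad = 0;                                    /* ABSOLUTE entry, keeps the block 4-byte aligned */
    memcpy(relocs + 8, &fixup, sizeof fixup);
    memcpy(relocs + 10, &pad, sizeof pad);

    uint32_t result = 0;
    if (apply_relocations(image, IMAGE_SIZE, relocs, sizeof relocs, NEW_BASE - ORIG_BASE) == 1)
        memcpy(&result, image + code_rva + 3, sizeof result);
    free(image);
    return result;
}

/* A block header claiming more bytes than the section holds must be rejected,
 * not walked off the end of the buffer. */
int demo_truncated_block(void)
{
    uint8_t image[16] = { 0 };
    uint8_t relocs[8];
    IMAGE_BASE_RELOCATION hdr = { 0, 64 };
    memcpy(relocs, &hdr, sizeof hdr);
    return apply_relocations(image, sizeof image, relocs, sizeof relocs, 0x1000);
}
```

relocate_va reproduces the a44dc28a the poster typed into `u`: the same RVA at a different base, with a delta of 0x23F27000. Whether the debugger can read bytes at that address depends on what is actually mapped there, which this example does not decide; it only shows what the copied bytes must look like once the copy has been relocated, with the scope-table operand of the SEH prolog becoming A4401EE8 instead of 804daee8.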