纠结了，都没有人帮帮我，哪怕一句话提示下呀

Calls to MmProbeAndLockPages must be enclosed in a try/except block. If the pages do not support the specified operation, the routine raises the STATUS_ACCESS_VIOLATION exception. For more information, see Handling Exceptions.

不行，一样蓝屏，我已经蓝怕了

NTSTATUS WriteReadOnlyMemory(PVOID dest, PVOID source, int length)
{
        KIRQL oldirql;
        PMDL mdl;
        PVOID writableAddress;
        KSPIN_LOCK tempSpinLock;

        mdl = IoAllocateMdl((PVOID)dest, length, FALSE, FALSE, NULL);
        if (mdl == NULL) return STATUS_UNSUCCESSFUL;
        MmBuildMdlForNonPagedPool(mdl);
        _try
        {
                MmProbeAndLockPages(mdl, KernelMode, IoWriteAccess);
        }
        __except(STATUS_ACCESS_VIOLATION)
        {
                IoFreeMdl(mdl);
                return STATUS_UNSUCCESSFUL;
        }
        writableAddress = MmMapLockedPages(mdl, KernelMode);
        if (writableAddress == NULL)
        {
                MmUnlockPages(mdl);
                IoFreeMdl(mdl);
                return STATUS_UNSUCCESSFUL;
        }
        KeInitializeSpinLock(&tempSpinLock);
        KeAcquireSpinLock(&tempSpinLock, &oldirql);
        if ( MmIsAddressValid(writableAddress) ) RtlCopyMemory(writableAddress, source, length);
        KeReleaseSpinLock(&tempSpinLock, oldirql);
        MmUnmapLockedPages(writableAddress, mdl);
        MmUnlockPages(mdl);
        IoFreeMdl(mdl);

        return STATUS_SUCCESS;
}

老说蓝蓝蓝，分析dump啊……

你自己仔细看下 指针 变量的操作  就会明白怎么回事了

我本机蓝屏，dump从来没试过，我去查下资料了，谢谢提醒

玩驱动不知道调试，蓝屏不知道dump，无语……

我一般都是根据代码的调整来判断错误的地方
没有分析dump文件，各位见笑了
继续ING

汗一个
其实分析dump没那么难，最简单的：把dump文件拖到windbg里，然后xxxx命令，看到的结果就应该能给你个思路了，比如那个错误代码

另外，那个命令都不用输入，直接点击一下就OK了

DUMP文件用windbg分析结果

Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.100216-1514
Machine Name:
Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055e720
Debug session time: Tue Jun 22 15:10:20.718 2010 (GMT+8)
System Uptime: 0 days 0:02:58.421
Loading Kernel Symbols
...............................................................
.......................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd500c).  Type ".hh dbgerr001" for details
Loading unloaded module list
................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {f633e8b2, 1c, 0, 804f9a2a}

Page 10866 not present in the dump file. Type ".hh dbgerr004" for details
Page 10866 not present in the dump file. Type ".hh dbgerr004" for details
Page 10866 not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffd500c).  Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd500c).  Type ".hh dbgerr001" for details
Probably caused by : memory_corruption

Followup: memory_corruption
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: f633e8b2, memory referenced
Arg2: 0000001c, IRQL
Arg3: 00000000, bitfield :
        bit 0 : value 0 = read operation, 1 = write operation
        bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 804f9a2a, address which referenced memory

Debugging Details:
------------------

Page 10866 not present in the dump file. Type ".hh dbgerr004" for details
Page 10866 not present in the dump file. Type ".hh dbgerr004" for details
Page 10866 not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffd500c).  Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd500c).  Type ".hh dbgerr001" for details

READ_ADDRESS:  f633e8b2 Paged pool

CURRENT_IRQL:  1c

FAULTING_IP:
nt!KiAttachProcess+22
804f9a2a 1b8d463c8940    sbb     ecx,dword ptr [ebp+40893C46h]

DEFAULT_BUCKET_ID:  CODE_CORRUPTION

BUGCHECK_STR:  0xA

PROCESS_NAME:  App.exe

TRAP_FRAME:  b5aaabf4 -- (.trap 0xffffffffb5aaabf4)
ErrCode = 00000000
eax=88959a7c ebx=88a61990 ecx=80554882 edx=00000000 esi=88959930 edi=88a61990
eip=804f9a2a esp=b5aaac68 ebp=b5aaac6c iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
nt!KiAttachProcess+0x22:
804f9a2a 1b8d463c8940    sbb     ecx,dword ptr [ebp+40893C46h] ss:0010:f633e8b2=????????
Resetting default scope

MISALIGNED_IP:
nt!KiAttachProcess+22
804f9a2a 1b8d463c8940    sbb     ecx,dword ptr [ebp+40893C46h]

LAST_CONTROL_TRANSFER:  from 804f9a2a to 80545718

STACK_TEXT:  
b5aaabf4 804f9a2a badb0d00 00000000 b5aaac7c nt!KiTrap0E+0x238
b5aaac6c 804f9b78 88959930 88a61990 88a61900 nt!KiAttachProcess+0x22
b5aaac8c bf83ca3b 88a61900 bf8f8bc0 b5aaacb4 nt!KeAttachProcess+0x46
b5aaac9c bf8f8b55 b5aaace0 00000000 00000000 win32k!ATTACHOBJ::ATTACHOBJ+0x26
b5aaacb4 bf8f8b0e e1562730 00000001 322f534f win32k!PDEVOBJ::QueryTrueTypeTable+0x25
b5aaace4 bf8f8a85 e24596c8 322f534f 0000003e win32k!ulGetFontData2+0x5d
b5aaad04 bf8f89fb e180e008 322f534f 0000003e win32k!ulGetFontData+0x48
b5aaad48 8054263c 01010058 322f534f 0000003e win32k!NtGdiGetFontData+0x4d
b5aaad48 7c92e514 01010058 322f534f 0000003e nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012f364 00000000 00000000 00000000 00000000 0x7c92e514

STACK_COMMAND:  kb

CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
    804f9a08-804f9a09  2 bytes - nt!KiAttachProcess
        [ 8b ff:90 90 ]
    804f9a0e-804f9a10  3 bytes - nt!KiAttachProcess+6 (+0x06)
        [ 56 8b 75:8b 5d 0c ]
    80505754-80505757  4 bytes - nt!KiServiceTable+2e8 (+0xbd46)
        [ 6e 52 5b 80:40 94 44 ba ]
    805058c0-805058c3  4 bytes - nt!KiServiceTable+454 (+0x16c)
        [ 78 53 5b 80:a0 94 44 ba ]
13 errors : !nt (804f9a08-805058c3)

MODULE_NAME: memory_corruption

IMAGE_NAME:  memory_corruption

FOLLOWUP_NAME:  memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MEMORY_CORRUPTOR:  LARGE

FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_LARGE

BUCKET_ID:  MEMORY_CORRUPTION_LARGE

Followup: memory_corruption
---------

0: kd> uf nt!KiAttachProcess
nt!KiAttachProcess:
804f9a08 90              nop
804f9a09 90              nop
804f9a0a 55              push    ebp
804f9a0b 8bec            mov     ebp,esp
804f9a0d 53              push    ebx
804f9a0e 8b5d0c          mov     ebx,dword ptr [ebp+0Ch]
804f9a11 0857ff          or      byte ptr [edi-1],dl
804f9a14 7514            jne     nt!KiAttachProcess+0x22 (804f9a2a)

nt!KiAttachProcess+0xe:
804f9a16 8b7d0c          mov     edi,dword ptr [ebp+0Ch]
804f9a19 66ff4760        inc     word ptr [edi+60h]
804f9a1d 8d5e34          lea     ebx,[esi+34h]
804f9a20 53              push    ebx
804f9a21 e85afbffff      call    nt!KiMoveApcState (804f9580)
804f9a26 895b04          mov     dword ptr [ebx+4],ebx
804f9a29 891b            mov     dword ptr [ebx],ebx

nt!KiAttachProcess+0x22:
804f9a2a 1b8d463c8940    sbb     ecx,dword ptr [ebp+40893C46h]

nt!KiAttachProcess+0x23:
804f9a2b 8d463c          lea     eax,[esi+3Ch]
804f9a2e 894004          mov     dword ptr [eax+4],eax
804f9a31 8900            mov     dword ptr [eax],eax
804f9a33 8d864c010000    lea     eax,[esi+14Ch]
804f9a39 394514          cmp     dword ptr [ebp+14h],eax
804f9a3c 897e44          mov     dword ptr [esi+44h],edi

nt!KiAttachProcess+0x37:
804f9a3f c6464800        mov     byte ptr [esi+48h],0
804f9a43 c6464900        mov     byte ptr [esi+49h],0
804f9a47 c6464a00        mov     byte ptr [esi+4Ah],0
804f9a4b 7513            jne     nt!KiAttachProcess+0x58 (804f9a60)

nt!KiAttachProcess+0x45:
804f9a4d 898638010000    mov     dword ptr [esi+138h],eax
804f9a53 899e3c010000    mov     dword ptr [esi+13Ch],ebx
804f9a59 c6866501000001  mov     byte ptr [esi+165h],1

nt!KiAttachProcess+0x58:
804f9a60 807f6500        cmp     byte ptr [edi+65h],0
804f9a64 753d            jne     nt!KiAttachProcess+0x9b (804f9aa3)

nt!KiAttachProcess+0x5e:
804f9a66 8d7740          lea     esi,[edi+40h]
804f9a69 eb19            jmp     nt!KiAttachProcess+0x7c (804f9a84)

nt!KiAttachProcess+0x7b:
804f9a83 008b063bc675    add     byte ptr [ebx+75C63B06h],cl

nt!KiAttachProcess+0x7c:
804f9a84 8b06            mov     eax,dword ptr [esi]
804f9a86 3bc6            cmp     eax,esi
804f9a88 75e1            jne     nt!KiAttachProcess+0x63 (804f9a6b)
804f9a8a 8b4514          mov     eax,dword ptr [ebp+14h]

nt!KiAttachProcess+0x83:
804f9a8b 45              inc     ebp
804f9a8c 14ff            adc     al,0FFh
804f9a8e 7010            jo      nt!KiAttachProcess+0x98 (804f9aa0)

nt!KiAttachProcess+0x88:
804f9a90 57              push    edi
804f9a91 e83ad20400      call    nt!KiSwapProcess (80546cd0)
804f9a96 8a4d10          mov     cl,byte ptr [ebp+10h]
804f9a99 e83ace0400      call    nt!KiUnlockDispatcherDatabase (805468d8)
804f9a9e e982000000      jmp     nt!KiAttachProcess+0x11d (804f9b25)

nt!KiAttachProcess+0x98:
804f9aa0 0000            add     byte ptr [eax],al
804f9aa2 00c6            add     dh,al

nt!KiAttachProcess+0x9b:
804f9aa3 c6462d01        mov     byte ptr [esi+2Dh],1
804f9aa7 c6862901000001  mov     byte ptr [esi+129h],1
804f9aae 8d4f40          lea     ecx,[edi+40h]
804f9ab1 8b5104          mov     edx,dword ptr [ecx+4]
804f9ab4 8d4660          lea     eax,[esi+60h]
804f9ab7 8908            mov     dword ptr [eax],ecx
804f9ab9 895004          mov     dword ptr [eax+4],edx
804f9abc 8902            mov     dword ptr [edx],eax
804f9abe 894104          mov     dword ptr [ecx+4],eax
804f9ac1 807f6501        cmp     byte ptr [edi+65h],1
804f9ac5 7526            jne     nt!KiAttachProcess+0xe5 (804f9aed)

nt!KiAttachProcess+0xbf:
804f9ac7 c6476502        mov     byte ptr [edi+65h],2
804f9acb a100d55580      mov     eax,dword ptr [nt!KiProcessInSwapListHead (8055d500)]
804f9ad0 8d4f48          lea     ecx,[edi+48h]

nt!KiAttachProcess+0xcb:
804f9ad3 8901            mov     dword ptr [ecx],eax
804f9ad5 89450c          mov     dword ptr [ebp+0Ch],eax
804f9ad8 8bd1            mov     edx,ecx
804f9ada bb00d55580      mov     ebx,offset nt!KiProcessInSwapListHead (8055d500)
804f9adf f00fb113        lock cmpxchg dword ptr [ebx],edx
804f9ae3 3b450c          cmp     eax,dword ptr [ebp+0Ch]
804f9ae6 75eb            jne     nt!KiAttachProcess+0xcb (804f9ad3)

nt!KiAttachProcess+0xe0:
804f9ae8 e8f1faffff      call    nt!KiSetSwapEvent (804f95de)

nt!KiAttachProcess+0xe5:
804f9aed 33c9            xor     ecx,ecx
804f9aef 41              inc     ecx
804f9af0 ff1588904d80    call    dword ptr [nt!_imp_KeAcquireQueuedSpinLockRaiseToSynch (804d9088)]
804f9af6 8ad0            mov     dl,al
804f9af8 64a120000000    mov     eax,dword ptr fs:[00000020h]
804f9afe 8b4814          mov     ecx,dword ptr [eax+14h]
804f9b01 8b4514          mov     eax,dword ptr [ebp+14h]
804f9b04 8b4010          mov     eax,dword ptr [eax+10h]
804f9b07 8bd9            mov     ebx,ecx
804f9b09 f7d3            not     ebx
804f9b0b 215834          and     dword ptr [eax+34h],ebx
804f9b0e 094f34          or      dword ptr [edi+34h],ecx
804f9b11 33c9            xor     ecx,ecx
804f9b13 41              inc     ecx
804f9b14 ff1530914d80    call    dword ptr [nt!_imp_KeReleaseQueuedSpinLock (804d9130)]
804f9b1a 8a4510          mov     al,byte ptr [ebp+10h]
804f9b1d 884658          mov     byte ptr [esi+58h],al
804f9b20 e8a1ac0000      call    nt!KiSwapThread (805047c6)

nt!KiAttachProcess+0x11d:
804f9b25 5f              pop     edi
804f9b26 5e              pop     esi
804f9b27 5b              pop     ebx
804f9b28 5d              pop     ebp
804f9b29 c21000          ret     10h
====================================================
KiAttachProcess的代码和我虚拟机的代码不一样，一样的XPSP3系统啊？
前两个NOP是我故意填充的，原来是mov edi,edi，这个应该没影响
错误在804f9a2a 1b8d463c8940    sbb     ecx,dword ptr [ebp+40893C46h] ss:0010:f633e8b2=????????
是一个jne跳转过来的，咋代码不一样呢？纠结ING
望大牛们指点

你自己写代码过去，注意了代码的长度吗？你写入的代码长度最好覆盖原代码的几条指令的长度和，不要中间截断某个指令，否则后面的代码就全错了。
你的原意是要恢复这个钩子，分析这个保护Hook了多少字节，然后恢复相应字节即可，最好不要自己随便加东西。

问题解决，我不自己编码了，memcpy读取出来，再修改头两个字节数据为NOP，再写回去，就没问题了
谢谢各位好心人的帮助~~~Thanks