[Old post] [Help] KeInsertQueueApc blue screen on Win7
Posted: 2011-4-5 12:23  1937

I want to launch a ring3 program from ring0 by inserting an APC. Under XP the program runs correctly, but under Win7 it always blue-screens. Asking the experts here for help. Thanks!

The WinDbg analysis result is as follows:
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0000000c, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
        bit 0 : value 0 = read operation, 1 = write operation
        bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 846f525b, address which referenced memory

Debugging Details:
------------------

READ_ADDRESS:  0000000c

CURRENT_IRQL:  2

FAULTING_IP:
nt!KiInsertQueueApc+6d
846f525b 8b5104          mov     edx,dword ptr [ecx+4]

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xA

PROCESS_NAME:  BCService.exe

TRAP_FRAME:  807cea54 -- (.trap 0xffffffff807cea54)
ErrCode = 00000000
eax=00000000 ebx=8c0da701 ecx=00000008 edx=00000001 esi=8c0da79c edi=8cd082f0
eip=846f525b esp=807ceac8 ebp=807ceaf4 iopl=0         nv up ei pl nz ac po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010212
nt!KiInsertQueueApc+0x6d:
846f525b 8b5104          mov     edx,dword ptr [ecx+4] ds:0023:0000000c=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 84727e71 to 846b6394

STACK_TEXT:  
807ce61c 84727e71 00000003 fec9a7ca 00000065 nt!RtlpBreakWithStatusInstruction
807ce66c 8472896d 00000003 0000000c 846f525b nt!KiBugCheckDebugBreak+0x1c
807cea34 846917eb 0000000a 0000000c 00000002 nt!KeBugCheck2+0x68b
807cea34 846f525b 0000000a 0000000c 00000002 nt!KiTrap0E+0x2cf
807ceaf4 84705943 00000000 906b5dfa 8ccfad48 nt!KiInsertQueueApc+0x6d
807ceb20 94624ba7 8cd082f0 00000000 00000000 nt!KeInsertQueueApc+0x95
807ceba4 946234a5 906b5de0 941d53d8 00ec9edd Sfilter!RunProcess+0x387 [d:\secftp\driver\sfilter_changed\process.c @ 377]
807cec0c 848bcb97 00000208 00000650 00000000 Sfilter!CSSSProcessNotifyRoutine+0x355 [d:\secftp\driver\sfilter_changed\csss.c @ 673]
807cec38 84893c37 00000001 01cfcb90 fec9ad12 nt!PspExitProcess+0xa3
807cecb4 848c8151 00000001 8aec5838 00000001 nt!PspExitThread+0x598
807ceccc 846f3123 8aec5838 807cecf8 807ced04 nt!PsExitSpecialApc+0x22
807ced1c 8468e4e4 00000001 00000000 807ced34 nt!KiDeliverApc+0x28b
807ced1c 778f64f4 00000001 00000000 807ced34 nt!KiServiceExit+0x64
0012fcd8 778f5e6c 75a8179c 000000ac 00000000 ntdll!KiFastSystemCallRet
0012fcdc 75a8179c 000000ac 00000000 00000000 ntdll!NtWaitForSingleObject+0xc
0012fd48 7667f003 000000ac ffffffff 00000000 KERNELBASE!WaitForSingleObjectEx+0x98
0012fd60 7667efb2 000000ac ffffffff 00000000 kernel32!WaitForSingleObjectExImplementation+0x75
0012fd74 779f7be6 000000ac ffffffff 5b324905 kernel32!WaitForSingleObject+0x12
0012fe18 779f8040 00314c00 000000ac 00000000 sechost!ScSendResponseReceiveControls+0xea
0012fecc 779f8553 0012fee0 7ffdf000 00000000 sechost!ScDispatcherLoop+0xc2
0012fee4 004046ee 0012fef0 0041e348 00404020 sechost!StartServiceCtrlDispatcherA+0x68
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ff88 76681174 7ffdf000 0012ffd4 7790b3f5 BCService+0x46ee
0012ff94 7790b3f5 7ffdf000 778a0655 00000000 kernel32!BaseThreadInitThunk+0xe
0012ffd4 7790b3c8 00408311 7ffdf000 00000000 ntdll!__RtlUserThreadStart+0x70
0012ffec 00000000 00408311 7ffdf000 00000000 ntdll!_RtlUserThreadStart+0x1b

STACK_COMMAND:  kb

FOLLOWUP_IP:
Sfilter!RunProcess+387 [d:\secftp\driver\sfilter_changed\process.c @ 377]
94624ba7 0fb6d0          movzx   edx,al

FAULTING_SOURCE_CODE:  
   373:                         pApcState->UserApcPending = TRUE;
   374:                 }
   375:
   376:                 //...and queue it
>  377:                 if (!KeInsertQueueApc(pApc, NULL, NULL, IO_NO_INCREMENT))
   378:                 {
   379:                         KdPrint(("SFilter:: RunProcess,KernelExec -> Failed to insert APC\r\n"));
   380:                         MmUnlockPages(pMdl);
   381:                         IoFreeMdl (pMdl);
   382:                         ExFreePool (pApc);

SYMBOL_STACK_INDEX:  6

SYMBOL_NAME:  Sfilter!RunProcess+387

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Sfilter

IMAGE_NAME:  Sfilter.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4d9a8b84

FAILURE_BUCKET_ID:  0xA_Sfilter!RunProcess+387

BUCKET_ID:  0xA_Sfilter!RunProcess+387

Followup: MachineOwner
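The `!analyze -v` output above already contains what a defender needs to triage this crash, but the pieces are scattered across the Arguments block, the trap frame and the faulting instruction. The following small C program is an added example (not code from the original thread or from the Sfilter driver): it parses the bugcheck 0xA arguments, decodes the Arg3 bitfield, reads the base register from the trap-frame line and classifies the faulting address. The embedded sample text is copied from the thread's own dump; the 64 KiB near-NULL threshold and the 0x80000000 user/kernel split (32-bit without /3GB) are assumptions stated in the code.

```c
/*
 * Added example, not from the original thread: triage helper for the
 * "Arguments:" block of a bugcheck 0xA (IRQL_NOT_LESS_OR_EQUAL) as printed
 * by WinDbg's !analyze -v. Builds with any C99 compiler, no WDK needed:
 *   cc -std=c99 -Wall bugcheck_triage.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The four arguments of bugcheck 0xA, decoded. */
typedef struct {
    unsigned long addr;     /* Arg1: memory referenced */
    unsigned long irql;     /* Arg2: IRQL at the time of the fault */
    unsigned long bitfield; /* Arg3: bit 0 = write, bit 3 = execute */
    unsigned long ip;       /* Arg4: address of the faulting instruction */
    int found;              /* how many of the four arguments were parsed */
} bugcheck_a_t;

enum fault_class {
    FAULT_NEAR_NULL,    /* below 64 KiB (assumed null page): a bogus pointer, not paging */
    FAULT_USER_RANGE,   /* below 0x80000000 (assumed 32-bit split): user-mode address */
    FAULT_KERNEL_RANGE  /* kernel range: may be paged pool touched at >= DISPATCH_LEVEL */
};

/* Sample input constructed from the thread's own dump text. */
static const char SAMPLE_DUMP[] =
    "Arguments:\n"
    "Arg1: 0000000c, memory referenced\n"
    "Arg2: 00000002, IRQL\n"
    "Arg3: 00000000, bitfield :\n"
    "Arg4: 846f525b, address which referenced memory\n"
    "eax=00000000 ebx=8c0da701 ecx=00000008 edx=00000001 esi=8c0da79c edi=8cd082f0\n"
    "846f525b 8b5104          mov     edx,dword ptr [ecx+4]\n";

/* Parse lines of the form "ArgN: <hex>, <description>". Returns the number
 * of arguments found; the caller should expect exactly 4. */
int parse_bugcheck_a(const char *dump, bugcheck_a_t *out)
{
    const char *p = dump;
    memset(out, 0, sizeof(*out));
    while ((p = strstr(p, "Arg")) != NULL) {
        int n = p[3] - '0';               /* "Arguments:" gives n out of range and is skipped */
        if (n >= 1 && n <= 4 && p[4] == ':') {
            unsigned long v = strtoul(p + 5, NULL, 16); /* skips the space, stops at ',' */
            switch (n) {
            case 1: out->addr = v; break;
            case 2: out->irql = v; break;
            case 3: out->bitfield = v; break;
            case 4: out->ip = v; break;
            }
            out->found++;
        }
        p += 3;
    }
    return out->found;
}

/* Read one register from the trap-frame line, e.g. "ecx=00000008". Returns 1 on success. */
int parse_reg(const char *dump, const char *reg, unsigned long *val)
{
    char key[8];
    const char *p;
    snprintf(key, sizeof key, "%s=", reg);
    p = strstr(dump, key);
    if (p == NULL) return 0;
    *val = strtoul(p + strlen(key), NULL, 16);
    return 1;
}

int classify_address(unsigned long addr)
{
    if (addr < 0x10000UL) return FAULT_NEAR_NULL;
    if (addr < 0x80000000UL) return FAULT_USER_RANGE;
    return FAULT_KERNEL_RANGE;
}

int is_write(const bugcheck_a_t *b)   { return (b->bitfield & 1UL) != 0; }
int is_execute(const bugcheck_a_t *b) { return (b->bitfield & 8UL) != 0; }

const char *irql_name(unsigned long irql)
{
    switch (irql) {
    case 0:  return "PASSIVE_LEVEL";
    case 1:  return "APC_LEVEL";
    case 2:  return "DISPATCH_LEVEL";
    default: return "above DISPATCH_LEVEL";
    }
}

int main(void)
{
    bugcheck_a_t b;
    unsigned long ecx = 0;
    if (parse_bugcheck_a(SAMPLE_DUMP, &b) != 4) {
        fprintf(stderr, "could not parse all four bugcheck arguments\n");
        return 1;
    }
    printf("fault: %s of %#lx at IRQL %lu (%s), ip=%#lx\n",
           is_write(&b) ? "write" : (is_execute(&b) ? "execute" : "read"),
           b.addr, b.irql, irql_name(b.irql), b.ip);
    /* The instruction is "mov edx,[ecx+4]"; if the base register itself is a
     * tiny value, the structure pointer was never initialized, which is a
     * different bug from touching pageable memory at DISPATCH_LEVEL. */
    if (parse_reg(SAMPLE_DUMP, "ecx", &ecx) && classify_address(ecx) == FAULT_NEAR_NULL)
        printf("base register ecx=%#lx is a near-NULL pointer: suspect an uninitialized field\n", ecx);
    else if (classify_address(b.addr) == FAULT_KERNEL_RANGE && b.irql >= 2)
        printf("kernel address touched at >= DISPATCH_LEVEL: suspect paged pool\n");
    return 0;
}
```

Run against the thread's dump, the program reports a read of 0xc at DISPATCH_LEVEL with ecx=8, i.e. the faulting instruction dereferenced a pointer whose value is 8. That reads as an uninitialized or garbage field inside the KAPC handed to KeInsertQueueApc (for instance an APC that never went through KeInitializeApc, or a stale thread pointer), rather than a pageable allocation. Note also that KeInsertQueueApc raises to DISPATCH_LEVEL itself while it holds the APC queue lock, so Arg2 = 2 here does not by itself prove that the driver was running at DISPATCH_LEVEL when it called the API; the caller-side fix is to keep the KAPC in NonPagedPool, initialize it fully, and hold a reference on the target thread for the APC's lifetime.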

Latest replies (3)
#2
I ran into this too. How do you solve it?
2014-1-25 21:04
#3
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0000000c, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
  bit 0 : value 0 = read operation, 1 = write operation
  bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 846f525b, address which referenced memory

According to the above, the thread executing the current code was at too high an IRQL and accessed paged memory, which caused the BSOD!

OP, check how pApc is allocated. Don't allocate it from paged memory, because accessing PagedPool at DISPATCH_LEVEL crashes the system and causes a BSOD...
2014-3-7 19:06
#4
There is too little code to tell. I'll just mention what I often ran into before; it should be this line:
pApcState->UserApcPending = TRUE;
With it, sometimes it blue-screened and sometimes it didn't, so later I stopped using it.
2014-3-7 21:20