[Help] Driver blue screen: WinDBG output for the memory allocation line, please help analyze
Posted: 2012-5-14 15:30

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e2e4f010, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: b9c48649, If non-zero, the instruction address which referenced the bad memory
        address.
Arg4: 00000001, (reserved)

Debugging Details:
------------------

Could not read faulting driver name

READ_ADDRESS:  e2e4f010

FAULTING_IP:
KsBinSword!GetUndocumentFunctionAdress+f9 [f:\kb\kbsprocess.c @ 46]
b9c48649 8b510c          mov     edx,dword ptr [ecx+0Ch]

MM_INTERNAL_CODE:  1

CUSTOMER_CRASH_COUNT:  9

DEFAULT_BUCKET_ID:  COMMON_SYSTEM_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  KsBinSword.exe

LAST_CONTROL_TRANSFER:  from b9c48898 to b9c48649

STACK_TEXT:  
a7bab434 b9c48898 00000001 00006654 a7bab470 KsBinSword!GetUndocumentFunctionAdress+0xf9 [f:\kb\kbsprocess.c @ 46]
a7bab890 b9c4ae8b 000001b4 1e7e54f7 890a2528 KsBinSword!KillPro+0x48 [f:\kb\kbsprocess.c @ 161]
a7babb4c 804f019f 88e932e0 8905d9a8 806e8410 KsBinSword!KsBinSwordDispatchDeviceControl+0x31b [f:\kb\ksbinsword.c @ 701]
a7babb5c 8058098e 8905da18 890a2528 8905d9a8 nt!IopfCallDriver+0x31
a7babb70 8058181d 88e932e0 8905d9a8 890a2528 nt!IopSynchronousServiceTail+0x70
a7babc0c 8057a298 00000144 00000000 00000000 nt!IopXxxControlFile+0x5c5
a7babc40 b98bce7d 00000144 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
WARNING: Stack unwind information not available. Following frames may be wrong.
a7babd34 8054267c 00000144 00000000 00000000 Hookport+0x4e7d
a7babd34 7c92e514 00000144 00000000 00000000 nt!KiFastCallEntry+0xfc
001299c8 00000000 00000000 00000000 00000000 0x7c92e514

STACK_COMMAND:  kb

FOLLOWUP_IP:
KsBinSword!GetUndocumentFunctionAdress+f9 [f:\kb\kbsprocess.c @ 46]
b9c48649 8b510c          mov     edx,dword ptr [ecx+0Ch]

FAULTING_SOURCE_CODE:  
    42:         module = (PSYSTEM_MODULE_INFORMATION)(( PULONG )buf + 1);
    43:        
    44:         ntosknlBase=(ULONG)module->Base;       
    45:         ExFreePool(buf);
>   46:         ntosknlBuff = (PULONG)ExAllocatePool(PagedPool, (ULONG)module->Size);
    47:         //ntosknlBuff = (PULONG)ExAllocatePool(PagedPool, 0x200000);
    48:         if(ntosknlBuff == NULL)
    49:         {
    50:               return 0;
    51:         }

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  KsBinSword!GetUndocumentFunctionAdress+f9

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: KsBinSword

IMAGE_NAME:  KsBinSword.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4fb07d20

FAILURE_BUCKET_ID:  0x50_KsBinSword!GetUndocumentFunctionAdress+f9

BUCKET_ID:  0x50_KsBinSword!GetUndocumentFunctionAdress+f9

Followup: MachineOwner
---------

Latest replies (4)
2
The problem is ExFreePool(buf). "Typically the address is just plain bad or it
is pointing at freed memory."
2012-5-14 15:38
3
PAGE_FAULT_IN_NONPAGED_AREA(50)

With this blue screen, it is usually that the structure you are referencing or using is an invalid pointer~~
2012-5-14 16:42
4
42: module = (PSYSTEM_MODULE_INFORMATION)(( PULONG )buf + 1);
43:
44: ntosknlBase=(ULONG)module->Base;
45: ExFreePool(buf);
> 46: ntosknlBuff = (PULONG)ExAllocatePool(PagedPool, (ULONG)module->Size);

Free buf first, then access module->Size. Impressive!
2012-5-14 18:32
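The ordering fix pointed out in the reply above, as an added example that is not part of the original thread and not the driver's own code: a user-mode C model in which malloc/free stand in for ExAllocatePool/ExFreePool. MODULE_ENTRY, make_query_result and alloc_image_buffer are hypothetical names, the entry layout is simplified, and the base address is a constructed sample value.

```c
/* Added example: user-mode model, not the driver's code. malloc/free stand in
   for ExAllocatePool/ExFreePool; MODULE_ENTRY is a simplified, assumed layout. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint32_t Reserved[2];
    uint32_t Base;
    uint32_t Size;   /* offset 0x0C, the field read by mov edx,[ecx+0Ch] */
} MODULE_ENTRY;

/* Constructed sample query result: a 32-bit count followed by one entry. */
static void *make_query_result(uint32_t base, uint32_t size, size_t *len) {
    uint32_t count = 1;
    MODULE_ENTRY e = { {0, 0}, base, size };
    uint8_t *buf = calloc(1, sizeof count + sizeof e);
    if (buf == NULL) return NULL;
    memcpy(buf, &count, sizeof count);
    memcpy(buf + sizeof count, &e, sizeof e);
    *len = sizeof count + sizeof e;
    return buf;
}

/* Takes ownership of buf. Copies the first entry out, frees buf, and only then
   sizes the new allocation from the saved copy. Returns NULL on failure. */
static void *alloc_image_buffer(void *buf, size_t len, uint32_t *base, uint32_t *size) {
    uint32_t count = 0;
    MODULE_ENTRY first;
    if (buf == NULL || len < sizeof count + sizeof first) { free(buf); return NULL; }
    memcpy(&count, buf, sizeof count);
    if (count == 0) { free(buf); return NULL; }
    memcpy(&first, (uint8_t *)buf + sizeof count, sizeof first);
    free(buf);                      /* nothing below touches buf again */
    if (first.Size == 0) return NULL;
    *base = first.Base;
    *size = first.Size;
    return malloc(first.Size);
}

int main(void) {
    size_t len = 0;
    uint32_t base = 0, size = 0;
    void *q = make_query_result(0x804d8000u, 0x200000u, &len); /* constructed values */
    void *img = alloc_image_buffer(q, len, &base, &size);
    printf("base=%08x size=%08x img=%s\n", (unsigned)base, (unsigned)size, img ? "ok" : "NULL");
    free(img);
    return 0;
}
```

In the driver the same reordering applies: save module->Base and module->Size into locals before ExFreePool(buf), then pass the saved size to ExAllocatePool.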
5
Thanks, 半道出家. This rookie mistake of mine really is something for you all to laugh at.
2012-5-15 10:18