我觉得应该是内存访问的问题，好像是和Vstart冲突了，然后就是你的函数返回地址怎么为0了，第一次分析dump文件，也不太会，把dump内容贴上来等大牛们解答，我也学习学习。
Child-SP          RetAddr           Call Site
fffff880`098cb8e0 00000000`00000000 DMProtect64+0x250c

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffffffffffffffd0, memory referenced.
Arg2: 0000000000000001, value 0 = read operation, 1 = write operation.
Arg3: fffff800042b70f1, If non-zero, the instruction address which referenced the bad memory
        address.
Arg4: 0000000000000000, (reserved)

Debugging Details:
------------------

Could not read faulting driver name

WRITE_ADDRESS: GetPointerFromAddress: unable to read from fffff800044ff100
ffffffffffffffd0

FAULTING_IP:
nt!ObReferenceObjectByPointerWithTag+31
fffff800`042b70f1 f048830301      lock add qword ptr [rbx],1

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  VStart.exe

CURRENT_IRQL:  0

TRAP_FRAME:  fffff880098cb4b0 -- (.trap 0xfffff880098cb4b0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffc3918277cdc1 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800042b70f1 rsp=fffff880098cb640 rbp=00000000746c6644
r8=0000000000000000  r9=0000000000000000 r10=fffff80004251000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
nt!ObReferenceObjectByPointerWithTag+0x31:
fffff800`042b70f1 f048830301      lock add qword ptr [rbx],1 ds:0001:00000000`00000000=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff80004344eb0 to fffff800042c5ec0

STACK_TEXT:  
fffff880`098cb348 fffff800`04344eb0 : 00000000`00000050 ffffffff`ffffffd0 00000000`00000001 fffff880`098cb4b0 : nt!KeBugCheckEx
fffff880`098cb350 fffff800`042c3fee : 00000000`00000001 ffffffff`ffffffd0 fffffa80`0c550000 ffffffff`ffffffd0 : nt! ?? ::FNODOBFM::`string'+0x4518f
fffff880`098cb4b0 fffff800`042b70f1 : 00000000`00000000 00000000`00000000 00000000`00000001 00000980`00000000 : nt!KiPageFault+0x16e
fffff880`098cb640 fffff800`045b3de4 : 00000000`c0000037 00000000`00000000 00000000`00000000 00000000`00000000 : nt!ObReferenceObjectByPointerWithTag+0x31
fffff880`098cb670 fffff800`045a57a0 : 00000000`00001200 ffffffff`d646d900 00000000`00000000 fffffa80`0c3a0060 : nt!ObOpenObjectByPointerWithTag+0x64
fffff880`098cb890 fffff880`0578150c : 00000000`00000000 fffff880`054d8159 fffff8a0`02465010 00000000`0000000c : nt!ObOpenObjectByPointer+0x30
fffff880`098cb8e0 00000000`00000000 : fffff880`054d8159 fffff8a0`02465010 00000000`0000000c 00000000`00000000 : DMProtect64+0x250c

STACK_COMMAND:  kb

FOLLOWUP_IP:
DMProtect64+250c
fffff880`0578150c ??              ???

SYMBOL_STACK_INDEX:  6

SYMBOL_NAME:  DMProtect64+250c

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: DMProtect64

IMAGE_NAME:  DMProtect64.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  5518a17b

FAILURE_BUCKET_ID:  X64_0x50_DMProtect64+250c

BUCKET_ID:  X64_0x50_DMProtect64+250c

Followup: MachineOwner
---------

0: kd> k
Child-SP          RetAddr           Call Site
fffff880`098cb348 fffff800`04344eb0 nt!KeBugCheckEx
fffff880`098cb350 fffff800`042c3fee nt! ?? ::FNODOBFM::`string'+0x4518f
fffff880`098cb4b0 fffff800`042b70f1 nt!KiPageFault+0x16e
fffff880`098cb640 fffff800`045b3de4 nt!ObReferenceObjectByPointerWithTag+0x31
fffff880`098cb670 fffff800`045a57a0 nt!ObOpenObjectByPointerWithTag+0x64
fffff880`098cb890 fffff880`0578150c nt!ObOpenObjectByPointer+0x30
fffff880`098cb8e0 00000000`00000000 DMProtect64+0x250c