typedef struct _SRVTABLE {
	PVOID           *ServicePointers;
	ULONG           Count;
	ULONG           Limit;
	PVOID           *NumArguments;
} SRVTABLE, *PSRVTABLE;

extern PSRVTABLE KeServiceDescriptorTable;

PVOID* MapServiceTable(
    SERVICE_HOOK_DESCRIPTOR **HookDescriptors
    )
{
           *HookDescriptors = (SERVICE_HOOK_DESCRIPTOR *) ExAllocatePool( NonPagedPool, KeServiceDescriptorTable->Limit *sizeof(SERVICE_HOOK_DESCRIPTOR));
          if( !*HookDescriptors ) 
         {
              return NULL;
          }
          memset( *HookDescriptors, 0, KeServiceDescriptorTable->Limit * sizeof(SERVICE_HOOK_DESCRIPTOR));
	 KeServiceTableMdl = IoAllocateMdl(KeServiceDescriptorTable->ServicePointers, 
									  KeServiceDescriptorTable->Limit*4, FALSE, FALSE, NULL );
	
        if( !KeServiceTableMdl ) 
	{
              return NULL;
        }
	__try
	{

		MmBuildMdlForNonPagedPool( KeServiceTableMdl );
		KeServiceTableMdl->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA;
                //执行下面这一句会蓝屏
		lpReturn =  MmMapLockedPagesSpecifyCache( KeServiceTableMdl, KernelMode, MmCached, NULL, FALSE, NormalPagePriority);
	}
	__except (EXCEPTION_EXECUTE_HANDLER) {
		return NULL;
	}
	return lpReturn;

If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 00000000000000b2, MmMapLockedPages called on an MDL having incorrect flags.
For example, calling MmMapLockedPages for an MDL
that is already mapped to a system address is incorrect.
Arg2: fffffa800a4e71b0, MDL address.
Arg3: 0000000000000005, MDL flags.
Arg4: 0000000000000005, Incorrect MDL flags.

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入！