到底ZwSetSystemInformation加载驱动怎么样才不会蓝,我用工具加载都没事。。。。偶尔有几个没蓝的,在我打开icesword后也蓝了,windbg跟踪看到驱动是加载了,该干的事也都干了,但是不知道为什么后面就蓝了,目前能不蓝的只能是驱动里面只有一句DbgPrint的,其他的基本都蓝,并且一般都报下面错误:
Access violation - code c0000005 (!!! second chance !!!)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
268053d8 ?? ???
求大大帮助
附ZwSetSystemInformation加载驱动代码,网上搜的
#include <windows.h>
#include <stdio.h>
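/*
 * Minimal native-API declarations for the loader below. None of these are
 * in <windows.h>; they mirror the kernel/ntdll definitions closely enough
 * for this tool.
 */

/* NTSTATUS is a signed 32-bit value: negative means failure, anything
 * else (success and informational codes) means success. It MUST be a
 * signed type: the original "unsigned long" made the ">= 0" test below
 * always true, so every failed call was reported as a success. */
typedef LONG NTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

/* SYSTEM_INFORMATION_CLASS value used by this tool; not exposed by the SDK. */
#define SystemLoadAndCallImage 38

/* Counted string as used by ntdll. Length and MaximumLength are byte
 * counts, not character counts. The same layout is reused in main for
 * the ANSI source string handed to RtlAnsiStringToUnicodeString. */
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PVOID Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

/* Input block for SystemLoadAndCallImage: the NT-style path of the image. */
typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE
{
    UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;

/* ntdll exports, resolved at run time with GetProcAddress (see main).
 * The pointer typedefs keep their original DWORD return type; every
 * result is tested through NT_SUCCESS, which casts back to NTSTATUS. */
typedef DWORD (CALLBACK* ZWSETSYSTEMINFORMATION)(DWORD, PVOID, ULONG);
ZWSETSYSTEMINFORMATION ZwSetSystemInformation;

typedef DWORD (CALLBACK* RTLINITUNICODESTRING)(PUNICODE_STRING, PCWSTR);
RTLINITUNICODESTRING RtlInitUnicodeString;

/* Third argument is AllocateDestinationString; ntdll allocates the
 * destination Buffer when it is non-zero. */
typedef DWORD (CALLBACK* RTLANSISTRINGTOUNICODESTRING)(PVOID, PVOID, DWORD);
RTLANSISTRINGTOUNICODESTRING RtlAnsiStringToUnicodeString;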
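int main(int argc, char *argv[])
{
    /*
     * Resolve the ntdll exports this tool needs, turn the driver path given
     * on the command line into an NT-style "\??\<full path>" name, and pass
     * it to ZwSetSystemInformation(SystemLoadAndCallImage).
     *
     * Exit status: 0 when the load call reports success; -1 on bad usage
     * (as before); 1 when an export cannot be resolved, the path is too
     * long, or a native call returns an error NTSTATUS.
     *
     * NOTE(review): SystemLoadAndCallImage is an undocumented information
     * class. It does not go through the service controller's driver-load
     * path, so the load leaves no service entry and has no supported
     * unload; expect the call to fail with an error status unless the
     * caller already holds the privilege required to load drivers.
     *
     * Fixes relative to the original: the failure branch is now reachable
     * (NT_SUCCESS was always true with an unsigned NTSTATUS); the path
     * buffers are bounds-checked; GetFullPathName and
     * RtlAnsiStringToUnicodeString results are checked; MaximumLength is
     * initialised; the third GetProcAddress error message names the right
     * export; GetLastError() is printed with %lu; and main no longer
     * returns "true" (undefined in C, and 1 means failure to callers).
     */
    SYSTEM_LOAD_AND_CALL_IMAGE image = {0};
    UNICODE_STRING ansiName = {0};   /* same layout as ntdll's ANSI_STRING */
    char fullPath[256];
    char ntPath[256];
    HMODULE ntdll;
    DWORD pathLen;
    int written;
    DWORD status;

    printf("Load driver with ZwSetSystemInformation( )\r\n");
    printf("Date: 8th May 2007\r\n");
    printf("Modifed by: GaRY <wofeiwo_at_gmail_dot_com>\r\n\r\n");

    if (argc != 2 || stricmp(argv[1], "-h") == 0 || stricmp(argv[1], "-?") == 0
        || stricmp(argv[1], "/?") == 0)
    {
        printf("Usage: %s <DriverPath>\r\n", argv[0]);
        return -1;
    }

    /* Explicit "A" variants: the buffers are char[], so the build must not
     * depend on whether UNICODE is defined. */
    ntdll = GetModuleHandleA("ntdll.dll");
    if (ntdll == NULL)
    {
        printf("GetModuleHandle(\"ntdll.dll\") Error:%lu\n", GetLastError());
        return 1;
    }

    /* Resolve the exports from ntdll. */
    RtlInitUnicodeString =
        (RTLINITUNICODESTRING) GetProcAddress(ntdll, "RtlInitUnicodeString");
    if (RtlInitUnicodeString == NULL)
    {
        printf("GetProcAddress(\"RtlInitUnicodeString\") Error:%lu\n", GetLastError());
        return 1;
    }
    ZwSetSystemInformation =
        (ZWSETSYSTEMINFORMATION) GetProcAddress(ntdll, "ZwSetSystemInformation");
    if (ZwSetSystemInformation == NULL)
    {
        printf("GetProcAddress(\"ZwSetSystemInformation\") Error:%lu\n", GetLastError());
        return 1;
    }
    RtlAnsiStringToUnicodeString =
        (RTLANSISTRINGTOUNICODESTRING) GetProcAddress(ntdll, "RtlAnsiStringToUnicodeString");
    if (RtlAnsiStringToUnicodeString == NULL)
    {
        printf("GetProcAddress(\"RtlAnsiStringToUnicodeString\") Error:%lu\n", GetLastError());
        return 1;
    }

    /* GetFullPathName returns 0 on error and the required size (including
     * the terminator) when the buffer is too small; both are failures. */
    pathLen = GetFullPathNameA(argv[1], sizeof fullPath, fullPath, NULL);
    if (pathLen == 0 || pathLen >= sizeof fullPath)
    {
        printf("GetFullPathName(\"%s\") failed or path too long, Error:%lu\n",
               argv[1], GetLastError());
        return 1;
    }
    printf("Loading driver: %s\r\n", fullPath);

    /* Prefix with the NT object-manager namespace; the original sprintf
     * could overflow by the length of the prefix. */
    written = snprintf(ntPath, sizeof ntPath, "\\??\\%s", fullPath);
    if (written < 0 || (size_t)written >= sizeof ntPath)
    {
        printf("Driver path too long\r\n");
        return 1;
    }

    /* Describe the ANSI path as a counted string (byte lengths). */
    ansiName.Buffer = (PVOID)ntPath;
    ansiName.Length = (USHORT)written;
    ansiName.MaximumLength = (USHORT)sizeof ntPath;

    /* Third argument non-zero: ntdll allocates ModuleName.Buffer. It is not
     * freed here (RtlFreeUnicodeString is not resolved); the process exits
     * right after the call. */
    status = RtlAnsiStringToUnicodeString(&image.ModuleName, &ansiName, 1);
    if (!NT_SUCCESS(status))
    {
        printf("RtlAnsiStringToUnicodeString failed, status 0x%08lX\r\n",
               (unsigned long)status);
        return 1;
    }

    status = ZwSetSystemInformation(SystemLoadAndCallImage, &image, sizeof image);
    if (NT_SUCCESS(status))
    {
        printf("Driver: %s loaded.\r\n", ntPath);
        return 0;
    }

    /* Report the NTSTATUS so a failure can actually be diagnosed. */
    printf("Driver: %s not loaded.\r\n", ntPath);
    printf("ZwSetSystemInformation status: 0x%08lX\r\n", (unsigned long)status);
    return 1;
}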