Back in the XP era there were few restrictions on driver code, and when calling functions such as PsSetCreateProcessNotify some people liked to point the callback at an executable buffer.
In the Windows 10 era that no longer works. When the system detects that the address of a system callback (CreateProcessNotify, CreateThreadNotify and the like) does not lie within a code address range, it raises this blue screen.
Test: on any Win64 system, print the address of any function in your driver, any NonPagedPool address and any PagedPool address. You will see the difference is obvious: they are not in the same 4GB.
Because of this change, one technique in my tutorial needs to be revised. Supplementary knowledge: the AMD64 address layout (from MIAMD.H):

/*++
Virtual Memory Layout on the AMD64 is:
+------------------------------------+
0000000000000000 | User mode addresses - 8tb minus 64k|
| |
| |
000007FFFFFEFFFF | | MM_HIGHEST_USER_ADDRESS
+------------------------------------+
000007FFFFFF0000 | 64k No Access Region | MM_USER_PROBE_ADDRESS
000007FFFFFFFFFF | |
+------------------------------------+
.
+------------------------------------+
FFFF080000000000 | Start of System space | MM_SYSTEM_RANGE_START
+------------------------------------+
FFFFF68000000000 | 512gb four level page table map. | PTE_BASE
+------------------------------------+
FFFFF70000000000 | HyperSpace - working set lists | HYPER_SPACE
| and per process memory management |
| structures mapped in this 512gb |
| region. | HYPER_SPACE_END
+------------------------------------+ MM_WORKING_SET_END
FFFFF78000000000 | Shared system page | KI_USER_SHARED_DATA
+------------------------------------+
FFFFF78000001000 | The system cache working set | MM_SYSTEM_CACHE_WORKING_SET
| information resides in this |
| 512gb-4k region. |
| |
+------------------------------------+
.
.
Note the ranges below are sign extended for > 43 bits and therefore
can be used with interlocked slists. The system address space above is NOT.
.
.
+------------------------------------+
FFFFF80000000000 | | MM_KSEG0_BASE
| Mappings initialized by the loader.| MM_KSEG2_BASE
+------------------------------------+
FFFFF90000000000 | win32k.sys |
| |
| Hydra configurations have session |
| data structures here. |
| |
| This is a 512gb region. |
+------------------------------------+
| | MM_SYSTEM_SPACE_START
FFFFF98000000000 | System cache resides here. | MM_SYSTEM_CACHE_START
| Kernel mode access only. |
| 1tb. |
| | MM_SYSTEM_CACHE_END
+------------------------------------+
FFFFFA8000000000 | Start of paged system area. | MM_PAGED_POOL_START
| Kernel mode access only. |
| 128gb. |
+------------------------------------+
| System mapped views start just |
| after paged pool. Default is |
| 104MB, can be registry-overridden. |
| 8GB maximum. |
| |
+------------------------------------+
FFFFFAA000000000 | System PTE pool. | MM_LOWEST_NONPAGED_SYSTEM_START
| Kernel mode access only. |
| 128gb. |
+------------------------------------+
FFFFFAC000000000 | NonPaged pool. | MM_NON_PAGED_POOL_START
| Kernel mode access only. |
| 128gb. |
| |
FFFFFADFFFFFFFFF | NonPaged System area | MM_NONPAGED_POOL_END
+------------------------------------+
.
.
.
.
+------------------------------------+
FFFFFFFF80000000 | |
| Reserved for the HAL. 2gb. |
FFFFFFFFFFFFFFFF | | MM_SYSTEM_SPACE_END
+------------------------------------+
--*/