【原创】调用系统函数里面蓝屏例子

IRQL_NOT_LESS_OR_EQUAL (a)

An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 82e9082f, address which referenced memory

eax=a78bb334 ebx=a78bb32c ecx=00000000 edx=00000000 esi=862f6768 edi=862f6828
eip=82e9082f esp=974ff890 ebp=974ff8f4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!KeWaitForSingleObject+0x373:
82e9082f 8939 mov dword ptr [ecx],edi ds:0023:00000000=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 82e9082f to 82e5acdb

STACK_TEXT:
974ff81c 82e9082f badb0d00 00000000 00000001 nt!KiTrap0E+0x2cf
974ff8f4 82e4a739 a78bb32c 00000022 00000000 nt!KeWaitForSingleObject+0x373
974ff91c 82eadc1a 00b11018 00000000 a78b0bde nt!KiAcquireFastMutex+0x56
974ff928 a78b0bde 830971fb 00b11018 974ffbdc nt!ExAcquireFastMutex+0x1e
974ffb54 a78b13b5 000000f0 00b10fc0 974ffc64 mydrv!DeleteElementGenericTable+0x4e

IRQL == DPC时访问内存出问题，在SSDT层IRQL 是不可能达到DPC的，ExAcquireFastMutex 本身会把IRQL提升到APC，这个时候PAGE是允许的，那是谁把IRQL提升到DPC？
先看MSDN怎么说 FastMutex
VOID
ExInitializeFastMutex(
IN PFAST_MUTEX FastMutex
);

Parameters
FastMutex
Pointer to a caller-allocated FAST_MUTEX structure, which represents the fast mutex, in the nonpaged memory pool.

要求 FastMutex 必须从非分页池分配，为啥，进入 KiAcquireFastMutex -> KeWaitForSingleObject 看。

.text:00454477 call ds:[email protected]@4 ; KfLowerIrql(x)
.text:0045447D call ds:[email protected] ; KeRaiseIrqlToDpcLevel()

KeWaitForSingleObject 内部在访问 FastMutex时是会把IRQL提升到DPC的。

回到问题本身，看出错指令
82e9082f 8939 mov dword ptr [ecx],edi ds:0023:00000000=????????

IDA
.text:00454704 loc_454704: ; CODE XREF: KeWaitForSingleObject(x,x,x,x,x)+30Ej
.text:00454704 ; KeWaitForSingleObject(x,x,x,x,x)+35Aj
.text:00454704 lea eax, [ebx+8] ; 参数
.text:00454707 mov ecx, [eax+4]
.text:0045470A mov [edi], eax
.text:0045470C mov [edi+4], ecx
.text:0045470F mov [ecx], edi
.text:00454711 mov [eax+4], edi
.text:00454714 mov eax, 0FFFFFF7Fh

应该是 参数有问题。

不考虑内存破坏，排查代码，最大可能是Mutex没初始化，再看代码，发现钩子生效时，Mutex可能还没初始化，一个典型的同步问题