一旦加载,它就会与错误检查KERNEL_Security_CHECK_FAILURE,第一个参数6崩溃,这意味着“堆栈cookie安全cookie没有被加载器正确初始化”.

这可能是由于构建驱动程序仅在Windows 8上运行并尝试在早期版本的Windows上加载驱动程序映像引起的.要避免此问题,您必须构建驱动程序以在早期版本的Windows上运行“.当我以Windows 7为目标时,不会发生此错误.

我能够找到这个错误发生的确切位置.它发生在由GsDriverEntry调用的__security_init_cookie函数中.

INIT:000000014000C1B4 __security_init_cookie proc near        ; CODE XREF: GsDriverEntry+10p
INIT:000000014000C1B4                 mov     rax,cs:__security_cookie
INIT:000000014000C1BB                 test    rax,rax
INIT:000000014000C1BE                 jz      short loc_14000C1DA
INIT:000000014000C1C0                 mov     rcx,2B992DDFA232h
INIT:000000014000C1CA                 cmp     rax,rcx
INIT:000000014000C1CD                 jz      short loc_14000C1DA
INIT:000000014000C1CF                 not     rax
INIT:000000014000C1D2                 mov     cs:__security_cookie_complement,rax
INIT:000000014000C1D9                 retn
INIT:000000014000C1DA ; ---------------------------------------------------------------------------
INIT:000000014000C1DA
INIT:000000014000C1DA loc_14000C1DA:                          ; CODE XREF: __security_init_cookie+Aj
INIT:000000014000C1DA                                         ; __security_init_cookie+19j
INIT:000000014000C1DA                 mov     ecx,6
INIT:000000014000C1DF                 int     29h             ; Win8: RtlFailFast(ecx)

从这个反汇编中我们可以看到它执行了2次检查.

The first check checks if rax (__security_cookie) is zero and the 
second check compares it to 2B992DDFA232h.

但是,__ security_cookie在我的二进制文件中声明为2B992DDFA232h,因此永远不应该调用中断,但不知怎的.