There are different BSOD codes so I can't mention a single one but the fault is always due to this instruction
ffff95008cc7b2b8 ff1556d90000 call qword ptr [ffff95008cc88c14]
or
ffffaa8842c322b8 ff1556d90000 call qword ptr [ffffaa8842c3fc14]

Could you please take a look and tell me if there's anything I could do? I have attached both BSODs

103019-5437-01.zip

Hi.

The project compiled just fine in VS2017. Also Rebuild.cmd worked just fine. Tested on Hyper-V VM: Win10 Pro 2004/21H2. The result: https://i.imgur.com/KO6FwKM.png and I don't see any output in DebugView. I just tested also on bare metal (Win10 Pro 21H1).

I tried to load the "Shark.sys" also in normal way but the result was weird unlisted NTSTATUS codes. My tool unsigned driver loads just fine:

00000063 215.78669739 EnumPoolBigPageTable size in bytes 370850272
00000064 215.78669739 Mode: Kernel memory
00000065 237.78872681 \Device\PhysicalMemory Bytes copied: 939167744

I even signed the driver but it's not working for me. Any idea? Thanks anyway for your efforts.

EDIT: It's a manually mapped driver. I guess I will have have to update it for 21H2.

i got DRIVER_IQRL_NOT_LESS_OR_EQUAL in windows 10 10586, resolved by replace this code for SpaceAMD64.c :

#define MiGetPxeAddress(va)   \
    ((PMMPTE)PXE_BASE + MiGetPxeOffset(va))

#define MiGetPpeAddress(va)   \
    ((PMMPTE)(((((ULONG_PTR)(va) & VIRTUAL_ADDRESS_MASK) >> PPI_SHIFT) << PTE_SHIFT) + PPE_BASE))

#define MiGetPdeAddress(va) \
    ((PMMPTE)(((((ULONG_PTR)(va) & VIRTUAL_ADDRESS_MASK) >> PDI_SHIFT) << PTE_SHIFT) + PDE_BASE))

#define MiGetPteAddress(va) \
    ((PMMPTE)(((((ULONG_PTR)(va) & VIRTUAL_ADDRESS_MASK) >> PTI_SHIFT) << PTE_SHIFT) + PTE_BASE))
#define MiGetVirtualAddressMappedByPte(PTE) \
    ((PVOID)((LONG_PTR)(((LONG_PTR)(PTE) - PTE_BASE) << (PAGE_SHIFT + VA_SHIFT - PTE_SHIFT)) >> VA_SHIFT))
PMMPTE
NTAPI
GetPxeAddress(
    __in PVOID VirtualAddress
)
{
    return MiGetPxeAddress(VirtualAddress);
}

PMMPTE
NTAPI
GetPpeAddress(
    __in PVOID VirtualAddress
)
{
	return MiGetPpeAddress(VirtualAddress);
}

PMMPTE
NTAPI
GetPdeAddress(
    __in PVOID VirtualAddress
)
{
	return MiGetPdeAddress(VirtualAddress);
}

PMMPTE
NTAPI
GetPteAddress(
    __in PVOID VirtualAddress
)
{
	return MiGetPteAddress(VirtualAddress);
}

PVOID
NTAPI
GetVirtualAddressMappedByPte(
    __in PMMPTE Pte
)
{
    return MiGetVirtualAddressMappedByPte(Pte);
}

牛逼

问题出在KeIpiGenericCall,然后修改代码调用KeSetSystemAffinityThread问题解决

Hello,
i have been trying to use your driver on windows servers(2012 ,2016) and trying to patch the Eprocess struct in the kernel.
Each time i ran the "Shark.sys" with a service it ran(sometimes), but when i run the patcher to the Eprocess, the pc BSODs after an random time with the error code 109.
Does the project suppose to work on windows server? If so does it need any modification?

经过调试，发现是PgClearCallback中,以下这段代码引发的蓝屏

if (PgDoubleEncrypted == Object->Encrypted)
{
Context->Rip = __rdsptr(Context->Rsp); <----这句 说是访问了无效内存
Context->Rsp += sizeof(ptr);
ExInitializeWorkItem(
&Object->Worker, PgBlock->FreeWorker, Object);
PgBlock->ExQueueWorkItem(
&Object->Worker, CriticalWorkQueue);
}

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: ffffa0012dc38000, memory referenced <--这个就是rsp的值
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: ffffb68e63408ed4, address which referenced memory

C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\V140\Microsoft.MakeFile.Targets(41,5): error MSB3073: 命令“NMAKE /NOLOGO BUILD PLATFORM=x64 PROJ=Shark SLND=D:\Labs\Shark\”已退出，代码为 2。

It doesn't work well in win11 22621
I think the sign may is out of date.

dump file:
101119-15015-01.zip

大神牛逼膜拜一下，顺便问下一下。WinDDK3790.1830我能换成wdk10吗？

Any chance to take a step-by-step tutorial how to disable PG using you tool ?

I Got BSOD in Virtual Box Win7 7600 im using OSRLoader to load it on my VB

found encrypted context 字样的打印没有出现,似乎是没有搜索到,系统版本 win7-7601
dbgview打印:

[Shark] load
[Shark] [PatchGuard] < 0000000000001DB1 > BuildNumber
[Shark] [PatchGuard] < FFFFFA8003CFE040 > PsInitialSystemProcess
[Shark] [PatchGuard] < 0000000000000001 > NumberProcessors
[Shark] [PatchGuard] < FFFFF80003EEA3D0 > KeEnterCriticalRegion
[Shark] [PatchGuard] < FFFFF80003EECDC0 > KeLeaveCriticalRegion
[Shark] [PatchGuard] < FFFFF80003E7048C > ExAcquireSpinLockShared
[Shark] [PatchGuard] < FFFFF80003E7052C > ExReleaseSpinLockShared
[Shark] [PatchGuard] < FFFFF80003F8FCD0 > DbgPrint
[Shark] [PatchGuard] < FFFFF80003EE2610 > RtlCompareMemory
[Shark] [PatchGuard] < FFFFF80003EE0E00 > RtlRestoreContext
[Shark] [PatchGuard] < FFFFF80003EECC10 > ExQueueWorkItem
[Shark] [PatchGuard] < FFFFF8000400BD90 > ExFreePoolWithTag
[Shark] [PatchGuard] < FFFFF80003EE0640 > KeBugCheckEx
[Shark] [PatchGuard] < FFFFF80003ED88D0 > ExInterlockedRemoveHeadList
[Shark] [PatchGuard] < FFFFF80003EFFBF4 > ExAcquireRundownProtection
[Shark] [PatchGuard] < FFFFF80003EFFC14 > ExReleaseRundownProtection
[Shark] [PatchGuard] < FFFFF80003EBB750 > ExWaitForRundownProtectionRelease
[Shark] [PatchGuard] < FFFFFA8003D55560 > PgBlock
[Shark] [PatchGuard] < 00000000000000C0 > SizeCmpAppendDllSection
[Shark] [PatchGuard] < 0000000000000288 > OffsetEntryPoint
[Shark] [PatchGuard] < 0000000000003A00 > SizeINITKDBG
[Shark] [PatchGuard] < FFFFFA8003E30000 > INITKDBG
[Shark] [PatchGuard] < FFFFF80003ED22C0 > ntoskrnl.exe!ExfAcquirePushLockExclusive
[Shark] [PatchGuard] < FFFFF80003E705B0 > ntoskrnl.exe!ExfReleasePushLockExclusive
[Shark] [PatchGuard] < FFFFF80003EEA730 > ntoskrnl.exe!KeAcquireInStackQueuedSpinLockAtDpcLevel
[Shark] [PatchGuard] < FFFFF80003E7048C > ntoskrnl.exe!ExAcquireSpinLockShared
[Shark] [PatchGuard] < FFFFF8000404F470 > PsInvertedFunctionTable
[Shark] [PatchGuard] < FFFFF80003ED1FD0 > KiStartSystemThread
[Shark] [PatchGuard] < FFFFF8000417DC74 > PspSystemThreadStartup
[Shark] [PatchGuard] < FFFFF80003F72AD0 > MmIsNonPagedSystemAddressValid
[Shark] [PatchGuard] < FFFFF8000407E217 > PoolBigPageTable
[Shark] [PatchGuard] < FFFFF8000407E210 > PoolBigPageTableSize
[Shark] [PatchGuard] < 000000000002D000 > NumberOfPtes
[Shark] [PatchGuard] < FFFFF6FC40000000 > BasePte
[Shark] [PatchGuard] < FFFFF80003F0B1C0 > RtlLookupFunctionEntry
[Shark] [PatchGuard] < FFFFF80003E70C5C > RtlVirtualUnwind
[Shark] [PatchGuard] < FFFFF80003EECC10 > ExQueueWorkItem
[Shark] [PatchGuard] < FFFFFA8003D556B0 > CaptureContext
[Shark] [PatchGuard] < FFFFFA8003D55930 > FreeWorker
[Shark] [PatchGuard] < FFFFFA8003D559E0 > ClearCallback
[Shark] [PatchGuard] < 0000000000000000 > BigPool < FFFA8004C9000000 - 00008000 >
[Shark] - unload

以前的版本能正常搜索到,但是偶尔蓝屏,似乎也是 PgCompareFields函数里蓝的

I got recommended this repo by the github; and It's super fascianting!
Thanks for making it!

//Will.

1>LINK : fatal error LNK1123: failure during conversion to COFF: file invalid or corrupt
1>NMAKE : fatal error U1077: 'link.exe' : return code '0x463'

119651372

有些时候 解密PgEntry 写入代码还原后。pg解密后 运行就爆炸了

win7 x64 sp1 运行后一闪而过，驱动还是一样不能被加载，请问这是哪里问题
我希望使用titanhide.sys

i type in build.cmd in prompt but its given 'NMAKE' is not recognized as an internal or external command, operable program or batch file., tried to use the nmake.exe from the wdk repo nothing happend. tried it with vs next but no luck I get an error message, still something about Nmake.... help

File just instantly closes

ms already fix and encrypt compare feilds
PgCompareFields cant find any encrypt pg context on 18362.x
Already test on 18362.30 18362.116 and 18362.145

大佬怎么编译啊 我用的VS2017

当我在虚拟机打开时出现c0000061的错误

The new 18362 version has been confirmed

BSOD at driver startup

Will be updated in April

这个错误，是不是我没安装vbox导致的呢？

hello, i want to donate but do you use any chat app? like skype ?

大佬，打开了没有效果啊

How to solve this bug? I used the following patch and the problem is still there.

#define __ROL64(x, n) (((x) << ((( n & 0xFF) % 64))) | ((x) >> (64 - (( n & 0xFF) % 64))))
#define __ROR64(x, n) (((x) >> ((( n & 0xFF) % 64))) | ((x) << (64 - (( n & 0xFF) % 64))))
=>
#define __ROL64(x, n) (((x) << ((n) & 0x3F)) | ((x) >> (64 - ((n) & 0x3F))))
#define __ROR64(x, n) (((x) >> ((n) & 0x3F)) | ((x) << (64 - ((n) & 0x3F))))

<minidump>
3: kd> k
 # Child-SP          RetAddr           Call Site
00 ffff808e`46246fe8 fffff806`4d41128d nt!KeBugCheckEx
01 ffff808e`46246ff0 fffff806`4d3dfe42 nt!KiDispatchException+0x18a55d
02 ffff808e`462476a0 fffff806`4d3da68e nt!KiExceptionDispatch+0xc2
03 ffff808e`46247880 ffffb00e`aed7286b nt!KiInvalidOpcodeFault+0x30e
04 ffff808e`46247a10 ffffffff`bd3bf7cd 0xffffb00e`aed7286b
05 ffff808e`46247a18 ffffb00e`aed8b13f 0xffffffff`bd3bf7cd
06 ffff808e`46247a20 ffffb00e`b77ca080 0xffffb00e`aed8b13f
07 ffff808e`46247a28 fffff806`4d778240 0xffffb00e`b77ca080
08 ffff808e`46247a30 00000000`00000000 nt!ExNode0

<disassemble ffffb00e`aed72860>
ffffb00e`aed72860 cc              int     3
ffffb00e`aed72861 cc              int     3
ffffb00e`aed72862 cc              int     3
ffffb00e`aed72863 cc              int     3
ffffb00e`aed72864 cc              int     3
ffffb00e`aed72865 cc              int     3
ffffb00e`aed72866 68cdf73bbd      push    0FFFFFFFFBD3BF7CDh
ffffb00e`aed7286b c7              ???
ffffb00e`aed7286c 5c              pop     rsp
ffffb00e`aed7286d 2404            and     al,4
ffffb00e`aed7286f 0e              ???
ffffb00e`aed72870 b0ff            mov     al,0FFh
ffffb00e`aed72872 ffc3            inc     ebx
ffffb00e`aed72874 204889          and     byte ptr [rax-77h],cl
ffffb00e`aed72877 48085541        or      byte ptr [rbp+41h],dl
ffffb00e`aed7287b 54              push    rsp

系统版本 win10 18362.30 (1903 专业版) (根据issues来说似乎目前支持的最高系统是 这个版本.)
直接下载最新源码,编译,扔到虚拟机测试,
跑了shark后提示 success,加载成功，
自写了个测试inline hook ntopenprocess ,初期工作正常,一段时间后蓝了(5-10分钟?) 代码 109 PG，驱动只写了一个测试hook,没有其他的功能.

NTSTATUS NTAPI Hooked_NtOpenProcess(
PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PCLIENT_ID ClientId
)
{
mydbg("use here \r\n"); //可以正常打印
return ((fn_NtOpenProcess)ori_NtOpenProcess)(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}

reload /i Shark.sys=FFFF858BBA535000 < FFFF858BBA535000 - 00020000 >
[SHARK] < 00000000000047BA > BuildNumber
[SHARK] < FFFF858BBAA7C380 > PsInitialSystemProcess
[SHARK] < 0000000000000002 > NumberProcessors
[SHARK] < FFFFF80405AECC80 > KeEnterCriticalRegion
[SHARK] < FFFFF80405AE78F0 > KeLeaveCriticalRegion
[SHARK] < FFFFF80405AEDDF0 > ExAcquireSpinLockShared
[SHARK] < FFFFF80405BC1760 > ExReleaseSpinLockShared
[SHARK] < FFFFF80405BDDF30 > DbgPrint
[SHARK] < FFFFF80405AE94A0 > KeWaitForSingleObject
[SHARK] < FFFFF80405C7DE00 > RtlCompareMemory
[SHARK] < FFFFF80405C7D9D0 > RtlRestoreContext
[SHARK] < FFFFF80405B69060 > ExQueueWorkItem
[SHARK] < FFFFF80405E230A0 > ExFreePoolWithTag
[SHARK] < FFFFF80405C75810 > KeBugCheckEx
[SHARK] < FFFFF80405BC8790 > ExInterlockedRemoveHeadList
[SHARK] < FFFFF80405BBBE30 > ExAcquireRundownProtection
[SHARK] < FFFFF80405BC3D50 > ExReleaseRundownProtection
[SHARK] < FFFFF80405B0D550 > ExWaitForRundownProtectionRelease
[SHARK] < FFFF858BBA5515C0 > Block
[SHARK] < 00000000000000C0 > SizeCmpAppendDllSection
[SHARK] < 0000000000000001 > BtcEnable
[SHARK] < FFFF858BBA551F48 > OriginalCmpAppendDllSection
[SHARK] < 00000000000007E8 > OffsetEntryPoint
[SHARK] < 0000000000019000 > SizeINITKDBG
[SHARK] < FFFF858BBA555000 > INITKDBG
[SHARK] < FFFFF80405E230A0 > ntoskrnl.exe!ExGetPreviousMode
[SHARK] < FFFFF804060E29E0 > ntoskrnl.exe!ObDereferenceSecurityDescriptor + 140
[SHARK] < FFFFF80405B69060 > ntoskrnl.exe!ExReInitializeRundownProtectionCacheAware
[SHARK] < FFFFF80405AE52A0 > ntoskrnl.exe!ExReleaseSpinLockSharedFromDpcLevel
[SHARK] < FFFFF80405BB9E90 > MmAllocateIndependentPages
[SHARK] < FFFFF80405BD34A0 > MmFreeIndependentPages
[SHARK] < FFFFF80405BE58F0 > MmSetPageProtection
[SHARK] < FFFFC44E00E74D20 > test independent page < FFFF9C01CE9A4000 - 00001000 >
[SHARK] < FFFFF80405C5E770 > KiScbQueueScanWorker
[SHARK] < FFFFF80405C5E7C0 > KiScbQueueScanWorker end
[SHARK] < FFFFF8040603F010 > PsInvertedFunctionTable
[SHARK] < 0000000059006860 > BranchKey[10]
[SHARK] < 00000000E0006CF1 > BranchKey[0]
[SHARK] < 0000000020006B15 > BranchKey[1]
[SHARK] < 0000000060006938 > BranchKey[2]
[SHARK] < 00000000160068D0 > BranchKey[3]
[SHARK] < 000000007E006894 > BranchKey[4]
[SHARK] < 0000000000007730 > BranchKey[5]
[SHARK] < 0000000000000000 > BranchKey[6]
[SHARK] < 0000000080007376 > BranchKey[7]
[SHARK] < 00000000280069EB > BranchKey[8]
[SHARK] < 0000000000006FBD > BranchKey[9]
[SHARK] < 0000000000095486 > BranchKey[11]
[SHARK] < FFFFF80405C7CD3E > KiStartSystemThread
[SHARK] < FFFFF80405BE98D0 > PspSystemThreadStartup
[SHARK] < FFFFF804060286F8 > KiWaitNever
[SHARK] < FFFFF804060288E0 > KiWaitAlways
[SHARK] < FFFFF80405D7B310 > MmIsNonPagedSystemAddressValid
[SHARK] < FFFFF80405EE5410 > PoolBigPageTable
[SHARK] < FFFFF80405EE7C28 > PoolBigPageTableSize
[SHARK] < 0000000000E95000 > NumberOfPtes
[SHARK] < FFFFC44E00000000 > BasePte
[SHARK] < FFFFF80405D7B2F0 > MmIsAddressValid
[SHARK] < FFFFF80405B70450 > RtlLookupFunctionEntry
[SHARK] < FFFFF80405BEEB20 > RtlVirtualUnwind
[SHARK] < FFFFF80405B69060 > ExQueueWorkItem
[SHARK] < FFFF858BBA547B10 > CaptureContext
[SHARK] < FFFF858BBA53D0B0 > FreeWorker
[SHARK] < FFFF858BBA53AEA0 > ClearCallback
[SHARK] < 00000000000006E4 > OffsetSameThreadPassive
[SHARK] < 0000000000000001 > BigPool < FFFF858BBC010000 - 00008000 >
[SHARK] < 0000000000000001 > scan < FFFF858BBA555000 - 00019000 > < CCCCCCCCCCCCCCCC, CCCCCCCCCCCCCCCC, 56535508244C8948, 4156415541544157...>
[SHARK] < 0000000000000001 > SystemPtes < FFFFC44E00000000 - FFFFC44E074A8000 >
[SHARK] < FFFF858BBA534000 > shark load success

dump:
022823-13078-01.zip

The driver gives a bsod when searching for Branchkey[1] and also the offsets to actual keys are outdated in win 11 22H2

目前确认到的是可以成功Pass一部分，但是有一些长时间的PG没有PASS掉 大概会在6个小时以后得到 BugCheck 109

minidump

正常解密后执行应该为
ffffbc87`a61047d3 68cde35aad push 0FFFFFFFFAD5AE3CDh

ffffbc87`a61047d8 c744240487bcffff mov dword ptr [rsp+4], 0FFFFBC87h

ffffbc87`a61047e0 c3 ret

但是触发BugCheck后看到Dump执行代码为
ffffbc87`a61047d3 68cde35aad push 0FFFFFFFFAD5AE3CDh

ffffbc87`a61047d8 c7 ???

ffffbc87`a61047d9 5c pop rsp

ffffbc87`a61047da 2404 and al, 4

ffffbc87`a61047dc 87bcffffc32048 xchg edi, dword ptr [rdi+rdi*8+4820C3FFh]

ffffbc87`a61047e3 894808 mov dword ptr [rax+8], ecx

ffffbc87`a61047e6 55 push rbp

ffffbc87`a61047e7 4154 push r12

ffffbc87`a61047e9 4155 push r13

ffffbc87`a61047eb 4156 push r14

ffffbc87`a61047ed 4157 push r15

解出的代码不对 44被解成5C

I cant find where ClearCallback code is, Could you share ClearCallback source code, please.

I want to clear PG when DriverEntry called, but got BSOD.

ErrorCode: IRQL_NOT_LESS_OR_EQUAL

What is the problem？

I would like to know if after loading the driver I can disable it? or is this necessary to maintain the patchguard effect? and is it also compatible with Windows 11?

1> Creating library D:\PGPG\Shark\Build\Bins\AMD64\Shark.lib and object D:\PGPG\Shark\Build\Bins\AMD64\Shark.exp
1>LINK : fatal error LNK1123: failure during conversion to COFF: file invalid or corrupt
1>NMAKE : fatal error U1077: 'link.exe' : return code '0x463'

类似微软detous.lib
我使用中发现DetourAttach等函数根本没有编译进detours.lib...

我用的VS2017,不会编译你的文件,可以可以上传支持1903最新版本的release吗?

fix:
Symbol->String = (PCHAR)Symbol->DataTableEntry->DllBase + NameTable[NameIndex];

hello, sometime i got BSOD with SYSTEM_THREAD_EXCEPTION_NOT_HANDLED code, same with windows 7 and windows 10 64 bit, here the log :

`*******************************************************************************

•                                                                         *
  

•                    Bugcheck Analysis                                    *
  

•                                                                         *
  

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc000001d, The exception code that was not handled
Arg2: ffffa981810a2a54, The address that the exception occurred at
Arg3: ffff8c095bacf7a8, Exception Record Address
Arg4: ffff8c095baceff0, Context Record Address

Debugging Details:

KEY_VALUES_STRING: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING: 17763.1.amd64fre.rs5_release.180914-1434

SYSTEM_MANUFACTURER: Razer

SYSTEM_PRODUCT_NAME: Blade Stealth

SYSTEM_SKU: RZ09-02393E31

SYSTEM_VERSION: 4.06

BIOS_VENDOR: Razer

BIOS_VERSION: 3.02

BIOS_DATE: 02/22/2018

BASEBOARD_MANUFACTURER: Razer

BASEBOARD_PRODUCT: Blade Stealth

DUMP_TYPE: 1

BUGCHECK_P1: ffffffffc000001d

BUGCHECK_P2: ffffa981810a2a54

BUGCHECK_P3: ffff8c095bacf7a8

BUGCHECK_P4: ffff8c095baceff0

EXCEPTION_CODE: (NTSTATUS) 0xc000001d - {EXCEPTION} Illegal Instruction An attempt was made to execute an illegal instruction.

FAULTING_IP:
+0
ffffa981`810a2a54 c7 ???

EXCEPTION_RECORD: ffff8c095bacf7a8 -- (.exr 0xffff8c095bacf7a8)
ExceptionAddress: ffffa981810a2a54
ExceptionCode: c000001d (Illegal instruction)
ExceptionFlags: 00000000
NumberParameters: 0

CONTEXT: ffff8c095baceff0 -- (.cxr 0xffff8c095baceff0)
rax=ffffa981810bb31f rbx=ffffa981810bb31f rcx=ffffa981810a02d9
rdx=0000000000000000 rsi=ffffa981810a0a59 rdi=ffffa981810a02d9
rip=ffffa981810a2a54 rsp=ffff8c095bacf9e0 rbp=fffff801419af7d0
r8=0000000000000023 r9=0000000000000000 r10=fffff801419af7d0
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=ffffa9817ec7fc1a r15=fffff80141d72240
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010286
ffffa981`810a2a54 c7 ???
Resetting default scope

CPU_COUNT: 8

CPU_MHZ: 7c8

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 8e

CPU_STEPPING: a

CPU_MICROCODE: 6,8e,a,0 (F,M,S,R) SIG: 84'00000000 (cache) 84'00000000 (init)

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXPNP: 1 (!blackboxpnp)

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: AV

PROCESS_NAME: System

CURRENT_IRQL: 0

ERROR_CODE: (NTSTATUS) 0xc000001d - {EXCEPTION} Illegal Instruction An attempt was made to execute an illegal instruction.

EXCEPTION_CODE_STR: c000001d

ANALYSIS_SESSION_HOST: DESKTOP-QPBMC3H

ANALYSIS_SESSION_TIME: 04-22-2019 22:26:49.0234

ANALYSIS_VERSION: 10.0.17763.132 amd64fre

LAST_CONTROL_TRANSFER: from 000000007e7cf03d to ffffa981810a2a54

FAILED_INSTRUCTION_ADDRESS:
+0
ffffa981`810a2a54 c7 ???

STACK_TEXT:
ffff8c095bace788 fffff801419e01b1 : 000000000000007e ffffffffc000001d ffffa981810a2a54 ffff8c095bacf7a8 : nt!KeBugCheckEx
ffff8c095bace790 fffff801419a346f : 0000000000000003 ffff8c095bacfb10 ffff8c095bac9000 ffff8c095bad0000 : nt!PspSystemThreadStartup$filt$0+0x44
ffff8c095bace7d0 fffff801419d121f : ffff8c095bacfb10 ffff8c095bacedb0 ffff8c095bacee90 000000000010001f : nt!_C_specific_handler+0x9f
ffff8c095bace840 fffff8014192a240 : ffff8c095bacee90 0000000000000000 ffff8c095bacedb0 0000000000000000 : nt!RtlpExecuteHandlerForException+0xf
ffff8c095bace870 fffff80141837ac4 : ffff8c095bacf7a8 ffff8c095bacf4f0 ffff8c095bacf7a8 ffffa981810a02d9 : nt!RtlDispatchException+0x430
ffff8c095bacefc0 fffff801419d9f42 : 0000000000000000 0000000000000000 0000000000000000 fffff80141817e22 : nt!KiDispatchException+0x144
ffff8c095bacf670 fffff801419d478e : ffffbe002b9d8200 0000000000000001 ffffa9818c5e33c0 0000000000000000 : nt!KiExceptionDispatch+0xc2
ffff8c095bacf850 ffffa981810a2a54 : 000000007e7cf03d ffffa981810bb328 ffffa98100000000 ffffa9817eca8680 : nt!KiInvalidOpcodeFault+0x30e
ffff8c095bacf9e0 000000007e7cf03d : ffffa981810bb328 ffffa98100000000 ffffa9817eca8680 ffffe78c00000000 : 0xffffa981810a2a54 ffff8c095bacf9e8 ffffa981810bb328 : ffffa98100000000 ffffa9817eca8680 ffffe78c00000000 0000000000000000 : 0x7e7cf03d ffff8c095bacf9f0 ffffa98100000000 : ffffa9817eca8680 ffffe78c00000000 0000000000000000 ffffa9817eca8680 : 0xffffa981810bb328
ffff8c095bacf9f8 ffffa9817eca8680 : ffffe78c00000000 0000000000000000 ffffa9817eca8680 fffff801558fd50c : 0xffffa98100000000 ffff8c095bacfa00 ffffe78c00000000 : 0000000000000000 ffffa9817eca8680 fffff801558fd50c ffffa9818fe2f640 : 0xffffa9817eca8680
ffff8c095bacfa08 0000000000000000 : ffffa9817eca8680 fffff801558fd50c ffffa9818fe2f640 fffff80141d72240 : 0xffffe78c`00000000

THREAD_SHA1_HASH_MOD_FUNC: 0305f1688681aebed0adad04f2a1f9bbfa632561

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: d02f21f1f7e352aab835030d8af9e02e0e8a177a

THREAD_SHA1_HASH_MOD: cb5f414824c2521bcc505eaa03e92fa10922dad8

FOLLOWUP_IP:
nt!PspSystemThreadStartup$filt$0+44
fffff801`419e01b1 90 nop

FAULT_INSTR_CODE: c4834890

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!PspSystemThreadStartup$filt$0+44

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 438ffec3

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 44

FAILURE_BUCKET_ID: AV_BAD_IP_nt!PspSystemThreadStartup$filt$0

BUCKET_ID: AV_BAD_IP_nt!PspSystemThreadStartup$filt$0

PRIMARY_PROBLEM_CLASS: AV_BAD_IP_nt!PspSystemThreadStartup$filt$0

TARGET_TIME: 2019-04-22T15:08:01.000Z

OSBUILD: 17763

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 784

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS Personal

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2005-12-02 14:58:59

BUILDDATESTAMP_STR: 180914-1434

BUILDLAB_STR: rs5_release

BUILDOSVER_STR: 10.0.17763.1.amd64fre.rs5_release.180914-1434

ANALYSIS_SESSION_ELAPSED_TIME: 4e6

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:av_bad_ip_nt!pspsystemthreadstartup$filt$0

FAILURE_ID_HASH: {32e528d8-24a5-3b2e-58ad-3857d4ab6660}

Followup: MachineOwner
---------`

109 there are many. I hope you can give me some advice

dump.zip

Not sure what's going wrong. Error code c0000034.
Running W10 build 17763.805, driver signature is off.

I still can't load other unsigned driver

https://cdn.discordapp.com/attachments/607343061022015489/993180920507011083/unknown.png