On Mon, 3 Jul 2017 at 05:07, lynnux ***@***.***> wrote: I use KPP Destroyer to disable patchguard on win8 x64, it seem patched nt!MiValidateSectionCreate: orignal: PAGE:000000014038B326 E8 15 FC FF FF call SeValidateImageHeader PAGE:000000014038B32B 8B F8 mov edi, eax PAGE:000000014038B32D 3D 2D 01 00 00 cmp eax, 12Dh PAGE:000000014038B332 0F 84 6F 5B 1A 00 jz loc_140530EA7 PAGE:000000014038B338 PAGE:000000014038B338 loc_14038B338: ; CODE XREF: MiValidateSectionCreate+2BE�j PAGE:000000014038B338 ; MiValidateSectionCreate+560�j ... PAGE:000000014038B338 4C 3B AC 24 80 00 00 00 cmp r13, [rsp+188h+var_108] patched: fffff802`03da2326 e815fcffff call nt!SeValidateImageHeader (fffff802`03da1f40) fffff802`03da232b 90 nop fffff802`03da232c 90 nop fffff802`03da232d 90 nop fffff802`03da232e 90 nop fffff802`03da232f 90 nop fffff802`03da2330 90 nop fffff802`03da2331 90 nop fffff802`03da2332 90 nop fffff802`03da2333 90 nop fffff802`03da2334 90 nop fffff802`03da2335 90 nop fffff802`03da2336 90 nop fffff802`03da2337 90 nop fffff802`03da2338 4c3bac2480000000 cmp r13,qword ptr [rsp+80h] you can see, there are many nops, which count is 13 > 12, the FindCaveAddress will find the address as the CaveAddress. So after hook, BSOD will comes when calling nt!MiValidateSectionCreate. So I suggest FindCaveAddress not use nop area to hook. It's easy to reproduce BSOD when shutdown. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#26>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACWCmX_1pWJYzaoNHn1b-8h55dZZZ_OMks5sKFrcgaJpZM4OLylE> .