驱动分析驱动被vmp保护，因此首先需要dump驱动以完成脱壳，对KeRevertToUserAffinityThread下断点后dump驱动程序并分别修复SectionAlignment，SizeOfHeaders，PointerToRawData以便其能被ida识别。 入口点逻辑脱完壳后首先定位 security_init_cookie找真正的驱动入口点 这里直接用特征码 48 8B 05 ??

Welcome to Hexo! This is your very first post. Check documentation for more info. If you get any problems when using Hexo, you can find the answer in troubleshooting or you can ask me on GitHub. Quick