[easy]

Hello, I want scan all loaded kernel modules.
The problem is I dont know how to safely read unknown kernel memory.
So i enumerating modules list, and reading each section regarding pe header, excluding discardable.
For some modules (such as win32k) read operation causes reboot without bsod, but i can bypass it with attach to any gui process.
But for some other (for example, cdd.dll) it falls on RtlImageHeader with PAGE_FAULT.
I tried IoAllocateMdl + MMProbeAndLockPages and it also causes bsod.
Any idea to accomplish that ?

[easy]

while topic was approved, solved it checking address with MMGetPhysicalAddress

[Vrtule]

MmGetPhysicalAddress does not recognize memory that is currently stored in the page file only. Also, the documentation suggests you should not use this function for memory used for DMA operations.

As far as I know, there is no general way how to safe read a block of kernel memory.

[tangptr]

Did you enclose an SEH block for your MmProbeAndLockPages invoking? This is essential for invoking it.
In addition, result of MmGetPhysicalAddress is only valid for system-session addresses. Result for memories of DMA, win32-subsystem, user-mode, etc. from MmGetPhysicalAddress are invalid.