BSOD on calling Utils::GetModuleBase

[giaanthunder]

The AC does not let me to get base address from user mode so I have to do that in kernel mode. But every time I call the GetModuleBase in Utils.cpp my os crashes. I've tried other method from other working driver but it got crashed too. I am really feeling stuck now. Could you give me hints?

PLDR_DATA_TABLE_ENTRY GetModuleByName(PEPROCESS process, PWCHAR moduleName) {
    UNICODE_STRING moduleNameStr = { 0 };
    RtlInitUnicodeString((PUNICODE_STRING)&moduleNameStr, (PCWSTR)moduleName);

    PLIST_ENTRY list = &((PsGetProcessPeb)(process)->Ldr->InLoadOrderModuleList);
    for (PLIST_ENTRY entry = list->Flink; entry != list; ) {
        PLDR_DATA_TABLE_ENTRY module = CONTAINING_RECORD(entry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);

        if ((RtlCompareUnicodeString)(&module->BaseDllName, &moduleNameStr, TRUE) == 0) {
            return module;
        }
        entry = module->InLoadOrderLinks.Flink;
    }
    return NULL;
}

void HandleGetModuleBase(const SVM::PVIRTUAL_PROCESSOR_DATA vpData, const SVM::PGUEST_CONTEXT guestContext) {
    UNREFERENCED_PARAMETER(vpData);
    PWCHAR Module = (PWCHAR)guestContext->VpRegs->R8;
    ULONG64 ProcessId = guestContext->VpRegs->R9;

    PVOID base = NULL;
    PEPROCESS process = NULL;
    NTSTATUS status = (PsLookupProcessByProcessId)((HANDLE)ProcessId, &process);
    if (NT_SUCCESS(status)) {
        (KeAttachProcess)(process);
        PLDR_DATA_TABLE_ENTRY module = GetModuleByName(process, Module);
        if (module) {
            base = module->DllBase;
        }
        (KeDetachProcess)();
        (ObfDereferenceObject)(process);
    }

    guestContext->VpRegs->Rax = reinterpret_cast<ULONG64>(base);
}

[poopoosdd]

you could try using PsGetSectionBaseAddress that works fine