The known attack technique of using an arbitrary write vulnerability to dynamically disable driver signature enforcement for a short period of time has been widely used. Attackers can load their own drivers directly this way. To mitigate this threat to data security, the MP can record the initial CI flag when the driver is initialized, and check before each driver module is loaded whether the CI flag matches the initial CI flag. If it does not, the next startup is forced to enter safe mode to display warning information and trigger a BSOD.
This situation belongs to what David calls an "edge case", so it is not urgent to implement.