Determine the boundaries of the non-paged kernel pool

I answer myself, because I still figured it out. The task was more specific: to find some function by its imprint (do not ask why :)), and I wanted all this not to depend on the current OS, so the following solution came:

1. Using the ExAllocatePoolWithTag function, ExAllocatePoolWithTag allocate memory in the Non-Paged kernel area. The function returns the PVOID type, so we get an address that is guaranteed to be somewhere in the desired area. That is, non-paged pool to both sides of this address.
2. In the loop we run in both directions, according to the condition MmIsAddressValid for the current address and for the текущего + sizeof(ULONG64) (that is why I received the BSOD with driver_irql_not_less_or_equal ), since for each address a coercion to ULONG64 .
3. To speed up the process, I used the KeIpiGenericCall function - it allows you to use all active processors. That is, each processor scans its memory.

Code like this:

 Function1(ULONG_PTR argument) { LONG processorNumber; ULONG processorsCount; KIRQL oldIrql; UNREFERENCED_PARAMETER(argument); processorNumber = KeGetCurrentProcessorNumber(); processorsCount = KeQueryActiveProcessorCount(NULL); KeRaiseIrql(HIGH_LEVEL, &oldIrql); //Вот финт с параллельностью: проверяется со смещением в количество процессоров //а начинается для каждого процессора со своего адреса, тогда для 2-хядерной системы //первое ядро будет сканировать 1,3,5,... а второе - 2,4,6,... Function2(StartSearchAddress + processorNumber, processorsCount); Function2(StartSearchAddress - processorNumber, (-1)*processorsCount); KeLowerIrql(oldIrql); } Function2(PUCHAR startAddress, int offset) { PUCHAR checkingAddress = startAddress; ULONG64 value; while (MmIsAddressValid(checkingAddress) && MmIsAddressValid(checkingAddress + sizeof(ULONG64))) { value = *((PULONG64)checkingAddress); //здесь по необходимости действия с value }