win10 x64 获取shadow ssdt函数地址时蓝屏

能正确获取shadow ssdt的地址，也能打印出来函数shadow ssdt函数个数，但是运行到dwTemp = *(PLONG)qwTemp;会直接蓝屏

#include <ntddk.h>

typedef struct _SYSTEM_SERVICE_TABLE
{
    PVOID ServiceTableBase; //这个指向系统服务函数地址表

    PVOID ServiceCounterTableBase;

    ULONG64 NumberOfService; //服务函数的个数

    PVOID ParamTableBase;//参数表 

}SYSTEM_SERVICE_TABLE, * PSYSTEM_SERVICE_TABLE;
PSYSTEM_SERVICE_TABLE KeServiceDescriptorTableShadow = NULL;



ULONGLONG GetKeServiceDescriptorTableShadow64()
{
    PUCHAR StartSearchAddress = (PUCHAR)__readmsr(0xC0000082);
    PUCHAR EndSearchAddress = StartSearchAddress + 0x500;
    PUCHAR i = NULL;
    UCHAR b1 = 0, b2 = 0, b3 = 0;
    ULONG templong = 0;
    ULONGLONG addr = 0;
    for (i = StartSearchAddress; i < EndSearchAddress; i++)
    {
        if (MmIsAddressValid(i) && MmIsAddressValid(i + 1) && MmIsAddressValid(i + 2))
        {
            b1 = *i;
            b2 = *(i + 1);
            b3 = *(i + 2);
            if (b1 == 0x4c && b2 == 0x8d && b3 == 0x1d) //4c8d1d
            {
                memcpy(&templong, i + 3, 4);
                addr = (ULONGLONG)templong + (ULONGLONG)i + 7;
                return addr;
            }
        }
    }
    return 0;
}


ULONGLONG GetSSSDTFuncCurAddr64(ULONG64 Index)
{
    ULONGLONG                W32pServiceTable = 0, qwTemp = 0;
    LONG                 dwTemp = 0;
    PSYSTEM_SERVICE_TABLE    pWin32k;
    //DbgBreakPoint();
    KeServiceDescriptorTableShadow = (PSYSTEM_SERVICE_TABLE)GetKeServiceDescriptorTableShadow64();
    pWin32k = (PSYSTEM_SERVICE_TABLE)((ULONG64)KeServiceDescriptorTableShadow + sizeof(SYSTEM_SERVICE_TABLE));
    DbgPrint("(ULONG64)KeServiceDescriptorTableShadow is %p\n", KeServiceDescriptorTableShadow);
    DbgPrint("pWin32k->ServiceTableBase is %p\n", pWin32k->ServiceTableBase);
    DbgPrint("SSSDT函数个数：%d\n", pWin32k->NumberOfService);
    W32pServiceTable = (ULONGLONG)(pWin32k->ServiceTableBase);
    //ul64W32pServiceTable = W32pServiceTable;
    qwTemp = W32pServiceTable + 4 * (Index - 0x1000);    //这里是获得偏移地址的位置，要HOOK的话修改这里即可
    dwTemp = *(PLONG)qwTemp;
    dwTemp = dwTemp >> 4;
    qwTemp = W32pServiceTable + (LONG64)dwTemp;
    return qwTemp;
}


VOID DrvUnload(PDRIVER_OBJECT pdriver)
{
    DbgPrint("Unload\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{
    NTSTATUS status = STATUS_SUCCESS; //定义一个返回值
    //GetSSSDTFuncCurAddr64(0x1011);
    DbgPrint("%p\n", GetSSSDTFuncCurAddr64(1));
    driver->DriverUnload = DrvUnload;

    return status;
}

qwTemp是longlong类型，用PLONG转换不会溢出么？