MDL works by accident

[BomboBombone]

MDL allocation, as well as any kernel function call with more than 4 args will work based on pure luck.

Explanation: x64 calling convention will try to pass any parameters after the 4th via stack, which cannot be possible since the syscall will switch the stack pointer, and the function will use as arguments whatever is on the stack at that point in time.

Possible fix: add dynamic assembly generation for stack allocation of arguments and use call/ret instead of jump to be able to restore stack state before returning like this

This could also explain the random BSODs some people experience when using MDL allocations since those require functions with more than 4 args.

[TheCruZ]

This is true and will be glad to accept your pull request if you fix it, mdl was done by another contributor and I didn't see that little mistake on that time

[BomboBombone]

This is true and will be glad to accept your pull request if you fix it, mdl was done by another contributor and I didn't see that little mistake on that time

I would suggest opening a branch for the eventual MDL development, or at the very least implement a small stub like the one showed, to set the first 2-3 stack params to 0, which could help make MDL allocations more deterministic while still being broken for any future development involving functions with lots of arguments. If opening a branch doesn't seem like a good idea at the very least a warning should be printed when a KernelCall is being made with any more than 4 params to warn. If branching is possible disable MDL allocations from master and keep it in the second branch. If for any reason I will ever need to implement this correctly I will submit a push request, until then I'll use the same "patch" I showed in the issue since it's enough for me.

[HackBd1]

auto new_cookie = 0x2B992DDFA232 ^ GetCurrentProcessId() ^ GetCurrentThreadId();   22h2 我该如何修复