A quiz: https://twitter.com/m417z/status/1522190986922897408

heaven's_bug.cpp

#include <windows.h>
#include <stdio.h>
#include <inttypes.h>

DWORD64 getNTDLL64();
DWORD64 getLdrGetProcedureAddress();
DWORD64 X64Call0(DWORD64 func);
DWORD64 X64Call1(DWORD64 func, DWORD64 arg1);
DWORD64 X64Call2(DWORD64 func, DWORD64 arg1, DWORD64 arg2);
DWORD64 X64Call3(DWORD64 func, DWORD64 arg1, DWORD64 arg2, DWORD64 arg3);
DWORD64 X64Call4(DWORD64 func, DWORD64 arg1, DWORD64 arg2, DWORD64 arg3, DWORD64 arg4);

struct UNICODE_STRING_64 {
    union {
        struct {
            WORD Length;
            WORD MaximumLength;
        };
        DWORD64 dummy;
    };
    DWORD64 Buffer;
};

DWORD64 GetProcAddress64(DWORD64 hModule, char* funcName) {
    DWORD64 LdrGetProcedureAddress = getLdrGetProcedureAddress();
    UNICODE_STRING_64 fName = { 0 };
    fName.Buffer = (DWORD64)funcName;
    fName.Length = (WORD)strlen(funcName);
    fName.MaximumLength = fName.Length + 1;
    DWORD64 funcRet = 0;
    X64Call4(LdrGetProcedureAddress, hModule, (DWORD64)&fName, (DWORD64)0, (DWORD64)&funcRet);
    return funcRet;
}

void WhatTheBug() {
    DWORD64 ptr = GetProcAddress64(getNTDLL64(), "NtQueryVirtualMemory");
    printf("%" PRIu64 "\n", ptr);
}