rbmm · May 15, 2023 13:09
diff --git a/gistfile1.txt b/gistfile1.txt
 #ifndef OFFSETOFCLASS
 #define OFFSETOFCLASS(base, derived) ((ULONG)((LONG_PTR)(static_cast<base*>((derived*)MINLONG_PTR))-MINLONG_PTR))
 #endif

 __declspec(noinline) NTSTATUS TestQuery(PVOID pv, ULONG cb, ULONG* rcb)
 {
 	ULONG s = GetTickCount() ? 0x64 : 0x20;
 	DbgPrint("API: 0x%p 0x%x | 0x%p << 0x%x\n", pv, cb, RtlOffsetToPointer(pv, cb), s);
 	*rcb = s;
 	if (cb < s)
 	{
 		memset(pv, '3', cb);
 		return STATUS_BUFFER_OVERFLOW;
 	}
 	memset(pv, '3', s);
 	return STATUS_SUCCESS;
 }

 void DoTestQuery()
 {
 	NTSTATUS status;
 	PVOID stack = alloca(guz);
 	ULONG cb = 0, rcb = 0x20;

 	struct PAD_04 
 	{
 		ULONG pad;
 	};

 	struct KEY_VALUE_PARTIAL_INFORMATION_DATA_ALIGNED : PAD_04, KEY_VALUE_PARTIAL_INFORMATION
 	{
 	};

 	union {
 		PVOID buf = 0;
 		KEY_VALUE_PARTIAL_INFORMATION_DATA_ALIGNED* pkvpi;
 	};

 	do 
 	{
 		rcb += OFFSETOFCLASS(KEY_VALUE_PARTIAL_INFORMATION, KEY_VALUE_PARTIAL_INFORMATION_DATA_ALIGNED);

 		if (cb < rcb)
 		{
 			if (cb)
 			{
 				// second - allocate from heap
 				if (buf)
 				{
 					_freea(buf);
 				}
 				if (!(buf = new UCHAR[cb = rcb]))
 				{
 					status = STATUS_NO_MEMORY;
 					break;
 				}
 			}
 			else
 			{
 				// first try allocate in stack
 				cb = RtlPointerToOffset(buf = alloca(rcb), stack);
 			}
 		}

 		DbgPrint("BUF: 0x%p 0x%x | 0x%p\n", pkvpi, cb, RtlOffsetToPointer(pkvpi, cb));

 		status = TestQuery(static_cast<PKEY_VALUE_PARTIAL_INFORMATION>(pkvpi), 
 			cb - OFFSETOFCLASS(KEY_VALUE_PARTIAL_INFORMATION, KEY_VALUE_PARTIAL_INFORMATION_DATA_ALIGNED), 
 			&rcb);

 	} while (status == STATUS_BUFFER_OVERFLOW && rcb < 0x10000);

 	if (buf)
 	{
 		_freea(buf);
 	}
 }

 /*

 BUF: 0x000000FAACF2F8D0 0x30 | 0x000000FAACF2F900
 API: 0x000000FAACF2F8D4 0x2c | 0x000000FAACF2F900 << 0x64
 BUF: 0x0000028D1BE38980 0x68 | 0x0000028D1BE389E8
 API: 0x0000028D1BE38984 0x64 | 0x0000028D1BE389E8 << 0x64

 */
	#ifndef OFFSETOFCLASS
	#define OFFSETOFCLASS(base, derived) ((ULONG)((LONG_PTR)(static_cast<base>((derived)MINLONG_PTR))-MINLONG_PTR))
	#endif

	__declspec(noinline) NTSTATUS TestQuery(PVOID pv, ULONG cb, ULONG* rcb)
	{
	ULONG s = GetTickCount() ? 0x64 : 0x20;
	DbgPrint("API: 0x%p 0x%x \| 0x%p << 0x%x\n", pv, cb, RtlOffsetToPointer(pv, cb), s);
	*rcb = s;
	if (cb < s)
	{
	memset(pv, '3', cb);
	return STATUS_BUFFER_OVERFLOW;
	}
	memset(pv, '3', s);
	return STATUS_SUCCESS;
	}

	void DoTestQuery()
	{
	NTSTATUS status;
	PVOID stack = alloca(guz);
	ULONG cb = 0, rcb = 0x20;

	struct PAD_04
	{
	ULONG pad;
	};

	struct KEY_VALUE_PARTIAL_INFORMATION_DATA_ALIGNED : PAD_04, KEY_VALUE_PARTIAL_INFORMATION
	{
	};

	union {
	PVOID buf = 0;
	KEY_VALUE_PARTIAL_INFORMATION_DATA_ALIGNED* pkvpi;
	};

	do
	{
	rcb += OFFSETOFCLASS(KEY_VALUE_PARTIAL_INFORMATION, KEY_VALUE_PARTIAL_INFORMATION_DATA_ALIGNED);

	if (cb < rcb)
	{
	if (cb)
	{
	// second - allocate from heap
	if (buf)
	{
	_freea(buf);
	}
	if (!(buf = new UCHAR[cb = rcb]))
	{
	status = STATUS_NO_MEMORY;
	break;
	}
	}
	else
	{
	// first try allocate in stack
	cb = RtlPointerToOffset(buf = alloca(rcb), stack);
	}
	}

	DbgPrint("BUF: 0x%p 0x%x \| 0x%p\n", pkvpi, cb, RtlOffsetToPointer(pkvpi, cb));

	status = TestQuery(static_cast<PKEY_VALUE_PARTIAL_INFORMATION>(pkvpi),
	cb - OFFSETOFCLASS(KEY_VALUE_PARTIAL_INFORMATION, KEY_VALUE_PARTIAL_INFORMATION_DATA_ALIGNED),
	&rcb);

	} while (status == STATUS_BUFFER_OVERFLOW && rcb < 0x10000);

	if (buf)
	{
	_freea(buf);
	}
	}

	/*

	BUF: 0x000000FAACF2F8D0 0x30 \| 0x000000FAACF2F900
	API: 0x000000FAACF2F8D4 0x2c \| 0x000000FAACF2F900 << 0x64
	BUF: 0x0000028D1BE38980 0x68 \| 0x0000028D1BE389E8
	API: 0x0000028D1BE38984 0x64 \| 0x0000028D1BE389E8 << 0x64

	*/