- Not all the wcscpy() / swprintf() calls have been converted to their
string-safe equivalents. Instead I used the string-safe functions only
for places where strings of unknown length were copied into fixed-size
internal buffers. On the contrary, for known-fixed-length strings being
copied or numbers being converted to string representations in large
enough buffers, I kept the original function calls.
- Verify the registry data that has been returned by NtQueryValueKey():
* When expecting (not multi) strings, check whether the data type is
either REG_SZ or REG_EXPAND_SZ.
* When expecting DWORD values, check whether the data type is
REG_DWORD and whether the data length is (greater or) equal to
sizeof(ULONG).
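Added example of the two checks described above, written for this page and not taken from ReactOS: it validates a KEY_VALUE_PARTIAL_INFORMATION record before copying a string or reading a DWORD from it. The typedefs and REG_* constants are local stand-ins for the NT headers (matching the public values) so the code builds on any C compiler; MakeValue() only builds constructed sample records.

```c
/* Added example, not ReactOS code: validate what NtQueryValueKey() returned
 * before trusting it. Local typedefs stand in for the NT headers so this
 * builds anywhere; constants match the public REG_* values. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t ULONG;
typedef uint16_t WCHAR;            /* UTF-16 code unit, as on Windows */
#define REG_SZ        1
#define REG_EXPAND_SZ 2
#define REG_DWORD     4

/* Same layout as KEY_VALUE_PARTIAL_INFORMATION (KeyValuePartialInformation). */
typedef struct {
    ULONG TitleIndex;
    ULONG Type;
    ULONG DataLength;
    unsigned char Data[1];         /* DataLength bytes follow */
} KEY_VALUE_PARTIAL_INFORMATION;

/* Copy a REG_SZ / REG_EXPAND_SZ value into dst (dstChars code units).
 * Returns 1 on success; 0 on wrong type or if it would not fit with a
 * terminator. The bound is the destination, never the reported length. */
int GetRegString(const KEY_VALUE_PARTIAL_INFORMATION *kv, WCHAR *dst, size_t dstChars)
{
    if (kv->Type != REG_SZ && kv->Type != REG_EXPAND_SZ) return 0;
    size_t chars = kv->DataLength / sizeof(WCHAR);   /* ignore an odd trailing byte */
    WCHAR last = 1;
    if (chars > 0) memcpy(&last, kv->Data + (chars - 1) * sizeof(WCHAR), sizeof last);
    if (last == 0) chars--;        /* stored terminator: we append our own */
    if (chars >= dstChars) return 0;
    memcpy(dst, kv->Data, chars * sizeof(WCHAR));
    dst[chars] = 0;
    return 1;
}

/* Read a REG_DWORD: type must match and at least sizeof(ULONG) bytes present. */
int GetRegDword(const KEY_VALUE_PARTIAL_INFORMATION *kv, ULONG *out)
{
    if (kv->Type != REG_DWORD || kv->DataLength < sizeof(ULONG)) return 0;
    memcpy(out, kv->Data, sizeof *out);
    return 1;
}

/* Constructed sample record (buf must be ULONG-aligned and large enough). */
KEY_VALUE_PARTIAL_INFORMATION *MakeValue(void *buf, ULONG type, const void *data, ULONG len)
{
    KEY_VALUE_PARTIAL_INFORMATION *kv = buf;
    kv->TitleIndex = 0; kv->Type = type; kv->DataLength = len;
    memcpy(kv->Data, data, len);
    return kv;
}
```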
- 64 MB used to be enough to at least finish 2nd stage, but that does not
always seem to be the case anymore. Leaving this little free space does
not make for a good user experience either way.
256 MB is still not much, but at least provides slightly more usability.
- The PROCESS_DEVICEMAP_INFORMATION union has 2 fields, one is a handle,
the other one is a structure of 36 bytes (independent of architecture).
The handle forces 64 bit alignment on 64 bit builds, making the structure
4 bytes bigger than on 32 bit builds. The size is checked in
NtQueryInformationProcess (case ProcessDeviceMap). The expected size on
x64 is the size of the Query structure without alignment. autocheck
correctly passes the size of the Query union member, while smss passes
the full size of PROCESS_DEVICEMAP_INFORMATION. Packing the structure is
not an option, since it is defined in public headers without packing.
Using the original headers sizeof(PROCESS_DEVICEMAP_INFORMATION) is 0x28,
sizeof(PROCESS_DEVICEMAP_INFORMATION::Query) is 0x24.