rbmm/gist:95e32370d22a628f83e681493d79e437

## gistfile1.txt
#ifndef OFFSETOFCLASS
#define OFFSETOFCLASS(base, derived) ((ULONG)((LONG_PTR)(static_cast<base*>((derived*)MINLONG_PTR))-MINLONG_PTR))
#endif

__declspec(noinline) NTSTATUS TestQuery(PVOID pv, ULONG cb, ULONG* rcb)
{
	ULONG s = GetTickCount() ? 0x64 : 0x20;
	DbgPrint("API: 0x%p 0x%x | 0x%p << 0x%x\n", pv, cb, RtlOffsetToPointer(pv, cb), s);
	*rcb = s;
	if (cb < s)
	{
		memset(pv, '3', cb);
		return STATUS_BUFFER_OVERFLOW;
	}
	memset(pv, '3', s);
	return STATUS_SUCCESS;
}

void DoTestQuery()
{
	NTSTATUS status;
	PVOID stack = alloca(guz);
	ULONG cb = 0, rcb = 0x20;

	struct PAD_04
	{
		ULONG pad;
	};

	struct KEY_VALUE_PARTIAL_INFORMATION_DATA_ALIGNED : PAD_04, KEY_VALUE_PARTIAL_INFORMATION
	{
	};

	union {
		PVOID buf = 0;
		KEY_VALUE_PARTIAL_INFORMATION_DATA_ALIGNED* pkvpi;
	};

	do
	{
		rcb += OFFSETOFCLASS(KEY_VALUE_PARTIAL_INFORMATION, KEY_VALUE_PARTIAL_INFORMATION_DATA_ALIGNED);

		if (cb < rcb)
		{
			if (cb)
			{
				// second - allocate from heap
				if (buf)
				{
					_freea(buf);
				}
				if (!(buf = new UCHAR[cb = rcb]))
				{
					status = STATUS_NO_MEMORY;
					break;
				}
			}
			else
			{
				// first try allocate in stack
				cb = RtlPointerToOffset(buf = alloca(rcb), stack);
			}
		}

		DbgPrint("BUF: 0x%p 0x%x | 0x%p\n", pkvpi, cb, RtlOffsetToPointer(pkvpi, cb));

		status = TestQuery(static_cast<PKEY_VALUE_PARTIAL_INFORMATION>(pkvpi),
			cb - OFFSETOFCLASS(KEY_VALUE_PARTIAL_INFORMATION, KEY_VALUE_PARTIAL_INFORMATION_DATA_ALIGNED),
			&rcb);

	} while (status == STATUS_BUFFER_OVERFLOW && rcb < 0x10000);

	if (buf)
	{
		_freea(buf);
	}
}

/*

BUF: 0x000000FAACF2F8D0 0x30 | 0x000000FAACF2F900
API: 0x000000FAACF2F8D4 0x2c | 0x000000FAACF2F900 << 0x64
BUF: 0x0000028D1BE38980 0x68 | 0x0000028D1BE389E8
API: 0x0000028D1BE38984 0x64 | 0x0000028D1BE389E8 << 0x64

*/
	#ifndef OFFSETOFCLASS
	#define OFFSETOFCLASS(base, derived) ((ULONG)((LONG_PTR)(static_cast<base>((derived)MINLONG_PTR))-MINLONG_PTR))
	#endif

	__declspec(noinline) NTSTATUS TestQuery(PVOID pv, ULONG cb, ULONG* rcb)
	{
	ULONG s = GetTickCount() ? 0x64 : 0x20;
	DbgPrint("API: 0x%p 0x%x \| 0x%p << 0x%x\n", pv, cb, RtlOffsetToPointer(pv, cb), s);
	*rcb = s;
	if (cb < s)
	{
	memset(pv, '3', cb);
	return STATUS_BUFFER_OVERFLOW;
	}
	memset(pv, '3', s);
	return STATUS_SUCCESS;
	}

	void DoTestQuery()
	{
	NTSTATUS status;
	PVOID stack = alloca(guz);
	ULONG cb = 0, rcb = 0x20;

	struct PAD_04
	{
	ULONG pad;
	};

	struct KEY_VALUE_PARTIAL_INFORMATION_DATA_ALIGNED : PAD_04, KEY_VALUE_PARTIAL_INFORMATION
	{
	};

	union {
	PVOID buf = 0;
	KEY_VALUE_PARTIAL_INFORMATION_DATA_ALIGNED* pkvpi;
	};

	do
	{
	rcb += OFFSETOFCLASS(KEY_VALUE_PARTIAL_INFORMATION, KEY_VALUE_PARTIAL_INFORMATION_DATA_ALIGNED);

	if (cb < rcb)
	{
	if (cb)
	{
	// second - allocate from heap
	if (buf)
	{
	_freea(buf);
	}
	if (!(buf = new UCHAR[cb = rcb]))
	{
	status = STATUS_NO_MEMORY;
	break;
	}
	}
	else
	{
	// first try allocate in stack
	cb = RtlPointerToOffset(buf = alloca(rcb), stack);
	}
	}

	DbgPrint("BUF: 0x%p 0x%x \| 0x%p\n", pkvpi, cb, RtlOffsetToPointer(pkvpi, cb));

	status = TestQuery(static_cast<PKEY_VALUE_PARTIAL_INFORMATION>(pkvpi),
	cb - OFFSETOFCLASS(KEY_VALUE_PARTIAL_INFORMATION, KEY_VALUE_PARTIAL_INFORMATION_DATA_ALIGNED),
	&rcb);

	} while (status == STATUS_BUFFER_OVERFLOW && rcb < 0x10000);

	if (buf)
	{
	_freea(buf);
	}
	}

	/*

	BUF: 0x000000FAACF2F8D0 0x30 \| 0x000000FAACF2F900
	API: 0x000000FAACF2F8D4 0x2c \| 0x000000FAACF2F900 << 0x64
	BUF: 0x0000028D1BE38980 0x68 \| 0x0000028D1BE389E8
	API: 0x0000028D1BE38984 0x64 \| 0x0000028D1BE389E8 << 0x64

	*/