NtLoadKey (and other similar functions) take OBJECT_ATTRIBUTES structures as arguments, which are currently:
- not probed for invalid user-mode data;
- not correctly differentiated between user-mode and kernel-mode root directory handles (the RootDirectory member of OBJECT_ATTRIBUTES). Note that most of the Cm* APIs assume their parameters are kernel-mode.
- if an object/file name relative to a root directory is given, this name is not resolved, so these APIs subsequently fail with STATUS_OBJECT_PATH_SYNTAX_BAD.
These three points must be fixed.
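As an added illustration (not ReactOS code), a user-mode C model of the prologue these functions need before calling into Cm*: the probe of point 1, the caller-mode check on the root handle of point 2, and the root-relative name join of point 3. Every Model* name, the probe limit, the kernel-handle tag bit and the root table are invented for this example; the NTSTATUS values are the real ones.

```c
/* User-mode model of the three checks NtLoadKey needs before it calls the Cm*
 * layer. Not ReactOS code: every Model* name and constant is invented here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef int32_t NTSTATUS; typedef uintptr_t MODEL_HANDLE;
typedef enum { KernelMode = 0, UserMode = 1 } KPROCESSOR_MODE;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_VIOLATION       ((NTSTATUS)0xC0000005)
#define STATUS_INVALID_HANDLE         ((NTSTATUS)0xC0000008)
#define STATUS_OBJECT_PATH_SYNTAX_BAD ((NTSTATUS)0xC000003B)
#define STATUS_NAME_TOO_LONG          ((NTSTATUS)0xC0000106)
/* Stand-ins for MmUserProbeAddress and the kernel-handle tag bit (assumes a 64-bit host). */
#define MODEL_USER_PROBE_LIMIT  ((uintptr_t)0x7FFFFFFF0000ULL)
#define MODEL_KERNEL_HANDLE_BIT ((MODEL_HANDLE)1 << 63)
typedef struct { MODEL_HANDLE RootDirectory; const char *ObjectName; } MODEL_OBJECT_ATTRIBUTES;
static NTSTATUS ModelProbeForRead(const void *p, size_t len) {  /* Point 1: ProbeForRead stand-in */
    uintptr_t a = (uintptr_t)p;  /* reject anything not wholly inside user space */
    return (a + len < a || a + len > MODEL_USER_PROBE_LIMIT) ? STATUS_ACCESS_VIOLATION : STATUS_SUCCESS;
}
/* Point 2: a kernel handle (tag bit set) must not be honoured for a user-mode caller. */
static const char *const ModelRootTable[] = { "\\Registry\\Machine", "\\Registry\\User" };  /* constructed */
static NTSTATUS ModelReferenceRoot(KPROCESSOR_MODE Mode, MODEL_HANDLE h, const char **RootPath) {
    if ((h & MODEL_KERNEL_HANDLE_BIT) && Mode != KernelMode) return STATUS_INVALID_HANDLE;
    size_t idx = (size_t)((h & ~MODEL_KERNEL_HANDLE_BIT) >> 2);  /* handles are 4-aligned, 1-based here */
    if (idx == 0 || idx > 2) return STATUS_INVALID_HANDLE;
    *RootPath = ModelRootTable[idx - 1];
    return STATUS_SUCCESS;
}
/* Point 3: Cm* wants an absolute path, so a root-relative name must be joined with the root's
 * name; an absolute name with a root, or a relative name without one, is a syntax error. */
static NTSTATUS ModelResolveName(KPROCESSOR_MODE Mode, const MODEL_OBJECT_ATTRIBUTES *A, char *Full, size_t Len) {
    const char *root = NULL;
    if (A->RootDirectory) {
        NTSTATUS st = ModelReferenceRoot(Mode, A->RootDirectory, &root);
        if (st != STATUS_SUCCESS) return st;
    }
    if ((root == NULL) != (A->ObjectName[0] == '\\')) return STATUS_OBJECT_PATH_SYNTAX_BAD;
    int n = root ? snprintf(Full, Len, "%s\\%s", root, A->ObjectName) : snprintf(Full, Len, "%s", A->ObjectName);
    return (n < 0 || (size_t)n >= Len) ? STATUS_NAME_TOO_LONG : STATUS_SUCCESS;
}
/* The prologue NtLoadKey should run before touching the registry: capture, then resolve. */
static NTSTATUS ModelLoadKeyPrologue(KPROCESSOR_MODE Mode, const MODEL_OBJECT_ATTRIBUTES *UserAttrs, char *Full, size_t Len) {
    MODEL_OBJECT_ATTRIBUTES captured;
    if (Mode != KernelMode) {  /* Point 1: probe only user-mode callers; a kernel caller passes kernel memory */
        NTSTATUS st = ModelProbeForRead(UserAttrs, sizeof(*UserAttrs));
        if (st != STATUS_SUCCESS) return st;
    }
    captured = *UserAttrs;  /* copy once (real code wraps this in SEH); never re-read the user buffer */
    return ModelResolveName(Mode, &captured, Full, Len);
}
```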