Index: misc/copy.c
===================================================================
--- win32ss/user/ntuser/misc/copy.c (revision 62928)
+++ win32ss/user/ntuser/misc/copy.c (working copy)
@@ -1,12 +1,22 @@
 #include "win32k.h"
-NTSTATUS _MmCopyFromCaller( PVOID Target, PVOID Source, UINT Bytes ) {
- NTSTATUS Status = STATUS_SUCCESS;
+_IRQL_requires_max_(APC_LEVEL)
+NTSTATUS
+_MmCopyFromCaller(
+ _Out_writes_bytes_all_(Bytes) PVOID Target,
+ _In_reads_bytes_(Bytes) PVOID Source,
+ _In_ UINT Bytes)
+{
+ NTSTATUS Status;
+ PAGED_CODE();
+ ASSERT(ExGetPreviousMode() == UserMode);
+
+ Status = STATUS_SUCCESS;
 _SEH2_TRY
 {
- ProbeForRead(Source,Bytes,1);
- RtlCopyMemory(Target,Source,Bytes);
+ ProbeForRead(Source, Bytes, 1);
+ RtlCopyMemory(Target, Source, Bytes);
 }
 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
 {
@@ -17,13 +27,23 @@
 return Status;
 }
-NTSTATUS _MmCopyToCaller( PVOID Target, PVOID Source, UINT Bytes ) {
- NTSTATUS Status = STATUS_SUCCESS;
+_IRQL_requires_max_(APC_LEVEL)
+NTSTATUS
+_MmCopyToCaller(
+ _Out_writes_bytes_all_(Bytes) PVOID Target,
+ _In_reads_bytes_(Bytes) PVOID Source,
+ _In_ UINT Bytes)
+{
+ NTSTATUS Status;
+ PAGED_CODE();
+ ASSERT(ExGetPreviousMode() == UserMode);
+
+ Status = STATUS_SUCCESS;
 _SEH2_TRY
 {
- /* ProbeForWrite(Target,Bytes,1); */
- RtlCopyMemory(Target,Source,Bytes);
+ ProbeForWrite(Target, Bytes, 1);
+ RtlCopyMemory(Target, Source, Bytes);
 }
 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
 {
Index: mmcopy.h
===================================================================
--- win32ss/user/ntuser/mmcopy.h (revision 62928)
+++ win32ss/user/ntuser/mmcopy.h (working copy)
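Review bot: The new `ASSERT(ExGetPreviousMode() == UserMode);` in `_MmCopyFromCaller` (and the identical line in `_MmCopyToCaller` in the next hunk) only exists in checked builds, so in a release build `ProbeForRead` is the one thing standing between a bad `Source` and the copy; a short comment would make that explicit, e.g. `/* Debug-only expectation; the probe below is the enforced check */`. Since the result is the only signal that the capture failed, I would also put `_Must_inspect_result_` ahead of `NTSTATUS` on both functions and their prototypes so that static analysis flags callers that use `Target` without checking the status. The exception handler body is outside the hunk; that it stores the exception code in `Status` is assumed.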
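Review bot: Turning on `ProbeForWrite(Target, Bytes, 1)` in `_MmCopyToCaller` changes what existing callers see: any call site that hands in a `Target` outside the user address range used to succeed and will now come back with a failure status (and trip the `ASSERT` only if the previous mode is kernel). The call sites are not part of this diff, so they should be checked for `MmCopyToCaller` uses on kernel buffers before this lands. I would also replace the removed commented-out line with an explanation, so the probe is not disabled again: `/* Target is caller-supplied; the probe keeps the copy from writing outside user address space */`. The function body continues past the end of the hunk.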
@@ -1,8 +1,19 @@
 #pragma once
-NTSTATUS _MmCopyFromCaller( PVOID Target, PVOID Source, UINT Bytes );
-NTSTATUS _MmCopyToCaller( PVOID Target, PVOID Source, UINT Bytes );
+_IRQL_requires_max_(APC_LEVEL)
+NTSTATUS
+_MmCopyFromCaller(
+ _Out_writes_bytes_all_(Bytes) PVOID Target,
+ _In_reads_bytes_(Bytes) PVOID Source,
+ _In_ UINT Bytes);
+_IRQL_requires_max_(APC_LEVEL)
+NTSTATUS
+_MmCopyToCaller(
+ _Out_writes_bytes_all_(Bytes) PVOID Target,
+ _In_reads_bytes_(Bytes) PVOID Source,
+ _In_ UINT Bytes);
+
 #define MmCopyFromCaller(x,y,z) _MmCopyFromCaller((PCHAR)(x),(PCHAR)(y),(UINT)(z))
 #define MmCopyToCaller(x,y,z) _MmCopyToCaller((PCHAR)(x),(PCHAR)(y),(UINT)(z))
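Review bot: The annotated prototypes are still reached only through the `MmCopyFromCaller`/`MmCopyToCaller` macros at the end of the header, which cast every argument (`(PCHAR)(x)`, `(PCHAR)(y)`, `(UINT)(z)`), so the new SAL annotations cannot flag a caller that passes the wrong kind of argument, and a length wider than `UINT` is truncated without a warning before it reaches the probe. Consider dropping the casts, or at least the length cast, so the compiler and analyzer see the caller's real types, e.g. `#define MmCopyFromCaller(x,y,z) _MmCopyFromCaller((x),(y),(z))`. That will probably surface warnings at call sites that depend on the casts today, which is the information the annotations are meant to provide.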