Just want to note for the archives that, despite the name, the “Args to
Child” are not really the arguments to the function. The first four
arguments are passed in registers and the “Args to Child” are the
Home/Spill/Shadow Space on the stack that’s part of the x64 ABI.
The Debug build functions will “home” the register arguments onto the stack
and thus these will be the arguments. Release build can use the Home Space
for whatever it wants. Looks like you got lucky in this case, though it’s
not the rule.
-scott
OSR
@OSRDrivers
Next Seminar: Windows Internals and Software Driver Development
9-13 April 2018, Sterling, VA
https://www.osr.com/seminars/software-drivers/