There seems to me a problem with the implementation of the Write NULL vulnerability.

Currently, it is not writing NULL to the address pointed to by the user buffer, but to the user buffer itself.

To correct this, I think there should be a second dereference operator on multiple lines:

DbgPrint("[+] *(UserBuffer): 0x%p\n", (PVOID *)UserBuffer);

should become:

DbgPrint("[+] *(UserBuffer): 0x%p\n", *(PVOID *)UserBuffer);

And

*(PVOID *)UserBuffer = NULL;

should become:

**(PVOID *)UserBuffer = NULL;

Or am I missing something?