diff --git a/packetWin7/npf/npf/Openclos.c b/packetWin7/npf/npf/Openclos.c
index fe72b409..133ba040 100644
--- a/packetWin7/npf/npf/Openclos.c
+++ b/packetWin7/npf/npf/Openclos.c
@@ -82,7 +82,7 @@
 
 #include "stdafx.h"
 
-#include "packet.h"
+#include "Packet.h"
 #include "Loopback.h"
 #include "..\..\..\Common\WpcapNames.h"
 
@@ -242,7 +242,10 @@ NPF_GetFilterModuleByAdapterName(
   \return Pointer to the new open instance.
 
 */
-_Ret_maybenull_
+
+_Must_inspect_result_
+_Success_(return != NULL)
+__drv_allocatesMem(mem)
 POPEN_INSTANCE
 NPF_CreateOpenObject(
 	_In_ NDIS_HANDLE NdisHandle
diff --git a/packetWin7/npf/npf/Packet.h b/packetWin7/npf/npf/Packet.h
index e232672e..59c40e42 100644
--- a/packetWin7/npf/npf/Packet.h
+++ b/packetWin7/npf/npf/Packet.h
@@ -531,15 +531,15 @@ NPF_ResetBufferContents(
 );
 
 VOID NPF_ReturnNBCopies(
-	_In_ _Frees_ptr_ PNPF_NB_COPIES pNBCopy,
+	_In_ PNPF_NB_COPIES pNBCopy,
 	_In_ PDEVICE_EXTENSION pDevExt);
 
 VOID NPF_ReturnNBLCopy(
-	_In_ _Frees_ptr_ PNPF_NBL_COPY pNBLCopy,
+	_In_ PNPF_NBL_COPY pNBLCopy,
 	_In_ PDEVICE_EXTENSION pDevExt);
 
 VOID NPF_ReturnCapData(
-	_In_ _Frees_ptr_ PNPF_CAP_DATA pCapData,
+	_In_ PNPF_CAP_DATA pCapData,
 	_In_ PDEVICE_EXTENSION pDevExt);
 
 /*!
diff --git a/packetWin7/npf/npf/Read.c b/packetWin7/npf/npf/Read.c
index a04f2740..6cc3ce9c 100644
--- a/packetWin7/npf/npf/Read.c
+++ b/packetWin7/npf/npf/Read.c
@@ -612,7 +612,9 @@ NPF_AlignProtocolField(
 
 //-------------------------------------------------------------------
 
-_Ret_maybenull_
+_Must_inspect_result_
+_Success_(return != NULL)
+__drv_allocatesMem(mem)
 PNPF_CAP_DATA NPF_GetCapData(
 		_Inout_ PLOOKASIDE_LIST_EX pPool,
 		_Inout_ PNPF_NB_COPIES pNBCopy,
diff --git a/packetWin7/npf/npf/Write.c b/packetWin7/npf/npf/Write.c
index 73116176..5db14f72 100644
--- a/packetWin7/npf/npf/Write.c
+++ b/packetWin7/npf/npf/Write.c
@@ -89,6 +89,16 @@ extern ULONG g_DltNullMode;
 extern HANDLE g_InjectionHandle_IPv4;
 extern HANDLE g_InjectionHandle_IPv6;
 
+// This function exists only to suppress C6014 regarding memory leak.
+// Be very suspicious of any use of it!
+// MUST be accompanied by a well-researched justification.
+VOID
+#pragma warning(suppress: 28194) // We aren't really aliasing it here, but we know that it's aliased for some other reason.
+NPF_AnalysisAssumeAliased(_In_ __drv_aliasesMem PVOID p)
+{
+	UNREFERENCED_PARAMETER(p);
+	return;
+}
 
 /*!
   \brief Ends a send operation.
@@ -122,6 +132,7 @@ NPF_LoopbackSendNetBufferLists(
 #endif
 
 NTSTATUS
+_At_(*ppNBL, __drv_allocatesMem(mem))
 NPF_AllocateNBL(
 	_In_ PNPCAP_FILTER_MODULE pFiltMod,
 	_In_ __drv_aliasesMem PMDL pMdl,
@@ -422,6 +433,12 @@ NPF_Write(
 						NDIS_DEFAULT_PORT_NUMBER,
 						1,
 						0); // If NDIS_RECEIVE_FLAGS_RESOURCES, would need to free pNetBufferList after this.
+					// WORKAROUND: We are calling NPF_AnalysisAssumeAliased here because the annotations for
+					// NdisFIndicateReceiveNetBufferLists do not use __drv_aliasesMem for the 2nd parameter.
+					// When Flags (5th parameter) do *not* have NDIS_RECEIVE_FLAGS_RESOURCES set, the NBL is
+					// owned by NDIS until it is returned via NPF_ReturnEx (FilterReturnNetBufferLists handler)
+					// Therefore we must not free it, and it is not leaking here.
+					NPF_AnalysisAssumeAliased(pNetBufferList);
 				}
 				else
 #endif
@@ -673,6 +690,11 @@ NPF_BufferedWrite(
 		// Allocate an MDL to map the packet data
 		TmpMdl = NdisAllocateMdl(Open->pFiltMod->AdapterHandle, npBuff, pWinpcapHdr->caplen);
 
+		// WORKAROUND: We are calling NPF_AnalysisAssumeAliased here because the buffer address
+		// is stored in the MDL and we retrieve it (via NdisQueryMdl) in NPF_FreePackets called from NPF_ReturnEx.
+		// Therefore, it is not leaking after this point.
+		NPF_AnalysisAssumeAliased(npBuff);
+
 		if (TmpMdl == NULL)
 		{
 			// Unable to map the memory: packet lost
@@ -764,6 +786,12 @@ NPF_BufferedWrite(
 					NDIS_DEFAULT_PORT_NUMBER,
 					1,
 					0); // If NDIS_RECEIVE_FLAGS_RESOURCES, would need to free pNetBufferList after this.
+				// WORKAROUND: We are calling NPF_AnalysisAssumeAliased here because the annotations for
+				// NdisFIndicateReceiveNetBufferLists do not use __drv_aliasesMem for the 2nd parameter.
+				// When Flags (5th parameter) do *not* have NDIS_RECEIVE_FLAGS_RESOURCES set, the NBL is
+				// owned by NDIS until it is returned via NPF_ReturnEx (FilterReturnNetBufferLists handler)
+				// Therefore we must not free it, and it is not leaking here.
+				NPF_AnalysisAssumeAliased(pNetBufferList);
 			}
 			else
 #endif