A Windows kernel exploit for systems that are using the Dell driver DBUtil_2_3.sys

Alt name: Dell Latitude 7204 Rugged BIOS update A16.

This is a learning endeavor, as always.

There is a memmove call in sub_15294 whose arguments can be manipulated through the registers RAX, R9 and RCX. RDI holds a pointer to the DeviceExtension, which holds a pointer to SystemBuffer at offset 0 and the size of the input buffer at offset 8.

  • RAX : From RBX+0x10
  • R9 : From RBX
  • RCX : From RDI in the major function handler

This means that R9 in sub_15294 is a pointer to the input buffer, which gives control over the source, destination and size arguments of the call to memmove.
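For contrast, here is a user-mode C model of the validation such a handler needs before it reaches memmove. It is an added example, not code from this repository or from the driver. The request layout, the names `copy_req`, `handle_copy` and `submit`, and the 64-byte region are assumptions; only the SystemBuffer pointer at offset 0 and the input size at offset 8 follow the description above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define REGION_SIZE 64u   /* constructed size of a driver-owned region */

/* Device extension as the README describes it (64-bit build):
   SystemBuffer pointer at offset 0, input buffer size at offset 8. */
struct dev_ext { void *system_buffer; uint64_t input_size; };

/* Hypothetical request: the caller supplies an offset into a driver-owned
   region, never a raw source or destination address. */
struct copy_req { uint64_t offset; uint64_t length; uint8_t data[]; };

enum { REQ_OK = 0, REQ_TOO_SMALL = -1, REQ_OUT_OF_RANGE = -2 };

uint8_t g_region[REGION_SIZE];

int handle_copy(const struct dev_ext *ext)
{
    const struct copy_req *req = ext->system_buffer;

    /* 1. The header must fit before any field of it is read. */
    if (ext->input_size < sizeof(*req))
        return REQ_TOO_SMALL;
    /* 2. The copy length may not exceed the payload actually supplied. */
    if (req->length > ext->input_size - sizeof(*req))
        return REQ_TOO_SMALL;
    /* 3. Destination stays inside the region; written to avoid overflow. */
    if (req->offset > REGION_SIZE || req->length > REGION_SIZE - req->offset)
        return REQ_OUT_OF_RANGE;

    memmove(g_region + req->offset, req->data, (size_t)req->length);
    return REQ_OK;
}

/* Builds a constructed request (payload bytes 0xAB) and submits it.
   input_size must not exceed the 128-byte backing store. */
int submit(uint64_t offset, uint64_t length, uint64_t input_size)
{
    static uint64_t raw[16];
    struct copy_req *req = (struct copy_req *)raw;
    struct dev_ext ext = { raw, input_size };

    memset(raw, 0xAB, sizeof(raw));
    req->offset = offset;
    req->length = length;
    return handle_copy(&ext);
}
```

Every value that reaches memmove is derived from a checked field, so the input buffer can only choose where inside `g_region` the data lands.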