The issue comes up when I copy the packet and submit the newly created packet descriptor. _ndisMSendCompleteX@12 crashes trying to access something inside the packet, just after referencing _ndisPacketStackSize.
Well, as far as I can see without going deep into the problem the only difference is that original packet was preprocessed by NDIS send handler but your packet was not. You can analyze what fields were exactly referenced and fix it. I would not recommend this because internal NDIS packet processing may change from OS and SP.
Another way is intercepting NdisMSendComplete and checking if it is your packet descriptor passed to it and if yes then releasing your packet resource without passing it to NDIS. Also don’t forget to release packet descriptors for the original packets.