@alexplaskett
Created July 15, 2021 10:51
if ( !v12 && (*(_QWORD *)(nameinstance + 104) || (_DWORD)Length)
|| (StateData = v12) != 0i64 && v12[1] < (unsigned int)Length ) // If we corrupt header here, we can make sure the old allocation is used.
{
if ( (_InterlockedExchangeAdd64(v9, 0xFFFFFFFFFFFFFFFFui64) & 6) == 2 )
ExfTryToWakePushLock(nameinstance + 80);
KeAbPostRelease(nameinstance + 80);
if ( ((*(_DWORD *)(nameinstance + 40) >> 4) & 3) != 3
|| PsInitialSystemProcess == *(PEPROCESS *)(nameinstance + 152) )
{
v19 = ExAllocatePoolWithTag(PagedPool, (unsigned int)(Length + 16), 0x20666E57u);
v23 = v19;
}
else
{
CreatorProcess = *(_KPROCESS **)(nameinstance + 0x98);
if ( !CreatorProcess )
return 3221225524i64;
if ( CreatorProcess == KeGetCurrentThread()->ApcState.Process )
{
v18 = 0;
}
else
{
v18 = 1;
KiStackAttachProcess((ULONG_PTR)CreatorProcess);
}
v19 = ExAllocatePoolWithQuotaTag((POOL_TYPE)9, (unsigned int)(Length + 16), 0x20666E57u); // This is our controlled allocation on the paged pool
v23 = v19;
if ( v18 )
KiUnstackDetachProcess(v29, 0i64);
v7 = src;
}
if ( !v19 )
return 3221225626i64;
*((_QWORD *)v19 + 1) = 0i64;
*v19 = 1050884;
v19[1] = Length;
v20 = KeAbPreAcquire(nameinstance + 80, 0i64, 0);
v21 = v20;
if ( _interlockedbittestandset64((volatile signed __int32 *)v9, 0i64) )
ExfAcquirePushLockExclusiveEx((unsigned __int64 *)(nameinstance + 80), v20, nameinstance + 80);
if ( v21 )
*(_BYTE *)(v21 + 26) |= 1u;
StateData = 0i64;
if ( *(_QWORD *)(nameinstance + 0x58) != 1i64 )
StateData = *(_DWORD **)(nameinstance + 0x58);
if ( !StateData || StateData[1] < (unsigned int)Length )
StateData = v23;
}
for ( i = *(_DWORD *)(nameinstance + 96) + 1; !i; i = 1 )
;
if ( StateData )
{
memmove(StateData + 4, v7, Length);
StateData[2] = Length; // Update the DataSize
StateData[3] = i; // Set ChangeStamp
v15 = *(void **)(nameinstance + 104);