alexplaskett/ntfs-wnf-6.c Secret

## ntfs-wnf-6.c
if ( !v12 && (*(_QWORD *)(nameinstance + 104) || (_DWORD)Length)
    || (StateData = v12) != 0i64 && v12[1] < (unsigned int)Length ) // If we corrupt header here, we can make sure the old allocation is used.
  {
    if ( (_InterlockedExchangeAdd64(v9, 0xFFFFFFFFFFFFFFFFui64) & 6) == 2 )
      ExfTryToWakePushLock(nameinstance + 80);
    KeAbPostRelease(nameinstance + 80);
    if ( ((*(_DWORD *)(nameinstance + 40) >> 4) & 3) != 3
      || PsInitialSystemProcess == *(PEPROCESS *)(nameinstance + 152) )
    {
      v19 = ExAllocatePoolWithTag(PagedPool, (unsigned int)(Length + 16), 0x20666E57u);
      v23 = v19;
    }
    else
    {
      CreatorProcess = *(_KPROCESS **)(nameinstance + 0x98);
      if ( !CreatorProcess )
        return 3221225524i64;
      if ( CreatorProcess == KeGetCurrentThread()->ApcState.Process )
      {
        v18 = 0;
      }
      else
      {
        v18 = 1;
        KiStackAttachProcess((ULONG_PTR)CreatorProcess);
      }
      v19 = ExAllocatePoolWithQuotaTag((POOL_TYPE)9, (unsigned int)(Length + 16), 0x20666E57u); // This is our controlled allocation on the paged pool
      v23 = v19;
      if ( v18 )
        KiUnstackDetachProcess(v29, 0i64);
      v7 = src;
    }
    if ( !v19 )
      return 3221225626i64;
    *((_QWORD *)v19 + 1) = 0i64;
    *v19 = 1050884;
    v19[1] = Length;
    v20 = KeAbPreAcquire(nameinstance + 80, 0i64, 0);
    v21 = v20;
    if ( _interlockedbittestandset64((volatile signed __int32 *)v9, 0i64) )
      ExfAcquirePushLockExclusiveEx((unsigned __int64 *)(nameinstance + 80), v20, nameinstance + 80);
    if ( v21 )
      *(_BYTE *)(v21 + 26) |= 1u;
    StateData = 0i64;
    if ( *(_QWORD *)(nameinstance + 0x58) != 1i64 )
      StateData = *(_DWORD **)(nameinstance + 0x58);
    if ( !StateData || StateData[1] < (unsigned int)Length )
      StateData = v23;
  }
  for ( i = *(_DWORD *)(nameinstance + 96) + 1; !i; i = 1 )
    ;
  if ( StateData )
  {
    memmove(StateData + 4, v7, Length);
    StateData[2] = Length;                      // Update the DataSize
    StateData[3] = i;                           // Set ChangeStamp
    v15 = *(void **)(nameinstance + 104);
	if ( !v12 && ((_QWORD )(nameinstance + 104) \|\| (_DWORD)Length)
	\|\| (StateData = v12) != 0i64 && v12[1] < (unsigned int)Length ) // If we corrupt header here, we can make sure the old allocation is used.
	{
	if ( (_InterlockedExchangeAdd64(v9, 0xFFFFFFFFFFFFFFFFui64) & 6) == 2 )
	ExfTryToWakePushLock(nameinstance + 80);
	KeAbPostRelease(nameinstance + 80);
	if ( (((_DWORD )(nameinstance + 40) >> 4) & 3) != 3
	\|\| PsInitialSystemProcess == (PEPROCESS )(nameinstance + 152) )
	{
	v19 = ExAllocatePoolWithTag(PagedPool, (unsigned int)(Length + 16), 0x20666E57u);
	v23 = v19;
	}
	else
	{
	CreatorProcess = (_KPROCESS *)(nameinstance + 0x98);
	if ( !CreatorProcess )
	return 3221225524i64;
	if ( CreatorProcess == KeGetCurrentThread()->ApcState.Process )
	{
	v18 = 0;
	}
	else
	{
	v18 = 1;
	KiStackAttachProcess((ULONG_PTR)CreatorProcess);
	}
	v19 = ExAllocatePoolWithQuotaTag((POOL_TYPE)9, (unsigned int)(Length + 16), 0x20666E57u); // This is our controlled allocation on the paged pool
	v23 = v19;
	if ( v18 )
	KiUnstackDetachProcess(v29, 0i64);
	v7 = src;
	}
	if ( !v19 )
	return 3221225626i64;
	((_QWORD )v19 + 1) = 0i64;
	*v19 = 1050884;
	v19[1] = Length;
	v20 = KeAbPreAcquire(nameinstance + 80, 0i64, 0);
	v21 = v20;
	if ( _interlockedbittestandset64((volatile signed __int32 *)v9, 0i64) )
	ExfAcquirePushLockExclusiveEx((unsigned __int64 *)(nameinstance + 80), v20, nameinstance + 80);
	if ( v21 )
	(_BYTE )(v21 + 26) \|= 1u;
	StateData = 0i64;
	if ( (_QWORD )(nameinstance + 0x58) != 1i64 )
	StateData = (_DWORD *)(nameinstance + 0x58);
	if ( !StateData \|\| StateData[1] < (unsigned int)Length )
	StateData = v23;
	}
	for ( i = (_DWORD )(nameinstance + 96) + 1; !i; i = 1 )
	;
	if ( StateData )
	{
	memmove(StateData + 4, v7, Length);
	StateData[2] = Length; // Update the DataSize
	StateData[3] = i; // Set ChangeStamp
	v15 = (void *)(nameinstance + 104);