-
-
Save alexplaskett/b1be207604e3e4b6c74c2f75ec907688 to your computer and use it in GitHub Desktop.
ExpWnfReadStateData
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| __int64 __fastcall ExpWnfReadStateData(__int64 nameinstance, _DWORD *CurrentChangeStamp, void *dest, unsigned int BufferSize, _DWORD *outbufsize) | |
| { | |
| volatile signed __int64 *v9; // rbx | |
| __int64 v10; // rdi | |
| _DWORD *StateData; // rdx | |
| unsigned int DataSize; // eax | |
| unsigned int v14; // [rsp+20h] [rbp-48h] | |
| v14 = 0; | |
| v9 = (volatile signed __int64 *)(nameinstance + 0x50); | |
| v10 = KeAbPreAcquire(nameinstance + 0x50, 0i64, 0); | |
| if ( _InterlockedCompareExchange64(v9, 17i64, 0i64) ) | |
| ExfAcquirePushLockSharedEx(v9, v10, v9); | |
| if ( v10 ) | |
| *(_BYTE *)(v10 + 26) |= 1u; | |
| StateData = *(_DWORD **)(nameinstance + 0x58);// StateData | |
| if ( !StateData ) | |
| { | |
| *CurrentChangeStamp = 0; | |
| goto LABEL_11; | |
| } | |
| if ( StateData == (_DWORD *)1 ) | |
| { | |
| *CurrentChangeStamp = *(_DWORD *)(nameinstance + 0x60); | |
| LABEL_11: | |
| *outbufsize = 0; | |
| goto LABEL_13; | |
| } | |
| *CurrentChangeStamp = StateData[3]; | |
| *outbufsize = StateData[2]; | |
| DataSize = StateData[2]; | |
| if ( BufferSize < DataSize ) | |
| { // length check on size here | |
| v14 = -1073741789; // STATUS_BUFFER_TOO_SMALL | |
| } | |
| else | |
| { | |
| memmove(dest, StateData + 4, DataSize); | |
| v14 = 0; | |
| } | |
| LABEL_13: | |
| if ( _InterlockedCompareExchange64(v9, 0i64, 17i64) != 17 ) | |
| ExfReleasePushLockShared((signed __int64 *)v9); | |
| KeAbPostRelease((ULONG_PTR)v9); | |
| return v14; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment