  // Hex-Rays decompilation of ntoskrnl!MmCreateProcessAddressSpace (x64), pasted as-is.
  // NOTE(review): this is raw decompiler output, not compilable C. Several locals are
  // read before anything assigns them (v10, v11, v22, v24-v27, v46-v52), `retaddr` is a
  // mislabelled stack slot that the whole body uses as the *new process object*, and
  // `(char)retaddr` / `LODWORD(v53) = 1` are type-recovery artifacts. Treat every offset
  // and argument below as "what the binary appears to do" and confirm against the
  // disassembly of this exact build before relying on it.
  //
  // Apparent contract (from the calls made here, not from a prototype):
  //   a1 - partition argument handed to MiJoinPartition
  //   a2 - never referenced in this listing (presumably the process object the
  //        decompiler renamed to `retaddr` -- TODO confirm)
  //   a3 - working-set maximum candidate; compared with PsGetDefaultWsMaximum() and
  //        stored at qword +0x590 of the process object
  //   a4 - flags; bit 0 sets 0x40 in the byte at +0x5B8 of the process object
  // Returns 1 once the new top-level page table is built and published, 0 after
  // unwinding every charge/reservation taken so far.
  1. char __fastcall MmCreateProcessAddressSpace(__int64 a1, __int64 a2, __int64 a3, char a4)
  2. {
  3. char v4; // r13
  4. int *v5; // rdi
  5. signed __int64 v6; // r15
  6. _QWORD *v7; // rax
  7. __int64 v8; // r12
  8. unsigned __int64 v9; // rbx
  9. __int64 v10; // rdx
  10. __int64 v11; // rdx
  11. __int64 v12; // r13
  12. signed __int64 v13; // r13
  13. __int16 v14; // r12
  14. int v15; // er14
  15. _WORD *v16; // rsi
  16. unsigned int v17; // ebx
  17. __int64 v18; // rax
  18. __int64 v19; // rax
  19. _WORD *v20; // r14
  20. unsigned int v21; // er8
  21. __int64 *v22; // ST18_8
  22. __int64 *v23; // r13
  23. __int64 v24; // rdx
  24. signed __int64 v25; // r11
  25. int v26; // er8
  26. int v27; // er9
  27. unsigned __int64 v28; // rdi
  28. unsigned __int64 v29; // rsi
  29. unsigned int v30; // er15
  30. unsigned __int64 v31; // rdx
  31. unsigned __int64 v32; // r12
  32. unsigned __int64 *v33; // r10
  33. _QWORD *v34; // r8
  34. unsigned __int64 v35; // rcx
  35. __int64 v36; // rbx
  36. unsigned __int64 v37; // rbx
  37. __int64 v38; // r9
  38. __int64 *v39; // r8
  39. __int64 v40; // rax
  40. __int64 v41; // r8
  41. __int64 v42; // rdx
  42. __int64 v43; // rbx
  43. unsigned __int64 v44; // rdx
  44. unsigned __int64 v46; // ST10_8
  45. __int64 v47; // [rsp+8h] [rbp-61h]
  46. __int64 v48; // [rsp+8h] [rbp-61h]
  47. unsigned __int64 v49; // [rsp+10h] [rbp-59h]
  48. unsigned __int64 v50; // [rsp+10h] [rbp-59h]
  49. __int64 v51; // [rsp+18h] [rbp-51h]
  50. unsigned __int64 v52; // [rsp+18h] [rbp-51h]
  51. _WORD *v53; // [rsp+20h] [rbp-49h]
  52. unsigned __int64 *v54; // [rsp+20h] [rbp-49h]
  53. _KPROCESS *v55; // [rsp+28h] [rbp-41h]
  54. __int64 v56; // [rsp+30h] [rbp-39h]
  55. _QWORD *v57; // [rsp+38h] [rbp-31h]
  56. _QWORD *v58; // [rsp+40h] [rbp-29h]
  57. unsigned __int64 v59; // [rsp+48h] [rbp-21h]
  58. __int64 v60; // [rsp+50h] [rbp-19h]
  59. _WORD *v61; // [rsp+58h] [rbp-11h]
  60. __int16 v62; // [rsp+60h] [rbp-9h]
  61. unsigned __int16 v63; // [rsp+62h] [rbp-7h]
  62. unsigned __int64 v64; // [rsp+68h] [rbp-1h]
  63. unsigned __int64 v65; // [rsp+70h] [rbp+7h]
  64. _WORD *retaddr; // [rsp+E8h] [rbp+7Fh]
  65.  
  66. v4 = a4;
  67. v56 = a3;
  68. v53 = retaddr;
  // Join the partition for a1 and charge 5 pages of commit against it: the five
  // page-table pages obtained in the MiGetPage loop below. A failed charge skips
  // straight to the partition dereference at the bottom.
  69. v5 = (int *)MiJoinPartition(a1, retaddr);
  70. v6 = 5i64;
  71. if ( (unsigned int)MiChargeCommit(v5, 5i64) )
  72. {
  73. v55 = KeGetCurrentThread()->ApcState.Process;
  // Random per-process value stored in the 16-bit slot at +0x500 (the same address
  // later passed to MiChargeWsles). RtlRandomEx returns 32 bits, so the _WORD store
  // is almost certainly a decompiler type artifact; its consumer is not visible here.
  74. retaddr[640] = RtlRandomEx(&dword_140321A60);
  // +0x778: two qwords pointing at themselves, i.e. an empty list head; +0x770 zeroed.
  75. v7 = retaddr + 956;
  76. v7[1] = v7;
  77. *v7 = v7;
  78. *((_QWORD *)retaddr + 238) = 0i64;
  79. v8 = v56;
  // Non-default working-set maximum: validate it. `LODWORD(v53) = 1` clobbers the
  // low half of the slot that v20 is read from later and `(char)retaddr` truncates
  // a pointer -- both are register/stack aliasing artifacts, not real semantics.
  80. if ( v56 != PsGetDefaultWsMaximum() )
  81. {
  82. LODWORD(v53) = 1;
  83. MiCheckWsLimits((char)retaddr);
  84. v8 = v56;
  85. }
  // v49 is never assigned in this listing; it is the amount charged against the
  // working-set block at +0x500 and later stored at +0x568 (presumably the minimum
  // working set -- TODO confirm from the disassembly).
  86. v9 = v49;
  87. if ( (unsigned int)MiChargeWsles(retaddr + 640, v49, 1i64) )
  88. {
  89. *((_QWORD *)retaddr + 178) = v8;
  90. *((_QWORD *)retaddr + 173) = v9;
  91. if ( v4 & 1 )
  92. *((_BYTE *)retaddr + 1464) |= 0x40u;
  // NTSTATUS-style check (>= 0 is success). v10 (rdx) is uninitialized here: the
  // real quota-type argument was lost by the decompiler.
  93. if ( (signed int)PsChargeProcessQuota(retaddr, v10, v9) >= 0 )
  94. {
  95. if ( (unsigned int)MiChargeResident(v5, v9, 0i64) )
  96. {
  // Reserve 4 system PTEs from the pool at qword_140322CB0; they are used below to
  // temporarily map each new page-table page and are released on every exit path.
  97. v12 = MiReservePtes(&qword_140322CB0, 4i64);
  98. if ( v12 )
  99. {
  100. if ( v5 == &MiSystemPartition )
  101. {
  // System-partition-only accounting; note the failure path below decrements a
  // *different* global (qword_140322870), so these look like a paired counter set.
  102. _InterlockedExchangeAdd64(&qword_140322868, v9);
  103. v9 = v50;
  104. }
  // MiJoinSession fills v60 (consumed at the MiInsertNewProcess step below).
  105. if ( (unsigned int)MiJoinSession(&v60) )
  106. {
  107. _InterlockedExchangeAdd64(&qword_140322D50, 5ui64);
  108. v13 = 0i64;
  // Page-colour state taken from the *current* process's KPROCESS; the
  // `v55[1].IdealNode[12]` form is just Hex-Rays rendering a raw offset.
  109. MiInitializePageColorBase(&v55[1].IdealNode[12], 0i64, &v61);
  110. v14 = v62;
  111. v15 = v63;
  112. v16 = v61;
  // Allocate the 5 page-table pages. Each iteration bumps the colour counter,
  // masks it, and asks the partition for a page of that colour; -1 means none is
  // free, so wait and retry. The pages are chained through the first qword of
  // their 48-byte PFN-database entries: 48*pfn - 0x58000000000 is
  // 0xFFFFFA8000000000 + pfn*sizeof(MMPFN), the classic x64 MmPfnDatabase layout
  // (confirm for this build; KVA-shuffled kernels use a different base).
  113. do
  114. {
  115. v17 = v15 | (unsigned __int16)(v14 & ++*v16);
  116. while ( 1 )
  117. {
  118. v18 = MiGetPage(v5, v17, 194i64);
  119. if ( v18 != -1 )
  120. break;
  121. MiWaitForFreePage(v5);
  122. }
  123. *(_QWORD *)(48 * v18 - 6047313952768i64) = v13;
  124. v13 = 48 * v18 - 6047313952768i64;
  125. --v6;
  126. }
  127. while ( v6 );
  // v57 = head of the chain (last page allocated).
  128. v57 = (_QWORD *)(48 * v18 - 6047313952768i64);
  // Start from the PTE of a fixed kernel VA (qword_1403233D0 + 0x10804170) and
  // walk *up* the paging hierarchy five times, recording each level's PTE address
  // in a 5-qword local array that starts at v64 (the decompiler only declared
  // v64/v65 of it). `v21 = v27 + v26` stands in for `++v21`: both are uninitialized.
  129. v19 = MiGetPteAddress(qword_1403233D0 + 276840816);
  130. v20 = v53;
  131. v21 = 0;
  // v22 is never assigned in the listing; the MiReleasePtes(..., v23, 4) at the end
  // shows v23 must be the same reserved PTE block as v12.
  132. v23 = v22;
  133. do
  134. {
  135. *(&v64 + 4 - v21) = v19;
  136. v19 = MiGetPteAddress(v19);
  137. v21 = v27 + v26;
  138. }
  139. while ( v21 <= 4 );
  140. v28 = 0i64;
  141. v29 = 0i64;
  142. v30 = 0;
  // (v24 - v25) / 48: multiply-high by 0x2AAAAAAAAAAAAAAB then >> 3 is the compiler's
  // division by 48, i.e. PFN index of a PFN-database entry. v24/v25 are
  // uninitialized at this point (v25 only gets the database base inside the loop),
  // so the first iteration's v32 cannot be trusted from this listing.
  143. v31 = (unsigned __int128)((v24 - v25) * (signed __int128)3074457345618258603i64) >> 64;
  144. v32 = (v31 >> 63) + ((signed __int64)v31 >> 3);
  145. v33 = &v64;
  146. v54 = &v64;
  // One iteration per new page (v30 = 0..4), from the top of the hierarchy down:
  //   - pop the head of the PFN chain and clear its link;
  //   - v35 = its PFN: (entry - PfnDatabase) / 48, same idiom as above;
  //   - build a valid kernel PTE for it, clear bit 8, set bits 1 and 6 (0x42), and
  //     mask with v47 (uninitialized here; presumably a protection mask -- confirm);
  //   - v30 == 0 is the top-level (PML4) page: record the process in its PFN entry,
  //     set bit 63 (the x64 NX bit) and keep the PTE in v28 -- it becomes the
  //     directory-table base below;
  //   - v30 == 1: keep the PTE in v29, written into the top-level page later;
  //   - otherwise map the *previous* page through the reserved system PTE and write
  //     this PTE into it at the slot encoded in v59 ((addr >> 3) & 0x1FF); the last
  //     level (v30 == 4) also gets bit 63, masked with ~v48.
  // `(v39 << 25) >> 16` converts a PTE address to the VA it maps; that only holds
  // for a fixed self-map base, so re-check on builds that randomize it.
  147. do
  148. {
  149. v34 = v57;
  150. v58 = v57;
  151. v57 = (_QWORD *)*v57;
  152. *v58 = 0i64;
  153. v35 = (signed __int64)((unsigned __int128)((signed __int64)&v34[v25 / 0xFFFFFFFFFFFFFFF8ui64]
  154. * (signed __int128)3074457345618258603i64) >> 64) >> 3;
  155. v59 = *v33;
  156. v36 = MiMakeValidKernelPte((v35 >> 63) + v35, 6i64);
  157. v37 = v47 & (v36 & 0xFFFFFFFFFFFFFEFFui64 | 0x42);
  158. if ( !v30 )
  159. {
  160. *v58 = v20;
  161. v37 = v47 & (v37 | 0x8000000000000000ui64);
  162. v28 = v37;
  163. }
  // v51 is uninitialized in the listing (probably the new process again -- confirm).
  164. MiInitializePfnForOtherProcess(v51, v59, v32, 0i64);
  165. MiMarkPageActive(v58);
  166. v38 = qword_1403A7350;
  167. v39 = v23;
  168. if ( v30 == 1 )
  169. {
  170. v29 = v37;
  171. }
  172. else
  173. {
  174. v40 = MiMakeValidKernelPte(v32, 4i64);
  175. v38 = v48;
  176. *v39 = v40 | 0x42;
  177. if ( v30 == 4 )
  178. v37 = ~v48 & (v37 | 0x8000000000000000ui64);
  179. }
  180. ++v30;
  181. v33 = v54 + 1;
  182. v41 = (_QWORD)v39 << 25 >> 16;
  183. ++v54;
  // PFN-database base, assigned only here (decompiler ordering artifact).
  184. v25 = -6047313952768i64;
  185. *(_QWORD *)(v41 + 8 * ((v59 >> 3) & 0x1FF)) = v37;
  186. v32 = v52;
  187. }
  188. while ( v30 <= 4 );
  // Session linkage: +0x360 = v52 (uninitialized in the listing); if MiJoinSession
  // produced a session, store it at +0x400 and OR 0x10000 into the dword at +0x304.
  189. v42 = v60;
  190. *((_QWORD *)v20 + 108) = v52;
  191. if ( v42 )
  192. {
  193. *((_QWORD *)v20 + 128) = v42;
  194. _InterlockedOr((volatile signed __int32 *)v20 + 193, 0x10000u);
  195. v42 = v60;
  196. }
  197. MiInsertNewProcess(v20, v42, v41, v38);
  // Map the top-level page through the reserved PTE, copy the kernel's top-level
  // mappings into it, then drop in the two entries saved above (v29 at the slot
  // from v65, v28 at the slot from v64 -- the self-map / top-level slots). The
  // physical address (v28 & 0xFFFFFFFFF000, flags stripped) goes to qword +0x28,
  // which matches KPROCESS.DirectoryTableBase -- confirm for this build.
  198. v43 = (_QWORD)v23 << 25 >> 16;
  199. MiCopyTopLevelMappings(v20, v43);
  200. v44 = (v64 >> 3) & 0x1FF;
  201. *(_QWORD *)(v43 + 8 * ((v65 >> 3) & 0x1FF)) = v29;
  202. *(_QWORD *)(v43 + 8 * v44) = v28;
  203. *((_QWORD *)v20 + 5) = v28 & 0xFFFFFFFFF000i64;
  204. MiSyncSystemPdes(v20);
  205. MiReleasePtes(&qword_140322CB0, v23, 4i64);
  206. return 1;
  207. }
  // ---- failure unwinding, in reverse order of acquisition ----
  // MiJoinSession failed: give the reserved PTEs back.
  208. MiReleasePtes(&qword_140322CB0, v12, 4i64);
  209. }
  // Return the resident charge. `v9 = v46` reads an uninitialized slot (artifact).
  210. if ( v5 == &MiSystemPartition )
  211. {
  212. MiReturnResidentAvailable(v9);
  213. _InterlockedExchangeAdd64(&qword_140322870, v9);
  214. v9 = v46;
  215. }
  216. else
  217. {
  218. MiReturnPartitionResidentAvailable(v5, v9);
  219. }
  220. }
  // v11 (rdx) uninitialized: same lost quota-type argument as the charge above.
  221. PsReturnProcessQuota(retaddr, v11, v9);
  222. }
  // Negative charge undoes the MiChargeWsles above.
  223. MiChargeWsles(retaddr + 640, -(signed __int64)v9, 1i64);
  224. }
  225. MiReturnCommit(v5, 5i64);
  226. }
  // The system partition is never dereferenced; any other partition loses the
  // reference taken by MiJoinPartition.
  227. if ( v5 != &MiSystemPartition )
  228. MiDereferencePartition(v5);
  229. return 0;
  230. }