// spoof_disk -- Hex-Rays pseudocode of a kernel-mode routine that tampers with
// the Windows disk stack so that disk identity queries return altered data.
//
// What the visible code does, in order:
//   1. Looks up the \Driver\partmgr driver object by name and atomically swaps
//      the pointer at offset 224 of that object with sub_140001BA0, recording
//      the patched slot address and the previous pointer in a bookkeeping table.
//   2. Does the same for \Driver\Disk, installing sub_140001650.
//   3. Enumerates every device object owned by \Driver\Disk, sends each stack
//      IOCTL 0x70140, overwrites a string inside the device extension with the
//      contents of asc_140006000, and calls a routine located by signature scan.
//   4. Locates storport.sys and runs further signature scans before handing a
//      resolved function pointer and one byte to sub_1400024FC.
//
// NOTE(review): offset 224 (0xE0) matches MajorFunction[IRP_MJ_DEVICE_CONTROL]
// in the x64 DRIVER_OBJECT layout -- confirm against the target build.
//
// Defender-relevant artefacts visible here: dispatch pointers of partmgr/disk
// that resolve outside the owning driver image, and the pool tag 0x6E556353
// (bytes 'S','c','U','n' in memory order).
//
// Returns: the last status / helper result held in `result`; callers cannot
// distinguish which stage produced it.
__int64 spoof_disk()
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  // v29 is a 16-byte value used as a UNICODE_STRING: the low dword packs
  // Length/MaximumLength (2097182 == 0x0020001E -> Length 30, Max 32) and the
  // high qword is the buffer pointer.
  v29.m128i_i32[0] = 2097182;
  Object = 0i64;
  v29.m128i_i64[1] = (__int64)L"\\Driver\\partmgr";
  OutputBufferLengtha = 0;
  // 64 == 0x40; presumably OBJ_CASE_INSENSITIVE -- confirm.
  if ( (int)ObReferenceObjectByName(&v29, 64i64, 0i64, 0i64, IoDriverObjectType, OutputBufferLengtha, 0i64, &Object) >= 0 )
  {
    _RCX = sub_140001BA0;
    v1 = v29;
    // Claim the next 32-byte record in the table at unk_1400071D0.
    // NOTE(review): no bound on dword_1400091B0 is visible in this function.
    v2 = 32i64 * (unsigned int)dword_1400091B0++;
    _RAX = (char *)Object + 224;
    // Record +16: address of the slot that is about to be patched.
    *(_QWORD *)((char *)&unk_1400071D0 + v2 + 16) = (char *)Object + 224;
    // Atomic exchange: the slot now holds sub_140001BA0, RCX holds the old value.
    __asm { xchg rcx, [rax] }
    // Record +24 and qword_1400071A8 both keep the displaced original pointer.
    *(_QWORD *)((char *)&unk_1400071D0 + v2 + 24) = _RCX;
    qword_1400071A8 = _RCX;
    v5 = Object;
    // Record +0: 16-byte copy of the driver-name descriptor.
    _mm_storeu_si128((__m128i *)((char *)&unk_1400071D0 + v2), v1);
    // Reference is dropped here; the patched pointer stays in place.
    ObfDereferenceObject(v5);
  }
  // Same descriptor packing: 1703960 == 0x001A0018 -> Length 24, Max 26.
  v30.m128i_i32[0] = 1703960;
  v30.m128i_i64[1] = (__int64)L"\\Driver\\Disk";
  v33 = 0i64;
  LOBYTE(OutputBufferLength) = 0;
  result = (unsigned int)ObReferenceObjectByName(
                           &v30,
                           64i64,
                           0i64,
                           0i64,
                           IoDriverObjectType,
                           OutputBufferLength,
                           0i64,
                           &v33);
  if ( (int)result >= 0 )
  {
    // Second patch: same offset-224 slot, this time on \Driver\Disk.
    _RCX = sub_140001650;
    v8 = v30;
    v9 = (unsigned int)dword_1400091B0++;
    v9 *= 32i64;
    _RAX = (char *)v33 + 224;
    *(_QWORD *)((char *)&unk_1400071D0 + v9 + 16) = (char *)v33 + 224;
    __asm { xchg rcx, [rax] }
    *(_QWORD *)((char *)&unk_1400071D0 + v9 + 24) = _RCX;
    qword_140007198 = _RCX;
    v12 = v33;
    _mm_storeu_si128((__m128i *)((char *)&unk_1400071D0 + v9), v8);
    // v12[3] is the qword at offset 24 of the driver object -- presumably
    // DriverStart (image base) on x64; confirm. sig_scan_function presumably
    // matches the byte pattern at qword_140003150 under the given mask, where
    // '?' marks a wildcard byte.
    v13 = (void (__fastcall *)(__int64, _QWORD, char *))sig_scan_function(
                                                          v12[3],
                                                          (__int64)qword_140003150,
                                                          (__int64)"xx?xxxxxxxxxxxxx");
    if ( v13 )
    {
      v32 = 0;
      // Sizing call with no buffer; -1073741789 == 0xC0000023
      // (STATUS_BUFFER_TOO_SMALL), after which v32 holds the device count.
      if ( (unsigned int)IoEnumerateDeviceObjectList(v33, 0i64, 0i64, &v32) == -1073741789 )
      {
        if ( v32 )
        {
          // One 8-byte pointer per device object.
          v14 = 8 * v32;
          v15 = ExAllocatePoolWithTag(NonPagedPool, 8 * v32, 0x6E556353u);
          v16 = v15;
          if ( v15 )
          {
            if ( (int)IoEnumerateDeviceObjectList(v33, v15, v14, &v32) >= 0 && v32 )
            {
              v17 = 0;
              do
              {
                v18 = (_QWORD *)v16[v17];
                v19 = IoGetAttachedDeviceReference((PDEVICE_OBJECT)v16[v17]);
                if ( v19 )
                {
                  Event.Header.WaitListHead.Blink = 0i64;
                  *(_OWORD *)&Event.Header.Type = 0i64;
                  KeInitializeEvent(&Event, NotificationEvent, 0);
                  // 0x70140 -- presumably IOCTL_DISK_UPDATE_PROPERTIES; sent to
                  // the top of the stack with no buffers. The final argument
                  // (I/O status block) is passed as 0.
                  v20 = IoBuildDeviceIoControlRequest(0x70140u, v19, 0i64, 0, 0i64, 0, 0, &Event, 0i64);
                  // 259 == 0x103 (STATUS_PENDING): wait for asynchronous completion.
                  if ( v20 && IofCallDriver(v19, v20) == 259 )
                    KeWaitForSingleObject(&Event, Executive, 0, 0, 0i64);
                  ObfDereferenceObject(v19);
                }
                // v18[8] is the qword at offset 64 of the device object --
                // presumably DeviceExtension on x64; confirm.
                v21 = v18[8];
                if ( v21 )
                {
                  v22 = asc_140006000;
                  // Destination = base pointer stored at extension+520, plus the
                  // 32-bit offset stored at base+24.
                  // NOTE(review): looks like a storage device descriptor and its
                  // serial-number offset; the 520 offset is build-specific -- confirm.
                  v23 = (_BYTE *)(*(_QWORD *)(v21 + 520) + *(unsigned int *)(*(_QWORD *)(v21 + 520) + 24i64));
                  // Unbounded NUL-terminated copy (terminator included). Nothing
                  // here checks the length of the string being overwritten, so a
                  // longer replacement would write past the original field.
                  do
                  {
                    v24 = *v22++;
                    *v23++ = v24;
                  }
                  while ( v24 );
                  // v22 now points one past the copied terminator; the third
                  // argument may be a decompiler artefact of an unused register.
                  v13(v21, 0i64, v22);
                }
                // Drop the reference IoEnumerateDeviceObjectList took on this device.
                ObfDereferenceObject(v18);
                ++v17;
              }
              while ( v17 < v32 );
            }
            ExFreePoolWithTag(v16, 0);
          }
        }
      }
    }
    ObfDereferenceObject(v33);
    // sub_140002A94 presumably returns the load address of the named kernel
    // module (0 when absent) -- its body is not visible here.
    result = sub_140002A94("storport.sys", 0i64);
    v25 = result;
    if ( result )
    {
      result = sig_scan_function(result, (__int64)qword_1400031A0, (__int64)"xxxx????xxxx????xx");
      v26 = result;
      if ( result )
      {
        result = sig_scan_function(v25, (__int64)"f9,A", (__int64)"xxxx");
        if ( result )
        {
          // Presumably a second, bounded match (32 bytes) starting at the previous
          // hit; semantics of sub_140002984 are not visible here.
          result = sub_140002984(result, 32, (__int64)qword_1400031F0, (__int64)qword_1400031E0);
          if ( result )
            // First argument: v26 plus the signed 32-bit displacement stored at
            // v26+4, plus 8 -- the shape of a RIP-relative target resolution.
            // Second argument: the single byte at result+3. What sub_1400024FC
            // does with them is not visible in this listing.
            result = sub_1400024FC(
                       (void (__fastcall *)(_QWORD, _BYTE *))(v26 + *(int *)(v26 + 4) + 8i64),
                       *(_BYTE *)(result + 3));
        }
      }
    }
  }
  return result;
}