Open rafaelscheel opened 2 months ago
Hello Rafael, This is correct, a wrong assumption that patchAddr==mem_NtProtectVirtualMemory was made, my bad. At first read, your approach seems sound and your code correct; have you something to test the code against? I do not really have access to EDRs anymore 😁
Thank you for your contribution!
PS: I should have commented the code 😅
In the function getSafeVirtualProtectUsingTrampoline, the method UNHOOK_WITH_INHOUSE_NTPROTECTVIRTUALMEMORY_TRAMPOLINE creates the trampoline from function start to (function start + patchsize). This does not work if the patch does not start at the beginning of the function. In my opinion, instead of using patchSize, "sizeFromFunctionStart" should be used. E.g. like this:
Did I misunderstand something? If not, I will gladly create a pull request.
Thanks!