[BUGFIX] In thread_scanner: fixed compatibility with Windows 7

hasherezade · Feb 9, 2025 · 6d25ab0 · 6d25ab0
1 parent c75e840
commit 6d25ab0
Showing 1 changed file with 9 additions and 5 deletions.
diff --git a/scanners/thread_scanner.cpp b/scanners/thread_scanner.cpp
@@ -229,10 +229,18 @@ bool pesieve::ThreadScanner::checkReturnAddrIntegrity(IN const std::vector<ULONG
 	if (SyscallTable::isSameSyscallFunc(syscallFuncName, lastFuncCalled)) {
 		return true; // valid
 	}
-
+	
 	const ScannedModule* mod = modulesInfo.findModuleContaining(lastCalled);
 	const std::string lastModName = mod ? mod->getModName() : "";
 
+	if (syscallFuncName == "NtCallbackReturn") {
+		if (lastModName == "win32u.dll" 
+			|| lastModName == "user32.dll" || lastModName == "winsrv.dll") // for Windows7
+		{
+			return true;
+		}
+	}
+
 	if (!SyscallTable::isSyscallDll(lastModName)) {
 //#ifdef _DEBUG
 		std::cout << "[@]" << std::dec << info.tid << " : " << "LastSyscall: " << syscallFuncName << " VS LastCalledAddr: " << std::hex << lastCalled 
@@ -242,10 +250,6 @@ bool pesieve::ThreadScanner::checkReturnAddrIntegrity(IN const std::vector<ULONG
 		return false;
 	}
 
-	if (syscallFuncName == "NtCallbackReturn") {
-		if (lastModName == "win32u.dll") return true;
-	}
-
 	if (this->info.ext.wait_reason == WrUserRequest ||
 		this->info.ext.wait_reason == UserRequest)
 	{