Closed ghost closed 6 years ago
Nothing I code works for Windows 7 so I'm not surprised tbh lol, that being said I don't see why it shouldn't work. `Offset_KThread__ApcStateFill__Process` shouldn't fail considering the pattern is practically the same:

```
.text:00000001400818B0 public PsGetCurrentProcess
.text:00000001400818B0 PsGetCurrentProcess proc near
.text:00000001400818B0 65 48 8B 04 25 88 01 00 00    mov     rax, gs:188h    ; IoGetCurrentProcess
.text:00000001400818B9 48 8B 40 70                   mov     rax, [rax+70h]
.text:00000001400818BD C3                            retn
.text:00000001400818BD PsGetCurrentProcess endp
```

Does `Offset_KThread__ApcStateFill__Process` stay 0?

Also, what do you mean by the null page allocation? `AllocateLockedMemoryForKernel()`?

Do you get a bugcheck when you try it?
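The offset the comment above is talking about is read straight out of the instruction bytes of `PsGetCurrentProcess`: the `gs:188h` load is fixed, and the displacement of the following `mov rax, [rax+disp]` is `KTHREAD.ApcState.Process` (`70h` in the listing). The scanner below is an added illustration of that lookup, written for this page and not code from the PoC or from the issue participants; it embeds a constructed byte string built from the listing, returns 0 when the pattern is absent (the "stays at 0" symptom reported in the thread), and also accepts the `disp32` encoding of the same instruction, which goes beyond the single `disp8` form shown on the page.

```python
import re
import struct

# Constructed sample: the encoded bytes of PsGetCurrentProcess as listed in the
# issue, surrounded by unrelated filler bytes so the search actually has to scan.
SAMPLE_TEXT_SECTION = bytes.fromhex(
    "90 90 CC "                    # filler before the function
    "65 48 8B 04 25 88 01 00 00 "  # mov rax, gs:188h   (KPCR.Prcb.CurrentThread)
    "48 8B 40 70 "                 # mov rax, [rax+70h] (KTHREAD.ApcState.Process)
    "C3 "                          # retn
    "CC CC"                        # filler after the function
)

# The gs:188h load is fixed; the displacement of the second mov is the value we
# want, so it is a wildcard. Two encodings of "mov rax, [rax+disp]" are accepted:
#   48 8B 40 xx           (ModRM 0x40: disp8)
#   48 8B 80 xx xx xx xx  (ModRM 0x80: disp32)
# The disp32 alternative is an assumption about other builds, not shown on the page.
PATTERN = re.compile(
    rb"\x65\x48\x8B\x04\x25\x88\x01\x00\x00"      # mov rax, gs:[0x188]
    rb"(?:\x48\x8B\x40(.)|\x48\x8B\x80(....))"    # mov rax, [rax+disp8|disp32]
    rb"\xC3",                                     # retn
    re.DOTALL,
)


def find_apcstate_process_offset(text_section: bytes) -> int:
    """Return the KTHREAD.ApcState.Process displacement found in text_section.

    Returns 0 when the pattern does not match anywhere, which is exactly the
    symptom described in the thread (the offset variable never leaves 0).
    """
    match = PATTERN.search(text_section)
    if match is None:
        return 0
    if match.group(1) is not None:            # disp8 form
        return match.group(1)[0]
    return struct.unpack("<I", match.group(2))[0]   # disp32 form


if __name__ == "__main__":
    off = find_apcstate_process_offset(SAMPLE_TEXT_SECTION)
    print(f"KTHREAD.ApcState.Process offset: {off:#x}" if off else "pattern not found")
```

A result of 0 means the scan should be treated as failed rather than used, which is the first thing to check when the variable "remains at 0" on a build the pattern was not written against.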
Discovered the problem while doing something completely unrelated: rdgsbase / wrgsbase are not supported in Windows 7, so this exploit will not work unless you overwrite the TEB instead, which is not what I'm doing in the PoC.
I did not get a bugcheck, and yes, the Offset_KThread does remain at 0, unfortunately. All good, thanks at least for the response mate, take care @can1357
Good evening! Lovely PoC, worked great on a few operating systems. Was curious, though, is there any reason why it would not work on a Windows 7 SP1 x64 OS despite having an older version than the software update? Appears to fail on allocating a null page, or on `Offset_KThread_ApcStateFill_Process`; is there any way I may be able to fix this?

Appreciate the response =)