can1357 / CVE-2018-8897

Arbitrary code execution with kernel privileges using CVE-2018-8897.
https://blog.can.ac/2018/05/11/arbitrary-code-execution-at-ring-0-using-cve-2018-8897/
BSD 3-Clause "New" or "Revised" License

Doesn't work on Win7 SP1 #4

Closed ghost closed 6 years ago

ghost commented 6 years ago

Good evening! Lovely PoC, worked great on a few operating systems. Was curious, though, are there any reasons why it would not work on a Windows 7 SP1 x64 OS despite having an older version than the software update? Appears to fail on allocating a null page, or

Offset_KThread_ApcStateFill_Process

Is there any way I may be able to fix this?

Appreciate the response =)

can1357 commented 6 years ago

Nothing I code works for Windows 7, so I'm not surprised tbh lol. That being said, I don't see why it shouldn't work.

Offset_KThread__ApcStateFill__Process shouldn't fail, considering the pattern is practically the same:

.text:00000001400818B0                                               public PsGetCurrentProcess
.text:00000001400818B0                               PsGetCurrentProcess proc near
.text:00000001400818B0 65 48 8B 04 25 88 01 00 00                    mov     rax, gs:188h    ; IoGetCurrentProcess
.text:00000001400818B9 48 8B 40 70                                   mov     rax, [rax+70h]
.text:00000001400818BD C3                                            retn
.text:00000001400818BD                               PsGetCurrentProcess endp

Does Offset_KThread__ApcStateFill__Process stay 0?

Also what do you mean by the null page allocation? AllocateLockedMemoryForKernel()?

Do you get a bugcheck when you try it?
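The listing above shows why the offset can be recovered from code rather than hard-coded: PsGetCurrentProcess first loads the current KTHREAD from gs:188h (KPCR.Prcb.CurrentThread on x64) and then dereferences it at a fixed displacement, which is the offset of ApcState.Process inside KTHREAD. The following is an added example, not code from the PoC or from anyone in this thread, of a scanner that extracts that displacement from a copy of the function's bytes. It goes slightly beyond the Windows 7 listing by also accepting the disp32 form of the second mov (48 8B 80 xx xx xx xx), which a compiler emits when the field offset no longer fits in a signed byte, and it returns 0 when neither form follows the gs load, which is the symptom reported here. The byte arrays are constructed for the example: the first is taken from the listing, the other two are made up to exercise the disp32 and the no-match paths; the function name is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample 1: the Windows 7 SP1 x64 PsGetCurrentProcess bytes from the IDA listing. */
static const uint8_t ps_get_current_process_win7[] = {
    0x65, 0x48, 0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00, /* mov rax, gs:[188h] */
    0x48, 0x8B, 0x40, 0x70,                               /* mov rax, [rax+70h]  */
    0xC3                                                  /* retn                */
};

/* Constructed sample 2: the same stub with a disp32 second mov (offset 0xB8 chosen arbitrarily). */
static const uint8_t ps_get_current_process_disp32[] = {
    0x65, 0x48, 0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00, /* mov rax, gs:[188h]     */
    0x48, 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00,             /* mov rax, [rax+0B8h]    */
    0xC3
};

/* Constructed sample 3: unrelated code with no gs:[188h] load, so the scan must report 0. */
static const uint8_t no_match[] = {
    0x48, 0x83, 0xEC, 0x28,             /* sub rsp, 28h */
    0xE8, 0x00, 0x00, 0x00, 0x00,       /* call rel32   */
    0x48, 0x83, 0xC4, 0x28,             /* add rsp, 28h */
    0xC3
};

/*
 * Scan `code` for "mov rax, gs:[188h]" immediately followed by "mov rax, [rax+disp]"
 * and return disp, i.e. the offset of KTHREAD.ApcState.Process. Returns 0 if the
 * pattern is not found (the "offset stays 0" case from the thread).
 */
uint32_t find_apcstate_process_offset(const uint8_t *code, size_t len)
{
    static const uint8_t load_kthread[] = {
        0x65, 0x48, 0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00 /* mov rax, gs:[188h] */
    };
    const size_t hdr = sizeof load_kthread;

    for (size_t i = 0; i + hdr <= len; i++) {
        if (memcmp(code + i, load_kthread, hdr) != 0)
            continue;
        const uint8_t *p = code + i + hdr;
        size_t rem = len - (i + hdr);

        /* 48 8B 40 disp8 : mov rax, [rax+disp8]; a field offset is non-negative, so disp8 >= 0x80 is rejected */
        if (rem >= 4 && p[0] == 0x48 && p[1] == 0x8B && p[2] == 0x40 && p[3] < 0x80)
            return p[3];

        /* 48 8B 80 disp32 : mov rax, [rax+disp32] (little-endian displacement) */
        if (rem >= 7 && p[0] == 0x48 && p[1] == 0x8B && p[2] == 0x80)
            return (uint32_t)p[3] | ((uint32_t)p[4] << 8) |
                   ((uint32_t)p[5] << 16) | ((uint32_t)p[6] << 24);
        /* gs load found but not followed by a recognised mov: keep scanning */
    }
    return 0;
}

int main(void)
{
    printf("win7 stub   : 0x%X\n", find_apcstate_process_offset(ps_get_current_process_win7, sizeof ps_get_current_process_win7));
    printf("disp32 stub : 0x%X\n", find_apcstate_process_offset(ps_get_current_process_disp32, sizeof ps_get_current_process_disp32));
    printf("no match    : 0x%X\n", find_apcstate_process_offset(no_match, sizeof no_match));
    return 0;
}
```

In a real run the bytes would be read from the resolved address of PsGetCurrentProcess in the loaded ntoskrnl image; a returned 0 should be treated as "scan failed, do not proceed" rather than used as an offset.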

can1357 commented 6 years ago

Discovered the problem while doing something completely unrelated: rdgsbase / wrgsbase is not supported in Windows 7, so this exploit will not work unless you overwrite the TEB instead, which is not what I'm doing in the PoC.
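The root cause above is a runtime property of the OS, not of the CPU: the FSGSBASE instructions only execute when the kernel has set CR4.FSGSBASE, and otherwise rdgsbase/wrgsbase raise #UD even on hardware that advertises them in CPUID. A PoC that depends on wrgsbase should therefore probe for that before it commits to the technique. Below is an added example, not part of the PoC or of this thread, that distinguishes "CPU lacks FSGSBASE" from "CPU has it but the OS has not enabled it" (the Windows 7 situation) from "usable". On Windows it relies on SEH catching EXCEPTION_ILLEGAL_INSTRUCTION around the _readgsbase_u64 intrinsic; on a POSIX x86-64 host it catches SIGILL around a hand-encoded rdgsbase. The function names are hypothetical, and the reported status is whatever the machine the code runs on actually has.

```c
/* Probe whether rdgsbase is executable from user mode, i.e. whether the OS set CR4.FSGSBASE. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>

#if defined(_MSC_VER) && defined(_M_X64)
#include <windows.h>
#include <intrin.h>
#include <immintrin.h>

int cpu_has_fsgsbase(void)
{
    int r[4];
    __cpuidex(r, 7, 0);            /* CPUID.(EAX=7,ECX=0):EBX bit 0 = FSGSBASE */
    return (r[1] & 1) != 0;
}

static int try_rdgsbase(void)
{
    __try {
        (void)_readgsbase_u64();   /* #UD -> EXCEPTION_ILLEGAL_INSTRUCTION when CR4.FSGSBASE is clear */
        return 1;
    } __except (GetExceptionCode() == EXCEPTION_ILLEGAL_INSTRUCTION ? EXCEPTION_EXECUTE_HANDLER
                                                                    : EXCEPTION_CONTINUE_SEARCH) {
        return 0;
    }
}

#elif defined(__x86_64__)
#include <cpuid.h>
#include <setjmp.h>
#include <signal.h>
#include <string.h>

int cpu_has_fsgsbase(void)
{
    unsigned a, b, c, d;
    if (__get_cpuid_max(0, NULL) < 7)
        return 0;
    __cpuid_count(7, 0, a, b, c, d); /* CPUID.(EAX=7,ECX=0):EBX bit 0 = FSGSBASE */
    return (b & 1) != 0;
}

static sigjmp_buf ud_jmp;
static void on_sigill(int sig) { (void)sig; siglongjmp(ud_jmp, 1); }

static int try_rdgsbase(void)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigill;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGILL, &sa, &old) != 0)
        return -1;

    int ok;
    if (sigsetjmp(ud_jmp, 1) == 0) {
        uint64_t base;
        /* F3 48 0F AE C8 = rdgsbase rax, emitted as raw bytes so the assembler need not know FSGSBASE */
        __asm__ volatile(".byte 0xf3, 0x48, 0x0f, 0xae, 0xc8" : "=a"(base));
        (void)base;
        ok = 1;                    /* executed: CR4.FSGSBASE is set */
    } else {
        ok = 0;                    /* SIGILL from #UD: CR4.FSGSBASE is clear */
    }
    sigaction(SIGILL, &old, NULL);
    return ok;
}

#else
int cpu_has_fsgsbase(void) { return 0; }
static int try_rdgsbase(void) { return -1; }
#endif

/* 1: rdgsbase/wrgsbase usable; 0: CPU supports FSGSBASE but the OS has not enabled it; -1: unavailable. */
int fsgsbase_status(void)
{
    if (!cpu_has_fsgsbase())
        return -1;
    return try_rdgsbase();
}

int main(void)
{
    static const char *desc[] = { "unavailable (no CPU support or not x86-64)",
                                  "CPU supports FSGSBASE but CR4.FSGSBASE is clear (Windows 7 case)",
                                  "usable" };
    printf("FSGSBASE: %s\n", desc[fsgsbase_status() + 1]);
    return 0;
}
```

A status of 0 is exactly the condition in this issue: the hardware is fine, but the exploit's wrgsbase-based path cannot work, and a PoC can fail early with a clear message instead of silently doing nothing.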

ghost commented 6 years ago

I did not get a bugcheck, and yes, the Offset_KThread does remain at 0, unfortunately. All good, thanks at least for the response mate, take care @can1357