

[FEATURE] Added one more exclusion case to the return integrity check
hasherezade committed Sep 8, 2024
1 parent 7173a46 commit b2ac6af
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions scanners/thread_scanner.cpp
Expand Up @@ -185,6 +185,11 @@ bool pesieve::ThreadScanner::checkReturnAddrIntegrity(IN const std::vector<ULONG
if (this->info.ext.wait_reason == Suspended && callStack.size() == 1 && lastFuncCalled == "RtlUserThreadStart" && this->info.last_syscall == 0) {
return true; //normal for suspended threads
}
if (this->info.ext.wait_reason == UserRequest && syscallFuncName == "NtWaitForSingleObject") {
if (lastFuncCalled.rfind("NtQuery", 0) == 0 || lastFuncCalled.rfind("ZwQuery", 0) == 0) {
return true;
}
}
if (syscallFuncName == "NtCallbackReturn") {
const ScannedModule* mod = modulesInfo.findModuleContaining(lastCalled);
if (mod && mod->getModName() == "win32u.dll") return true;
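Review bot: The new exclusion in the `UserRequest`/`NtWaitForSingleObject` branch is keyed only on a function-name prefix and, unlike the `NtCallbackReturn` branch right below it, never checks which module the return address `lastCalled` resolves into, so this return-integrity check is relaxed for every `NtQuery*`/`ZwQuery*` export rather than for the specific case that motivated the change. If `lastFuncCalled` is derived from `lastCalled` (not visible here), mirroring the sibling branch with `const ScannedModule* mod = modulesInfo.findModuleContaining(lastCalled);` and requiring `mod && mod->getModName() == "ntdll.dll"` (placeholder — confirm against the observed frames) keeps the two exclusions consistent; if a single API was observed, comparing the full name instead of the prefix narrows it further. The branch also lacks the short why-comment the `Suspended` case carries, e.g. `//benign: NtQuery*/ZwQuery* as last call while waiting in NtWaitForSingleObject (observed in <scenario>)`, which matters because each exclusion here is a deliberate blind spot in detection and future readers need to know what it covers. `checkReturnAddrIntegrity` begins before and continues after this hunk, so I cannot see whether the name or module is validated elsewhere.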

