[BUGFIX] In ThreadScanner: change rules for 32-bit systems

hasherezade · Sep 12, 2024 · 216d0e2 · 216d0e2
1 parent e2cad93
commit 216d0e2
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 4 deletions.
diff --git a/scanners/thread_scanner.cpp b/scanners/thread_scanner.cpp
@@ -51,6 +51,7 @@ namespace pesieve {
 		}
 		return true;
 	}
+
 };
 
 bool get_page_details(HANDLE processHandle, LPVOID start_va, MEMORY_BASIC_INFORMATION& page_info)
@@ -178,13 +179,22 @@ bool pesieve::ThreadScanner::checkReturnAddrIntegrity(IN const std::vector<ULONG
 
 	const ULONGLONG lastCalled = *callStack.begin();
 	const std::string lastFuncCalled = symbols->funcNameFromAddr(lastCalled);
-
-	if (SyscallTable::isSameSyscallFunc(syscallFuncName, lastFuncCalled)) {
+	if (callStack.size() == 1) {
+		if (this->info.ext.wait_reason == Suspended && lastFuncCalled == "RtlUserThreadStart" && this->info.last_syscall == 0) {
+			return true; //normal for suspended threads
+		}
+		return false; // otherwise it is an anomaly
+	}
+#ifndef _WIN64
+	static bool isWow64 = util::is_current_wow64();
+	if (!isWow64 && lastFuncCalled == "KiFastSystemCallRet") {
 		return true;
 	}
-	if (this->info.ext.wait_reason == Suspended && callStack.size() == 1 && lastFuncCalled == "RtlUserThreadStart" && this->info.last_syscall == 0) {
-		return true; //normal for suspended threads
+#endif
+	if (SyscallTable::isSameSyscallFunc(syscallFuncName, lastFuncCalled)) {
+		return true;
 	}
+
 	if (this->info.ext.wait_reason == UserRequest && syscallFuncName == "NtWaitForSingleObject") {
 		if (lastFuncCalled.rfind("NtQuery", 0) == 0 || lastFuncCalled.rfind("ZwQuery", 0) == 0) {
 			return true;

diff --git a/utils/process_util.cpp b/utils/process_util.cpp
@@ -70,6 +70,19 @@ bool pesieve::util::is_process_64bit(IN HANDLE process)
 	return true;
 }
 
+bool pesieve::util::is_current_wow64()
+{
+#ifdef _WIN64
+	return false;
+#else
+	BOOL isWow64 = FALSE;
+	if (is_process_wow64(GetCurrentProcess(), &isWow64)) {
+		return false;
+	}
+	return (bool)isWow64;
+#endif
+}
+
 BOOL pesieve::util::wow64_get_thread_context(IN HANDLE hThread, IN OUT PWOW64_CONTEXT lpContext)
 {
 #ifdef _WIN64

diff --git a/utils/process_util.h b/utils/process_util.h
@@ -8,6 +8,8 @@ namespace pesieve {
 		BOOL is_process_wow64(IN HANDLE processHandle, OUT BOOL* isProcWow64);
 		bool is_process_64bit(IN HANDLE process);
 
+		bool is_current_wow64();
+
 		BOOL wow64_disable_fs_redirection(OUT PVOID* OldValue);
 		BOOL wow64_revert_fs_redirection(IN PVOID  OldValue);