From 83034c0b830ce06c02e36e6403dc4f0572ca8788 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dobi=20P=C3=A9ter?=
Date: Thu, 8 Jan 2026 01:23:58 +0100
Subject: [PATCH] support for win 24h2 build 21200
---
 driver/src/offsets.rs | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/driver/src/offsets.rs b/driver/src/offsets.rs
index c94e66c..f84da83 100644
--- a/driver/src/offsets.rs
+++ b/driver/src/offsets.rs
@@ -108,6 +108,7 @@ pub fn initialize_nt_offsets() -> anyhow::Result<()> {
 0x01,
 0x05,
 ),
+
 /* Windows 10 19045.4046 */
 Signature::relative_address(
 obfstr!("PsGetNextProcess (19045.4046)"),
@@ -166,6 +167,23 @@ pub fn initialize_nt_offsets() -> anyhow::Result<()> {
 obfstr!("4C 8D A9 ? ? ? ? 33 DB"),
 0x03,
 ),
+ /* Windows 11 24H2 26100.7462 - ThreadListHead offset 0x370
+ * Pattern from PspGetPreviousProcessThread:
+ * mov r12, gs:[188h] ; 65 4C 8B 24 25 88 01 00 00
+ * lea r14, [rcx+370h] ; 4C 8D B1 70 03 00 00 <- ThreadListHead
+ * mov rsi, rdx ; 48 8B F2
+ */
+ Signature::offset(
+ obfstr!("_EPROCESS.ThreadListHead (26100)"),
+ obfstr!("65 4C 8B 24 25 88 01 00 00 4C 8D B1 ? ? ? ? 48 8B F2"),
+ 0x0C,
+ ),
+ /* Windows 11 25H2 26200.7462 */
+ Signature::offset(
+ obfstr!("_EPROCESS.ThreadListHead (26200)"),
+ obfstr!("4C 8D B1 ? ? ? ? 48 8B F2"),
+ 0x03,
+ ),
 /* Windows 10 19045.4046 (Actually finds PspGetPreviousProcessThread and PsGetNextProcessThread) */
 Signature::offset(
 obfstr!("_EPROCESS.ThreadListHead (19045.4046)"),
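Review bot: The `_EPROCESS.ThreadListHead (26200)` pattern `4C 8D B1 ? ? ? ? 48 8B F2` is a strict suffix of the 26100 pattern added just above it, so it matches everywhere the longer one does and, with only six fixed bytes, can also match an unrelated `lea r14, [rcx+disp32]`. In kernel mode a wrong ThreadListHead displacement makes every later list walk start from an arbitrary field, which is likely to end in a bugcheck or corrupted state. Nothing visible in the hunk ties an entry to the running build, so the build numbers in the labels look informational only; how the candidates are tried is decided in the part of `initialize_nt_offsets` outside the hunk. If the longer pattern also resolves on 26200, drop the short entry; otherwise extend it with preceding bytes taken from that build, give it the same disassembly comment as the 26100 entry, and range-check the decoded displacement before it is stored. The subject line says build 21200 while the labels say 26100 and 26200, which is worth reconciling.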