From 6d25ab0e7bf0a152b523a4e84db8fe7767496db1 Mon Sep 17 00:00:00 2001
From: hasherezade <hasherezade@gmail.com>
Date: Sun, 9 Feb 2025 04:16:39 +0100
Subject: [PATCH] [BUGFIX] In thread_scanner: fixed compatibility with Windows
 7

---
 scanners/thread_scanner.cpp | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/scanners/thread_scanner.cpp b/scanners/thread_scanner.cpp
index b4991264..7be5af16 100644
--- a/scanners/thread_scanner.cpp
+++ b/scanners/thread_scanner.cpp
@@ -229,10 +229,18 @@ bool pesieve::ThreadScanner::checkReturnAddrIntegrity(IN const std::vector<ULONG
 	if (SyscallTable::isSameSyscallFunc(syscallFuncName, lastFuncCalled)) {
 		return true; // valid
 	}
-
+	
 	const ScannedModule* mod = modulesInfo.findModuleContaining(lastCalled);
 	const std::string lastModName = mod ? mod->getModName() : "";
 
+	if (syscallFuncName == "NtCallbackReturn") {
+		if (lastModName == "win32u.dll" 
+			|| lastModName == "user32.dll" || lastModName == "winsrv.dll") // for Windows7
+		{
+			return true;
+		}
+	}
+
 	if (!SyscallTable::isSyscallDll(lastModName)) {
 //#ifdef _DEBUG
 		std::cout << "[@]" << std::dec << info.tid << " : " << "LastSyscall: " << syscallFuncName << " VS LastCalledAddr: " << std::hex << lastCalled 
@@ -242,10 +250,6 @@ bool pesieve::ThreadScanner::checkReturnAddrIntegrity(IN const std::vector<ULONG
 		return false;
 	}
 
-	if (syscallFuncName == "NtCallbackReturn") {
-		if (lastModName == "win32u.dll") return true;
-	}
-
 	if (this->info.ext.wait_reason == WrUserRequest ||
 		this->info.ext.wait_reason == UserRequest)
 	{