fix: Windows 11 25H2 26200.7462 ntokrnl.exe offsets #7
Conversation
|
Refer Issue: #6 |
|
Modified Readme Refer PR: #4 |
There was a problem hiding this comment.
Pull request overview
This pull request adds support for Windows 11 25H2 build 26200.7462 by adding a new signature pattern to locate ntokrnl.exe offsets. Additionally, it updates the README to clarify the LLVM requirement and document the build process including the stripping step.
Key changes:
- Adds a new signature pattern for Windows 11 25H2 build 26200.7462 to locate kernel offsets
- Documents LLVM Compiler Infrastructure as a build requirement
- Updates build output path documentation from .sys to .dll and adds information about the Strip-Driver.ps1 step
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| driver/src/offsets.rs | Adds new signature pattern for Windows 11 25H2 26200.7462 ntokrnl.exe offset detection |
| README.MD | Updates build requirements and clarifies the build process including the driver stripping step |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| Signature::offset( | ||
| obfstr!("_EPROCESS.ThreadListHead (26200.7462)"), | ||
| obfstr!("4C 8D B1 ? ? ? ? 48 8B F2"), | ||
| 0x03, | ||
| ), |
There was a problem hiding this comment.
This signature appears to be in the wrong array. The signature is labeled as "_EPROCESS.ThreadListHead (26200.7462)" which suggests it should be searching for the ThreadListHead offset, but it's placed in the ps_get_next_process array. This signature should be moved to the eprocess_thread_list_head array (around line 163-187) where other ThreadListHead signatures are located.
| obfstr!("4C 8D B1 ? ? ? ? 48 8B F2"), | ||
| 0x03, | ||
| ), | ||
|
|
There was a problem hiding this comment.
Trailing whitespace detected. Remove the trailing whitespace at the end of this line to maintain code consistency.
|
|
||
| - Visual Studio 2022 | ||
| - Windows Kernel Development Kit | ||
| - LLVM Compiler Infrastructure |
There was a problem hiding this comment.
Trailing whitespace detected. Remove the trailing whitespace at the end of this line to maintain code consistency.
| - LLVM Compiler Infrastructure | |
| - LLVM Compiler Infrastructure |
| # The result will be located at "../target/x86_64-pc-windows-msvc/release/valthrun-driver.dll" | ||
| cargo b -r | ||
| # Now we Strip the driver to get valthrun-driver.sys via Strip-Driver.ps1 linking input to espected realese build "../target/x86_64-pc-windows-msvc/release/valthrun-driver.dll". |
There was a problem hiding this comment.
Spelling error: "espected" should be "expected".
| # Now we Strip the driver to get valthrun-driver.sys via Strip-Driver.ps1 linking input to espected realese build "../target/x86_64-pc-windows-msvc/release/valthrun-driver.dll". | |
| # Now we Strip the driver to get valthrun-driver.sys via Strip-Driver.ps1 linking input to expected realese build "../target/x86_64-pc-windows-msvc/release/valthrun-driver.dll". |
| # The result will be located at "../target/x86_64-pc-windows-msvc/release/valthrun-driver.dll" | ||
| cargo b -r | ||
| # Now we Strip the driver to get valthrun-driver.sys via Strip-Driver.ps1 linking input to espected realese build "../target/x86_64-pc-windows-msvc/release/valthrun-driver.dll". |
There was a problem hiding this comment.
Spelling error: "realese" should be "release".
| # Now we Strip the driver to get valthrun-driver.sys via Strip-Driver.ps1 linking input to espected realese build "../target/x86_64-pc-windows-msvc/release/valthrun-driver.dll". | |
| # Now we Strip the driver to get valthrun-driver.sys via Strip-Driver.ps1 linking input to expected release build "../target/x86_64-pc-windows-msvc/release/valthrun-driver.dll". |
1 participant
No description provided.