LdrpHandleTlsData pattern only works for Windows 10 19H1 or later

[lewisclark]

No description provided.

[apexile]

Yes, I have already caught many different errors using manual map in windows 7. Is it true that LdrpHandleTlsData is not present in Windows 7, or is there still a solution?

[lewisclark]

It's present in Windows 7 but the pattern and offset is different. Blackbone has the pattern here.

[apexile]

I wanted to say this, I changed the offsets, but it looks like the matter is in the read_memory function. Error: https://i.imgur.com/Nzv7ifi.png . The point is most likely in this line: process.read_memory(&mut buf, ntdll_info.lpBaseOfDll as usize)?; Also, I will say that I had to change IsWow64Process2 to IsWow64Process, since Windows 7 does not support this function.

[apexile]

In general, when executing the read_memory function, my ret variable is equal to 0 instead of 1; The funny thing is that if I change the ntdll.dll file to another, the read_memory function is executed normally. I checked it even on the old version of windows 7, the same thing. Everything works well on Windows 10. And ret = 0 because & mut num_bytes_read = 0. This only happens with this DLL. Everything is fine with the rest =)

[apexile]

Hi, can you tell me how to write this line correctly?
OffsetData{ PatternSearch( "\x41\xb8\x09\x00\x00\x00\x48\x8d\x44\x24\x38", 11 )

[lewisclark]

The pattern is 41 b8 9 0 0 0 48 8d 44 24 38. The 11 is the length of the pattern in bytes, not the offset. You've removed the offset portion of that line which is at the end. The offset is dynamically calculated based on the Windows revision.