get OS information via KUSER_SHARED_DATA

edit on GitHub
search on VirusTotal

# generated using capa explorer for IDA Pro
rule:
  meta:
    name: get OS information via KUSER_SHARED_DATA
    namespace: host-interaction/os/version
    authors:
      - "@mr-tz"
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Discovery::System Information Discovery [T1082]
    references:
      - https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/api/ntexapi_x/kuser_shared_data/index.htm
  features:
    - or:
      - number: 0x7FFE0260 = NtBuildNumber
      - number: 0x7FFE026C = NtMajorVersion
      - number: 0x7FFE0270 = NtMinorVersion

last edited: 2023-11-24 10:34:28