rule:
meta:
name: get OS version
authors:
- "@mr-tz"
lib: true
scopes:
static: function
dynamic: call
examples:
- 493167E85E45363D09495D0841C30648:0x401000
- 5f66b82558ca92e54e77f216ef4c066c:0x44580A
features:
- or:
- api: RtlGetVersion
- api: ntoskrnl.PsGetVersion
- api: GetVersion
- api: GetVersionEx
- api: VerifyVersionInfo
- api: VerSetConditionMask
- api: RtlGetNtVersionNumbers
- api: GetProductInfo
- and:
- match: PEB access
- or:
- and:
- arch: i386
- or:
- offset: 0xA4 = PEB->OSMajorVersion
- offset: 0xA8 = PEB->OSMinorVersion
- offset: 0xAC = PEB->OSBuildNumber
- and:
- arch: amd64
- or:
- offset: 0x118 = PEB->OSMajorVersion
- offset: 0x11C = PEB->OSMinorVersion
- offset: 0x120 = PEB->OSBuildNumber
last edited: 2023-11-24 10:35:00