 
            
            
        rule:
  meta:
    name: get OS version
    authors:
      - "@mr-tz"
    lib: true
    scopes:
      static: function
      dynamic: call
    examples:
      - 493167E85E45363D09495D0841C30648:0x401000
      - 5f66b82558ca92e54e77f216ef4c066c:0x44580A
  features:
    - or:
      - api: RtlGetVersion
      - api: ntoskrnl.PsGetVersion
      - api: GetVersion
      - api: GetVersionEx
      - api: VerifyVersionInfo
      - api: VerSetConditionMask
      - api: RtlGetNtVersionNumbers
      - api: GetProductInfo
      - and:
        - match: PEB access
        - or:
          - and:
            - arch: i386
            - or:
              - offset: 0xA4 = PEB->OSMajorVersion
              - offset: 0xA8 = PEB->OSMinorVersion
              - offset: 0xAC = PEB->OSBuildNumber
          - and:
            - arch: amd64
            - or:
              - offset: 0x118 = PEB->OSMajorVersion
              - offset: 0x11C = PEB->OSMinorVersion
              - offset: 0x120 = PEB->OSBuildNumber
last edited: 2023-11-24 10:35:00