get-os-version.yml
# capa library rule: recognises code that determines the Windows OS version,
# either through one of the version-query APIs or by reading the version
# fields straight out of the PEB. As a lib rule it is not reported on its
# own; other rules pull it in with `match: get OS version`.
rule:
  meta:
    name: get OS version
    authors:
      - "@mr-tz"
    lib: true
    scopes:
      # evaluated per function in static analysis, per API call in dynamic traces
      static: function
      dynamic: call
    # sample hash:virtual-address pairs where this rule is expected to match
    examples:
      - 493167E85E45363D09495D0841C30648:0x401000
      - 5f66b82558ca92e54e77f216ef4c066c:0x44580A
  features:
    - or:
      # direct version-query APIs (user mode and kernel mode)
      - api: RtlGetVersion
      - api: ntoskrnl.PsGetVersion
      - api: GetVersion
      - api: GetVersionEx
      - api: VerifyVersionInfo
      - api: VerSetConditionMask
      - api: RtlGetNtVersionNumbers
      - api: GetProductInfo
      # manual PEB walking: requires the "PEB access" library rule plus a read
      # at the architecture-specific offset of one of the PEB version fields
      - and:
        - match: PEB access
        - or:
          - and:
            - arch: i386
            - or:
              - offset: 0xA4 = PEB->OSMajorVersion
              - offset: 0xA8 = PEB->OSMinorVersion
              - offset: 0xAC = PEB->OSBuildNumber
          - and:
            - arch: amd64
            - or:
              - offset: 0x118 = PEB->OSMajorVersion
              - offset: 0x11C = PEB->OSMinorVersion
              - offset: 0x120 = PEB->OSBuildNumber