
rule: windows version via RtlGetNtVersionNumbers (need example)

Open · Ana06 opened this issue 4 years ago · 1 comment

@mike-hunhoff

Example: b7841b9d5dc1f511a93cc7576672ec0c:1000f0e0

Windows API:

  • ntdll::RtlGetNtVersionNumbers

@mr-tz

dynamically resolved in referenced sample, so not a test candidate

.text:1000F0F5 68 0C 50 02 10    push    offset aRtlgetntversio ; "RtlGetNtVersionNumbers"
.text:1000F0FA 56                push    esi             ; hModule
.text:1000F0FB FF 15 54 C2 01 10 call    ds:GetProcAddress

rule:

api: ntdll.RtlGetNtVersionNumbers

Ana06 · Aug 06 '20 17:08

It looks like a sample is in capa-testfiles 5f66b82558ca92e54e77f216ef4c066c.exe_

In the following basic block:

0x00445817      68c4a14b00             push 0x4ba1c4
0x0044581c      68bca14b00             push 0x4ba1bc
0x00445821      68c0a14b00             push 0x4ba1c0
0x00445826      e8815c0200             call sub.ntdll.dll_RtlGetNtVersionNumbers
0x0044582b      8125c4a14b00ff7f0000   and dword [0x4ba1c4], 0x7fff
0x00445835      6a14                   push 0x14 ; 20
0x00445837      5f                     pop edi
0x00445838      53                     push ebx ; DWORD dwCoInit
0x00445839      53                     push ebx ; LPVOID pvReserved
0x0044583a      ff1550394700           call dword [CoInitializeEx] ; 0x473950 ; HRESULT CoInitializeEx(LPVOID pvReserved, DWORD dwCoInit)
0x00445840      3bc3                   cmp eax, ebx
0x00445842      7d0d                   jge 0x445851

re-fox · Oct 07 '20 14:10
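A complete rule that ties the two observations in this thread together, added here as an example rather than taken from capa-rules. It uses current capa rule syntax (`scopes:`), the capa-testfiles basic block re-fox cites as its example, and a placeholder author; the second `or` branch is an assumption of this example, covering the GetProcAddress pattern mr-tz shows, which the bare `api:` feature alone does not match.

```yaml
rule:
  meta:
    name: get OS version via RtlGetNtVersionNumbers
    namespace: host-interaction/os/version
    authors:
      - placeholder@example.com   # placeholder, not a real rule author
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Discovery::System Information Discovery [T1082]
    examples:
      # capa-testfiles sample from the thread; direct import, so the api feature matches
      - 5f66b82558ca92e54e77f216ef4c066c:0x445817
  features:
    - or:
      # statically imported: capa tags the call site with the resolved API name
      - api: ntdll.RtlGetNtVersionNumbers
      # resolved at runtime: the name string is pushed and GetProcAddress is called
      # in the same basic block, as in the b7841b9d... sample at 0x1000f0e0, where
      # no import entry exists and the api feature above cannot fire
      - and:
        - string: "RtlGetNtVersionNumbers"
        - api: kernel32.GetProcAddress
```

The dynamically resolved sample is deliberately not listed under `examples:`, since capa's test suite only verifies examples against files present in capa-testfiles.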