From dfdd5d8fc034ace8f96327f9f999e48ec1a73c5f Mon Sep 17 00:00:00 2001
From: jtothej
Date: Sat, 22 Jul 2023 19:33:09 +0800
Subject: [PATCH] Update get-os-version.yml
---
 lib/get-os-version.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/lib/get-os-version.yml b/lib/get-os-version.yml
index f6460d574..4ef45d0c1 100644
--- a/lib/get-os-version.yml
+++ b/lib/get-os-version.yml
@@ -18,3 +18,18 @@ rule:
 - api: VerSetConditionMask
 - api: RtlGetNtVersionNumbers
 - api: GetProductInfo
+ - and:
+ - match: PEB access
+ - or:
+ - and:
+ - arch: i386
+ - or:
+ - offset: 0xA4 = PEB->OSMajorVersion
+ - offset: 0xA8 = PEB->OSMinorVersion
+ - offset: 0xAC = PEB->OSBuildNumber
+ - and:
+ - arch: amd64
+ - or:
+ - offset: 0x118 = PEB->OSMajorVersion
+ - offset: 0x11C = PEB->OSMinorVersion
+ - offset: 0x120 = PEB->OSBuildNumber
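Review bot: The new `and:` only requires `match: PEB access` and one of the `offset:` features to co-occur within the rule's scope, not that the offset is applied to the PEB pointer itself, so a function that reads the PEB for another reason (e.g. BeingDebugged or Ldr) and separately dereferences any unrelated structure at +0xA4/+0xA8/+0xAC (or +0x118/+0x11C/+0x120 on amd64) will satisfy it; those are small, common structure offsets, which makes this a realistic false-positive path for an OS-version-detection rule. If the rule's scope is function (its `meta:` block is outside this hunk, so I cannot confirm), consider tightening the new branch by nesting it under `- basic block:` so the PEB read and the field access must sit in the same basic block, and adding a short `description:` such as `read OS version fields directly from the PEB` so the purpose of the raw offsets is clear to the next maintainer. If the intent is to cover every version field malware reads from the PEB, OSCSDVersion and OSPlatformId (the fields immediately following OSBuildNumber) are not included here; whether that omission is deliberate should be stated in the description. The enclosing `features:` list starts before this hunk.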