Fix rule logic for get-ntoskrnl-base-address-via-x86-assembly.yml

akh7177 · akh7177 · commit 62bc59e71332 · 2025-03-01T13:01:59.000+05:30
diff --git a/nursery/get-ntoskrnl-base-address-via-x86-assembly.yml b/nursery/get-ntoskrnl-base-address-via-x86-assembly.yml
@@ -4,6 +4,7 @@ rule:
     namespace: linking/runtime-linking
     authors:
       - "@mr-tz"
+			- "@akh7177"
     scopes:
       static: function
       dynamic: unsupported  # requires offset features
@@ -15,13 +16,13 @@ rule:
   features:
     - and:
       - basic block:
+        - description: returns RTL_PROCESS_MODULES structure
+        - number: 0xB = SystemModuleInformation
+        - match: get system information on Windows
+      - or:
         - and:
-          - description: returns RTL_PROCESS_MODULES structure
-          - number: 0xB = SystemModuleInformation
-          - match: get system information on Windows
-      - and:
-        - arch: i386
-        - offset: 0xC = RTL_PROCESS_MODULES.Modules[0].ImageBase
-      - and:
-        - arch: amd64
-        - offset: 0x18 = RTL_PROCESS_MODULES.Modules[0].ImageBase
+          - arch: i386
+          - offset: 0xC = RTL_PROCESS_MODULES.Modules[0].ImageBase
+        - and:
+          - arch: amd64
+          - offset: 0x18 = RTL_PROCESS_MODULES.Modules[0].ImageBase
