mandiant / capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs
https://github.com/mandiant/capa/
Apache License 2.0
514 stars, 157 forks

add rules for volume interaction via IOCTLs #879

Closed williballenthin closed 6 months ago

williballenthin commented 6 months ago

from https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/

mr-tz commented 6 months ago

there are two "via control codes" rules I saw

williballenthin commented 6 months ago

yeah, let me refactor a few things here. I'll make `interact with driver via ioctl` the main place that we reference `DeviceIoControl` and move the driver load/unload to other rules.
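To illustrate the layout described in the comment above (one base rule that owns the `DeviceIoControl` reference, with more specific rules matching it), here is an added example. It is not taken from the capa-rules repository: the rule names, namespaces, author and example entries are hypothetical placeholders, the `scope: function` key assumes the pre-v7 rule syntax, and the control-code constants are the documented Windows values for `FSCTL_LOCK_VOLUME`, `FSCTL_DISMOUNT_VOLUME` and `IOCTL_DISK_DELETE_DRIVE_LAYOUT`. capa keeps one rule per file; the two rules are shown together here, separated by `---`, only for reading.

```yaml
# Added illustration, not a rule from the capa-rules repository.
# Rule 1: the single place that references the IOCTL APIs. Other rules
# reference it with `match:` instead of repeating the api features.
rule:
  meta:
    name: interact with driver via ioctl
    namespace: host-interaction/driver
    authors:
      - placeholder@example.com        # placeholder, not a real author
    scope: function                    # assumes pre-v7 scope syntax
    examples:
      - PLACEHOLDER_SHA256:0x401000    # placeholder, not a real sample
  features:
    - or:
      - api: kernel32.DeviceIoControl
      - api: ntdll.NtDeviceIoControlFile
      - api: ntdll.ZwDeviceIoControlFile
---
# Rule 2 (hypothetical name/namespace): volume interaction, built on rule 1
# plus the control codes used to lock or dismount a volume or delete the
# drive layout. The `= NAME` suffix is capa's inline description syntax.
rule:
  meta:
    name: manipulate volume via ioctl
    namespace: host-interaction/file-system/volume
    authors:
      - placeholder@example.com        # placeholder, not a real author
    scope: function                    # assumes pre-v7 scope syntax
    examples:
      - PLACEHOLDER_SHA256:0x402000    # placeholder, not a real sample
  features:
    - and:
      - match: interact with driver via ioctl
      - or:
        - number: 0x90018 = FSCTL_LOCK_VOLUME
        - number: 0x90020 = FSCTL_DISMOUNT_VOLUME
        - number: 0x7C100 = IOCTL_DISK_DELETE_DRIVE_LAYOUT
```

With this split, the driver load/unload rules and any future volume, disk or device rules only need a `match:` on the base rule, so adding a new IOCTL API variant later means editing one file rather than every rule that mentions it.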