williballenthin closed 6 months ago
there's two via control codes rules I saw
yeah let me refactor a few things here. i'll make interact with driver via ioctl the main place that we reference DeviceIoControl and move the driver load/unload to other rules.
from https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/