get storage device properties

edit on GitHub
search on VirusTotal

# generated using capa explorer for IDA Pro
rule:
  meta:
    name: get storage device properties
    namespace: host-interaction/hardware/storage
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: thread
    references:
      - https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ni-winioctl-ioctl_storage_query_property
  features:
    - and:
      - or:
        - characteristic: indirect call
        - match: interact with driver via IOCTL
      - number: 0x2D1400 = IOCTL_STORAGE_QUERY_PROPERTY
      - optional:
        - string: "\\\\.\\PhysicalDrive0"

last edited: 2024-02-14 13:56:47