import "pe"

// Detection: a PE that names the first physical disk and pushes the
// IOCTL_DISK_GET_LENGTH_INFO control code right before an indirect call,
// i.e. a DeviceIoControl-based drive-size query (a common sandbox /
// small-VM-disk check; behaviour is only inferred from the constants).
rule Check_DriveSize
{
    meta:
        Author = "Nick Hoffman"
        Description = "Rule tries to catch uses of DeviceIOControl being used to get the drive size"
        Sample = "de1af0e97e94859d372be7fcf3a5daa5"

    strings:
        // Device path of the first physical disk; presumably the handle passed
        // to CreateFileA (matched as ANSI or UTF-16, any case).
        $drive0_path = "\\\\.\\PhysicalDrive0" wide ascii nocase

        // 68 5C 40 07 00       push 0x7405C  (IOCTL_DISK_GET_LENGTH_INFO)
        // [0-5]                room for a few more argument pushes (e.g. the handle)
        // FF 15                call dword ptr [imm32] - indirect call, typically via the IAT
        $ioctl_push = { 68 5C 40 07 00 [0-5] FF 15 }

    condition:
        $drive0_path and
        $ioctl_push and
        pe.imports("kernel32.dll", "DeviceIoControl") and
        pe.imports("kernel32.dll", "CreateFileA")
}