Merge pull request #183 from re-fox/master

Create read-virtual-disk.yml

host-interaction/file-system/read/read-virtual-disk.yml

@@ -0,0 +1,22 @@
+rule:
+  meta:
+    name: read virtual disk
+    namespace: host-interaction/file-system/read
+    author: "@_re_fox"
+    scope: function
+    references:
+      - https://github.com/vxunderground/VXUG-Papers/blob/main/Weaponizing%20Windows%20Virtualization/src.cpp
+      - https://github.com/vxunderground/VXUG-Papers/blob/main/Weaponizing%20Windows%20Virtualization/WeaponizingWindowsVirtualization.pdf
+    examples:
+      - 3265b2b0afc6d2ad0bdd55af8edb9b37:0x00410637
+  features:
+    - and:
+      - api: OpenVirtualDisk
+      - api: AttachVirtualDisk
+      - api: GetVirtualDiskPhysicalPath
+      - optional:
+        - and:
+          - number: 0xec984aec
+          - number: 0x47e9a0f9
+          - number: 0x41711f90
+          - number: 0x5b34665a