From 1fb9aff727b85be4ee0337c30bf9049def9ea58a Mon Sep 17 00:00:00 2001
From: re-fox <57954766+re-fox@users.noreply.github.com>
Date: Wed, 18 Nov 2020 11:46:53 -0500
Subject: [PATCH] Create read-virtual-disk.yml

---
 .../file-system/read/read-virtual-disk.yml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 host-interaction/file-system/read/read-virtual-disk.yml

diff --git a/host-interaction/file-system/read/read-virtual-disk.yml b/host-interaction/file-system/read/read-virtual-disk.yml
new file mode 100644
index 000000000..94cab29b0
--- /dev/null
+++ b/host-interaction/file-system/read/read-virtual-disk.yml
@@ -0,0 +1,22 @@
+rule:
+  meta:
+    name: read virtual disk
+    namespace: host-interaction/file-system/read
+    author: "@_re_fox"
+    scope: function
+    references:
+      - https://github.com/vxunderground/VXUG-Papers/blob/main/Weaponizing%20Windows%20Virtualization/src.cpp
+      - https://github.com/vxunderground/VXUG-Papers/blob/main/Weaponizing%20Windows%20Virtualization/WeaponizingWindowsVirtualization.pdf
+    examples:
+      - 3265b2b0afc6d2ad0bdd55af8edb9b37:0x00410637
+  features:
+    - and:
+      - api: OpenVirtualDisk
+      - api: AttachVirtualDisk
+      - api: GetVirtualDiskPhysicalPath
+      - optional:
+        - and:
+          - number: 0xec984aec
+          - number: 0x47e9a0f9
+          - number: 0x41711f90
+          - number: 0x5b34665a
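Review bot: The four `number` features under `optional` are undocumented magic values; they appear to be the in-memory little-endian dword layout of the VIRTUAL_STORAGE_TYPE_VENDOR_MICROSOFT GUID {EC984AEC-A0F9-47E9-901F-71415A66345B} (Data1 = 0xEC984AEC, Data2|Data3<<16 = 0x47E9A0F9, then Data4 as 0x41711F90 and 0x5B34665A), i.e. the vendor id OpenVirtualDisk's VIRTUAL_STORAGE_TYPE argument expects — please label them so a maintainer can verify them without re-deriving the encoding, e.g. `- number: 0xec984aec = VIRTUAL_STORAGE_TYPE_VENDOR_MICROSOFT GUID, dword 1` using capa's inline description syntax, and likewise for the other three. Separately, none of the three APIs distinguishes reading from writing: OpenVirtualDisk + AttachVirtualDisk + GetVirtualDiskPhysicalPath describe mounting a VHD/VHDX and locating its device, so a sample that attaches a disk in order to write to or hide files on it will also match this "read" rule under `host-interaction/file-system/read`; consider a name such as `attach virtual disk` or at least a `description:` meta entry stating that the rule detects mounting, not a read operation as such. Finally, `scope: function` requires all three calls in a single function, so code that splits them across helpers or resolves them at runtime via GetProcAddress will not match — acceptable, but worth stating in the description so the coverage gap is known rather than discovered.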