add rule for driver major function ID (#939)

* add rule
mandiant · Sep 30, 2024 · 109890c · 109890c
1 parent bd3f812
commit 109890c
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/host-interaction/driver/complete-processing-asynchronous-io-request.yml b/host-interaction/driver/complete-processing-asynchronous-io-request.yml
@@ -0,0 +1,16 @@
+rule:
+  meta:
+    name: complete processing asynchronous IO request
+    namespace: host-interaction/driver
+    authors:
+      - [email protected]
+    description: signals that driver has finished all processing for a given IRP (part of major function)
+    scopes:
+      static: basic block
+      dynamic: thread
+    examples:
+      - Practical Malware Analysis Lab 10-03.sys_:0x10666
+  features:
+    - or:
+      - api: IoCompleteRequest
+      - api: IofCompleteRequest