Determines whether a disk drive is a removable, fixed, CD-ROM, RAM disk, or network drive.

To determine whether a drive is a USB-type drive, call SetupDiGetDeviceRegistryProperty and specify theSPDRP_REMOVAL_POLICY property.

Syntax

UINT WINAPI GetDriveType(
  _In_opt_ LPCTSTR lpRootPathName
);

Parameters

lpRootPathName [in, optional]

The root directory for the drive.

A trailing backslash is required. If this parameter is NULL, the function uses the root of the current directory.

Return value

The return value specifies the type of drive, which can be one of the following values.

GetDriveType 

 - Return 값에 따른 드라이브 Type을 결정짓고, 이에 따른 악성 행위를 분기할 수 있음

 - 최근 말레이시아에서 존재했던 Mumblehard ELF 악성 코드도 분석된 결과에 따르면 Removable Device를 찾아 그에 따른 악성 행위를 진행했다고 하는데, 위와 같이 특정 API를 사용했을 것이라 추측해본다.

Retrieves the context of the specified thread.

A 64-bit application can retrieve the context of a WOW64 thread using the Wow64GetThreadContextfunction.

Syntax

BOOL WINAPI GetThreadContext(
  _In_    HANDLE    hThread,
  _Inout_ LPCONTEXT lpContext
);

Parameters

hThread [in]

A handle to the thread whose context is to be retrieved. The handle must haveTHREAD_GET_CONTEXT access to the thread. For more information, see Thread Security and Access Rights.

WOW64:  The handle must also have THREAD_QUERY_INFORMATION access.

lpContext [in, out]

A pointer to a CONTEXT structure that receives the appropriate context of the specified thread. The value of the ContextFlags member of this structure specifies which portions of a thread's context are retrieved. The CONTEXT structure is highly processor specific. Refer to the WinNT.h header file for processor-specific definitions of this structures and any alignment requirements.

Return value

If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.