objects.Win_Kernel_Object.xsd Maven / Gradle / Ivy
This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.
Win_Kernel_Object
2.1
01/22/2014
The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML.
Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.
The Windows_Kernel object is intended to characterize Windows Kernel structures.
The WindowsKernelObjectType type is intended to characterize Windows Kernel structures.
The IDT field characterizes the Windows Interrupt Descriptor Table (IDT).
The SSDT field characterizes the Windows System Service Descriptor Table (SSDT). The SSDT is a structure that the kernel uses to dispatch functions. KeServiceDescriptorTable is a table exported by the kernel that contains pointers to four SSDTs: one for the native API, one for user/GDI support, one for IIS SPUD (in Windows 2000), and one unused. See http://www.honeynet.org/node/438; Sven Boris Schreiber, Undocumented Windows 2000 Secrets (http://undocumented.rawol.com/sbs-w2k-2-the-windows-2000-native-api.pdf); Greg Hoglund and James Butler, Rootkits: Subverting the Windows Kernel.
The SSDTEntryListType type specifies a listing of the entries in the System Service Descriptor Table (SSDT).
Specifies an entry in the System Service Descriptor Table.
The SSDTEntryType type specifies a single entry in the System Service Descriptor Table (SSDT).
Pointer to the system service dispatch table, an array of function addresses which is indexed by the system call number.
Pointer to an array of usage counters.
Number of entries in the system service dispatch table.
Pointer to an array of bytes, which indicate the number of bytes used by the function's arguments.
The hooked attribute specifies whether the SSDT entry is hooked.
The IDTEntryListType type specifies a listing of the entries in the Interrupt Descriptor Table (IDT). The IDT is specific to the i386 architecture and indicates where the protected-mode Interrupt Service Routines (ISRs) are located. See http://wiki.osdev.org/Interrupt_Descriptor_Table.
Specifies an entry in the Interrupt Descriptor Table.
The IDTEntryType type specifies a single entry in the Interrupt Descriptor Table (IDT). Entries can be interrupt gates, task gates, and trap gates.
A byte that encodes the gate type and interrupt attributes (e.g., the Descriptor Privilege Level).
Higher part of the interrupt function's offset address (bits 16-31 in 32-bit, bits 32-63 in 64-bit).
Lower part of the interrupt function's offset address (bits 0-15).
In 64-bit architectures, middle part of the interrupt function's offset address (bits 16-31).
A 16-bit value that points to a code segment selector in the Global Descriptor Table.
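As an added example (not part of the CybOX schema or its documentation), the following Python decodes a raw x86/x86-64 IDT gate descriptor into the fields IDTEntryType names above (Offset_Low, Offset_Mid, Offset_High, Selector, Type_Attr), recombines the ISR address from its parts, and shows one way an analyst tool could decide the SSDT entry's hooked attribute. The descriptor layouts follow the OSDev page cited above; the sample bytes and the module ranges are constructed.

```python
import struct

# Gate types encoded in the low nibble of the Type_Attr byte (x86 values).
GATE_TYPES = {0x5: "task", 0x6: "interrupt16", 0x7: "trap16",
              0xE: "interrupt", 0xF: "trap"}


def decode_type_attr(type_attr):
    """Split the Type_Attr byte: bit 7 = present, bits 5-6 = DPL, bits 0-3 = gate type."""
    return {"present": bool(type_attr & 0x80),
            "dpl": (type_attr >> 5) & 0x3,
            "gate_type": GATE_TYPES.get(type_attr & 0xF, "unknown")}


def parse_idt_entry(raw):
    """Parse an 8-byte (32-bit) or 16-byte (64-bit) gate descriptor into the
    IDTEntryType fields and recombine the ISR offset from its parts."""
    if len(raw) == 8:
        # 32-bit layout: offset bits 0-15, selector, reserved, Type_Attr, offset bits 16-31
        low, selector, _rsvd, type_attr, high = struct.unpack("<HHBBH", raw)
        entry = {"Offset_Low": low, "Selector": selector, "Type_Attr": type_attr,
                 "Offset_Mid": None, "Offset_High": high}
        entry["isr_address"] = (high << 16) | low
    elif len(raw) == 16:
        # 64-bit layout adds an IST byte, offset bits 16-31 (Offset_Mid),
        # offset bits 32-63 (Offset_High) and a reserved dword
        low, selector, _ist, type_attr, mid, high, _rsvd = struct.unpack("<HHBBHII", raw)
        entry = {"Offset_Low": low, "Selector": selector, "Type_Attr": type_attr,
                 "Offset_Mid": mid, "Offset_High": high}
        entry["isr_address"] = (high << 32) | (mid << 16) | low
    else:
        raise ValueError("IDT entry must be 8 or 16 bytes")
    entry.update(decode_type_attr(type_attr))
    return entry


def ssdt_hooked_indices(dispatch_table, module_ranges):
    """Return the system call numbers whose dispatch pointer lies outside every
    expected module range (a plain SSDT-hook check; module_ranges is a
    hypothetical list of (start, end) addresses of legitimate kernel images)."""
    def in_known_module(addr):
        return any(start <= addr < end for start, end in module_ranges)
    return [i for i, addr in enumerate(dispatch_table) if not in_known_module(addr)]


# Constructed sample descriptors, not captured from a real system.
SAMPLE_IDT64 = struct.pack("<HHBBHII", 0x5678, 0x0010, 0, 0x8E, 0x1234, 0xFFFFF800, 0)
SAMPLE_IDT32 = struct.pack("<HHBBH", 0x5678, 0x0008, 0, 0xEE, 0x8012)
```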