Main schema Win_Kernel_Object.xsd
Namespace http://cybox.mitre.org/objects#WinKernelObject-2
Annotations
This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.
Element WinKernelObj:Windows_Kernel
Namespace http://cybox.mitre.org/objects#WinKernelObject-2
Annotations
The Windows_Kernel object is intended to characterize Windows Kernel structures.
Type WinKernelObj:WindowsKernelObjectType
Children WinKernelObj:IDT, WinKernelObj:SSDT
Source
<xs:element name="Windows_Kernel" type="WinKernelObj:WindowsKernelObjectType">
  <xs:annotation>
    <xs:documentation>The Windows_Kernel object is intended to characterize Windows Kernel structures.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinKernelObj:WindowsKernelObjectType / WinKernelObj:IDT
Namespace http://cybox.mitre.org/objects#WinKernelObject-2
Annotations
The IDT field characterizes the Windows Interrupt Descriptor Table (IDT).
Type WinKernelObj:IDTEntryListType
Children WinKernelObj:IDT_Entry
Source
<xs:element name="IDT" type="WinKernelObj:IDTEntryListType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The IDT field characterizes the Windows Interrupt Descriptor Table (IDT).</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinKernelObj:IDTEntryListType / WinKernelObj:IDT_Entry
Namespace http://cybox.mitre.org/objects#WinKernelObject-2
Annotations
Specifies an entry in the Interrupt Descriptor Table.
Type WinKernelObj:IDTEntryType
Children WinKernelObj:Offset_High, WinKernelObj:Offset_Low, WinKernelObj:Offset_Middle, WinKernelObj:Selector, WinKernelObj:Type_Attr
Source
<xs:element name="IDT_Entry" type="WinKernelObj:IDTEntryType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>Specifies an entry in the Interrupt Descriptor Table.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinKernelObj:IDTEntryType / WinKernelObj:Type_Attr
Namespace http://cybox.mitre.org/objects#WinKernelObject-2
Annotations
A byte that encodes the gate type and interrupt attributes (e.g., the Descriptor Privilege Level).
Type HexBinaryObjectPropertyType
Source
<xs:element name="Type_Attr" type="cyboxCommon:HexBinaryObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>A byte that encodes the gate type and interrupt attributes (e.g., the Descriptor Privilege Level).</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinKernelObj:IDTEntryType / WinKernelObj:Offset_High
Namespace http://cybox.mitre.org/objects#WinKernelObject-2
Annotations
Higher part of the interrupt function's offset address (bits 16-31 in 32-bit, bits 32-63 in 64-bit).
Type HexBinaryObjectPropertyType
Source
<xs:element name="Offset_High" type="cyboxCommon:HexBinaryObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Higher part of the interrupt function's offset address (bits 16-31 in 32-bit, bits 32-63 in 64-bit).</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinKernelObj:IDTEntryType / WinKernelObj:Offset_Low
Namespace http://cybox.mitre.org/objects#WinKernelObject-2
Annotations
Lower part of the interrupt function's offset address (bits 0-15).
Type HexBinaryObjectPropertyType
Source
<xs:element name="Offset_Low" type="cyboxCommon:HexBinaryObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Lower part of the interrupt function's offset address (bits 0-15).</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinKernelObj:IDTEntryType / WinKernelObj:Offset_Middle
Namespace http://cybox.mitre.org/objects#WinKernelObject-2
Annotations
In 64-bit architectures, middle part of the interrupt function's offset address (bits 16-31).
Type HexBinaryObjectPropertyType
Source
<xs:element name="Offset_Middle" type="cyboxCommon:HexBinaryObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>In 64-bit architectures, middle part of the interrupt function's offset address (bits 16-31).</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinKernelObj:IDTEntryType / WinKernelObj:Selector
Namespace http://cybox.mitre.org/objects#WinKernelObject-2
Annotations
A 16-bit code segment selector that indexes a code segment descriptor in the Global Descriptor Table (GDT).
Type HexBinaryObjectPropertyType
Source
<xs:element name="Selector" type="cyboxCommon:HexBinaryObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>A 16-bit code segment selector that indexes a code segment descriptor in the Global Descriptor Table (GDT).</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinKernelObj:WindowsKernelObjectType / WinKernelObj:SSDT
Namespace http://cybox.mitre.org/objects#WinKernelObject-2
Annotations
The SSDT field characterizes the Windows System Service Descriptor Table (SSDT). The SSDT is the structure the kernel uses to dispatch system service (system call) functions. KeServiceDescriptorTable is a table exported by the kernel that contains four descriptor entries, each describing one SSDT: one for the native API, one for user/GDI support, one for IIS SPUD (in Windows 2000), and one unused. See http://www.honeynet.org/node/438; Sven Boris Schreiber, Undocumented Windows 2000 Secrets (http://undocumented.rawol.com/sbs-w2k-2-the-windows-2000-native-api.pdf); Greg Hoglund and James Butler, Rootkits: Subverting the Windows Kernel.
Type WinKernelObj:SSDTEntryListType
Children WinKernelObj:SSDT_Entry
Source
<xs:element name="SSDT" type="WinKernelObj:SSDTEntryListType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The SSDT field characterizes the Windows System Service Descriptor Table (SSDT). The SSDT is the structure the kernel uses to dispatch system service (system call) functions. KeServiceDescriptorTable is a table exported by the kernel that contains four descriptor entries, each describing one SSDT: one for the native API, one for user/GDI support, one for IIS SPUD (in Windows 2000), and one unused. See http://www.honeynet.org/node/438; Sven Boris Schreiber, Undocumented Windows 2000 Secrets (http://undocumented.rawol.com/sbs-w2k-2-the-windows-2000-native-api.pdf); Greg Hoglund and James Butler, Rootkits: Subverting the Windows Kernel.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinKernelObj:SSDTEntryListType / WinKernelObj:SSDT_Entry
Namespace http://cybox.mitre.org/objects#WinKernelObject-2
Annotations
Specifies an entry in the System Service Descriptor Table.
Type WinKernelObj:SSDTEntryType
Children WinKernelObj:Argument_Table_Base, WinKernelObj:Number_Of_Services, WinKernelObj:Service_Counter_Table_Base, WinKernelObj:Service_Table_Base
Attributes
QName Type Use Annotation
hooked xs:boolean optional
The hooked attribute specifies whether the SSDT entry is hooked.
Source
<xs:element name="SSDT_Entry" type="WinKernelObj:SSDTEntryType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>Specifies an entry in the System Service Descriptor Table.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinKernelObj:SSDTEntryType / WinKernelObj:Service_Table_Base
Namespace http://cybox.mitre.org/objects#WinKernelObject-2
Annotations
Pointer to the system service dispatch table, an array of function addresses which is indexed by the system call number.
Type HexBinaryObjectPropertyType
Source
<xs:element name="Service_Table_Base" type="cyboxCommon:HexBinaryObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Pointer to the system service dispatch table, an array of function addresses which is indexed by the system call number.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinKernelObj:SSDTEntryType / WinKernelObj:Service_Counter_Table_Base
Namespace http://cybox.mitre.org/objects#WinKernelObject-2
Annotations
Pointer to an array of usage counters.
Type HexBinaryObjectPropertyType
Source
<xs:element name="Service_Counter_Table_Base" type="cyboxCommon:HexBinaryObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Pointer to an array of usage counters.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinKernelObj:SSDTEntryType / WinKernelObj:Number_Of_Services
Namespace http://cybox.mitre.org/objects#WinKernelObject-2
Annotations
Number of entries in the system service dispatch table.
Type NonNegativeIntegerObjectPropertyType
Source
<xs:element name="Number_Of_Services" type="cyboxCommon:NonNegativeIntegerObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Number of entries in the system service dispatch table.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinKernelObj:SSDTEntryType / WinKernelObj:Argument_Table_Base
Namespace http://cybox.mitre.org/objects#WinKernelObject-2
Annotations
Pointer to an array of bytes, which indicate the number of bytes used by the function's arguments.
Type HexBinaryObjectPropertyType
Source
<xs:element name="Argument_Table_Base" type="cyboxCommon:HexBinaryObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Pointer to an array of bytes, which indicate the number of bytes used by the function's arguments.</xs:documentation>
  </xs:annotation>
</xs:element>
Complex Type WinKernelObj:WindowsKernelObjectType
Namespace http://cybox.mitre.org/objects#WinKernelObject-2
Annotations
The WindowsKernelObjectType type is intended to characterize Windows Kernel structures.
Type extension of ObjectPropertiesType
Children WinKernelObj:IDT, WinKernelObj:SSDT
Source
<xs:complexType name="WindowsKernelObjectType">
  <xs:annotation>
    <xs:documentation>The WindowsKernelObjectType type is intended to characterize Windows Kernel structures.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="cyboxCommon:ObjectPropertiesType">
      <xs:sequence>
        <xs:element name="IDT" type="WinKernelObj:IDTEntryListType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The IDT field characterizes the Windows Interrupt Descriptor Table (IDT).</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="SSDT" type="WinKernelObj:SSDTEntryListType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The SSDT field characterizes the Windows System Service Descriptor Table (SSDT). The SSDT is the structure the kernel uses to dispatch system service (system call) functions. KeServiceDescriptorTable is a table exported by the kernel that contains four descriptor entries, each describing one SSDT: one for the native API, one for user/GDI support, one for IIS SPUD (in Windows 2000), and one unused. See http://www.honeynet.org/node/438; Sven Boris Schreiber, Undocumented Windows 2000 Secrets (http://undocumented.rawol.com/sbs-w2k-2-the-windows-2000-native-api.pdf); Greg Hoglund and James Butler, Rootkits: Subverting the Windows Kernel.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type WinKernelObj:IDTEntryListType
Namespace http://cybox.mitre.org/objects#WinKernelObject-2
Annotations
The IDTEntryListType type specifies a listing of the entries in the Interrupt Descriptor Table (IDT). The IDT is specific to the x86 architecture (IA-32 and x86-64), indicating where the protected-mode (or long-mode) Interrupt Service Routines (ISRs) are located. See http://wiki.osdev.org/Interrupt_Descriptor_Table.
Children WinKernelObj:IDT_Entry
Source
<xs:complexType name="IDTEntryListType">
  <xs:annotation>
    <xs:documentation>The IDTEntryListType type specifies a listing of the entries in the Interrupt Descriptor Table (IDT). The IDT is specific to the x86 architecture (IA-32 and x86-64), indicating where the protected-mode (or long-mode) Interrupt Service Routines (ISRs) are located. See http://wiki.osdev.org/Interrupt_Descriptor_Table.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="IDT_Entry" type="WinKernelObj:IDTEntryType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>Specifies an entry in the Interrupt Descriptor Table.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type WinKernelObj:IDTEntryType
Namespace http://cybox.mitre.org/objects#WinKernelObject-2
Annotations
The IDTEntryType type specifies a single entry in the Interrupt Descriptor Table (IDT). Entries can be interrupt gates, task gates, and trap gates.
Children WinKernelObj:Offset_High, WinKernelObj:Offset_Low, WinKernelObj:Offset_Middle, WinKernelObj:Selector, WinKernelObj:Type_Attr
Source
<xs:complexType name="IDTEntryType">
  <xs:annotation>
    <xs:documentation>The IDTEntryType type specifies a single entry in the Interrupt Descriptor Table (IDT). Entries can be interrupt gates, task gates, and trap gates.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Type_Attr" type="cyboxCommon:HexBinaryObjectPropertyType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>A byte that encodes the gate type and interrupt attributes (e.g., the Descriptor Privilege Level).</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Offset_High" type="cyboxCommon:HexBinaryObjectPropertyType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Higher part of the interrupt function's offset address (bits 16-31 in 32-bit, bits 32-63 in 64-bit).</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Offset_Low" type="cyboxCommon:HexBinaryObjectPropertyType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Lower part of the interrupt function's offset address (bits 0-15).</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Offset_Middle" type="cyboxCommon:HexBinaryObjectPropertyType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>In 64-bit architectures, middle part of the interrupt function's offset address (bits 16-31).</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Selector" type="cyboxCommon:HexBinaryObjectPropertyType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>A 16-bit code segment selector that indexes a code segment descriptor in the Global Descriptor Table (GDT).</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
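Worked example (added here; it is not part of the CybOX schema or of any CybOX reference implementation): the five IDTEntryType fields map directly onto the bit layout of an x86 gate descriptor, so a memory-forensics tool fills them by unpacking the raw descriptor bytes. The Python below decodes a 16-byte x86-64 gate (and the 8-byte IA-32 form), returns the fields under their schema names as the uppercase hex strings a HexBinaryObjectPropertyType carries, reassembles the handler address from Offset_Low/Offset_Middle/Offset_High, and applies the checks an analyst would run before recording the entry: is the handler inside the kernel image, is the DPL 3 on a vector user mode should not be able to raise, is the selector RPL 0. The descriptor bytes, the kernel image bounds and the set of user-invocable vectors are constructed sample values and assumptions, not taken from a real dump; `idt_entry_is_suspicious` and its heuristics are this example's own and are not defined by the schema.

```python
"""Decode raw x86 IDT gate descriptors into IDTEntryType fields (example code, not CybOX's)."""
import struct

# Gate types carried in the low nibble of Type_Attr (Intel SDM Vol. 3A system-descriptor types)
GATE_TYPES = {0x5: "task gate", 0x6: "16-bit interrupt gate", 0x7: "16-bit trap gate",
              0xE: "interrupt gate", 0xF: "trap gate"}


def describe_type_attr(type_attr: int) -> dict:
    """Type_Attr layout: P (bit 7) | DPL (bits 6:5) | S (bit 4, 0 for system descriptors) | type (bits 3:0)."""
    return {"present": bool(type_attr & 0x80),
            "dpl": (type_attr >> 5) & 0x3,
            "gate_type": GATE_TYPES.get(type_attr & 0xF, "reserved")}


def parse_idt_gate(raw: bytes, bits: int = 64) -> dict:
    """Unpack one gate descriptor. Keys match the schema element names; values are the uppercase
    hex strings a cyboxCommon:HexBinaryObjectPropertyType carries. 'handler' is the reassembled
    ISR address."""
    if bits == 64:
        if len(raw) != 16:
            raise ValueError("x86-64 gate descriptors are 16 bytes")
        # offset[15:0], selector, IST (low 3 bits), type_attr, offset[31:16], offset[63:32], reserved
        off_low, selector, _ist, type_attr, off_mid, off_high, _rsv = struct.unpack("<HHBBHII", raw)
        handler = (off_high << 32) | (off_mid << 16) | off_low
        entry = {"Type_Attr": f"{type_attr:02X}", "Offset_High": f"{off_high:08X}",
                 "Offset_Low": f"{off_low:04X}", "Offset_Middle": f"{off_mid:04X}",
                 "Selector": f"{selector:04X}"}
    elif bits == 32:
        if len(raw) != 8:
            raise ValueError("IA-32 gate descriptors are 8 bytes")
        # offset[15:0], selector, reserved, type_attr, offset[31:16] (no Offset_Middle on IA-32)
        off_low, selector, _rsv, type_attr, off_high = struct.unpack("<HHBBH", raw)
        handler = (off_high << 16) | off_low
        entry = {"Type_Attr": f"{type_attr:02X}", "Offset_High": f"{off_high:04X}",
                 "Offset_Low": f"{off_low:04X}", "Selector": f"{selector:04X}"}
    else:
        raise ValueError("bits must be 32 or 64")
    entry["handler"] = handler
    entry["selector_rpl"] = selector & 0x3  # requested privilege level in the selector's low 2 bits
    entry.update(describe_type_attr(type_attr))
    return entry


# Assumed set of vectors that ring 3 may legitimately raise on Windows (#BP, #OF, the assertion and
# debug services, the legacy IA-32 int 0x2E system call); adjust for the Windows version analysed.
USER_INVOCABLE_VECTORS = {3, 4, 0x2C, 0x2D, 0x2E}


def idt_entry_is_suspicious(entry: dict, kernel_range: tuple, vector: int) -> list:
    """Example heuristics (not defined by the schema). kernel_range is the (start, end) of the
    mapped ntoskrnl image, which a real tool reads from the loaded-module list of the dump."""
    findings = []
    if not entry["present"]:
        return findings
    if not (kernel_range[0] <= entry["handler"] < kernel_range[1]):
        findings.append("handler outside kernel image (possible IDT hook)")
    if entry["dpl"] == 3 and vector not in USER_INVOCABLE_VECTORS:
        findings.append("DPL 3 on a vector user mode should not be able to raise")
    if entry["selector_rpl"] != 0:
        findings.append("code selector RPL is not 0")
    return findings


# Constructed samples (not from a real dump)
SAMPLE_KERNEL_RANGE = (0xFFFFF80012000000, 0xFFFFF80012800000)
# present, DPL 0, 64-bit interrupt gate; handler 0xFFFFF80012345678 via selector 0x10
SAMPLE_GATE_64 = struct.pack("<HHBBHII", 0x5678, 0x0010, 0, 0x8E, 0x1234, 0xFFFFF800, 0)
# same layout, but DPL 3 and the handler moved outside the kernel image
SAMPLE_GATE_64_HOOKED = struct.pack("<HHBBHII", 0x0000, 0x0010, 0, 0xEE, 0x0000, 0xFFFFF801, 0)
# IA-32 form: handler 0x80505678 via selector 0x08
SAMPLE_GATE_32 = struct.pack("<HHBBH", 0x5678, 0x0008, 0, 0x8E, 0x8050)

if __name__ == "__main__":
    for name, raw, vec in (("clean", SAMPLE_GATE_64, 0x0E), ("hooked", SAMPLE_GATE_64_HOOKED, 0x2F)):
        e = parse_idt_gate(raw, 64)
        fields = {k: e[k] for k in ("Type_Attr", "Offset_High", "Offset_Low", "Offset_Middle", "Selector")}
        print(name, fields, hex(e["handler"]), idt_entry_is_suspicious(e, SAMPLE_KERNEL_RANGE, vec))
```

The returned dict can be written straight into an IDT_Entry element; a descriptor whose handler is outside ntoskrnl is the case the schema's IDT listing exists to record, so the findings list is what an analyst would carry into the observable's description.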
Complex Type WinKernelObj:SSDTEntryListType
Namespace http://cybox.mitre.org/objects#WinKernelObject-2
Annotations
The SSDTEntryListType type specifies a listing of the entries in the System Service Descriptor Table (SSDT).
Children WinKernelObj:SSDT_Entry
Source
<xs:complexType name="SSDTEntryListType">
  <xs:annotation>
    <xs:documentation>The SSDTEntryListType type specifies a listing of the entries in the System Service Descriptor Table (SSDT).</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="SSDT_Entry" type="WinKernelObj:SSDTEntryType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>Specifies an entry in the System Service Descriptor Table.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type WinKernelObj:SSDTEntryType
Namespace http://cybox.mitre.org/objects#WinKernelObject-2
Annotations
The SSDTEntryType type specifies a single entry in the System Service Descriptor Table (SSDT).
Children WinKernelObj:Argument_Table_Base, WinKernelObj:Number_Of_Services, WinKernelObj:Service_Counter_Table_Base, WinKernelObj:Service_Table_Base
Attributes
QName Type Use Annotation
hooked xs:boolean optional
The hooked attribute specifies whether the SSDT entry is hooked.
Source
<xs:complexType name="SSDTEntryType">
  <xs:annotation>
    <xs:documentation>The SSDTEntryType type specifies a single entry in the System Service Descriptor Table (SSDT).</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Service_Table_Base" type="cyboxCommon:HexBinaryObjectPropertyType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Pointer to the system service dispatch table, an array of function addresses which is indexed by the system call number.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Service_Counter_Table_Base" type="cyboxCommon:HexBinaryObjectPropertyType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Pointer to an array of usage counters.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Number_Of_Services" type="cyboxCommon:NonNegativeIntegerObjectPropertyType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Number of entries in the system service dispatch table.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Argument_Table_Base" type="cyboxCommon:HexBinaryObjectPropertyType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Pointer to an array of bytes, which indicate the number of bytes used by the function's arguments.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="hooked" type="xs:boolean">
    <xs:annotation>
      <xs:documentation>The hooked attribute specifies whether the SSDT entry is hooked.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
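Worked example for the SSDT_Entry fields and the hooked attribute, and for assembling the Windows_Kernel object as a whole (added here; this is not the schema's or the CybOX project's code): each SSDT_Entry mirrors one descriptor of KeServiceDescriptorTable, so a tool populates it from the descriptor's four members. The Python below takes constructed descriptor values, sets hooked="true" when any of a descriptor's table pointers falls outside the image that legitimately owns that table (ntoskrnl for the native table, win32k for user/GDI; the image bounds are sample values an analyst would read from the dump's module list), skips the empty descriptor slots, and emits the element in the schema's sequence order with xml.etree. The owner labels, the `ssdt_entry_hooked` heuristic and all addresses are this example's own assumptions.

```python
"""Emit a CybOX 2 Windows_Kernel object from KeServiceDescriptorTable descriptors (example code)."""
import xml.etree.ElementTree as ET

NS = "http://cybox.mitre.org/objects#WinKernelObject-2"
ET.register_namespace("WinKernelObj", NS)


def tag(name: str) -> str:
    """Clark-notation name for an element in the WinKernelObj namespace."""
    return f"{{{NS}}}{name}"


# Child order is fixed by the schema's xs:sequence; ElementTree preserves insertion order.
SSDT_FIELDS = ("Service_Table_Base", "Service_Counter_Table_Base", "Number_Of_Services", "Argument_Table_Base")
IDT_FIELDS = ("Type_Attr", "Offset_High", "Offset_Low", "Offset_Middle", "Selector")


def ssdt_entry_hooked(entry: dict, image_ranges: dict) -> bool:
    """Example heuristic (not part of the schema): a descriptor is hooked when one of its table
    pointers lies outside the image that should own the table. Service_Counter_Table_Base is NULL
    on free builds, so a zero pointer is not evidence of anything."""
    lo, hi = image_ranges[entry["owner"]]
    for key in ("Service_Table_Base", "Service_Counter_Table_Base", "Argument_Table_Base"):
        ptr = entry[key]
        if ptr != 0 and not (lo <= ptr < hi):
            return True
    return False


def build_windows_kernel(ssdt_entries, image_ranges, idt_entries=()) -> str:
    """Return the Windows_Kernel element as text. idt_entries are dicts already keyed by the
    IDTEntryType element names (hex strings); ssdt_entries carry raw descriptor values."""
    root = ET.Element(tag("Windows_Kernel"))
    if idt_entries:  # IDT precedes SSDT in WindowsKernelObjectType's sequence
        idt = ET.SubElement(root, tag("IDT"))
        for fields in idt_entries:
            e = ET.SubElement(idt, tag("IDT_Entry"))
            for name in IDT_FIELDS:
                if name in fields:
                    ET.SubElement(e, tag(name)).text = fields[name]
    ssdt = ET.SubElement(root, tag("SSDT"))
    for entry in ssdt_entries:
        if entry["Number_Of_Services"] == 0:
            continue  # unused descriptor slot: nothing to characterize
        e = ET.SubElement(ssdt, tag("SSDT_Entry"))
        e.set("hooked", "true" if ssdt_entry_hooked(entry, image_ranges) else "false")
        for name in SSDT_FIELDS:
            value = entry[name]
            # xs:hexBinary needs an even number of hex digits: 64-bit pointers become 16 digits
            ET.SubElement(e, tag(name)).text = str(value) if name == "Number_Of_Services" else f"{value:016X}"
    return ET.tostring(root, encoding="unicode")


def summarize(xml_text: str) -> list:
    """Parse an emitted Windows_Kernel back and return (hooked, Number_Of_Services) per SSDT_Entry."""
    root = ET.fromstring(xml_text)
    return [(e.get("hooked") == "true", int(e.findtext(tag("Number_Of_Services"))))
            for e in root.iter(tag("SSDT_Entry"))]


# Constructed sample values (not from a real system); image bounds would come from the module list.
SAMPLE_IMAGE_RANGES = {
    "ntoskrnl": (0xFFFFF80012000000, 0xFFFFF80012800000),
    "win32k":   (0xFFFFF96000000000, 0xFFFFF96000400000),
}
SAMPLE_SSDT = [
    # native table: Service_Table_Base redirected outside ntoskrnl, the classic rootkit hook
    {"owner": "ntoskrnl", "Service_Table_Base": 0xFFFFF88004A10000, "Service_Counter_Table_Base": 0,
     "Number_Of_Services": 0x1A7, "Argument_Table_Base": 0xFFFFF80012234F00},
    # user/GDI table owned by win32k: every pointer inside the image
    {"owner": "win32k", "Service_Table_Base": 0xFFFFF9600010A000, "Service_Counter_Table_Base": 0,
     "Number_Of_Services": 0x4BB, "Argument_Table_Base": 0xFFFFF9600010C000},
    # the remaining two descriptor slots are empty
    {"owner": "ntoskrnl", "Service_Table_Base": 0, "Service_Counter_Table_Base": 0,
     "Number_Of_Services": 0, "Argument_Table_Base": 0},
    {"owner": "ntoskrnl", "Service_Table_Base": 0, "Service_Counter_Table_Base": 0,
     "Number_Of_Services": 0, "Argument_Table_Base": 0},
]
SAMPLE_IDT = [{"Type_Attr": "8E", "Offset_High": "FFFFF800", "Offset_Low": "5678",
               "Offset_Middle": "1234", "Selector": "0010"}]

if __name__ == "__main__":
    print(build_windows_kernel(SAMPLE_SSDT, SAMPLE_IMAGE_RANGES, SAMPLE_IDT))
```

In a complete CybOX observable this element is carried as the cybox:Properties of a cybox:Object with xsi:type="WinKernelObj:WindowsKernelObjectType"; that wrapper is left out above. The check here is descriptor-level only, which is all SSDTEntryType models: on x86-64 the dispatch table behind Service_Table_Base holds offsets relative to the table base rather than absolute pointers, so a per-service hook check needs a decoding step that this example does not include.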
Attribute WinKernelObj:SSDTEntryType / @hooked
Namespace No namespace
Annotations
The hooked attribute specifies whether the SSDT entry is hooked.
Type xs:boolean
Source
<xs:attribute name="hooked" type="xs:boolean">
  <xs:annotation>
    <xs:documentation>The hooked attribute specifies whether the SSDT entry is hooked.</xs:documentation>
  </xs:annotation>
</xs:attribute>