-
Notifications
You must be signed in to change notification settings - Fork 0
Proposal: Add New Windows Hook Object
Status: Closed
Comment Period Closes: 12/19/2013
Affects Backwards Compatibility: No
Relevant Issue: https://github.com/CybOXProject/schemas/issues/146
Windows has a specific type of hook procedure that can be installed for hooking different types of events in a process. Having a standard representation of this hook can be useful for characterizing malware behavior, especially related to such functionality as keylogging.
We propose the creation of a new Object capable of characterizing Windows hook procedures. This Object will contain the fields in the root-level WindowsHookObjectType
:
Field | Type | Description |
---|---|---|
Type | WinHookObj:WinHookObjectType |
The Type field specifies the type (i.e. WH_) of the Windows hook procedure, which refers to the type of event that the hook will intercept. |
Handle | WinHandleObj:WindowsHandleObjectType |
The Handle field specifies the handle associated with the Windows hook procedure. It uses the WindowsHandleObjectType type from the imported CybOX Windows Handle object. |
Hooking_Function_Name | cyboxCommon:StringObjectPropertyType |
The Hooking_Function_Name field specifies the name of the hooking function used by the Windows hook procedure. |
Hooking_Module | LibraryObj:LibraryObjectType |
The Hooking_Module field specifies the properties of the module that contains the hooking function used in the Windows hook procedure that is specified in the Hooking_Function_Name field. It uses the LibraryObjectType from the imported CybOX Library Object. |
Thread_ID | cyboxCommon:NonNegativeIntegerObjectPropertyType |
The Thread_ID field specifies the ID of the thread associated with the Windows procedure, if applicable. |
The WinHookObj:WinHookObjectType
is a union of the base xs:string
type and the WinHookTypeEnum
. The WinHookTypeEnum
is intended to enumerate possible types of Windows hook procedure types and thus contains the following values:
Value | Description |
---|---|
WH_CALLWNDPROC | Specifies a hook procedure that monitors messages before the system sends them to the destination window procedure. |
WH_CALLWNDPROCRET | Specifies a hook procedure that monitors messages after they have been processed by the destination window procedure. |
WH_CBT | Specifies a hook procedure that receives notifications useful to a CBT application. |
WH_DEBUG | Specifies a hook procedure useful for debugging other hook procedures. |
WH_FOREGROUNDIDLE | Specifies a hook procedure that will be called when the application's foreground thread is about to become idle. |
WH_GETMESSAGE | Specifies a hook procedure that monitors messages posted to a message queue. |
WH_JOURNALPLAYBACK | Specifies a hook procedure that posts messages previously recorded by a WH_JOURNALRECORD hook procedure. |
WH_JOURNALRECORD | Specifies a hook procedure that records input messages posted to the system message queue. |
WH_KEYBOARD | Specifies a hook procedure that monitors keystroke messages. |
WH_KEYBOARD_LL | Specifies a hook procedure that monitors low-level keyboard input events. |
WH_MOUSE | Specifies a hook procedure that monitors mouse messages. |
WH_MOUSE_LL | Specifies a hook procedure that monitors low-level mouse input events. |
WH_MSGFILTER | Specifies a hook procedure that monitors messages generated as a result of an input event in a dialog box, message box, menu, or scroll bar. |
WH_SHELL | Specifies a hook procedure that receives notifications useful to shell applications. |
WH_SYSMSGFILTER | Specifies a hook procedure that monitors messages generated as a result of an input event in a dialog box, message box, menu, or scroll bar. |
For the full proposed schema, please see: https://github.com/ikiril01/schemas/blob/issue_146/objects/Win_Hook_Object.xsd.
There is no expected compatibility impact.
- Does it make sense to add such an object to CybOX?
- Are there any fields we should add to the
WindowsHookObjectType
? Should we change any of the types used to capture the fields we've defined? - Are there any values we should add to the
WinHookTypeEnum
?