Proposal: Add New Windows Filemapping Object
Status: Open
Comment Period Closes: 12/19/2013
Affects Backwards Compatibility: No
Relevant Issue: https://github.com/CybOXProject/schemas/issues/102
Windows has the capability to create unique entities that represent files that are mapped into memory. Having a standard representation of these entities can be useful for accurately characterizing how malware may interact with files and their memory-mapped images on a Windows system.
We propose the creation of a new Object capable of characterizing Windows file mapping objects. This Object will contain the following fields in the root-level WindowsFilemappingObjectType:
Field | Type | Description
---|---|---
Name | cyboxCommon:StringObjectPropertyType | The Name field specifies the name of the file mapping.
File_Handle | WinHandleObj:WindowsHandleObjectType | The File_Handle field specifies the Windows handle to the file from which the file mapping was created. It uses the WindowsHandleObjectType from the imported CybOX Windows Handle Object.
Handle | WinHandleObj:WindowsHandleObjectType | The Handle field specifies the Windows handle to the file mapping itself. It uses the WindowsHandleObjectType from the imported CybOX Windows Handle Object.
Page_Protection_Value | WinFilemappingObj:PageProtectionValueType | The Page_Protection_Value field specifies the page protection value (i.e., a PAGE_* constant) specified for the file mapping. Exactly one such value applies to a file mapping.
Page_Protection_Attribute | WinFilemappingObj:PageProtectionAttributeType | The Page_Protection_Attribute field specifies a page protection attribute (i.e., a SEC_* constant) used in combination with the page protection value captured in the Page_Protection_Value field. One or more such attributes can be specified using this field, so it has a multiplicity of 0-N.
Maximum_Size | cyboxCommon:UnsignedLongObjectPropertyType | The Maximum_Size field specifies the maximum allowed size for the file mapping, in bytes. This value is typically specified when the file mapping is created.
Actual_Size | cyboxCommon:UnsignedLongObjectPropertyType | The Actual_Size field captures the actual size of the file mapping, in bytes.
Security_Attributes | cyboxCommon:StringObjectPropertyType | The Security_Attributes field specifies the Windows security attributes for the file mapping.
The WinFileMappingObj:PageProtectionValueType is a union of the base xs:string type and the PageProtectionValueEnum. The PageProtectionValueEnum is intended to enumerate Windows file mapping page protection value types and thus contains the following values:
Value | Description |
---|---|
PAGE_EXECUTE_READ | Specifies that the mapped view of the file represented by the file mapping can be mapped for read-only, copy-on-write, or execute access. |
PAGE_EXECUTE_READWRITE | Specifies that the mapped view of the file represented by the file mapping can be mapped for read-only, copy-on-write, read/write, or execute access. |
PAGE_EXECUTE_WRITECOPY | Specifies that the mapped view of the file represented by the file mapping can be mapped for read-only, copy-on-write, or execute access. This value is equivalent to PAGE_EXECUTE_READ. |
PAGE_READONLY | Specifies that the mapped view of the file represented by the file mapping can be mapped for read-only or copy-on-write access. |
PAGE_READWRITE | Specifies that the mapped view of the file represented by the file mapping can be mapped for read-only, copy-on-write, or read/write access. |
PAGE_WRITECOPY | Specifies that the mapped view of the file represented by the file mapping can be mapped for read-only or copy-on-write access. This value is equivalent to PAGE_READONLY. |
The WinFileMappingObj:PageProtectionAttributeType is a union of the base xs:string type and the PageProtectionAttributeEnum. The PageProtectionAttributeEnum is intended to enumerate Windows file mapping page protection attribute types and thus contains the following values:
Value | Description |
---|---|
SEC_COMMIT | Specifies that if the file mapping is backed by the operating system paging file, that when a view of the file is mapped into a process address space, the entire range of pages is committed rather than reserved. |
SEC_IMAGE | Specifies that the file mapped by the file mapping is an executable image file. |
SEC_IMAGE_NO_EXECUTE | Specifies that the file mapped by the file mapping is an executable image file that will not be executed and the loaded image file will have no forced integrity checks run. |
SEC_LARGE_PAGES | Enables large pages to be used for file mapping objects that are backed by the operating system paging file. |
SEC_NOCACHE | Sets all pages to be non-cachable. |
SEC_RESERVE | Specifies that when a view of the file is mapped into a process address space, the entire range of pages is reserved for later use by the process rather than committed. Only valid if the file mapping is backed by the operating system paging file. |
SEC_WRITECOMBINE | Sets all pages to be write-combined. |
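A worked example of how the two protection fields relate to what a sandbox or API monitor actually records, added here as illustration and not part of the proposal or of the CybOX project's own code: on Windows the page protection value and the SEC_* attributes are passed to CreateFileMapping together as a single flProtect DWORD, so a producer has to split that DWORD into one Page_Protection_Value and zero or more Page_Protection_Attribute elements. The catch is SEC_IMAGE_NO_EXECUTE, which winnt.h defines as SEC_IMAGE | SEC_NOCACHE, so a naive bit-by-bit decode would emit two wrong attributes instead of the right one. The numeric constants are from winnt.h; the namespace URIs for the proposed object and the handle object, and the use of the handle object's ID child, are assumptions (the proposal does not state them); the sample handle values and mapping name are constructed.

```python
"""Added example: split a CreateFileMapping flProtect value into the
proposed Page_Protection_Value / Page_Protection_Attribute fields and
emit a WindowsFilemappingObjectType instance with ElementTree."""
import xml.etree.ElementTree as ET

# Numeric constants from winnt.h. Exactly one PAGE_* value is allowed;
# it occupies the low byte of flProtect.
PAGE_PROTECTION_VALUES = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_VALUE_MASK = 0xFF

# SEC_* attributes (0-N of these may be OR'ed in). SEC_IMAGE_NO_EXECUTE is
# defined as SEC_IMAGE | SEC_NOCACHE, so it must be matched before either of
# its components: the list is checked in order and matched bits are consumed.
SEC_ATTRIBUTES = [
    (0x11000000, "SEC_IMAGE_NO_EXECUTE"),
    (0x01000000, "SEC_IMAGE"),
    (0x04000000, "SEC_RESERVE"),
    (0x08000000, "SEC_COMMIT"),
    (0x10000000, "SEC_NOCACHE"),
    (0x40000000, "SEC_WRITECOMBINE"),
    (0x80000000, "SEC_LARGE_PAGES"),
]

# Namespace URIs. cybox/xsi are the CybOX 2.x ones; the object and handle
# namespaces are ASSUMED here because the proposal does not state them.
CYBOX_NS = "http://cybox.mitre.org/cybox-2"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
WFM_NS = "http://cybox.mitre.org/objects#WinFilemappingObject-1"  # assumed
WH_NS = "http://cybox.mitre.org/objects#WinHandleObject-2"         # assumed
for _prefix, _uri in (("cybox", CYBOX_NS), ("xsi", XSI_NS),
                      ("WinFilemappingObj", WFM_NS), ("WinHandleObj", WH_NS)):
    ET.register_namespace(_prefix, _uri)


def q(ns, tag):
    """Clark-notation qualified name for ElementTree."""
    return "{%s}%s" % (ns, tag)


def decode_protection(fl_protect):
    """Return (Page_Protection_Value, [Page_Protection_Attribute, ...]) for a
    raw flProtect DWORD, rejecting combinations the two enums cannot express."""
    page_bits = fl_protect & PAGE_VALUE_MASK
    if page_bits not in PAGE_PROTECTION_VALUES:
        raise ValueError("no single PAGE_* value in 0x%08x" % fl_protect)
    value = PAGE_PROTECTION_VALUES[page_bits]
    remaining = fl_protect & ~PAGE_VALUE_MASK
    attributes = []
    for bits, name in SEC_ATTRIBUTES:
        if (remaining & bits) == bits:
            attributes.append(name)
            remaining &= ~bits  # consume, so SEC_IMAGE_NO_EXECUTE hides its parts
    if remaining:
        raise ValueError("unknown SEC_* bits 0x%08x in 0x%08x" % (remaining, fl_protect))
    return value, attributes


def build_properties(name, fl_protect, maximum_size,
                     file_handle_id=None, handle_id=None, actual_size=None):
    """Build a cybox:Properties element typed as WindowsFilemappingObjectType.
    Children follow the field order of the proposal; handles are expressed
    through the Windows Handle Object's ID child (assumed field name)."""
    value, attributes = decode_protection(fl_protect)
    props = ET.Element(q(CYBOX_NS, "Properties"),
                       {q(XSI_NS, "type"): "WinFilemappingObj:WindowsFilemappingObjectType"})
    if name is not None:
        ET.SubElement(props, q(WFM_NS, "Name")).text = name
    for tag, hid in (("File_Handle", file_handle_id), ("Handle", handle_id)):
        if hid is not None:
            handle = ET.SubElement(props, q(WFM_NS, tag))
            ET.SubElement(handle, q(WH_NS, "ID")).text = str(hid)
    ET.SubElement(props, q(WFM_NS, "Page_Protection_Value")).text = value
    for attr in attributes:  # multiplicity 0-N: one element per attribute
        ET.SubElement(props, q(WFM_NS, "Page_Protection_Attribute")).text = attr
    ET.SubElement(props, q(WFM_NS, "Maximum_Size")).text = str(maximum_size)
    if actual_size is not None:
        ET.SubElement(props, q(WFM_NS, "Actual_Size")).text = str(actual_size)
    return props


def to_xml(props):
    return ET.tostring(props, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample: a loader mapping a PE with PAGE_EXECUTE_READ |
    # SEC_IMAGE_NO_EXECUTE, as an API monitor might log CreateFileMapping.
    sample = build_properties(r"Local\SampleMap", 0x11000020, 0x20000,
                              file_handle_id=0x1C8, handle_id=0x1CC)
    print(to_xml(sample))
```

Because the decoder consumes matched bits in table order, 0x11000020 yields a single SEC_IMAGE_NO_EXECUTE attribute while 0x01000020 yields SEC_IMAGE alone, and any bit outside the enums (or a missing PAGE_* value) is rejected rather than silently dropped, which is the behaviour you want from a producer feeding the xs:string side of the union only on purpose.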
For the full proposed schema, please see: https://github.com/ikiril01/schemas/blob/issue_102/objects/Win_Filemapping_Object.xsd.
There is no expected compatibility impact.
- Does it make sense to add such an object to CybOX?
- Are there any fields we should add to the WindowsFilemappingObjectType? Should we change any of the types used to capture the fields we've defined?
- Are there any values we should add to the PageProtectionValueEnum?
- Are there any values we should add to the PageProtectionAttributeEnum?