
Proposal: Add New Windows Filemapping Object

Ivan Kirillov edited this page Dec 11, 2013 · 5 revisions

Status: Unreleased
Comment Period Closes:
Affects Backwards Compatibility: No
Relevant Issue: https://github.com/CybOXProject/schemas/issues/102

Background Information

Windows has the capability to create unique entities that represent files that are mapped into memory. Having a standard representation of these entities can be useful for accurately characterizing how malware may interact with files and their memory-mapped images on a Windows system.

Proposal

We propose the creation of a new Object capable of characterizing Windows file mapping objects. This Object will contain the following fields in the root-level WindowsFilemappingObjectType:

| Field | Type | Description |
| --- | --- | --- |
| Name | cyboxCommon:StringObjectPropertyType | The Name field specifies the name of the file mapping. |
| File_Handle | WinHandleObj:WindowsHandleObjectType | The File_Handle field specifies the Windows handle to the file from which the file mapping was created. It uses the WindowsHandleObjectType from the imported CybOX Windows Handle Object. |
| Handle | WinHandleObj:WindowsHandleObjectType | The Handle field specifies the Windows handle to the file mapping. It uses the WindowsHandleObjectType from the imported CybOX Windows Handle Object. |
| Page_Protection_Value | WinFilemappingObj:PageProtectionValueType | The Page_Protection_Value field specifies the page protection value (i.e. a PAGE_* constant) specified for the file mapping. |
| Page_Protection_Attribute | WinFilemappingObj:PageProtectionAttributeType | The Page_Protection_Attribute field specifies a page protection attribute (i.e. a SEC_* constant) to be used in combination with the page protection value captured in the Page_Protection_Value field. One or more such attributes can be specified using this field, so it has a multiplicity of 0-N. |
| Maximum_Size | cyboxCommon:UnsignedLongObjectPropertyType | The Maximum_Size field specifies the maximum allowed size for the file mapping, in bytes. This value is typically initialized upon creation of the file mapping. |
| Actual_Size | cyboxCommon:UnsignedLongObjectPropertyType | The Actual_Size field captures the actual size of the file mapping, in bytes. |
| Security_Attributes | cyboxCommon:StringObjectPropertyType | The Security_Attributes field specifies the Windows security attributes for the file mapping. |

The WinFileMappingObj:PageProtectionValueType is a union of the base xs:string type and the PageProtectionValueEnum. The PageProtectionValueEnum is intended to enumerate Windows file mapping page protection value types and thus contains the following values:

| Value | Description |
| --- | --- |
| PAGE_EXECUTE_READ | Specifies that the mapped view of the file represented by the file mapping can be mapped for read-only, copy-on-write, or execute access. |
| PAGE_EXECUTE_READWRITE | Specifies that the mapped view of the file represented by the file mapping can be mapped for read-only, copy-on-write, read/write, or execute access. |
| PAGE_EXECUTE_WRITECOPY | Specifies that the mapped view of the file represented by the file mapping can be mapped for read-only, copy-on-write, or execute access. This value is equivalent to PAGE_EXECUTE_READ. |
| PAGE_READONLY | Specifies that the mapped view of the file represented by the file mapping can be mapped for read-only or copy-on-write access. |
| PAGE_READWRITE | Specifies that the mapped view of the file represented by the file mapping can be mapped for read-only, copy-on-write, or read/write access. |
| PAGE_WRITECOPY | Specifies that the mapped view of the file represented by the file mapping can be mapped for read-only or copy-on-write access. This value is equivalent to PAGE_READONLY. |

The WinFileMappingObj:PageProtectionAttributeType is a union of the base xs:string type and the PageProtectionAttributeEnum. The PageProtectionAttributeEnum is intended to enumerate Windows file mapping page protection attribute types and thus contains the following values:

| Value | Description |
| --- | --- |
| SEC_COMMIT | Specifies that if the file mapping is backed by the operating system paging file, then when a view of the file is mapped into a process address space, the entire range of pages is committed rather than reserved. |
| SEC_IMAGE | Specifies that the file mapped by the file mapping is an executable image file. |
| SEC_IMAGE_NO_EXECUTE | Specifies that the file mapped by the file mapping is an executable image file that will not be executed, and that the loaded image file will have no forced integrity checks run. |
| SEC_LARGE_PAGES | Enables large pages to be used for file mapping objects that are backed by the operating system paging file. |
| SEC_NOCACHE | Sets all pages to be non-cachable. |
| SEC_RESERVE | Specifies that when a view of the file is mapped into a process address space, the entire range of pages is reserved for later use by the process rather than committed. Only valid if the file mapping is backed by the operating system paging file. |
| SEC_WRITECOMBINE | Sets all pages to be write-combined. |

For the full proposed schema, please see: https://github.com/ikiril01/schemas/blob/issue_146/objects/Win_Hook_Object.xsd.
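As an added illustration of how the fields, the PageProtectionValueEnum and the PageProtectionAttributeEnum above fit together in an instance document (example code written for this page, not part of the CybOX project or its schemas), the following Python builds a WindowsFilemappingObjectType instance in the proposed field order and then sanity-checks it. The namespace URIs, the use of cybox:Properties with an xsi:type, and the ID child of the handle object are assumptions made for the example; the element names, type names and enumeration values are taken from the tables above. Because both page-protection types are unions with xs:string, a value outside the enumeration is still schema-valid, so the check reports it as a warning rather than rejecting it.

```python
"""Build and sanity-check a WindowsFilemappingObjectType instance.

Added example for the proposal above; not CybOX project code.
Namespace URIs, the cybox:Properties/xsi:type wrapper and the
WinHandleObj:ID child are assumptions; field names and enum values
come from the proposal's tables.
"""
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
# Assumed namespace URIs: the proposal names only the prefixes.
NS = {
    "cybox": "urn:example:assumed:cybox",
    "WinFilemappingObj": "urn:example:assumed:WinFilemappingObject",
    "WinHandleObj": "urn:example:assumed:WinHandleObject",
    "xsi": XSI,
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def q(prefix, local):
    """Clark-notation qualified name for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


# Enumerations exactly as listed in the proposal.
PAGE_PROTECTION_VALUE_ENUM = frozenset({
    "PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY",
    "PAGE_READONLY", "PAGE_READWRITE", "PAGE_WRITECOPY",
})
PAGE_PROTECTION_ATTRIBUTE_ENUM = frozenset({
    "SEC_COMMIT", "SEC_IMAGE", "SEC_IMAGE_NO_EXECUTE", "SEC_LARGE_PAGES",
    "SEC_NOCACHE", "SEC_RESERVE", "SEC_WRITECOMBINE",
})


def _handle(local_name, handle_id):
    """A WindowsHandleObjectType child; the ID element is an assumption."""
    h = ET.Element(q("WinFilemappingObj", local_name))
    ET.SubElement(h, q("WinHandleObj", "ID")).text = str(handle_id)
    return h


def build_filemapping(name, file_handle_id, handle_id, page_protection_value,
                      page_protection_attributes=(), maximum_size=None,
                      actual_size=None, security_attributes=None):
    """Return a cybox:Properties element typed as WindowsFilemappingObjectType,
    with children in the field order given by the proposal."""
    obj = ET.Element(q("cybox", "Properties"))
    obj.set(q("xsi", "type"), "WinFilemappingObj:WindowsFilemappingObjectType")
    ET.SubElement(obj, q("WinFilemappingObj", "Name")).text = name
    obj.append(_handle("File_Handle", file_handle_id))
    obj.append(_handle("Handle", handle_id))
    ET.SubElement(obj, q("WinFilemappingObj", "Page_Protection_Value")).text = page_protection_value
    for attr in page_protection_attributes:  # multiplicity 0-N
        ET.SubElement(obj, q("WinFilemappingObj", "Page_Protection_Attribute")).text = attr
    if maximum_size is not None:
        ET.SubElement(obj, q("WinFilemappingObj", "Maximum_Size")).text = str(maximum_size)
    if actual_size is not None:
        ET.SubElement(obj, q("WinFilemappingObj", "Actual_Size")).text = str(actual_size)
    if security_attributes is not None:
        ET.SubElement(obj, q("WinFilemappingObj", "Security_Attributes")).text = security_attributes
    return obj


def check_filemapping(obj):
    """Return a list of warnings. Non-enumerated page-protection strings are
    allowed by the union types, so they are reported, not rejected; duplicate
    attributes and an Actual_Size above Maximum_Size are flagged as well."""
    warnings = []
    ppv = obj.findtext(q("WinFilemappingObj", "Page_Protection_Value"))
    if ppv is not None and ppv not in PAGE_PROTECTION_VALUE_ENUM:
        warnings.append("Page_Protection_Value %r not in PageProtectionValueEnum" % ppv)
    seen = set()
    for el in obj.findall(q("WinFilemappingObj", "Page_Protection_Attribute")):
        if el.text not in PAGE_PROTECTION_ATTRIBUTE_ENUM:
            warnings.append("Page_Protection_Attribute %r not in PageProtectionAttributeEnum" % el.text)
        if el.text in seen:
            warnings.append("duplicate Page_Protection_Attribute %r" % el.text)
        seen.add(el.text)
    max_size = obj.findtext(q("WinFilemappingObj", "Maximum_Size"))
    actual = obj.findtext(q("WinFilemappingObj", "Actual_Size"))
    if max_size is not None and actual is not None and int(actual) > int(max_size):
        warnings.append("Actual_Size %s exceeds Maximum_Size %s" % (actual, max_size))
    return warnings


def to_xml(obj):
    """Serialize with the registered prefixes so the output reads like the proposal."""
    return ET.tostring(obj, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample values, not observed data.
    fm = build_filemapping("Local\\sample_mapping", 0x1a4, 0x1b8, "PAGE_READWRITE",
                           ["SEC_COMMIT"], maximum_size=4096, actual_size=4096)
    print(to_xml(fm))
    print(check_filemapping(fm))
```

Running the module prints the serialized object and an empty warning list; feeding check_filemapping an instance whose Page_Protection_Value is not one of the six enumerated PAGE_* constants shows how a union-typed field passes schema validation yet still deserves an analyst's attention.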

Impact

There is no expected compatibility impact.

Requested Feedback

  1. Does it make sense to add such an object to CybOX?
  2. Are there any fields we should add to the WindowsFilemappingObjectType? Should we change any of the types used to capture the fields we've defined?
  3. Are there any values we should add to the PageProtectionValueEnum?
  4. Are there any values we should add to the PageProtectionAttributeEnum?