Proposal: Add New Windows Hook Object

Status: Closed
Comment Period Closes: 12/19/2013
Affects Backwards Compatibility: No
Relevant Issue: https://github.com/CybOXProject/schemas/issues/146

Background Information

Windows has a specific type of hook procedure that can be installed for hooking different types of events in a process. Having a standard representation of this hook can be useful for characterizing malware behavior, especially related to such functionality as keylogging.

Proposal

We propose the creation of a new Object capable of characterizing Windows hook procedures. This Object will contain the fields in the root-level WindowsHookObjectType:

Field	Type	Description
Type	WinHookObj:WinHookObjectType	The Type field specifies the type (i.e. WH_) of the Windows hook procedure, which refers to the type of event that the hook will intercept.
Handle	WinHandleObj:WindowsHandleObjectType	The Handle field specifies the handle associated with the Windows hook procedure. It uses the WindowsHandleObjectType type from the imported CybOX Windows Handle object.
Hooking_Function_Name	cyboxCommon:StringObjectPropertyType	The Hooking_Function_Name field specifies the name of the hooking function used by the Windows hook procedure.
Hooking_Module	LibraryObj:LibraryObjectType	The Hooking_Module field specifies the properties of the module that contains the hooking function used in the Windows hook procedure that is specified in the Hooking_Function_Name field. It uses the LibraryObjectType from the imported CybOX Library Object.
Thread_ID	cyboxCommon:NonNegativeIntegerObjectPropertyType	The Thread_ID field specifies the ID of the thread associated with the Windows procedure, if applicable.

The WinHookObj:WinHookObjectType is a union of the base xs:string type and the WinHookTypeEnum. The WinHookTypeEnum is intended to enumerate possible types of Windows hook procedure types and thus contains the following values:

Value	Description
WH_CALLWNDPROC	Specifies a hook procedure that monitors messages before the system sends them to the destination window procedure.
WH_CALLWNDPROCRET	Specifies a hook procedure that monitors messages after they have been processed by the destination window procedure.
WH_CBT	Specifies a hook procedure that receives notifications useful to a CBT application.
WH_DEBUG	Specifies a hook procedure useful for debugging other hook procedures.
WH_FOREGROUNDIDLE	Specifies a hook procedure that will be called when the application's foreground thread is about to become idle.
WH_GETMESSAGE	Specifies a hook procedure that monitors messages posted to a message queue.
WH_JOURNALPLAYBACK	Specifies a hook procedure that posts messages previously recorded by a WH_JOURNALRECORD hook procedure.
WH_JOURNALRECORD	Specifies a hook procedure that records input messages posted to the system message queue.
WH_KEYBOARD	Specifies a hook procedure that monitors keystroke messages.
WH_KEYBOARD_LL	Specifies a hook procedure that monitors low-level keyboard input events.
WH_MOUSE	Specifies a hook procedure that monitors mouse messages.
WH_MOUSE_LL	Specifies a hook procedure that monitors low-level mouse input events.
WH_MSGFILTER	Specifies a hook procedure that monitors messages generated as a result of an input event in a dialog box, message box, menu, or scroll bar.
WH_SHELL	Specifies a hook procedure that receives notifications useful to shell applications.
WH_SYSMSGFILTER	Specifies a hook procedure that monitors messages generated as a result of an input event in a dialog box, message box, menu, or scroll bar.

For the full proposed schema, please see: https://github.com/ikiril01/schemas/blob/issue_146/objects/Win_Hook_Object.xsd.

Impact

There is no expected compatibility impact.

Requested Feedback

1. Does it make sense to add such an object to CybOX?
2. Are there any fields we should add to the WindowsHookObjectType? Should we change any of the types used to capture the fields we've defined?
3. Are there any values we should add to the WinHookTypeEnum?