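# Copyright (c) 2017, The MITRE Corporation. All rights reserved.
# See LICENSE.txt for complete terms.

from mixbox import entities
from mixbox import fields

import cybox.bindings.win_driver_object as win_driver_binding
from cybox.objects.win_executable_file_object import WinExecutableFile
from cybox.common import String, HexBinary, UnsignedLong


class DeviceObjectStruct(entities.Entity):
    """One device-object record of a Windows driver (``DeviceObjectStructType``).

    Each attribute is a ``TypedField`` that maps the quoted XML element name
    to a CybOX common type. Names are ``String``; the ``*_object`` values are
    ``UnsignedLong``.

    NOTE(review): the ``*_object`` values are presumably kernel object
    addresses as reported by the collecting tool -- confirm against the
    WinDriverObject schema before interpreting them.
    """

    # Binding module/class and XML namespace data used for serialization.
    _binding = win_driver_binding
    _binding_class = win_driver_binding.DeviceObjectStructType
    _namespace = "http://cybox.mitre.org/objects#WinDriverObject-3"
    _XSI_NS = "WinDriverObj"
    _XSI_TYPE = "DeviceObjectStructType"

    # Device attached on top of this one.
    attached_device_name = fields.TypedField("Attached_Device_Name", String)
    attached_device_object = fields.TypedField("Attached_Device_Object", UnsignedLong)
    # Device (and its driver) that this one is attached to.
    attached_to_device_name = fields.TypedField("Attached_To_Device_Name", String)
    attached_to_device_object = fields.TypedField("Attached_To_Device_Object", UnsignedLong)
    attached_to_driver_name = fields.TypedField("Attached_To_Driver_Name", String)
    attached_to_driver_object = fields.TypedField("Attached_To_Driver_Object", UnsignedLong)
    # The device itself.
    device_name = fields.TypedField("Device_Name", String)
    device_object = fields.TypedField("Device_Object", UnsignedLong)


class DeviceObjectList(entities.EntityList):
    """List container for ``DeviceObjectStruct`` entries (``DeviceObjectListType``)."""

    # Binding module/class and XML namespace data used for serialization.
    _binding = win_driver_binding
    _binding_class = win_driver_binding.DeviceObjectListType
    _namespace = "http://cybox.mitre.org/objects#WinDriverObject-3"
    _XSI_NS = "WinDriverObj"
    _XSI_TYPE = "DeviceObjectListType"

    # multiple=True: the element may repeat, one per device object.
    device_object_struct = fields.TypedField("Device_Object_Struct", DeviceObjectStruct, multiple=True)


class WinDriver(WinExecutableFile):
    """CybOX Windows driver object (``WindowsDriverObjectType``).

    Extends ``WinExecutableFile`` with driver-specific properties: the driver
    name and entry-point fields, the image base and size, the list of device
    objects, and one field per ``IRP_MJ_*`` major function.

    NOTE(review): the ``IRP_MJ_*`` values presumably record the dispatch
    routine registered for each major function -- confirm against the
    WinDriverObject schema. If so, a consumer triaging driver integrity would
    compare each value with the range given by ``image_base``/``image_size``.
    Those two fields are ``HexBinary`` while the ``IRP_MJ_*`` fields are
    ``UnsignedLong``, so normalise both to integers before comparing.

    This class adds no range or consistency checks of its own; treat values
    parsed from third-party documents as untrusted input.
    """

    # Binding module/class and XML namespace data used for serialization.
    _binding = win_driver_binding
    _binding_class = win_driver_binding.WindowsDriverObjectType
    _namespace = "http://cybox.mitre.org/objects#WinDriverObject-3"
    _XSI_NS = "WinDriverObj"
    _XSI_TYPE = "WindowsDriverObjectType"

    # Driver identity and entry points. Note the mixed representations:
    # driver_init is UnsignedLong, the other address-like fields are HexBinary.
    driver_init = fields.TypedField("Driver_Init", UnsignedLong)
    driver_name = fields.TypedField("Driver_Name", String)
    driver_object_address = fields.TypedField("Driver_Object_Address", HexBinary)
    driver_start_io = fields.TypedField("Driver_Start_IO", HexBinary)
    driver_unload = fields.TypedField("Driver_Unload", HexBinary)
    device_object_list = fields.TypedField("Device_Object_List", DeviceObjectList)

    # Location and extent of the loaded driver image.
    image_base = fields.TypedField("Image_Base", HexBinary)
    image_size = fields.TypedField("Image_Size", HexBinary)

    # One field per IRP major function code, in alphabetical order.
    irp_mj_cleanup = fields.TypedField("IRP_MJ_CLEANUP", UnsignedLong)
    irp_mj_close = fields.TypedField("IRP_MJ_CLOSE", UnsignedLong)
    irp_mj_create = fields.TypedField("IRP_MJ_CREATE", UnsignedLong)
    irp_mj_create_mailslot = fields.TypedField("IRP_MJ_CREATE_MAILSLOT", UnsignedLong)
    irp_mj_create_named_pipe = fields.TypedField("IRP_MJ_CREATE_NAMED_PIPE", UnsignedLong)
    irp_mj_device_change = fields.TypedField("IRP_MJ_DEVICE_CHANGE", UnsignedLong)
    irp_mj_device_control = fields.TypedField("IRP_MJ_DEVICE_CONTROL", UnsignedLong)
    irp_mj_directory_control = fields.TypedField("IRP_MJ_DIRECTORY_CONTROL", UnsignedLong)
    irp_mj_file_system_control = fields.TypedField("IRP_MJ_FILE_SYSTEM_CONTROL", UnsignedLong)
    irp_mj_flush_buffers = fields.TypedField("IRP_MJ_FLUSH_BUFFERS", UnsignedLong)
    irp_mj_internal_device_control = fields.TypedField("IRP_MJ_INTERNAL_DEVICE_CONTROL", UnsignedLong)
    irp_mj_lock_control = fields.TypedField("IRP_MJ_LOCK_CONTROL", UnsignedLong)
    irp_mj_pnp = fields.TypedField("IRP_MJ_PNP", UnsignedLong)
    irp_mj_power = fields.TypedField("IRP_MJ_POWER", UnsignedLong)
    irp_mj_query_ea = fields.TypedField("IRP_MJ_QUERY_EA", UnsignedLong)
    irp_mj_query_information = fields.TypedField("IRP_MJ_QUERY_INFORMATION", UnsignedLong)
    irp_mj_query_quota = fields.TypedField("IRP_MJ_QUERY_QUOTA", UnsignedLong)
    irp_mj_query_security = fields.TypedField("IRP_MJ_QUERY_SECURITY", UnsignedLong)
    irp_mj_query_volume_information = fields.TypedField("IRP_MJ_QUERY_VOLUME_INFORMATION", UnsignedLong)
    irp_mj_read = fields.TypedField("IRP_MJ_READ", UnsignedLong)
    irp_mj_set_ea = fields.TypedField("IRP_MJ_SET_EA", UnsignedLong)
    irp_mj_set_information = fields.TypedField("IRP_MJ_SET_INFORMATION", UnsignedLong)
    irp_mj_set_quota = fields.TypedField("IRP_MJ_SET_QUOTA", UnsignedLong)
    irp_mj_set_security = fields.TypedField("IRP_MJ_SET_SECURITY", UnsignedLong)
    irp_mj_set_volume_information = fields.TypedField("IRP_MJ_SET_VOLUME_INFORMATION", UnsignedLong)
    irp_mj_shutdown = fields.TypedField("IRP_MJ_SHUTDOWN", UnsignedLong)
    irp_mj_system_control = fields.TypedField("IRP_MJ_SYSTEM_CONTROL", UnsignedLong)
    irp_mj_write = fields.TypedField("IRP_MJ_WRITE", UnsignedLong)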