stix_schema_spy 1.0

data/config/1.0.1/stix/cybox/objects/Win_Kernel_Hook_Object.xsd

@@ -0,0 +1,109 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:WinKernelHookObj="http://cybox.mitre.org/objects#WinKernelHookObject-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" targetNamespace="http://cybox.mitre.org/objects#WinKernelHookObject-2" elementFormDefault="qualified" attributeFormDefault="unqualified" version="2.0.1">
+	<xs:annotation>
+		<xs:documentation>This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org. </xs:documentation>
+		<xs:appinfo>
+			<schema>Win_Kernel_Hook_Object</schema>
+			<version>2.0.1</version>
+			<date>09/30/2013 9:00:00 AM</date>
+			<short_description>The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML. </short_description>
+			<terms_of_use>Copyright (c) 2012-2013, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included. </terms_of_use>
+		</xs:appinfo>
+	</xs:annotation>
+	<xs:import namespace="http://cybox.mitre.org/common-2" schemaLocation="../cybox_common.xsd"/>
+	<xs:element name="Windows_Kernel_Hook" type="WinKernelHookObj:WindowsKernelHookObjectType" nillable="true">
+		<xs:annotation>
+			<xs:documentation>The Windows_Kernel_Hook object is intended to characterize Windows kernel function hooks.</xs:documentation>
+		</xs:annotation>
+	</xs:element>
+	<xs:complexType name="WindowsKernelHookObjectType" mixed="false">
+		<xs:annotation>
+			<xs:documentation>The WindowsKernelHookObjectType type is intended to characterize Windows kernel function hooks.</xs:documentation>
+		</xs:annotation>
+		<xs:complexContent>
+			<xs:extension base="cyboxCommon:ObjectPropertiesType">
+				<xs:sequence>
+					<xs:element name="Digital_Signature_Hooking" type="cyboxCommon:DigitalSignatureInfoType" minOccurs="0" maxOccurs="1">
+						<xs:annotation>
+							<xs:documentation>The Digital_Signature_Hooked field is optional and specifies the digital signature of the hooking code.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Digital_Signature_Hooked" type="cyboxCommon:DigitalSignatureInfoType" minOccurs="0" maxOccurs="1">
+						<xs:annotation>
+							<xs:documentation>The Digital_Signature_Hooked field is optional and specifies the digital signature of the hooked code.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Hooking_Address" type="cyboxCommon:UnsignedLongObjectPropertyType" nillable="true" minOccurs="0" maxOccurs="1">
+						<xs:annotation>
+							<xs:documentation>The Hooking_Address field is optional and specifies the address from where the hooking occurs.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Hook_Description" type="cyboxCommon:StringObjectPropertyType" minOccurs="0" maxOccurs="1">
+						<xs:annotation>
+							<xs:documentation>The Hook_Description field is optional and provides a description of the nature of the hook.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Hooked_Function" type="cyboxCommon:StringObjectPropertyType" minOccurs="0" maxOccurs="1">
+						<xs:annotation>
+							<xs:documentation>The Hooked_Function field specifies the name of the function that is hooked.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Hooked_Module" type="cyboxCommon:StringObjectPropertyType" minOccurs="0" maxOccurs="1">
+						<xs:annotation>
+							<xs:documentation>The Hooked_Module field specifies the name of the module that is hooked.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Hooking_Module" type="cyboxCommon:StringObjectPropertyType" minOccurs="0" maxOccurs="1">
+						<xs:annotation>
+							<xs:documentation>The Hooking_Module field specifies the name of the module that is doing the hooking.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Type" type="WinKernelHookObj:KernelHookType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Type field specifies the type of hook being characterized.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+				</xs:sequence>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+	<xs:complexType name="KernelHookType">
+		<xs:annotation>
+			<xs:documentation>KernelHookType specifies Windows kernel hook types via a union of the KernelHookTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.</xs:documentation>
+		</xs:annotation>
+		<xs:simpleContent>
+			<xs:restriction base="cyboxCommon:BaseObjectPropertyType">
+				<xs:simpleType>
+					<xs:union memberTypes="WinKernelHookObj:KernelHookTypeEnum xs:string"/>
+				</xs:simpleType>
+				<xs:attribute name="datatype" type="cyboxCommon:DatatypeEnum" fixed="string">
+					<xs:annotation>
+						<xs:documentation>This attribute is optional and specifies the expected type for the value of the specified property.</xs:documentation>
+					</xs:annotation>
+				</xs:attribute>
+			</xs:restriction>
+		</xs:simpleContent>
+	</xs:complexType>
+	<xs:simpleType name="KernelHookTypeEnum">
+		<xs:annotation>
+			<xs:documentation>The KernelHookTypeEnum type is a non-exhaustive enumeration of Windows kernel hook types.</xs:documentation>
+		</xs:annotation>
+		<xs:restriction base="xs:string">
+			<xs:enumeration value="IAT_API">
+				<xs:annotation>
+					<xs:documentation>Specifies a kernel hook type of IAT_API.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="Inline_Function">
+				<xs:annotation>
+					<xs:documentation>Specifies an inline function type of kernel hook.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="Instruction_Hooking">
+				<xs:annotation>
+					<xs:documentation>Specifies an instruction hooking type of kernel hook.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+		</xs:restriction>
+	</xs:simpleType>
+</xs:schema>

data/config/1.0.1/stix/cybox/objects/Win_Kernel_Object.xsd

@@ -0,0 +1,128 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:WinKernelObj="http://cybox.mitre.org/objects#WinKernelObject-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" targetNamespace="http://cybox.mitre.org/objects#WinKernelObject-2" elementFormDefault="qualified" attributeFormDefault="unqualified" version="2.0.1">
+	<xs:annotation>
+		<xs:documentation>This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org. </xs:documentation>
+		<xs:appinfo>
+			<schema>Win_Kernel_Object</schema>
+			<version>2.0.1</version>
+			<date>09/30/2013 9:00:00 AM</date>
+			<short_description>The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML. </short_description>
+			<terms_of_use>Copyright (c) 2012-2013, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included. </terms_of_use>
+		</xs:appinfo>
+	</xs:annotation>
+	<xs:import namespace="http://cybox.mitre.org/common-2" schemaLocation="../cybox_common.xsd"/>
+	<xs:element name="Windows_Kernel" type="WinKernelObj:WindowsKernelObjectType">
+		<xs:annotation>
+			<xs:documentation>The Windows_Kernel object is intended to characterize Windows Kernel structures.</xs:documentation>
+		</xs:annotation>
+	</xs:element>
+	<xs:complexType name="WindowsKernelObjectType">
+		<xs:annotation>
+			<xs:documentation>The WindowsKernelObjectType type is intended to characterize Windows Kernel structures.</xs:documentation>
+		</xs:annotation>
+		<xs:complexContent>
+			<xs:extension base="cyboxCommon:ObjectPropertiesType">
+				<xs:sequence>
+					<xs:element name="IDT" type="WinKernelObj:IDTEntryListType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The IDT field characterizes the Windows Interrupt Descriptor Table (IDT).</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="SSDT" type="WinKernelObj:SSDTEntryListType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The SSDT field characterizes the Windows System Service Descriptor Table (SSDT). The SSDT is a structure that kernel uses to dispatch functions. KeServiceDescriptorTable is a table exported by the kernel that contains pointers to four SSDTs, one for the native API, one for user/GDI support, one of IIS SPUD (in Windows 2000), and one unused.See http://www.honeynet.org/node/438; Sven Boris Schreiber, Undocumented Windows 2000 Secrets (http://undocumented.rawol.com/sbs-w2k-2-the-windows-2000-native-api.pdf); Greg Hoglund and James Butler, Rootkits: Subverting the WIndows kernel</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+				</xs:sequence>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+	<xs:complexType name="SSDTEntryListType">
+		<xs:annotation>
+			<xs:documentation>The SSDTEntryListType type specifies a listing of the entries in the System Service Descriptor Table (SSDT).</xs:documentation>
+		</xs:annotation>
+		<xs:sequence>
+			<xs:element name="SSDT_Entry" type="WinKernelObj:SSDTEntryType" maxOccurs="unbounded">
+				<xs:annotation>
+					<xs:documentation>Specifies an entry in the System Service Descriptor Table.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+		</xs:sequence>
+	</xs:complexType>
+	<xs:complexType name="SSDTEntryType">
+		<xs:annotation>
+			<xs:documentation>The SSDTEntryType type specifies a single entry in the System Service Descriptor Table (SSDT).</xs:documentation>
+		</xs:annotation>
+		<xs:sequence>
+			<xs:element name="Service_Table_Base" type="cyboxCommon:HexBinaryObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>Pointer to the system service dispatch table, an array of function addresses which is indexed by the system call number.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="Service_Counter_Table_Base" type="cyboxCommon:HexBinaryObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>Pointer to an array of usage counters.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="Number_Of_Services" type="cyboxCommon:NonNegativeIntegerObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>Number of entries in the system service dispatch table.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="Argument_Table_Base" type="cyboxCommon:HexBinaryObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>Pointer to an array of bytes, which indicate the number of bytes used by the function's arguments.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+		</xs:sequence>
+		<xs:attribute name="hooked" type="xs:boolean">
+			<xs:annotation>
+				<xs:documentation>The hooked attribute specifies whether the SSDT entry is hooked.</xs:documentation>
+			</xs:annotation>
+		</xs:attribute>
+	</xs:complexType>
+	<xs:complexType name="IDTEntryListType">
+		<xs:annotation>
+			<xs:documentation>The IDTEntryListType type specifies a listing of the entries in the Interrupt Descriptor Table (IDT). The IDT is specific to the I386 architecture, indicating where the Prtoetcted mode Interrupt Service Routines (ISR) are located. See http://wiki.osdev.org/Interrupt_Descriptor_Table </xs:documentation>
+		</xs:annotation>
+		<xs:sequence>
+			<xs:element name="IDT_Entry" type="WinKernelObj:IDTEntryType" maxOccurs="unbounded">
+				<xs:annotation>
+					<xs:documentation>Specifies an entry in the Interrupt Descriptor Table. </xs:documentation>
+				</xs:annotation>
+			</xs:element>
+		</xs:sequence>
+	</xs:complexType>
+	<xs:complexType name="IDTEntryType">
+		<xs:annotation>
+			<xs:documentation>The IDTEntryType type specifies a single entry in the Interrupt Descriptor Table (IDT). Entries can be interrupt gates, task gates, and trap gates.</xs:documentation>
+		</xs:annotation>
+		<xs:sequence>
+			<xs:element name="Type_Attr" type="cyboxCommon:HexBinaryObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>A byte that encodes the gate type and interrupt attributes (e.g., the Descriptor Privilege Level).</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="Offset_High" type="cyboxCommon:HexBinaryObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>Higher part of the interrupt function's offset address bits 16-31 in 32-bit, bits 32-63 in 64-bit)</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="Offset_Low" type="cyboxCommon:HexBinaryObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>Lower part of the interrupt function's offset address (bits 0-15)</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="Offset_Middle" type="cyboxCommon:HexBinaryObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>In 64-bit architectures, middle part of the interrupt function's offset address (bits 16-31)</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="Selector" type="cyboxCommon:HexBinaryObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>A 16-bit value that points to a code segment selector in the Global Descriptot Table.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+		</xs:sequence>
+	</xs:complexType>
+</xs:schema>

data/config/1.0.1/stix/cybox/objects/Win_Mailslot_Object.xsd

@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:WinMailslotObj="http://cybox.mitre.org/objects#WinMailslotObject-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:WinHandleObj="http://cybox.mitre.org/objects#WinHandleObject-2" targetNamespace="http://cybox.mitre.org/objects#WinMailslotObject-2" elementFormDefault="qualified" attributeFormDefault="unqualified" version="2.0.1">
+	<xs:annotation>
+		<xs:documentation>This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org. </xs:documentation>
+		<xs:appinfo>
+			<schema>Win_Mailslot_Object</schema>
+			<version>2.0.1</version>
+			<date>09/30/2013 9:00:00 AM</date>
+			<short_description>The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML. </short_description>
+			<terms_of_use>Copyright (c) 2012-2013, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included. </terms_of_use>
+		</xs:appinfo>
+	</xs:annotation>
+	<xs:import namespace="http://cybox.mitre.org/common-2" schemaLocation="../cybox_common.xsd"/>
+	<xs:import namespace="http://cybox.mitre.org/objects#WinHandleObject-2" schemaLocation="Win_Handle_Object.xsd"/>
+	<xs:element name="Windows_Mailslot" type="WinMailslotObj:WindowsMailslotObjectType" nillable="true">
+		<xs:annotation>
+			<xs:documentation>The Windows_Mailslot object is intended to characterize Windows mailslot objects. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa365576(v=vs.85).aspx</xs:documentation>
+		</xs:annotation>
+	</xs:element>
+	<xs:complexType name="WindowsMailslotObjectType" mixed="false">
+		<xs:annotation>
+			<xs:documentation>The WindowsMailslotObjectType is intended to characterize Windows mailslot objects.</xs:documentation>
+		</xs:annotation>
+		<xs:complexContent>
+			<xs:extension base="cyboxCommon:ObjectPropertiesType">
+				<xs:sequence>
+					<xs:element name="Handle" type="WinHandleObj:WindowsHandleListType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Handle field specifies the open Windows handle to the mailslot. It imports and uses the WindowsHandleObjectType from the CybOX Windows Handle Object.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Max_Message_Size" type="cyboxCommon:NonNegativeIntegerObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Max_Message_Size field specifies the maximum message size for the mailslot, in bytes.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Name" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Name field specifies the name of the mailslot.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Read_Timeout" type="cyboxCommon:NonNegativeIntegerObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Read_Timeout field specifies the amount of time, in milliseconds, a read operation can wait for a message to be written to the mailslot before a time-out occurs. </xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Security_Attributes" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Security_Attributes field specifies the Windows security attributes for the mailslot.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+				</xs:sequence>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+</xs:schema>

data/config/1.0.1/stix/cybox/objects/Win_Memory_Page_Region_Object.xsd

@@ -0,0 +1,198 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:WinMemoryPageRegionObj="http://cybox.mitre.org/objects#WinMemoryPageRegionObject-2" xmlns:MemoryObj="http://cybox.mitre.org/objects#MemoryObject-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" targetNamespace="http://cybox.mitre.org/objects#WinMemoryPageRegionObject-2" elementFormDefault="qualified" attributeFormDefault="unqualified" version="2.0.1">
+	<xs:annotation>
+		<xs:documentation>This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org. </xs:documentation>
+		<xs:appinfo>
+			<schema>Win_Memory_Page_Region_Object</schema>
+			<version>2.0.1</version>
+			<date>09/30/2013 9:00:00 AM</date>
+			<short_description>The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML. </short_description>
+			<terms_of_use>Copyright (c) 2012-2013, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included. </terms_of_use>
+		</xs:appinfo>
+	</xs:annotation>
+	<xs:import namespace="http://cybox.mitre.org/common-2" schemaLocation="../cybox_common.xsd"/>
+	<xs:import namespace="http://cybox.mitre.org/objects#MemoryObject-2" schemaLocation="Memory_Object.xsd"/>
+	<xs:element name="Windows_Memory_Page_Region" type="WinMemoryPageRegionObj:WindowsMemoryPageRegionObjectType">
+		<xs:annotation>
+			<xs:documentation>The Windows_Memory_Page_Region object is intended represent a single Windows memory page region.</xs:documentation>
+		</xs:annotation>
+	</xs:element>
+	<xs:complexType name="WindowsMemoryPageRegionObjectType" mixed="false">
+		<xs:annotation>
+			<xs:documentation>The WindowsMemoryPageRegionObjectType type is intended to characterize Windows memory page regions.</xs:documentation>
+		</xs:annotation>
+		<xs:complexContent>
+			<xs:extension base="MemoryObj:MemoryObjectType">
+				<xs:sequence>
+					<xs:element minOccurs="0" name="Type" type="WinMemoryPageRegionObj:MemoryPageTypeType">
+						<xs:annotation>
+							<xs:documentation>The Type field specifies the type of pages in the memory page region.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element minOccurs="0" name="Allocation_Base_Address" type="cyboxCommon:HexBinaryObjectPropertyType">
+						<xs:annotation>
+							<xs:documentation>The Allocation_Base_Address field specifies the base address of the memory page region when the region was first allocated.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element minOccurs="0" name="Allocation_Protect" type="WinMemoryPageRegionObj:MemoryPageProtectionType">
+						<xs:annotation>
+							<xs:documentation>The Allocation_Protect field specifies the memory protection option for the memory page region when the region was initially allocated.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element minOccurs="0" name="State" type="WinMemoryPageRegionObj:MemoryPageStateType">
+						<xs:annotation>
+							<xs:documentation>The State field specifies the state of the memory pages in the region.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element minOccurs="0" name="Protect" type="WinMemoryPageRegionObj:MemoryPageProtectionType">
+						<xs:annotation>
+							<xs:documentation>The Protect field specifies the access protection of the memory pages in the region.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+				</xs:sequence>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+	<xs:complexType name="MemoryPageProtectionType">
+		<xs:annotation>
+			<xs:documentation>MemoryPageProtectionType specifies memory protection constant types, via a union of the MemoryPageProtectionEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.</xs:documentation>
+		</xs:annotation>
+		<xs:simpleContent>
+			<xs:restriction base="cyboxCommon:BaseObjectPropertyType">
+				<xs:simpleType>
+					<xs:union memberTypes="WinMemoryPageRegionObj:MemoryPageProtectionEnum xs:string"/>
+				</xs:simpleType>
+				<xs:attribute fixed="string" name="datatype" type="cyboxCommon:DatatypeEnum">
+					<xs:annotation>
+						<xs:documentation>This attribute is optional and specifies the expected type for the value of the specified property.</xs:documentation>
+					</xs:annotation>
+				</xs:attribute>
+			</xs:restriction>
+		</xs:simpleContent>
+	</xs:complexType>
+	<xs:simpleType name="MemoryPageProtectionEnum">
+		<xs:annotation>
+			<xs:documentation>The MemoryPageProtectionEnum defines an enumeration of memory page protection constants. As a further reference, please see: http://msdn.microsoft.com/en-us/library/windows/desktop/aa366786(v=vs.85).aspx</xs:documentation>
+		</xs:annotation>
+		<xs:restriction base="xs:string">
+			<xs:enumeration value="PAGE_EXECUTE">
+				<xs:annotation>
+					<xs:documentation>From Microsoft: "Enables execute access to the committed region of pages. An attempt to read from or write to the committed region results in an access violation."</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="PAGE_EXECUTE_READ">
+				<xs:annotation>
+					<xs:documentation>From Microsoft: "Enables execute or read-only access to the committed region of pages. An attempt to write to the committed region results in an access violation."</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="PAGE_EXECUTE_READWRITE">
+				<xs:annotation>
+					<xs:documentation>From Microsoft: "Enables execute, read-only, or read/write access to the committed region of pages."</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="PAGE_EXECUTE_WRITECOPY">
+				<xs:annotation>
+					<xs:documentation>From Microsoft: "Enables execute, read-only, or copy-on-write access to a mapped view of a file mapping object. An attempt to write to a committed copy-on-write page results in a private copy of the page being made for the process. The private page is marked as PAGE_EXECUTE_READWRITE, and the change is written to the new page."</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="PAGE_NOACCESS">
+				<xs:annotation>
+					<xs:documentation>From Microsoft: "Disables all access to the committed region of pages. An attempt to read from, write to, or execute the committed region results in an access violation."</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="PAGE_READONLY">
+				<xs:annotation>
+					<xs:documentation>From Microsoft: "Enables read-only access to the committed region of pages. An attempt to write to the committed region results in an access violation. If Data Execution Prevention is enabled, an attempt to execute code in the committed region results in an access violation."</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="PAGE_READWRITE">
+				<xs:annotation>
+					<xs:documentation>From Microsoft: "Enables read-only or read/write access to the committed region of pages. If Data Execution Prevention is enabled, attempting to execute code in the committed region results in an access violation."</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="PAGE_WRITECOPY">
+				<xs:annotation>
+					<xs:documentation>From Microsoft: "Enables read-only or copy-on-write access to a mapped view of a file mapping object. An attempt to write to a committed copy-on-write page results in a private copy of the page being made for the process. The private page is marked as PAGE_READWRITE, and the change is written to the new page. If Data Execution Prevention is enabled, attempting to execute code in the committed region results in an access violation."</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+		</xs:restriction>
+	</xs:simpleType>
+	<xs:complexType name="MemoryPageStateType">
+		<xs:annotation>
+			<xs:documentation>MemoryPageStateType specifies memory protection states, via a union of the MemoryPageStateEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.</xs:documentation>
+		</xs:annotation>
+		<xs:simpleContent>
+			<xs:restriction base="cyboxCommon:BaseObjectPropertyType">
+				<xs:simpleType>
+					<xs:union memberTypes="WinMemoryPageRegionObj:MemoryPageStateEnum xs:string"/>
+				</xs:simpleType>
+				<xs:attribute fixed="string" name="datatype" type="cyboxCommon:DatatypeEnum">
+					<xs:annotation>
+						<xs:documentation>This attribute is optional and specifies the expected type for the value of the specified property.</xs:documentation>
+					</xs:annotation>
+				</xs:attribute>
+			</xs:restriction>
+		</xs:simpleContent>
+	</xs:complexType>
+	<xs:simpleType name="MemoryPageStateEnum">
+		<xs:annotation>
+			<xs:documentation>The MemoryPageStateEnum defines an enumeration of memory page states. As a further reference, please see: http://msdn.microsoft.com/en-us/library/windows/desktop/aa366775(v=vs.85).aspx</xs:documentation>
+		</xs:annotation>
+		<xs:restriction base="xs:string">
+			<xs:enumeration value="MEM_COMMIT">
+				<xs:annotation>
+					<xs:documentation>From Microsoft: "Indicates committed pages for which physical storage has been allocated, either in memory or in the paging file on disk."</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="MEM_FREE">
+				<xs:annotation>
+					<xs:documentation>From Microsoft: "Indicates free pages not accessible to the calling process and available to be allocated. For free pages, the information in the AllocationBase, AllocationProtect, Protect, and Type members is undefined."</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="MEM_RESERVE">
+				<xs:annotation>
+					<xs:documentation>From Microsoft: "Indicates reserved pages where a range of the process's virtual address space is reserved without any physical storage being allocated. For reserved pages, the information in the Protect member is undefined."</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+		</xs:restriction>
+	</xs:simpleType>
+	<xs:complexType name="MemoryPageTypeType">
+		<xs:annotation>
+			<xs:documentation>MemoryPageTypeType specifies memory protection type, via a union of the MemoryPageTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.</xs:documentation>
+		</xs:annotation>
+		<xs:simpleContent>
+			<xs:restriction base="cyboxCommon:BaseObjectPropertyType">
+				<xs:simpleType>
+					<xs:union memberTypes="WinMemoryPageRegionObj:MemoryPageTypeEnum xs:string"/>
+				</xs:simpleType>
+				<xs:attribute fixed="string" name="datatype" type="cyboxCommon:DatatypeEnum">
+					<xs:annotation>
+						<xs:documentation>This attribute is optional and specifies the expected type for the value of the specified property.</xs:documentation>
+					</xs:annotation>
+				</xs:attribute>
+			</xs:restriction>
+		</xs:simpleContent>
+	</xs:complexType>
+	<xs:simpleType name="MemoryPageTypeEnum">
+		<xs:annotation>
+			<xs:documentation>The MemoryPageTypeEnum defines an enumeration of memory page types. As a further reference, please see: http://msdn.microsoft.com/en-us/library/windows/desktop/aa366775(v=vs.85).aspx</xs:documentation>
+		</xs:annotation>
+		<xs:restriction base="xs:string">
+			<xs:enumeration value="MEM_IMAGE">
+				<xs:annotation>
+					<xs:documentation>From Microsoft: "Indicates that the memory pages within the region are mapped into the view of an image section."</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="MEM_MAPPED">
+				<xs:annotation>
+					<xs:documentation>From Microsoft: "Indicates that the memory pages within the region are mapped into the view of a section."</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="MEM_PRIVATE">
+				<xs:annotation>
+					<xs:documentation>From Microsoft: "Indicates that the memory pages within the region are private (that is, not shared by other processes)."</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+		</xs:restriction>
+	</xs:simpleType>
+</xs:schema>