Build Your own EDR

a guest
Sep 26th, 2017
  1. <instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events">
  2.  <instrumentation xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">
  3.   <events>
         <!-- ETW manifest for the Microsoft-Windows-Threat-Intelligence provider. It declares
              12 keywords, 14 tasks, 14 events and 6 payload templates for virtual-memory
              (alloc / protect / map view / read / write), user-APC and thread-context
              operations, each in a _REMOTE and a _LOCAL variant. -->
         <!-- NOTE(review): this file describes the event schema only. As publicly documented,
              Windows allows only a protected anti-malware (PPL) process to enable this provider
              in a trace session, so a decoder built from this manifest still needs such a
              consumer in place. Confirm on the target build. -->
         <!-- NOTE(review): the listing reflects a single Windows build. Event IDs, versions and
              fields may differ elsewhere; validate against the provider registered on the hosts
              you monitor before relying on field offsets. -->
  4.    <provider name="Microsoft-Windows-Threat-Intelligence" guid="{f4e1897c-bb5d-5668-f1d8-040f4d8dd344}" resourceFileName="Microsoft-Windows-Threat-Intelligence" messageFileName="Microsoft-Windows-Threat-Intelligence" symbol="MicrosoftWindowsThreatIntelligence" source="Xml" >
  5.     <keywords>
           <!-- Keyword bitmask definitions. Every mask is a single bit, from 0x10 up to 0x8000,
                so a keyword filter is presumably the OR of the bits a consumer wants. -->
           <!-- NOTE(review): no <event> element in this listing carries a keywords attribute, so
                which keyword gates which event ID cannot be read from this manifest. Verify the
                mapping empirically before narrowing a session mask; a wrong mask drops telemetry
                without any error. -->
  6.      <keyword name="KERNEL_THREATINT_KEYWORD_ALLOCVM" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_ALLOCVM)" mask="0x10"/>
  7.      <keyword name="KERNEL_THREATINT_KEYWORD_PROTECTVM" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_PROTECTVM)" mask="0x20"/>
  8.      <keyword name="KERNEL_THREATINT_KEYWORD_MAPVIEW" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_MAPVIEW)" mask="0x40"/>
  9.      <keyword name="KERNEL_THREATINT_KEYWORD_QUEUEUSERAPC" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_QUEUEUSERAPC)" mask="0x80"/>
  10.      <keyword name="KERNEL_THREATINT_KEYWORD_SETTHREADCONTEXT" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_SETTHREADCONTEXT)" mask="0x100"/>
  11.      <keyword name="KERNEL_THREATINT_KEYWORD_LOCAL_CALLS" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_LOCAL_CALLS)" mask="0x200"/>
  12.      <keyword name="KERNEL_THREATINT_KEYWORD_CONTEXT_PARSE" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_CONTEXT_PARSE)" mask="0x400"/>
  13.      <keyword name="KERNEL_THREATINT_KEYWORD_EXECUTION_ADDRESS_VAD_PROBE" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_EXECUTION_ADDRESS_VAD_PROBE)" mask="0x800"/>
  14.      <keyword name="KERNEL_THREATINT_KEYWORD_EXECUTION_ADDRESS_MMF_NAME_PROBE" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_EXECUTION_ADDRESS_MMF_NAME_PROBE)" mask="0x1000"/>
  15.      <keyword name="KERNEL_THREATINT_KEYWORD_READVM" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_READVM)" mask="0x2000"/>
  16.      <keyword name="KERNEL_THREATINT_KEYWORD_WRITEVM" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_WRITEVM)" mask="0x4000"/>
  17.      <keyword name="KERNEL_THREATINT_KEYWORD_READWRITEVM_NO_SIGNATURE_RESTRICTION" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_READWRITEVM_NO_SIGNATURE_RESTRICTION)" mask="0x8000"/>
  18.     </keywords>
  19.     <tasks>
            <!-- Task identifiers 1 to 14. In this listing every task value equals the value of the
                 single event that references it. -->
            <!-- NOTE(review): _REMOTE presumably marks an operation against another process and
                 _LOCAL one a process performs on itself. Confirm by comparing the Calling* and
                 Target* process fields in captured events rather than trusting the name alone. -->
  20.      <task name="KERNEL_THREATINT_TASK_ALLOCVM_REMOTE" message="$(string.task_KERNEL_THREATINT_TASK_ALLOCVM_REMOTE)" value="1"/>
  21.      <task name="KERNEL_THREATINT_TASK_PROTECTVM_REMOTE" message="$(string.task_KERNEL_THREATINT_TASK_PROTECTVM_REMOTE)" value="2"/>
  22.      <task name="KERNEL_THREATINT_TASK_MAPVIEW_REMOTE" message="$(string.task_KERNEL_THREATINT_TASK_MAPVIEW_REMOTE)" value="3"/>
  23.      <task name="KERNEL_THREATINT_TASK_QUEUEUSERAPC_REMOTE" message="$(string.task_KERNEL_THREATINT_TASK_QUEUEUSERAPC_REMOTE)" value="4"/>
  24.      <task name="KERNEL_THREATINT_TASK_SETTHREADCONTEXT_REMOTE" message="$(string.task_KERNEL_THREATINT_TASK_SETTHREADCONTEXT_REMOTE)" value="5"/>
  25.      <task name="KERNEL_THREATINT_TASK_ALLOCVM_LOCAL" message="$(string.task_KERNEL_THREATINT_TASK_ALLOCVM_LOCAL)" value="6"/>
  26.      <task name="KERNEL_THREATINT_TASK_PROTECTVM_LOCAL" message="$(string.task_KERNEL_THREATINT_TASK_PROTECTVM_LOCAL)" value="7"/>
  27.      <task name="KERNEL_THREATINT_TASK_MAPVIEW_LOCAL" message="$(string.task_KERNEL_THREATINT_TASK_MAPVIEW_LOCAL)" value="8"/>
  28.      <task name="KERNEL_THREATINT_TASK_QUEUEUSERAPC_LOCAL" message="$(string.task_KERNEL_THREATINT_TASK_QUEUEUSERAPC_LOCAL)" value="9"/>
  29.      <task name="KERNEL_THREATINT_TASK_SETTHREADCONTEXT_LOCAL" message="$(string.task_KERNEL_THREATINT_TASK_SETTHREADCONTEXT_LOCAL)" value="10"/>
  30.      <task name="KERNEL_THREATINT_TASK_READVM_LOCAL" message="$(string.task_KERNEL_THREATINT_TASK_READVM_LOCAL)" value="11"/>
  31.      <task name="KERNEL_THREATINT_TASK_WRITEVM_LOCAL" message="$(string.task_KERNEL_THREATINT_TASK_WRITEVM_LOCAL)" value="12"/>
  32.      <task name="KERNEL_THREATINT_TASK_READVM_REMOTE" message="$(string.task_KERNEL_THREATINT_TASK_READVM_REMOTE)" value="13"/>
  33.      <task name="KERNEL_THREATINT_TASK_WRITEVM_REMOTE" message="$(string.task_KERNEL_THREATINT_TASK_WRITEVM_REMOTE)" value="14"/>
  34.     </tasks>
  35.     <events>
            <!-- Event IDs 1 to 14, all at version 0 and level win:Always, each bound to the task of
                 the same name. -->
            <!-- Templates are shared: events 6 to 10 (_LOCAL) reuse the _REMOTEArgs templates of
                 events 1 to 5, and events 12 to 14 reuse KERNEL_THREATINT_TASK_READVM_LOCALArgs.
                 Six templates therefore describe all fourteen events, and a template name does not
                 tell you whether an event is local or remote, or a read or a write. Decoders and
                 detection rules should key on the event value and version. -->
            <!-- NOTE(review): a version other than 0 seen on a live host would indicate a schema
                 this listing does not cover; re-validate the payload layout in that case. -->
  36.      <event value="1" symbol="KERNEL_THREATINT_TASK_ALLOCVM_REMOTE" version="0" task="KERNEL_THREATINT_TASK_ALLOCVM_REMOTE" level="win:Always" template="KERNEL_THREATINT_TASK_ALLOCVM_REMOTEArgs"/>
  37.      <event value="2" symbol="KERNEL_THREATINT_TASK_PROTECTVM_REMOTE" version="0" task="KERNEL_THREATINT_TASK_PROTECTVM_REMOTE" level="win:Always" template="KERNEL_THREATINT_TASK_PROTECTVM_REMOTEArgs"/>
  38.      <event value="3" symbol="KERNEL_THREATINT_TASK_MAPVIEW_REMOTE" version="0" task="KERNEL_THREATINT_TASK_MAPVIEW_REMOTE" level="win:Always" template="KERNEL_THREATINT_TASK_MAPVIEW_REMOTEArgs"/>
  39.      <event value="4" symbol="KERNEL_THREATINT_TASK_QUEUEUSERAPC_REMOTE" version="0" task="KERNEL_THREATINT_TASK_QUEUEUSERAPC_REMOTE" level="win:Always" template="KERNEL_THREATINT_TASK_QUEUEUSERAPC_REMOTEArgs"/>
  40.      <event value="5" symbol="KERNEL_THREATINT_TASK_SETTHREADCONTEXT_REMOTE" version="0" task="KERNEL_THREATINT_TASK_SETTHREADCONTEXT_REMOTE" level="win:Always" template="KERNEL_THREATINT_TASK_SETTHREADCONTEXT_REMOTEArgs"/>
  41.      <event value="6" symbol="KERNEL_THREATINT_TASK_ALLOCVM_LOCAL" version="0" task="KERNEL_THREATINT_TASK_ALLOCVM_LOCAL" level="win:Always" template="KERNEL_THREATINT_TASK_ALLOCVM_REMOTEArgs"/>
  42.      <event value="7" symbol="KERNEL_THREATINT_TASK_PROTECTVM_LOCAL" version="0" task="KERNEL_THREATINT_TASK_PROTECTVM_LOCAL" level="win:Always" template="KERNEL_THREATINT_TASK_PROTECTVM_REMOTEArgs"/>
  43.      <event value="8" symbol="KERNEL_THREATINT_TASK_MAPVIEW_LOCAL" version="0" task="KERNEL_THREATINT_TASK_MAPVIEW_LOCAL" level="win:Always" template="KERNEL_THREATINT_TASK_MAPVIEW_REMOTEArgs"/>
  44.      <event value="9" symbol="KERNEL_THREATINT_TASK_QUEUEUSERAPC_LOCAL" version="0" task="KERNEL_THREATINT_TASK_QUEUEUSERAPC_LOCAL" level="win:Always" template="KERNEL_THREATINT_TASK_QUEUEUSERAPC_REMOTEArgs"/>
  45.      <event value="10" symbol="KERNEL_THREATINT_TASK_SETTHREADCONTEXT_LOCAL" version="0" task="KERNEL_THREATINT_TASK_SETTHREADCONTEXT_LOCAL" level="win:Always" template="KERNEL_THREATINT_TASK_SETTHREADCONTEXT_REMOTEArgs"/>
  46.      <event value="11" symbol="KERNEL_THREATINT_TASK_READVM_LOCAL" version="0" task="KERNEL_THREATINT_TASK_READVM_LOCAL" level="win:Always" template="KERNEL_THREATINT_TASK_READVM_LOCALArgs"/>
  47.      <event value="12" symbol="KERNEL_THREATINT_TASK_WRITEVM_LOCAL" version="0" task="KERNEL_THREATINT_TASK_WRITEVM_LOCAL" level="win:Always" template="KERNEL_THREATINT_TASK_READVM_LOCALArgs"/>
  48.      <event value="13" symbol="KERNEL_THREATINT_TASK_READVM_REMOTE" version="0" task="KERNEL_THREATINT_TASK_READVM_REMOTE" level="win:Always" template="KERNEL_THREATINT_TASK_READVM_LOCALArgs"/>
  49.      <event value="14" symbol="KERNEL_THREATINT_TASK_WRITEVM_REMOTE" version="0" task="KERNEL_THREATINT_TASK_WRITEVM_REMOTE" level="win:Always" template="KERNEL_THREATINT_TASK_READVM_LOCALArgs"/>
  50.     </events>
  51.     <templates>
  52.      <template tid="KERNEL_THREATINT_TASK_ALLOCVM_REMOTEArgs">
             <!-- Payload layout referenced by events 1 (ALLOCVM_REMOTE) and 6 (ALLOCVM_LOCAL).
                  The first 14 fields identify the calling process and thread and the target
                  process; the last four describe the allocation. -->
             <!-- When correlating with other telemetry, pair each ProcessId with its CreateTime or
                  StartKey: the manifest supplies all three, and a process ID on its own can be
                  reused by the OS over time. -->
             <!-- win:Pointer fields (BaseAddress, RegionSize) are pointer-sized, so their width in
                  the payload follows the bitness recorded in the event header. -->
             <!-- NOTE(review): the SignatureLevel / Protection bytes and the AllocationType /
                  ProtectionMask values are presumably the kernel's signing-level, protected-process
                  and MEM_* / PAGE_* encodings; the manifest gives no value maps, so confirm. -->
  53.       <data name="CallingProcessId" inType="win:UInt32"/>
  54.       <data name="CallingProcessCreateTime" inType="win:FILETIME"/>
  55.       <data name="CallingProcessStartKey" inType="win:UInt64"/>
  56.       <data name="CallingProcessSignatureLevel" inType="win:UInt8"/>
  57.       <data name="CallingProcessSectionSignatureLevel" inType="win:UInt8"/>
  58.       <data name="CallingProcessProtection" inType="win:UInt8"/>
  59.       <data name="CallingThreadId" inType="win:UInt32"/>
  60.       <data name="CallingThreadCreateTime" inType="win:FILETIME"/>
  61.       <data name="TargetProcessId" inType="win:UInt32"/>
  62.       <data name="TargetProcessCreateTime" inType="win:FILETIME"/>
  63.       <data name="TargetProcessStartKey" inType="win:UInt64"/>
  64.       <data name="TargetProcessSignatureLevel" inType="win:UInt8"/>
  65.       <data name="TargetProcessSectionSignatureLevel" inType="win:UInt8"/>
  66.       <data name="TargetProcessProtection" inType="win:UInt8"/>
  67.       <data name="BaseAddress" inType="win:Pointer"/>
  68.       <data name="RegionSize" inType="win:Pointer"/>
  69.       <data name="AllocationType" inType="win:UInt32"/>
  70.       <data name="ProtectionMask" inType="win:UInt32"/>
  71.      </template>
  72.      <template tid="KERNEL_THREATINT_TASK_PROTECTVM_REMOTEArgs">
             <!-- Payload layout referenced by events 2 (PROTECTVM_REMOTE) and 7 (PROTECTVM_LOCAL).
                  Same 14 caller / target identity fields as the ALLOCVM template, followed by the
                  region and two protection values. -->
             <!-- NOTE(review): ProtectionMask and LastProtectionMask are presumably the new and the
                  previous page protection. If so, comparing them is what lets a rule spot a region
                  becoming executable; confirm the order against captured events. -->
  73.       <data name="CallingProcessId" inType="win:UInt32"/>
  74.       <data name="CallingProcessCreateTime" inType="win:FILETIME"/>
  75.       <data name="CallingProcessStartKey" inType="win:UInt64"/>
  76.       <data name="CallingProcessSignatureLevel" inType="win:UInt8"/>
  77.       <data name="CallingProcessSectionSignatureLevel" inType="win:UInt8"/>
  78.       <data name="CallingProcessProtection" inType="win:UInt8"/>
  79.       <data name="CallingThreadId" inType="win:UInt32"/>
  80.       <data name="CallingThreadCreateTime" inType="win:FILETIME"/>
  81.       <data name="TargetProcessId" inType="win:UInt32"/>
  82.       <data name="TargetProcessCreateTime" inType="win:FILETIME"/>
  83.       <data name="TargetProcessStartKey" inType="win:UInt64"/>
  84.       <data name="TargetProcessSignatureLevel" inType="win:UInt8"/>
  85.       <data name="TargetProcessSectionSignatureLevel" inType="win:UInt8"/>
  86.       <data name="TargetProcessProtection" inType="win:UInt8"/>
  87.       <data name="BaseAddress" inType="win:Pointer"/>
  88.       <data name="RegionSize" inType="win:Pointer"/>
  89.       <data name="ProtectionMask" inType="win:UInt32"/>
  90.       <data name="LastProtectionMask" inType="win:UInt32"/>
  91.      </template>
  92.      <template tid="KERNEL_THREATINT_TASK_MAPVIEW_REMOTEArgs">
             <!-- Payload layout referenced by events 3 (MAPVIEW_REMOTE) and 8 (MAPVIEW_LOCAL).
                  Field-for-field the same shape as the ALLOCVM template except that the size field
                  is named ViewSize instead of RegionSize. -->
             <!-- BaseAddress and ViewSize are win:Pointer, so their width follows the bitness
                  recorded in the event header. -->
  93.       <data name="CallingProcessId" inType="win:UInt32"/>
  94.       <data name="CallingProcessCreateTime" inType="win:FILETIME"/>
  95.       <data name="CallingProcessStartKey" inType="win:UInt64"/>
  96.       <data name="CallingProcessSignatureLevel" inType="win:UInt8"/>
  97.       <data name="CallingProcessSectionSignatureLevel" inType="win:UInt8"/>
  98.       <data name="CallingProcessProtection" inType="win:UInt8"/>
  99.       <data name="CallingThreadId" inType="win:UInt32"/>
  100.       <data name="CallingThreadCreateTime" inType="win:FILETIME"/>
  101.       <data name="TargetProcessId" inType="win:UInt32"/>
  102.       <data name="TargetProcessCreateTime" inType="win:FILETIME"/>
  103.       <data name="TargetProcessStartKey" inType="win:UInt64"/>
  104.       <data name="TargetProcessSignatureLevel" inType="win:UInt8"/>
  105.       <data name="TargetProcessSectionSignatureLevel" inType="win:UInt8"/>
  106.       <data name="TargetProcessProtection" inType="win:UInt8"/>
  107.       <data name="BaseAddress" inType="win:Pointer"/>
  108.       <data name="ViewSize" inType="win:Pointer"/>
  109.       <data name="AllocationType" inType="win:UInt32"/>
  110.       <data name="ProtectionMask" inType="win:UInt32"/>
  111.      </template>
  112.      <template tid="KERNEL_THREATINT_TASK_QUEUEUSERAPC_REMOTEArgs">
              <!-- Payload layout referenced by events 4 (QUEUEUSERAPC_REMOTE) and 9
                   (QUEUEUSERAPC_LOCAL). -->
              <!-- Unlike the ALLOCVM / PROTECTVM / MAPVIEW templates, this one starts with a UInt32
                   OperationStatus, so the Calling* fields sit four bytes later. A decoder must not
                   assume one fixed header across all events of this provider. -->
              <!-- ApcRoutineVadMmfName is a win:UnicodeString with no length attribute, placed in
                   the middle of the payload: every field after it is at a variable offset and has
                   to be located by walking the string, with bounds checks against the payload size. -->
              <!-- NOTE(review): the ApcRoutineVad* and ApcArgument1Vad* groups presumably describe
                   the memory region (VAD) that contains ApcRoutine and ApcArgument1, with
                   *VadQueryResult indicating whether that lookup succeeded. Confirm before treating
                   the remaining Vad fields as valid when the query result signals failure. -->
  113.       <data name="OperationStatus" inType="win:UInt32"/>
  114.       <data name="CallingProcessId" inType="win:UInt32"/>
  115.       <data name="CallingProcessCreateTime" inType="win:FILETIME"/>
  116.       <data name="CallingProcessStartKey" inType="win:UInt64"/>
  117.       <data name="CallingProcessSignatureLevel" inType="win:UInt8"/>
  118.       <data name="CallingProcessSectionSignatureLevel" inType="win:UInt8"/>
  119.       <data name="CallingProcessProtection" inType="win:UInt8"/>
  120.       <data name="CallingThreadId" inType="win:UInt32"/>
  121.       <data name="CallingThreadCreateTime" inType="win:FILETIME"/>
  122.       <data name="TargetProcessId" inType="win:UInt32"/>
  123.       <data name="TargetProcessCreateTime" inType="win:FILETIME"/>
  124.       <data name="TargetProcessStartKey" inType="win:UInt64"/>
  125.       <data name="TargetProcessSignatureLevel" inType="win:UInt8"/>
  126.       <data name="TargetProcessSectionSignatureLevel" inType="win:UInt8"/>
  127.       <data name="TargetProcessProtection" inType="win:UInt8"/>
  128.       <data name="TargetThreadId" inType="win:UInt32"/>
  129.       <data name="TargetThreadCreateTime" inType="win:FILETIME"/>
  130.       <data name="ApcRoutine" inType="win:Pointer"/>
  131.       <data name="ApcArgument1" inType="win:Pointer"/>
  132.       <data name="ApcArgument2" inType="win:Pointer"/>
  133.       <data name="ApcArgument3" inType="win:Pointer"/>
  134.       <data name="ApcRoutineVadQueryResult" inType="win:UInt32"/>
  135.       <data name="ApcRoutineVadAllocationBase" inType="win:Pointer"/>
  136.       <data name="ApcRoutineVadAllocationProtect" inType="win:UInt32"/>
  137.       <data name="ApcRoutineVadRegionType" inType="win:UInt32"/>
  138.       <data name="ApcRoutineVadRegionSize" inType="win:Pointer"/>
  139.       <data name="ApcRoutineVadCommitSize" inType="win:Pointer"/>
  140.       <data name="ApcRoutineVadMmfName" inType="win:UnicodeString"/>
  141.       <data name="ApcArgument1VadQueryResult" inType="win:UInt32"/>
  142.       <data name="ApcArgument1VadAllocationBase" inType="win:Pointer"/>
  143.       <data name="ApcArgument1VadAllocationProtect" inType="win:UInt32"/>
  144.       <data name="ApcArgument1VadRegionType" inType="win:UInt32"/>
  145.       <data name="ApcArgument1VadRegionSize" inType="win:Pointer"/>
  146.       <data name="ApcArgument1VadCommitSize" inType="win:Pointer"/>
  147.       <data name="ApcArgument1VadMmfName" inType="win:UnicodeString"/>
  148.      </template>
  149.      <template tid="KERNEL_THREATINT_TASK_SETTHREADCONTEXT_REMOTEArgs">
              <!-- Payload layout referenced by events 5 (SETTHREADCONTEXT_REMOTE) and 10
                   (SETTHREADCONTEXT_LOCAL). Starts with OperationStatus, then caller / target
                   process and thread identity, a ContextMask, twelve pointer-sized register
                   values and a PcVad* group that ends in a win:UnicodeString. -->
              <!-- NOTE(review): the register fields use generic names (Pc, Sp, Lr, Fp, Reg0 to
                   Reg7); the manifest does not say how they map onto a given CPU architecture's
                   registers, nor what the ContextMask bits mean. Establish both per architecture
                   before writing rules on register contents. -->
              <!-- NOTE(review): the PcVad* fields presumably describe the memory region that
                   contains the new Pc, which is what would let a rule distinguish an
                   image-backed target from private or unnamed mapped memory. Confirm, and check
                   PcVadQueryResult before trusting the other PcVad fields. -->
  150.       <data name="OperationStatus" inType="win:UInt32"/>
  151.       <data name="CallingProcessId" inType="win:UInt32"/>
  152.       <data name="CallingProcessCreateTime" inType="win:FILETIME"/>
  153.       <data name="CallingProcessStartKey" inType="win:UInt64"/>
  154.       <data name="CallingProcessSignatureLevel" inType="win:UInt8"/>
  155.       <data name="CallingProcessSectionSignatureLevel" inType="win:UInt8"/>
  156.       <data name="CallingProcessProtection" inType="win:UInt8"/>
  157.       <data name="CallingThreadId" inType="win:UInt32"/>
  158.       <data name="CallingThreadCreateTime" inType="win:FILETIME"/>
  159.       <data name="TargetProcessId" inType="win:UInt32"/>
  160.       <data name="TargetProcessCreateTime" inType="win:FILETIME"/>
  161.       <data name="TargetProcessStartKey" inType="win:UInt64"/>
  162.       <data name="TargetProcessSignatureLevel" inType="win:UInt8"/>
  163.       <data name="TargetProcessSectionSignatureLevel" inType="win:UInt8"/>
  164.       <data name="TargetProcessProtection" inType="win:UInt8"/>
  165.       <data name="TargetThreadId" inType="win:UInt32"/>
  166.       <data name="TargetThreadCreateTime" inType="win:FILETIME"/>
  167.       <data name="ContextMask" inType="win:UInt16"/>
  168.       <data name="Pc" inType="win:Pointer"/>
  169.       <data name="Sp" inType="win:Pointer"/>
  170.       <data name="Lr" inType="win:Pointer"/>
  171.       <data name="Fp" inType="win:Pointer"/>
  172.       <data name="Reg0" inType="win:Pointer"/>
  173.       <data name="Reg1" inType="win:Pointer"/>
  174.       <data name="Reg2" inType="win:Pointer"/>
  175.       <data name="Reg3" inType="win:Pointer"/>
  176.       <data name="Reg4" inType="win:Pointer"/>
  177.       <data name="Reg5" inType="win:Pointer"/>
  178.       <data name="Reg6" inType="win:Pointer"/>
  179.       <data name="Reg7" inType="win:Pointer"/>
  180.       <data name="PcVadQueryResult" inType="win:UInt32"/>
  181.       <data name="PcVadAllocationBase" inType="win:Pointer"/>
  182.       <data name="PcVadAllocationProtect" inType="win:UInt32"/>
  183.       <data name="PcVadRegionType" inType="win:UInt32"/>
  184.       <data name="PcVadRegionSize" inType="win:Pointer"/>
  185.       <data name="PcVadCommitSize" inType="win:Pointer"/>
  186.       <data name="PcVadMmfName" inType="win:UnicodeString"/>
  187.      </template>
  188.      <template tid="KERNEL_THREATINT_TASK_READVM_LOCALArgs">
              <!-- Payload layout referenced by all four read / write events in this listing:
                   11 (READVM_LOCAL), 12 (WRITEVM_LOCAL), 13 (READVM_REMOTE) and 14 (WRITEVM_REMOTE).
                   Despite the tid, it is neither read-only nor local-only; the event value carries
                   that distinction. -->
              <!-- Starts with OperationStatus, then the 14 caller / target identity fields, then the
                   address touched and the byte count. BytesCopied is declared win:Pointer, so its
                   width follows the bitness recorded in the event header. -->
              <!-- NOTE(review): OperationStatus is presumably the status code of the operation;
                   if so, failed attempts are reported too and rules should decide explicitly
                   whether to include them. Confirm against captured events. -->
  189.       <data name="OperationStatus" inType="win:UInt32"/>
  190.       <data name="CallingProcessId" inType="win:UInt32"/>
  191.       <data name="CallingProcessCreateTime" inType="win:FILETIME"/>
  192.       <data name="CallingProcessStartKey" inType="win:UInt64"/>
  193.       <data name="CallingProcessSignatureLevel" inType="win:UInt8"/>
  194.       <data name="CallingProcessSectionSignatureLevel" inType="win:UInt8"/>
  195.       <data name="CallingProcessProtection" inType="win:UInt8"/>
  196.       <data name="CallingThreadId" inType="win:UInt32"/>
  197.       <data name="CallingThreadCreateTime" inType="win:FILETIME"/>
  198.       <data name="TargetProcessId" inType="win:UInt32"/>
  199.       <data name="TargetProcessCreateTime" inType="win:FILETIME"/>
  200.       <data name="TargetProcessStartKey" inType="win:UInt64"/>
  201.       <data name="TargetProcessSignatureLevel" inType="win:UInt8"/>
  202.       <data name="TargetProcessSectionSignatureLevel" inType="win:UInt8"/>
  203.       <data name="TargetProcessProtection" inType="win:UInt8"/>
  204.       <data name="BaseAddress" inType="win:Pointer"/>
  205.       <data name="BytesCopied" inType="win:Pointer"/>
  206.      </template>
  207.     </templates>
  208.    </provider>
  209.   </events>
  210.  </instrumentation>
  211.  <localization>
          <!-- en-US string table backing the $(string.…) message references on the keyword and
               task elements. Every value here simply repeats the symbol name from its id (minus
               the keyword_ / task_ prefix), so rendered events show raw identifiers, not
               descriptive text. No event message strings are defined. -->
  212.   <resources culture="en-US">
  213.    <stringTable>
  214.     <string id="keyword_KERNEL_THREATINT_KEYWORD_ALLOCVM" value="KERNEL_THREATINT_KEYWORD_ALLOCVM"/>
  215.     <string id="keyword_KERNEL_THREATINT_KEYWORD_PROTECTVM" value="KERNEL_THREATINT_KEYWORD_PROTECTVM"/>
  216.     <string id="keyword_KERNEL_THREATINT_KEYWORD_MAPVIEW" value="KERNEL_THREATINT_KEYWORD_MAPVIEW"/>
  217.     <string id="keyword_KERNEL_THREATINT_KEYWORD_QUEUEUSERAPC" value="KERNEL_THREATINT_KEYWORD_QUEUEUSERAPC"/>
  218.     <string id="keyword_KERNEL_THREATINT_KEYWORD_SETTHREADCONTEXT" value="KERNEL_THREATINT_KEYWORD_SETTHREADCONTEXT"/>
  219.     <string id="keyword_KERNEL_THREATINT_KEYWORD_LOCAL_CALLS" value="KERNEL_THREATINT_KEYWORD_LOCAL_CALLS"/>
  220.     <string id="keyword_KERNEL_THREATINT_KEYWORD_CONTEXT_PARSE" value="KERNEL_THREATINT_KEYWORD_CONTEXT_PARSE"/>
  221.     <string id="keyword_KERNEL_THREATINT_KEYWORD_EXECUTION_ADDRESS_VAD_PROBE" value="KERNEL_THREATINT_KEYWORD_EXECUTION_ADDRESS_VAD_PROBE"/>
  222.     <string id="keyword_KERNEL_THREATINT_KEYWORD_EXECUTION_ADDRESS_MMF_NAME_PROBE" value="KERNEL_THREATINT_KEYWORD_EXECUTION_ADDRESS_MMF_NAME_PROBE"/>
  223.     <string id="keyword_KERNEL_THREATINT_KEYWORD_READVM" value="KERNEL_THREATINT_KEYWORD_READVM"/>
  224.     <string id="keyword_KERNEL_THREATINT_KEYWORD_WRITEVM" value="KERNEL_THREATINT_KEYWORD_WRITEVM"/>
  225.     <string id="keyword_KERNEL_THREATINT_KEYWORD_READWRITEVM_NO_SIGNATURE_RESTRICTION" value="KERNEL_THREATINT_KEYWORD_READWRITEVM_NO_SIGNATURE_RESTRICTION"/>
  226.     <string id="task_KERNEL_THREATINT_TASK_ALLOCVM_REMOTE" value="KERNEL_THREATINT_TASK_ALLOCVM_REMOTE"/>
  227.     <string id="task_KERNEL_THREATINT_TASK_PROTECTVM_REMOTE" value="KERNEL_THREATINT_TASK_PROTECTVM_REMOTE"/>
  228.     <string id="task_KERNEL_THREATINT_TASK_MAPVIEW_REMOTE" value="KERNEL_THREATINT_TASK_MAPVIEW_REMOTE"/>
  229.     <string id="task_KERNEL_THREATINT_TASK_QUEUEUSERAPC_REMOTE" value="KERNEL_THREATINT_TASK_QUEUEUSERAPC_REMOTE"/>
  230.     <string id="task_KERNEL_THREATINT_TASK_SETTHREADCONTEXT_REMOTE" value="KERNEL_THREATINT_TASK_SETTHREADCONTEXT_REMOTE"/>
  231.     <string id="task_KERNEL_THREATINT_TASK_ALLOCVM_LOCAL" value="KERNEL_THREATINT_TASK_ALLOCVM_LOCAL"/>
  232.     <string id="task_KERNEL_THREATINT_TASK_PROTECTVM_LOCAL" value="KERNEL_THREATINT_TASK_PROTECTVM_LOCAL"/>
  233.     <string id="task_KERNEL_THREATINT_TASK_MAPVIEW_LOCAL" value="KERNEL_THREATINT_TASK_MAPVIEW_LOCAL"/>
  234.     <string id="task_KERNEL_THREATINT_TASK_QUEUEUSERAPC_LOCAL" value="KERNEL_THREATINT_TASK_QUEUEUSERAPC_LOCAL"/>
  235.     <string id="task_KERNEL_THREATINT_TASK_SETTHREADCONTEXT_LOCAL" value="KERNEL_THREATINT_TASK_SETTHREADCONTEXT_LOCAL"/>
  236.     <string id="task_KERNEL_THREATINT_TASK_READVM_LOCAL" value="KERNEL_THREATINT_TASK_READVM_LOCAL"/>
  237.     <string id="task_KERNEL_THREATINT_TASK_WRITEVM_LOCAL" value="KERNEL_THREATINT_TASK_WRITEVM_LOCAL"/>
  238.     <string id="task_KERNEL_THREATINT_TASK_READVM_REMOTE" value="KERNEL_THREATINT_TASK_READVM_REMOTE"/>
  239.     <string id="task_KERNEL_THREATINT_TASK_WRITEVM_REMOTE" value="KERNEL_THREATINT_TASK_WRITEVM_REMOTE"/>
  240.    </stringTable>
  241.   </resources>
  242.  </localization>
  243. </instrumentationManifest>