Build your own EMET

a guest
Sep 26th, 2017
  1. <instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events">
  2.  <instrumentation xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">
  3.   <events>
  4.    <provider name="Microsoft-Windows-Security-Mitigations" guid="{fae10392-f0af-4ac0-b8ff-9f4d920c3cdf}" resourceFileName="Microsoft-Windows-Security-Mitigations" messageFileName="Microsoft-Windows-Security-Mitigations" symbol="MicrosoftWindowsSecurityMitigations" source="Xml" >
  5.     <keywords>
  6.     </keywords>
  7.     <tasks>
  8.      <task name="KERNEL_MITIGATION_TASK_PROHIBIT_DYNAMIC_CODE" message="$(string.task_KERNEL_MITIGATION_TASK_PROHIBIT_DYNAMIC_CODE)" value="1"/>
  9.      <task name="KERNEL_MITIGATION_TASK_PROHIBIT_CHILD_PROCESS_CREATION" message="$(string.task_KERNEL_MITIGATION_TASK_PROHIBIT_CHILD_PROCESS_CREATION)" value="2"/>
  10.      <task name="KERNEL_MITIGATION_TASK_PROHIBIT_REMOTE_IMAGE_MAP" message="$(string.task_KERNEL_MITIGATION_TASK_PROHIBIT_REMOTE_IMAGE_MAP)" value="3"/>
  11.      <task name="KERNEL_MITIGATION_TASK_PROHIBIT_LOWIL_IMAGE_MAP" message="$(string.task_KERNEL_MITIGATION_TASK_PROHIBIT_LOWIL_IMAGE_MAP)" value="4"/>
  12.      <task name="KERNEL_MITIGATION_TASK_PROHIBIT_WIN32K_SYSTEM_CALLS" message="$(string.task_KERNEL_MITIGATION_TASK_PROHIBIT_WIN32K_SYSTEM_CALLS)" value="5"/>
  13.      <task name="KERNEL_MITIGATION_TASK_PROHIBIT_NON_MICROSOFT_BINARIES" message="$(string.task_KERNEL_MITIGATION_TASK_PROHIBIT_NON_MICROSOFT_BINARIES)" value="6"/>
  14.      <task name="USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTER" message="$(string.task_USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTER)" value="7"/>
  15.      <task name="USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTER_PLUS" message="$(string.task_USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTER_PLUS)" value="8"/>
  16.      <task name="USER_MITIGATION_TASK_IMPORT_ADDRESS_FILTER" message="$(string.task_USER_MITIGATION_TASK_IMPORT_ADDRESS_FILTER)" value="9"/>
  17.      <task name="USER_MITIGATION_TASK_ROP_STACKPIVOT" message="$(string.task_USER_MITIGATION_TASK_ROP_STACKPIVOT)" value="10"/>
  18.      <task name="USER_MITIGATION_TASK_ROP_CALLERCHECK" message="$(string.task_USER_MITIGATION_TASK_ROP_CALLERCHECK)" value="11"/>
  19.      <task name="USER_MITIGATION_TASK_ROP_SIMEXEC" message="$(string.task_USER_MITIGATION_TASK_ROP_SIMEXEC)" value="12"/>
  20.     </tasks>
  21.     <events>
  22.      <event value="1" symbol="KERNEL_MITIGATION_TASK_PROHIBIT_DYNAMIC_CODE" version="0" task="KERNEL_MITIGATION_TASK_PROHIBIT_DYNAMIC_CODE" level="win:Always" template="KERNEL_MITIGATION_TASK_PROHIBIT_DYNAMIC_CODEArgs"/>
  23.      <event value="2" symbol="KERNEL_MITIGATION_TASK_PROHIBIT_DYNAMIC_CODE2" version="0" task="KERNEL_MITIGATION_TASK_PROHIBIT_DYNAMIC_CODE" level="win:Warning" template="KERNEL_MITIGATION_TASK_PROHIBIT_DYNAMIC_CODEArgs"/>
  24.      <event value="3" symbol="KERNEL_MITIGATION_TASK_PROHIBIT_CHILD_PROCESS_CREATION" version="0" task="KERNEL_MITIGATION_TASK_PROHIBIT_CHILD_PROCESS_CREATION" level="win:Always" template="KERNEL_MITIGATION_TASK_PROHIBIT_CHILD_PROCESS_CREATIONArgs"/>
  25.      <event value="4" symbol="KERNEL_MITIGATION_TASK_PROHIBIT_CHILD_PROCESS_CREATION4" version="0" task="KERNEL_MITIGATION_TASK_PROHIBIT_CHILD_PROCESS_CREATION" level="win:Warning" template="KERNEL_MITIGATION_TASK_PROHIBIT_CHILD_PROCESS_CREATIONArgs"/>
  26.      <event value="5" symbol="KERNEL_MITIGATION_TASK_PROHIBIT_LOWIL_IMAGE_MAP" version="0" task="KERNEL_MITIGATION_TASK_PROHIBIT_LOWIL_IMAGE_MAP" level="win:Always" template="KERNEL_MITIGATION_TASK_PROHIBIT_LOWIL_IMAGE_MAPArgs"/>
  27.      <event value="6" symbol="KERNEL_MITIGATION_TASK_PROHIBIT_LOWIL_IMAGE_MAP6" version="0" task="KERNEL_MITIGATION_TASK_PROHIBIT_LOWIL_IMAGE_MAP" level="win:Warning" template="KERNEL_MITIGATION_TASK_PROHIBIT_LOWIL_IMAGE_MAPArgs"/>
  28.      <event value="7" symbol="KERNEL_MITIGATION_TASK_PROHIBIT_REMOTE_IMAGE_MAP" version="0" task="KERNEL_MITIGATION_TASK_PROHIBIT_REMOTE_IMAGE_MAP" level="win:Always" template="KERNEL_MITIGATION_TASK_PROHIBIT_DYNAMIC_CODEArgs"/>
  29.      <event value="8" symbol="KERNEL_MITIGATION_TASK_PROHIBIT_REMOTE_IMAGE_MAP8" version="0" task="KERNEL_MITIGATION_TASK_PROHIBIT_REMOTE_IMAGE_MAP" level="win:Warning" template="KERNEL_MITIGATION_TASK_PROHIBIT_DYNAMIC_CODEArgs"/>
  30.      <event value="9" symbol="KERNEL_MITIGATION_TASK_PROHIBIT_WIN32K_SYSTEM_CALLS" version="0" task="KERNEL_MITIGATION_TASK_PROHIBIT_WIN32K_SYSTEM_CALLS" level="win:Always" template="KERNEL_MITIGATION_TASK_PROHIBIT_DYNAMIC_CODEArgs"/>
  31.      <event value="10" symbol="KERNEL_MITIGATION_TASK_PROHIBIT_WIN32K_SYSTEM_CALLS10" version="0" task="KERNEL_MITIGATION_TASK_PROHIBIT_WIN32K_SYSTEM_CALLS" level="win:Warning" template="KERNEL_MITIGATION_TASK_PROHIBIT_DYNAMIC_CODEArgs"/>
  32.      <event value="11" symbol="KERNEL_MITIGATION_TASK_PROHIBIT_NON_MICROSOFT_BINARIES" version="0" task="KERNEL_MITIGATION_TASK_PROHIBIT_NON_MICROSOFT_BINARIES" level="win:Always" template="KERNEL_MITIGATION_TASK_PROHIBIT_NON_MICROSOFT_BINARIESArgs"/>
  33.      <event value="12" symbol="KERNEL_MITIGATION_TASK_PROHIBIT_NON_MICROSOFT_BINARIES12" version="0" task="KERNEL_MITIGATION_TASK_PROHIBIT_NON_MICROSOFT_BINARIES" level="win:Warning" template="KERNEL_MITIGATION_TASK_PROHIBIT_NON_MICROSOFT_BINARIESArgs"/>
  34.      <event value="13" symbol="USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTER" version="0" task="USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTER" level="win:Always" template="USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTERArgs"/>
  35.      <event value="14" symbol="USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTER14" version="0" task="USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTER" level="win:Warning" template="USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTERArgs"/>
  36.      <event value="15" symbol="USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTER_PLUS" version="0" task="USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTER_PLUS" level="win:Always" template="USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTERArgs"/>
  37.      <event value="16" symbol="USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTER_PLUS16" version="0" task="USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTER_PLUS" level="win:Warning" template="USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTERArgs"/>
  38.      <event value="17" symbol="USER_MITIGATION_TASK_IMPORT_ADDRESS_FILTER" version="0" task="USER_MITIGATION_TASK_IMPORT_ADDRESS_FILTER" level="win:Always" template="USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTERArgs"/>
  39.      <event value="18" symbol="USER_MITIGATION_TASK_IMPORT_ADDRESS_FILTER18" version="0" task="USER_MITIGATION_TASK_IMPORT_ADDRESS_FILTER" level="win:Warning" template="USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTERArgs"/>
  40.      <event value="19" symbol="USER_MITIGATION_TASK_ROP_STACKPIVOT" version="0" task="USER_MITIGATION_TASK_ROP_STACKPIVOT" level="win:Always" template="USER_MITIGATION_TASK_ROP_STACKPIVOTArgs"/>
  41.      <event value="20" symbol="USER_MITIGATION_TASK_ROP_STACKPIVOT20" version="0" task="USER_MITIGATION_TASK_ROP_STACKPIVOT" level="win:Warning" template="USER_MITIGATION_TASK_ROP_STACKPIVOTArgs"/>
  42.      <event value="21" symbol="USER_MITIGATION_TASK_ROP_CALLERCHECK" version="0" task="USER_MITIGATION_TASK_ROP_CALLERCHECK" level="win:Always" template="USER_MITIGATION_TASK_ROP_STACKPIVOTArgs"/>
  43.      <event value="22" symbol="USER_MITIGATION_TASK_ROP_CALLERCHECK22" version="0" task="USER_MITIGATION_TASK_ROP_CALLERCHECK" level="win:Warning" template="USER_MITIGATION_TASK_ROP_STACKPIVOTArgs"/>
  44.      <event value="23" symbol="USER_MITIGATION_TASK_ROP_SIMEXEC" version="0" task="USER_MITIGATION_TASK_ROP_SIMEXEC" level="win:Always" template="USER_MITIGATION_TASK_ROP_STACKPIVOTArgs"/>
  45.      <event value="24" symbol="USER_MITIGATION_TASK_ROP_SIMEXEC24" version="0" task="USER_MITIGATION_TASK_ROP_SIMEXEC" level="win:Warning" template="USER_MITIGATION_TASK_ROP_STACKPIVOTArgs"/>
  46.     </events>
  47.     <templates>
  48.      <template tid="KERNEL_MITIGATION_TASK_PROHIBIT_DYNAMIC_CODEArgs">
  49.       <data name="ProcessPathLength" inType="win:UInt16"/>
  50.       <data name="ProcessPath" inType="win:UnicodeString" length="ProcessPathLength"/>
  51.       <data name="ProcessCommandLineLength" inType="win:UInt16"/>
  52.       <data name="ProcessCommandLine" inType="win:UnicodeString" length="ProcessCommandLineLength"/>
  53.       <data name="CallingProcessId" inType="win:UInt32"/>
  54.       <data name="CallingProcessCreateTime" inType="win:FILETIME"/>
  55.       <data name="CallingProcessStartKey" inType="win:UInt64"/>
  56.       <data name="CallingProcessSignatureLevel" inType="win:UInt8"/>
  57.       <data name="CallingProcessSectionSignatureLevel" inType="win:UInt8"/>
  58.       <data name="CallingProcessProtection" inType="win:UInt8"/>
  59.       <data name="CallingThreadId" inType="win:UInt32"/>
  60.       <data name="CallingThreadCreateTime" inType="win:FILETIME"/>
  61.      </template>
  62.      <template tid="KERNEL_MITIGATION_TASK_PROHIBIT_CHILD_PROCESS_CREATIONArgs">
  63.       <data name="ProcessPathLength" inType="win:UInt16"/>
  64.       <data name="ProcessPath" inType="win:UnicodeString" length="ProcessPathLength"/>
  65.       <data name="ProcessCommandLineLength" inType="win:UInt16"/>
  66.       <data name="ProcessCommandLine" inType="win:UnicodeString" length="ProcessCommandLineLength"/>
  67.       <data name="CallingProcessId" inType="win:UInt32"/>
  68.       <data name="CallingProcessCreateTime" inType="win:FILETIME"/>
  69.       <data name="CallingProcessStartKey" inType="win:UInt64"/>
  70.       <data name="CallingProcessSignatureLevel" inType="win:UInt8"/>
  71.       <data name="CallingProcessSectionSignatureLevel" inType="win:UInt8"/>
  72.       <data name="CallingProcessProtection" inType="win:UInt8"/>
  73.       <data name="CallingThreadId" inType="win:UInt32"/>
  74.       <data name="CallingThreadCreateTime" inType="win:FILETIME"/>
  75.       <data name="ChildImagePathNameLength" inType="win:UInt16"/>
  76.       <data name="ChildImagePathName" inType="win:UnicodeString" length="ChildImagePathNameLength"/>
  77.       <data name="ChildCommandLineLength" inType="win:UInt16"/>
  78.       <data name="ChildCommandLine" inType="win:UnicodeString" length="ChildCommandLineLength"/>
  79.      </template>
  80.      <template tid="KERNEL_MITIGATION_TASK_PROHIBIT_LOWIL_IMAGE_MAPArgs">
  81.       <data name="ProcessPathLength" inType="win:UInt16"/>
  82.       <data name="ProcessPath" inType="win:UnicodeString" length="ProcessPathLength"/>
  83.       <data name="ProcessCommandLineLength" inType="win:UInt16"/>
  84.       <data name="ProcessCommandLine" inType="win:UnicodeString" length="ProcessCommandLineLength"/>
  85.       <data name="ProcessId" inType="win:UInt32"/>
  86.       <data name="ProcessCreateTime" inType="win:FILETIME"/>
  87.       <data name="ProcessStartKey" inType="win:UInt64"/>
  88.       <data name="ProcessSignatureLevel" inType="win:UInt8"/>
  89.       <data name="ProcessSectionSignatureLevel" inType="win:UInt8"/>
  90.       <data name="ProcessProtection" inType="win:UInt8"/>
  91.       <data name="TargetThreadId" inType="win:UInt32"/>
  92.       <data name="TargetThreadCreateTime" inType="win:FILETIME"/>
  93.       <data name="ImageNameLength" inType="win:UInt16"/>
  94.       <data name="ImageName" inType="win:UnicodeString" length="ImageNameLength"/>
  95.      </template>
  96.      <template tid="KERNEL_MITIGATION_TASK_PROHIBIT_NON_MICROSOFT_BINARIESArgs">
  97.       <data name="ProcessPathLength" inType="win:UInt16"/>
  98.       <data name="ProcessPath" inType="win:UnicodeString" length="ProcessPathLength"/>
  99.       <data name="ProcessCommandLineLength" inType="win:UInt16"/>
  100.       <data name="ProcessCommandLine" inType="win:UnicodeString" length="ProcessCommandLineLength"/>
  101.       <data name="ProcessId" inType="win:UInt32"/>
  102.       <data name="ProcessCreateTime" inType="win:FILETIME"/>
  103.       <data name="ProcessStartKey" inType="win:UInt64"/>
  104.       <data name="ProcessSignatureLevel" inType="win:UInt8"/>
  105.       <data name="ProcessSectionSignatureLevel" inType="win:UInt8"/>
  106.       <data name="ProcessProtection" inType="win:UInt8"/>
  107.       <data name="TargetThreadId" inType="win:UInt32"/>
  108.       <data name="TargetThreadCreateTime" inType="win:FILETIME"/>
  109.       <data name="RequiredSignatureLevel" inType="win:UInt8"/>
  110.       <data name="SignatureLevel" inType="win:UInt8"/>
  111.       <data name="ImageNameLength" inType="win:UInt16"/>
  112.       <data name="ImageName" inType="win:UnicodeString" length="ImageNameLength"/>
  113.      </template>
  114.      <template tid="USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTERArgs">
  115.       <data name="Subcode" inType="win:UInt32"/>
  116.       <data name="ProcessPath" inType="win:UnicodeString"/>
  117.       <data name="ProcessId" inType="win:UInt32"/>
  118.       <data name="ModuleFullPath" inType="win:UnicodeString"/>
  119.       <data name="ModuleBase" inType="win:Pointer"/>
  120.       <data name="ModuleAddress" inType="win:Pointer"/>
  121.       <data name="MemAddress" inType="win:Pointer"/>
  122.       <data name="MemModuleFullPath" inType="win:UnicodeString"/>
  123.       <data name="MemModuleBase" inType="win:Pointer"/>
  124.       <data name="APIName" inType="win:UnicodeString"/>
  125.       <data name="ProcessStartTime" inType="win:FILETIME"/>
  126.       <data name="ThreadId" inType="win:UInt32"/>
  127.      </template>
  128.      <template tid="USER_MITIGATION_TASK_ROP_STACKPIVOTArgs">
  129.       <data name="Subcode" inType="win:UInt32"/>
  130.       <data name="ProcessPath" inType="win:UnicodeString"/>
  131.       <data name="ProcessId" inType="win:UInt32"/>
  132.       <data name="HookedAPI" inType="win:UnicodeString"/>
  133.       <data name="ReturnAddress" inType="win:Pointer"/>
  134.       <data name="CalledAddress" inType="win:Pointer"/>
  135.       <data name="TargetAddress" inType="win:Pointer"/>
  136.       <data name="StackAddress" inType="win:Pointer"/>
  137.       <data name="FrameAddress" inType="win:Pointer"/>
  138.       <data name="ReturnAddressModuleFullPath" inType="win:UnicodeString"/>
  139.       <data name="ProcessStartTime" inType="win:FILETIME"/>
  140.       <data name="ThreadId" inType="win:UInt32"/>
  141.      </template>
  142.     </templates>
  143.    </provider>
  144.   </events>
  145.  </instrumentation>
  146.  <localization>
  147.   <resources culture="en-US">
  148.    <stringTable>
  149.     <string id="task_KERNEL_MITIGATION_TASK_PROHIBIT_DYNAMIC_CODE" value="KERNEL_MITIGATION_TASK_PROHIBIT_DYNAMIC_CODE"/>
  150.     <string id="task_KERNEL_MITIGATION_TASK_PROHIBIT_CHILD_PROCESS_CREATION" value="KERNEL_MITIGATION_TASK_PROHIBIT_CHILD_PROCESS_CREATION"/>
  151.     <string id="task_KERNEL_MITIGATION_TASK_PROHIBIT_REMOTE_IMAGE_MAP" value="KERNEL_MITIGATION_TASK_PROHIBIT_REMOTE_IMAGE_MAP"/>
  152.     <string id="task_KERNEL_MITIGATION_TASK_PROHIBIT_LOWIL_IMAGE_MAP" value="KERNEL_MITIGATION_TASK_PROHIBIT_LOWIL_IMAGE_MAP"/>
  153.     <string id="task_KERNEL_MITIGATION_TASK_PROHIBIT_WIN32K_SYSTEM_CALLS" value="KERNEL_MITIGATION_TASK_PROHIBIT_WIN32K_SYSTEM_CALLS"/>
  154.     <string id="task_KERNEL_MITIGATION_TASK_PROHIBIT_NON_MICROSOFT_BINARIES" value="KERNEL_MITIGATION_TASK_PROHIBIT_NON_MICROSOFT_BINARIES"/>
  155.     <string id="task_USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTER" value="USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTER"/>
  156.     <string id="task_USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTER_PLUS" value="USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTER_PLUS"/>
  157.     <string id="task_USER_MITIGATION_TASK_IMPORT_ADDRESS_FILTER" value="USER_MITIGATION_TASK_IMPORT_ADDRESS_FILTER"/>
  158.     <string id="task_USER_MITIGATION_TASK_ROP_STACKPIVOT" value="USER_MITIGATION_TASK_ROP_STACKPIVOT"/>
  159.     <string id="task_USER_MITIGATION_TASK_ROP_CALLERCHECK" value="USER_MITIGATION_TASK_ROP_CALLERCHECK"/>
  160.     <string id="task_USER_MITIGATION_TASK_ROP_SIMEXEC" value="USER_MITIGATION_TASK_ROP_SIMEXEC"/>
  161.    </stringTable>
  162.   </resources>
  163.  </localization>
  164. </instrumentationManifest>