PC World 2005 April

home *** CD-ROM | disk | FTP | other *** search

/ PC World 2005 April / PCWorld_2005-04_cd.bin / software / vyzkuste / vcatch / vcsetup.exe / %SYS% / RulesData.xml < prev next >

Wrap

Extensible Markup Language | 2005-02-04 | 95.7 KB | 3,796 lines

<?xml version="1.0"?> <RULES> <RULE> <NAME>Rule_Fake_Entry_Point </NAME> <TYPE>0</TYPE> <ID>0</ID> <RULEITEMS> </RULEITEMS> </RULE> <RULE> <NAME> Rule_Writable_Sections</NAME> <TYPE>1</TYPE> <ID>1</ID> <RULEITEMS> </RULEITEMS> </RULE> <RULE> <NAME> Rule_Executable_Sections</NAME> <TYPE>2</TYPE> <ID>2</ID> <RULEITEMS> </RULEITEMS> </RULE> <RULE> <NAME>Rule_Sections_Size </NAME> <TYPE>3</TYPE> <ID>3</ID> <RULEITEMS> </RULEITEMS> </RULE> <RULE> <NAME> Rule_Sections_name</NAME> <TYPE>4</TYPE> <ID>4</ID> <VALUE>0</VALUE> <RULEITEMS> <RULEITEM><NAME>CODE</NAME> </RULEITEM> <RULEITEM><NAME>DATA</NAME> </RULEITEM> <RULEITEM><NAME>AUTO</NAME> </RULEITEM> <RULEITEM><NAME>BSS</NAME> </RULEITEM> <RULEITEM><NAME>TLS</NAME> </RULEITEM> <RULEITEM><NAME>.bss</NAME></RULEITEM> <RULEITEM><NAME>.tls</NAME> </RULEITEM> <RULEITEM><NAME>.CRT</NAME> </RULEITEM> <RULEITEM><NAME>.INIT</NAME> </RULEITEM> <RULEITEM><NAME>.text</NAME> </RULEITEM> <RULEITEM><NAME>.data</NAME> </RULEITEM> <RULEITEM><NAME>TLS</NAME> </RULEITEM> <RULEITEM><NAME>.rsrc</NAME></RULEITEM> <RULEITEM><NAME>.reloc</NAME> </RULEITEM> <RULEITEM><NAME>.idata</NAME> </RULEITEM> <RULEITEM><NAME>.sdata</NAME> </RULEITEM> <RULEITEM><NAME>.rdata</NAME></RULEITEM> <RULEITEM><NAME>.edata</NAME> </RULEITEM> <RULEITEM><NAME>.debug</NAME></RULEITEM> <RULEITEM><NAME>DGROUP</NAME></RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME> Rule_Sections_name</NAME> <TYPE>4</TYPE> <ID>5</ID> <RULEITEMS> <RULEITEM><NAME>aspack</NAME> </RULEITEM> <RULEITEM><NAME>UPX0</NAME> </RULEITEM> <RULEITEM><NAME>UPX1</NAME> </RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME> Rule_Jump_Non_Code </NAME> <TYPE>5</TYPE> <ID>6</ID> <RULEITEMS> </RULEITEMS> </RULE> <RULE> <NAME>Rule_Data_StartUp </NAME> <TYPE>6</TYPE> <ID>7</ID> <RULEITEMS> <RULEITEM> <NAME>Software\Microsoft\Windows\CurrentVersion\Run</NAME> </RULEITEM> <RULEITEM> <NAME>System\CurrentControlSet\Services</NAME> </RULEITEM> <RULEITEM> <NAME>Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</NAME> </RULEITEM> <RULEITEM> <NAME>Software\Microsoft\Windows\CurrentVersion\RunServices</NAME> </RULEITEM> <RULEITEM> <NAME>Software\Microsoft\Windows\CurrentVersion\RunOnce</NAME> </RULEITEM> <RULEITEM> <NAME>Software\Microsoft\WindowsNT\CurrentVersion\Winlogon</NAME> </RULEITEM> <RULEITEM> <NAME>autoexec.bat</NAME></RULEITEM> <RULEITEM> <NAME>wininit.ini</NAME></RULEITEM> <RULEITEM> <NAME>System.ini</NAME></RULEITEM> <RULEITEM> <NAME>Mirc.ini</NAME></RULEITEM> </RULEITEMS> <RULESEMIITEMS> <RULESEMIITEM> <NAME>Software\Microsoft\Windows\CurrentVersion</NAME></RULESEMIITEM> <RULESEMIITEM> <NAME>Software\Microsoft\WindowsNT\CurrentVersion\WINDOWS</NAME></RULESEMIITEM> </RULESEMIITEMS> </RULE> <RULE> <NAME> Rule_Data_AppName</NAME> <TYPE>6</TYPE> <ID>8</ID> <RULEITEMS> <RULEITEM><NAME>Aplica32.exe</NAME> </RULEITEM> <RULEITEM><NAME>Avconsol.exe</NAME> </RULEITEM> <RULEITEM><NAME>Avp.exe</NAME> </RULEITEM> <RULEITEM><NAME>Avp32.exe</NAME> </RULEITEM> <RULEITEM><NAME>Avpcc.exe</NAME> </RULEITEM> <RULEITEM><NAME>Avpm.exe</NAME> </RULEITEM> <RULEITEM><NAME>Cfiadmin.exe</NAME> </RULEITEM> <RULEITEM><NAME>Cfiaudit.exe</NAME> </RULEITEM> <RULEITEM><NAME>Cfinet32.exe</NAME> </RULEITEM> <RULEITEM><NAME>Esafe.exe</NAME> </RULEITEM> <RULEITEM><NAME>Frw.exe </NAME> </RULEITEM> <RULEITEM><NAME>Icload95.exe</NAME> </RULEITEM> <RULEITEM><NAME>Icloadnt.exe</NAME> </RULEITEM> <RULEITEM><NAME>Icmon.exe</NAME> </RULEITEM> <RULEITEM><NAME>Icsupp95.Exe</NAME> </RULEITEM> <RULEITEM><NAME>Icsuppnt.exe</NAME> </RULEITEM> <RULEITEM><NAME>Lockdown2000.exe</NAME> </RULEITEM> <RULEITEM><NAME>Navapw32.exe</NAME> </RULEITEM> <RULEITEM><NAME>Navw32.exe</NAME> </RULEITEM> <RULEITEM><NAME>Pcfwallicon.exe</NAME> </RULEITEM> <RULEITEM><NAME>Safeweb.exe</NAME> </RULEITEM> <RULEITEM><NAME>Tds2-98.exe</NAME> </RULEITEM> <RULEITEM><NAME>Tds2-Nt.exe</NAME> </RULEITEM> <RULEITEM><NAME>Vsecomr.exe</NAME> </RULEITEM> <RULEITEM><NAME>Vshwin32.exe</NAME> </RULEITEM> <RULEITEM><NAME>Vsstat.exe</NAME> </RULEITEM> <RULEITEM><NAME>Webscanx.exe</NAME> </RULEITEM> <RULEITEM><NAME>Zonealarm.exe</NAME> </RULEITEM> <RULEITEM><NAME>_Avp32.exe</NAME> </RULEITEM> <RULEITEM><NAME>_Avpcc.exe</NAME> </RULEITEM> <RULEITEM><NAME>_Avpm.exe</NAME> </RULEITEM> </RULEITEMS> </RULE> <RULE> <TYPE>7</TYPE> <ID>9</ID> <NAME> Rule_Data_Check_Bytes</NAME> <RULEITEMS> <RULEITEM><DATASIZE>4</DATASIZE><DATA>66ED4D5A</DATA></RULEITEM> <RULEITEM><DATASIZE>16</DATASIZE><DATA>01DF020000000000C000000000000046</DATA></RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_Func_Lib_AntiDebug</NAME> <TYPE>8</TYPE> <ID>10</ID> <RULEITEMS> <RULEITEM><NAME>IsDebuggerPresent</NAME></RULEITEM> <RULEITEM><NAME>ImageHlp.dll</NAME></RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME> Rule_Func_UnRefered</NAME> <TYPE>9</TYPE> <ID>11</ID> <RULEITEMS> </RULEITEMS> </RULE> <RULE> <NAME> Rule_Lib_RT</NAME> <TYPE>8</TYPE> <ID>12</ID> <RULEITEMS> <RULEITEM><NAME>MSVBVM60.DLL</NAME></RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_Func_Lib_COM</NAME> <TYPE>8</TYPE> <ID>13</ID> <RULEITEMS> <RULEITEM><NAME>CoCreateInstance</NAME></RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_File_Name_Size Screen Saver</NAME> <TYPE>10</TYPE> <ID>14</ID> <RULEITEMS> </RULEITEMS> <RULESEMIITEMS> <RULESEMIITEM><NAME>.SCR;</NAME></RULESEMIITEM> </RULESEMIITEMS> </RULE> <RULE> <NAME>Rule_File_Shell_Open</NAME> <TYPE>11</TYPE> <ID>15</ID> <RULEITEMS> <RULEITEM><NAME>wscript.exe</NAME></RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_File_Company</NAME> <TYPE>12</TYPE> <ID>16</ID> <RULEITEMS> <RULEITEM><NAME>CommonSearch</NAME></RULEITEM> <RULEITEM><NAME>Microsoft Corporation</NAME></RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_File_VersionInfo</NAME> <TYPE>13</TYPE> <ID>17</ID> <RULEITEMS> </RULEITEMS> </RULE> <RULE> <NAME>Rule_Func_Win32 File I/O - Modify functions</NAME> <TYPE>8</TYPE> <ID>-19</ID> <RULEITEMS> <RULEITEM><NAME>_hwrite</NAME></RULEITEM> <RULEITEM><NAME>_lwrite</NAME></RULEITEM> <RULEITEM><NAME>_lcreat</NAME></RULEITEM> <RULEITEM><NAME>CopyFileA</NAME></RULEITEM> <RULEITEM><NAME>CopyFileW</NAME></RULEITEM> <RULEITEM><NAME>CreateDirectoryA</NAME></RULEITEM> <RULEITEM><NAME>CreateDirectoryExA</NAME></RULEITEM> <RULEITEM><NAME>CreateDirectoryExW</NAME></RULEITEM> <RULEITEM><NAME>CreateDirectoryW</NAME></RULEITEM> <RULEITEM><NAME>CreateFileA</NAME></RULEITEM> <RULEITEM><NAME>CreateFileW</NAME></RULEITEM> <RULEITEM><NAME>DeleteFileA</NAME></RULEITEM> <RULEITEM><NAME>DeleteFileW</NAME></RULEITEM> <RULEITEM><NAME>MoveFileA</NAME></RULEITEM> <RULEITEM><NAME>MoveFileW</NAME></RULEITEM> <RULEITEM> <NAME>RemoveDirectoryA</NAME> </RULEITEM> <RULEITEM> <NAME>RemoveDirectoryW</NAME> </RULEITEM> <RULEITEM> <NAME>SetFileAttributesA</NAME> </RULEITEM> <RULEITEM> <NAME>SetFileAttributesW</NAME> </RULEITEM> <RULEITEM> <NAME>SetVolumeLabelA</NAME> </RULEITEM> <RULEITEM> <NAME>SetVolumeLabelW</NAME> </RULEITEM> <RULEITEM> <NAME>WriteFile</NAME> </RULEITEM> <RULEITEM> <NAME>WriteFileEx</NAME> </RULEITEM> <RULEITEM> <NAME>DragQueryFileA</NAME> </RULEITEM> <RULEITEM> <NAME>DragQueryFileW</NAME> </RULEITEM> <RULEITEM> <NAME>DragQueryPoint</NAME> </RULEITEM> <RULEITEM> <NAME>DragFinish</NAME> </RULEITEM> <RULEITEM> <NAME>DragAcceptFiles</NAME> </RULEITEM> <RULEITEM> <NAME>SHFileOperationA</NAME> </RULEITEM> <RULEITEM> <NAME>SHFileOperationW</NAME> </RULEITEM> <RULEITEM> <NAME>SHEmptyRecycleBinW</NAME> </RULEITEM> <RULEITEM> <NAME>SHEmptyRecycleBinA</NAME> </RULEITEM> <RULEITEM> <NAME>SHAddToRecentDocs</NAME> </RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_Func_Win32 File I/O - read only functions</NAME> <TYPE>8</TYPE> <ID>19</ID> <RULEITEMS> <RULEITEM><NAME>_hread</NAME></RULEITEM> <RULEITEM><NAME>_lclose</NAME></RULEITEM> <RULEITEM><NAME>_llseek</NAME></RULEITEM> <RULEITEM><NAME>_lopen</NAME></RULEITEM> <RULEITEM><NAME>_lread</NAME></RULEITEM> <RULEITEM><NAME>AreFileApisANSI</NAME></RULEITEM> <RULEITEM><NAME>CancelIo</NAME></RULEITEM> <RULEITEM><NAME>FindClose</NAME></RULEITEM> <RULEITEM><NAME>FindCloseChangeNotification</NAME></RULEITEM> <RULEITEM><NAME>FindFirstChangeNotificationA</NAME></RULEITEM> <RULEITEM><NAME>FindFirstChangeNotificationW</NAME></RULEITEM> <RULEITEM><NAME>FindFirstFileA</NAME></RULEITEM> <RULEITEM><NAME>FindFirstFileW</NAME></RULEITEM> <RULEITEM><NAME>FindNextFileA</NAME></RULEITEM> <RULEITEM><NAME>FindNextFileW</NAME></RULEITEM> <RULEITEM><NAME>FlushFileBuffers</NAME></RULEITEM> <RULEITEM><NAME>GetCurrentDirectoryA</NAME></RULEITEM> <RULEITEM><NAME>GetCurrentDirectoryW</NAME></RULEITEM> <RULEITEM><NAME>GetDiskFreeSpaceA</NAME></RULEITEM> <RULEITEM><NAME>GetDiskFreeSpaceExA</NAME></RULEITEM> <RULEITEM><NAME>GetDiskFreeSpaceExW</NAME></RULEITEM> <RULEITEM><NAME>GetDiskFreeSpaceW</NAME></RULEITEM> <RULEITEM><NAME>GetDriveTypeA</NAME></RULEITEM> <RULEITEM><NAME>GetDriveTypeW</NAME></RULEITEM> <RULEITEM><NAME>GetFileAttributesA</NAME></RULEITEM> <RULEITEM><NAME>GetFileAttributesExA</NAME></RULEITEM> <RULEITEM><NAME>GetFileAttributesExW</NAME></RULEITEM> <RULEITEM><NAME>GetFileAttributesW</NAME></RULEITEM> <RULEITEM><NAME>GetFileInformationByHandle</NAME></RULEITEM> <RULEITEM><NAME>GetFileSize</NAME></RULEITEM> <RULEITEM><NAME>GetFileType</NAME></RULEITEM> <RULEITEM><NAME>GetFullPathNameA</NAME></RULEITEM> <RULEITEM><NAME>GetFullPathNameW</NAME></RULEITEM> <RULEITEM><NAME>GetLogicalDrives</NAME></RULEITEM> <RULEITEM><NAME>GetLogicalDriveStringsA</NAME></RULEITEM> <RULEITEM><NAME>GetLogicalDriveStringsW</NAME></RULEITEM> <RULEITEM><NAME>GetLongPathNameA</NAME></RULEITEM> <RULEITEM><NAME>GetLongPathNameW</NAME></RULEITEM> <RULEITEM><NAME>GetShortPathNameA</NAME></RULEITEM> <RULEITEM><NAME>GetShortPathNameW</NAME></RULEITEM> <RULEITEM><NAME>GetTempFileNameA</NAME></RULEITEM> <RULEITEM><NAME>GetTempFileNameW</NAME></RULEITEM> <RULEITEM><NAME>GetTempPathA</NAME></RULEITEM> <RULEITEM><NAME>GetTempPathW</NAME></RULEITEM> <RULEITEM><NAME>LockFile</NAME></RULEITEM> <RULEITEM><NAME>MulDiv</NAME></RULEITEM> <RULEITEM> <NAME>OpenFile</NAME> </RULEITEM> <RULEITEM> <NAME>QueryDosDeviceA</NAME> </RULEITEM> <RULEITEM> <NAME>QueryDosDeviceW</NAME> </RULEITEM> <RULEITEM> <NAME>ReadFile</NAME> </RULEITEM> <RULEITEM> <NAME>ReadFileEx</NAME> </RULEITEM> <RULEITEM> <NAME>SearchPathA</NAME> </RULEITEM> <RULEITEM> <NAME>SearchPathW</NAME> </RULEITEM> <RULEITEM> <NAME>SetCurrentDirectoryA</NAME> </RULEITEM> <RULEITEM> <NAME>SetCurrentDirectoryW</NAME> </RULEITEM> <RULEITEM> <NAME>SetEndOfFile</NAME> </RULEITEM> <RULEITEM> <NAME>SetFileApisToANSI</NAME> </RULEITEM> <RULEITEM> <NAME>SetFileApisToOEM</NAME> </RULEITEM> <RULEITEM> <NAME>SetFilePointer</NAME> </RULEITEM> <RULEITEM> <NAME>SetHandleCount</NAME> </RULEITEM> <RULEITEM> <NAME>UnlockFile</NAME> </RULEITEM> <RULEITEM> <NAME>PathAddBackslashA</NAME> </RULEITEM> <RULEITEM> <NAME>PathAddBackslashW</NAME> </RULEITEM> <RULEITEM> <NAME>PathAddExtensionA</NAME> </RULEITEM> <RULEITEM> <NAME>PathAddExtensionW</NAME> </RULEITEM> <RULEITEM> <NAME>PathAppendA</NAME> </RULEITEM> <RULEITEM> <NAME>PathAppendW</NAME> </RULEITEM> <RULEITEM> <NAME>PathBuildRootA</NAME> </RULEITEM> <RULEITEM> <NAME>PathBuildRootW</NAME> </RULEITEM> <RULEITEM> <NAME>PathCanonicalizeA</NAME> </RULEITEM> <RULEITEM> <NAME>PathCanonicalizeW</NAME> </RULEITEM> <RULEITEM> <NAME>PathCombineA</NAME> </RULEITEM> <RULEITEM> <NAME>PathCombineW</NAME> </RULEITEM> <RULEITEM> <NAME>PathCompactPathA</NAME> </RULEITEM> <RULEITEM> <NAME>PathCompactPathW</NAME> </RULEITEM> <RULEITEM> <NAME>PathCompactPathExA</NAME> </RULEITEM> <RULEITEM> <NAME>PathCompactPathExW</NAME> </RULEITEM> <RULEITEM> <NAME>PathCommonPrefixA</NAME> </RULEITEM> <RULEITEM> <NAME>PathCommonPrefixW</NAME> </RULEITEM> <RULEITEM> <NAME>PathFileExistsA</NAME> </RULEITEM> <RULEITEM> <NAME>PathFileExistsW</NAME> </RULEITEM> <RULEITEM> <NAME>PathFindExtensionA</NAME> </RULEITEM> <RULEITEM> <NAME>PathFindExtensionW</NAME> </RULEITEM> <RULEITEM> <NAME>PathFindFileNameA</NAME> </RULEITEM> <RULEITEM> <NAME>PathFindFileNameW</NAME> </RULEITEM> <RULEITEM> <NAME>PathFindNextComponentA</NAME> </RULEITEM> <RULEITEM> <NAME>PathFindNextComponentW</NAME> </RULEITEM> <RULEITEM> <NAME>PathFindOnPathA</NAME> </RULEITEM> <RULEITEM> <NAME>PathFindOnPathW</NAME> </RULEITEM> <RULEITEM> <NAME>PathGetArgsA</NAME> </RULEITEM> <RULEITEM> <NAME>PathGetArgsW</NAME> </RULEITEM> <RULEITEM> <NAME>PathGetCharTypeA</NAME> </RULEITEM> <RULEITEM> <NAME>PathGetCharTypeW</NAME> </RULEITEM> <RULEITEM> <NAME>PathGetDriveNumberA</NAME> </RULEITEM> <RULEITEM> <NAME>PathGetDriveNumberW</NAME> </RULEITEM> <RULEITEM> <NAME>PathIsDirectoryA</NAME> </RULEITEM> <RULEITEM> <NAME>PathIsDirectoryW</NAME> </RULEITEM> <RULEITEM> <NAME>PathIsFileSpecA</NAME> </RULEITEM> <RULEITEM> <NAME>PathIsFileSpecW</NAME> </RULEITEM> <RULEITEM> <NAME>PathIsPrefixA</NAME> </RULEITEM> <RULEITEM> <NAME>PathIsPrefixW</NAME> </RULEITEM> <RULEITEM> <NAME>PathIsRelativeA</NAME> </RULEITEM> <RULEITEM> <NAME>PathIsRelativeW</NAME> </RULEITEM> <RULEITEM> <NAME>PathIsRootA</NAME> </RULEITEM> <RULEITEM> <NAME>PathIsRootW</NAME> </RULEITEM> <RULEITEM> <NAME>PathIsSameRootA</NAME> </RULEITEM> <RULEITEM> <NAME>PathIsSameRootW</NAME> </RULEITEM> <RULEITEM> <NAME>PathIsUNCA</NAME> </RULEITEM> <RULEITEM> <NAME>PathIsUNCW</NAME> </RULEITEM> <RULEITEM> <NAME>PathIsUNCServerA</NAME> </RULEITEM> <RULEITEM> <NAME>PathIsUNCServerW</NAME> </RULEITEM> <RULEITEM> <NAME>PathIsUNCServerShareA</NAME> </RULEITEM> <RULEITEM> <NAME>PathIsUNCServerShareW</NAME> </RULEITEM> <RULEITEM> <NAME>PathIsContentTypeA</NAME> </RULEITEM> <RULEITEM> <NAME>PathIsContentTypeW</NAME> </RULEITEM> <RULEITEM> <NAME>PathIsURLA</NAME> </RULEITEM> <RULEITEM> <NAME>PathIsURLW</NAME> </RULEITEM> <RULEITEM> <NAME>PathMakePrettyA</NAME> </RULEITEM> <RULEITEM> <NAME>PathMakePrettyW</NAME> </RULEITEM> <RULEITEM> <NAME>PathMatchSpecA</NAME> </RULEITEM> <RULEITEM> <NAME>PathMatchSpecW</NAME> </RULEITEM> <RULEITEM> <NAME>PathParseIconLocationA</NAME> </RULEITEM> <RULEITEM> <NAME>PathParseIconLocationW</NAME> </RULEITEM> <RULEITEM> <NAME>PathQuoteSpacesA</NAME> </RULEITEM> <RULEITEM> <NAME>PathQuoteSpacesW</NAME> </RULEITEM> <RULEITEM> <NAME>PathRelativePathToA</NAME> </RULEITEM> <RULEITEM> <NAME>PathRelativePathToW</NAME> </RULEITEM> <RULEITEM> <NAME>PathRemoveArgsA</NAME> </RULEITEM> <RULEITEM> <NAME>PathRemoveArgsW</NAME> </RULEITEM> <RULEITEM> <NAME>PathRemoveBackslashA</NAME> </RULEITEM> <RULEITEM> <NAME>PathRemoveBackslashW</NAME> </RULEITEM> <RULEITEM> <NAME>PathRemoveBlanksA</NAME> </RULEITEM> <RULEITEM> <NAME>PathRemoveBlanksW</NAME> </RULEITEM> <RULEITEM> <NAME>PathRemoveExtensionA</NAME> </RULEITEM> <RULEITEM> <NAME>PathRemoveExtensionW</NAME> </RULEITEM> <RULEITEM> <NAME>PathRemoveFileSpecA</NAME> </RULEITEM> <RULEITEM> <NAME>PathRemoveFileSpecW</NAME> </RULEITEM> <RULEITEM> <NAME>PathRenameExtensionA</NAME> </RULEITEM> <RULEITEM> <NAME>PathRenameExtensionW</NAME> </RULEITEM> <RULEITEM> <NAME>PathSearchAndQualifyA</NAME> </RULEITEM> <RULEITEM> <NAME>PathSearchAndQualifyW</NAME> </RULEITEM> <RULEITEM> <NAME>PathSetDlgItemPathA</NAME> </RULEITEM> <RULEITEM> <NAME>PathSetDlgItemPathW</NAME> </RULEITEM> <RULEITEM> <NAME>PathSkipRootA</NAME> </RULEITEM> <RULEITEM> <NAME>PathSkipRootW</NAME> </RULEITEM> <RULEITEM> <NAME>PathStripPathA</NAME> </RULEITEM> <RULEITEM> <NAME>PathStripPathW</NAME> </RULEITEM> <RULEITEM> <NAME>PathStripToRootA</NAME> </RULEITEM> <RULEITEM> <NAME>PathStripToRootW</NAME> </RULEITEM> <RULEITEM> <NAME>PathUnquoteSpacesA</NAME> </RULEITEM> <RULEITEM> <NAME>PathUnquoteSpacesW</NAME> </RULEITEM> <RULEITEM> <NAME>PathMakeSystemFolderA</NAME> </RULEITEM> <RULEITEM> <NAME>PathMakeSystemFolderW</NAME> </RULEITEM> <RULEITEM> <NAME>PathUnmakeSystemFolderA</NAME> </RULEITEM> <RULEITEM> <NAME>PathUnmakeSystemFolderW</NAME> </RULEITEM> <RULEITEM> <NAME>PathIsSystemFolderA</NAME> </RULEITEM> <RULEITEM> <NAME>PathIsSystemFolderW</NAME> </RULEITEM> <RULEITEM> <NAME>SHFreeNameMappings</NAME> </RULEITEM> <RULEITEM> <NAME>SHQueryRecycleBinA</NAME> </RULEITEM> <RULEITEM> <NAME>SHQueryRecycleBinW</NAME> </RULEITEM> <RULEITEM> <NAME>SHGetFileInfoA</NAME> </RULEITEM> <RULEITEM> <NAME>SHGetFileInfoW</NAME> </RULEITEM> <RULEITEM> <NAME>SHGetDiskFreeSpaceA</NAME> </RULEITEM> <RULEITEM> <NAME>SHGetDiskFreeSpaceW</NAME> </RULEITEM> <RULEITEM> <NAME>SHGetNewLinkInfoA</NAME> </RULEITEM> <RULEITEM> <NAME>SHGetNewLinkInfoW</NAME> </RULEITEM> <RULEITEM> <NAME>SHGetSpecialFolderPathA</NAME> </RULEITEM> <RULEITEM> <NAME>SHGetSpecialFolderPathW</NAME> </RULEITEM> <RULEITEM> <NAME>SHGetPathFromIDListW</NAME> </RULEITEM> <RULEITEM> <NAME>SHGetPathFromIDListA</NAME> </RULEITEM> <RULEITEM> <NAME>SHGetSpecialFolderLocation</NAME> </RULEITEM> <RULEITEM> <NAME>SHBrowseForFolderA</NAME> </RULEITEM> <RULEITEM> <NAME>SHBrowseForFolderW</NAME> </RULEITEM> <RULEITEM> <NAME>SHGetDesktopFolder</NAME> </RULEITEM> <RULEITEM> <NAME>SHGetDataFromIDListA</NAME> </RULEITEM> <RULEITEM> <NAME>SHGetDataFromIDListW</NAME> </RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_Func_Win32_Process</NAME> <TYPE>8</TYPE> <ID>18</ID> <RULEITEMS> <RULEITEM> <NAME>AssignProcessToJobObject</NAME> </RULEITEM> <RULEITEM> <NAME>CommandLineToArgvW</NAME> </RULEITEM> <RULEITEM><NAME>ConvertThreadToFiber</NAME> </RULEITEM> <RULEITEM><NAME>CreateFiber</NAME> </RULEITEM> <RULEITEM><NAME>CreateJobObjectA</NAME> </RULEITEM> <RULEITEM><NAME>CreateJobObjectW</NAME> </RULEITEM> <RULEITEM><NAME>CreateProcessA</NAME> </RULEITEM> <RULEITEM><NAME>CreateProcessA</NAME> </RULEITEM> <RULEITEM><NAME>CreateProcessAsUserA</NAME> </RULEITEM> <RULEITEM><NAME>CreateProcessAsUserW</NAME> </RULEITEM> <RULEITEM><NAME>CreateProcessW</NAME> </RULEITEM> <RULEITEM><NAME>CreateProcessW</NAME> </RULEITEM> <RULEITEM><NAME>CreateRemoteThread</NAME> </RULEITEM> <RULEITEM><NAME>CreateThread</NAME> </RULEITEM> <RULEITEM><NAME>DeleteFiber</NAME> </RULEITEM> <RULEITEM><NAME>ExitProcess</NAME> </RULEITEM> <RULEITEM><NAME>ExitThread</NAME> </RULEITEM> <RULEITEM><NAME>FreeEnvironmentStringsA</NAME> </RULEITEM> <RULEITEM><NAME>FreeEnvironmentStringsW</NAME> </RULEITEM> <RULEITEM><NAME>GetCommandLineA</NAME> </RULEITEM> <RULEITEM><NAME>GetCommandLineW</NAME> </RULEITEM> <RULEITEM><NAME>GetCurrentProcess</NAME> </RULEITEM> <RULEITEM><NAME>GetCurrentProcessId</NAME> </RULEITEM> <RULEITEM><NAME>GetCurrentThread</NAME> </RULEITEM> <RULEITEM><NAME>GetCurrentThreadId</NAME> </RULEITEM> <RULEITEM><NAME>GetEnvironmentStringsA</NAME> </RULEITEM> <RULEITEM><NAME>GetEnvironmentStringsW</NAME> </RULEITEM> <RULEITEM><NAME>GetEnvironmentVariableA</NAME> </RULEITEM> <RULEITEM><NAME>GetEnvironmentVariableW</NAME> </RULEITEM> <RULEITEM><NAME>GetExitCodeProcess</NAME> </RULEITEM> <RULEITEM><NAME>GetExitCodeThread</NAME> </RULEITEM> <RULEITEM><NAME>GetGuiResources</NAME> </RULEITEM> <RULEITEM><NAME>GetPriorityClass</NAME> </RULEITEM> <RULEITEM><NAME>GetProcessAffinityMask</NAME> </RULEITEM> <RULEITEM><NAME>GetProcessPriorityBoost</NAME> </RULEITEM> <RULEITEM><NAME>GetProcessShutdownParameters</NAME> </RULEITEM> <RULEITEM><NAME>GetProcessTimes</NAME> </RULEITEM> <RULEITEM><NAME>GetProcessVersion</NAME> </RULEITEM> <RULEITEM><NAME>GetProcessWorkingSetSize</NAME> </RULEITEM> <RULEITEM><NAME>GetStartupInfoA</NAME> </RULEITEM> <RULEITEM> <NAME>GetStartupInfoW</NAME> </RULEITEM> <RULEITEM> <NAME>GetThreadPriority</NAME> </RULEITEM> <RULEITEM> <NAME>GetThreadPriorityBoost</NAME> </RULEITEM> <RULEITEM> <NAME>GetThreadTimes</NAME> </RULEITEM> <RULEITEM> <NAME>OpenJobObjectA</NAME> </RULEITEM> <RULEITEM> <NAME>OpenJobObjectW</NAME> </RULEITEM> <RULEITEM> <NAME>OpenProcess</NAME> </RULEITEM> <RULEITEM> <NAME>QueryInformationJobObject</NAME> </RULEITEM> <RULEITEM> <NAME>ResumeThread</NAME> </RULEITEM> <RULEITEM> <NAME>SetEnvironmentVariableA</NAME> </RULEITEM> <RULEITEM> <NAME>SetEnvironmentVariableW</NAME> </RULEITEM> <RULEITEM> <NAME>SetInformationJobObject</NAME> </RULEITEM> <RULEITEM> <NAME>SetPriorityClass</NAME> </RULEITEM> <RULEITEM> <NAME>SetProcessAffinityMask</NAME> </RULEITEM> <RULEITEM> <NAME>SetProcessPriorityBoost</NAME> </RULEITEM> <RULEITEM> <NAME>SetProcessShutdownParameters</NAME> </RULEITEM> <RULEITEM> <NAME>SetProcessWorkingSetSize</NAME> </RULEITEM> <RULEITEM> <NAME>SetThreadAffinityMask</NAME> </RULEITEM> <RULEITEM> <NAME>SetThreadIdealProcessor</NAME> </RULEITEM> <RULEITEM> <NAME>SetThreadPriority</NAME> </RULEITEM> <RULEITEM> <NAME>SetThreadPriorityBoost</NAME> </RULEITEM> <RULEITEM> <NAME>Sleep</NAME> </RULEITEM> <RULEITEM> <NAME>SleepEx</NAME> </RULEITEM> <RULEITEM> <NAME>SuspendThread</NAME> </RULEITEM> <RULEITEM> <NAME>SwitchToFiber</NAME> </RULEITEM> <RULEITEM> <NAME>SwitchToThread</NAME> </RULEITEM> <RULEITEM> <NAME>TerminateJobObject</NAME> </RULEITEM> <RULEITEM> <NAME>TerminateProcess</NAME> </RULEITEM> <RULEITEM> <NAME>TerminateThread</NAME> </RULEITEM> <RULEITEM> <NAME>WaitForInputIdle</NAME> </RULEITEM> <RULEITEM> <NAME>WinExec</NAME> </RULEITEM> <RULEITEM> <NAME>ShellExecuteA</NAME> </RULEITEM> <RULEITEM> <NAME>ShellExecuteW</NAME> </RULEITEM> <RULEITEM> <NAME>FindExecutableA</NAME> </RULEITEM> <RULEITEM> <NAME>FindExecutableW</NAME> </RULEITEM> <RULEITEM> <NAME>CommandLineToArgvW</NAME> </RULEITEM> <RULEITEM> <NAME>DoEnvironmentSubstA</NAME> </RULEITEM> <RULEITEM> <NAME>DoEnvironmentSubstW</NAME> </RULEITEM> <RULEITEM> <NAME>FindEnvironmentStringA</NAME> </RULEITEM> <RULEITEM> <NAME>FindEnvironmentStringW</NAME> </RULEITEM> <RULEITEM> <NAME>ShellExecuteExA</NAME> </RULEITEM> <RULEITEM> <NAME>ShellExecuteExW</NAME> </RULEITEM> <RULEITEM> <NAME>WinExecErrorW</NAME> </RULEITEM> <RULEITEM> <NAME>WinExecErrorA</NAME> </RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_func_Win32 Dynamic-Link Libraries</NAME> <TYPE>8</TYPE> <ID>20</ID> <RULEITEMS> <RULEITEM> <NAME>GetModuleFileNameA</NAME> </RULEITEM> <RULEITEM> <NAME>GetModuleFileNameW</NAME> </RULEITEM> <RULEITEM> <NAME>GetProcAddress</NAME> </RULEITEM> <RULEITEM> <NAME>LoadLibraryA</NAME> </RULEITEM> <RULEITEM> <NAME>LoadLibraryExA</NAME> </RULEITEM> <RULEITEM> <NAME>LoadLibraryExW</NAME> </RULEITEM> <RULEITEM> <NAME>LoadLibraryW</NAME> </RULEITEM> <RULEITEM> <NAME>LoadModule</NAME> </RULEITEM> <RULEITEM> <NAME>GetModuleHandleA</NAME> </RULEITEM> <RULEITEM> <NAME>GetModuleHandleW</NAME> </RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_func Win32 Registry - moodify functions</NAME> <TYPE>8</TYPE> <ID>-21</ID> <RULEITEMS> <RULEITEM> <NAME>RegCreateKeyA</NAME> </RULEITEM> <RULEITEM> <NAME>RegCreateKeyExA</NAME> </RULEITEM> <RULEITEM> <NAME>RegCreateKeyExW</NAME> </RULEITEM> <RULEITEM> <NAME>RegCreateKeyW</NAME> </RULEITEM> <RULEITEM> <NAME>RegDeleteKeyA</NAME> </RULEITEM> <RULEITEM> <NAME>RegDeleteKeyW</NAME> </RULEITEM> <RULEITEM> <NAME>RegDeleteValueA</NAME> </RULEITEM> <RULEITEM> <NAME>RegDeleteValueW</NAME> </RULEITEM> <RULEITEM> <NAME>RegReplaceKeyA</NAME> </RULEITEM> <RULEITEM> <NAME>RegReplaceKeyW</NAME> </RULEITEM> <RULEITEM> <NAME>RegRestoreKeyA</NAME> </RULEITEM> <RULEITEM> <NAME>RegRestoreKeyW</NAME> </RULEITEM> <RULEITEM> <NAME>RegSaveKeyA</NAME> </RULEITEM> <RULEITEM> <NAME>RegSaveKeyW</NAME> </RULEITEM> <RULEITEM> <NAME>RegSetKeySecurity</NAME> </RULEITEM> <RULEITEM> <NAME>RegSetValueA</NAME> </RULEITEM> <RULEITEM> <NAME>RegSetValueExA</NAME> </RULEITEM> <RULEITEM> <NAME>RegSetValueExW</NAME> </RULEITEM> <RULEITEM> <NAME>RegSetValueW</NAME> </RULEITEM> <RULEITEM> <NAME>SHSetValueW</NAME> </RULEITEM> <RULEITEM> <NAME>WritePrivateProfileSectionA</NAME> </RULEITEM> <RULEITEM> <NAME>WritePrivateProfileSectionW</NAME> </RULEITEM> <RULEITEM> <NAME>WritePrivateProfileStringA</NAME> </RULEITEM> <RULEITEM> <NAME>WritePrivateProfileStringW</NAME> </RULEITEM> <RULEITEM> <NAME>WritePrivateProfileStructA</NAME> </RULEITEM> <RULEITEM> <NAME>WritePrivateProfileStructW</NAME> </RULEITEM> <RULEITEM> <NAME>WriteProfileSectionA</NAME> </RULEITEM> <RULEITEM> <NAME>WriteProfileSectionW</NAME> </RULEITEM> <RULEITEM> <NAME>WriteProfileStringA</NAME> </RULEITEM> <RULEITEM> <NAME>WriteProfileStringW</NAME> </RULEITEM> <RULEITEM> <NAME>SHDeleteEmptyKeyW</NAME> </RULEITEM> <RULEITEM> <NAME>SHDeleteKeyW</NAME> </RULEITEM> <RULEITEM> <NAME>SHDeleteValueW</NAME> </RULEITEM> <RULEITEM> <NAME>SHDeleteEmptyKeyA</NAME> </RULEITEM> <RULEITEM> <NAME>SHDeleteKeyA</NAME> </RULEITEM> <RULEITEM> <NAME>SHDeleteValueA</NAME> </RULEITEM> <RULEITEM> <NAME>SHSetValueA</NAME> </RULEITEM> <RULEITEM> <NAME>SHRegCreateUSKeyW</NAME> </RULEITEM> <RULEITEM> <NAME>SHRegWriteUSValueW</NAME> </RULEITEM> <RULEITEM> <NAME>SHRegDeleteUSValueW</NAME> </RULEITEM> <RULEITEM> <NAME>SHRegDeleteEmptyUSKeyW</NAME> </RULEITEM> <RULEITEM> <NAME>SHRegSetUSValueW</NAME> </RULEITEM> <RULEITEM> <NAME>SHRegCreateUSKeyA</NAME> </RULEITEM> <RULEITEM> <NAME>SHRegDeleteUSValueA</NAME> </RULEITEM> <RULEITEM> <NAME>SHRegDeleteEmptyUSKeyA</NAME> </RULEITEM> <RULEITEM> <NAME>SHRegSetUSValueA</NAME> </RULEITEM> <RULEITEM> <NAME>SHRegWriteUSValueA</NAME> </RULEITEM> <RULEITEM> <NAME>RegFlushKey</NAME> </RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_func Win32 Registry - read only functions</NAME> <TYPE>8</TYPE> <ID>21</ID> <RULEITEMS> <RULEITEM> <NAME>GetPrivateProfileIntA</NAME> </RULEITEM> <RULEITEM> <NAME>GetPrivateProfileIntW</NAME> </RULEITEM> <RULEITEM> <NAME>GetPrivateProfileSectionA</NAME> </RULEITEM> <RULEITEM> <NAME>GetPrivateProfileSectionNamesA</NAME> </RULEITEM> <RULEITEM> <NAME>GetPrivateProfileSectionNamesW</NAME> </RULEITEM> <RULEITEM> <NAME>GetPrivateProfileSectionW</NAME> </RULEITEM> <RULEITEM> <NAME>GetPrivateProfileStringA</NAME> </RULEITEM> <RULEITEM> <NAME>GetPrivateProfileStringW</NAME> </RULEITEM> <RULEITEM> <NAME>GetPrivateProfileStructA</NAME> </RULEITEM> <RULEITEM> <NAME>GetPrivateProfileStructW</NAME> </RULEITEM> <RULEITEM> <NAME>GetProfileIntA</NAME> </RULEITEM> <RULEITEM> <NAME>GetProfileIntW</NAME> </RULEITEM> <RULEITEM> <NAME>GetProfileSectionA</NAME> </RULEITEM> <RULEITEM> <NAME>GetProfileSectionW</NAME> </RULEITEM> <RULEITEM> <NAME>GetProfileStringA</NAME> </RULEITEM> <RULEITEM> <NAME>GetProfileStringW</NAME> </RULEITEM> <RULEITEM> <NAME>RegCloseKey</NAME> </RULEITEM> <RULEITEM> <NAME>RegConnectRegistryA</NAME> </RULEITEM> <RULEITEM> <NAME>RegConnectRegistryW</NAME> </RULEITEM> <RULEITEM> <NAME>RegEnumKeyA</NAME> </RULEITEM> <RULEITEM> <NAME>RegEnumKeyExA</NAME> </RULEITEM> <RULEITEM> <NAME>RegEnumKeyExW</NAME> </RULEITEM> <RULEITEM> <NAME>RegEnumKeyW</NAME> </RULEITEM> <RULEITEM> <NAME>RegEnumValueA</NAME> </RULEITEM> <RULEITEM> <NAME>RegEnumValueW</NAME> </RULEITEM> <RULEITEM> <NAME>RegGetKeySecurity</NAME> </RULEITEM> <RULEITEM> <NAME>RegLoadKeyA</NAME> </RULEITEM> <RULEITEM> <NAME>RegLoadKeyW</NAME> </RULEITEM> <RULEITEM> <NAME>RegNotifyChangeKeyValue</NAME> </RULEITEM> <RULEITEM> <NAME>RegOpenKeyA</NAME> </RULEITEM> <RULEITEM> <NAME>RegOpenKeyExA</NAME> </RULEITEM> <RULEITEM> <NAME>RegOpenKeyExW</NAME> </RULEITEM> <RULEITEM> <NAME>RegOpenKeyW</NAME> </RULEITEM> <RULEITEM> <NAME>RegOverridePredefKey</NAME> </RULEITEM> <RULEITEM> <NAME>RegQueryInfoKeyA</NAME> </RULEITEM> <RULEITEM> <NAME>RegQueryInfoKeyW</NAME> </RULEITEM> <RULEITEM> <NAME>RegQueryMultipleValuesA</NAME> </RULEITEM> <RULEITEM> <NAME>RegQueryMultipleValuesW</NAME> </RULEITEM> <RULEITEM> <NAME>RegQueryValueA</NAME> </RULEITEM> <RULEITEM> <NAME>RegQueryValueExA</NAME> </RULEITEM> <RULEITEM> <NAME>RegQueryValueExW</NAME> </RULEITEM> <RULEITEM> <NAME>RegQueryValueW</NAME> </RULEITEM> <RULEITEM> <NAME>RegUnLoadKeyA</NAME> </RULEITEM> <RULEITEM> <NAME>RegUnLoadKeyW</NAME> </RULEITEM> <RULEITEM> <NAME>SHGetValueW</NAME> </RULEITEM> <RULEITEM> <NAME>SHQueryValueExW</NAME> </RULEITEM> <RULEITEM> <NAME>SHEnumKeyExW</NAME> </RULEITEM> <RULEITEM> <NAME>SHEnumValueW</NAME> </RULEITEM> <RULEITEM> <NAME>SHQueryInfoKeyW</NAME> </RULEITEM> <RULEITEM> <NAME>SHGetValueA</NAME> </RULEITEM> <RULEITEM> <NAME>SHQueryValueExA</NAME> </RULEITEM> <RULEITEM> <NAME>SHEnumKeyExA</NAME> </RULEITEM> <RULEITEM> <NAME>SHEnumValueA</NAME> </RULEITEM> <RULEITEM> <NAME>SHQueryInfoKeyA</NAME> </RULEITEM> <RULEITEM> <NAME>SHRegOpenUSKeyW</NAME> </RULEITEM> <RULEITEM> <NAME>SHRegQueryUSValueW</NAME> </RULEITEM> <RULEITEM> <NAME>SHRegEnumUSKeyW</NAME> </RULEITEM> <RULEITEM> <NAME>SHRegEnumUSValueW</NAME> </RULEITEM> <RULEITEM> <NAME>SHRegQueryInfoUSKeyW</NAME> </RULEITEM> <RULEITEM> <NAME>SHRegGetUSValueW</NAME> </RULEITEM> <RULEITEM> <NAME>SHRegOpenUSKeyA</NAME> </RULEITEM> <RULEITEM> <NAME>SHRegQueryUSValueA</NAME> </RULEITEM> <RULEITEM> <NAME>SHRegEnumUSKeyA</NAME> </RULEITEM> <RULEITEM> <NAME>SHRegEnumUSValueA</NAME> </RULEITEM> <RULEITEM> <NAME>SHRegQueryInfoUSKeyA</NAME> </RULEITEM> <RULEITEM> <NAME>SHRegGetUSValueA</NAME> </RULEITEM> <RULEITEM> <NAME>SHRegGetBoolUSValueA</NAME> </RULEITEM> <RULEITEM> <NAME>SHRegGetBoolUSValueW</NAME> </RULEITEM> <RULEITEM> <NAME>SHOpenRegStreamA</NAME> </RULEITEM> <RULEITEM> <NAME>SHOpenRegStreamW</NAME> </RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_func Win32 Windows NT Security</NAME> <TYPE>8</TYPE> <ID>22</ID> <RULEITEMS> <RULEITEM> <NAME>AccessCheck</NAME> </RULEITEM> <RULEITEM> <NAME>AccessCheckAndAuditAlarmA</NAME> </RULEITEM> <RULEITEM> <NAME>AccessCheckAndAuditAlarmW</NAME> </RULEITEM> <RULEITEM> <NAME>AccessCheckByType</NAME> </RULEITEM> <RULEITEM> <NAME>AccessCheckByTypeAndAuditAlarmA</NAME> </RULEITEM> <RULEITEM> <NAME>AccessCheckByTypeAndAuditAlarmW</NAME> </RULEITEM> <RULEITEM> <NAME>AccessCheckByTypeResultList</NAME> </RULEITEM> <RULEITEM> <NAME>AccessCheckByTypeResultListAndAuditAlarmA</NAME> </RULEITEM> <RULEITEM> <NAME>AccessCheckByTypeResultListAndAuditAlarmW</NAME> </RULEITEM> <RULEITEM> <NAME>AddAccessAllowedAce</NAME> </RULEITEM> <RULEITEM> <NAME>AddAccessAllowedAceEx</NAME> </RULEITEM> <RULEITEM> <NAME>AddAccessAllowedObjectAce</NAME> </RULEITEM> <RULEITEM> <NAME>AddAccessDeniedAce</NAME> </RULEITEM> <RULEITEM> <NAME>AddAccessDeniedAceEx</NAME> </RULEITEM> <RULEITEM> <NAME>AddAccessDeniedObjectAce</NAME> </RULEITEM> <RULEITEM> <NAME>AddAce</NAME> </RULEITEM> <RULEITEM> <NAME>AddAuditAccessAce</NAME> </RULEITEM> <RULEITEM> <NAME>AddAuditAccessAceEx</NAME> </RULEITEM> <RULEITEM> <NAME>AddAuditAccessObjectAce</NAME> </RULEITEM> <RULEITEM> <NAME>AdjustTokenGroups</NAME> </RULEITEM> <RULEITEM> <NAME>AdjustTokenPrivileges</NAME> </RULEITEM> <RULEITEM> <NAME>AllocateAndInitializeSid</NAME> </RULEITEM> <RULEITEM> <NAME>AllocateLocallyUniqueId</NAME> </RULEITEM> <RULEITEM> <NAME>AreAllAccessesGranted</NAME> </RULEITEM> <RULEITEM> <NAME>AreAnyAccessesGranted</NAME> </RULEITEM> <RULEITEM> <NAME>BuildExplicitAccessWithNameA</NAME> </RULEITEM> <RULEITEM> <NAME>BuildExplicitAccessWithNameW</NAME> </RULEITEM> <RULEITEM> <NAME>BuildImpersonateExplicitAccessWithNameA</NAME> </RULEITEM> <RULEITEM> <NAME>BuildImpersonateExplicitAccessWithNameW</NAME> </RULEITEM> <RULEITEM> <NAME>BuildImpersonateTrusteeA</NAME> </RULEITEM> <RULEITEM> <NAME>BuildImpersonateTrusteeW</NAME> </RULEITEM> <RULEITEM> <NAME>BuildSecurityDescriptorA</NAME> </RULEITEM> <RULEITEM> <NAME>BuildSecurityDescriptorW</NAME> </RULEITEM> <RULEITEM> <NAME>BuildTrusteeWithNameA</NAME> </RULEITEM> <RULEITEM> <NAME>BuildTrusteeWithNameW</NAME> </RULEITEM> <RULEITEM> <NAME>BuildTrusteeWithSidA</NAME> </RULEITEM> <RULEITEM> <NAME>BuildTrusteeWithSidW</NAME> </RULEITEM> <RULEITEM> <NAME>ConvertToAutoInheritPrivateObjectSecurity</NAME> </RULEITEM> <RULEITEM> <NAME>CopySid</NAME> </RULEITEM> <RULEITEM> <NAME>CreatePrivateObjectSecurity</NAME> </RULEITEM> <RULEITEM> <NAME>CreatePrivateObjectSecurityEx</NAME> </RULEITEM> <RULEITEM> <NAME>CreateRestrictedToken</NAME> </RULEITEM> <RULEITEM> <NAME>DeleteAce</NAME> </RULEITEM> <RULEITEM> <NAME>DestroyPrivateObjectSecurity</NAME> </RULEITEM> <RULEITEM> <NAME>DuplicateToken</NAME> </RULEITEM> <RULEITEM> <NAME>DuplicateTokenEx</NAME> </RULEITEM> <RULEITEM> <NAME>EqualPrefixSid</NAME> </RULEITEM> <RULEITEM> <NAME>EqualSid</NAME> </RULEITEM> <RULEITEM> <NAME>FindFirstFreeAce</NAME> </RULEITEM> <RULEITEM> <NAME>FreeSid</NAME> </RULEITEM> <RULEITEM> <NAME>GetAce</NAME> </RULEITEM> <RULEITEM> <NAME>GetAclInformation</NAME> </RULEITEM> <RULEITEM> <NAME>GetAuditedPermissionsFromAclA</NAME> </RULEITEM> <RULEITEM> <NAME>GetAuditedPermissionsFromAclW</NAME> </RULEITEM> <RULEITEM> <NAME>GetEffectiveRightsFromAclA</NAME> </RULEITEM> <RULEITEM> <NAME>GetEffectiveRightsFromAclW</NAME> </RULEITEM> <RULEITEM> <NAME>GetExplicitEntriesFromAclA</NAME> </RULEITEM> <RULEITEM> <NAME>GetExplicitEntriesFromAclW</NAME> </RULEITEM> <RULEITEM> <NAME>GetFileSecurityA</NAME> </RULEITEM> <RULEITEM> <NAME>GetFileSecurityW</NAME> </RULEITEM> <RULEITEM> <NAME>GetKernelObjectSecurity</NAME> </RULEITEM> <RULEITEM> <NAME>GetLengthSid</NAME> </RULEITEM> <RULEITEM> <NAME>GetMultipleTrusteeA</NAME> </RULEITEM> <RULEITEM> <NAME>GetMultipleTrusteeOperationA</NAME> </RULEITEM> <RULEITEM> <NAME>GetMultipleTrusteeOperationW</NAME> </RULEITEM> <RULEITEM> <NAME>GetMultipleTrusteeW</NAME> </RULEITEM> <RULEITEM> <NAME>GetNamedSecurityInfoA</NAME> </RULEITEM> <RULEITEM> <NAME>GetNamedSecurityInfoW</NAME> </RULEITEM> <RULEITEM> <NAME>GetPrivateObjectSecurity</NAME> </RULEITEM> <RULEITEM> <NAME>GetSecurityDescriptorControl</NAME> </RULEITEM> <RULEITEM> <NAME>GetSecurityDescriptorDacl</NAME> </RULEITEM> <RULEITEM> <NAME>GetSecurityDescriptorGroup</NAME> </RULEITEM> <RULEITEM> <NAME>GetSecurityDescriptorLength</NAME> </RULEITEM> <RULEITEM> <NAME>GetSecurityDescriptorOwner</NAME> </RULEITEM> <RULEITEM> <NAME>GetSecurityDescriptorSacl</NAME> </RULEITEM> <RULEITEM> <NAME>GetSecurityInfo</NAME> </RULEITEM> <RULEITEM> <NAME>GetSidIdentifierAuthority</NAME> </RULEITEM> <RULEITEM> <NAME>GetSidLengthRequired</NAME> </RULEITEM> <RULEITEM> <NAME>GetSidSubAuthority</NAME> </RULEITEM> <RULEITEM> <NAME>GetSidSubAuthorityCount</NAME> </RULEITEM> <RULEITEM> <NAME>GetTokenInformation</NAME> </RULEITEM> <RULEITEM> <NAME>GetTrusteeFormA</NAME> </RULEITEM> <RULEITEM> <NAME>GetTrusteeFormW</NAME> </RULEITEM> <RULEITEM> <NAME>GetTrusteeNameA</NAME> </RULEITEM> <RULEITEM> <NAME>GetTrusteeNameW</NAME> </RULEITEM> <RULEITEM> <NAME>GetTrusteeTypeA</NAME> </RULEITEM> <RULEITEM> <NAME>GetTrusteeTypeW</NAME> </RULEITEM> <RULEITEM> <NAME>GetUserObjectSecurity</NAME> </RULEITEM> <RULEITEM> <NAME>ImpersonateLoggedOnUser</NAME> </RULEITEM> <RULEITEM> <NAME>ImpersonateNamedPipeClient</NAME> </RULEITEM> <RULEITEM> <NAME>ImpersonateSelf</NAME> </RULEITEM> <RULEITEM> <NAME>InitializeAcl</NAME> </RULEITEM> <RULEITEM> <NAME>InitializeSecurityDescriptor</NAME> </RULEITEM> <RULEITEM> <NAME>InitializeSid</NAME> </RULEITEM> <RULEITEM> <NAME>IsTokenRestricted</NAME> </RULEITEM> <RULEITEM> <NAME>IsValidAcl</NAME> </RULEITEM> <RULEITEM> <NAME>IsValidSecurityDescriptor</NAME> </RULEITEM> <RULEITEM> <NAME>IsValidSid</NAME> </RULEITEM> <RULEITEM> <NAME>LogonUserA</NAME> </RULEITEM> <RULEITEM> <NAME>LogonUserW</NAME> </RULEITEM> <RULEITEM> <NAME>LookupAccountNameA</NAME> </RULEITEM> <RULEITEM> <NAME>LookupAccountNameW</NAME> </RULEITEM> <RULEITEM> <NAME>LookupAccountSidA</NAME> </RULEITEM> <RULEITEM> <NAME>LookupAccountSidW</NAME> </RULEITEM> <RULEITEM> <NAME>LookupPrivilegeDisplayNameA</NAME> </RULEITEM> <RULEITEM> <NAME>LookupPrivilegeDisplayNameW</NAME> </RULEITEM> <RULEITEM> <NAME>LookupPrivilegeNameA</NAME> </RULEITEM> <RULEITEM> <NAME>LookupPrivilegeNameW</NAME> </RULEITEM> <RULEITEM> <NAME>LookupPrivilegeValueA</NAME> </RULEITEM> <RULEITEM> <NAME>LookupPrivilegeValueW</NAME> </RULEITEM> <RULEITEM> <NAME>LookupSecurityDescriptorPartsA</NAME> </RULEITEM> <RULEITEM> <NAME>LookupSecurityDescriptorPartsW</NAME> </RULEITEM> <RULEITEM> <NAME>MakeAbsoluteSD</NAME> </RULEITEM> <RULEITEM> <NAME>MakeSelfRelativeSD</NAME> </RULEITEM> <RULEITEM> <NAME>MapGenericMask</NAME> </RULEITEM> <RULEITEM> <NAME>ObjectCloseAuditAlarmA</NAME> </RULEITEM> <RULEITEM> <NAME>ObjectCloseAuditAlarmW</NAME> </RULEITEM> <RULEITEM> <NAME>ObjectDeleteAuditAlarmA</NAME> </RULEITEM> <RULEITEM> <NAME>ObjectDeleteAuditAlarmW</NAME> </RULEITEM> <RULEITEM> <NAME>ObjectOpenAuditAlarmA</NAME> </RULEITEM> <RULEITEM> <NAME>ObjectOpenAuditAlarmW</NAME> </RULEITEM> <RULEITEM> <NAME>ObjectPrivilegeAuditAlarmA</NAME> </RULEITEM> <RULEITEM> <NAME>ObjectPrivilegeAuditAlarmW</NAME> </RULEITEM> <RULEITEM> <NAME>OpenProcessToken</NAME> </RULEITEM> <RULEITEM> <NAME>OpenThreadToken</NAME> </RULEITEM> <RULEITEM> <NAME>PrivilegeCheck</NAME> </RULEITEM> <RULEITEM> <NAME>PrivilegedServiceAuditAlarmA</NAME> </RULEITEM> <RULEITEM> <NAME>PrivilegedServiceAuditAlarmW</NAME> </RULEITEM> <RULEITEM> <NAME>RevertToSelf</NAME> </RULEITEM> <RULEITEM> <NAME>SetAclInformation</NAME> </RULEITEM> <RULEITEM> <NAME>SetEntriesInAclA</NAME> </RULEITEM> <RULEITEM> <NAME>SetEntriesInAclW</NAME> </RULEITEM> <RULEITEM> <NAME>SetFileSecurityA</NAME> </RULEITEM> <RULEITEM> <NAME>SetFileSecurityW</NAME> </RULEITEM> <RULEITEM> <NAME>SetKernelObjectSecurity</NAME> </RULEITEM> <RULEITEM> <NAME>SetNamedSecurityInfoA</NAME> </RULEITEM> <RULEITEM> <NAME>SetNamedSecurityInfoW</NAME> </RULEITEM> <RULEITEM> <NAME>SetPrivateObjectSecurity</NAME> </RULEITEM> <RULEITEM> <NAME>SetPrivateObjectSecurityEx</NAME> </RULEITEM> <RULEITEM> <NAME>SetSecurityDescriptorControl</NAME> </RULEITEM> <RULEITEM> <NAME>SetSecurityDescriptorDacl</NAME> </RULEITEM> <RULEITEM> <NAME>SetSecurityDescriptorGroup</NAME> </RULEITEM> <RULEITEM> <NAME>SetSecurityDescriptorOwner</NAME> </RULEITEM> <RULEITEM> <NAME>SetSecurityDescriptorSacl</NAME> </RULEITEM> <RULEITEM> <NAME>SetSecurityInfo</NAME> </RULEITEM> <RULEITEM> <NAME>SetThreadToken</NAME> </RULEITEM> <RULEITEM> <NAME>SetTokenInformation</NAME> </RULEITEM> <RULEITEM> <NAME>SetUserObjectSecurity</NAME> </RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_func Win32 Windows NT Services</NAME> <TYPE>8</TYPE> <ID>23</ID> <RULEITEMS> <RULEITEM> <NAME>ChangeServiceConfig2A</NAME> </RULEITEM> <RULEITEM> <NAME>ChangeServiceConfig2W</NAME> </RULEITEM> <RULEITEM> <NAME>ChangeServiceConfigA</NAME> </RULEITEM> <RULEITEM> <NAME>ChangeServiceConfigW</NAME> </RULEITEM> <RULEITEM> <NAME>CloseServiceHandle</NAME> </RULEITEM> <RULEITEM> <NAME>ControlService</NAME> </RULEITEM> <RULEITEM> <NAME>CreateServiceA</NAME> </RULEITEM> <RULEITEM> <NAME>CreateServiceW</NAME> </RULEITEM> <RULEITEM> <NAME>DeleteService</NAME> </RULEITEM> <RULEITEM> <NAME>EnumDependentServicesA</NAME> </RULEITEM> <RULEITEM> <NAME>EnumDependentServicesW</NAME> </RULEITEM> <RULEITEM> <NAME>EnumServicesStatusA</NAME> </RULEITEM> <RULEITEM> <NAME>EnumServicesStatusW</NAME> </RULEITEM> <RULEITEM> <NAME>GetServiceDisplayNameA</NAME> </RULEITEM> <RULEITEM> <NAME>GetServiceDisplayNameW</NAME> </RULEITEM> <RULEITEM> <NAME>GetServiceKeyNameA</NAME> </RULEITEM> <RULEITEM> <NAME>GetServiceKeyNameW</NAME> </RULEITEM> <RULEITEM> <NAME>LockServiceDatabase</NAME> </RULEITEM> <RULEITEM> <NAME>NotifyBootConfigStatus</NAME> </RULEITEM> <RULEITEM> <NAME>OpenSCManagerA</NAME> </RULEITEM> <RULEITEM> <NAME>OpenSCManagerW</NAME> </RULEITEM> <RULEITEM> <NAME>OpenServiceA</NAME> </RULEITEM> <RULEITEM> <NAME>OpenServiceW</NAME> </RULEITEM> <RULEITEM> <NAME>QueryServiceConfig2A</NAME> </RULEITEM> <RULEITEM> <NAME>QueryServiceConfig2W</NAME> </RULEITEM> <RULEITEM> <NAME>QueryServiceConfigA</NAME> </RULEITEM> <RULEITEM> <NAME>QueryServiceConfigW</NAME> </RULEITEM> <RULEITEM> <NAME>QueryServiceLockStatusA</NAME> </RULEITEM> <RULEITEM> <NAME>QueryServiceLockStatusW</NAME> </RULEITEM> <RULEITEM> <NAME>QueryServiceObjectSecurity</NAME> </RULEITEM> <RULEITEM> <NAME>QueryServiceStatus</NAME> </RULEITEM> <RULEITEM> <NAME>RegisterServiceCtrlHandlerA</NAME> </RULEITEM> <RULEITEM> <NAME>RegisterServiceCtrlHandlerW</NAME> </RULEITEM> <RULEITEM> <NAME>SetServiceObjectSecurity</NAME> </RULEITEM> <RULEITEM> <NAME>SetServiceStatus</NAME> </RULEITEM> <RULEITEM> <NAME>StartServiceA</NAME> </RULEITEM> <RULEITEM> <NAME>StartServiceCtrlDispatcherA</NAME> </RULEITEM> <RULEITEM> <NAME>StartServiceCtrlDispatcherW</NAME> </RULEITEM> <RULEITEM> <NAME>StartServiceW</NAME> </RULEITEM> <RULEITEM> <NAME>UnlockServiceDatabase</NAME> </RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_func Win32 Network Management</NAME> <TYPE>8</TYPE> <ID>24</ID> <RULEITEMS> <RULEITEM> <NAME>MultinetGetConnectionPerformanceA</NAME> </RULEITEM> <RULEITEM> <NAME>MultinetGetConnectionPerformanceW</NAME> </RULEITEM> <RULEITEM> <NAME>NetAlertRaise</NAME> </RULEITEM> <RULEITEM> <NAME>NetAlertRaiseEx</NAME> </RULEITEM> <RULEITEM> <NAME>NetApiBufferAllocate</NAME> </RULEITEM> <RULEITEM> <NAME>NetApiBufferFree</NAME> </RULEITEM> <RULEITEM> <NAME>NetApiBufferReallocate</NAME> </RULEITEM> <RULEITEM> <NAME>NetApiBufferSize</NAME> </RULEITEM> <RULEITEM> <NAME>NetConnectionEnum</NAME> </RULEITEM> <RULEITEM> <NAME>NetFileClose</NAME> </RULEITEM> <RULEITEM> <NAME>NetFileGetInfo</NAME> </RULEITEM> <RULEITEM> <NAME>NetGetAnyDCName</NAME> </RULEITEM> <RULEITEM> <NAME>NetGetDCName</NAME> </RULEITEM> <RULEITEM> <NAME>NetGetDisplayInformationIndex</NAME> </RULEITEM> <RULEITEM> <NAME>NetGroupAdd</NAME> </RULEITEM> <RULEITEM> <NAME>NetGroupAddUser</NAME> </RULEITEM> <RULEITEM> <NAME>NetGroupDel</NAME> </RULEITEM> <RULEITEM> <NAME>NetGroupDelUser</NAME> </RULEITEM> <RULEITEM> <NAME>NetGroupEnum</NAME> </RULEITEM> <RULEITEM> <NAME>NetGroupGetInfo</NAME> </RULEITEM> <RULEITEM> <NAME>NetGroupGetUsers</NAME> </RULEITEM> <RULEITEM> <NAME>NetGroupSetInfo</NAME> </RULEITEM> <RULEITEM> <NAME>NetGroupSetUsers</NAME> </RULEITEM> <RULEITEM> <NAME>NetLocalGroupAdd</NAME> </RULEITEM> <RULEITEM> <NAME>NetLocalGroupAddMember</NAME> </RULEITEM> <RULEITEM> <NAME>NetLocalGroupAddMembers</NAME> </RULEITEM> <RULEITEM> <NAME>NetLocalGroupDel</NAME> </RULEITEM> <RULEITEM> <NAME>NetLocalGroupDelMember</NAME> </RULEITEM> <RULEITEM> <NAME>NetLocalGroupDelMembers</NAME> </RULEITEM> <RULEITEM> <NAME>NetLocalGroupEnum</NAME> </RULEITEM> <RULEITEM> <NAME>NetLocalGroupGetInfo</NAME> </RULEITEM> <RULEITEM> <NAME>NetLocalGroupGetMembers</NAME> </RULEITEM> <RULEITEM> <NAME>NetLocalGroupSetInfo</NAME> </RULEITEM> <RULEITEM> <NAME>NetLocalGroupSetMembers</NAME> </RULEITEM> <RULEITEM> <NAME>NetMessageBufferSend</NAME> </RULEITEM> <RULEITEM> <NAME>NetMessageNameAdd</NAME> </RULEITEM> <RULEITEM> <NAME>NetMessageNameDel</NAME> </RULEITEM> <RULEITEM> <NAME>NetMessageNameEnum</NAME> </RULEITEM> <RULEITEM> <NAME>NetMessageNameGetInfo</NAME> </RULEITEM> <RULEITEM> <NAME>NetQueryDisplayInformation</NAME> </RULEITEM> <RULEITEM> <NAME>NetRemoteComputerSupports</NAME> </RULEITEM> <RULEITEM> <NAME>NetRemoteTOd</NAME> </RULEITEM> <RULEITEM> <NAME>NetReplExportDirAdd</NAME> </RULEITEM> <RULEITEM> <NAME>NetReplExportDirDel</NAME> </RULEITEM> <RULEITEM> <NAME>NetReplExportDirEnum</NAME> </RULEITEM> <RULEITEM> <NAME>NetReplExportDirGetInfo</NAME> </RULEITEM> <RULEITEM> <NAME>NetReplExportDirLock</NAME> </RULEITEM> <RULEITEM> <NAME>NetReplExportDirSetInfo</NAME> </RULEITEM> <RULEITEM> <NAME>NetReplExportDirUnlock</NAME> </RULEITEM> <RULEITEM> <NAME>NetReplGetInfo</NAME> </RULEITEM> <RULEITEM> <NAME>NetReplImportDirAdd</NAME> </RULEITEM> <RULEITEM> <NAME>NetReplImportDirDel</NAME> </RULEITEM> <RULEITEM> <NAME>NetReplImportDirEnum</NAME> </RULEITEM> <RULEITEM> <NAME>NetReplImportDirGetInfo</NAME> </RULEITEM> <RULEITEM> <NAME>NetReplImportDirLock</NAME> </RULEITEM> <RULEITEM> <NAME>NetReplImportDirUnlock</NAME> </RULEITEM> <RULEITEM> <NAME>NetReplSetInfo</NAME> </RULEITEM> <RULEITEM> <NAME>NetScheduleJobAdd</NAME> </RULEITEM> <RULEITEM> <NAME>NetScheduleJobDel</NAME> </RULEITEM> <RULEITEM> <NAME>NetScheduleJobEnum</NAME> </RULEITEM> <RULEITEM> <NAME>NetScheduleJobGetInfo</NAME> </RULEITEM> <RULEITEM> <NAME>NetServerComputerNameAdd</NAME> </RULEITEM> <RULEITEM> <NAME>NetServerComputerNameDel</NAME> </RULEITEM> <RULEITEM> <NAME>NetServerDiskEnum</NAME> </RULEITEM> <RULEITEM> <NAME>NetServerEnum</NAME> </RULEITEM> <RULEITEM> <NAME>NetServerEnumEx</NAME> </RULEITEM> <RULEITEM> <NAME>NetServerGetInfo</NAME> </RULEITEM> <RULEITEM> <NAME>NetServerSetInfo</NAME> </RULEITEM> <RULEITEM> <NAME>NetServerTransportAdd</NAME> </RULEITEM> <RULEITEM> <NAME>NetServerTransportAddEx</NAME> </RULEITEM> <RULEITEM> <NAME>NetServerTransportDel</NAME> </RULEITEM> <RULEITEM> <NAME>NetServerTransportEnum</NAME> </RULEITEM> <RULEITEM> <NAME>NetSessionDel</NAME> </RULEITEM> <RULEITEM> <NAME>NetSessionEnum</NAME> </RULEITEM> <RULEITEM> <NAME>NetSessionGetInfo</NAME> </RULEITEM> <RULEITEM> <NAME>NetShareAdd</NAME> </RULEITEM> <RULEITEM> <NAME>NetShareCheck</NAME> </RULEITEM> <RULEITEM> <NAME>NetShareDel</NAME> </RULEITEM> <RULEITEM> <NAME>NetShareEnum</NAME> </RULEITEM> <RULEITEM> <NAME>NetShareGetInfo</NAME> </RULEITEM> <RULEITEM> <NAME>NetShareSetInfo</NAME> </RULEITEM> <RULEITEM> <NAME>NetStatisticsGet</NAME> </RULEITEM> <RULEITEM> <NAME>NetUseAdd</NAME> </RULEITEM> <RULEITEM> <NAME>NetUseDel</NAME> </RULEITEM> <RULEITEM> <NAME>NetUseEnum</NAME> </RULEITEM> <RULEITEM> <NAME>NetUseGetInfo</NAME> </RULEITEM> <RULEITEM> <NAME>NetUserAdd</NAME> </RULEITEM> <RULEITEM> <NAME>NetUserChangePassword</NAME> </RULEITEM> <RULEITEM> <NAME>NetUserDel</NAME> </RULEITEM> <RULEITEM> <NAME>NetUserEnum</NAME> </RULEITEM> <RULEITEM> <NAME>NetUserGetGroups</NAME> </RULEITEM> <RULEITEM> <NAME>NetUserGetInfo</NAME> </RULEITEM> <RULEITEM> <NAME>NetUserGetLocalGroups</NAME> </RULEITEM> <RULEITEM> <NAME>NetUserModalsGet</NAME> </RULEITEM> <RULEITEM> <NAME>NetUserModalsSet</NAME> </RULEITEM> <RULEITEM> <NAME>NetUserSetGroups</NAME> </RULEITEM> <RULEITEM> <NAME>NetUserSetInfo</NAME> </RULEITEM> <RULEITEM> <NAME>NetWkstaGetInfo</NAME> </RULEITEM> <RULEITEM> <NAME>NetWkstaSetInfo</NAME> </RULEITEM> <RULEITEM> <NAME>NetWkstaTransportAdd</NAME> </RULEITEM> <RULEITEM> <NAME>NetWkstaTransportDel</NAME> </RULEITEM> <RULEITEM> <NAME>NetWkstaTransportEnum</NAME> </RULEITEM> <RULEITEM> <NAME>NetWkstaUserEnum</NAME> </RULEITEM> <RULEITEM> <NAME>NetWkstaUserGetInfo</NAME> </RULEITEM> <RULEITEM> <NAME>NetWkstaUserSetInfo</NAME> </RULEITEM> <RULEITEM> <NAME>WNetAddConnection2A</NAME> </RULEITEM> <RULEITEM> <NAME>WNetAddConnection2W</NAME> </RULEITEM> <RULEITEM> <NAME>WNetAddConnection3A</NAME> </RULEITEM> <RULEITEM> <NAME>WNetAddConnection3W</NAME> </RULEITEM> <RULEITEM> <NAME>WNetAddConnectionA</NAME> </RULEITEM> <RULEITEM> <NAME>WNetAddConnectionW</NAME> </RULEITEM> <RULEITEM> <NAME>WNetCancelConnection2A</NAME> </RULEITEM> <RULEITEM> <NAME>WNetCancelConnection2W</NAME> </RULEITEM> <RULEITEM> <NAME>WNetCancelConnectionA</NAME> </RULEITEM> <RULEITEM> <NAME>WNetCancelConnectionW</NAME> </RULEITEM> <RULEITEM> <NAME>WNetCloseEnum</NAME> </RULEITEM> <RULEITEM> <NAME>WNetConnectionDialog</NAME> </RULEITEM> <RULEITEM> <NAME>WNetConnectionDialog1A</NAME> </RULEITEM> <RULEITEM> <NAME>WNetConnectionDialog1W</NAME> </RULEITEM> <RULEITEM> <NAME>WNetDisconnectDialog</NAME> </RULEITEM> <RULEITEM> <NAME>WNetDisconnectDialog1A</NAME> </RULEITEM> <RULEITEM> <NAME>WNetDisconnectDialog1W</NAME> </RULEITEM> <RULEITEM> <NAME>WNetEnumResourceA</NAME> </RULEITEM> <RULEITEM> <NAME>WNetEnumResourceW</NAME> </RULEITEM> <RULEITEM> <NAME>WNetGetConnectionA</NAME> </RULEITEM> <RULEITEM> <NAME>WNetGetConnectionW</NAME> </RULEITEM> <RULEITEM> <NAME>WNetGetLastErrorA</NAME> </RULEITEM> <RULEITEM> <NAME>WNetGetLastErrorW</NAME> </RULEITEM> <RULEITEM> <NAME>WNetGetNetworkInformationA</NAME> </RULEITEM> <RULEITEM> <NAME>WNetGetNetworkInformationW</NAME> </RULEITEM> <RULEITEM> <NAME>WNetGetProviderNameA</NAME> </RULEITEM> <RULEITEM> <NAME>WNetGetProviderNameW</NAME> </RULEITEM> <RULEITEM> <NAME>WNetGetResourceInformationA</NAME> </RULEITEM> <RULEITEM> <NAME>WNetGetResourceInformationW</NAME> </RULEITEM> <RULEITEM> <NAME>WNetGetResourceParentA</NAME> </RULEITEM> <RULEITEM> <NAME>WNetGetResourceParentW</NAME> </RULEITEM> <RULEITEM> <NAME>WNetGetUniversalNameA</NAME> </RULEITEM> <RULEITEM> <NAME>WNetGetUniversalNameW</NAME> </RULEITEM> <RULEITEM> <NAME>WNetGetUserA</NAME> </RULEITEM> <RULEITEM> <NAME>WNetGetUserW</NAME> </RULEITEM> <RULEITEM> <NAME>WNetOpenEnumA</NAME> </RULEITEM> <RULEITEM> <NAME>WNetOpenEnumW</NAME> </RULEITEM> <RULEITEM> <NAME>WNetUseConnectionA</NAME> </RULEITEM> <RULEITEM> <NAME>WnetUseConnectionW</NAME> </RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_func Win32 Windows Sockets</NAME> <TYPE>8</TYPE> <ID>25</ID> <RULEITEMS> <RULEITEM> <NAME>accept</NAME> </RULEITEM> <RULEITEM> <NAME>bind</NAME> </RULEITEM> <RULEITEM> <NAME>closesocket</NAME> </RULEITEM> <RULEITEM> <NAME>connect</NAME> </RULEITEM> <RULEITEM> <NAME>gethostbyaddr</NAME> </RULEITEM> <RULEITEM> <NAME>gethostbyname</NAME> </RULEITEM> <RULEITEM> <NAME>gethostname</NAME> </RULEITEM> <RULEITEM> <NAME>getpeername</NAME> </RULEITEM> <RULEITEM> <NAME>getprotobyname</NAME> </RULEITEM> <RULEITEM> <NAME>getprotobynumber</NAME> </RULEITEM> <RULEITEM> <NAME>getservbyname</NAME> </RULEITEM> <RULEITEM> <NAME>getservbyport</NAME> </RULEITEM> <RULEITEM> <NAME>getsockname</NAME> </RULEITEM> <RULEITEM> <NAME>getsockopt</NAME> </RULEITEM> <RULEITEM> <NAME>htonl</NAME> </RULEITEM> <RULEITEM> <NAME>htons</NAME> </RULEITEM> <RULEITEM> <NAME>inet_addr</NAME> </RULEITEM> <RULEITEM> <NAME>inet_ntoa</NAME> </RULEITEM> <RULEITEM> <NAME>ioctlsocket</NAME> </RULEITEM> <RULEITEM> <NAME>listen</NAME> </RULEITEM> <RULEITEM> <NAME>ntohl</NAME> </RULEITEM> <RULEITEM> <NAME>ntohs</NAME> </RULEITEM> <RULEITEM> <NAME>recv</NAME> </RULEITEM> <RULEITEM> <NAME>recvfrom</NAME> </RULEITEM> <RULEITEM> <NAME>select</NAME> </RULEITEM> <RULEITEM> <NAME>send</NAME> </RULEITEM> <RULEITEM> <NAME>sendto</NAME> </RULEITEM> <RULEITEM> <NAME>setsockopt</NAME> </RULEITEM> <RULEITEM> <NAME>shutdown</NAME> </RULEITEM> <RULEITEM> <NAME>socket</NAME> </RULEITEM> <RULEITEM> <NAME>WSAAccept</NAME> </RULEITEM> <RULEITEM> <NAME>WSAAddressToStringA</NAME> </RULEITEM> <RULEITEM> <NAME>WSAAddressToStringW</NAME> </RULEITEM> <RULEITEM> <NAME>WSAAsyncGetHostByAddr</NAME> </RULEITEM> <RULEITEM> <NAME>WSAAsyncGetHostByName</NAME> </RULEITEM> <RULEITEM> <NAME>WSAAsyncGetProtoByName</NAME> </RULEITEM> <RULEITEM> <NAME>WSAAsyncGetProtoByNumber</NAME> </RULEITEM> <RULEITEM> <NAME>WSAAsyncGetServByName</NAME> </RULEITEM> <RULEITEM> <NAME>WSAAsyncGetServByPort</NAME> </RULEITEM> <RULEITEM> <NAME>WSAAsyncSelect</NAME> </RULEITEM> <RULEITEM> <NAME>WSACancelAsyncRequest</NAME> </RULEITEM> <RULEITEM> <NAME>WSACancelBlockingCall</NAME> </RULEITEM> <RULEITEM> <NAME>WSACleanup</NAME> </RULEITEM> <RULEITEM> <NAME>WSACloseEvent</NAME> </RULEITEM> <RULEITEM> <NAME>WSAConnect</NAME> </RULEITEM> <RULEITEM> <NAME>WSACreateEvent</NAME> </RULEITEM> <RULEITEM> <NAME>WSADuplicateSocketA</NAME> </RULEITEM> <RULEITEM> <NAME>WSADuplicateSocketW</NAME> </RULEITEM> <RULEITEM> <NAME>WSAEnumNameSpaceProvidersA</NAME> </RULEITEM> <RULEITEM> <NAME>WSAEnumNameSpaceProvidersW</NAME> </RULEITEM> <RULEITEM> <NAME>WSAEnumNetworkEvents</NAME> </RULEITEM> <RULEITEM> <NAME>WSAEnumProtocolsA</NAME> </RULEITEM> <RULEITEM> <NAME>WSAEnumProtocolsW</NAME> </RULEITEM> <RULEITEM> <NAME>WSAEventSelect</NAME> </RULEITEM> <RULEITEM> <NAME>WSAGetLastError</NAME> </RULEITEM> <RULEITEM> <NAME>WSAGetOverlappedResult</NAME> </RULEITEM> <RULEITEM> <NAME>WSAGetQOSByName</NAME> </RULEITEM> <RULEITEM> <NAME>WSAGetServiceClassInfoA</NAME> </RULEITEM> <RULEITEM> <NAME>WSAGetServiceClassInfoW</NAME> </RULEITEM> <RULEITEM> <NAME>WSAGetServiceClassNameByClassIdA</NAME> </RULEITEM> <RULEITEM> <NAME>WSAGetServiceClassNameByClassIdW</NAME> </RULEITEM> <RULEITEM> <NAME>WSAHtonl</NAME> </RULEITEM> <RULEITEM> <NAME>WSAHtons</NAME> </RULEITEM> <RULEITEM> <NAME>WSAInstallServiceClassA</NAME> </RULEITEM> <RULEITEM> <NAME>WSAInstallServiceClassW</NAME> </RULEITEM> <RULEITEM> <NAME>WSAIoctl</NAME> </RULEITEM> <RULEITEM> <NAME>WSAIsBlocking</NAME> </RULEITEM> <RULEITEM> <NAME>WSAJoinLeaf</NAME> </RULEITEM> <RULEITEM> <NAME>WSALookupServiceBeginA</NAME> </RULEITEM> <RULEITEM> <NAME>WSALookupServiceBeginW</NAME> </RULEITEM> <RULEITEM> <NAME>WSALookupServiceEnd</NAME> </RULEITEM> <RULEITEM> <NAME>WSALookupServiceNextA</NAME> </RULEITEM> <RULEITEM> <NAME>WSALookupServiceNextW</NAME> </RULEITEM> <RULEITEM> <NAME>WSANtohl</NAME> </RULEITEM> <RULEITEM> <NAME>WSANtohs</NAME> </RULEITEM> <RULEITEM> <NAME>WSAProviderConfigChange</NAME> </RULEITEM> <RULEITEM> <NAME>WSARecv</NAME> </RULEITEM> <RULEITEM> <NAME>WSARecvDisconnect</NAME> </RULEITEM> <RULEITEM> <NAME>WSARecvFrom</NAME> </RULEITEM> <RULEITEM> <NAME>WSARemoveServiceClass</NAME> </RULEITEM> <RULEITEM> <NAME>WSAResetEvent</NAME> </RULEITEM> <RULEITEM> <NAME>WSASend</NAME> </RULEITEM> <RULEITEM> <NAME>WSASendDisconnect</NAME> </RULEITEM> <RULEITEM> <NAME>WSASendTo</NAME> </RULEITEM> <RULEITEM> <NAME>WSASetBlockingHook</NAME> </RULEITEM> <RULEITEM> <NAME>WSASetEvent</NAME> </RULEITEM> <RULEITEM> <NAME>WSASetLastError</NAME> </RULEITEM> <RULEITEM> <NAME>WSASetServiceA</NAME> </RULEITEM> <RULEITEM> <NAME>WSASetServiceW</NAME> </RULEITEM> <RULEITEM> <NAME>WSASocketA</NAME> </RULEITEM> <RULEITEM> <NAME>WSASocketW</NAME> </RULEITEM> <RULEITEM> <NAME>WSAStartup</NAME> </RULEITEM> <RULEITEM> <NAME>WSAStringToAddressA</NAME> </RULEITEM> <RULEITEM> <NAME>WSAStringToAddressW</NAME> </RULEITEM> <RULEITEM> <NAME>WSAUnhookBlockingHook</NAME> </RULEITEM> <RULEITEM> <NAME>WSAWaitForMultipleEvents</NAME> </RULEITEM> <RULEITEM> <NAME>WSCDeinstallProvider</NAME> </RULEITEM> <RULEITEM> <NAME>WSCEnableNSProvider</NAME> </RULEITEM> <RULEITEM> <NAME>WSCEnumProtocols</NAME> </RULEITEM> <RULEITEM> <NAME>WSCGetProviderPath</NAME> </RULEITEM> <RULEITEM> <NAME>WSCInstallNameSpace</NAME> </RULEITEM> <RULEITEM> <NAME>WSCInstallProvider</NAME> </RULEITEM> <RULEITEM> <NAME>WSCUnInstallNameSpace</NAME> </RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_func Win32 Debugging</NAME> <TYPE>8</TYPE> <ID>26</ID> <RULEITEMS> <RULEITEM> <NAME>ContinueDebugEvent</NAME> </RULEITEM> <RULEITEM> <NAME>DebugActiveProcess</NAME> </RULEITEM> <RULEITEM> <NAME>DebugBreak</NAME> </RULEITEM> <RULEITEM> <NAME>FatalExit</NAME> </RULEITEM> <RULEITEM> <NAME>FlushInstructionCache</NAME> </RULEITEM> <RULEITEM> <NAME>GetThreadContext</NAME> </RULEITEM> <RULEITEM> <NAME>GetThreadSelectorEntry</NAME> </RULEITEM> <RULEITEM> <NAME>IsDebuggerPresent</NAME> </RULEITEM> <RULEITEM> <NAME>OutputDebugStringA</NAME> </RULEITEM> <RULEITEM> <NAME>OutputDebugStringW</NAME> </RULEITEM> <RULEITEM> <NAME>ReadProcessMemory</NAME> </RULEITEM> <RULEITEM> <NAME>SetDebugErrorLevel</NAME> </RULEITEM> <RULEITEM> <NAME>SetThreadContext</NAME> </RULEITEM> <RULEITEM> <NAME>WaitForDebugEvent</NAME> </RULEITEM> <RULEITEM> <NAME>WriteProcessMemory</NAME> </RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_func Win32 Handles and Objects</NAME> <TYPE>8</TYPE> <ID>27</ID> <RULEITEMS> <RULEITEM> <NAME>CloseHandle</NAME> </RULEITEM> <RULEITEM> <NAME>DuplicateHandle</NAME> </RULEITEM> <RULEITEM> <NAME>GetHandleInformation</NAME> </RULEITEM> <RULEITEM> <NAME>SetHandleInformation</NAME> </RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_func Win32 Windows</NAME> <TYPE>8</TYPE> <ID>28</ID> <RULEITEMS> <RULEITEM> <NAME>AdjustWindowRect</NAME> </RULEITEM> <RULEITEM> <NAME>AdjustWindowRectEx</NAME> </RULEITEM> <RULEITEM> <NAME>AllowSetForegroundWindow</NAME> </RULEITEM> <RULEITEM> <NAME>AnimateWindow</NAME> </RULEITEM> <RULEITEM> <NAME>AnyPopup</NAME> </RULEITEM> <RULEITEM> <NAME>ArrangeIconicWindows</NAME> </RULEITEM> <RULEITEM> <NAME>BeginDeferWindowPos</NAME> </RULEITEM> <RULEITEM> <NAME>BringWindowToTop</NAME> </RULEITEM> <RULEITEM> <NAME>CascadeWindows</NAME> </RULEITEM> <RULEITEM> <NAME>ChildWindowFromPoint</NAME> </RULEITEM> <RULEITEM> <NAME>ChildWindowFromPointEx</NAME> </RULEITEM> <RULEITEM> <NAME>CloseWindow</NAME> </RULEITEM> <RULEITEM> <NAME>CreateWindowExA</NAME> </RULEITEM> <RULEITEM> <NAME>CreateWindowExW</NAME> </RULEITEM> <RULEITEM> <NAME>DeferWindowPos</NAME> </RULEITEM> <RULEITEM> <NAME>DestroyWindow</NAME> </RULEITEM> <RULEITEM> <NAME>EndDeferWindowPos</NAME> </RULEITEM> <RULEITEM> <NAME>EnumChildWindows</NAME> </RULEITEM> <RULEITEM> <NAME>EnumThreadWindows</NAME> </RULEITEM> <RULEITEM> <NAME>EnumWindows</NAME> </RULEITEM> <RULEITEM> <NAME>FindWindowA</NAME> </RULEITEM> <RULEITEM> <NAME>FindWindowExA</NAME> </RULEITEM> <RULEITEM> <NAME>FindWindowExW</NAME> </RULEITEM> <RULEITEM> <NAME>FindWindowW</NAME> </RULEITEM> <RULEITEM> <NAME>GetAltTabInfoA</NAME> </RULEITEM> <RULEITEM> <NAME>GetAltTabInfoW</NAME> </RULEITEM> <RULEITEM> <NAME>GetAncestor</NAME> </RULEITEM> <RULEITEM> <NAME>GetClientRect</NAME> </RULEITEM> <RULEITEM> <NAME>GetDesktopWindow</NAME> </RULEITEM> <RULEITEM> <NAME>GetForegroundWindow</NAME> </RULEITEM> <RULEITEM> <NAME>GetGUIThreadInfo</NAME> </RULEITEM> <RULEITEM> <NAME>GetLastActivePopup</NAME> </RULEITEM> <RULEITEM> <NAME>GetLayout</NAME> </RULEITEM> <RULEITEM> <NAME>GetParent</NAME> </RULEITEM> <RULEITEM> <NAME>GetProcessDefaultLayout</NAME> </RULEITEM> <RULEITEM> <NAME>GetTitleBarInfo</NAME> </RULEITEM> <RULEITEM> <NAME>GetTopWindow</NAME> </RULEITEM> <RULEITEM> <NAME>GetWindow</NAME> </RULEITEM> <RULEITEM> <NAME>GetWindowInfo</NAME> </RULEITEM> <RULEITEM> <NAME>GetWindowModuleFileNameA</NAME> </RULEITEM> <RULEITEM> <NAME>GetWindowModuleFileNameW</NAME> </RULEITEM> <RULEITEM> <NAME>GetWindowPlacement</NAME> </RULEITEM> <RULEITEM> <NAME>GetWindowRect</NAME> </RULEITEM> <RULEITEM> <NAME>GetWindowTextA</NAME> </RULEITEM> <RULEITEM> <NAME>GetWindowTextLengthA</NAME> </RULEITEM> <RULEITEM> <NAME>GetWindowTextLengthW</NAME> </RULEITEM> <RULEITEM> <NAME>GetWindowTextW</NAME> </RULEITEM> <RULEITEM> <NAME>GetWindowThreadProcessId</NAME> </RULEITEM> <RULEITEM> <NAME>IsChild</NAME> </RULEITEM> <RULEITEM> <NAME>IsIconic</NAME> </RULEITEM> <RULEITEM> <NAME>IsWindow</NAME> </RULEITEM> <RULEITEM> <NAME>IsWindowUnicode</NAME> </RULEITEM> <RULEITEM> <NAME>IsWindowVisible</NAME> </RULEITEM> <RULEITEM> <NAME>IsZoomed</NAME> </RULEITEM> <RULEITEM> <NAME>LockSetForegroundWindow</NAME> </RULEITEM> <RULEITEM> <NAME>MoveWindow</NAME> </RULEITEM> <RULEITEM> <NAME>OpenIcon</NAME> </RULEITEM> <RULEITEM> <NAME>RealChildWindowFromPoint</NAME> </RULEITEM> <RULEITEM> <NAME>RealGetWindowClassA</NAME> </RULEITEM> <RULEITEM> <NAME>RealGetWindowClassW</NAME> </RULEITEM> <RULEITEM> <NAME>SetForegroundWindow</NAME> </RULEITEM> <RULEITEM> <NAME>SetLayeredWindowAttributes</NAME> </RULEITEM> <RULEITEM> <NAME>SetLayout</NAME> </RULEITEM> <RULEITEM> <NAME>SetParent</NAME> </RULEITEM> <RULEITEM> <NAME>SetProcessDefaultLayout</NAME> </RULEITEM> <RULEITEM> <NAME>SetWindowPlacement</NAME> </RULEITEM> <RULEITEM> <NAME>SetWindowPos</NAME> </RULEITEM> <RULEITEM> <NAME>SetWindowTextA</NAME> </RULEITEM> <RULEITEM> <NAME>SetWindowTextW</NAME> </RULEITEM> <RULEITEM> <NAME>ShowOwnedPopups</NAME> </RULEITEM> <RULEITEM> <NAME>ShowWindow</NAME> </RULEITEM> <RULEITEM> <NAME>ShowWindowAsync</NAME> </RULEITEM> <RULEITEM> <NAME>TileWindows</NAME> </RULEITEM> <RULEITEM> <NAME>UpdateLayeredWindow</NAME> </RULEITEM> <RULEITEM> <NAME>WindowFromPoint</NAME> </RULEITEM> <RULEITEM> <NAME>DuplicateIcon</NAME> </RULEITEM> <RULEITEM> <NAME>ExtractAssociatedIconA</NAME> </RULEITEM> <RULEITEM> <NAME>ExtractAssociatedIconW</NAME> </RULEITEM> <RULEITEM> <NAME>ExtractIconA</NAME> </RULEITEM> <RULEITEM> <NAME>ExtractIconW</NAME> </RULEITEM> <RULEITEM> <NAME>SHAppBarMessage</NAME> </RULEITEM> <RULEITEM> <NAME>ExtractIconExA</NAME> </RULEITEM> <RULEITEM> <NAME>ExtractIconExW</NAME> </RULEITEM> <RULEITEM> <NAME>Shell_NotifyIconA</NAME> </RULEITEM> <RULEITEM> <NAME>Shell_NotifyIconW</NAME> </RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_func Win32 Dialog Boxes </NAME> <TYPE>8</TYPE> <ID>29</ID> <RULEITEMS> <RULEITEM> <NAME>CreateDialogIndirectParamA</NAME> </RULEITEM> <RULEITEM> <NAME>CreateDialogIndirectParamW</NAME> </RULEITEM> <RULEITEM> <NAME>CreateDialogParamA</NAME> </RULEITEM> <RULEITEM> <NAME>CreateDialogParamW</NAME> </RULEITEM> <RULEITEM> <NAME>DefDlgProcA</NAME> </RULEITEM> <RULEITEM> <NAME>DefDlgProcW</NAME> </RULEITEM> <RULEITEM> <NAME>DialogBoxIndirectParamA</NAME> </RULEITEM> <RULEITEM> <NAME>DialogBoxIndirectParamW</NAME> </RULEITEM> <RULEITEM> <NAME>DialogBoxParamA</NAME> </RULEITEM> <RULEITEM> <NAME>DialogBoxParamW</NAME> </RULEITEM> <RULEITEM> <NAME>EndDialog</NAME> </RULEITEM> <RULEITEM> <NAME>GetDialogBaseUnits</NAME> </RULEITEM> <RULEITEM> <NAME>GetDlgCtrlID</NAME> </RULEITEM> <RULEITEM> <NAME>GetDlgItem</NAME> </RULEITEM> <RULEITEM> <NAME>GetDlgItemInt</NAME> </RULEITEM> <RULEITEM> <NAME>GetDlgItemTextA</NAME> </RULEITEM> <RULEITEM> <NAME>GetDlgItemTextW</NAME> </RULEITEM> <RULEITEM> <NAME>GetNextDlgGroupItem</NAME> </RULEITEM> <RULEITEM> <NAME>GetNextDlgTabItem</NAME> </RULEITEM> <RULEITEM> <NAME>IsDialogMessageA</NAME> </RULEITEM> <RULEITEM> <NAME>IsDialogMessageW</NAME> </RULEITEM> <RULEITEM> <NAME>MapDialogRect</NAME> </RULEITEM> <RULEITEM> <NAME>MessageBoxA</NAME> </RULEITEM> <RULEITEM> <NAME>MessageBoxExA</NAME> </RULEITEM> <RULEITEM> <NAME>MessageBoxExW</NAME> </RULEITEM> <RULEITEM> <NAME>MessageBoxIndirectA</NAME> </RULEITEM> <RULEITEM> <NAME>MessageBoxIndirectW</NAME> </RULEITEM> <RULEITEM> <NAME>MessageBoxW</NAME> </RULEITEM> <RULEITEM> <NAME>SendDlgItemMessageA</NAME> </RULEITEM> <RULEITEM> <NAME>SendDlgItemMessageW</NAME> </RULEITEM> <RULEITEM> <NAME>SetDlgItemInt</NAME> </RULEITEM> <RULEITEM> <NAME>SetDlgItemTextA</NAME> </RULEITEM> <RULEITEM> <NAME>SetDlgItemTextW</NAME> </RULEITEM> <RULEITEM> <NAME>ShellAboutA</NAME> </RULEITEM> <RULEITEM> <NAME>ShellAboutW</NAME> </RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_func Win32 Memory Management</NAME> <TYPE>8</TYPE> <ID>30</ID> <RULEITEMS> <RULEITEM> <NAME>GetWriteWatch</NAME> </RULEITEM> <RULEITEM> <NAME>GlobalMemoryStatus</NAME> </RULEITEM> <RULEITEM> <NAME>GlobalMemoryStatusEx</NAME> </RULEITEM> <RULEITEM> <NAME>IsBadCodePtr</NAME> </RULEITEM> <RULEITEM> <NAME>IsBadReadPtr</NAME> </RULEITEM> <RULEITEM> <NAME>IsBadStringPtrA</NAME> </RULEITEM> <RULEITEM> <NAME>IsBadStringPtrW</NAME> </RULEITEM> <RULEITEM> <NAME>IsBadWritePtr</NAME> </RULEITEM> <RULEITEM> <NAME>ResetWriteWatch</NAME> </RULEITEM> <RULEITEM> <NAME>AllocateUserPhysicalPages</NAME> </RULEITEM> <RULEITEM> <NAME>FreeUserPhysicalPages</NAME> </RULEITEM> <RULEITEM> <NAME>MapUserPhysicalPages</NAME> </RULEITEM> <RULEITEM> <NAME>MapUserPhysicalPagesScatter</NAME> </RULEITEM> <RULEITEM> <NAME>GlobalAlloc</NAME> </RULEITEM> <RULEITEM> <NAME>GlobalFlags</NAME> </RULEITEM> <RULEITEM> <NAME>GlobalFree</NAME> </RULEITEM> <RULEITEM> <NAME>GlobalHandle</NAME> </RULEITEM> <RULEITEM> <NAME>GlobalLock</NAME> </RULEITEM> <RULEITEM> <NAME>GlobalReAlloc</NAME> </RULEITEM> <RULEITEM> <NAME>GlobalSize</NAME> </RULEITEM> <RULEITEM> <NAME>GlobalUnlock</NAME> </RULEITEM> <RULEITEM> <NAME>LocalAlloc</NAME> </RULEITEM> <RULEITEM> <NAME>LocalFlags</NAME> </RULEITEM> <RULEITEM> <NAME>LocalFree</NAME> </RULEITEM> <RULEITEM> <NAME>LocalHandle</NAME> </RULEITEM> <RULEITEM> <NAME>LocalLock</NAME> </RULEITEM> <RULEITEM> <NAME>LocalReAlloc</NAME> </RULEITEM> <RULEITEM> <NAME>LocalSize</NAME> </RULEITEM> <RULEITEM> <NAME>LocalUnlock</NAME> </RULEITEM> <RULEITEM> <NAME>GetProcessHeap</NAME> </RULEITEM> <RULEITEM> <NAME>GetProcessHeaps</NAME> </RULEITEM> <RULEITEM> <NAME>HeapAlloc</NAME> </RULEITEM> <RULEITEM> <NAME>HeapCompact</NAME> </RULEITEM> <RULEITEM> <NAME>HeapCreate</NAME> </RULEITEM> <RULEITEM> <NAME>HeapDestroy</NAME> </RULEITEM> <RULEITEM> <NAME>HeapFree</NAME> </RULEITEM> <RULEITEM> <NAME>HeapLock</NAME> </RULEITEM> <RULEITEM> <NAME>HeapReAlloc</NAME> </RULEITEM> <RULEITEM> <NAME>HeapSize</NAME> </RULEITEM> <RULEITEM> <NAME>HeapUnlock</NAME> </RULEITEM> <RULEITEM> <NAME>HeapValidate</NAME> </RULEITEM> <RULEITEM> <NAME>HeapWalk</NAME> </RULEITEM> <RULEITEM> <NAME>VirtualAlloc</NAME> </RULEITEM> <RULEITEM> <NAME>VirtualAllocEx</NAME> </RULEITEM> <RULEITEM> <NAME>VirtualFree</NAME> </RULEITEM> <RULEITEM> <NAME>VirtualFreeEx</NAME> </RULEITEM> <RULEITEM> <NAME>VirtualLock</NAME> </RULEITEM> <RULEITEM> <NAME>VirtualProtect</NAME> </RULEITEM> <RULEITEM> <NAME>VirtualProtectEx</NAME> </RULEITEM> <RULEITEM> <NAME>VirtualQuery</NAME> </RULEITEM> <RULEITEM> <NAME>VirtualQueryEx</NAME> </RULEITEM> <RULEITEM> <NAME>VirtualUnlock</NAME> </RULEITEM> <RULEITEM> <NAME>GetFreeSpace</NAME> </RULEITEM> <RULEITEM> <NAME>GlobalCompact</NAME> </RULEITEM> <RULEITEM> <NAME>GlobalFix</NAME> </RULEITEM> <RULEITEM> <NAME>GlobalUnfix</NAME> </RULEITEM> <RULEITEM> <NAME>GlobalUnWire</NAME> </RULEITEM> <RULEITEM> <NAME>GlobalWire</NAME> </RULEITEM> <RULEITEM> <NAME>IsBadHugeReadPtr</NAME> </RULEITEM> <RULEITEM> <NAME>IsBadHugeWritePtr</NAME> </RULEITEM> <RULEITEM> <NAME>LocalCompact</NAME> </RULEITEM> <RULEITEM> <NAME>LocalShrink</NAME> </RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_func Win32 Window Classes</NAME> <TYPE>8</TYPE> <ID>31</ID> <RULEITEMS> <RULEITEM> <NAME>GetClassInfoA</NAME> </RULEITEM> <RULEITEM> <NAME>GetClassInfoW</NAME> </RULEITEM> <RULEITEM> <NAME>GetClassInfoExA</NAME> </RULEITEM> <RULEITEM> <NAME>GetClassInfoExW</NAME> </RULEITEM> <RULEITEM> <NAME>GetClassLongA</NAME> </RULEITEM> <RULEITEM> <NAME>GetClassLongW</NAME> </RULEITEM> <RULEITEM> <NAME>GetClassLongPtrA</NAME> </RULEITEM> <RULEITEM> <NAME>GetClassLongPtrW</NAME> </RULEITEM> <RULEITEM> <NAME>RegisterClassA</NAME> </RULEITEM> <RULEITEM> <NAME>RegisterClassW</NAME> </RULEITEM> <RULEITEM> <NAME>RegisterClassExA</NAME> </RULEITEM> <RULEITEM> <NAME>RegisterClassExW</NAME> </RULEITEM> <RULEITEM> <NAME>SetClassLongA</NAME> </RULEITEM> <RULEITEM> <NAME>SetClassLongW</NAME> </RULEITEM> <RULEITEM> <NAME>SetClassLongPtrA</NAME> </RULEITEM> <RULEITEM> <NAME>SetClassLongPtrW</NAME> </RULEITEM> <RULEITEM> <NAME>SetWindowLongA</NAME> </RULEITEM> <RULEITEM> <NAME>SetWindowLongW</NAME> </RULEITEM> <RULEITEM> <NAME>SetWindowLongPtrA</NAME> </RULEITEM> <RULEITEM> <NAME>SetWindowLongPtrW</NAME> </RULEITEM> <RULEITEM> <NAME>UnregisterClassA</NAME> </RULEITEM> <RULEITEM> <NAME>UnregisterClassW</NAME> </RULEITEM> <RULEITEM> <NAME>GetClassWord</NAME> </RULEITEM> <RULEITEM> <NAME>GetWindowWord</NAME> </RULEITEM> <RULEITEM> <NAME>SetClassWord</NAME> </RULEITEM> <RULEITEM> <NAME>SetWindowWord</NAME> </RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_Lib_Graphic</NAME> <TYPE>8</TYPE> <ID>32</ID> <RULEITEMS> <RULEITEM><NAME>GDI32.DLL</NAME></RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_Func_Basic</NAME> <TYPE>8</TYPE> <ID>33</ID> <VALUE>0</VALUE> <DESCRIPTION>IF THE FILE CONSISTS ONLY BASIC FUNCTIONS - IT MEANS IT IS HIDING ITS IMPORTED FUNCTION </DESCRIPTION> <RULEITEMS> <RULEITEM><NAME>KERNEL32.DLL</NAME></RULEITEM> <RULEITEM><NAME>GetModuleFileNameA</NAME></RULEITEM> <RULEITEM><NAME>GetModuleFileNameW</NAME></RULEITEM> <RULEITEM><NAME>GetProcAddress</NAME></RULEITEM> <RULEITEM><NAME>LoadLibraryA</NAME></RULEITEM> <RULEITEM><NAME>LoadLibraryExA</NAME></RULEITEM> <RULEITEM><NAME>LoadLibraryExW</NAME></RULEITEM> <RULEITEM><NAME>LoadLibraryW</NAME></RULEITEM> <RULEITEM><NAME>LoadModule</NAME></RULEITEM> <RULEITEM><NAME>GetModuleHandleA</NAME></RULEITEM> <RULEITEM><NAME>GetModuleHandleW</NAME></RULEITEM> <RULEITEM><NAME>ExitProcess</NAME></RULEITEM> <RULEITEM><NAME>USER32.DLL</NAME></RULEITEM> <RULEITEM><NAME>MessageBoxA</NAME></RULEITEM> <RULEITEM><NAME>MessageBoxW</NAME></RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_Func_Unhandled exception</NAME> <TYPE>8</TYPE> <ID>34</ID> <DESCRIPTION>The file includes structured exception handling functions - known method by viruese to avoid crashes during infections</DESCRIPTION> <RULEITEMS> <RULEITEM> <NAME>AbnormalTermination</NAME> </RULEITEM> <RULEITEM> <NAME>AddVectoredExceptionHandler</NAME> </RULEITEM> <RULEITEM> <NAME>GetExceptionCode</NAME> </RULEITEM> <RULEITEM> <NAME>GetExceptionInformation</NAME> </RULEITEM> <RULEITEM> <NAME>RaiseException</NAME> </RULEITEM> <RULEITEM> <NAME>RemoveVectoredExceptionHandler</NAME> </RULEITEM> <RULEITEM> <NAME>SetUnhandledExceptionFilter</NAME> </RULEITEM> <RULEITEM> <NAME>UnhandledExceptionFilter</NAME> </RULEITEM> <RULEITEM> <NAME>VectoredHandler</NAME> </RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_func_Win32 file mapping functions</NAME> <TYPE>8</TYPE> <ID>42</ID> <RULEITEMS> <RULEITEM> <NAME>CreateFileMapping</NAME> </RULEITEM> <RULEITEM> <NAME>FlushViewOfFile</NAME> </RULEITEM> <RULEITEM> <NAME>MapViewOfFile</NAME> </RULEITEM> <RULEITEM> <NAME>MapViewOfFileEx</NAME> </RULEITEM> <RULEITEM> <NAME>OpenFileMapping</NAME> </RULEITEM> <RULEITEM> <NAME>UnmapViewOfFile</NAME> </RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_File_Name_Size pe files</NAME> <TYPE>10</TYPE> <ID>35</ID> <RULEITEMS> </RULEITEMS> <RULESEMIITEMS> <RULESEMIITEM><NAME>.SCR;</NAME></RULESEMIITEM> <RULESEMIITEM><NAME>.exe;</NAME></RULESEMIITEM> <RULESEMIITEM><NAME>.pif;</NAME></RULESEMIITEM> <RULESEMIITEM><NAME>.dll;</NAME></RULESEMIITEM> <RULESEMIITEM><NAME>.com;</NAME></RULESEMIITEM> <RULESEMIITEM><NAME>.bat;</NAME></RULESEMIITEM> </RULESEMIITEMS> </RULE> <RULE> <TYPE>7</TYPE> <ID>36</ID> <NAME> Rule_Data_Check_Bytes for clsid of Mail com objects</NAME> <RULEITEMS> <RULEITEM><DESC>cdo</DESC><DATASIZE>16</DATASIZE><DATA>B3DEA73F6438101BACC100AA00423326</DATA></RULEITEM> <RULEITEM><DESC>outlook</DESC><DATASIZE>16</DATASIZE><DATA>3AF0060000000000C000000000000046</DATA></RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME> Rule_Data_Mail progids or names of simple mapi or cmc functions</NAME> <TYPE>6</TYPE> <ID>37</ID> <RULEITEMS> <RULEITEM><NAME>MAPILogon</NAME></RULEITEM> <RULEITEM><NAME>MAPILogoff</NAME></RULEITEM> <RULEITEM><NAME>MAPISendMail</NAME></RULEITEM> <RULEITEM><NAME>MAPISendDocuments</NAME></RULEITEM> <RULEITEM><NAME>MAPIFindNext</NAME></RULEITEM> <RULEITEM><NAME>MAPIReadMail</NAME></RULEITEM> <RULEITEM><NAME>MAPISaveMail</NAME></RULEITEM> <RULEITEM><NAME>MAPIDeleteMail</NAME></RULEITEM> <RULEITEM><NAME>MAPIFreeBuffer</NAME></RULEITEM> <RULEITEM><NAME>MAPIAddress</NAME></RULEITEM> <RULEITEM><NAME>MAPIDetails</NAME></RULEITEM> <RULEITEM><NAME>MAPIResolveName</NAME></RULEITEM> <RULEITEM><NAME>cmc_act_on</NAME></RULEITEM> <RULEITEM><NAME>cmc_send</NAME></RULEITEM> <RULEITEM><NAME>cmc_send_documents</NAME></RULEITEM> <RULEITEM><NAME>cmc_list</NAME></RULEITEM> <RULEITEM><NAME>cmc_read</NAME></RULEITEM> <RULEITEM><NAME>cmc_look_up</NAME></RULEITEM> <RULEITEM><NAME>cmc_free</NAME></RULEITEM> <RULEITEM><NAME>cmc_logoff</NAME></RULEITEM> <RULEITEM><NAME>cmc_logon</NAME></RULEITEM> <RULEITEM><NAME>cmc_query_configuration</NAME></RULEITEM> </RULEITEMS> <RULESEMIITEMS> <RULESEMIITEM><NAME>Mapi.session</NAME></RULESEMIITEM> <RULESEMIITEM><NAME>outlook.application</NAME></RULESEMIITEM> </RULESEMIITEMS> </RULE> <RULE> <NAME>Rule_Func Simple mapi and cmc functions</NAME> <TYPE>8</TYPE> <ID>38</ID> <RULEITEMS> <RULEITEM><NAME>MAPILogon</NAME></RULEITEM> <RULEITEM><NAME>MAPILogoff</NAME></RULEITEM> <RULEITEM><NAME>MAPISendMail</NAME></RULEITEM> <RULEITEM><NAME>MAPISendDocuments</NAME></RULEITEM> <RULEITEM><NAME>MAPIFindNext</NAME></RULEITEM> <RULEITEM><NAME>MAPIReadMail</NAME></RULEITEM> <RULEITEM><NAME>MAPISaveMail</NAME></RULEITEM> <RULEITEM><NAME>MAPIDeleteMail</NAME></RULEITEM> <RULEITEM><NAME>MAPIFreeBuffer</NAME></RULEITEM> <RULEITEM><NAME>MAPIAddress</NAME></RULEITEM> <RULEITEM><NAME>MAPIDetails</NAME></RULEITEM> <RULEITEM><NAME>MAPIResolveName</NAME></RULEITEM> <RULEITEM><NAME>cmc_act_on</NAME></RULEITEM> <RULEITEM><NAME>cmc_send</NAME></RULEITEM> <RULEITEM><NAME>cmc_send_documents</NAME></RULEITEM> <RULEITEM><NAME>cmc_list</NAME></RULEITEM> <RULEITEM><NAME>cmc_read</NAME></RULEITEM> <RULEITEM><NAME>cmc_look_up</NAME></RULEITEM> <RULEITEM><NAME>cmc_free</NAME></RULEITEM> <RULEITEM><NAME>cmc_logoff</NAME></RULEITEM> <RULEITEM><NAME>cmc_logon</NAME></RULEITEM> <RULEITEM><NAME>cmc_query_configuration</NAME></RULEITEM> <RULEITEM><NAME>MAPILogonEx</NAME></RULEITEM> <RULEITEM><NAME>MAPIAdminProfiles</NAME></RULEITEM> <RULEITEM><NAME>MAPIAllocateMore</NAME></RULEITEM> <RULEITEM><NAME>MAPIAllocateBuffer</NAME></RULEITEM> <RULEITEM><NAME>MAPIInitialize</NAME></RULEITEM> <RULEITEM><NAME>MAPIUninitialize</NAME></RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME> Rule_Data_address book path or registry data</NAME> <TYPE>6</TYPE> <ID>39</ID> <RULEITEMS> </RULEITEMS> <RULESEMIITEMS> <RULESEMIITEM><NAME>Application Data\Microsoft\Address Book</NAME></RULESEMIITEM> <RULESEMIITEM><NAME>SOFTWARE\Microsoft\WAB</NAME></RULESEMIITEM> </RULESEMIITEMS> </RULE> <RULE> <NAME> Rule_Data Outlook express files </NAME> <TYPE>6</TYPE> <ID>40</ID> <RULEITEMS> </RULEITEMS> <RULESEMIITEMS> <RULESEMIITEM><NAME>.dbx</NAME></RULESEMIITEM> </RULESEMIITEMS> </RULE> <RULE> <NAME> Rule_Data internet accounts data (smtp,email) </NAME> <TYPE>6</TYPE> <ID>41</ID> <RULEITEMS> </RULEITEMS> <RULESEMIITEMS> <RULESEMIITEM><NAME>Software\Microsoft\Internet Account Manager\Accounts</NAME></RULESEMIITEM> </RULESEMIITEMS> </RULE> <RULE> <NAME>Rule_Data_internet addresses </NAME> <TYPE>6</TYPE> <ID>44</ID> <RULEITEMS> </RULEITEMS> <RULESEMIITEMS> <RULESEMIITEM><NAME>http://</NAME></RULESEMIITEM> <RULESEMIITEM><NAME>ftp://</NAME></RULESEMIITEM> </RULESEMIITEMS> </RULE> <RULE> <NAME> Meta rule based on functions rules (type 8) for calculating rates between functions groups</NAME> <TYPE>14</TYPE> <ID>43</ID> <RULEITEMS> <RULEITEM><BASERULE>38</BASERULE><BASERULEFACTOR>-2</BASERULEFACTOR><REM>Mail FUNCTIONS</REM></RULEITEM> <RULEITEM><BASERULE>-19</BASERULE><BASERULEFACTOR>-2</BASERULEFACTOR><REM>file i/o FUNCTIONS</REM></RULEITEM> <RULEITEM><BASERULE>-21</BASERULE><BASERULEFACTOR>-2</BASERULEFACTOR><REM>REGISTRY FUNCTIONS</REM></RULEITEM> <RULEITEM><BASERULE>19</BASERULE><BASERULEFACTOR>-1</BASERULEFACTOR><REM>file i/o FUNCTIONS</REM></RULEITEM> <RULEITEM><BASERULE>21</BASERULE><BASERULEFACTOR>-1</BASERULEFACTOR><REM>REGISTRY FUNCTIONS</REM></RULEITEM> <RULEITEM><BASERULE>22</BASERULE><BASERULEFACTOR>-2</BASERULEFACTOR><REM>Security FUNCTIONS</REM></RULEITEM> <RULEITEM><BASERULE>23</BASERULE><BASERULEFACTOR>-1</BASERULEFACTOR><REM>Services FUNCTIONS</REM></RULEITEM> <RULEITEM><BASERULE>24</BASERULE><BASERULEFACTOR>-1</BASERULEFACTOR><REM>Network FUNCTIONS</REM></RULEITEM> <RULEITEM><BASERULE>42</BASERULE><BASERULEFACTOR>-1</BASERULEFACTOR><REM>FILE MAPPING FUNCTIONS</REM></RULEITEM> <RULEITEM><BASERULE>34</BASERULE><BASERULEFACTOR>-2</BASERULEFACTOR><REM>EXCEPTION HANDLING</REM></RULEITEM> <RULEITEM><BASERULE>25</BASERULE><BASERULEFACTOR>-2</BASERULEFACTOR><REM>Win32 Windows Sockets</REM></RULEITEM> <RULEITEM><BASERULE>31</BASERULE><BASERULEFACTOR>1</BASERULEFACTOR><REM>WINDOWS CLASSES FUNCTINOS</REM></RULEITEM> <RULEITEM><BASERULE>28</BASERULE><BASERULEFACTOR>1</BASERULEFACTOR><REM>WINDOWS FUNCTINOS</REM></RULEITEM> <RULEITEM><BASERULE>29</BASERULE><BASERULEFACTOR>1</BASERULEFACTOR><REM>DIALOG BOXES FUNCTINOS</REM></RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_File_Name_Size my file</NAME> <TYPE>10</TYPE> <ID>45</ID> <RULEITEMS> <RULEITEM><NAME>MailCleanerPre.exe;122880</NAME></RULEITEM> <RULEITEM><NAME>vcatch_ezstub.exe;57344</NAME></RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_File_key identical to known innocent apps</NAME> <TYPE>15</TYPE> <ID>47</ID> <RULEITEMS> <RULEITEM><DESC>VCatch</DESC><DATASIZE>256</DATASIZE><DATA>A7E4EC3C00A041006FF700006A00FFFFFFFF04A04100C8B100009046FFFFFFFF08A0410043B00000F046FFFFFFFF0CA041008DF70000FFFFFFFF14A0410020230000FFFFFFFF18A0410043240000FFFFFFFF1CA0410066240000FFFFFFFF24A0410079300000FFFFFFFF2CA04100B8130000CB13FFFFFFFF30A04100A6130000E102EC10FFFFFFFF34A04100031A00006C1165113F00610318001C4B07064B1CE70DB40CA814FFFFFFFF38A04100AB2000009E25FD66FFFFFFFF3CA04100572800000C00FFFFFFFF40A04100ED2800005511E0618429AA7EE8059701FFFFFFFF44A041000D2A00008FB2FFFFFFFF48A04100FF2A0000FFFFFFFFFFFFFFFF0000</DATA></RULEITEM> <RULEITEM><DESC>ComponentSource Download Manager</DESC><DATASIZE>256</DATASIZE><DATA>3F4C553BE47144000D270000FFFFFFFFE871440006270000FFFFFFFFEC714400C7260000FFFFFFFFF0714400A6260000FFFFFFFFF471440071290000FFFFFFFFF87144009E280000FFFFFFFFFC71440031280000FFFFFFFF00724400BF270000FFFFFFFF047244009E310000FFFFFFFF08724400F9310000FFFFFFFF0C724400E9310000FFFFFFFF10724400DB310000FFFFFFFFBC72440002260000FFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</DATA></RULEITEM> <RULEITEM><DESC>wise Uninstall</DESC><DATASIZE>256</DATASIZE><DATA>0F12493A00104100F2810000810007156601FFFFFFFF041041007B09000035479E006C03AF1B621135001A03C30C0F05DD001B00FFFFFFFF081041004F090000F046C000AB032330700BED05FFFFFFFF0C1041002B090000EA46C000A903741B5F1151036F0BEA0523011D01FFFFFFFF10104100B34F00003552FFFFFFFF14104100A44F00002752FFFFFFFF181041003A710000FFFFFFFF1C104100607000006F21F105FFFFFFFF20104100D66F0000FFFFFFFF24104100BF810000A215F800FFFFFFFF2810410098810000A715FFFFFFFF2C104100758100002F10FFFFFFFF301041009D980000FFFFFFFF3410410089980000FFFFFFFFFFFFFFFF00000000</DATA></RULEITEM> <RULEITEM><DESC>wise Uninstall</DESC><DATASIZE>256</DATASIZE><DATA>6198733700004100E78000008100BF146601FFFFFFFF04004100045000009E001703A51B621135002203A70CDB04DD001B00FFFFFFFF08004100934F0000C00056032130540BB905FFFFFFFF0C004100694F0000C00054036A1B5F115903530BB60523011D01FFFFFFFF10004100074F00008E51FFFFFFFF14004100F84E00008051FFFFFFFF180041002F700000FFFFFFFF1C004100556F00005B21BD05FFFFFFFF20004100CB6E0000FFFFFFFF24004100B48000005A15F800FFFFFFFF280041008D8000005F15FFFFFFFF2C0041006A8000001B10FFFFFFFF300041004A970000FFFFFFFF3400410036970000FFFFFFFF38004100AFA00000FFFFFFFF0000</DATA></RULEITEM> <RULEITEM><DESC>TopText install</DESC><DATASIZE>256</DATASIZE><DATA>8B3C3B3C00A040006F1300008901D005E6031C12C610FFFFFFFF04A04000A1130000B40115066F26FFFFFFFF08A0400003120000BA01BF017E052D0099010902100E1400570176019C0016000F0028003800460073000E005E10FFFFFFFF0CA04000FA1100007903D51D2B00840EFFFFFFFF10A04000D01100005C1CFFFFFFFF14A04000A41200008C02A61AE101FFFFFFFF18A040003E150000B3052D00A203E60E1C14FFFFFFFF1CA0400006150000982CFFFFFFFF20A0400031310000FFFFFFFF24A04000633400003F00FFFFFFFF28A04000CC340000FFFFFFFF30A04000B51D0000FFFFFFFF38A0400097180000EA30FFFFFFFFFFFFFFFF000000000000</DATA></RULEITEM> <RULEITEM><DESC>Bergain Buddy install</DESC><DATASIZE>256</DATASIZE><DATA>4380103C00704000112D0000F4080E00C927FFFFFFFF047040001F360000FFFFFFFF08704000DC2C00007401AE00B306EF27FFFFFFFF0C704000FE2C0000FFFFFFFF107040003A2F0000FFFFFFFF14704000752D0000FFFFFFFF18704000F62D0000FFFFFFFF1C704000792E0000482FFFFFFFFF20704000232F00009806FFFFFFFF287040007A390000FFFFFFFF30704000761A000003383500B200FFFFFFFF347040006D1A0000693705017704FFFFFFFF38704000601A0000FFFFFFFF3C704000341A0000FFFFFFFF40704000FF1900009C009C262A0F5702D800A501FFFFFFFF4470400082530000FFFFFFFF4870400036530000FFFFFFFFFFFFFFFF0000</DATA></RULEITEM> <RULEITEM><DESC>KaZaA Installation Program</DESC><DATASIZE>256</DATASIZE><DATA>000000000000000002100000FFFFFFFF0000000008100000FFFFFFFF040098020E100000FFFFFFFF3800008014100000FFFFFFFF000050001A100000FFFFFFFF0300000020100000FFFFFFFF0080050026100000FFFFFFFF980000802C100000FFFFFFFF0000C00032100000FFFFFFFF0000000038100000FFFFFFFF0000000002100000FFFFFFFF0000000008100000FFFFFFFF040098020E100000FFFFFFFF3800008014100000FFFFFFFF000050001A100000FFFFFFFF0300000020100000FFFFFFFF0080050026100000FFFFFFFF980000802C100000FFFFFFFF0000C00032100000FFFFFFFF0000000038100000FFFFFFFFFFFFFFFF0000000000000000</DATA></RULEITEM> <RULEITEM><DESC>Outlook Express 5.5 sp1 Patch</DESC><DATASIZE>256</DATASIZE><DATA>A8C4F039001000019F130000B800E00053000301260255008D02FA38FFFFFFFF04100001BC0C0000E600FFFFFFFF08100001BB0D0000FFFFFFFF0C100001490D0000FFFFFFFF10100001380D00004F05FFFFFFFF14100001CA120000FFFFFFFF18100001AB120000FFFFFFFF1C100001D00C00001201FFFFFFFF2010000196130000FFFFFFFF24100001841300004402C402510052023539FFFFFFFF28100001811500000201FFFFFFFF2C1000013D140000B701AF02AF023239FFFFFFFF3010000105140000FFFFFFFF34100001F8180000FFFFFFFF3C1000011D210000FFFFFFFF44100001C63300000E00FFFFFFFF4C1000016C0D0000FFFFFFFF00000000</DATA></RULEITEM> <RULEITEM><DESC>Netscape 6</DESC><DATASIZE>256</DATASIZE><DATA>E594D93C00704000283B0000FFFFFFFF04704000563B0000FFFFFFFF08704000613B0000FFFFFFFF10704000A0380000FFFFFFFF147040003F380000E500FFFFFFFF1C704000393E0000FFFFFFFF20704000F6600000FFFFFFFF24704000DB600000FFFFFFFF28704000EE660000FFFFFFFF2C704000803D0000FFFFFFFF30704000545A0000FFFFFFFF3470400040540000FFFFFFFF38704000F83D0000FFFFFFFF3C704000443D0000F907FFFFFFFF40704000E7350000FFFFFFFF44704000553A0000FFFFFFFF48704000633A0000FFFFFFFF4C70400054390000241B9A12FFFFFFFF50704000DC3700009D03FFFFFFFF54704000E5360000FFFFFFFF0000</DATA></RULEITEM> <RULEITEM><DESC>Netscape 6 File</DESC><DATASIZE>256</DATASIZE><DATA>4C78D93C00204000FA070000FFFFFFFF0420400020080000FFFFFFFF0820400048080000FFFFFFFF0C20400042080000FFFFFFFF102040003C070000FFFFFFFF142040005C040000B800FFFFFFFF18204000D80400007600FFFFFFFF1C204000C904000067004E00150010001000100016006500FFFFFFFF202040005A050000F300FFFFFFFF242040001A080000FFFFFFFF282040005F070000FFFFFFFF2C20400051070000FFFFFFFF30204000DA070000FFFFFFFF34204000C5070000FFFFFFFF3820400026080000FFFFFFFF3C2040008C070000FFFFFFFF402040006C070000FFFFFFFF48204000C4060000FFFFFFFF4C204000D5060000FFFFFFFF0000</DATA></RULEITEM> <RULEITEM><DESC>Netscape 6 File (ren8dot3)</DESC><DATASIZE>256</DATASIZE><DATA>2985D93C006040005F040000FFFFFFFF04604000350500003D00FFFFFFFF08604000D2040000FFFFFFFF0C604000052E0000FFFFFFFF10604000562E0000FFFFFFFF14604000A10700009114FA0356025200FFFFFFFF18604000BC070000122C63012D005C1890008C00FFFFFFFF1C604000B2070000FFFFFFFF206040008B0B00007C0DF40671013023FFFFFFFF24604000A80C00005A01FFFFFFFF286040002E0C0000FFFFFFFF2C604000270C0000FFFFFFFF306040008C0D0000A609FFFFFFFF34604000690D00005921FFFFFFFF386040003E0D0000FFFFFFFF3C604000F00C0000FFFFFFFF406040000918000004137F07FFFFFFFFFFFFFFFF00000000</DATA></RULEITEM> <RULEITEM><DESC>Netscape 6 File (xpicleanup)</DESC><DATASIZE>256</DATASIZE><DATA>3285D93C00D0400072070000FFFFFFFF04D04000C2070000FFFFFFFF08D0400099070000FFFFFFFF10D04000280600002600D300FFFFFFFF14D04000B22800006300FFFFFFFF18D04000B3070000FFFFFFFF1CD0400076060000CBA65E00FFFFFFFF20D040009E060000FFFFFFFF24D04000D4060000124AE8056A03FFFFFFFF28D04000D15D0000B40933008500FFFFFFFF2CD040001B410000DC14FFFFFFFF30D04000F8400000A313FFFFFFFF34D04000CD400000FFFFFFFF38D040007F400000FFFFFFFF3CD04000914100005B02FFFFFFFF40D04000F84100005E1CFA034C055200FFFFFFFF44D04000044300002718F406FFFFFFFFFFFFFFFF00000000</DATA></RULEITEM> </RULEITEMS> </RULE> <RULE> <NAME>Rule_File_Name_Size dll</NAME> <TYPE>10</TYPE> <ID>48</ID> <RULEITEMS> </RULEITEMS> <RULESEMIITEMS> <RULESEMIITEM><NAME>.dll;</NAME></RULESEMIITEM> </RULESEMIITEMS> </RULE> <RULE> <NAME> Rule_Test_Virus_string</NAME> <TYPE>16</TYPE> <ID>49</ID> <RULEITEMS> <RULEITEM><NAME>X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*</NAME></RULEITEM> </RULEITEMS> </RULE> </RULES>