Working with WMI

bitcoin · June 24, 2019, 02:44:54 PM

Hello, I don't know how use WMI, because its terrible COM everywhere

This sample https://github.com/Frankie-PellesC/fSDK/tree/master/Samples_and_Tests/WMI/Notifications_WMI

How (and where) I can get new (created) process name and handle?

I want to write some monitoring tool, to track CreateProcess (and suspend it). How to do it? Help please

TimoVJL · June 24, 2019, 06:45:23 PM

for that frankie's example:

Code Select

HRESULT STDMETHODCALLTYPE EventSink_Indicate(IWbemObjectSink *this, long lObjectCount, IWbemClassObject **apObjArray)
{
	for (int i = 0; i < lObjectCount; i++)
	{
		printf("Event occurred %d/%d\n", i, lObjectCount);
		IWbemClassObject *pIWbemClassObject = apObjArray[i];
		//IWbemClassObject *pIWbemClassObject = *apObjArray;
		VARIANT vcn;
		HRESULT hr;
		if (!(hr = pIWbemClassObject->lpVtbl->Get(pIWbemClassObject, L"__Class", 0, &vcn, NULL, NULL)))
		{
			if (vcn.vt == VT_BSTR)
				printf("%ls\n", vcn.bstrVal);
			VariantClear(&vcn);
		}
		else
			printf("error: 0x%Xh\n", hr);
		if (!(hr = pIWbemClassObject->lpVtbl->Get(pIWbemClassObject, L"TargetInstance", 0, &vcn, NULL, NULL)))
		{
			IUnknown *pUnk = vcn.punkVal;
			IWbemClassObject *pIWbemClassObject1;
			if (!(hr = pUnk->lpVtbl->QueryInterface(pUnk, &IID_IWbemClassObject, (void **)&pIWbemClassObject1)))
			{
				VARIANT vcn1;
				if (!(hr = pIWbemClassObject1->lpVtbl->Get(pIWbemClassObject1, L"Name", 0, &vcn1, NULL, NULL)))
				{
					printf("%ls\t", vcn1.bstrVal);
					VariantClear(&vcn1);
				}
				VARIANT vcn2;
				if (!(hr = pIWbemClassObject1->lpVtbl->Get(pIWbemClassObject1, L"Handle", 0, &vcn2, NULL, NULL)))
				{
					printf("%ls\n", vcn2.bstrVal);
					VariantClear(&vcn2);
				}

			}
			VariantClear(&vcn);
		}
		else
			printf("error: 0x%Xh\n", hr);
	}

	return WBEM_S_NO_ERROR;
}

bitcoin · June 24, 2019, 08:03:34 PM

Thank you, it works! Can you tell me - if I want to track process always (forever) , will it be enough to replace Sleep (10000) to Sleep(INFINITE)? Or no?

I want to code service or program , that must works always, with windows startup to shutdown.

TimoVJL · June 24, 2019, 08:25:12 PM

In my test, i used WaitForSingleObject(GetCurrentProcess(), INFINITE);

psapi could be another option for program.

bitcoin · June 24, 2019, 08:57:54 PM

Quote from: TimoVJL on June 24, 2019, 08:25:12 PM
psapi could be another option for program.

In psapi I must call EnumProcesses (or what you mean) every 5 (or more/less ) seconds. So, it may be load processor or skip some process.
In WMI we have events..but COM is terrible hard.

bitcoin · June 25, 2019, 10:11:55 AM

Is call CoSetProxyBlanket required? Or I can skip it? I don't understand this api.

TimoVJL · June 27, 2019, 11:23:47 AM

Maybe that 'blanket' is for RPC ?

An example to avoid notepad.exe running

Code Select

HRESULT STDMETHODCALLTYPE EventSink_Indicate(IWbemObjectSink *this, long lObjectCount, IWbemClassObject **apObjArray)
{
	for (int i = 0; i < lObjectCount; i++)
	{
		printf("Event occurred %d/%d\n", i, lObjectCount);
		IWbemClassObject *pIWbemClassObject = apObjArray[i];
		//IWbemClassObject *pIWbemClassObject = *apObjArray;
		VARIANT vcn;
		HRESULT hr;
		if (!(hr = pIWbemClassObject->lpVtbl->Get(pIWbemClassObject, L"__Class", 0, &vcn, NULL, NULL)))
		{
			if (vcn.vt == VT_BSTR)
				printf("%ls\n", vcn.bstrVal);
			VariantClear(&vcn);
		}
		else
			printf("error: 0x%Xh\n", hr);
		if (!(hr = pIWbemClassObject->lpVtbl->Get(pIWbemClassObject, L"TargetInstance", 0, &vcn, NULL, NULL)))
		{
			IUnknown *pUnk = vcn.punkVal;
			IWbemClassObject *pIWbemClassObject1;
			if (!(hr = pUnk->lpVtbl->QueryInterface(pUnk, &IID_IWbemClassObject, (void **)&pIWbemClassObject1)))
			{
				BOOL bFound = 0;
				UINT pid;
				VARIANT vcn1;
				if (!(hr = pIWbemClassObject1->lpVtbl->Get(pIWbemClassObject1, L"Name", 0, &vcn1, NULL, NULL)))
				{
					printf("%ls\t", vcn1.bstrVal);
					bFound = !wcscmp(vcn1.bstrVal, L"notepad.exe");
					VariantClear(&vcn1);
				}
				VARIANT vcn2;
				if (!(hr = pIWbemClassObject1->lpVtbl->Get(pIWbemClassObject1, L"Handle", 0, &vcn2, NULL, NULL)))
				{
					printf("%ls\n", vcn2.bstrVal);
					pid = wcstoul(vcn2.bstrVal, 0, 10);
					VariantClear(&vcn2);
				}
				if (bFound) {
					printf("found: %d\n", pid);
					HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
					TerminateProcess(hProc, 0);
				}

			}
			VariantClear(&vcn);
		}
		else
			printf("error: 0x%Xh\n", hr);
	}

	return WBEM_S_NO_ERROR;
}

bitcoin · June 27, 2019, 05:23:17 PM

Yes, it works! Thank you!

Yesterday,I tried to do

Code Select


VARIANT vcn3;
if (!(hr = pIWbemClassObject1->lpVtbl->Get(pIWbemClassObject1,L"ProcessId",0,&vcn3,NULL,NULL)))
{
TerminateProcess((void*)vcn3.intVal,0);

This shit don't works (unlike of your code). Thanks!

bitcoin · September 24, 2020, 06:10:17 PM

Hello,
how I can to terminate process without winapi? I saw that Win32_Process have method Terminate , but how to call it?

TimoVJL · September 25, 2020, 07:26:46 AM

https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/terminate-method-in-class-win32-process

News:

Working with WMI