ring3下利用WMI监视进程创建(vc版)
2011-07-18 11:02
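#include "stdafx.h"
// NOTE(review): _WIN32_DCOM must be visible before the Windows headers that
// declare CoInitializeEx/CoSetProxyBlanket. If stdafx.h already pulls in
// <windows.h>, this define arrives too late — TODO confirm against stdafx.h.
#define _WIN32_DCOM
#include <iostream>
#include <comdef.h>
#include <Wbemidl.h>
#pragma comment(lib, "wbemuuid.lib")

/// Print a failed HRESULT in the same "... Error code = 0x<hex>" shape used
/// throughout this sample, restoring decimal output afterwards.
static void ReportFailure(const char *what, HRESULT hr)
{
    std::cout << what << " Error code = 0x" << std::hex << hr << std::dec << std::endl;
}

/// User-mode (ring 3) process-creation monitor built on WMI.
///
/// Connects to the local ROOT\CIMV2 namespace, subscribes to
/// __InstanceCreationEvent for Win32_Process instances named taskmgr.exe,
/// blocks until the first matching event is delivered, prints a message and
/// exits. Returns 0 when an event was received, 1 on any COM/WMI failure.
///
/// Detection caveats a reader should keep in mind:
///  - `WITHIN 1` makes this a *polled* event: WMI samples Win32_Process about
///    once per second, so a process that starts and exits inside that window
///    is never reported. This is a demonstration, not an audit trail.
///  - The filter compares TargetInstance.Name only, i.e. the on-disk file
///    name of the image; it does not verify the image path or signature.
int main(int argc, char **argv)
{
    HRESULT hr = CoInitializeEx(0, COINIT_MULTITHREADED);
    if (FAILED(hr)) {
        ReportFailure("Failed to initialize COM library.", hr);
        return 1;
    }

    IWbemLocator *pLoc = nullptr;
    hr = CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER,
                          IID_IWbemLocator, reinterpret_cast<LPVOID *>(&pLoc));
    if (FAILED(hr)) {
        ReportFailure("Failed to create IWbemLocator object.", hr);
        CoUninitialize();   // original skipped this on the CoCreateInstance path
        return 1;
    }

    // Connect with the caller's own credentials (NULL user/password) to the
    // local namespace; no remote host is involved.
    IWbemServices *pSvc = nullptr;
    bstr_t strNetworkResource("ROOT\\CIMV2");
    hr = pLoc->ConnectServer(strNetworkResource, NULL, NULL, 0, NULL, 0, 0, &pSvc);
    if (FAILED(hr)) {
        ReportFailure("Could not connect.", hr);
        pLoc->Release();
        CoUninitialize();
        return 1;
    }
    std::cout << "Connected to WMI" << std::endl;

    // Set the proxy so that impersonation of the client occurs. This sample
    // talks to a local namespace only; a remote connection would normally
    // want a stronger authentication level (e.g. RPC_C_AUTHN_LEVEL_PKT_PRIVACY).
    hr = CoSetProxyBlanket(pSvc, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL,
                           RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE,
                           NULL, EOAC_NONE);
    if (FAILED(hr)) {
        ReportFailure("Could not set proxy blanket.", hr);
        pSvc->Release();
        pLoc->Release();
        CoUninitialize();
        return 1;
    }

    // Watch for creation of the taskmgr.exe process (polled once per second).
    bstr_t strLang("WQL");
    bstr_t strQuery("SELECT * FROM __InstanceCreationEvent WITHIN 1 "
                    "WHERE TargetInstance ISA 'Win32_Process' "
                    "AND TargetInstance.Name = 'taskmgr.exe'");

    int exitCode = 0;
    IEnumWbemClassObject *pResult = nullptr;
    hr = pSvc->ExecNotificationQuery(strLang, strQuery,
                                     WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY,
                                     NULL, &pResult);
    if (FAILED(hr)) {
        // The original silently fell through and reported success here.
        ReportFailure("Event query failed.", hr);
        exitCode = 1;
    } else {
        for (;;) {
            IWbemClassObject *pObject = nullptr;
            ULONG returned = 0;
            hr = pResult->Next(WBEM_INFINITE, 1, &pObject, &returned);
            if (FAILED(hr)) {
                // A broken enumerator would otherwise make the loop spin forever.
                ReportFailure("Event enumeration failed.", hr);
                exitCode = 1;
                break;
            }
            if (returned == 0 || pObject == nullptr) {
                continue;   // nothing delivered yet; keep waiting
            }
            std::cout << "taskmgr.exe进程已创建" << std::endl;
            pObject->Release();   // the original leaked the event object
            break;                // exit after the first match
        }
        pResult->Release();       // the original never released the enumerator
    }

    pSvc->Release();
    pLoc->Release();
    CoUninitialize();   // exactly once, matching the single CoInitializeEx
    return exitCode;
}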