ring3下利用WMI监视进程创建(vc版)
2011-07-18 11:02
483 查看
#include "stdafx.h"
#define _WIN32_DCOM
#include <iostream>
using namespace std;
#include <comdef.h>
#include <Wbemidl.h>
# pragma comment(lib, "wbemuuid.lib")
int main(int argc, char **argv)
{
HRESULT hres;
hres = CoInitializeEx(0, COINIT_MULTITHREADED);
if (FAILED(hres))
{
cout << "Failed to initialize COM library. "
<< "Error code = 0x"
<< hex << hres << endl;
return 1;
}
IWbemLocator *pLoc = 0;
HRESULT hr;
hr = CoCreateInstance(CLSID_WbemLocator, 0,
CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID *) &pLoc);
if (FAILED(hr))
{
cout << "Failed to create IWbemLocator object. Err code = 0x"
<< hex << hr << endl;
return hr; // Program has failed.
}
IWbemServices *pSvc = 0;
bstr_t strNetworkResource("ROOT\\CIMV2");
hr = pLoc->ConnectServer(
strNetworkResource,
NULL, NULL, 0, NULL, 0, 0, &pSvc);
if (FAILED(hr))
{
cout << "Could not connect. Error code = 0x"
<< hex << hr << endl;
pLoc->Release();
CoUninitialize();
return hr; // Program has failed.
}
cout << "Connected to WMI" << endl;
// Set the proxy so that impersonation of the client occurs.
hr = CoSetProxyBlanket(pSvc,
RPC_C_AUTHN_WINNT,
RPC_C_AUTHZ_NONE,
NULL,
RPC_C_AUTHN_LEVEL_CALL,
RPC_C_IMP_LEVEL_IMPERSONATE,
NULL,
EOAC_NONE
);
if (FAILED(hr))
{
cout << "Could not set proxy blanket. Error code = 0x"
<< hex << hr << endl;
pSvc->Release();
pLoc->Release();
CoUninitialize();
return hr;
}
bstr_t strLang("WQL");
//监视taskmgr.exe进程创建
bstr_t strQuery("SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'taskmgr.exe'");
IEnumWbemClassObject* pResult = NULL;
hr = pSvc->ExecNotificationQuery(strLang, strQuery, WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, NULL, &pResult);
if(SUCCEEDED(hr))
{
do{
IWbemClassObject* pObject = NULL;
ULONG lCnt = 0;
hr = pResult->Next(WBEM_INFINITE, 1, &pObject, &lCnt);
if(SUCCEEDED(hr) && pObject)
{
cout<<"taskmgr.exe进程已创建"<<endl;
break; //退出
}
}while(true);
}
pSvc->Release();
pLoc->Release();
CoUninitialize();
CoUninitialize();
return 0; // Program successfully completed.
}
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- ring3下利用WMI监视进程创建(vc版)
- ring3下利用WMI监视进程创建(vc版)
- VB 利用WMI进行进程监视
- 利用WMI实现ring3进程监控 - vc
- 小试X64 inline HOOK,hook explorer.exe--->CreateProcessInternalW监视进程创建
- 监视系统中进程的创建和终止
- 利用钩子技术控制进程创建
- 利用cron监视后台进程状态(二)
- 利用CreateProcess API函数来创建相应的进程
- 用VBS实现监视进程创建与删除的代码
- 求VC版本如何利用WMI获得磁盘信息 VC/MFC / 进程/线程/DLL - 社区 community.csdn.net
- linux下利用fork()函数创建进程
- 如何利用Win32服务进程去创建一个GUI用户进程?
- 利用钩子技术控制进程创建
- VB 利用WMI进行USB监视
- 创建ASP.NET监视服务器进程
- 利用Java.lang.Process和ProcessBuilder创建本地应用程序进程
- VB 利用WMI进行PNP监视
- 创建ASP.NET监视服务器进程
- C# 双保险进程监视器 lol 保证被监视的程序"几乎"永远运行. 关键字:进程操作 进程查看 创建进程