
ring3下利用WMI监视进程创建(vc版)


#include "stdafx.h"

#define _WIN32_DCOM

#include <iostream>

using namespace std;

#include <comdef.h>

#include <Wbemidl.h>

# pragma comment(lib, "wbemuuid.lib")

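namespace
{
// Scope guards (C++03-compatible, no ATL/WRL dependency) so that every early
// return from main releases each COM interface exactly once and balances the
// single CoInitializeEx with a single CoUninitialize. The original called
// CoUninitialize twice on the success path and never released the enumerator
// or the event object returned by Next().
struct CoInitGuard
{
    ~CoInitGuard() { CoUninitialize(); }
};

template <typename T>
class ComPtrGuard
{
public:
    explicit ComPtrGuard(T *p) : p_(p) {}
    ~ComPtrGuard()
    {
        if (p_)
            p_->Release();
    }

private:
    ComPtrGuard(const ComPtrGuard &);            // single owner: not copyable
    ComPtrGuard &operator=(const ComPtrGuard &); // (declared, never defined)
    T *p_;
};
} // namespace

// Entry point: subscribe to WMI process-creation events and block until a
// process named taskmgr.exe is created, report it, then exit.
//
// Returns 0 when the event was observed, 1 when COM could not be initialized,
// and otherwise the failing HRESULT (kept from the original) so a caller can
// tell the failure stages apart.
//
// Notes for anyone reusing this as a monitoring building block:
//  - __InstanceCreationEvent ... WITHIN 1 is a polled intrinsic event: WMI
//    samples Win32_Process about once per second, so a process that starts
//    and exits inside that window is not guaranteed to be reported.
//  - The WQL text is a fixed literal. If the process name is ever taken from
//    external input it must be escaped before being spliced into the query.
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    HRESULT hr = CoInitializeEx(0, COINIT_MULTITHREADED);
    if (FAILED(hr))
    {
        std::cout << "Failed to initialize COM library. "
                  << "Error code = 0x"
                  << std::hex << hr << std::endl;
        return 1;
    }
    CoInitGuard coInit; // CoUninitialize() runs once on every path out of main

    // Process-wide default security. The documented WMI client sequence sets
    // this before creating the locator so the proxy settings applied below are
    // consistent for every interface obtained from WMI.
    hr = CoInitializeSecurity(NULL, -1, NULL, NULL,
                              RPC_C_AUTHN_LEVEL_DEFAULT,
                              RPC_C_IMP_LEVEL_IMPERSONATE,
                              NULL, EOAC_NONE, NULL);
    if (FAILED(hr))
    {
        std::cout << "Failed to initialize security. Error code = 0x"
                  << std::hex << hr << std::endl;
        return hr; // Program has failed.
    }

    IWbemLocator *pLoc = 0;
    hr = CoCreateInstance(CLSID_WbemLocator, 0,
                          CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID *)&pLoc);
    if (FAILED(hr))
    {
        std::cout << "Failed to create IWbemLocator object. Err code = 0x"
                  << std::hex << hr << std::endl;
        return hr; // Program has failed.
    }
    ComPtrGuard<IWbemLocator> locGuard(pLoc);

    IWbemServices *pSvc = 0;
    bstr_t strNetworkResource("ROOT\\CIMV2");
    hr = pLoc->ConnectServer(strNetworkResource,
                             NULL, NULL, 0, NULL, 0, 0, &pSvc);
    if (FAILED(hr))
    {
        std::cout << "Could not connect. Error code = 0x"
                  << std::hex << hr << std::endl;
        return hr; // Program has failed.
    }
    ComPtrGuard<IWbemServices> svcGuard(pSvc);

    std::cout << "Connected to WMI" << std::endl;

    // Set the proxy so that impersonation of the client occurs.
    hr = CoSetProxyBlanket(pSvc,
                           RPC_C_AUTHN_WINNT,
                           RPC_C_AUTHZ_NONE,
                           NULL,
                           RPC_C_AUTHN_LEVEL_CALL,
                           RPC_C_IMP_LEVEL_IMPERSONATE,
                           NULL,
                           EOAC_NONE);
    if (FAILED(hr))
    {
        std::cout << "Could not set proxy blanket. Error code = 0x"
                  << std::hex << hr << std::endl;
        return hr;
    }

    bstr_t strLang("WQL");

    // Watch for creation of the taskmgr.exe process.
    bstr_t strQuery("SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'taskmgr.exe'");

    IEnumWbemClassObject *pResult = NULL;
    hr = pSvc->ExecNotificationQuery(strLang, strQuery,
                                     WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY,
                                     NULL, &pResult);
    if (FAILED(hr))
    {
        // The original fell through to "return 0" here, reporting success for
        // a subscription that was never established.
        std::cout << "Event query failed. Error code = 0x"
                  << std::hex << hr << std::endl;
        return hr;
    }
    ComPtrGuard<IEnumWbemClassObject> resultGuard(pResult);

    // Block until the first matching event arrives. Next() may also return
    // without an object (lCnt == 0) or fail outright (e.g. the WMI service
    // goes away); the original spun forever in the failure case.
    for (;;)
    {
        IWbemClassObject *pObject = NULL;
        ULONG lCnt = 0;
        hr = pResult->Next(WBEM_INFINITE, 1, &pObject, &lCnt);
        if (FAILED(hr))
        {
            std::cout << "Waiting for event failed. Error code = 0x"
                      << std::hex << hr << std::endl;
            return hr;
        }
        if (lCnt == 0 || pObject == NULL)
        {
            continue; // nothing delivered this round; keep waiting
        }

        std::cout << "taskmgr.exe进程已创建" << std::endl;
        pObject->Release(); // each object handed out by Next() owns a reference
        break;              // exit after the first observation, as before
    }

    return 0; // Program successfully completed.
}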
http://blog.csdn.net/zwfgdlc/article/details/6613605