
Building Windows Event Hooks with Zero C++: A Deep Dive into WMI

Source: compiled by this site   Author: anonymous   Date: 2017-08-08
The Event Consumer runs a Windows command line through a VBScript and writes its output to a file.
Here is an example of an Event Filter:

instance of __EventFilter as $Filt {
        Name = "EF";
        EventNamespace = "root\\cimv2";
        QueryLanguage = "WQL";
        Query = "SELECT * FROM __InstanceCreationEvent "
                "WITHIN 2 WHERE TargetInstance ISA 'Win32_Process' "
                "AND TargetInstance.Name = 'notepad.exe'";
};
The Event Filter is written in WQL (WMI Query Language), which can be used to hook many different system events. Here we define the "when": the filter fires on an instance creation event, and in this case we are looking for the creation of a Win32_Process instance named "notepad.exe". Process creation is an intrinsic event that WMI has to poll for, which is why the query needs the WITHIN clause: WITHIN 2 tells WMI to check for new Win32_Process instances every 2 seconds, so a process that starts and exits inside that window can be missed.
This is a simple way to hook process creation: an attacker can watch for a specific process and then act on it, for example by terminating it.
Next, let's see how to bind what gets executed to when it gets executed:

instance of __FilterToConsumerBinding {
        Filter = $Filt;
        Consumer = $Cons;
};
The final MOF script looks like this:

#pragma namespace ("\\\\.\\root\\subscription")

instance of ActiveScriptEventConsumer as $Cons {
        Name = "ASEC";
        ScriptingEngine = "VBScript";
        ScriptText =
            "Set objShell = CreateObject(\"WScript.Shell\") \n"
            "objShell.Exec(\"c:\\windows\\system32\\cmd.exe /c echo MOF Script Output>c:\\mof_output.txt\")\n";
};

instance of __EventFilter as $Filt {
        Name = "EF";
        EventNamespace = "root\\cimv2";
        QueryLanguage = "WQL";
        Query = "SELECT * FROM __InstanceCreationEvent "
                "WITHIN 2 WHERE TargetInstance ISA 'Win32_Process' "
                "AND TargetInstance.Name = 'notepad.exe'";
};

instance of __FilterToConsumerBinding {
        Filter = $Filt;
        Consumer = $Cons;
};
To install it, compile the file with mofcomp.exe from an administrator prompt:

$ mofcomp.exe .\mof_script.mof
Microsoft (R) MOF Compiler Version 10.0.10586.0
Copyright (c) Microsoft Corp. 1997-2006. All rights reserved.
Parsing MOF file: .\mof_script.mof
MOF file has been successfully parsed
Storing data in the repository...
WARNING: File .\mof_script.mof does not contain #PRAGMA AUTORECOVER.
If the WMI repository is rebuilt in the future, the contents of this MOF file will not be included in the new WMI repository.
To include this MOF file when the WMI Repository is automatically reconstructed, place the #PRAGMA AUTORECOVER statement on the first line of the MOF file.
Done!
From this point on, opening Notepad causes mof_output.txt to be created in C:\. The subscription lives in the WMI repository, so it survives reboots and logoffs; there is no process, service or scheduled task to find. The consumer runs in the context of the WMI service (SYSTEM), regardless of who started Notepad.
Going deeper
Triggering at a specific time is just as easy; we only need to change the Event Filter to the following:
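The same subscription can be created without a MOF file at all, using PowerShell's WMI cmdlets; the following is an added example, not code from the original article. It builds the filter, consumer and binding described above, then runs the enumeration a defender (or you, verifying the install) would use to list every permanent subscription on the host, and finally removes what it created. The names EF and ASEC and the output path are the article's; the variable names are ours. Run it from an elevated prompt, since root\subscription is writable only by administrators.

```powershell
# Added example, not from the original article: permanent WMI subscription
# built with Set-WmiInstance instead of mofcomp, then enumerated and removed.
$ns = 'root\subscription'

# 1. __EventFilter: the "when". Same WQL as the MOF above.
$filter = Set-WmiInstance -Namespace $ns -Class __EventFilter -Arguments @{
    Name           = 'EF'
    EventNamespace = 'root\cimv2'
    QueryLanguage  = 'WQL'
    Query          = "SELECT * FROM __InstanceCreationEvent WITHIN 2 " +
                     "WHERE TargetInstance ISA 'Win32_Process' " +
                     "AND TargetInstance.Name = 'notepad.exe'"
}

# 2. ActiveScriptEventConsumer: the "what". A here-string replaces the MOF's \n escapes.
$payload = @'
Set objShell = CreateObject("WScript.Shell")
objShell.Exec("c:\windows\system32\cmd.exe /c echo MOF Script Output>c:\mof_output.txt")
'@
$consumer = Set-WmiInstance -Namespace $ns -Class ActiveScriptEventConsumer -Arguments @{
    Name            = 'ASEC'
    ScriptingEngine = 'VBScript'
    ScriptText      = $payload
}

# 3. __FilterToConsumerBinding: ties the two together. Nothing fires until this exists.
$binding = Set-WmiInstance -Namespace $ns -Class __FilterToConsumerBinding -Arguments @{
    Filter   = $filter
    Consumer = $consumer
}

# 4. Enumerate everything in root\subscription. This is the hunting query:
#    a filter with no binding is inert, a binding is what makes it live.
#    __EventConsumer is the base class, so this also catches CommandLine,
#    LogFile, NTEventLog and SMTP consumers, not only ActiveScript ones.
Write-Host '--- Filters ---'
Get-WmiObject -Namespace $ns -Class __EventFilter |
    Select-Object Name, EventNamespace, Query | Format-List
Write-Host '--- Consumers ---'
Get-WmiObject -Namespace $ns -Class __EventConsumer | ForEach-Object {
    [pscustomobject]@{
        Name    = $_.Name
        Class   = $_.__CLASS
        # ScriptText for ActiveScript consumers, CommandLineTemplate for CommandLine ones;
        # whichever does not apply is $null.
        Payload = if ($_.ScriptText) { $_.ScriptText } else { $_.CommandLineTemplate }
    }
} | Format-List
Write-Host '--- Bindings ---'
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Select-Object Filter, Consumer | Format-List

# 5. Clean-up, binding first so the filter and consumer are unreferenced when deleted.
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Where-Object { $_.Filter -like '*Name="EF"*' } | Remove-WmiObject
Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer -Filter "Name='ASEC'" | Remove-WmiObject
Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='EF'" | Remove-WmiObject
```

The enumeration in step 4 is the check worth keeping: run it on a clean host once to learn the handful of legitimate entries (for example the SCM event log consumer that ships with Windows), and anything beyond that baseline deserves a look at its Query and Payload.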

instance of __EventFilter as $Filt {
        Name = "EF";
        EventNamespace = "root\\cimv2";
        QueryLanguage = "WQL";
        Query = "SELECT * FROM __InstanceModificationEvent WITHIN 20 WHERE "
                "TargetInstance ISA 'Win32_LocalTime' AND "
                "TargetInstance.Hour = 10 AND "
                "TargetInstance.Minute = 34";
};
The Event Consumer now fires at 10:34 in the morning. The scheduling works by hooking the system clock: Win32_LocalTime is a singleton whose instance changes every second, so every poll produces an __InstanceModificationEvent, and the WHERE clause keeps only the ones where the hour and minute match. The WITHIN clause sets the polling interval to 20 seconds. Note that the filter matches the whole minute, so with 20-second polling it can deliver up to three events between 10:34:00 and 10:34:59, and the consumer runs for each of them.
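Before committing a time-based filter to root\subscription it is worth checking that the query actually fires, and how often. The following is an added example, not code from the original article: it registers the same Win32_LocalTime query as a temporary subscription (one that lives only in the current PowerShell session and needs no administrator rights), with the hour and minute taken from one minute in the future instead of the article's hard-coded 10:34, and counts the events that arrive during that minute. The SourceIdentifier name and the variable names are ours.

```powershell
# Added example, not from the original article: exercise a Win32_LocalTime
# filter with a temporary (session-only) subscription and count its firings.
$target = (Get-Date).AddMinutes(1)
$query  = "SELECT * FROM __InstanceModificationEvent WITHIN 20 WHERE " +
          "TargetInstance ISA 'Win32_LocalTime' AND " +
          "TargetInstance.Hour = $($target.Hour) AND " +
          "TargetInstance.Minute = $($target.Minute)"

# Temporary subscription: delivered to this session's event queue, gone when the
# session ends. The permanent version in the MOF uses the identical query.
Register-WmiEvent -Namespace 'root\cimv2' -Query $query -SourceIdentifier 'TimeHook'
Write-Host ("Waiting for {0:HH:mm}, polling every 20 s..." -f $target)

# Collect events until the target minute is over (plus one polling interval,
# since WITHIN 20 means a match can be reported up to 20 s late).
$deadline = $target.AddMinutes(1).AddSeconds(20)
$fired = @()
while ((Get-Date) -lt $deadline) {
    $evt = Wait-Event -SourceIdentifier 'TimeHook' -Timeout 5
    if ($evt) {
        # NewEvent is the __InstanceModificationEvent; TargetInstance the Win32_LocalTime.
        $t = $evt.SourceEventArgs.NewEvent.TargetInstance
        $fired += ("{0:D2}:{1:D2}:{2:D2}" -f $t.Hour, $t.Minute, $t.Second)
        Remove-Event -EventIdentifier $evt.EventIdentifier
    }
}
Unregister-Event -SourceIdentifier 'TimeHook'

if ($fired.Count -eq 0) {
    Write-Host 'The filter never fired; check the query and the WMI service.'
} else {
    # Expect between one and three entries: the filter matches the whole
    # minute and Win32_LocalTime changes on every 20-second poll.
    Write-Host ("Fired {0} time(s): {1}" -f $fired.Count, ($fired -join ', '))
}
```

If the count comes back as two or three, that is the behaviour the permanent subscription will have too: a payload that must run only once per day has to add the Second field to the WHERE clause (which then makes it possible to miss the event entirely, since polling only samples every 20 seconds) or guard against repeats on its own.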

