使用WMI provider创建进程

#define _WIN32_DCOM
#include <iostream>
using namespace std;
#include <comdef.h>
#include <wbemidl.h>
#pragma comment(lib, "wbemuuid.lib")
void CreateClass(IWbemServices* pSvc);
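// Releases a COM interface pointer when it is non-null and resets it, so the
// cleanup path below is safe even when an earlier step left a pointer null
// (the original released pOutParams unconditionally after a failed ExecMethod).
template <class T>
static void SafeRelease(T*& p)
{
    if (p != nullptr)
    {
        p->Release();
        p = nullptr;
    }
}

// Connects to the local root\cimv2 WMI namespace and invokes
// Win32_Process::Create with a fixed CommandLine, then releases every COM
// object and BSTR it acquired.
//
// Returns 0 on success and 1 on any failure. Each failure path prints the
// HRESULT, releases what was acquired, pauses, and returns; the original fell
// through after every error and went on to dereference null interface pointers.
int main()
{
    HRESULT hr = CoInitializeEx(nullptr, COINIT_MULTITHREADED);
    if (FAILED(hr))
    {
        cout << "Failed to initialize COM library. Error code = 0x"
             << hex << hr << endl;
        system("pause");
        return 1; // nothing acquired yet, so nothing to release
    }

    // Everything this function acquires, declared up front and null-initialized
    // so one cleanup routine can release exactly what was obtained regardless
    // of which step failed.
    IWbemLocator* pLoc = nullptr;
    IWbemServices* pSvc = nullptr;
    IWbemClassObject* pClass = nullptr;
    IWbemClassObject* pInParamsDefinition = nullptr;
    IWbemClassObject* pClassInstance = nullptr;
    IWbemClassObject* pOutParams = nullptr;
    BSTR MethodName = nullptr;
    BSTR ClassName = nullptr;
    VARIANT varCommand;
    VariantInit(&varCommand); // VT_EMPTY until a value is stored, so VariantClear is always safe

    // Release in reverse order of acquisition. SysFreeString and VariantClear
    // accept null / empty inputs, and SafeRelease skips null pointers.
    const auto cleanup = [&]() {
        VariantClear(&varCommand);
        SysFreeString(ClassName);
        SysFreeString(MethodName);
        SafeRelease(pOutParams);
        SafeRelease(pClassInstance);
        SafeRelease(pInParamsDefinition);
        SafeRelease(pClass);
        SafeRelease(pSvc);
        SafeRelease(pLoc);
        CoUninitialize();
    };

    // Report the failed step (message prefix + current hr), release everything,
    // and hand back the process exit code for the caller to return.
    const auto fail = [&](const char* message) {
        cout << message << hex << hr << endl;
        cleanup();
        system("pause"); // Program has failed.
        return 1;
    };

    /* Connecting to WMI starts with the COM calls CoInitializeEx and CoInitializeSecurity. */
    hr = CoInitializeSecurity(
        nullptr, // Security descriptor
        -1, // COM negotiates authentication service
        nullptr, // Authentication services
        nullptr, // Reserved
        RPC_C_AUTHN_LEVEL_DEFAULT, // Default authentication level for proxies
        RPC_C_IMP_LEVEL_IMPERSONATE, // Default Impersonation level for proxies
        nullptr, // Authentication info
        EOAC_NONE, // Additional capabilities of the client or server
        nullptr); // Reserved
    if (FAILED(hr))
    {
        return fail("Failed to initialize security. Error code = 0x");
    }

    /* Call CoCreateInstance to obtain IWbemLocator, then IWbemLocator::ConnectServer to connect to WMI. */
    hr = CoCreateInstance(CLSID_WbemLocator, nullptr,
                          CLSCTX_INPROC_SERVER, IID_IWbemLocator,
                          reinterpret_cast<LPVOID*>(&pLoc));
    if (FAILED(hr))
    {
        return fail("Failed to create IWbemLocator object. Err code = 0x");
    }

    // Connect to the root\cimv2 namespace with the current user.
    // _bstr_t yields a real BSTR for the duration of the call; the original
    // passed a plain wide literal cast to BSTR.
    hr = pLoc->ConnectServer(
        _bstr_t(L"root\\cimv2"), // namespace
        nullptr, // User name
        nullptr, // User password
        nullptr, // Locale
        0, // Security flags
        nullptr, // Authority
        nullptr, // Context object
        &pSvc); // IWbemServices proxy
    if (FAILED(hr))
    {
        return fail("Could not connect. Error code = 0x");
    }
    cout << "Connected to WMI" << endl;

    /* Call CoSetProxyBlanket to set the security level on the IWbemServices proxy. */
    // Set the proxy so that impersonation of the client occurs.
    hr = CoSetProxyBlanket(pSvc,
                           RPC_C_AUTHN_WINNT,
                           RPC_C_AUTHZ_NONE,
                           nullptr,
                           RPC_C_AUTHN_LEVEL_CALL,
                           RPC_C_IMP_LEVEL_IMPERSONATE,
                           nullptr,
                           EOAC_NONE);
    if (FAILED(hr))
    {
        return fail("Could not set proxy blanket. Error code = 0x");
    }

    /* Set up the call to Win32_Process::Create. Every HRESULT on this path is
       now checked; the original ignored them and dereferenced the results. */
    MethodName = SysAllocString(L"Create");
    ClassName = SysAllocString(L"Win32_Process");
    if (MethodName == nullptr || ClassName == nullptr)
    {
        hr = E_OUTOFMEMORY;
        return fail("Could not allocate method or class name. Error code = 0x");
    }

    hr = pSvc->GetObject(ClassName, 0, nullptr, &pClass, nullptr);
    if (FAILED(hr))
    {
        return fail("Could not get Win32_Process class. Error code = 0x");
    }

    hr = pClass->GetMethod(MethodName, 0, &pInParamsDefinition, nullptr);
    if (FAILED(hr))
    {
        return fail("Could not get Create method definition. Error code = 0x");
    }

    hr = pInParamsDefinition->SpawnInstance(0, &pClassInstance);
    if (FAILED(hr))
    {
        return fail("Could not spawn in-parameter instance. Error code = 0x");
    }

    // Create the values for the in parameters.
    // The VARIANT must own its BSTR: the original assigned a temporary _bstr_t
    // whose buffer was freed at the end of that statement, leaving bstrVal
    // dangling and later double-freed by VariantClear.
    varCommand.vt = VT_BSTR;
    varCommand.bstrVal = SysAllocString(L"calc.exe");
    if (varCommand.bstrVal == nullptr)
    {
        hr = E_OUTOFMEMORY;
        return fail("Could not allocate command line. Error code = 0x");
    }

    // Store the value for the in parameters.
    hr = pClassInstance->Put(L"CommandLine", 0, &varCommand, 0);
    if (FAILED(hr))
    {
        return fail("Could not set CommandLine parameter. Error code = 0x");
    }
    wprintf(L"The command is: %s\n", V_BSTR(&varCommand));

    // Execute Method.
    // NOTE(review): the resulting process is created by WMI on the caller's
    // behalf rather than directly by this executable — confirm the parent
    // process when correlating process-creation telemetry with this call.
    hr = pSvc->ExecMethod(ClassName, MethodName, 0,
                          nullptr, pClassInstance, &pOutParams, nullptr);
    if (FAILED(hr))
    {
        return fail("Could not execute method. Error code = 0x");
    }

    cleanup();
    return 0;
}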