ring3下利用WMI监视进程创建(vc版)

zoukankan html css js c++ java

ring3下利用WMI监视进程创建(vc版)
[cpp] view plain copy
1. #include "stdafx.h"
2. #define _WIN32_DCOM
3. #include <iostream>
4. using namespace std;
5. #include <comdef.h>
6. #include <Wbemidl.h>
8. # pragma comment(lib, "wbemuuid.lib")
10. int main(int argc, char **argv)
11. {
12. HRESULT hres;
14. hres = CoInitializeEx(0, COINIT_MULTITHREADED);
15. if (FAILED(hres))
16. {
17. cout << "Failed to initialize COM library. "
18. << "Error code = 0x"
19. << hex << hres << endl;
20. return 1;
21. }
23. IWbemLocator *pLoc = 0;
24. HRESULT hr;
26. hr = CoCreateInstance(CLSID_WbemLocator, 0,
27. CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID *) &pLoc);
29. if (FAILED(hr))
30. {
31. cout << "Failed to create IWbemLocator object. Err code = 0x"
32. << hex << hr << endl;
33. return hr; // Program has failed.
34. }
36. IWbemServices *pSvc = 0;
38. bstr_t strNetworkResource("ROOT\CIMV2");
40. hr = pLoc->ConnectServer(
41. strNetworkResource,
42. NULL, NULL, 0, NULL, 0, 0, &pSvc);
44. if (FAILED(hr))
45. {
46. cout << "Could not connect. Error code = 0x"
47. << hex << hr << endl;
48. pLoc->Release();
49. CoUninitialize();
50. return hr; // Program has failed.
51. }
53. cout << "Connected to WMI" << endl;
55. // Set the proxy so that impersonation of the client occurs.
56. hr = CoSetProxyBlanket(pSvc,
57. RPC_C_AUTHN_WINNT,
58. RPC_C_AUTHZ_NONE,
59. NULL,
60. RPC_C_AUTHN_LEVEL_CALL,
61. RPC_C_IMP_LEVEL_IMPERSONATE,
62. NULL,
63. EOAC_NONE
64. );
66. if (FAILED(hr))
67. {
68. cout << "Could not set proxy blanket. Error code = 0x"
69. << hex << hr << endl;
70. pSvc->Release();
71. pLoc->Release();
72. CoUninitialize();
73. return hr;
74. }
77. bstr_t strLang("WQL");
78. //监视taskmgr.exe进程创建
79. bstr_t strQuery("SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'taskmgr.exe'");
80. IEnumWbemClassObject* pResult = NULL;
82. hr = pSvc->ExecNotificationQuery(strLang, strQuery, WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, NULL, &pResult);
83. if(SUCCEEDED(hr))
84. {
85. do{
86. IWbemClassObject* pObject = NULL;
87. ULONG lCnt = 0;
88. hr = pResult->Next(WBEM_INFINITE, 1, &pObject, &lCnt);
89. if(SUCCEEDED(hr) && pObject)
90. {
91. cout<<"taskmgr.exe进程已创建"<<endl;
92. break; //退出
93. }
94. }while(true);
95. }
99. pSvc->Release();
100. pLoc->Release();
101. CoUninitialize();
102. CoUninitialize();
104. return 0; // Program successfully completed.
105. }
http://blog.csdn.net/zwfgdlc/article/details/6613605
查看全文

相关阅读:
常见http状态码
 通过adb shell命令查看内存，CPU，启动时间，电量等信息
 Jmeter获取数据库数据参数化
 jmeter链接mysql数据库，sql数据库，oracle数据库
 appium 隐藏键盘
 python编码
 python:打印所有文件名字的扩展名
 python中字符串常见操作
 python中的字符串存储及切片介绍
 Ubuntu14.04安装部署bugzilla5.0.3

原文地址：https://www.cnblogs.com/findumars/p/6344965.html