A hands-on guide to implementing process monitoring with WMI

1. Technical application background

In the ongoing security contest between anti-virus vendors, game publishers and the people attacking them, it is often necessary to monitor, record and inspect every EXE a user creates or launches, and to decide whether it is safe. The same technique applies to security countermeasures for other kinds of applications. So how can we reliably capture the details of every EXE the user starts by clicking on it? The rest of this article walks through an implementation that does exactly that.

2. Effect display

The figure below shows the monitoring program running. It reports both the EXE programs the system starts automatically at boot and the applications the user launches by clicking on them.
[Figure: screenshot of the monitoring program's console output]

3. Function code implementation

Monitoring every EXE the user launches takes the following steps:

1. Initialize COM on the calling thread with CoInitializeEx. (The standard Microsoft client sequence also calls CoInitializeSecurity once per process before any WMI call; without it the default process security is used.)

2. Obtain the WMI locator by calling CoCreateInstance with CLSID_WbemLocator, which returns an IWbemLocator pointer.

3. Call IWbemLocator::ConnectServer with the strNetworkResource parameter set to "root\cimv2", the namespace that contains the Win32_Process class. On success it returns an IWbemServices pointer bound to that namespace.

4. Call CoSetProxyBlanket on the IWbemServices proxy. This sets the security on the proxy so that calls are made at impersonation level RPC_C_IMP_LEVEL_IMPERSONATE, which allows the WMI service to impersonate the client's security context while it services the request.

5. Call IWbemServices::ExecNotificationQuery with a WQL event query, then read the events it delivers in a loop from the returned IEnumWbemClassObject enumerator.

The code in the figure below performs the initialization: it sets up COM, obtains the locator, connects to root\cimv2 and applies the proxy security settings.

[Figure: source code for COM and WMI initialization]

The following code receives the events: it issues the query through ExecNotificationQuery and then, in a loop, pulls each event describing an EXE the user has created or opened.

[Figure: source code for the ExecNotificationQuery event loop]
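Since the original listings are only available as screenshots, here is the same subscription written in PowerShell as an added example; it is not the article's C++ program. Register-CimIndicationEvent performs the COM initialization, locator creation, ConnectServer and proxy-security steps internally, and the WQL string is the kind of query a C++ consumer would hand to IWbemServices::ExecNotificationQuery. The 1-second polling interval, the field names printed, the Get-ParentName helper and the "launched from the shell" heuristic are my choices, not something the article states.

```powershell
# Added example (not the article's code): subscribe to process-creation events
# through WMI from PowerShell.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7 on Windows, run from an
# interactive console. Polling interval, output fields and the origin heuristic
# are this example's choices.

# Intrinsic event: WMI polls Win32_Process every WITHIN seconds and raises an
# __InstanceCreationEvent for each new instance. A process that starts and exits
# inside that window is never reported, so keep the interval short.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 " +
         "WHERE TargetInstance ISA 'Win32_Process'"

function Get-ParentName {
    param([uint32]$ParentPid)
    # The parent may already have exited by the time the event is polled;
    # WMI then returns nothing and we report the placeholder "<gone>".
    $parent = Get-CimInstance -ClassName Win32_Process `
                              -Filter "ProcessId = $ParentPid" `
                              -ErrorAction SilentlyContinue
    if ($parent) { $parent.Name } else { '<gone>' }
}

# Equivalent of ConnectServer("root\cimv2") + ExecNotificationQuery(query).
Register-CimIndicationEvent -Namespace 'root\cimv2' -Query $query `
                            -SourceIdentifier 'ProcStart'
Write-Host "Monitoring process creation (Ctrl+C to stop)..."

try {
    while ($true) {
        # Wait-Event blocks until the next event arrives, like
        # IEnumWbemClassObject::Next with WBEM_INFINITE in the C++ loop.
        $evt = Wait-Event -SourceIdentifier 'ProcStart'
        $p   = $evt.SourceEventArgs.NewEvent.TargetInstance   # Win32_Process instance
        $parentName = Get-ParentName -ParentPid $p.ParentProcessId

        # Heuristic (assumption, not from the article): session 0 hosts services
        # and autostart tasks; a parent of explorer.exe in any other session
        # means the user started the program from the desktop or Explorer.
        $origin = 'other'
        if ($p.SessionId -eq 0) { $origin = 'system/service' }
        elseif ($parentName -ieq 'explorer.exe') { $origin = 'user (shell)' }

        [pscustomobject]@{
            Time        = $evt.TimeGenerated
            ProcessId   = $p.ProcessId
            ParentId    = $p.ParentProcessId
            Parent      = $parentName
            Name        = $p.Name
            # ExecutablePath and CommandLine come back $null for processes the
            # caller is not allowed to open (other users, protected processes)
            # unless the console is elevated.
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
            Origin      = $origin
        } | Format-List

        Remove-Event -EventIdentifier $evt.EventIdentifier
    }
}
finally {
    # Always tear the subscription down; otherwise it outlives the loop in
    # this session and keeps queueing events.
    Unregister-Event -SourceIdentifier 'ProcStart'
}
```

Two caveats a practitioner should keep in mind. First, because __InstanceCreationEvent on Win32_Process is polled, a short-lived dropper that finishes inside the WITHIN window is invisible to this monitor; the extrinsic class Win32_ProcessStartTrace (query `SELECT * FROM Win32_ProcessStartTrace`) is pushed by the kernel trace provider without a polling gap, but it requires an elevated session and exposes far fewer properties (ProcessName, ProcessID, ParentProcessID, SessionID, Sid). Second, the parent-process name is looked up with a separate query, so for a parent that exits immediately after spawning its child the monitor only ever sees the PID.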

4. List of knowledge background

Overview: WMI is a mature Microsoft technology and a reliable management interface. One of its major advantages is that it can also be used against remote computers. It is the infrastructure for management data and operations in Windows: it provides a uniform set of interfaces for managing local and remote computers across the operating system, the network and the enterprise environment.

WMI technology can be applied to:

1. Query to obtain information about the running process;

2. Query to obtain information about running threads;

3. Query and obtain desktop information;

4. Query and obtain environment variable information;

5. Query and obtain drive information;

6. Query and obtain folder information;

7. Query and obtain system information and system services;

8. Query and obtain hardware information;

9. Query and obtain disk-related information.

5. WMI related concepts

1. WBEM (Web-Based Enterprise Management) is an industry standard, maintained by the DMTF, for accessing and sharing management information across an enterprise network.

2. WMI (Windows Management Instrumentation) is Microsoft's implementation of WBEM for Windows, so it follows the WBEM rules. Through WMI we can read data about hardware and software, and a hardware or software component can in turn expose its own data to WMI through a provider.

3. COM (Component Object Model) is Microsoft's interface specification for binary software components. By fixing the standards and protocols that components must follow, it enables cross-language and cross-process communication between modules.

6. WMI related functions

1. CoInitializeEx function in detail

[Figure: parameter table for CoInitializeEx]

2. CoCreateInstance function in detail

[Figure: parameter table for CoCreateInstance]

3. ConnectServer function in detail

[Figure: parameter table for IWbemLocator::ConnectServer]

4. CoSetProxyBlanket function in detail

[Figure: parameter table for CoSetProxyBlanket]

5. ExecNotificationQuery function in detail

[Figure: parameter table for IWbemServices::ExecNotificationQuery]

7. WMI architecture analysis

The WMI architecture diagram below comes from MSDN. It shows that WMI is made up of three layers.

[Figure: WMI architecture diagram from MSDN showing providers and managed objects, the WMI infrastructure, and consumers]

1. WMI providers and Managed object (WMI providers and managed objects)

A WMI provider is a COM object that monitors one or more managed objects.

Managed objects refer to logical or physical components, such as hard drives, network adapters, database systems, operating systems, processes, or services.

The provider supplies the data from its managed objects to the WMI service, and passes requests from the WMI service on to the managed objects.

A provider consists of a DLL that implements the logic and a MOF (Managed Object Format) file that defines the classes describing its data and operations. The preinstalled providers and their MOF files live in the \Windows\System32\wbem directory.

[Figure: listing of the \Windows\System32\wbem directory]

2. WMI Infrastructure

The WMI infrastructure is a system component of Windows. It consists of two parts: the WMI service, which includes the WMI core, and the WMI repository.

The WMI repository is organized by WMI namespace. At system startup the WMI service creates namespaces such as root\cimv2, root\default and root\subscription and preinstalls a default set of class definitions in them.

The WMI service acts as the intermediary between the WMI providers, the management applications and the WMI repository. It runs as the Winmgmt service inside a shared svchost.exe process. The service starts when the first management application or script connects to a WMI namespace; when no management application is using WMI any more, the service shuts down or enters a low-memory state.

3. WMI Consumers

Consumers sit at the top of the WMI architecture: they are the management applications and scripts that make use of WMI. C++ code talks to the lower layers directly through COM; .NET languages go through the System.Management namespace. A consumer can query and enumerate data, invoke provider methods and subscribe to WMI events, and each of these operations must be backed by a provider that implements it.

Source: blog.csdn.net/c_kongfei/article/details/114242488