IWbemServices_ExecMethod api can not be monitored in win7 #79
Here is the hook if you want to try to fix it: https://github.com/cuckoosandbox/monitor/blob/7c5854fae12e1f01f56eab2db4008148c790cc7a/sigs/wmi.rst#iwbemservices_execmethod
I compiled a debug version of monitor and resubmitted the sample. In Windows XP, I can find this record:
That is normal. But it cannot be found in Windows 7.
WMI hooks are explicitly enabled by the
and
The execution flow is:
If you're not finding the
The reason for the special marking of the above hooks is that if you're running Office 2010 the call chain should be:
2 and 3 are likely happening as a result of the first call, so if you don't mark them as special the monitor won't hook.
@baxitaurus Thanks.
In Windows 7 x64, it should be:
I tried to change the Win7 registry item value to XP's:
However, I'm already an administrator. I'm stuck here.
I made a doc that calls powershell.exe to do something.
When I submit it to Windows XP, the IWbemServices_ExecMethod API can be monitored like this:
But IWbemServices_ExecMethod cannot be monitored in Windows 7.
If you monitor it with apimonitor in Windows 7, it can be monitored, like this:
Maybe the monitor has an error.
Here is the file:
test_vb_powershell.zip
Don't worry, that is just a clean file for testing.