
IWbemServices_ExecMethod api cannot be monitored in win7 #79

Open

qux-bbb opened this issue Jan 7, 2020 · 4 comments


qux-bbb commented Jan 7, 2020

I made a doc; it calls powershell.exe to do something.
When I submit it to Windows XP, the IWbemServices_ExecMethod api can be monitored like this:

{
    "category": "misc",
    "status": 1,
    "stacktrace": [],
    "pid": 1924,
    "api": "IWbemServices_ExecMethod",
    "return_value": 0,
    "arguments": {
        "inargs": {
            "CurrentDirectory": null,
            "CommandLine": "powershell -w hidden -enco IldvcmxkISIgfCBPdXQtRmlsZSBoZWxsby50eHQ=",
            "ProcessStartupInformation": {
                "YSize": null,
                "FillAttribute": null,
                "CreateFlags": null,
                "Title": null,
                "XCountChars": null,
                "EnvironmentVariables": null,
                "X": null,
                "XSize": null,
                "YCountChars": null,
                "ErrorMode": 0,
                "WinstationDesktop": null,
                "Y": null,
                "ShowWindow": null,
                "PriorityClass": null
            }
        },
        "method": "Create",
        "flags": 0,
        "outargs": {
            "ProcessId": 2004,
            "ReturnValue": 0
        },
        "class": "Win32_Process"
    },
    "time": 1578377503.109427,
    "tid": 1928,
    "flags": {},
    "uniqhash": 0,
    "type": "apicall"
},

But IWbemServices_ExecMethod cannot be monitored in Windows 7.

If you monitor it with apimonitor in Windows 7, it can be monitored, like this:
[image: API Monitor screenshot]

Maybe monitor has an error.

Here is the file:
test_vb_powershell.zip

Don't worry, that is just a clean file for testing.

@doomedraven


qux-bbb commented Feb 4, 2020

I compiled a debug version of monitor and resubmitted the sample. In Windows XP, I can find this record:

...
Entered IWbemServices_ExecMethod
...
Leaving IWbemServices_ExecMethod
...

That is normal, but it cannot be found in Windows 7.
I do not know whether the problem is in wmi.rst's hook. I will try to find the key point.

@baxitaurus

WMI hooks are explicitly enabled by the CoCreateInstance hook when this api is called with a CLSID related to the WbemLocator object. Take a look at:

sigs/ole.rst

CoCreateInstance

Parameters:

    ** REFCLSID rclsid clsid
    *  LPUNKNOWN pUnkOuter
    ** DWORD dwClsContext class_context
    ** REFIID riid iid
    *  LPVOID *ppv

Interesting:

    b sizeof(CLSID), rclsid
    i class_context
    b sizeof(IID), riid

Post:

    ole_enable_hooks(rclsid);

and

src/wmi.c

static CLSID our_CLSID_WbemAdministrativeLocator = {
    0xcb8555cc, 0x9128, 0x11d1, {0xad,0x9b, 0x00,0xc0,0x4f,0xd8,0xfd,0xff},
};

static CLSID our_CLSID_WbemLocator = {
    0x4590f811, 0x1d3a, 0x11d0, {0x89,0x1f, 0x00,0xaa,0x00,0x4b,0x2e,0x24},
};

[...]

void ole_enable_hooks(REFCLSID clsid)
{
    if(memcmp(clsid, &our_CLSID_WbemLocator, sizeof(CLSID)) == 0) {
        hook_library("__wmi__", NULL);
    }

    if(memcmp(clsid, &our_CLSID_WbemAdministrativeLocator,
            sizeof(CLSID)) == 0) {
        hook_library("__wmi__", NULL);
    }
}

The execution flow is:

  1. CoCreateInstance(clsid) called and hooked
  2. In the Post:: section of the hook you'll find the call ole_enable_hooks(clsid)
  3. ole_enable_hooks compares the clsid argument with the interesting ones
  4. Enable __wmi__ hooks if the target clsid is interesting

If you're not finding the IWbemServices_ExecMethod calls you should:

  • Ensure that the IWbemLocator related CLSIDs are correct (check the reg key HKCR/WbemScripting.SWbemLocator/CLSID in your VM)
  • Ensure that the CoCreateInstance is marked as special in its Signature:: section
  • Ensure that the WMI related hooks are marked as special too

The reason for the special marking of the above hooks is that if you're running Office 2010 the call chain should be:

  1. vbe6_Invoke
  2. CoCreateInstance
  3. IWbemServices_ExecMethod

2 and 3 are likely happening as a result of the first call, so if you don't mark them as special the monitor won't hook them.
About the Special marking, the doc says:

Special:

    Mark this API signature as special. Special API signatures are always executed, also when the monitor is already inside another hook. E.g., when executing the system() function we still want to follow the CreateProcessInternalW() function calls in order to catch the process identifier(s) of the child process(es), allowing the monitor to inject into said child process(es).


qux-bbb commented Jan 17, 2021

@baxitaurus Thanks.
This value is for Windows XP:

static CLSID our_CLSID_WbemLocator = {
    0x4590f811, 0x1d3a, 0x11d0, {0x89,0x1f, 0x00,0xaa,0x00,0x4b,0x2e,0x24},
};

In Windows 7 x64, it should be:

static CLSID our_CLSID_WbemLocator = {
    0x76A64158, 0xCB41, 0x11D1, {0x8B, 0x02, 0x00, 0x60, 0x08, 0x06, 0xD9, 0xB6},
};

I tried to change the Win7 registry value to XP's, {76A64158-CB41-11D1-8B02-00600806D9B6} to {4590F811-1D3A-11D0-891F-00AA004B2E24}, but it shows:

Error editing value
Unable to edit: An error occurred while writing the contents of the value

However, I'm already an administrator. I'm stuck here.
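The CLSID comparison baxitaurus describes, and the CLSID values qux-bbb quotes from XP and from the Windows 7 registry, can be checked offline with the following added example. It is not code from the monitor repository: it re-implements the memcmp() decision of ole_enable_hooks() from src/wmi.c in portable C99 with a stand-in for the Windows CLSID struct, and adds a parser for the registry-style {…} form so a value read from HKCR\WbemScripting.SWbemLocator\CLSID can be compared against the table without a Windows build environment. The names mon_clsid, clsid_from_string, wmi_hooks_would_enable and check_clsid_string are the example's own.

```c
/*
 * Added example (not code from the monitor project): a stand-alone
 * re-implementation of the CLSID check that ole_enable_hooks() in src/wmi.c
 * performs, plus a parser for registry-style CLSID strings, so the values
 * quoted in this thread can be checked against the table offline.
 * The struct below stands in for the Windows CLSID typedef (same 16-byte
 * layout), so nothing from windows.h is needed.
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

typedef struct {
    uint32_t Data1;
    uint16_t Data2;
    uint16_t Data3;
    uint8_t  Data4[8];
} mon_clsid;                      /* stand-in for the Windows CLSID struct */

/* The two CLSIDs that src/wmi.c compares against (values as quoted above). */
static const mon_clsid our_CLSID_WbemAdministrativeLocator = {
    0xcb8555cc, 0x9128, 0x11d1, {0xad,0x9b, 0x00,0xc0,0x4f,0xd8,0xfd,0xff},
};
static const mon_clsid our_CLSID_WbemLocator = {
    0x4590f811, 0x1d3a, 0x11d0, {0x89,0x1f, 0x00,0xaa,0x00,0x4b,0x2e,0x24},
};

/* Parse "{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" (braces optional) into *out.
 * Returns 1 on success, 0 if the string is not a well-formed CLSID. */
int clsid_from_string(const char *s, mon_clsid *out)
{
    unsigned int d1;
    unsigned short d2, d3;
    unsigned char b[8];

    if (s == NULL || out == NULL)
        return 0;
    if (*s == '{')                /* registry export form carries braces */
        s++;
    if (strlen(s) < 36)           /* 32 hex digits + 4 dashes */
        return 0;
    if (sscanf(s, "%8x-%4hx-%4hx-%2hhx%2hhx-%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx",
               &d1, &d2, &d3, &b[0], &b[1], &b[2], &b[3],
               &b[4], &b[5], &b[6], &b[7]) != 11)
        return 0;
    memset(out, 0, sizeof *out);  /* keep the memcmp() below padding-safe */
    out->Data1 = d1;
    out->Data2 = d2;
    out->Data3 = d3;
    memcpy(out->Data4, b, sizeof b);
    return 1;
}

/* The same decision ole_enable_hooks() makes: 1 if hook_library("__wmi__", NULL)
 * would be called for this CLSID, 0 otherwise. */
int wmi_hooks_would_enable(const mon_clsid *clsid)
{
    return memcmp(clsid, &our_CLSID_WbemLocator, sizeof(mon_clsid)) == 0 ||
           memcmp(clsid, &our_CLSID_WbemAdministrativeLocator, sizeof(mon_clsid)) == 0;
}

/* Parse and check in one step: 1 (would enable), 0 (would not), -1 (unparsable). */
int check_clsid_string(const char *s)
{
    mon_clsid c;
    if (!clsid_from_string(s, &c))
        return -1;
    return wmi_hooks_would_enable(&c);
}

int main(void)
{
    /* Constructed inputs: the CLSIDs named in this thread plus one bad string. */
    static const char *const samples[] = {
        "{4590F811-1D3A-11D0-891F-00AA004B2E24}",  /* our_CLSID_WbemLocator */
        "{CB8555CC-9128-11D1-AD9B-00C04FD8FDFF}",  /* our_CLSID_WbemAdministrativeLocator */
        "{76A64158-CB41-11D1-8B02-00600806D9B6}",  /* value qux-bbb reports from the Win7 registry */
        "not-a-clsid",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = check_clsid_string(samples[i]);
        printf("%-40s -> %s\n", samples[i],
               r == 1 ? "__wmi__ hooks enabled" :
               r == 0 ? "no match, __wmi__ hooks stay off" : "unparsable");
    }
    return 0;
}
```

Run against the values in this thread, the WbemLocator and WbemAdministrativeLocator CLSIDs match the table and the value qux-bbb reports from the Windows 7 registry does not, which is the condition under which the __wmi__ hooks never get enabled along that path. Confirming this comparison against the CLSID actually registered in the VM is the check to make before editing registry values.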
