[旧帖] [求助]WMI拦截失败? 0.00雪花
发表于: 2016-3-6 21:00 2194

原贴:
【原创】关于拦截“通过WMI读取硬件序列号”的一些心得
http://bbs.pediy.com/showthread.php?t=127176

根据如上,做了一个过滤驱动, 部分代码如下:
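//	Locate the device object that the filter will attach to.
		UNICODE_STRING FilterToDriverName;
		RtlInitUnicodeString(&FilterToDriverName, L"\\Device\\WMIDataDevice");
		PFILE_OBJECT FilterToFileObject;
		PDEVICE_OBJECT FilterToDevice;

		status = IoGetDeviceObjectPointer(&FilterToDriverName, FILE_ALL_ACCESS, &FilterToFileObject, &FilterToDevice);
		if (!NT_SUCCESS(status))
		{
			// %wZ expects a PUNICODE_STRING, not the structure by value, and the
			// NTSTATUS is a 32-bit code, so print it as hex rather than with %p.
			DbgPrint("IoGetDeviceObjectPointer ERR: %wZ, 0x%08X", &FilterToDriverName, status);
			// Hand the real failure code back instead of a synthetic negative line number.
			return status;
		}
		// NOTE(review): this drops the only reference that keeps FilterToDevice
		// alive; the elided attach code below is expected to take its own
		// reference (e.g. via the attach call) before the target can go away --
		// confirm the ordering in the full source.
		ObDereferenceObject(FilterToFileObject);
//....
// Dispatch table setup: every major function goes through the pass-through handler.
		for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
			DriverObject->MajorFunction[i] = DriverWMIFilterDefaultHandler;
//....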

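// Pass-through dispatch routine installed for every major function of the
// filter device: logs the IRP and forwards it unchanged to the next device
// in the stack.
//
// DeviceObject  the filter's own device object; its DeviceExtension is a
//               FilterDriverExtension holding the lower device (NextDevice)
// Irp           the request being dispatched
//
// Returns the status of the lower driver, or STATUS_INVALID_DEVICE_REQUEST
// (with the IRP completed) when the extension is not usable.
NTSTATUS DriverWMIFilterDefaultHandler(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
	FilterDriverExtension* fltEx = (FilterDriverExtension*)DeviceObject->DeviceExtension;

	// Validate the extension before reading any of its fields; the original
	// logged fltEx->IrpPenddingCount ahead of this NULL check.
	if (!fltEx || !fltEx->NextDevice)
	{
		// An IRP that is not passed down must be completed here, otherwise the
		// requester waits on it forever.
		Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
		Irp->IoStatus.Information = 0;
		IoCompleteRequest(Irp, IO_NO_INCREMENT);
		return STATUS_INVALID_DEVICE_REQUEST;
	}

	KdPrint(("DriverWMIFilterDefaultHandler: %p %lx, %d", fltEx, Irp->CurrentLocation, fltEx->IrpPenddingCount));

	// Nothing is inspected here, so the current stack location is skipped
	// rather than copied before forwarding.
	IoSkipCurrentIrpStackLocation(Irp);

	return IoCallDriver(fltEx->NextDevice, Irp);
}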



当直接 CreateFile 时,能够成功拦截:
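HANDLE hDev = CreateFile(L"\\\\.\\WMIDataDevice",
		GENERIC_READ | GENERIC_WRITE,
		0,		// share mode none
		NULL,	// no security
		OPEN_EXISTING,
		FILE_ATTRIBUTE_NORMAL,
		NULL );		// no template, and no FILE_FLAG_OVERLAPPED: the handle is synchronous
	TRACERlsn(L"hDev: %p\r\n", hDev);

	BYTE rd[10] = { 0 };
	ULONG rdsize = 0;
	BOOL bRd = FALSE;

	// CreateFile signals failure with INVALID_HANDLE_VALUE (not NULL); neither
	// ReadFile nor CloseHandle may be called on it.
	if (hDev != INVALID_HANDLE_VALUE)
	{
		// The handle is synchronous, so lpOverlapped is NULL. The original
		// passed an uninitialized OVERLAPPED, whose garbage Offset/hEvent
		// fields are still consulted by ReadFile on a non-overlapped handle.
		bRd = ReadFile(hDev, rd, sizeof(rd), &rdsize, NULL);
		TRACERlsn(L"ReadFile: %d, %d\r\n", bRd, rdsize);

		CloseHandle(hDev);
	}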


而当使用wmi获取硬件序列号时, 并不能成功拦截. 部分代码如下:
// WQL query table, indexed by the query type handed to WMI_DeviceQuery.
// Each entry pairs a SELECT statement with the name of the property that is
// read from every result object. Elements are written with explicit braces;
// this assumes T_WQL_QUERY is a two-field aggregate {szSelect, szProperty},
// as the field accesses in WMI_DeviceQuery imply.
const T_WQL_QUERY szWQLQuery[] = {
	// 0: network adapter, native MAC address (reads PNPDeviceID)
	{ "SELECT * FROM Win32_NetworkAdapter WHERE (MACAddress IS NOT NULL) AND (NOT (PNPDeviceID LIKE 'ROOT%'))",
	  L"PNPDeviceID" },

	// 1: hard disk serial number
	{ "SELECT * FROM Win32_DiskDrive WHERE (SerialNumber IS NOT NULL) AND (MediaType LIKE 'Fixed hard disk%')",
	  L"SerialNumber" },

	// 2: mainboard serial number
	{ "SELECT * FROM Win32_BaseBoard WHERE (SerialNumber IS NOT NULL)",
	  L"SerialNumber" },

	// 3: processor ID
	{ "SELECT * FROM Win32_Processor WHERE (ProcessorId IS NOT NULL)",
	  L"ProcessorId" },

	// 4: BIOS serial number
	{ "SELECT * FROM Win32_BIOS WHERE (SerialNumber IS NOT NULL)",
	  L"SerialNumber" },

	// 5: mainboard product name
	{ "SELECT * FROM Win32_BaseBoard WHERE (Product IS NOT NULL)",
	  L"Product" },

	// 6: network adapter, current MAC address
	{ "SELECT * FROM Win32_NetworkAdapter WHERE (MACAddress IS NOT NULL) AND (NOT (PNPDeviceID LIKE 'ROOT%'))",
	  L"MACAddress" },
};

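// Query hardware properties through Windows Management Instrumentation.
//
// Runs the WQL statement selected by iQueryType (an index into szWQLQuery)
// and copies the configured property of every result object into
// `properties`, after letting WMI_DoWithProperty post-process it.
//
// iQueryType  index into szWQLQuery
// properties  output array, or NULL to only count the result objects
// iSize       capacity of `properties`; ignored when properties is NULL
//
// Returns the number of entries stored (or counted), or a negative code:
//   -1  iQueryType out of range
//   -2  COM / WMI connection setup failed
//   -3  ExecQuery failed
INT WMI_DeviceQuery( INT iQueryType, T_DEVICE_PROPERTY *properties, INT iSize )
{
	HRESULT hres;
	INT	iTotal = 0;

	// Reject unsupported query types (iQueryType < 0 is checked first, so the
	// comparison against the unsigned element count is safe).
	if( (iQueryType < 0) || (iQueryType >= (INT)(sizeof(szWQLQuery)/sizeof(T_WQL_QUERY))) )
	{
		return -1;	// unsupported query type
	}

	// Initialise COM for this thread.
	hres = CoInitializeEx( NULL, COINIT_MULTITHREADED ); 
	if( FAILED(hres) )
	{
		return -2;
	}

	// Process-wide COM security. CoInitializeSecurity may only be called once
	// per process; when the host already did so it returns RPC_E_TOO_LATE,
	// which does not stop the query from working, so it is not treated as
	// fatal here.
	hres = CoInitializeSecurity( 
		NULL, 
		-1, 
		NULL, 
		NULL, 
		RPC_C_AUTHN_LEVEL_DEFAULT, 
		RPC_C_IMP_LEVEL_IMPERSONATE,
		NULL,
		EOAC_NONE,
		NULL
		);
	if( FAILED(hres) && (hres != RPC_E_TOO_LATE) )
	{
		CoUninitialize();
		return -2;
	}

	// Obtain the WMI locator interface.
	IWbemLocator *pLoc = NULL;
	hres = CoCreateInstance( 
		CLSID_WbemLocator,             
		NULL, 
		CLSCTX_INPROC_SERVER, 
		IID_IWbemLocator,
		reinterpret_cast<LPVOID*>(&pLoc)
		); 
	if( FAILED(hres) )
	{
		CoUninitialize();
		return -2;
	}

	// Connect to the ROOT\CIMV2 namespace.
	IWbemServices *pSvc = NULL;
	hres = pLoc->ConnectServer(
		_bstr_t( L"ROOT\\CIMV2" ),
		NULL,
		NULL,
		NULL,
		0,
		NULL,
		NULL,
		&pSvc
		);    
	if( FAILED(hres) )
	{
		pLoc->Release(); 
		CoUninitialize();
		return -2;
	}

	// Security level of the proxy used for the requests.
	hres = CoSetProxyBlanket(
		pSvc,
		RPC_C_AUTHN_WINNT,
		RPC_C_AUTHZ_NONE,
		NULL,
		RPC_C_AUTHN_LEVEL_CALL,
		RPC_C_IMP_LEVEL_IMPERSONATE,
		NULL,
		EOAC_NONE
		);
	if( FAILED(hres) )
	{
		pSvc->Release();
		pLoc->Release();     
		CoUninitialize();
		return -2;
	}

	// Issue the WQL query.
	IEnumWbemClassObject *pEnumerator = NULL;
	hres = pSvc->ExecQuery(
		bstr_t("WQL"), 
		bstr_t( szWQLQuery[iQueryType].szSelect ),
		WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, 
		NULL,
		&pEnumerator
		);
	if( FAILED(hres) )
	{
		pSvc->Release();
		pLoc->Release();
		CoUninitialize();
		return -3;
	}

	// Walk every result object.
	while( pEnumerator )
	{
		IWbemClassObject *pclsObj = NULL;
		ULONG uReturn = 0;

		if( (properties != NULL) && (iTotal >= iSize) )
		{
			break;	// output array is full
		}

		hres = pEnumerator->Next(
			WBEM_INFINITE,
			1, 
			&pclsObj,
			&uReturn
			);
		if( FAILED(hres) || (uReturn == 0) )
		{
			break;	// end of enumeration (WBEM_S_FALSE) or enumeration error
		}

		if( properties != NULL )
		{	// fetch the property value
			VARIANT vtProperty;
			BOOL bHaveValue = FALSE;

			VariantInit( &vtProperty );	
			hres = pclsObj->Get( szWQLQuery[iQueryType].szProperty, 0, &vtProperty, NULL, NULL );

			// The property can still be absent or VT_NULL despite the
			// "IS NOT NULL" filter; only a real BSTR is copied so that a NULL
			// bstrVal is never dereferenced. Other objects are skipped.
			if( SUCCEEDED(hres) && (vtProperty.vt == VT_BSTR) && (vtProperty.bstrVal != NULL) )
			{
				StringCchCopy( properties[iTotal].szProperty, PROPERTY_MAX_LEN, W2T(vtProperty.bstrVal) );
				bHaveValue = TRUE;
			}
			VariantClear( &vtProperty );

			// Post-process the value; the entry only counts if that succeeds.
			if( bHaveValue && WMI_DoWithProperty( iQueryType, properties[iTotal].szProperty, PROPERTY_MAX_LEN ) )
			{
				iTotal++;
			}
		}
		else
		{
			iTotal++;	// counting only
		}

		pclsObj->Release();
	} // End While

	// Release everything in reverse order of acquisition.
	pEnumerator->Release();
	pSvc->Release();
	pLoc->Release();    
	CoUninitialize();

	return iTotal;
}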



请教:这是因为WIN7不适用,
还是WMIDataDevice这个驱动名称不对,
还是上面的获取序列号的方法不是WMI,不能用这种拦截方法??
谢谢
附上过滤驱动源码:

