# WMI

- WMI allows an administrator to create their own objects: create a process, services, ...
- WMI Provider Host process **WmiPrvSE.exe**: this executable is responsible for executing WMI activity.

## Components:

1. WMI Providers: COM servers that monitor managed objects. A WMI provider normally consists of a MOF file, which defines the data and event classes for which the provider returns data, and a DLL file which contains the code that supplies the data. These providers are typically DLLs and can be found in `C:\Windows\System32\wbem\*`.
2. Managed objects: processes, services, operating system, ...
3. WMI infrastructure: the WMI service (winmgmt):
   3.1. The CIM Object Manager (CIMOM): this component handles the connection between the management application and the provider.
   3.2. The WMI/CIMOM object repository is organized by WMI namespaces. It holds the collection of providers at `C:\Windows\System32\wbem\Repository\`.
4. Management application (WMI consumer): the client application (an executable, a VBScript, a PowerShell script, ...) that interacts with the WMI infrastructure.

- The [WMI service](http://revertservice.com/10/winmgmt/) (winmgmt) is implemented in **wmisvc.dll**, which is loaded and runs inside **svchost.exe**. Look at the WinMgmt config in the registry:

![](https://i.imgur.com/LWpxNcc.png)

![](https://i.imgur.com/MIxrQfG.png)

- Another WMI binary on disk, WmiPrvSE (WMI Provider Host), is used to load the correct COM server (WMI provider). Its parent is a **svchost.exe** process with the command line `C:\Windows\system32\svchost.exe -k DcomLaunch -p`. This svchost is launched under **services.exe**.

![](https://i.imgur.com/k0UHMrg.png)

### WMI called at a high level:

1. The WMI service (wmisvc.dll) is launched within an svchost process via `C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt`.
2. The management application (powershell.exe) executes a WMI method.
3. WmiPrvSE is launched via `C:\Windows\system32\wbem\wmiprvse.exe -Secured -Embedding`, under the DcomLaunch svchost process.
4. The WMI service loads the appropriate WMI provider into WmiPrvSE.
5. WmiPrvSE executes the function expressed by the method.

### Practice:

- There are 2 different families of WMI cmdlets in PowerShell: the WMI cmdlets and the CIM cmdlets.

Find the WMI class that allows us to create a process:

```powershell=
PS C:\Users\v13td0x> Get-CimClass -MethodName *Create*

   NameSpace: ROOT/cimv2

CimClassName            CimClassMethods      CimClassProperties
------------            ---------------      ------------------
Win32_ShadowStorage     {Create}             {AllocatedSpace, DiffVolume, MaxSpace, UsedSpace...}
StdRegProv              {CreateKey, Delet... {}
Win32_ScheduledJob      {Create, Delete}     {Caption, Description, InstallDate, Name...}
Win32_DfsNode           {Create}             {Caption, Description, InstallDate, Name...}
Win32_BaseService       {StartService, St... {Caption, Description, InstallDate, Name...}
Win32_SystemDriver      {StartService, St... {Caption, Description, InstallDate, Name...}
Win32_Service           {StartService, St... {Caption, Description, InstallDate, Name...}
Win32_Share             {Create, SetShare... {Caption, Description, InstallDate, Name...}
Win32_ClusterShare      {Create, SetShare... {Caption, Description, InstallDate, Name...}
Win32_ShadowCopy        {Create, Revert}     {Caption, Description, InstallDate, Name...}
Win32_Process           {Create, Terminat... {Caption, Description, InstallDate, Name...}   ## <<<------

PS C:\Users\v13td0x> (Get-CimClass -ClassName Win32_Process).CimClassMethods['Create'].Parameters

Name                      CimType  Qualifiers                                 ReferenceClassName
----                      -------  ----------                                 ------------------
CommandLine               String   {ID, In, MappingStrings}
CurrentDirectory          String   {ID, In, MappingStrings}
ProcessStartupInformation Instance {EmbeddedInstance, ID, In, MappingStrings}
ProcessId                 UInt32   {ID, MappingStrings, Out}
```

- You can see the WMI class called **Win32_Process** holds a method called `Create`, and the second command lists the parameters we need for the **Win32_Process.Create** method.
- Next, let's find out which WMI provider backs it. As mentioned before, providers are essentially just COM servers, which means they are stored in the registry behind a CLSID.

```powershell=
PS C:\Users\v13td0x> (Get-CimInstance __Provider -Filter "Name = '$(([WmiClass] 'Win32_Process').Qualifiers['provider'].Value)'").CLSID
{d63a5850-8f16-11cf-9f47-00aa00bf345c}

# use that CLSID to find the provider DLL
PS C:\Users\v13td0x> Get-ItemPropertyValue -Path "Registry::HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}\InprocServer32\" -Name '(default)'
C:\Windows\system32\wbem\cimwin32.dll
```

So, what do we have?

> WMI Class: Win32_Process
> Method: Create(CommandLine, CurrentDirectory, ProcessStartupInformation, ProcessId)
> Provider: cimwin32.dll
> Namespace: ROOT/cimv2

## References:

https://jsecurity101.medium.com/wmi-internals-part-1-41bb97e7f5eb
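As an added example (my own code, not part of the original notes or the referenced article), the following PowerShell generalises the class → provider qualifier → `__Win32Provider` CLSID → `InprocServer32` DLL lookup above to any class, and turns it into a defender's audit of every provider registered in a namespace: which WmiPrvSE hosting model loads it, which DLL, and whether that DLL is Authenticode-signed and lives under `%SystemRoot%`. The function names are my own; the cmdlets and the `__Win32Provider` properties (`Name`, `CLSID`, `HostingModel`) are standard.

```powershell
# Added example: resolve the provider DLL behind a WMI class and audit all providers
# registered in a namespace. Function names are invented for this example.
function Resolve-WmiProviderDll {
    param(
        [Parameter(Mandatory)][string]$ClassName,
        [string]$Namespace = 'ROOT/cimv2'
    )
    # The class's 'provider' qualifier names the __Win32Provider instance (same lookup as in the notes)
    $class = Get-CimClass -ClassName $ClassName -Namespace $Namespace -ErrorAction Stop
    $providerName = $class.CimClassQualifiers['provider'].Value
    if (-not $providerName) { throw "$ClassName has no provider qualifier (abstract or system class)" }
    $provider = Get-CimInstance -ClassName __Win32Provider -Namespace $Namespace -Filter "Name = '$providerName'"
    Get-WmiProviderDll -Provider $provider -Namespace $Namespace
}

function Get-WmiProviderDll {
    param([Parameter(Mandatory)]$Provider, [string]$Namespace)
    # A provider is a COM server: its CLSID maps to an in-process DLL under HKCR\CLSID\{...}\InprocServer32
    $dll = $null
    $regPath = "Registry::HKEY_CLASSES_ROOT\CLSID\$($Provider.CLSID)\InprocServer32"
    if ($Provider.CLSID -and (Test-Path $regPath)) {
        $raw = Get-ItemPropertyValue -Path $regPath -Name '(default)' -ErrorAction SilentlyContinue
        if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
    }
    $status = if ($dll -and (Test-Path $dll)) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'DllNotFound' }
    [pscustomobject]@{
        Namespace    = $Namespace
        Provider     = $Provider.Name
        HostingModel = $Provider.HostingModel   # which WmiPrvSE identity loads it (e.g. NetworkServiceHost)
        CLSID        = $Provider.CLSID
        Dll          = $dll
        Signature    = $status                  # Valid, NotSigned, HashMismatch, ... or DllNotFound
    }
}

function Get-WmiProviderAudit {
    param([string]$Namespace = 'ROOT/cimv2')
    # Enumerate every registered provider and flag anything WmiPrvSE would load from outside
    # %SystemRoot% or without a valid Authenticode signature; review flagged rows, they are not proof of abuse
    Get-CimInstance -ClassName __Win32Provider -Namespace $Namespace | ForEach-Object {
        $r = Get-WmiProviderDll -Provider $_ -Namespace $Namespace
        $inSystemRoot = $r.Dll -and $r.Dll.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')
        $r | Add-Member -NotePropertyName Suspicious -NotePropertyValue (($r.Signature -ne 'Valid') -or -not $inSystemRoot) -PassThru
    }
}

# Usage: the Win32_Process lookup from the notes, then a full audit with flagged entries first
Resolve-WmiProviderDll -ClassName Win32_Process
Get-WmiProviderAudit | Sort-Object Suspicious -Descending | Format-Table Provider, HostingModel, Dll, Signature, Suspicious
```

Run it elevated on the host being reviewed; third-party providers registered outside `%SystemRoot%` will be flagged too, so treat the `Suspicious` column as a review queue, not a verdict.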