wmi_process_call.cpp
// https://wikileaks.org/ciav7p1/cms/page_11628909.html
#include <iostream>
#include <WbemCli.h>
#pragma comment(lib, "wbemuuid.lib")
// Entry point. Takes one argument (a command line) and asks WMI to start it
// by invoking Win32_Process.Create on the local ROOT\CIMV2 namespace.
// Because the process is created by the WMI service on this program's
// behalf, its parent is the WMI provider host rather than this binary;
// that detached parent/child relationship is the property host telemetry
// for WMI-driven execution keys on.
//
// Return value: 0 on every path, including the usage error and every COM
// failure, and each failure prints the same "failed1" string, so a caller
// cannot tell which step failed.
//
// Resource handling is inconsistent: each error branch releases at most
// one interface and only the first one calls CoUninitialize(). The
// individual gaps are noted inline.
int wmain(int argc, wchar_t* argv[])
{
if (argc != 2) {
printf("Usage: binary.exe <command>");
return 0; // usage error still exits with status 0
}
HRESULT hr;
hr = CoInitializeEx(0, COINIT_MULTITHREADED); // result is never checked; hr is overwritten below
// IWbemClassObject Interface
// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wmi/46710c5c-d7ab-4e4c-b4a5-ebff311fdcd1
REFCLSID rclsid = CLSID_WbemLocator; // Unmarshaler CLSID, 4590F812-1D3A-11D0-891F-00AA004B2E24
REFIID riid = IID_IWbemLocator ; // Interface UUID, DC12A681-737F-11CF-884D-00AA004B2E24
IWbemLocator* wbemLocator = NULL;
hr = CoCreateInstance(rclsid, NULL, 1, riid, (LPVOID*)&wbemLocator); // 1 == CLSCTX_INPROC_SERVER (magic number; the named constant reads better)
if (FAILED(hr)) {
CoUninitialize(); // the only error path that undoes CoInitializeEx
printf("failed1\n");
return 0;
}
IWbemServices* wbemServices = NULL;
// NOTE(review): a wide string literal cast to BSTR is not a real BSTR (no
// length prefix). The same cast is used for every string handed to WMI
// below; it appears to be tolerated in practice, but SysAllocString()
// would be the correct way to build these.
hr = wbemLocator->ConnectServer((BSTR)L"ROOT\\CIMV2", NULL, NULL, 0, NULL, 0, 0, &wbemServices);
if (FAILED(hr)) {
wbemLocator->Release();
printf("failed1\n"); // CoUninitialize() is skipped here and on every later error path
return 0;
}
// Set the security context on the IWbemServices proxy.
hr = CoSetProxyBlanket(wbemServices,
RPC_C_AUTHN_WINNT, // RPC_C_AUTHN_xxx 0xA
RPC_C_AUTHZ_NONE, // RPC_C_AUTHZ_xxx 0x0
NULL, // Server principal name 0x0
RPC_C_AUTHN_LEVEL_CALL, // RPC_C_AUTHN_LEVEL_xxx 0x3
RPC_C_IMP_LEVEL_IMPERSONATE, // RPC_C_IMP_LEVEL_xxx 0x3
NULL, // client identity 0x0
EOAC_NONE // proxy capabilities 0x0
);
if (FAILED(hr)) {
wbemLocator->Release(); // wbemServices is leaked
printf("failed1\n");
return 0;
}
// Win32_ProcessStartup
IWbemClassObject* oWin32ProcessStartup = NULL;
hr = wbemServices->GetObject((BSTR)L"Win32_ProcessStartup", 0, NULL, &oWin32ProcessStartup, NULL);
if (FAILED(hr)) {
// BUG: oWin32ProcessStartup was initialised to NULL and a failed
// GetObject() does not hand back an object, so this Release() is a call
// through a null pointer. wbemServices and wbemLocator are leaked.
oWin32ProcessStartup->Release();
printf("failed1\n");
return 0;
}
IWbemClassObject* pStartupInstance = NULL;
hr = oWin32ProcessStartup->SpawnInstance(0, &pStartupInstance);
if (FAILED(hr)) {
oWin32ProcessStartup->Release(); // wbemServices and wbemLocator are leaked
printf("failed1\n");
return 0;
}
// Win32_Process
IWbemClassObject* oWin32Process = NULL;
hr = wbemServices->GetObject((BSTR)L"Win32_Process", 0, NULL, &oWin32Process, NULL);
if (FAILED(hr)) {
wbemServices->Release(); // oWin32ProcessStartup, pStartupInstance and wbemLocator are leaked
printf("failed1\n");
return 0;
}
// Create
IWbemClassObject* pInParamsDefinition = NULL;
hr = oWin32Process->GetMethod((BSTR)L"Create", 0, &pInParamsDefinition, NULL);
if (FAILED(hr)) {
oWin32Process->Release(); // everything acquired earlier is leaked
printf("failed1\n");
return 0;
}
IWbemClassObject* pParamsInstance = NULL;
hr = pInParamsDefinition->SpawnInstance(0, &pParamsInstance);
if (FAILED(hr)) {
pInParamsDefinition->Release(); // the only place pInParamsDefinition is ever released; the success path below never does
printf("failed1\n");
return 0;
}
WCHAR wcCommandExecute[MAX_PATH + 1];
// swprintf(wcCommandExecute, MAX_PATH, TEXT("%ls"), argv[1]);
// The template overload of wcscpy_s deduces the destination size
// (MAX_PATH + 1). An argv[1] longer than that does not overflow the
// buffer; as documented for the secure CRT it triggers the invalid
// parameter handler instead, which terminates the process by default.
wcscpy_s(wcCommandExecute, argv[1]);
// wcscpy_s(wcCommandExecute, L"powershell echo 'HelloWorld!'");
VARIANT varCommand;
VariantInit(&varCommand);
varCommand.vt = VT_BSTR;
// bstrVal points at a stack WCHAR array, not a SysAllocString()'d BSTR.
// Same caveat as above, and VariantClear() must never be called on
// varCommand, since it would SysFreeString() a stack buffer.
varCommand.bstrVal = wcCommandExecute;
hr = pParamsInstance->Put((BSTR)L"CommandLine", 0, &varCommand, 0);
if (FAILED(hr)) {
pParamsInstance->Release(); // everything else is leaked
printf("failed1\n");
return 0;
}
//instWin32ProcessStartup->Put((BSTR)"CreateFlags", 0, &varCreateFlags, 0);
VARIANT vtDispatch;
VariantInit(&vtDispatch);
vtDispatch.vt = VT_DISPATCH;
// NOTE(review): the union member written is byref, and IWbemClassObject
// is not an IDispatch. Other WMI samples pass the startup object as
// VT_UNKNOWN via punkVal -- confirm WMI accepts this combination.
vtDispatch.byref = pStartupInstance;
hr = pParamsInstance->Put((BSTR)L"ProcessStartupInformation", 0, &vtDispatch, 0);
if (FAILED(hr)) {
pParamsInstance->Release(); // everything else is leaked
printf("failed1\n");
return 0;
}
IWbemClassObject* pOutParams = NULL;
// Invoke Win32_Process.Create with the CommandLine and
// ProcessStartupInformation set above. The out-parameters object, which
// carries the method's result, is never inspected and never Released().
hr = wbemServices->ExecMethod((BSTR)L"Win32_Process", (BSTR)L"Create", 0, NULL, pParamsInstance, &pOutParams, NULL);
if (FAILED(hr)) {
wbemServices->Release(); // everything else is leaked
printf("failed1\n");
return 0;
}
// Success path: pInParamsDefinition and pOutParams are not released here.
pParamsInstance->Release();
oWin32Process->Release();
oWin32ProcessStartup->Release();
pStartupInstance->Release();
wbemServices->Release();
wbemLocator->Release();
CoUninitialize();
// No explicit return; relies on the implicit return 0 of a main-like
// entry point (presumably honoured for wmain by MSVC -- confirm).
}