Author Topic: Postmodern WMI Access

dedndave

Re: Postmodern WMI Access
« Reply #15 on: September 25, 2014, 05:14:36 AM »
i dunno about "expert" - i try not to use that term
generally, when i meet an expert, it tells me how little they actually know

that thread has 6 pages of results that may be used as reference   :t

dedndave

Re: Postmodern WMI Access
« Reply #16 on: September 25, 2014, 05:17:02 AM »
as for using WMI - search the old forum contents for posts by Edgar (donkey)
he and Erol have both posted WMI examples, i think
Edgar's examples are probably written for GoAsm, but easy enough to convert or use as reference

Zen

Re: Postmodern WMI Access
« Reply #17 on: September 25, 2014, 05:19:29 AM »
DAVE !!!
Yeah,...EDGAR is what I started with,...his GoAsm code is easily understandable.
THANKS again to everyone for all the excellent advice,...
Zen

Vortex

Re: Postmodern WMI Access
« Reply #18 on: September 25, 2014, 05:21:36 AM »
Quote from: Zen
VORTEX,
Yeah,...thanks, good stuff. I'd forgotten about the registry. This key exists with the correct value for all versions of Windows (I assume it does) ???

Yes, it must be valid for all the versions of Windows.

Zen

Re: Postmodern WMI Access
« Reply #19 on: September 25, 2014, 05:25:27 AM »
I wrote this program essentially for novice programmers. COM is much easier to code in C++, and in Visual Studio. Visual Studio has all the header files in its include section, and the IDE is designed for COM interface invocations. It also has the MIDL compiler included to define your COM components correctly and provide the RPC code.
The Access WMI.exe is designed so that you can expand the code, experiment, and add your own custom WMI queries,...the framework is there, and works correctly.

WMI encompasses a wide range of system capabilities, for example:
Computer System Hardware Classes (WMI)
Operating System Classes (WMI)
Performance Counter Classes
...And, it has the built-in capability to query a remote computer:
Connecting to WMI on a Remote Computer

...And, the one aspect of WMI that I didn't explore in this application (getting data from WMI with PowerShell):
Getting Started with Windows PowerShell
« Last Edit: September 26, 2014, 04:13:01 AM by Zen »
Zen
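The PowerShell route Zen mentions but did not explore, as an added example that is not part of the thread or of the Access WMI.exe project: it queries the same hardware and operating-system classes (Win32_OperatingSystem, Win32_ComputerSystem, Win32_Processor) locally, and optionally on a remote computer over a CIM session. The function name, its parameters and the sample host name 'server01' are my own choices and not from the thread.

```powershell
# Added example, not code from the forum thread. Queries WMI/CIM hardware and
# OS classes on the local machine or, via -ComputerName, on a remote host.
# Remote sessions use WinRM (CIM over WS-Man), the modern replacement for the
# DCOM transport the classic Get-WmiObject cmdlet used.
function Get-WmiSystemSummary {
    [CmdletBinding()]
    param(
        # Target host; defaults to the local machine (my parameter name, not from the thread).
        [string]$ComputerName = $env:COMPUTERNAME,
        # Optional alternate credential for the remote host.
        [System.Management.Automation.PSCredential]$Credential
    )

    $sessionArgs = @{ ComputerName = $ComputerName }
    if ($Credential) { $sessionArgs.Credential = $Credential }
    $session = New-CimSession @sessionArgs -ErrorAction Stop

    try {
        # Operating System Classes: version, build and service-pack level.
        $os  = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem
        # Computer System Hardware Classes: vendor, model, RAM and CPU.
        $cs  = Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem
        $cpu = Get-CimInstance -CimSession $session -ClassName Win32_Processor |
               Select-Object -First 1

        [pscustomobject]@{
            ComputerName  = $ComputerName
            OSCaption     = $os.Caption
            OSVersion     = $os.Version
            OSBuild       = $os.BuildNumber
            ServicePack   = $os.ServicePackMajorVersion
            LastBoot      = $os.LastBootUpTime
            Manufacturer  = $cs.Manufacturer
            Model         = $cs.Model
            PhysicalMemGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
            Processor     = $cpu.Name
        }
    }
    finally {
        # Always tear the session down, even if a query throws.
        Remove-CimSession $session
    }
}

# The same selection expressed as WQL, the form wbemtest and CIM Studio accept:
# Get-CimInstance -Query "SELECT Caption, Version, BuildNumber FROM Win32_OperatingSystem"

Get-WmiSystemSummary | Format-List
# Remote use (sample host name is constructed):
# Get-WmiSystemSummary -ComputerName 'server01' -Credential (Get-Credential)
```

A remote CIM session needs WinRM listening on the target and a caller who is a local administrator there (or has been granted rights on the WMI namespace explicitly); it produces a network logon in the target's Security log, and the Microsoft-Windows-WMI-Activity/Operational log, once enabled, records each query with the caller's account, which is what you would look at when auditing who is pulling inventory from your machines.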

hutch--

Re: Postmodern WMI Access
« Reply #20 on: September 25, 2014, 05:51:30 AM »
Zen,

One of the things to do with software that runs on later OS versions is to have both a manifest file and a version control block in the resource section as the crappy end of AV scanners sometimes squark if either are missing.

As far as irritating trojans, a disk image kills all, for my Win7 64 box I paid for Macrium Reflect Professional and it is a good toy to have handy, I can dump a disk image for on another computer and restore it from the Win7 box across the network using Macrium. It has a WinPE boot disk that works fine and is far cleaner to use than the Unix based boot disks that I am used to with the older Acronis versions that I have for my XP machines.
hutch at movsd dot com
http://www.masm32.com    :biggrin:  :biggrin:
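A quick way to check a build for the two items hutch names, as an added example that is not from the thread or the MASM32 SDK: it reports whether an executable carries a version resource and an embedded application manifest. The function name is my own; the manifest check is a plain byte-string search for the manifest's XML root element rather than a parse of the resource table, which is good enough for triage but is an assumption, not a definitive test.

```powershell
# Added example, not code from the forum thread. Reports whether a PE file has
# a VERSIONINFO resource and an embedded (RT_MANIFEST) application manifest,
# the two things hutch says some AV heuristics complain about when missing.
function Test-PeMetadata {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $vi = $item.VersionInfo
    # A file with no VERSIONINFO resource still returns a VersionInfo object,
    # but its FileVersion/ProductName strings come back empty.
    $hasVersion = -not [string]::IsNullOrWhiteSpace($vi.FileVersion)

    # Embedded manifests are UTF-8 XML whose root element is <assembly ...>.
    # Scanning the raw bytes as ASCII finds it without walking the resource
    # directory (assumption: a string match is treated as "manifest present").
    $bytes = [System.IO.File]::ReadAllBytes($item.FullName)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    $hasManifest = $text.Contains('<assembly ') -or $text.Contains('<assembly>')

    [pscustomobject]@{
        File        = $item.Name
        FileVersion = $vi.FileVersion
        Company     = $vi.CompanyName
        Product     = $vi.ProductName
        HasVersion  = $hasVersion
        HasManifest = $hasManifest
    }
}

# Run over every executable in the current build directory.
Get-ChildItem -Filter *.exe |
    ForEach-Object { Test-PeMetadata -Path $_.FullName } |
    Format-Table -AutoSize
```

Rows showing HasVersion or HasManifest as False are the binaries to fix before submitting them anywhere a heuristic scanner will see them; adding both resources costs nothing at link time and removes one cheap reason for a scanner to rate an unknown assembler-built file as suspicious.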

jj2007

Re: Postmodern WMI Access
« Reply #21 on: September 25, 2014, 08:31:41 AM »
Quote from: Zen
HKEY_LOCAL_MACHINE\Software\Gen.Variant.Kazy
..
This doesn't really make any sense.

Indeed - no "serious" trojan would create such a key in HKLM 8)

Don't worry, it's a false positive. But still, it would be nice to know what triggered the heuristic scanners of several AV's to brand your code as a trojan.

hutch--

Re: Postmodern WMI Access
« Reply #22 on: September 25, 2014, 10:59:08 AM »
 :biggrin:

> But still, it would be nice to know what triggered the heuristic scanners of several AV's to brand your code as a trojan.

That's easy, "We don't know what we are doing so the software will flag it as a trojan."  :P
hutch at movsd dot com
http://www.masm32.com    :biggrin:  :biggrin:

Zen

Re: Postmodern WMI Access
« Reply #23 on: September 26, 2014, 03:47:32 AM »
Quote from: HUTCH
"We don't know what we are doing so the software will flag it as a trojan." :P
...I am inclined to believe that's pretty accurate,...
Zen

Vortex

Re: Postmodern WMI Access
« Reply #24 on: September 27, 2014, 04:10:13 AM »
Another tool :

Quote
w32ver.zip - 12.2 KB - compiled 2014-06-04 - Displays the current version number, build number and service pack level for the current Win32 environment. w32verc.exe displays the information in the console window and w32ver.exe displays it in a dialog box making it compatible with Win32s on Windows 3.x.

http://www.ltr-data.se/files/w32ver.zip

http://www.ltr-data.se/opencode.html/


Zen

Re: Postmodern WMI Access
« Reply #25 on: September 27, 2014, 04:20:38 AM »
Probably the best free program for browsing WMI objects is: CIM Studio, which you can download as a part of WMI Tools from Microsoft.

There's also: WBEMTest.exe (WMI Test Tool), which you will find on your computer, in the Directory: C:/Windows/System32/wbem/wbemtest.exe

...And, WMI Explorer, which is commercial software, but, you can download a free 45-day evaluation copy.
Zen