Closed jgajek closed 7 years ago
Would rather have cuckoomon locate IWbemServices and then hook ExecQuery (perhaps ConnectServer / QueryInterface as well) so that they would show up in API logs instead of output from an analyzer module.
From there you could just add code in behavior.py to make another summary of WMI queries.
This may be similar to Issue #349.
@KillerInstinct So here's my understanding of what would be required to do this via your approach:
In cuckoomon's hook for CoCreateInstance()/CoCreateInstanceEx(), detect when a CLSID_WbemLocator instance is being created, and hook the ConnectServer() method of that instance before returning the instance pointer to the calling process.
In the ConnectServer() hook of the WbemLocator instance, hook the ExecQuery() method of the IWbemServices instance before returning the IWbemServices instance pointer to the caller.
Log the query parameters passed in to the ExecQuery() hook.
Is this what you had in mind?
Yep, though make sure they're done with _NOTAIL hooks -- we don't want these hooks to consume underlying functionality that we want to log.
-Brad
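The hook chain sketched above (ConnectServer hook installs an ExecQuery hook on the returned IWbemServices object, and the ExecQuery hook logs the query and then lets the original run, as Brad's NOTAIL remark asks) comes down to interposing a slot in a COM vtable. The following is an added, portable illustration of that mechanism, not code from cuckoomon or from anyone in this thread: the WMI interfaces are replaced by constructed stand-ins (`FakeWbemServices`, `real_ConnectServer`, the one-slot vtable) so it compiles without `wbemidl.h`, and the API log is a constructed in-memory buffer. The real `IWbemLocator`/`IWbemServices` vtables carry many more slots, and the real CLSID_WbemLocator detection would happen in the CoCreateInstance hook, which is not modelled here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed stand-in for a COM object: an interface pointer points to a
 * struct whose first member is a pointer to a vtable of function pointers.
 * The real IWbemServices layout comes from wbemidl.h and has many more slots
 * (QueryInterface, AddRef, Release, ...); only ExecQuery is modelled here.
 */
typedef struct FakeWbemServices FakeWbemServices;
typedef long (*ExecQueryFn)(FakeWbemServices *self, const char *lang, const char *query);

typedef struct {
    ExecQueryFn ExecQuery;
} FakeWbemServicesVtbl;

struct FakeWbemServices {
    const FakeWbemServicesVtbl *lpVtbl;
    char ns[64];            /* namespace passed to ConnectServer */
    int queries_executed;   /* lets a caller confirm the original still ran */
};

/* The "real" ExecQuery that the hook must still reach (pass-through behaviour). */
static long real_ExecQuery(FakeWbemServices *self, const char *lang, const char *query)
{
    (void)lang; (void)query;
    self->queries_executed++;
    return 0;   /* S_OK */
}

static const FakeWbemServicesVtbl g_real_services_vtbl = { real_ExecQuery };

/* Stand-in for IWbemLocator::ConnectServer: hands back a fresh services object. */
static FakeWbemServices *real_ConnectServer(const char *ns)
{
    FakeWbemServices *svc = calloc(1, sizeof *svc);
    if (!svc) return NULL;
    svc->lpVtbl = &g_real_services_vtbl;
    snprintf(svc->ns, sizeof svc->ns, "%s", ns);
    return svc;
}

/* Constructed in-memory stand-in for the monitor's API log. */
#define LOG_MAX 16
#define LOG_LEN 256
static char g_log[LOG_MAX][LOG_LEN];
static int g_log_count = 0;

const char *log_entry(int i) { return (i >= 0 && i < g_log_count) ? g_log[i] : ""; }
int log_count(void) { return g_log_count; }

static ExecQueryFn g_orig_ExecQuery = NULL;

/* Hook for ExecQuery: record the query parameters, then call the original. */
static long hooked_ExecQuery(FakeWbemServices *self, const char *lang, const char *query)
{
    if (g_log_count < LOG_MAX)
        snprintf(g_log[g_log_count++], LOG_LEN,
                 "ExecQuery ns=%s lang=%s query=%s", self->ns, lang, query);
    return g_orig_ExecQuery(self, lang, query);
}

/*
 * Install the ExecQuery hook on one object. A COM vtable is normally shared
 * between instances and may live in read-only memory, so rather than patch it
 * in place the object gets its own copy with the slot replaced. Idempotent:
 * hooking twice must not make the hook call itself.
 */
int hook_exec_query(FakeWbemServices *svc)
{
    if (!svc || svc->lpVtbl->ExecQuery == hooked_ExecQuery)
        return 0;
    FakeWbemServicesVtbl *copy = malloc(sizeof *copy);
    if (!copy) return -1;
    *copy = *svc->lpVtbl;
    g_orig_ExecQuery = copy->ExecQuery;   /* where the hook passes through to */
    copy->ExecQuery = hooked_ExecQuery;
    svc->lpVtbl = copy;
    return 0;
}

/* Hook for ConnectServer: let the real call run, then hook the object it returns. */
FakeWbemServices *hooked_ConnectServer(const char *ns)
{
    FakeWbemServices *svc = real_ConnectServer(ns);
    if (svc) hook_exec_query(svc);
    return svc;
}

int main(void)
{
    FakeWbemServices *svc = hooked_ConnectServer("root\\cimv2");
    svc->lpVtbl->ExecQuery(svc, "WQL", "SELECT * FROM Win32_Process");
    svc->lpVtbl->ExecQuery(svc, "WQL", "SELECT Name FROM Win32_OperatingSystem");
    for (int i = 0; i < log_count(); i++)
        printf("%s\n", log_entry(i));
    free((void *)svc->lpVtbl);
    free(svc);
    return 0;
}
```

The per-object vtable copy is one of two usual choices; the other is to make the shared vtable page writable and patch the slot once for every instance. Either way the hook must be installed before the interface pointer is returned to the monitored process, which is why it belongs in the ConnectServer hook rather than somewhere later.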
It would be very nice to have a log of the WMI queries that were issued by the processes under analysis. Any ideas on how best to accomplish this? Perhaps a new analyzer module that starts a WMI trace and extracts the appropriate events from the Event Log at the end of the analysis?
https://msdn.microsoft.com/en-us/library/aa826686(v=vs.85).aspx