WMI queries from c++
wmic.exe invocations are easy to spot: they show up in process-creation / command-line logging (Security event 4688 with command-line auditing, Sysmon Event ID 1) and in EDR telemetry. (Script-block logging is a PowerShell feature and does not apply to wmic.exe itself.) Issuing the same WQL query from C++ through the COM API avoids spawning a separately logged process, but it does not make the query invisible: it still goes through the WMI service, and the Microsoft-Windows-WMI-Activity ETW channels (when enabled) can record the operation together with the client process ID.
Here is a code sample which enumerates the registered antivirus products (from `root\SecurityCenter2`, a namespace that is generally only present on client Windows SKUs) and prints the computer name from `Win32_ComputerSystem.Name`. (Note that it is very poorly coded: no return values are checked, so a query that returns nothing dereferences a null pointer.)
#include <Windows.h>
#include <atlbase.h>
#include <wbemidl.h>
#pragma comment(lib, "wbemuuid.lib")
#include <string>
#include <iostream>
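// Prints `label` followed by the string value of property `name` on `obj`.
// A fresh CComVariant is used per Get(): IWbemClassObject::Get overwrites the
// output VARIANT rather than clearing it, so reusing one leaks the old BSTR.
// Non-string or absent values (VT_NULL, null BSTR) are reported as "<null>"
// instead of being handed to CW2A, which would dereference a null pointer.
static void PrintStringProperty(IWbemClassObject* obj, const wchar_t* name, const char* label)
{
    CComVariant value;
    if (obj == nullptr
        || FAILED(obj->Get(name, 0, &value, nullptr, nullptr))
        || value.vt != VT_BSTR
        || value.bstrVal == nullptr) {
        std::cout << label << "<null>" << std::endl;
        return;
    }
    std::cout << label << CW2A(value.bstrVal) << std::endl;
}

// Connects to WMI namespace `ns` and runs `wql` against it.
// Returns a forward-only enumerator, or a null CComPtr if either the
// connection or the query failed. Each call gets its own IWbemServices, so
// no CComPtr is ever passed to operator& while already holding an interface
// (ATL asserts on that in debug builds and silently leaks in release).
static CComPtr<IEnumWbemClassObject> RunQuery(IWbemLocator* locator, const wchar_t* ns, const wchar_t* wql)
{
    CComPtr<IWbemServices> services;
    HRESULT hr = locator->ConnectServer(CComBSTR(ns), nullptr, nullptr, nullptr, 0, nullptr, nullptr, &services);
    if (FAILED(hr)) {
        std::cerr << "ConnectServer failed: 0x" << std::hex << hr << std::endl;
        return {};
    }

    CComPtr<IEnumWbemClassObject> enumerator;
    hr = services->ExecQuery(CComBSTR(L"WQL"), CComBSTR(wql), WBEM_FLAG_FORWARD_ONLY, nullptr, &enumerator);
    if (FAILED(hr)) {
        std::cerr << "ExecQuery failed: 0x" << std::hex << hr << std::endl;
        return {};
    }
    return enumerator;
}

// Performs the two queries and prints the results. Kept separate from main()
// so every CComPtr is released before CoUninitialize() runs.
// Returns 0 on success, 1 if the locator could not be created.
static int RunQueries()
{
    CComPtr<IWbemLocator> locator;
    HRESULT hr = locator.CoCreateInstance(CLSID_WbemLocator);
    if (FAILED(hr)) {
        std::cerr << "CoCreateInstance(CLSID_WbemLocator) failed: 0x" << std::hex << hr << std::endl;
        return 1;
    }

    // root\SecurityCenter2 is generally only present on client SKUs; on a
    // server (or a box with no registered product) the query returns no rows,
    // which the original code dereferenced as a null pointer. Every product is
    // listed, and both properties are read from the same object.
    CComPtr<IEnumWbemClassObject> avEnum =
        RunQuery(locator, L"root\\securitycenter2", L"SELECT * FROM AntiVirusProduct");
    if (avEnum) {
        bool anyProduct = false;
        for (;;) {
            CComPtr<IWbemClassObject> product;
            ULONG returned = 0;
            hr = avEnum->Next(WBEM_INFINITE, 1, &product, &returned);
            if (FAILED(hr) || returned == 0) {
                break;
            }
            anyProduct = true;
            PrintStringProperty(product, L"displayName", "ANTIVIRUS: ");
            PrintStringProperty(product, L"pathToSignedReportingExe", "PATH TO AV: ");
        }
        if (!anyProduct) {
            std::cout << "ANTIVIRUS: <none registered>" << std::endl;
        }
    }

    // Win32_ComputerSystem.Name is the computer (host) name, not a user name.
    CComPtr<IEnumWbemClassObject> csEnum =
        RunQuery(locator, L"root\\cimv2", L"SELECT * FROM Win32_ComputerSystem");
    if (csEnum) {
        CComPtr<IWbemClassObject> computer;
        ULONG returned = 0;
        hr = csEnum->Next(WBEM_INFINITE, 1, &computer, &returned);
        if (SUCCEEDED(hr) && returned != 0) {
            PrintStringProperty(computer, L"Name", "Desktop Name: ");
        } else {
            std::cout << "Desktop Name: <null>" << std::endl;
        }
    }
    return 0;
}

// Entry point: initialises COM, sets process-wide call security, runs the WMI
// queries and tears COM down again. Exit status is 0 on success, 1 on failure.
int main()
{
    HRESULT hr = CoInitialize(nullptr);
    if (FAILED(hr)) {
        std::cerr << "CoInitialize failed: 0x" << std::hex << hr << std::endl;
        return 1;
    }

    // RPC_E_TOO_LATE means some other component in the process already set
    // security; WMI calls still work in that case, so only real failures abort.
    hr = CoInitializeSecurity(nullptr, -1, nullptr, nullptr, RPC_C_AUTHN_LEVEL_PKT,
                              RPC_C_IMP_LEVEL_IMPERSONATE, nullptr, EOAC_NONE, nullptr);
    int rc = 1;
    if (SUCCEEDED(hr) || hr == RPC_E_TOO_LATE) {
        rc = RunQueries();
    } else {
        std::cerr << "CoInitializeSecurity failed: 0x" << std::hex << hr << std::endl;
    }

    // All interface pointers live inside RunQueries() and are already released.
    CoUninitialize();

    // Wait for a keypress without system("PAUSE"): that spawns cmd.exe, which is
    // exactly the process-creation / command-line event this program is meant
    // to avoid generating.
    std::cin.get();
    return rc;
}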