ManagementObject is used to create an instance of the WMI class to interact with the WINDOWS system. By using WMI, we can obtain server hardware information, collect server performance data, operate Windows services, and even remotely shut down or restart the server.
The full name of WMI is Windows Management Instrumentation, that is, Windows Management Specification. In the Windows operating system, with the introduction of WMI technology and then outdated over time, it is a powerful technology, from Windows NT 4.0 and Windows 95 and has always maintained its consistency. It is present in all Windows operating systems and consists of a powerful collection of tools for managing local or remote Windows systems.
Microsoft provides a rich set of WMI objects for communicating operating system-related information. For example: Win32_Process, Win32_Service, AntiVirusProduct, Win32_StartupCommand, etc., all WMI objects use a language similar to a SQL query called WMI query language WQL, WQL can return fine and subtle control to the user The WMI object. The following diagram provides a high-level overview of Microsoft’s implementation of WMI and the relationship between the Microsoft-implemented components and the implemented standards
0X02 WMI query
| WMI provides a simple syntax WQL for querying WMI object instances, there are three categories of WQL queries: | ||
|---|---|---|
| name | purpose | |
| Instance query | Used to query instances of WMI classes | |
| Event Query | A meta-query for a WMI event registration mechanism, such as the creation, deletion or modification of a WMI object | |
| Used to query WMI class structure |
Instance queries are the most common WQL queries used to get WMI object instances. A basic instance query takes the following form:
**SELECT \[Class property name|*\] FROM \[CLASS NAME\] & amp;lt;WHERE \[CONSTRAINT\] & amp;gt;**
The following query will return results for all running processes that contain “Chrome” in their executable name. Specifically, this query will return results for all properties of each instance of the Win32_Process class that contain the string “Chrome” in the Name field.
**SELECT* FROM Win32\_Process WHERE Name LIKE "%chrome%"**
Event query provides an alarm mechanism and a class that triggers an event. Used for common event query triggers when WMI class instances are created. Event queries will take the following form:
**SELECT \[Class property name|*\] FROM \[INTRINSIC CLASS NAME\] WITHIN \[POLLING INTERVAL\] <WHERE \[CONSTRAINT\] & amp;gt;**
**SELECT \[Class property name|*\] FROM \[EXTRINSIC CLASS NAME\] & amp;lt;WHERE \[CONSTRAINT\] & amp;gt;* *
Internal and external events are explained in further detail in the Events chapter.
Below is the event query trigger for interactive user login. According to the MSDN documentation, the LogonType value of interactive logon is 2.
**SELECT* FROM \_\_InstanceCreationEvent WITHIN 15 WHERE TargetInstance ISA 'Win32\_LogonSession' AND TargetInstance.LogonType = 2**
Here is the event query trigger on removable media insertion:
**SELECT* FROM Win32\_VolumeChangeEvent WHERE EventType = 2**
Meta Queries provide a WMI class schema discovery and inspection mechanism. Meta queries take the form:
**SELECT \[Class property name|*\] FROM \[Meta\_Class & amp;lt;WHERE \[CONSTRAINT\] & amp;gt;**
The following query will list all WMI classes starting with the string “Win32”:
**SELECT* FROM Meta\_Class WHERE \_\_Class LIKE "Win32%"**
When executing any WMI query, the default namespace ROOT\CIMV2 is implicitly used unless a namespace is explicitly provided.
0X03 WMI basic usage
The namespace hierarchy for WMI classes is very similar to the namespaces of traditional, object-oriented programming languages. All namespaces are derived from the root namespace. Microsoft uses ROOT\CIMV2 as the default namespace when querying objects in a scripting language without explicitly specifying a namespace. The Windows system provides the tester wbemtest.exe, wbemtest.exe It is a powerful WMI diagnostic tool with a graphical interface. It can enumerate object instances, perform queries, register events, modify WMI objects and classes, and invoke methods locally or remotely. WQL: SELECT * FROM Meta_Class WHERE __Class LIKE “Win32%”
The following WMI classes are available for data collection during the reconnaissance phase of an attack:
- Host/OS information: Win32_OperatingSystem, Win32_ComputerSystem
- File/Directory Enumeration: CIM_DataFile
- Disk volume enumeration: Win32_Volume
- Registry Operations: StdRegProv
- Running process: Win32_Process
- Service enumeration: Win32_Service
- Event Log: Win32_NtLogEvent
- Login account: Win32_LoggedOnUser
- Share: Win32_Share
- Installed Patch: Win32_QuickFixEngineering
The assembly needs to be introduced under .NET: Assembly Name=”System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a”, namespace: using System.Management, this namespace provides a set of WMI-compliant Access to management information and management events for infrastructure systems, devices and applications.
| name | Purpose |
| ManagementScope | Connect WMI Namespace |
| ManagementBaseObject | Basic element of management object |
| ManagementObject | Manage WMI instance |
| ManagementObjectCollection | A collection of management objects retrieved through WMI |
| ManagementObjectSearcher | Query to retrieve a collection of management objects |
ManagementObjectSearcher means to retrieve the collection of management objects based on the specified query. The author obtains the current system account name through a piece of code, specifies WMI Key = Win32_UserAccount, and traverses all the included system accounts, as shown in the following code
private static string GetHardWareInfo(string item)
{
if (item == "" || item == null)
{
return null;
}
string hardinfo = null;
string querystr = string.Format("select * from {0}", item);
ManagementObjectSearcher objvide = new ManagementObjectSearcher(querystr);
foreach (ManagementObject obj in objvide. Get())
{
hardinfo + = obj["Name"].ToString() + "\\
";
}
return hardinfo;
}
//Called in the Main method
string v = GetHardWareInfo("Win32_UserAccount");
Console. WriteLine(v);
Commonly used WMI classes also have the following list
| WMI class | Interpretation | Scope of application | |
| Win32_StartupCommand | System automatic startup program | Operating system | |
| Win32_Service | System installed service | td> | Operating System |
| Win32_Group | System Management Group | Operating System | |
| Win32_GroupUser | system group account | operating system | |
| Win32_UserAccount | user account | Operating System | |
| Win32_Process | System Process | Operating System | |
| Win32_Thread | system thread | operating system | |
| Win32_Share | share | Operating System | |
| Win32_SystemDriver | Driver | Operating System | |
| Win32_LogicalDisk | Logical Disk | Operating System | |
| Win32_ComputerSystem | Computer Information Brief | Operating System | |
| Win32_OperatingSystem | Operating System Information | Operating System | |
| Win32_PrintJob | Printer Job | Hardware | |
| Win32_BIOS | BIOS Chip | Hardware | |
| Win32_DiskDrive | Hard Disk Drive | Hardware | |
| Win32_Keyboard | keyboard | hardware | |
| Win32_Processor | CPU processor | hardware |