MASM32编程通过WMI获取Windows计划任务

  上回MASM32编程使用了Windows系统提供的API函数:NetScheduleJobEnum()来枚举Windows计划任务(详见 MASM32编程枚举Windows计划任务,http://blog.csdn.net/Purpleendurer/archive/2009/11/05/4774148.aspx),这次通过WMI来实现。

  需要注意的是:不管是通过WMI,还是使用API函数NetScheduleJobEnum(),都只能枚举使用Win32_ScheduledJob类别或At.exe实用程序创建的计划任务;通过“任务计划程序”向导或schtasks.exe创建的任务不会出现在结果中,因此不能把本程序的输出当作系统计划任务的完整清单。

  所以 pe_xscan 在扫描计划任务时使用的是另外一种方法:-D

  完整的代码如下:

(源代码+EXE下载:

1、http://download.csdn.net/source/2260122

2、http://purpleendurer.ys168.com)

;<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
;文件名:WmiScheduleJob.asm(控制台程序)

;功能:通过WMI获取计划任务
;注意:通过WMI只能枚举使用Win32_ScheduledJob类别
;或At.exe实用程序创建的计划任务。
;开发环境:WinXPPROSP3+MASM32v8
;作者:PurpleEndurer,2010-04-19,广西河池
;
;log
;--------------------------------------------------
;2010-04-18完成
;2010-04-09开始编写
;<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

.586                                    ; enable the Pentium instruction set
.MODEL  FLAT, STDCALL                   ; 32-bit flat model, stdcall as the default convention
OPTION  CASEMAP:NONE                    ; identifiers are case-sensitive
INCLUDE/masm32/include/windows.inc
INCLUDE/masm32/include/kernel32.inc
INCLUDELIB/masm32/lib/kernel32.lib
INCLUDE/masm32/include/ole32.inc
INCLUDELIB/masm32/lib/ole32.lib
INCLUDE/masm32/include/user32.inc
INCLUDELIB/masm32/lib/user32.lib
INCLUDE/masm32/include/masm32.inc
INCLUDELIB/masm32/lib/masm32.lib

; Forward declaration so `invoke EnumScheduleJob` can be used before the
; procedure body appears.
EnumScheduleJob                 proto


;ssssssssssssssssssssssss
;.const
;ssssssssssssssssssssssss

; Arguments for CoInitializeEx / CoInitializeSecurity.
COINIT_MULTITHREADED            EQU     00h
EOAC_NONE                       EQU     0

; located in RpcDce.h
RPC_C_AUTHN_LEVEL_DEFAULT       EQU     0
RPC_C_IMP_LEVEL_DEFAULT         EQU     0
RPC_C_IMP_LEVEL_IMPERSONATE     EQU     3

; GUID split into eleven scalar fields (dword, word, word, 8 x byte) so that
; the IID/CLSID constants in .DATA can be written as one <...> initialiser.
GUID2   STRUC
    dd1     dd  ?
    dw1     dw  ?
    dw2     dw  ?
    db1     db  ?
    db2     db  ?
    db3     db  ?
    db4     db  ?
    db5     db  ?
    db6     db  ?
    db7     db  ?
    db8     db  ?
GUID2   ENDS

; One-DWORD slot type used for the global `locator` variable.
IWbemLocator        STRUCT
    lpVtbl              dd  ?
IWbemLocator        ENDS

; Method-slot offsets of the IWbemLocator vtable (IUnknown first, then the
; single interface-specific method). Used only to compute call offsets.
IWbemLocatorVtbl    STRUCT
    QueryInterface      dd  ?
    AddRef              dd  ?
    Release             dd  ?
    ConnectServer       dd  ?
IWbemLocatorVtbl    ENDS

; One-DWORD slot type used for the global `service` variable.
IWbemServices       STRUCT
    lpVtbl                      dd  ?
IWbemServices       ENDS

; Method-slot offsets of the IWbemServices vtable. The order is significant:
; each field's offset is the byte offset of that method pointer in the vtable.
; Only ExecQuery is called in this file.
IWbemServicesVtbl   STRUCT
    ; IUnknown
    QueryInterface              dd  ?
    AddRef                      dd  ?
    Release                     dd  ?
    ; IWbemServices
    OpenNamespace               dd  ?
    CancelAsyncCall             dd  ?
    QueryObjectSink             dd  ?
    GetObject                   dd  ?
    GetObjectAsync              dd  ?
    PutClass                    dd  ?
    PutClassAsync               dd  ?
    DeleteClass                 dd  ?
    DeleteClassAsync            dd  ?
    CreateClassEnum             dd  ?
    CreateClassEnumAsync        dd  ?
    PutInstance                 dd  ?
    PutInstanceAsync            dd  ?
    DeleteInstance              dd  ?
    DeleteInstanceAsync         dd  ?
    CreateInstanceEnum          dd  ?
    CreateInstanceEnumAsync     dd  ?
    ExecQuery                   dd  ?
    ExecQueryAsync              dd  ?
    ExecNotificationQuery       dd  ?
    ExecNotificationQueryAsync  dd  ?
    ExecMethod                  dd  ?
    ExecMethodAsync             dd  ?
IWbemServicesVtbl   ENDS

; One-DWORD slot type used for the global `enumerator` variable.
IEnumWbemClassObject        STRUCT
    lpVtbl                      dd  ?
IEnumWbemClassObject        ENDS

; Method-slot offsets of the IEnumWbemClassObject vtable. Only Next is
; called in this file.
IEnumWbemClassObjectVtbl    STRUCT
    ; IUnknown
    QueryInterface              dd  ?
    AddRef                      dd  ?
    Release                     dd  ?
    ; IEnumWbemClassObject
    Reset                       dd  ?
    Next                        dd  ?
    NextAsync                   dd  ?
    Clone                       dd  ?
    Skip                        dd  ?
IEnumWbemClassObjectVtbl    ENDS

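; One-DWORD slot type used for the global `processor` variable.
IWbemClassObject        STRUCT
    lpVtbl                      DWORD   ?
IWbemClassObject        ENDS

; Method-slot offsets of the IWbemClassObject vtable. The order is
; significant: each field's offset is the byte offset of that method pointer.
; The original listing omitted the Clone slot that sits between
; GetPropertyQualifierSet and GetObjectText in the interface definition, so
; every offset from GetObjectText onward was 4 bytes too low and a call
; through one of those names would have dispatched to the wrong method.
; Get (the only slot this file calls) precedes the gap and is unchanged.
IWbemClassObjectVtbl    STRUCT
    ; IUnknown
    QueryInterface              DWORD   ?
    AddRef                      DWORD   ?
    Release                     DWORD   ?
    ; IWbemClassObject
    GetQualifierSet             DWORD   ?
    Get                         DWORD   ?
    Put                         DWORD   ?
    Delete                      DWORD   ?
    GetNames                    DWORD   ?
    BeginEnumeration            DWORD   ?
    Next                        DWORD   ?
    EndEnumeration              DWORD   ?
    GetPropertyQualifierSet     DWORD   ?
    Clone                       DWORD   ?
    GetObjectText               DWORD   ?
    SpawnDerivedClass           DWORD   ?
    SpawnInstance               DWORD   ?
    CompareTo                   DWORD   ?
    GetPropertyOrigin           DWORD   ?
    InheritsFrom                DWORD   ?
    GetMethod                   DWORD   ?
    PutMethod                   DWORD   ?
    DeleteMethod                DWORD   ?
    BeginMethodEnumeration      DWORD   ?
    NextMethod                  DWORD   ?
    EndMethodEnumeration        DWORD   ?
    GetMethodQualifierSet       DWORD   ?
    GetMethodOrigin             DWORD   ?
IWbemClassObjectVtbl    ENDS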



;ssssssssssssssssssssssss
.DATA
;ssssssssssssssssssssssss
; UTF-16 strings are spelled one character per WORD.
g_wszNameSpace                  dw      "r","o","o","t","/","c","i","m","v","2",0   ; passed to ConnectServer
g_wszQueryLanguage              dw      "W","Q","L",0                               ; passed to ExecQuery

; Flag for IWbemLocator::ConnectServer.
WBEM_FLAG_CONNECT_USE_MAX_WAIT  EQU     80h
; Flags for IWbemServices::ExecQuery (OR-ed together in wmiExecQuery).
WBEM_FLAG_FORWARD_ONLY          EQU     20h
WBEM_FLAG_RETURN_IMMEDIATELY    EQU     10h
; Timeout value handed to IEnumWbemClassObject::Next.
WBEM_INFINITE                   EQU     -1
; WMI error codes (defined here, not referenced by the code in this file).
WBEM_E_INVALID_QUERY            EQU     80041017h
WBEM_E_INVALID_QUERY_TYPE       EQU     80041018h

; {DC12A687-737F-11CF-884D-00AA004B2E24}
IID_IWbemLocator                GUID2   <0DC12A687h, 737Fh, 11CFh, 88h, 4Dh, 00h, 0AAh, 00h, 4Bh, 2Eh, 24h>

; {027947E1-D731-11CE-A357-000000000001}
IID_IEnumWbemClassObject        GUID2   <027947E1h, 0D731h, 11CEh, 0A3h, 57h, 00h, 00h, 00h, 00h, 00h, 01h>

; {DC12A681-737F-11CF-884D-00AA004B2E24}
IID_IWbemClassObject            GUID2   <0DC12A681h, 737Fh, 11CFh, 88h, 4Dh, 00h, 0AAh, 00h, 4Bh, 2Eh, 24h>

; located in WbemProv.h

; {CB8555CC-9128-11D1-AD9B-00C04FD8FDFF}
CLSID_WbemAdministrativeLocator GUID2   <0CB8555CCh, 9128h, 11D1h, 0ADh, 9Bh, 00h, 0C0h, 4Fh, 0D8h, 0FDh, 0FFh>

; Global interface-pointer slots. Each is one DWORD that the COM call named
; in the comment fills in; the procedures below load the pointer from here.
locator         IWbemLocator            <>      ; written by CoCreateInstance
service         IWbemServices           <>      ; written by ConnectServer
enumerator      IEnumWbemClassObject    <>      ; written by ExecQuery
processor       IWbemClassObject        <>      ; written by Next (current row)

retCount        DWORD   ?                       ; puReturned for Next

; 16 bytes handed to IWbemClassObject::Get as its output value; the DWORD at
; offset 8 is what writeWmiStr prints.
var_val         DWORD   4 dup (?)

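; Banner printed once at start-up (two CRLF-terminated lines, one NUL).
g_szAppInfo     db      "通过WMI获取计划任务信息",0dh,0ah
                db      "作者:PurpleEndurer,2010-04-19,广西河池",0dh,0ah,0

; WQL query text. g_wszSelectWin32_ScheduledJob deliberately has NO
; terminator: it runs straight into g_wszWin32_ScheduledJob, so the two
; labels together spell "SELECT * FROM Win32_ScheduledJob",0. Do not insert
; anything between them.
; The listing as published had empty literals ("") where the blanks belong,
; which yields "SELECT*FROMWin32_ScheduledJob" and is not a valid query; the
; single-space literals are restored here.
g_wszSelectWin32_ScheduledJob   WORD    "S","E","L","E","C","T"," ","*"," ","F","R","O","M"," "
g_wszWin32_ScheduledJob         WORD    "W","i","n","3","2","_","S","c","h","e","d","u","l","e","d","J","o","b",0

; For every property: an ANSI label for the console and the UTF-16 property
; name handed to IWbemClassObject::Get.
g_szJobID       db      0dh,0ah,"JobID:",0
g_wszJobID      word    "J","o","b","I","D",0

g_szCommand     db      "Command:",0
g_wszCommand    word    "C","o","m","m","a","n","d",0

g_szJobStatus   db      "JobStatus:",0          ; e.g. Success
g_wszJobStatus  word    "J","o","b","S","t","a","t","u","s",0

g_szStartTime   db      "StartTime:",0          ; e.g. ********215000.000000+480
; The eight leading asterisks are a WMIC trait: the time is displayed as
; YYYYMMDDHHMMSS.MMMMMM+timezone, but the year/month/day do not need to be
; specified here, so asterisks stand in for them.
g_wszStartTime  word    "S","t","a","r","t","T","i","m","e",0

; wsprintf formats. g_szPerSCr has no terminator of its own and relies on
; g_szCrLf following it directly, giving "%S",CR,LF,0. Keep the two adjacent.
g_szPerSCr      db      "%S"
g_szCrLf        db      0dh,0ah,0
g_szPerXCr      db      "%x",0dh,0ah,0
g_szFail        db      "Fail",0dh,0ah,0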

;ssssssssssssssssssssssss
.CODE
;ssssssssssssssssssssssss
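; Program entry point.
; Initialises COM and COM security, creates the WMI locator, prints the
; banner, lists the jobs, then releases the locator and shuts COM down.
; Every HRESULT is checked: the original ignored them, so a failed
; CoCreateInstance left `locator` NULL and the first WMI call dereferenced it.
start:

        invoke  CoInitializeEx, NULL, COINIT_MULTITHREADED
        test    eax, eax
        js      @startExit                      ; FAILED(hr): COM was never initialised

        ; Process-wide COM security: default authentication level, and the
        ; server may impersonate this client's identity.
        invoke  CoInitializeSecurity, NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, \
                RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL
        test    eax, eax
        js      @startFail

        invoke  CoCreateInstance, ADDR CLSID_WbemAdministrativeLocator, NULL, \
                CLSCTX_INPROC_SERVER, ADDR IID_IWbemLocator, ADDR locator
        test    eax, eax
        js      @startFail

        invoke  StdOut, ADDR g_szAppInfo

        invoke  EnumScheduleJob

        ; Drop the reference CoCreateInstance handed out.
        mov     edx, locator                    ; edx = IWbemLocator* ("this")
        mov     eax, [edx]                      ; eax = vtable
        push    edx
        call    DWORD PTR [eax][IWbemLocatorVtbl.Release]
        mov     DWORD PTR [locator], 0
        jmp     @startUninit

@startFail:
        invoke  StdOut, ADDR g_szFail

@startUninit:
        invoke  CoUninitialize                  ; pairs with the successful CoInitializeEx

@startExit:
        invoke  ExitProcess, 0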


;======================================================
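wmiConnectServer proc
;======================================================
; Calls IWbemLocator::ConnectServer on the global `locator` for the namespace
; in g_wszNameSpace; the IWbemServices pointer is written to `service`.
; User, password, locale and authority are all NULL.
; Out:   eax = HRESULT of ConnectServer, or E_POINTER if `locator` is NULL
; Clobb: eax, ecx, edx, flags
; The original loaded the vtable with `mov esi / lodsd`, which destroyed ESI
; (callee-saved under stdcall; this proc has no USES clause) and advanced it
; according to the direction flag. EDX is used instead.
; NOTE(review): strNetworkResource is a BSTR parameter, but g_wszNameSpace is
; a plain NUL-terminated WORD array with no length prefix - confirm this is
; acceptable for the in-process locator, or allocate a real BSTR.
        mov     edx, locator                    ; edx = IWbemLocator* ("this")
        test    edx, edx
        jz      @wmiConnectServerNoObj          ; CoCreateInstance never filled it in
        mov     eax, [edx]                      ; eax = vtable

        ; stdcall: arguments are pushed right to left
        push    OFFSET service                  ; ppNamespace
        push    NULL                            ; pCtx
        push    NULL                            ; strAuthority
        push    WBEM_FLAG_CONNECT_USE_MAX_WAIT  ; lSecurityFlags
        push    NULL                            ; strLocale
        push    NULL                            ; strPassword
        push    NULL                            ; strUser
        push    OFFSET g_wszNameSpace           ; strNetworkResource
        push    edx                             ; this
        call    DWORD PTR [eax][IWbemLocatorVtbl.ConnectServer]

        ret

@wmiConnectServerNoObj:
        mov     eax, 80004003h                  ; E_POINTER
        ret
wmiConnectServer endp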


;======================================================
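wmiExecQuery proc lpwszSQL:LPWSTR
;======================================================
; Calls IWbemServices::ExecQuery on the global `service`; the enumerator
; pointer is written to `enumerator`.
; In:    lpwszSQL = UTF-16 query text; the language is g_wszQueryLanguage
; Out:   eax = HRESULT of ExecQuery, or E_POINTER if `service` is NULL
; Clobb: eax, ecx, edx, flags
; The original loaded the vtable with `mov esi / lodsd`, which destroyed ESI
; (callee-saved under stdcall; no USES clause). EDX is used instead.
; NOTE(review): lpwszSQL is passed through unchanged; the only caller in this
; file supplies a constant. A caller that builds the text from outside input
; would have to validate it first.
        mov     edx, service                    ; edx = IWbemServices* ("this")
        test    edx, edx
        jz      @wmiExecQueryNoObj              ; ConnectServer never filled it in
        mov     eax, [edx]                      ; eax = vtable

        ; stdcall: arguments are pushed right to left
        push    OFFSET enumerator               ; ppEnum
        push    NULL                            ; pCtx
        push    WBEM_FLAG_FORWARD_ONLY or WBEM_FLAG_RETURN_IMMEDIATELY   ; lFlags
        push    lpwszSQL                        ; strQuery
        push    OFFSET g_wszQueryLanguage       ; strQueryLanguage
        push    edx                             ; this
        call    DWORD PTR [eax][IWbemServicesVtbl.ExecQuery]

        ret

@wmiExecQueryNoObj:
        mov     eax, 80004003h                  ; E_POINTER
        ret
wmiExecQuery endp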


;======================================================
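wmiNext proc
;======================================================
; Calls IEnumWbemClassObject::Next on the global `enumerator`, asking for one
; object with an infinite timeout. The object pointer is written to
; `processor` and the number returned to `retCount`.
; Out:   eax = HRESULT of Next, or E_POINTER if `enumerator` is NULL
; Clobb: eax, ecx, edx, flags
; The original loaded the vtable with `mov esi / lodsd`, which destroyed ESI
; (callee-saved under stdcall; no USES clause). EDX is used instead.
; The caller owns the object left in `processor` and has to Release it.
        mov     edx, enumerator                 ; edx = IEnumWbemClassObject* ("this")
        test    edx, edx
        jz      @wmiNextNoObj                   ; ExecQuery never filled it in
        mov     eax, [edx]                      ; eax = vtable

        ; stdcall: arguments are pushed right to left
        push    OFFSET retCount                 ; puReturned
        push    OFFSET processor                ; apObjects (array of one)
        push    TRUE                            ; uCount = 1
        push    WBEM_INFINITE                   ; lTimeout
        push    edx                             ; this
        call    DWORD PTR [eax][IEnumWbemClassObjectVtbl.Next]

        ret

@wmiNextNoObj:
        mov     eax, 80004003h                  ; E_POINTER
        ret
wmiNext endp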


;======================================================
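wmiGet proc lpwszItem:LPWSTR
;======================================================
; Calls IWbemClassObject::Get on the global `processor` (the current row) and
; stores the property value in the global `var_val`.
; In:    lpwszItem = UTF-16 property name
; Out:   eax = HRESULT of Get, or E_POINTER if `processor` is NULL
; Clobb: eax, ecx, edx, flags
; The original loaded the vtable with `mov esi / lodsd`, which destroyed ESI
; (callee-saved under stdcall; no USES clause). EDX is used instead.
        mov     edx, processor                  ; edx = IWbemClassObject* ("this")
        test    edx, edx
        jz      @wmiGetNoObj                    ; no current row
        mov     eax, [edx]                      ; eax = vtable

        ; stdcall: arguments are pushed right to left
        push    NULL                            ; plFlavor (not wanted)
        push    NULL                            ; pType    (not wanted)
        push    OFFSET var_val                  ; pVal
        push    0                               ; lFlags
        push    lpwszItem                       ; wszName
        push    edx                             ; this
        call    DWORD PTR [eax][IWbemClassObjectVtbl.Get]

        ret

@wmiGetNoObj:
        mov     eax, 80004003h                  ; E_POINTER
        ret
wmiGet endp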


;======================================================
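writeWmiStr proc lpszItem:LPSTR, lpwszItem:LPWSTR, lpszFmt:LPSTR
;======================================================
; Prints a label, reads one property of the current row with wmiGet, and
; prints its value formatted by lpszFmt (or "Fail" when Get returns non-zero).
; In:    lpszItem  = ANSI label written to the console first
;        lpwszItem = UTF-16 property name
;        lpszFmt   = wsprintf format taking one argument, the DWORD at
;                    var_val+8 (callers in this file pass "%x" or "%S")
; Out:   none that callers use
;
; wsprintf does not take a destination size; it stops only at its own
; documented limit of 1024 bytes. The property text (for example a job's
; Command) is not under this program's control, so the original 256-byte
; stack buffer could be overrun by any value longer than that. The buffer is
; sized to the wsprintf limit instead.
        LOCAL   szbuf[1024]:byte

        invoke  StdOut, lpszItem
        invoke  wmiGet, lpwszItem
        .if eax == 0
            ; NOTE(review): the type tag at var_val+0 is not examined, so a
            ; property of another type (or one with no value) is still pushed
            ; through lpszFmt - confirm which types these properties can take.
            ; NOTE(review): the value in var_val is never cleared after use,
            ; so string values appear to be leaked on every call; clearing it
            ; needs VariantClear, whose library this file does not link.
            invoke  wsprintf, ADDR szbuf, lpszFmt, [var_val+8]
            invoke  StdOut, ADDR szbuf
        .else
            invoke  StdOut, ADDR g_szFail
        .endif

        ret
writeWmiStr endp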


;======================================================
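EnumScheduleJob proc
;======================================================
; Connects to WMI, runs the Win32_ScheduledJob query and prints JobID,
; Command, JobStatus and StartTime for every row until wmiNext returns a
; non-zero status.
; Out:   eax = the status that ended the run (as in the original)
; Clobb: eax, ecx, edx, flags
;
; The original never released anything: one row object was leaked per
; iteration, and the enumerator and service pointers were leaked on exit.
; Each is now released on the path where it is known to have been obtained.
        LOCAL   hrLast:DWORD                    ; status to hand back after the cleanup calls

        invoke  wmiConnectServer
        mov     hrLast, eax
        test    eax, eax
        jnz     @EnumScheduleJobRet             ; no service pointer to release

        invoke  wmiExecQuery, OFFSET g_wszSelectWin32_ScheduledJob
        mov     hrLast, eax
        test    eax, eax
        jnz     @EnumScheduleJobRelSvc          ; no enumerator to release

@EnumScheduleJobNext1:

        invoke  wmiNext
        mov     hrLast, eax
        test    eax, eax
        jnz     @EnumScheduleJobRelEnum         ; any non-zero status ends the loop

        ; The author's retCount check is left disabled; the loop already stops
        ; on every non-zero status from wmiNext.
        ;.if retCount==0
        ;    jmp @EnumScheduleJobRet
        ;.endif

        invoke  writeWmiStr, ADDR g_szJobID, ADDR g_wszJobID, ADDR g_szPerXCr
        invoke  writeWmiStr, ADDR g_szCommand, ADDR g_wszCommand, ADDR g_szPerSCr
        invoke  writeWmiStr, ADDR g_szJobStatus, ADDR g_wszJobStatus, ADDR g_szPerSCr
        invoke  writeWmiStr, ADDR g_szStartTime, ADDR g_wszStartTime, ADDR g_szPerSCr

        ; Done with this row: release it before Next overwrites the slot.
        mov     edx, processor
        test    edx, edx
        jz      @EnumScheduleJobNext1
        mov     eax, [edx]                      ; eax = vtable
        push    edx                             ; this
        call    DWORD PTR [eax][IWbemClassObjectVtbl.Release]
        mov     DWORD PTR [processor], 0        ; do not keep a stale pointer
        jmp     @EnumScheduleJobNext1

@EnumScheduleJobRelEnum:
        mov     edx, enumerator
        test    edx, edx
        jz      @EnumScheduleJobRelSvc
        mov     eax, [edx]
        push    edx
        call    DWORD PTR [eax][IEnumWbemClassObjectVtbl.Release]
        mov     DWORD PTR [enumerator], 0

@EnumScheduleJobRelSvc:
        mov     edx, service
        test    edx, edx
        jz      @EnumScheduleJobRet
        mov     eax, [edx]
        push    edx
        call    DWORD PTR [eax][IWbemServicesVtbl.Release]
        mov     DWORD PTR [service], 0

@EnumScheduleJobRet:
        mov     eax, hrLast
        ret
EnumScheduleJob endp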


END     start                           ; end of module; `start` is the entry point
