CN117978428A - Method, device, processor and storage medium for analyzing WMI client process - Google Patents

Method, device, processor and storage medium for analyzing WMI client process Download PDF

Info

Publication number
CN117978428A
CN117978428A CN202311659800.XA CN202311659800A CN117978428A CN 117978428 A CN117978428 A CN 117978428A CN 202311659800 A CN202311659800 A CN 202311659800A CN 117978428 A CN117978428 A CN 117978428A
Authority
CN
China
Prior art keywords
context
wmi
client
request
interface
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311659800.XA
Other languages
Chinese (zh)
Inventor
周国华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd filed Critical Beijing Topsec Technology Co Ltd
Priority to CN202311659800.XA priority Critical patent/CN117978428A/en
Publication of CN117978428A publication Critical patent/CN117978428A/en
Pending legal-status Critical Current

Links

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The application provides a method, a device, a processor and a storage medium for analyzing a WMI client process, and belongs to the technical field of network security. The method comprises the following steps: when a WMI framework service process is started, loading a context sealing and transmitting module; before the WMI request is dispatched to the thread pool, extracting the context of the client through a context sealing module, and adding the context of the client into a WMI context parameter of the WMI request; loading a context unpacking module when a WMI provider process is started; and extracting the client context in the WMI context parameters through a context unpacking module, and setting the client context into the current thread context. The method and the system can determine the main body of the resource access triggered by the WMI request as the client side initiating the WMI request, so that the access control and the audit are more accurate, and the malicious code is prevented from bypassing the security detection and the traceability interruption.

Description

Method, device, processor and storage medium for analyzing WMI client process
Technical Field
The application relates to the technical field of network security, in particular to a method, a device, a processor and a storage medium for analyzing a WMI client process.
Background
WMI (Windows Management Instrumentation) is a management and monitoring framework in the microsoft Windows operating system that implements the management functions of the various hardware and software components of the computer system based on the provider/consumer model. WMI allows administrators to query and control various system resources and services on a computer through programming or command line tools.
WMI is an important tool for Windows system management and provides a powerful way for administrators and developers to manage and monitor various resources and services on Windows computers. It is widely used in tasks of automated system management, monitoring performance, and collecting system information. For management object classes under a WMI namespace, WMI supports structured queries (WQL), class instance object enumeration, class method invocation, and registration event notification. However, since WMI adopts DCOM as a communication mechanism, this will cause the above-mentioned actions of querying, enumerating, executing the method, etc. to be performed by the provider, it is difficult to trace back which consumer (client) initiated call. That is, the existing WMI framework has a problem that information of a main process (i.e., a consumer, i.e., a client process) is lost when WMI requests are transferred between processes from a consumer to the WMI framework and then to a WMI provider, etc. The information loss caused by the broken chain can be utilized by malicious software to avoid behavior detection and attack backtracking of the security software. For example, malicious code performs WMI query to gather system information in various ways, circumventing security detection. For another example, malicious code performs WMI methods in various ways, bypassing the security system to destroy the computer operating system.
Disclosure of Invention
In order to solve the above technical problems, an object of an embodiment of the present application is to provide a method, an apparatus, a processor, and a storage medium for resolving WMI client processes.
To achieve the above object, a first aspect of an embodiment of the present application provides a method for parsing a WMI client process, the method including:
when a WMI framework service process is started, loading a context sealing and transmitting module;
Before the WMI request is dispatched to the thread pool, extracting the context of the client through a context sealing module, and adding the context of the client into a WMI context parameter of the WMI request;
loading a context unpacking module when a WMI provider process is started;
And extracting the client context in the WMI context parameters through a context unpacking module, and setting the client context into the current thread context.
In the embodiment of the application, the context of the client is extracted by the context encapsulation module and added into the WMI context parameters of the WMI request, comprising: when a WMI framework service process loads a WMI core dynamic library, positioning a virtual function table of an IWBemServices interface of a WMI naming space class; an interface method for hooking the WMI context parameters in the virtual function table; and acquiring the client context by calling an interface method, and setting the client context into the WMI context parameter.
In the embodiment of the application, the client context is acquired by calling an interface method, and the client context is set in the WMI context parameter, which comprises the following steps: extracting the context of the client through an RPC request corresponding to the WMI request; the client context is set in the WMI context parameters of the WMI request.
In the embodiment of the application, extracting the context of the client through the RPC request corresponding to the WMI request comprises the following steps: when the RPC request passes through the RPC transmission layer, analyzing the protocol type of the transmission layer according to the RPC message data of the RPC request; and analyzing the client context of the RPC request according to the protocol type.
In the embodiment of the application, the client context for analyzing the RPC request according to the protocol type comprises the following steps: extracting a process identifier and a thread identifier of the client from the RPC message data under the condition that the protocol type is a local call protocol so as to combine and form a client context; under the condition that the protocol type is a named pipe protocol, extracting feature data of RPC call, and inquiring an RPC tracing module according to the feature data to acquire a client context; in the case where the protocol type is other network protocol, information of the remote host is extracted from the RPC message data to constitute the client context.
In the embodiment of the present application, setting the client context in the WMI context of the WMI request includes: judging whether the interface method provides a context interface pointer or not; in the case where the interface method provides a context interface pointer, a set value method of the context interface is called, and the client context is set to a named value.
In an embodiment of the present application, the method further includes: under the condition that the interface method does not provide a context interface pointer, creating a context instance object and acquiring the interface pointer of the newly-built context instance; the method for calling the setting value of the context instance interface sets the client context to a named value.
In the embodiment of the application, extracting the client context in the WMI context parameter by the context unpacking module and setting the client context to the current thread context comprises the following steps: when the provider process starts, positioning the virtual function table of the IWBemServices interface for intercepting the request; an interface method for hooking the WMI context parameters in the virtual function table; and extracting the client context in the WMI context by calling an interface method, and setting the client context into the current thread context.
A second aspect of the present application provides a processor configured to perform the above-described method for resolving WMI client processes.
A third aspect of the present application provides an apparatus for resolving WMI client processes, the apparatus comprising: the context sealing and sending module loading unit is used for loading the context sealing and sending module when the WMI framework service process is started; the context sealing and sending module running unit extracts the context of the client through the context sealing and sending module before the WMI request is dispatched to the thread pool, and adds the context of the client into the WMI context parameters of the WMI request; the context unpacking module loading unit loads the context unpacking module when the WMI provider process is started; and the context unpacking module running unit is used for extracting the client context in the WMI context parameters through the context unpacking module and setting the client context into the current thread context.
A fourth aspect of the present application provides a machine-readable storage medium having stored thereon a program or instructions which, when executed by a processor, implement the above-described method for resolving WMI client processes.
According to the technical scheme, the context sealing and sending module is loaded when the WMI framework service process is started, the context sealing and sending module is used for extracting the context of the client before the WMI request is dispatched to the thread pool, the context of the client is added into the WMI context parameters of the WMI request, and the context unsealing module is loaded when the WMI provider process is started, the context of the client in the WMI context parameters is extracted through the context unsealing module, and the context of the client is set to the current thread context. The method and the system can determine the main body of the resource access triggered by the WMI request as the client side initiating the WMI request, so that the access control and the audit are more accurate, and the malicious code is prevented from bypassing the security detection and the traceability interruption.
Additional features and advantages of embodiments of the application will be set forth in the detailed description which follows.
Drawings
The accompanying drawings are included to provide a further understanding of embodiments of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain, without limitation, the embodiments of the application. In the drawings:
fig. 1 is a flow chart of a method for resolving WMI client processes according to an embodiment of the present application;
FIG. 2 is a flow chart of client context injection and deblocking according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a method for resolving WMI client processes according to an embodiment of the present application;
fig. 4 is a block diagram of an apparatus for resolving WMI client processes according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it should be understood that the detailed description described herein is merely for illustrating and explaining the embodiments of the present application, and is not intended to limit the embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
It should be noted that, if directional indications (such as up, down, left, right, front, and rear … …) are included in the embodiments of the present application, the directional indications are merely used to explain the relative positional relationship, movement conditions, etc. between the components in a specific posture (as shown in the drawings), and if the specific posture is changed, the directional indications are correspondingly changed.
In addition, if there is a description of "first", "second", etc. in the embodiments of the present application, the description of "first", "second", etc. is for descriptive purposes only and is not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In addition, the technical solutions of the embodiments may be combined with each other, but it is necessary to base that the technical solutions can be realized by those skilled in the art, and when the technical solutions are contradictory or cannot be realized, the combination of the technical solutions should be considered to be absent and not within the scope of protection claimed in the present application.
Fig. 1 is a flowchart of a method for resolving WMI client processes according to an embodiment of the present application. As shown in fig. 1, an embodiment of the present application provides a method for parsing WMI client processes, and the method is applied to a processor for illustration, and the method may include the following steps.
Step S101, loading a context sealing and transmitting module when a WMI framework service process is started;
step S102, before the WMI request is dispatched to a thread pool, extracting a client context through a context sealing module, and adding the client context into a WMI context parameter of the WMI request;
step S103, loading a context unpacking module when a WMI provider process is started;
step S104, extracting the client context in the WMI context parameters through a context unpacking module, and setting the client context to the current thread context.
In the existing WMI method call flow, WMI requests span multiple processes from the client to the final provider, i.e., WMI requests are not directly sent from the client to the server through the RPC, with a WMI service forwarding in between. The WMI service does not directly forward WMI requests to the provider, but encapsulates WMI requests into a structure, schedules them to a thread pool, and forwards the requests to the provider by threads in the thread pool. In this process, the thread of the intermediate link changes, so that the provider cannot trace back to the corresponding consumer after receiving the WMI request. That is, in the process of transferring WMI requests from a consumer to WMI service to a provider, etc., the main process information of WMI requests is lost. In contrast, the embodiment of the application transmits the main process information in the WMI method calling process by introducing the context sealing and sending module and the context unsealing module, thereby solving the problem of main process information loss.
Specifically, when the WMI framework service process starts, the processor may additionally load a context encapsulation module for the WMI framework service process. The context encapsulation module may extract a client context corresponding to the WMI request and set the client context to WMI context parameters of the WMI request before the WMI request is dispatched to the thread pool within the WMI service framework. The client context may include, among other things, a process identification and a thread identification of the client that initiated the WMI request. In one example, when the host process svchost.exe loads wbemcore.dll, the process manager in the kernel layer may determine that the process is a WMI frame service process, and additionally load a context encapsulation module for the WMI frame service process.
It will be appreciated that, when the WMI request is scheduled to the thread pool, the context parameters of the WMI request already include the client context, and at this time, the thread in the thread pool forwards the WMI request to the provider. In order to acquire the main process information, when the WMI provider process is started, a context unpacking module may be additionally injected into the WMI provider process. The context decapsulation module may extract the client context from the WMI context parameters before the provider performs the WMI request, thereby ensuring that the subject process information is dispatched from the WMI request portal (i.e., WMI framework service) to the request executor (i.e., WMI provider). In one example, to make access control and audit more accurate, after the client context is extracted from the WMI context parameters by the context unpacking module, the context unpacking module may also set the client context into the current thread context for the client process to be the main body of access during access control, instead of using the current WMI provider process as the main body of access in the conventional method, so as to improve the accuracy of access control and audit.
According to the technical scheme, the context sealing and sending module is loaded when the WMI framework service process is started, the context sealing and sending module is used for extracting the context of the client before the WMI request is dispatched to the thread pool, the context of the client is added into the WMI context parameters of the WMI request, and the context unsealing module is loaded when the WMI provider process is started, the context of the client in the WMI context parameters is extracted through the context unsealing module, and the context of the client is set to the current thread context. The method and the system can determine the main body of the resource access triggered by the WMI request as the client side initiating the WMI request, so that the access control and the audit are more accurate, and the malicious code is prevented from bypassing the security detection and the traceability interruption.
In the embodiment of the present application, extracting the client context by the context encapsulation module and adding the client context to the WMI context parameter of the WMI request may include: when a WMI framework service process loads a WMI core dynamic library, positioning a virtual function table of an IWBemServices interface of a WMI naming space class; an interface method for hooking the WMI context parameters in the virtual function table; and acquiring the client context by calling an interface method, and setting the client context into the WMI context parameter.
In particular, WMI defines a standardized set of interfaces and namespaces for accessing system information. These interfaces allow developers to write scripts, applications, or management tools to query system states, perform configuration changes, and monitor performance. WMI namespaces classes, i.e., namespaces and classes, WMI organizes system information into a set of namespaces and classes, namespaces typically represent different functional areas, and classes represent types of objects or resources. For example, the Win32_Process class represents a running Process, and the Win32_ LogicalDisk class represents a logical disk.
It can be understood that the WMI core dynamic library, wmbemcore.dll, first locates the virtual function table of the IWbemServices interface of the WMI namespace class when the WMI framework service process loads the WMI core dynamic library. Because the embodiment of the application mainly transmits the main process information through the WMI context parameters, an interface method for hooking the WMI context parameters in the virtual function table is needed. In one example, there are tens of methods in the IWbemServices interface, including a plurality of interface methods including WMI context parameters, and a common feature of interface methods including WMI context parameters is that they all have one specific parameter (i.e., IWbemContext pointers). Further, by calling an interface method containing the WMI context parameters, the client context corresponding to the WMI request is obtained, and the client context is set into the parameters of the WMI context. In one example, the client context may be obtained through a distributed component object model (Distributed Component Object Model, DCOM) call, which is based on remote procedure call (Remote Procedure Call, RPC) technology, as WMI requests are sent through the RPC request.
Therefore, the client context of the client initiating the WMI request is extracted and set in the WMI context parameter, so that the transfer of the main process information is realized, the main process information is prevented from being lost, and the safety of the system is further improved.
It should be noted that, the method for resolving WMI client processes provided by the embodiment of the present application is general, and is not related to specific WMI naming space or class.
In the embodiment of the present application, the method for acquiring the client context by calling the interface method and setting the client context into the WMI context parameter may include: extracting the context of the client through an RPC request corresponding to the WMI request; the client context is set in the WMI context parameters of the WMI request.
It is understood that WMI employs DCOM (Distributed Component Object Model ) as the underlying communication mechanism. The DCOM call is realized based on RPC (remote procedure call) technology, and in the process, the WMI request is encapsulated into the DCOM call, and the DCOM call is further encapsulated into the RPC request. Thus, the client context may be extracted by the RPC request further encapsulated by the WMI request. In one example, the corresponding client context may be parsed from RPC message data of the RPC request. Further, in order to transfer the client process information to the WMI provider, the extracted client context may be set to the context of the WMI request to enable transfer of the subject process information from the WMI framework service process to the WMI provider process.
In the embodiment of the application, extracting the context of the client through the RPC request corresponding to the WMI request comprises the following steps: when the RPC request passes through the RPC transmission layer, analyzing the protocol type of the transmission layer according to the RPC message data of the RPC request; and analyzing the client context of the RPC request according to the protocol type.
Specifically, when the RPC request passes through the RPC transport layer, the protocol type of the transport protocol of the transport layer can be resolved according to the RPC message data of the RPC request, and the client context of the RPC request can be further resolved according to the resolved protocol type. In one example, the protocol types of the parsed transport protocols of the transport layer may include a native procedure call protocol, a named pipe protocol, and other network protocols, such as "ncacn _ip_tcp" and "ncacn _ ipx", among others.
In an embodiment of the present application, the client context for parsing the RPC request according to the protocol type may include: extracting a process identifier and a thread identifier of the client from the RPC message data under the condition that the protocol type is a local call protocol so as to combine and form a client context; under the condition that the protocol type is a named pipe protocol, extracting feature data of RPC call, and inquiring an RPC tracing module according to the feature data to acquire a client context; in the case where the protocol type is other network protocol, information of the remote host is extracted from the RPC message data to constitute the client context.
Specifically, according to the RPC message data, the protocol type of the transport layer protocol is resolved, and according to the protocol type, the client context is further resolved, specifically:
If the transport layer protocol is a local procedure call protocol, such as "ncalrpc", the process identification and thread identification of the client are directly extracted from a specific location in the RPC message data, and combined to form the client context.
If the transport layer protocol is a named pipe protocol, such as ncacn _np, extracting feature data of the RPC call, and inquiring a kernel layer RPC tracing module according to the feature data to acquire a client context of the pipe client.
If the transmission protocol is other network protocols, such as 'ncacn _ip_tcp' and 'ncacn _ ipx', the information of the remote host can be extracted from the message data according to the requirement, so as to form the client context.
In this way, the client context of the RPC request is determined in different manners according to different transport layer protocols, so that the accuracy of the subsequent determination of the main body of the access action can be ensured.
In the embodiment of the present application, setting the client context in the WMI context of the WMI request may include: judging whether the interface method provides a context interface pointer or not; in the case where the interface method provides a context interface pointer, a set value method of the context interface is called, and the client context is set to a named value.
In particular, when setting the client context into the WMI context parameters, a specific parameter in the interface method, i.e. IWbemContext pointer, is needed, but in the client initiated WMI request this parameter may be set to NULL. Therefore, in order to smoothly set the client context into the WMI context parameter, when the interface method is called, it is necessary to first determine whether the interface method has increased the context interface pointer. In one example, if the particular parameter setting is not null, it is stated that the interface method provides a context interface pointer. In another example, if the particular parameter is set to null, it is indicated that the interface method does not provide a context interface pointer.
It will be appreciated that where the interface method provides a context interface pointer, the interface method may be invoked directly to set the client context into the WMI context parameters. Specifically, the set value method of the context interface is invoked to set the client context to a named value, thereby completing the setting of the client context into the WMI context parameter.
In the embodiment of the application, when the current process is about to end, namely after the WMI framework service process calls the original IWBem services interface method, the deleting value method of the context interface can be called to delete the named client context value, thereby effectively preventing the waste of the memory.
In an embodiment of the present application, the method may further include: under the condition that the interface method does not provide a context interface pointer, creating a context instance object and acquiring the interface pointer of the newly-built context instance; the method for calling the setting value of the context instance interface sets the client context to a named value.
It will be appreciated that in the case where the interface method does not provide a context interface pointer, then a temporary one needs to be built to enable setting of the client context into the WMI context parameters. Specifically, a context instance object is created first, and an interface pointer of the newly created context instance is obtained. And then calling a setting value method of the newly built context instance interface to set the client context to a named value, thereby completing setting the client context into the WMI context parameter.
In the embodiment of the application, when the current process is about to end, the interface pointer of the newly built context instance can be used as a parameter to call the original IWBEmServices interface method and release the newly built context instance, thereby effectively preventing the waste of the memory.
In the embodiment of the present application, extracting the client context in the WMI context parameter by the context decapsulation module and setting the client context to the current thread context may include: when the provider process starts, positioning the virtual function table of the IWBemServices interface for intercepting the request; an interface method for hooking the WMI context parameters in the virtual function table; and extracting the client context in the WMI context by calling an interface method, and setting the client context into the current thread context.
It will be appreciated that upon start-up of a provider process wmibrvse.exe process, the process manager module of the kernel layer may additionally load a context unpacking module for the provider process to extract the client context in the WMI context parameters and set the client context into the current thread context, providing a basis for subsequent access control.
Specifically, when the provider process starts, firstly, the virtual function table of the IWBem services interface for intercepting the request is positioned, and the interface method comprising WMI context parameters in the virtual function table is hooked. In one example, there are tens of methods in the IWbemServices interface, including a plurality of interface methods including WMI context parameters, and a common feature of interface methods including WMI context parameters is that they all have one specific parameter (i.e., IWbemContext pointers). Further, the interface method is called, the client context is extracted from the WMI context parameter through a specific name, the original thread context is saved, and then the extracted client context is set to the current thread context. Where the specific name refers to the name that the client context adopts when setting the client context into the WMI context parameter, the thread context is a specific field in the Windows thread structure. Therefore, the loss of the client process information of the WMI request can be avoided, the access control or audit of the client context process can be utilized, and the accuracy of the access control and audit can be improved.
In the embodiment of the application, under the condition that the provider process calls the original IWBemmServices interface method, the current context can be restored to the original state based on the thread context stored in advance.
Thus, through the processing, the process information and the thread information of the client (consumer) initiating the WMI request can be transferred to the WMI provider through the WMI framework service, and then the WMI provider is set into the thread context of the client, and when access occurs, the responding filtering module can extract the original client process and thread information from the thread context, so that access control is accurately realized.
In a specific embodiment, access control typically occurs at the kernel layer, e.g. at client process c.exe attempts a delete file via WMI request, which is finally done by WMI executor process wmiprvse.exe. In the conventional method, the file system access control uses wmiprvse.exe as a main body, so that the security is low. In a specific embodiment of the present application, in the process of WMI request forwarding, a client context is formed by the process and thread information of the client process (c.exe), and the WMI request is forwarded to the WMI executor together, at this time, the current thread context already includes the client context. Therefore, in the file system filter, the client context may be extracted from the current thread context, and the client process may be used as the main body of access, instead of using the current WMI provider process as the main body in the conventional method, that is, the main body is c.exe instead of wmiprvse.exe. Obviously, the client process information is adopted as the main body of the access action, so that the access control accuracy is improved.
Fig. 2 is a flow chart of client context injection and deblocking according to an embodiment of the present application. As shown in fig. 2, according to the method for resolving WMI client processes provided by the embodiment of the present application, in the WMI method call flow, client context injection and decapsulation are implemented in WMI framework service and WMI provider processes, respectively.
As shown in fig. 2, in the process of implementing client context injection and decapsulation, the WMI framework service process may include the following steps:
s10, starting a WMI framework service process;
s11, a method for hooking an IWBem services interface is adopted;
S12, calling an interface method;
S13, extracting the called client context;
S14, constructing context parameters;
s15, calling an original interface method;
s16, releasing the context parameters;
S17, ending.
As shown in fig. 2, in implementing client context injection and decapsulation, the WMI provider process may include the steps of:
S10, starting a WMI provider process;
s11, hooking an IWBem services interface by an asynchronous method;
S12, calling an interface method;
s13, extracting context parameters;
s14, setting the client context to the current thread;
s15, calling an original interface method;
S16, restoring the thread context;
S17, ending.
Through the above technical solution, the original client (i.e., consumer) context is transferred when the WMI request is forwarded from the WMI framework service to the WMI provider; when the WMI provider process executes the request, the client context is extracted and set to the thread context. Therefore, the problem that when WMI requests are transmitted from a consumer to a WMI framework to a WMI provider and other processes, RPC context is lost due to thread pool scheduling, so that information of a consumer main process is lost can be solved.
Fig. 3 is a schematic diagram of a method for resolving WMI client processes according to an embodiment of the present application. As shown in fig. 3, in an embodiment of the present application, a method for parsing WMI client processes according to the present application is applied to a terminal detection and response product of a platform. The kernel layer of the platform is provided with a process manager which is used for realizing the starting detection and injection of the WMI framework service process and the WMI provider process. It can be understood that the client context is synthesized by two parts of the process identifier and the thread identifier, and because the process identifier and the thread identifier in the Windows system are integer multiples of 4, the synthesis algorithm is to shift the process identifier and the thread identifier to the right by 2 bits respectively and then place the process identifier and the thread identifier to the upper 16 bits and the lower 16 bits of the 32-bit integer.
It can be appreciated that in the practical application process, the WMI framework service process is as follows:
When the host process svchost.exe loads wbemcore.dll, a process manager in the kernel layer of the platform can judge that the process is a WMI framework service process and additionally load a context sealing module for the process. After the context sealing and sending module is loaded, the positioning of the IWBEMServices interface of the WMI name space class and the hooking of the interface method are realized through the following procedures:
1. export function DllGetClassObject for hook wbemcore.dll.
2. In the hook function of DllGetClassObject, when a class factory object of CWbemLevel1Login is created for the first time (CLSID is {4FA18276-912A-11D1-AD9B-00C04FD8FDFF }), its CreateInstanceWbemLevel1Login method is hooked according to the returned IWbemLevel1Login interface pointer.
3. In the hook function of CreateInstanceWbemLevel Login, when the interface pointer of IWbemLevel Login is acquired for the first time, the function pointer of the NTLMLogin method is hooked.
4. In the hook function of NTLMLogin, the IWBEMServices interface pointer returned successfully for the first time, i.e. the interface to be injected, hooks all the methods with IWb emContext x pCtx according to the IWBEMServices interface declaration.
Further, the specific method executed in the hooking function of the IWbemServices interface method of the WMI request portal is as follows:
1. a client context is extracted from the RPC handle, the client context including a process identification and a thread identification of the client.
2. It is determined whether the above interface method provides a context interface pointer.
If the interface method provides a context interface (IWbemContext) pointer, a set value method of the context interface is called to set the client context to a named value. The original IWbemServices interface method is called. And calling a deleting value method of the context interface, and deleting the named client context value.
If the interface method does not provide the context interface pointer, creating a context instance object, and acquiring the interface pointer of the newly-built context instance; calling a setting value method of a newly built context instance interface, and setting the client context as a named value; calling an original IWBemServices interface method by taking an interface pointer of the newly built context instance as a parameter; releasing the newly created context instance.
It will be appreciated that in the practical application process, the WMI provider process is as follows:
the process manager module of the platform kernel layer additionally loads a context unpacking module for the provider host process when the provider host process wmibrvse. After the context unpacking module is loaded, the IWBEMServices interface method for receiving the request by the provider is positioned and hooked through the following flow:
1. the CoRegisterClassObject of Windows API is hooked.
2. In the hook function of the CoRegisterClassObject, the CreateInstance method of its class factory is hooked according to the incoming interface pointer when registering the provider host class for the first time.
3. In the aforementioned hook function of CreateInstance, the GetObject method is hooked when the provider host class instance object is created for the first time.
4. In the aforementioned GetObject hooking function, the first time a WMI provider host class factory object is successfully acquired, its GetProvider method is hooked.
5. In the hook function of GetProvider described above, the first time a provider object instance is successfully acquired, the methods of its IWbemServices interface are hooked.
Further, the context Jie Fengzi flow is entered, and the context decapsulation sub-flow is as follows:
1. the client context is extracted from the WMI context parameters of the method with a specific name.
2. The original thread context is saved, which is a specific field in the Windows thread structure.
3. The client context is set to the thread context.
4. The original IWbemServices interface method is called. It will be appreciated that access control to the product may be triggered in the process whereby WMI client context may be extracted from the thread context as a subject for access control or auditing in the filtering engine of the product.
5. The thread context is restored.
6. And (5) finishing the processing.
Through the technical scheme, when the WMI framework service process is started, a context sealing and sending module is loaded, client context is extracted at the entrance of the WMI request, and WMI context parameters in the request are added; then, when the WMI provider process starts, a context unpacking module is loaded, and before the WMI request is executed, the client context is extracted from the WMI context parameters, thereby ensuring that the client information is dispatched from the request portal (WMI framework service) to the request executor (WMI provider). In addition, when the provider performs WMI request, the client context is set to the thread context for extraction as a subject at the time of access control. In this way, the main body of the resource access triggered by the WMI request can be determined as the client for initiating the WMI request, instead of determining the WMI provider process as the client for initiating the WMI request by adopting the traditional method, the access control and audit can be more accurate, and bypassing and tracing interruption can be prevented.
The embodiment of the application also provides a processor configured to execute the method for analyzing the WMI client process in the embodiment.
Fig. 4 is a block diagram of an apparatus for resolving WMI client processes according to an embodiment of the present application. As shown in fig. 4, an embodiment of the present application provides an apparatus 400 for parsing a WMI client process, which may include:
The context encapsulation module loading unit 410 is configured to load the context encapsulation module when the WMI framework service process is started;
The context encapsulation module running unit 420 extracts the client context through the context encapsulation module and adds the client context into the WMI context parameters of the WMI request before the WMI request is dispatched to the thread pool;
the context unpacking module loading unit 430 loads the context unpacking module when the WMI provider process is started;
the context decapsulation module operation unit 440 extracts the client context in the WMI context parameter through the context decapsulation module and sets the client context to the current thread context.
The above-mentioned device 400 for parsing WMI client processes is configured to load a context encapsulation module when a WMI framework service process is started, extract a client context through the context encapsulation module before a WMI request is dispatched to a thread pool, and add the client context to WMI context parameters of the WMI request, load a context decapsulation module when a WMI provider process is started, extract the client context in the WMI context parameters through the context decapsulation module, and set the client context to a current thread context. According to the technical scheme, the main body of the resource access triggered by the WMI request can be determined as the client side initiating the WMI request, so that access control and audit are more accurate, and malicious codes are prevented from bypassing the security detection and tracing interruption.
In one embodiment, the context encapsulation module execution unit 420 is further configured to: when a WMI framework service process loads a WMI core dynamic library, positioning a virtual function table of an IWBemServices interface of a WMI naming space class; an interface method for hooking the WMI context parameters in the virtual function table; and acquiring the client context by calling an interface method, and setting the client context into the WMI context parameter.
In one embodiment, the context encapsulation module execution unit 420 is further configured to: extracting the context of the client through an RPC request corresponding to the WMI request; the client context is set in the WMI context parameters of the WMI request.
In one embodiment, the context encapsulation module execution unit 420 is further configured to: when the RPC request passes through the RPC transmission layer, analyzing the protocol type of the transmission layer according to the RPC message data of the RPC request; and analyzing the client context of the RPC request according to the protocol type.
In one embodiment, the context encapsulation module execution unit 420 is further configured to: extracting a process identifier and a thread identifier of the client from the RPC message data under the condition that the protocol type is a local call protocol so as to combine and form a client context; under the condition that the protocol type is a named pipe protocol, extracting feature data of RPC call, and inquiring an RPC tracing module according to the feature data to acquire a client context; in the case where the protocol type is other network protocol, information of the remote host is extracted from the RPC message data to constitute the client context.
In one embodiment, the context encapsulation module execution unit 420 is further configured to: judging whether the interface method provides a context interface pointer or not; in the case where the interface method provides a context interface pointer, a set value method of the context interface is called, and the client context is set to a named value.
In one embodiment, the context encapsulation module execution unit 420 is further configured to: under the condition that the interface method does not provide a context interface pointer, creating a context instance object and acquiring the interface pointer of the newly-built context instance; the method for calling the setting value of the context instance interface sets the client context to a named value.
In one embodiment, the context encapsulation module execution unit 440 is further configured to: when the provider process starts, positioning the virtual function table of the IWBemServices interface for intercepting the request; an interface method for hooking the WMI context parameters in the virtual function table; and extracting the client context in the WMI context by calling an interface method, and setting the client context into the current thread context.
The embodiment of the application also provides a machine-readable storage medium, on which a program or an instruction is stored, which is characterized in that the program or the instruction, when executed by a processor, implements the method for parsing a WMI client process in the above embodiment.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random Access Memory (RAM) and/or nonvolatile memory, etc., such as Read Only Memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.
Computer readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises an element.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.

Claims (11)

1. A method for resolving WMI client processes, the method comprising:
When a Windows management specification WMI framework service process is started, loading a context sealing and transmitting module;
Before a WMI request is dispatched to a thread pool, extracting a client context through the context encapsulation module, and adding the client context into a WMI context parameter of the WMI request;
loading a context unpacking module when a WMI provider process is started;
And extracting a client context in the WMI context parameter through the context unpacking module, and setting the client context into the current thread context.
2. The method of claim 1, wherein extracting, by the context encapsulation module, a client context and adding the client context to WMI context parameters of the WMI request comprises:
when the WMI framework service process loads a core dynamic library of WMI, positioning a virtual function table of an IWBeServices interface of a WMI naming space class;
hooking an interface method containing WMI context parameters in the virtual function table;
And acquiring the client context by calling the interface method, and setting the client context into the WMI context parameter.
3. The method according to claim 2, wherein the obtaining the client context by calling the interface method and setting the client context into the WMI context parameter comprises:
Extracting the client context through an RPC request corresponding to the WMI request;
And setting the client context in the WMI context parameter of the WMI request.
4. The method of claim 3, wherein the extracting the client context via the RPC request corresponding to the WMI request comprises:
When the RPC request passes through an RPC transmission layer, analyzing the protocol type of the transmission layer according to the RPC message data of the RPC request;
and analyzing the client context of the RPC request according to the protocol type.
5. The method of claim 4, wherein said parsing the client context of the RPC request according to the protocol type comprises:
extracting a process identifier and a thread identifier of a client from the RPC message data under the condition that the protocol type is a local call protocol so as to combine and form the client context;
Extracting the characteristic data of the RPC call under the condition that the protocol type is a named pipe protocol, and inquiring the RPC tracing module according to the characteristic data to acquire the context of the client;
and extracting information of a remote host from the RPC message data to form the client context under the condition that the protocol type is other network protocols.
6. A method according to claim 3, wherein said setting the client context in the WMI context of the WMI request comprises:
Judging whether the interface method provides a context interface pointer or not;
And calling a setting value method of the context interface to set the client context to a named value under the condition that the interface method provides a context interface pointer.
7. The method of claim 6, wherein the method further comprises:
under the condition that the interface method does not provide the context interface pointer, creating a context instance object and acquiring the interface pointer of the newly-built context instance;
and calling a setting value method of the context instance interface, and setting the client context to a named value.
8. The method of claim 1, wherein the extracting, by the context decapsulation module, the client context in the WMI context parameter and setting the client context into a current thread context comprises:
when the provider process starts, positioning a virtual function table of an IWBemServices interface for intercepting a request;
Hooking an interface method of the virtual function table containing the WMI context parameters;
and extracting the client context in the WMI context by calling the interface method, and setting the client context into the current thread context.
9. A processor configured to perform a method for resolving WMI client processes according to any of claims 1 to 8.
10. An apparatus for resolving WMI client processes, said apparatus comprising:
the context sealing and sending module loading unit is used for loading the context sealing and sending module when the WMI framework service process is started;
The context sealing and sending module operation unit is used for extracting the context of the client through the context sealing and sending module before the WMI request is dispatched to the thread pool, and adding the context of the client into the WMI context parameters of the WMI request;
the context unpacking module loading unit loads the context unpacking module when the WMI provider process is started;
And the context unpacking module running unit extracts the client context in the WMI context parameter through the context unpacking module and sets the client context into the current thread context.
11. A machine-readable storage medium having stored thereon a program or instructions, which when executed by a processor, implement a method for resolving WMI client processes according to any of claims 1 to 8.
CN202311659800.XA 2023-12-05 2023-12-05 Method, device, processor and storage medium for analyzing WMI client process Pending CN117978428A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311659800.XA CN117978428A (en) 2023-12-05 2023-12-05 Method, device, processor and storage medium for analyzing WMI client process

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311659800.XA CN117978428A (en) 2023-12-05 2023-12-05 Method, device, processor and storage medium for analyzing WMI client process

Publications (1)

Publication Number Publication Date
CN117978428A true CN117978428A (en) 2024-05-03

Family

ID=90856933

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311659800.XA Pending CN117978428A (en) 2023-12-05 2023-12-05 Method, device, processor and storage medium for analyzing WMI client process

Country Status (1)

Country Link
CN (1) CN117978428A (en)

Similar Documents

Publication Publication Date Title
CN112491604B (en) Remote management implementation method, device and system of Internet of things equipment
WO2019024674A1 (en) Smart contract processing method and apparatus
US8001429B2 (en) Method and system for automated handling of errors in execution of system management flows consisting of system management tasks
EP3203406A1 (en) Sensitive information security protection method and device
CN110489310B (en) Method and device for recording user operation, storage medium and computer equipment
CN108399120B (en) Asynchronous message monitoring method and device
CN107908488B (en) Message request interface interaction method and device, computer equipment and storage medium
US11381638B1 (en) System and method for parallel execution of activites in an integration flow
CN114579194B (en) Exception handling method and system based on Spring remote call
CN113050984A (en) Resource calling method and device, electronic equipment and storage medium
CN111831365A (en) Interface route forwarding method, system, computer equipment and readable storage medium
CN113448655B (en) C standard dynamic library calling method and device
EP2097848A2 (en) Method, system and computer program for monitoring components in a service framework
US20060149817A1 (en) Using collaborative annotations to specify real-time process flows and system constraints
CN117978428A (en) Method, device, processor and storage medium for analyzing WMI client process
CN112130900B (en) User information management method, system, equipment and medium for BMC
CN112039749B (en) Node js-based Internet of things equipment management method, system and storage medium
US9672083B2 (en) Operating a program code object in conjunction with an application context
CN112738181A (en) Method, device and server for cluster external IP access
CN113032100A (en) Exception handling method, device, equipment and storage medium
CN112765246B (en) Task processing method, device, electronic equipment and storage medium
US11882007B2 (en) Service data management method and apparatus for SBB, device and storage medium
CN114553930B (en) System integration method, device, computer equipment and storage medium
CN113448742B (en) Interface data acquisition method and device
CN110879747B (en) Resource management method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination