WMI/CIM

WMI: windows management instrumentation.

https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx

CIM: common information model.

https://msdn.microsoft.com/en-us/library/aa389234(v=vs.85).aspx

DCOM: distributed COM.

wmi通过DCOM远程连接,但是DCOM不能绕过防火墙。

命名空间:

1
2
3
root\cimv2
root\microsoftdns
root\securitycenter

WMI工具: 1. windows自带wmi测试工具wbemtest. 2. WMI Explorer用于查找wmi和cim的Class和Properties.

http://www.ks-soft.net/hostmon.eng/wmi/index.htm#SysReq

windows怎样设置wmi:

135 (Microsoft RPC), 137-139 (NetBIOS) and 445 (Microsoft DS). These are TCP ports.

设置的用户需要是管理员组。

https://technet.microsoft.com/en-us/library/cc771551(v=ws.11).aspx

给wmi设置fix port(server in DMZ):

使用过程中不需要指定端口。

https://msdn.microsoft.com/zh-cn/library/bb219447(v=vs.85).aspx

wmic

wmic是wmi的客户端命令。

windows的wmic:

1
2
3
4
5
>wmic # 进入wmi的交互模式
>wmic -? # 查看帮助
>wmic /? # 查看帮助
>wmic ... # 非交互模式运行命令
>wmic process call create shutdown.exe # 本地关机

linux的wmic:

Linux需要自己创建wmic命令,可以通过samba获取,也可以安装openvas的安装包。

1
2
$man wmic
$wmic -U [domain/]adminuser%password //host "select * from Win32_ComputerSystem"

https://mikepalmer.net/debianubuntu-wmi-client-package-with-openvas-libwmiclient1-patches/

WMI的Class

https://msdn.microsoft.com/zh-cn/library/aa394554(v=vs.85).aspx

  1. wmi system class

    https://msdn.microsoft.com/zh-cn/library/aa394583(v=vs.85).aspx

    1
    2
    
    __Win32Provider
    ...
  2. MSFT class

    policy provider classes

    1
    2
    3
    
    MSFT_Providers
    MSFT_Rule
    MSFT_SomFilter

    WMI Troubleshooting classes

    1
    2
    
    MSFT_WmiProvider_Counters
    MSTF_WmiSelfEvent
  3. CIM class

    https://msdn.microsoft.com/zh-cn/library/aa386179(v=vs.85).aspx

    1
    2
    
    CIM_Action
    ...
  4. Standard Consumer class

    1
    2
    3
    4
    5
    6
    
    ActiveScriptEventConsumer
    CommandLineEventConsumer
    LogFileEventConsumer
    NTEventLogEventConsumer
    ScriptingStandardConsumerSetting
    SMTPEventConsumer

WMI的Provider

https://msdn.microsoft.com/zh-cn/library/aa394570(v=vs.85).aspx

  1. Win32 Provider

    Computer System Hardware Classes

    https://msdn.microsoft.com/zh-cn/library/aa389273(v=vs.85).aspx

    1
    2
    
    Win32_Fan
    ...

    Operating System Classes

    https://msdn.microsoft.com/zh-cn/library/dn792258(v=vs.85).aspx

    1
    2
    
    Win32_ClassicCOMApplicationClasses
    ...

    Performance Counter Classes

    https://msdn.microsoft.com/zh-cn/library/aa392738(v=vs.85).aspx

    1
    2
    3
    
    Win32_Perf
    Win32_PerfFormattedData
    Win32_PerfRawData

    WMI Service Management Classes

    https://msdn.microsoft.com/zh-cn/library/dn792273(v=vs.85).aspx

    1
    2
    3
    
    Win32_MethodParameterClass
    Win32_WMISetting
    Wim32_WMIElementSetting

wql

https://msdn.microsoft.com/zh-cn/library/aa394606(v=vs.85).aspx

wql关键字:

1
2
SELECT, FROM, WHERE, AND, OR, NOT, NULL, IS, TRUE, FALSE, WITHIN, LIKE, HAVING
REFERENCES OF, KEYSONLY, ISA, ASSOCIATORS OF, __CLASS, GROUP Clause

常用WQL:

1
2
3
4
5
6
7
8
9
select * from meta_class where __class like '%win32%' # 查询wmi的类
select * from meta_class where __class like '%cim%' # 查询cim的类

select * from cim_datafile where drive="c:" and path="\\path\\" and filename like "%%" and extension like '%%'
select * from cim_directory where drive="c:" and path="\\path\\"
select * from cim_logicaldisk
select * from win32_operationsystem
select * from win32_service
select * from win32_process