WMI

[donkey]

I'm increasingly frustrated with trying to use WMI to extract information about a given process. I thought it would be fairly easy to get it up and running and it wasn't that bad using an example from MSDN. But for some reason any class that I use has the same result IDProcess, VirtualBytes, HandleCount doesn't make any difference always returns 1245064 in dwVirtualBytes. Has anyone successfully used WMI before and if so, where would you suggest I look for an error...

Link to MSDN example

My code:

Code:

TestWMI FRAME
LOCAL hres :D
LOCAL pNameSpace :D
LOCAL pWbemLocator :D
LOCAL bstrNameSpace :D
LOCAL pUnk :D
LOCAL pObj :D
LOCAL pAcc :D
LOCAL variant :D
LOCAL pRefresher :D
LOCAL pConfig :D
LOCAL lVirtualBytesHandle :D
LOCAL dwVirtualBytes :Q

invoke CoInitializeSecurity, 0,-1,0,0,RPC_C_AUTHN_LEVEL_DEFAULT, \
RPC_C_IMP_LEVEL_IMPERSONATE,0,EOAC_NONE,0
mov [hres],eax

invoke CoCreateInstance,offset CLSID_WbemLocator,NULL,CLSCTX_INPROC_SERVER, \
offset IID_IWbemLocator, offset pWbemLocator
test eax,eax
jnz >>.EXIT

// Connect to the desired namespace
invoke SysAllocString,L"\\.\root\cimv2"
mov [bstrNameSpace], eax

CoInvoke(pWbemLocator,IWbemLocator.ConnectServer,[bstrNameSpace],0,0,0,0,0,0,offset pNameSpace)
test eax,eax
jnz >>.FREELOCATOR
CoInvoke(pNameSpace,IWbemServices.IUnknown.QueryInterface,offset IID_IUnknown,offset pUnk)
test eax,eax
jnz >>.FREENAMESPACE

invoke CoSetProxyBlanket,[pNameSpace],RPC_C_AUTHN_WINNT,RPC_C_AUTHZ_NONE,0, \
RPC_C_AUTHN_LEVEL_DEFAULT,RPC_C_IMP_LEVEL_IMPERSONATE,EOAC_NONE
invoke CoSetProxyBlanket,[pUnk],RPC_C_AUTHN_WINNT,RPC_C_AUTHZ_NONE,0, \
RPC_C_AUTHN_LEVEL_DEFAULT,RPC_C_IMP_LEVEL_IMPERSONATE,EOAC_NONE
CoInvoke(pUnk,Unknown.Release)

invoke CoCreateInstance,offset CLSID_WbemRefresher, 0, CLSCTX_INPROC_SERVER, \
offset IID_IWbemRefresher, offset pRefresher
test eax,eax
jnz >>.FREENAMESPACE

CoInvoke(pRefresher,IWbemRefresher.IUnknown.QueryInterface, \
offset IID_IWbemConfigureRefresher, offset pConfig)
test eax,eax
jnz >>.FREEREFRESHER

CoInvoke(pConfig,IWbemConfigureRefresher.AddObjectByPath,[pNameSpace], \
L'Win32_PerfRawData_PerfProc_Process.Name="firefox.exe"',0,0,offset pObj,0)
test eax,eax
jnz >>.FREECONFIG

CoInvoke(pObj,Unknown.QueryInterface,offset IID_IWbemObjectAccess,offset pAcc)
test eax,eax
jnz >>.FREEOBJ

CoInvoke(pAcc,IWbemObjectAccess.GetPropertyHandle, \
L"VirtualBytes",offset variant,offset lVirtualBytesHandle)
test eax,eax
jnz >>.FREEACCESS

mov ebx,10
:
CoInvoke(pRefresher,IWbemRefresher.Refresh,0)
test eax,eax
jnz >>.FREEACCESS
CoInvoke(pAcc,IWbemObjectAccess.ReadDWORD,[lVirtualBytesHandle], offset dwVirtualBytes)
PrintDec([dwVirtualBytes])
test eax,eax
jnz >>.FREEACCESS
invoke Sleep,1000
dec ebx
jns <

.FREEACCESS
CoInvoke(pAcc,Unknown.Release)

.FREEOBJ
CoInvoke(pObj,Unknown.Release)

.FREECONFIG
CoInvoke(pConfig,Unknown.Release)

.FREEREFRESHER
CoInvoke(pRefresher,Unknown.Release)

.FREENAMESPACE
CoInvoke(pNameSpace,Unknown.Release)

.FREELOCATOR
invoke SysFreeString,[bstrNameSpace]
CoInvoke(pWbemLocator,Unknown.Release)
.EXIT
RET
ENDF

[PBrennick]

Nothing about COM is easy, at least for me!

Paul

[GregL]

Donkey,

Regarding WMI

There is this topic at WinAsm Community:
http://win.asmcommunity.net/board/index.php?topic=22674

That led me to this post by Kernel_Gaddafi:
http://www.masmforum.com/simple/index.php?topic=2594.0

I tried the program by Kernel_Gaddafi and it works. I have been trying to come up with ways of simplifying it. WMI can be very handy.
 

 

[donkey]

Thanks Greg,

I will look at the examples a little closer, unfortunately the weekend is now pretty much over with and I have to compress my projects into smaller time windows during the week. I really like the fact that unicode is so easy in GoAsm ie L"Unicode string" as opposed to DW "U","n","i"..., makes the code look much neater.

Kernel_Gaddafi queries the object while I want to open an access interface to it, it makes access the data cleaner IMHO but if SQL is the only way to get it working so be it :)

Edgar

[donkey]

Nothing about COM is easy, at least for me!

Paul

Hi Paul,

The basics of COM are simple, create an instance that returns a pointer to a structure filled with pointers to methods (functions), in practice it is easy to use with the right macros. In reality it is exceedingly complex because of marshalling data between applications, but that is generally handled below the API level though you can marshal your own data if you like (tried it once using the shared heap and failed miserably - many crashes before I gave up even a rare Win2K BSOD)

Edgar

[akane]

Hello, a week ago i've finished a small multithreaded wmi browser alpha - it enumerates all classes, and all methods and properties for selected class.
The code is written in unicode version of nasm (changes attached-added extra string handler if it begins with \L ).

One system class - CIM_Action - is very unconfortable while enumerating - waiting for results up to 20min with high cpu usage.
Displayed classes and methods can be saved to text file
Sorry for bad layout in main source, this was only a small wmi test

[attachment deleted by admin]

[donkey]

Thanks very much akane, I will put it to good use. Your layout is no worse than some of mine, the horrendous state of some of my projects is embarrassing at times :) I plan on allowing much more information to be available through properties on WinExplorer, it's gotten to be a kind of pet project of mine and I want to have it end up being a complete explorer for ASM programmers that will provide a number of useful tools. Among them a hardware list is one of my goals and for that I really need the WMI, I've been thinking about a simple disassembler for imports and exports as well, perhaps using an engine (by Roticv I think) that I once saw kicking around.