Thread: Hooking WMI (.NET Application)
View Single Post
  #1  
Old 08-01-2012, 11:29
Ember Ember is offline
Friend
  
Join Date: Feb 2009
Posts: 84
Rept. Given: 68
Rept. Rcvd 25 Times in 15 Posts
Thanks Given: 36
Thanks Rcvd at 79 Times in 33 Posts
Ember Reputation: 25
This is easy. You can do it very easily by using Microsoft Detours and injecting a DLL into the target process.

Code:
#define WIN32_LEAN_AND_MEAN
#define _WIN32_DCOM
#include <Windows.h>
#include <comdef.h>
#include <WbemIdl.h>
#include "detours.h"

typedef HRESULT (__stdcall *PGET) (DWORD junk, LPCWSTR, LONG, VARIANT*, CIMTYPE*, LONG*);
PGET OrigGet;
BOOL bHooked = FALSE;

HRESULT __stdcall NewGet(DWORD junk, LPCWSTR wszName, LONG lFlags, VARIANT *pVal, CIMTYPE *pvtType, LONG *plFlavor)
	if(!wcscmp(wszName, L"ProcessorId")) //CPUID
	{
		pVal->vt = VT_BSTR;
		V_BSTR(pVal) = L"PUT SPOOFED PROCESSOR ID HERE";
	}
	else return OrigGet(junk, wszName, lFlags, pVal, pvtType, plFlavor);
	return 1;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
	if (dwReason == DLL_PROCESS_ATTACH && !bHooked)
	{
		bHooked = TRUE;
		OrigGet = (PGET)DetourFunction((LPBYTE)DetourFindFunction("fastprox.dll", "?Get@CWbemObject@@UAGJPBGJPAUtagVARIANT@@PAJ2@Z"), (LPBYTE)NewGet);
	}
	return TRUE;
}
Reply With Quote
The Following 2 Users Gave Reputation+1 to Ember For This Useful Post:
aldente (08-02-2012), niculaita (08-01-2012)