
[Delphi文章] 利用wmi监视程序的启动与退出 






当然,如果 WMI 依赖的服务被禁用,这种方法就失效了。另外要注意,查询里的 WITHIN 1 表示 WMI 每秒轮询一次 Win32_Process,在一个轮询周期内启动并退出的短命进程会被漏掉,所以这只是"准实时"监控;要真正做到实时,还是要进 ring0 下底层钩子。

unit Unit1;

interface

uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls, ActiveX, WbemScripting_TLB, ExtCtrls;

type
TForm1 = class(TForm)
    Panel1: TPanel;
    Panel2: TPanel;
    Button1: TButton;   // "start monitoring" – runs the WMI event loop in Button1Click
    Button2: TButton;   // "stop monitoring" – releases the WMI objects in Button2Click
    Memo1: TMemo;       // one line per process start / exit event
    procedure Button1Click(Sender: TObject);
    procedure Button2Click(Sender: TObject);
    procedure FormShow(Sender: TObject);
    procedure FormCloseQuery(Sender: TObject; var CanClose: Boolean);
private
    { Private declarations }
    { WMI objects: created in Button1Click, released in Button2Click. }
    Locator        : SWbemLocator;       // CoSWbemLocator instance
    Service        : SWbemServices;      // connection to root\CIMV2 on the local machine ('.')
    wmiDateTime    : SWbemDateTime;      // converts CIM DATETIME strings (CreationDate) to a VarDate
    wmiProcesses   : ISWbemEventSource;  // event source returned by ExecNotificationQuery
    // Set by FormCloseQuery; polled by the monitoring loop in Button1Click,
    // which runs inside the click handler and pumps messages itself.
    FlagClose      : Boolean;

public
    { Public declarations }
end;


var
Form1: TForm1;

implementation

{$R *.dfm}

procedure TForm1.FormShow(Sender: TObject);
{ The stop button is meaningless until monitoring has been started, so it is
  disabled when the form first appears; Button1Click enables it again. }
var
    stopButton: TButton;
begin
    stopButton := Button2;
    stopButton.Enabled := False;
end;

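procedure TForm1.Button1Click(Sender: TObject);
{ Starts the process monitor.

  Connects to the local WMI namespace root\CIMV2, subscribes to the intrinsic
  instance events for Win32_Process, and then runs a message-pumping loop
  inside this handler that appends one line per process start / exit to
  Memo1.  The loop ends when FlagClose is set (FormCloseQuery) or when
  wmiProcesses has been released (Button2Click).

  Caveats a reviewer should know:
  - "WITHIN 1" makes WMI poll Win32_Process once per second, so a process
    that starts and exits inside one polling interval can be missed; this is
    not a real-time monitor.
  - NextEvent(10) raises when no event arrives within 10 ms.  That exception
    is swallowed on purpose so the loop keeps pumping messages; any other
    failure inside the loop body is swallowed with it.
  - User/password are empty, so the connection runs under the caller's own
    token; the events seen are limited to what that account may read.
  - Button1 is disabled while the loop runs; a second click would otherwise
    start a nested loop through Application.ProcessMessages. }
var
    strServer      : WideString;
    strNameSpace   : WideString;
    strUser        : WideString;
    strPassword    : WideString;
    strLocale      : WideString;
    strAuthority   : WideString;
    iSecurityFlags : Integer;
    strQuery       : WideString;
    wmiClass       : WideString;
    iFlags         : Integer;
    wmiEvent       : OleVariant;
    target         : OleVariant;
    eventClass     : String;
    strText        : String;
begin
    strServer      := '.';            // local machine
    strNameSpace   := 'root\CIMV2';
    strUser        := '';             // empty: use the current token
    strPassword    := '';
    strLocale      := '';
    strAuthority   := '';
    iSecurityFlags := 0;

    try
      Locator := CoSWbemLocator.Create;
      Service := Locator.ConnectServer(strServer,strNameSpace,strUser,strPassword,
                                       strLocale,strAuthority,iSecurityFlags,nil);
      wmiDateTime := CoSWbemDateTime.Create;
      wmiClass := QuotedStr('Win32_Process');
      // Intrinsic event query: creation, deletion AND modification events for
      // every Win32_Process instance, polled once per second (WITHIN 1).
      strQuery := 'SELECT * FROM __InstanceOperationEvent WITHIN 1 '+
                  'WHERE TargetInstance ISA '+wmiClass;
      iFlags   := wbemFlagForwardOnly or wbemFlagReturnImmediately;
      // Start the subscription; NextEvent below pulls events from it.
      wmiProcesses := Service.ExecNotificationQuery(strQuery,'WQL',iFlags,nil);

      Button1.Enabled := False;
      Button2.Enabled := True;
      FlagClose       := False;
      Memo1.Lines.Clear;
      Panel1.Caption  := '';

      while True do begin
        // Button2Click releases the event source; leave cleanly instead of
        // relying on the exception NextEvent would raise on a nil interface.
        if wmiProcesses = nil then Break;
        try
          wmiEvent   := wmiProcesses.NextEvent(10);
          eventClass := VarToStr(wmiEvent.Path_.class);
          // Modification events (property changes on a running process) also
          // arrive through this query and are ignored here.
          if (eventClass = '__InstanceCreationEvent') or
             (eventClass = '__InstanceDeletionEvent') then begin
            target := wmiEvent.TargetInstance;
            // VarToStr: these properties may be Null, which a plain String
            // assignment would raise on (and the raise would be swallowed).
            // PID / parent PID are what a security log actually needs to
            // correlate process trees.
            strText := VarToStr(target.Caption) +
                       ' PID=' + VarToStr(target.ProcessId) +
                       ' PPID=' + VarToStr(target.ParentProcessId);
            // CreationDate is the process start time in both branches;
            // Win32_Process carries no exit time, so the "exit" line shows
            // when the exiting process had been started.
            wmiDateTime.Value := target.CreationDate;
            strText := strText + ' ' + DateTimeToStr(wmiDateTime.GetVarDate(True));
            if eventClass = '__InstanceCreationEvent' then
              Memo1.Lines.Add(strText + '  启动')
            else
              Memo1.Lines.Add(strText + '  退出');
          end;
        except
          // NextEvent times out (and raises) every 10 ms while idle; swallow
          // it and keep the UI responsive.
        end;

        if FlagClose then Break;
        Application.ProcessMessages;
      end;
    except on ex: Exception do
      ShowMessage(ex.Message);
    end;
    Button1.Enabled := True;
    Button2.Enabled := False;
end;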


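procedure TForm1.Button2Click(Sender: TObject);
{ Stops the monitor.

  Sets FlagClose first so the loop in Button1Click exits on its next pass,
  then releases the WMI interfaces.  Without the flag the loop would only
  keep failing on the released (nil) event source – with the failure being
  swallowed – while Button1, re-enabled below, could start a second, nested
  loop.  The button state is also restored here so the UI is consistent
  even before the loop has observed the flag. }
begin
    FlagClose      := True;
    wmiProcesses   := nil;
    wmiDateTime    := nil;
    Service        := nil;
    Locator        := nil;
    Button1.Enabled := True;
    Button2.Enabled := False;
end;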

procedure TForm1.FormCloseQuery(Sender: TObject; var CanClose: Boolean);
{ Asks the monitoring loop in Button1Click to stop.  CanClose is not modified
  here, so closing is not vetoed; this handler can run while the loop is
  active because the loop calls Application.ProcessMessages, and the loop
  breaks out once it sees FlagClose on its next pass. }
begin
    FlagClose := True;
end;

end.

