Good morning/afternoon everyone,
I am currently working on a small Windows kernel driver that would monitor specific WMI operations. I did some research and found the following combination of APIs in order to register a notification callback: IoWMIOpenBlock and IoWMISetNotificationCallback.
At the moment I am trying to get a simple example working with Win32_Process. I found the GUID for this WMI class with the following PowerShell code:
    PS C:\> (Get-CimClass -ClassName Win32_Process | Select-Object *).CimClassQualifiers

    Name            Value                                    CimType  Flags
    ----            -----                                    -------  -----
    Locale          1033                                     SInt32   EnableOverride, ToSubclass
    UUID            {8502C4DC-5FBB-11D2-AAC1-006008C78BC7}   String   EnableOverride, ToSubclass
    CreateBy        Create                                   String   EnableOverride, Restricted
    DeleteBy        DeleteInstance                           String   EnableOverride, Restricted
    dynamic         True                                     Boolean  EnableOverride, ToSubclass
    provider        CIMWin32                                 String   EnableOverride, ToSubclass
    SupportsCreate  True                                     Boolean  EnableOverride, Restricted
    SupportsDelete  True                                     Boolean  EnableOverride, Restricted
Now in my DriverEntry I am using the following code (some code removed for clarity):
    #include <ntddk.h>

    /// <summary>
    /// UUID = "{8502C4DC-5FBB-11D2-AAC1-006008C78BC7}" --> Win32_Process
    /// </summary>
    static const GUID GUID_WMI_WIN32_PROCESS =
        { 0x8502C4DCL, 0x5FBB, 0x11D2, { 0xAA, 0xC1, 0x00, 0x60, 0x08, 0xC7, 0x8B, 0xC7 } };

    // Open the WMI data block for this GUID with notification access
    PVOID Win32Process = NULL;
    NTSTATUS Status = IoWMIOpenBlock(&GUID_WMI_WIN32_PROCESS,
                                     WMIGUID_NOTIFICATION | SYNCHRONIZE,
                                     &Win32Process);
    if (!NT_SUCCESS(Status) || Win32Process == NULL) {
        // error handling
    }

    // Ask kernel WMI to invoke MyWmiCallback for events raised on this block
    Status = IoWMISetNotificationCallback(Win32Process, MyWmiCallback, NULL);
    if (!NT_SUCCESS(Status)) {
        // error handling
    }
My callback is for the moment just as follows:
    _Use_decl_annotations_
    EXTERN_C VOID MyWmiCallback(
        _In_ PWNODE_EVENT_ITEM Wnode,
        _In_ PVOID Context
    ) {
        UNREFERENCED_PARAMETER(Wnode);
        UNREFERENCED_PARAMETER(Context);
        // Log the process and thread in whose context the notification is delivered
        KdPrint(("Win32Process: PID(%u) TIB(%u)\r\n",
                 HandleToULong(PsGetCurrentProcessId()),
                 HandleToULong(PsGetCurrentThreadId())));
    }
Despite the WMI APIs returning STATUS_SUCCESS and the pointer to the WMI block not being null, the callback is never reached after executing a command line like this one: wmic.exe process call create cmd.exe. Please note that I also tried with the GUID of the CIM_Process class as well.
Finally, my driver is not registered via IoWMIRegistrationControl, so I do not know if this is the reason or something completely unrelated. I am obviously missing something and I was wondering if anyone has ever faced this issue.