WMI in asm

Index > Windows > WMI in asm

Author

Thread

krackwar

Joined: 24 May 2008
Posts: 13
Location: Chile

krackwar 01 Jul 2008, 17:16

Hi! I'm trying to get information from HD, the model, etc... I know that it can get with WMI, but the problem is that i must create an object, and it don't exist in asm(Exist in VB and C++). Anyone know some solution?
Thanks

01 Jul 2008, 17:16

LocoDelAssembly
Your code has a bug

Joined: 06 May 2005
Posts: 4624
Location: Argentina

LocoDelAssembly 01 Jul 2008, 18:10

If it can be done in C++ then surely in fasm too. Do you have a link with an example of what you want?

About the existance* of objects in asm note that altough there is no syntax to create them you can still implement object-like code and in fact any language that supports pointers to functions is able to implement objects very near or even in an exact way that an object oriented language would compile. Also, the struct macro already supports fields inheritance so that problem is already managed.

*Look the DDRAW example

01 Jul 2008, 18:10

krackwar

Joined: 24 May 2008
Posts: 13
Location: Chile

krackwar 01 Jul 2008, 23:03

LocoDelAssembly wrote:

If it can be done in C++ then surely in fasm too. Do you have a link with an example of what you want?

About the existance* of objects in asm note that altough there is no syntax to create them you can still implement object-like code and in fact any language that supports pointers to functions is able to implement objects very near or even in an exact way that an object oriented language would compile. Also, the struct macro already supports fields inheritance so that problem is already managed.

*Look the DDRAW example

Hi, thanks for answering, looK, I have an example in VB of what i want to do, its not difficult to understand, so if you dont understand just tell me and I'll rewrite it in c++. LooK:

Code:

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Program:  Anti-VirtualPC 1.0
' Coder:    MadAntrax
' Web:      foro.elhacker.net
' Date:     30/06/08
'
' Programa que detecta si nuestro malware
' se ejecuta en la máquina virtual: Virtual PC
' permitiendo finalizar el proceso de nuestro
' malware 
'
' Usar la función IsVirtualPCPresent() As Boolean
' Detecta el nombre, modelo y driver del HD para determinar
' si nos encontramos en VirtualPC
'
' Original idea: MadAntrax
' Referencias: http://www.microsoft.com/technet/scriptcenter/scripts/storage/disks/drives/stdvvb19.mspx?mfr=true
'
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''
 
Function IsVirtualPCPresent() As Boolean
    Dim DetectVirtualPC As String
 
    Set WMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    Set HDS = WMI.ExecQuery("Select * from Win32_DiskDrive")
 
    DetectVirtualPC = ""
    For Each objHDS In HDS
        DetectVirtualPC = DetectVirtualPC & objHDS.Caption & objHDS.Model & objHDS.PNPDeviceID
    Next
 
    If InStr(UCase(DetectVirtualPC), "VIRTUAL") <> 0 Then
        IsVirtualPCPresent = True
    Else
        IsVirtualPCPresent = False
    End If
End Function

[/code]

01 Jul 2008, 23:03

LocoDelAssembly
Your code has a bug

Joined: 06 May 2005
Posts: 4624
Location: Argentina

LocoDelAssembly 02 Jul 2008, 03:35

Since seems that you're writting a malware I won't show myself very helpful Smile

Yet, I'll share my findings. After a short debugging of HD Tach (a hard disks benchmark software), I found that it uses something much simpleir to implement in ASM than all that complicated way that VB abstracts.

Code:

004F733D  |. 6A 00          PUSH 0                                   ; /pOverlapped = NULL
004F733F  |. 50             PUSH EAX                                 ; |pBytesReturned
004F7340  |. 8B55 08        MOV EDX,DWORD PTR SS:[EBP+8]             ; |
004F7343  |. 8B4A 0C        MOV ECX,DWORD PTR DS:[EDX+C]             ; |
004F7346  |. 51             PUSH ECX                                 ; |OutBufferSize
004F7347  |. 8D4D E4        LEA ECX,DWORD PTR SS:[EBP-1C]            ; |
004F734A  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]             ; |
004F734D  |. 8B90 28080000  MOV EDX,DWORD PTR DS:[EAX+828]           ; |
004F7353  |. 52             PUSH EDX                                 ; |OutBuffer
004F7354  |. 6A 0C          PUSH 0C                                  ; |InBufferSize = C (12.)
004F7356  |. 51             PUSH ECX                                 ; |InBuffer
004F7357  |. 68 00142D00    PUSH 2D1400                              ; |IoControlCode = 2D1400
004F735C  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]             ; |
004F735F  |. 8B90 1C080000  MOV EDX,DWORD PTR DS:[EAX+81C]           ; |
004F7365  |. 52             PUSH EDX                                 ; |hDevice
004F7366  |. E8 09040100    CALL <JMP.&KERNEL32.DeviceIoControl>     ; \DeviceIoControl

And the supplied buffer after DeviceIoControl return:

Code:

00C20000  28 00 00 00 A8 00 00 00 00 00 00 00 00 00 00 00  (...¨...........
00C20010  4C 00 00 00 75 00 00 00 7E 00 00 00 03 00 00 00  L...u...~......
00C20020  24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  $...............
00C20030  57 44 43 20 57 44 32 30 30 30 4A 53 2D 30 30 4D  WDC WD2000JS-00M
00C20040  48 42 30 20 20 20 20 20 30 32 2E 30 57 44 43 20  HB0     02.0WDC
00C20050  57 44 32 30 30 30 4A 53 2D 30 30 4D 48 42 30 00  WD2000JS-00MHB0.

I think that with this information you should be able to Google much easier now (or just look into the SDK's help and headers).

02 Jul 2008, 03:35

krackwar

Joined: 24 May 2008
Posts: 13
Location: Chile

krackwar 05 Jul 2008, 05:10

thanks for answering.

05 Jul 2008, 05:10

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum