c++ - Using WMI to monitor process creation event -
I am using WMI to monitor process creation events.
According to another post (How to detect win32 process creation/termination in c++),
I followed it to register a callback function, but it doesn't work.
Nothing happens when I run the program and then open iexplore.
Please help me, thank you.
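#define _WIN32_DCOM
#include <iostream>
#include <stdexcept>
#include <comdef.h>
#include <Wbemidl.h>
#include <atlcomcli.h>

#pragma comment(lib, "wbemuuid.lib")
#include "creationevent.h"

namespace {

// Prints `what` followed by the HRESULT in hex and aborts registration when
// `hr` is a failure code. std::runtime_error derives from std::exception, so
// callers that catch std::exception still see the failure.
void throw_on_failure(HRESULT hr, const char* what) {
    if (FAILED(hr)) {
        std::cout << what << std::hex << hr << std::endl;
        throw std::runtime_error("creationevent initialization failed");
    }
}

}  // namespace

// COM event sink handed to WMI. WMI calls Indicate() when the notification
// query registered in creationevent::registercreationcallback() matches; the
// sink then runs the user callback once and cancels the subscription.
class eventsink : public IWbemObjectSink {
    // registercreationcallback() fills in psvc and pstubsink directly.
    friend void creationevent::registercreationcallback(creationevent::tnotificationfunc callback);

    CComPtr<IWbemServices> psvc;         // WMI namespace connection the query runs on
    CComPtr<IWbemObjectSink> pstubsink;  // stub for this sink that is passed to WMI
    LONG m_iref;                         // COM reference count, starts at 0
    creationevent::tnotificationfunc m_callback;

public:
    explicit eventsink(creationevent::tnotificationfunc callback) : m_iref(0), m_callback(callback) {}
    ~eventsink() {}

    virtual ULONG STDMETHODCALLTYPE AddRef() {
        return InterlockedIncrement(&m_iref);
    }

    // Destroys the sink when the last reference is dropped.
    virtual ULONG STDMETHODCALLTYPE Release() {
        const LONG remaining = InterlockedDecrement(&m_iref);
        if (remaining == 0)
            delete this;
        return remaining;
    }

    // Supports IUnknown and IWbemObjectSink only. On failure *ppv is set to
    // NULL so a caller never reads an uninitialised interface pointer.
    virtual HRESULT STDMETHODCALLTYPE QueryInterface(REFIID riid, void** ppv) {
        if (ppv == NULL)
            return E_POINTER;
        if (riid == IID_IUnknown || riid == IID_IWbemObjectSink) {
            *ppv = static_cast<IWbemObjectSink*>(this);
            AddRef();
            return WBEM_S_NO_ERROR;
        }
        *ppv = NULL;
        return E_NOINTERFACE;
    }

    // Called by WMI when events are delivered. The event objects themselves
    // are not inspected: the callback fires once per delivery, whatever
    // lObjectCount is.
    virtual HRESULT STDMETHODCALLTYPE Indicate(
        LONG lObjectCount,
        IWbemClassObject __RPC_FAR *__RPC_FAR *apObjArray
    ) {
        HRESULT result = WBEM_S_NO_ERROR;
        try {
            // An empty boost::function throws when invoked; skip it instead.
            if (!m_callback.empty())
                m_callback();
        } catch (...) {
            // A C++ exception must not propagate into the COM caller.
            result = WBEM_E_FAILED;
        }
        /* unregister event sink: only the first matching event is reported */
        // NOTE(review): cancelling from inside Indicate() is what the original
        // listing does; confirm against the CancelAsyncCall documentation
        // whether it should be deferred to another thread.
        psvc->CancelAsyncCall(pstubsink);
        return result;
    }

    // Status notifications (requested with WBEM_FLAG_SEND_STATUS) are ignored.
    virtual HRESULT STDMETHODCALLTYPE SetStatus(LONG lFlags, HRESULT hResult, BSTR strParam, IWbemClassObject __RPC_FAR *pObjParam) {
        return WBEM_S_NO_ERROR;
    }
};

// Subscribes to creation events for processes named iexplore.exe and invokes
// `callback` when one is delivered. Throws (an exception derived from
// std::exception) if any COM or WMI setup step fails.
//
// Caveats for anyone using this as a process-creation monitor:
//  - "WITHIN 1" makes WMI poll roughly once per second, so a process that
//    starts and exits between polls can be missed. Win32_ProcessStartTrace or
//    process-creation audit events do not depend on polling.
//  - The filter matches the image name only; a renamed executable does not
//    match. Check Win32_Process.ExecutablePath as well if identity matters.
//  - IUnsecuredApartment creates a stub that accepts callbacks without an
//    access check. IWbemUnsecuredApartment::CreateSinkStub with
//    WBEM_FLAG_UNSECAPP_CHECK_ACCESS is the variant that validates the caller.
//  - CoInitialize is never balanced by CoUninitialize and CoInitializeSecurity
//    is not called, so the process-wide COM security defaults apply.
void creationevent::registercreationcallback(creationevent::tnotificationfunc callback) {
    CComPtr<IWbemLocator> ploc;
    // NOTE(review): this is the call that the answer further down this page
    // replaces with CoInitializeEx(0, COINIT_MULTITHREADED). It is kept as
    // posted so the question still shows the reported behaviour.
    CoInitialize(NULL);
    HRESULT hres = CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, IID_IWbemLocator,
                                    reinterpret_cast<LPVOID*>(&ploc));
    throw_on_failure(hres, "failed create iwbemlocator object. err code = 0x");

    CComPtr<eventsink> psink(new eventsink(callback));

    hres = ploc->ConnectServer(_bstr_t(L"ROOT\\CIMV2"), NULL, NULL, 0, NULL, 0, 0, &psink->psvc);
    throw_on_failure(hres, "could not connect. error code = 0x");

    hres = CoSetProxyBlanket(psink->psvc, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL,
                             RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE);
    throw_on_failure(hres, "coult not set proxy blanket, error code =0x");

    // The original listing ignored the results of the next three calls and
    // would dereference a null pointer if any of them failed.
    CComPtr<IUnsecuredApartment> punsecapp;
    hres = CoCreateInstance(CLSID_UnsecuredApartment, NULL, CLSCTX_LOCAL_SERVER, IID_IUnsecuredApartment,
                            reinterpret_cast<void**>(&punsecapp));
    throw_on_failure(hres, "could not create unsecured apartment, error code = 0x");

    CComPtr<IUnknown> pstubunk;
    hres = punsecapp->CreateObjectStub(psink, &pstubunk);
    throw_on_failure(hres, "could not create sink stub, error code = 0x");

    hres = pstubunk->QueryInterface(IID_IWbemObjectSink, reinterpret_cast<void**>(&psink->pstubsink));
    throw_on_failure(hres, "sink stub does not expose iwbemobjectsink, error code = 0x");

    // The query text is a fixed literal, so no formatting buffer is needed.
    // FROM / WHERE / AND are required WQL keywords; the text as it appears on
    // this page had lost them.
    const _bstr_t query(
        L"SELECT * FROM __InstanceCreationEvent WITHIN 1 "
        L"WHERE TargetInstance ISA 'Win32_Process' "
        L"AND TargetInstance.Name = 'iexplore.exe'");

    hres = psink->psvc->ExecNotificationQueryAsync(_bstr_t("WQL"), query, WBEM_FLAG_SEND_STATUS, NULL,
                                                   psink->pstubsink);
    throw_on_failure(hres, "execnotificationqueryasync failed = 0x");
}

// Demo callback: prints a marker when the event arrives.
void k() { std::cout << "kkkkk " << std::endl; }

int main() {
    creationevent::registercreationcallback(k);
    // Keep the process alive until Enter is pressed so the event can arrive.
    std::cin.get();
    return 0;
}

// ---- creationevent.h (listing follows) ----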
 #pragma once #ifndef _creationevent_h__ #define _creationevent_h__  #include <boost/function.hpp>  namespace creationevent {     typedef boost::function<void(void)> tnotificationfunc;     void registercreationcallback(tnotificationfunc callback); }  #endif 
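I went and reviewed the article "Example: Receiving Event Notifications Through WMI", and spotted an apparently important difference.
In the method creationevent::registercreationcallback(...), replace:
CoInitialize(NULL);
with:
CoInitializeEx(0, COINIT_MULTITHREADED);
The likely reason this matters: CoInitialize(NULL) puts the thread in a single-threaded apartment, where incoming COM calls such as the sink's Indicate are delivered only while that thread pumps window messages, and this program blocks in cin.get() instead. In the multithreaded apartment the callback arrives on a COM worker thread.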