WMI is an important component of the Windows OS and everyone knows about it, so I won't go into detail about what it is (read the linked Wikipedia article if you want to know). I will focus instead on the practical side, which we come across more and more often.

I will begin by saying that nowadays lots of malware uses WMI, either to establish a stealthy persistence mechanism or to query various information from the system. This is typically done using WQL queries, which are so popular that even a couple of standard OS commands are implemented as 'processors' that simply interpret the results of WQL queries instead of using old-school APIs.

A good example is tasklist.exe. If you have ever launched it from a command line and noticed a slight delay before it returned its data, that is because it has to 'talk' to WMI first, and WMI initialization can sometimes take a while.

This program is also a good example for showing what exactly happens when a tool 'talks' to WMI.

Have a look at the Tasklist.exe log below.

First, tasklist.exe connects to the WMI server with IWbemLocator::ConnectServer; 'root\cimv2' is the namespace used by most WMI classes.

Then it executes the WQL query via IWbemServices::ExecQuery:

SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Then every object returned by the query is read property by property using the IWbemClassObject::Get method.

Finally, the obtained data is written to the console using the WriteConsoleW function.

Apart from tasklist.exe, we can also find WQL in taskkill.exe.

Killing a process requires a different query, one that specifies, for example, the name of the process:

SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "notepad.exe")

which is run when we execute

taskkill.exe /im notepad.exe /f

WMI is then asked for the 'Terminate' method of the Win32_Process class, which is what actually kills the object. All of these queries run via COM, so analyzing them is a bit of a pain, but once you get used to it it's actually manageable (just a bit mundane).

Refer to a short Taskkill.exe log below.
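Reading a flattened COM trace like the ones at the end of this post gets tedious quickly, so here is an added example (my own code, not from the original post or from Microsoft) that replays such a trace: it records the namespace passed to ConnectServer, the WQL passed to ExecQuery, and groups the IWbemClassObject::Get calls back into one row per returned Win32_Process object, using the fact that tasklist.exe reads __PATH first for every object. The trace is constructed in the same shape as the post's log; the host name HOST and the numbers are made up. It also converts KernelModeTime and UserModeTime, which Win32_Process reports in 100-nanosecond units, into CPU seconds.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One logged COM call: (interface, method, argument text), e.g.
# ("IWbemClassObject", "Get", "ProcessId=412").
Event = Tuple[str, str, str]
CALL_RE = re.compile(r"^(?P<iface>\w+)::(?P<method>\w+):\s*(?P<arg>.*)$")

# Constructed trace in the same shape as the tasklist.exe log in the post;
# the host name and the numbers are made up for this example.
SAMPLE_TRACE = r"""
IWbemLocator::ConnectServer: 'root\cimv2'
IWbemServices::ExecQuery: ('SELECT __PATH, ProcessId, Caption, ThreadCount, KernelModeTime, UserModeTime FROM Win32_Process')
IWbemClassObject::Get: __PATH=\\HOST\root\cimv2:Win32_Process.Handle="4"
IWbemClassObject::Get: ProcessId=4
IWbemClassObject::Get: Caption=System
IWbemClassObject::Get: ThreadCount=48
IWbemClassObject::Get: KernelModeTime=103437500
IWbemClassObject::Get: UserModeTime=0
IWbemClassObject::Get: __PATH=\\HOST\root\cimv2:Win32_Process.Handle="412"
IWbemClassObject::Get: ProcessId=412
IWbemClassObject::Get: Caption=smss.exe
IWbemClassObject::Get: ThreadCount=3
IWbemClassObject::Get: KernelModeTime=156250
IWbemClassObject::Get: UserModeTime=156250
"""


@dataclass
class Replay:
    namespace: str = ""
    queries: List[str] = field(default_factory=list)
    rows: List[Dict[str, str]] = field(default_factory=list)


def parse_trace(text: str) -> List[Event]:
    """Split a trace into (interface, method, argument) events, skipping noise."""
    events: List[Event] = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if m:
            events.append((m["iface"], m["method"], m["arg"]))
    return events


def replay(events: List[Event]) -> Replay:
    """Walk the events in order and rebuild what the caller saw: the namespace
    it connected to, the WQL it ran, and one dict per returned object."""
    rep = Replay()
    row: Optional[Dict[str, str]] = None
    for iface, method, arg in events:
        if (iface, method) == ("IWbemLocator", "ConnectServer"):
            rep.namespace = arg.strip("'\"")
        elif (iface, method) == ("IWbemServices", "ExecQuery"):
            rep.queries.append(arg.strip("()'\""))
        elif (iface, method) == ("IWbemClassObject", "Get"):
            prop, _, value = arg.partition("=")
            if prop == "__PATH":
                # tasklist fetches __PATH first for every object, so it marks a new row
                row = {}
                rep.rows.append(row)
            if row is not None:
                row[prop] = value
    return rep


def cpu_seconds(row: Dict[str, str]) -> float:
    """Win32_Process reports KernelModeTime and UserModeTime in 100-nanosecond
    units, so their sum divided by 1e7 is the CPU time in seconds."""
    return (int(row.get("KernelModeTime", "0")) + int(row.get("UserModeTime", "0"))) / 1e7


def tasklist_view(rep: Replay) -> List[str]:
    """Render the rebuilt rows as a small tasklist-like table."""
    lines = [f"{'Image Name':<20} {'PID':>6} {'Threads':>7} {'CPU(s)':>10}"]
    for r in rep.rows:
        lines.append(f"{r.get('Caption', '?'):<20} {r.get('ProcessId', '?'):>6} "
                     f"{r.get('ThreadCount', '?'):>7} {cpu_seconds(r):>10.3f}")
    return lines


if __name__ == "__main__":
    rep = replay(parse_trace(SAMPLE_TRACE))
    print("namespace:", rep.namespace)
    for q in rep.queries:
        print("query:", q)
    print("\n".join(tasklist_view(rep)))
```

The same replay works for a taskkill.exe trace: the ExecQuery line then carries the WHERE clause, and the IWbemServices::GetObject / IWbemClassObject::GetMethod calls simply fall through as events you can print before the rows.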

As I mentioned above, malware often uses WQL queries, and the most popular ones are listed below:

select * from antispywareproduct

select * from antivirusproduct

select * from firewallproduct

select * from win32_baseboard

select * from win32_bios where manufacturer like '%xen%' or (smbiosbiosversion like '%vbox%') or (smbiosbiosversion like '%bochs%') or (smbiosbiosversion like '%qemu%') or (smbiosbiosversion like '%virtualbox%')

select * from win32_bios

select * from win32_cdromdrive

select * from win32_computersystem

select * from win32_computersystemproduct

select * from win32_diskdrive

select * from win32_networkadapter where (name like '%tap%') and (not pnpdeviceid like '%*isatap%') and (netenabled = true)

select * from win32_onboarddevice

select * from win32_operatingsystem

select * from win32_physicalmedia

select * from win32_processor

select * from win32_systemenclosure

select * from win32_useraccount

select * from win32_videocontroller

select name, executablepath from win32_process

There are many more, often focused on sandbox detection, but I may cover them in a separate post.
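Most of these queries are harmless on their own (tasklist.exe issues one of them), so what matters for detection is which classes a single process touches and what its WHERE clauses look for. Below is an added example of that triage logic, my own code rather than anything from the original post: it normalises a WQL string (lower-case, straight quotes, collapsed whitespace), extracts the FROM class and WHERE clause, tags the query using the families listed above, and rates a whole session of queries from one process. The sample sessions are constructed; the tag names, the marker list and the verdict thresholds are my assumptions and should be tuned against your own baseline. The queries can come from any source: an API trace, Microsoft-Windows-WMI-Activity event logs or a sandbox report.

```python
import re
from typing import Dict, List

# WMI classes that the post lists as the most popular malware targets.
SECURITY_PRODUCT_CLASSES = {"antivirusproduct", "antispywareproduct", "firewallproduct"}
HARDWARE_CLASSES = {
    "win32_bios", "win32_baseboard", "win32_computersystem",
    "win32_computersystemproduct", "win32_diskdrive", "win32_physicalmedia",
    "win32_processor", "win32_systemenclosure", "win32_videocontroller",
    "win32_onboarddevice", "win32_cdromdrive", "win32_networkadapter",
}
# Substrings the post's win32_bios query matches with LIKE.
VM_MARKERS = ("xen", "vbox", "virtualbox", "bochs", "qemu")

FROM_RE = re.compile(r"\bfrom\s+([a-z0-9_]+)")
WHERE_RE = re.compile(r"\bwhere\s+(.*)$")
# Typographic quotes that blogs and copy-paste introduce; straighten them.
QUOTE_MAP = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})


def normalise(wql: str) -> str:
    """Lower-case, straighten quotes and collapse whitespace so trivially
    re-spaced or re-quoted variants of a query compare equal."""
    return " ".join(wql.translate(QUOTE_MAP).lower().split())


def classify(wql: str) -> Dict[str, object]:
    """Tag one query by the class it reads and what its WHERE clause looks for."""
    q = normalise(wql)
    m = FROM_RE.search(q)
    cls = m.group(1) if m else ""
    w = WHERE_RE.search(q)
    where = w.group(1) if w else ""
    tags: List[str] = []
    if cls in SECURITY_PRODUCT_CLASSES:
        tags.append("security-product-enum")
    if cls in HARDWARE_CLASSES:
        tags.append("hardware-fingerprint")
    markers = [mk for mk in VM_MARKERS if f"%{mk}%" in where]
    if markers:
        tags.append("vm-detection")
    if cls == "win32_networkadapter" and "%tap%" in where:
        tags.append("tap-adapter-check")
    if cls == "win32_process":
        tags.append("process-enum")
    if cls == "win32_useraccount":
        tags.append("account-enum")
    if cls == "win32_operatingsystem":
        tags.append("os-fingerprint")
    return {"class": cls, "where": where, "tags": tags, "vm_markers": markers}


def score_session(queries: List[str]) -> Dict[str, object]:
    """Aggregate the tags of every query one process issued and rate the session.
    The thresholds are illustrative assumptions, not a tested baseline."""
    tags = set()
    for q in queries:
        tags.update(classify(q)["tags"])
    if "vm-detection" in tags and "security-product-enum" in tags:
        verdict = "high"
    elif tags & {"vm-detection", "security-product-enum", "tap-adapter-check"}:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"tags": sorted(tags), "verdict": verdict}


# Constructed sessions, not real telemetry. The first is what tasklist.exe
# issues; the second strings together queries from the post's list, one of
# them with the typographic quotes a blog tends to introduce.
TASKLIST_SESSION = [
    "SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, "
    "WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process",
]
MALWARE_LIKE_SESSION = [
    "select * from antivirusproduct",
    "select * from win32_bios where manufacturer like \u2018%xen%\u2019 or "
    "(smbiosbiosversion like \u2018%vbox%\u2019) or (smbiosbiosversion like \u2018%qemu%\u2019)",
    "select name, executablepath from win32_process",
]

if __name__ == "__main__":
    for name, session in (("tasklist", TASKLIST_SESSION), ("malware-like", MALWARE_LIKE_SESSION)):
        for q in session:
            print(name, classify(q)["tags"], "<-", normalise(q)[:60])
        print(name, "=>", score_session(session))
```

Keying the verdict on the combination (security-product enumeration plus VM markers in the same session) rather than on any single query keeps legitimate inventory tools, which also read Win32_BIOS and Win32_ComputerSystem, from lighting up.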

Taskkill.exe log

IWbemLocator::ConnectServer: 'root\cimv2'
IWbemServices::ExecQuery: ('SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "notepad.exe")')
IWbemServices::GetObjectA: Win32_Process
IWbemClassObject::GetMethod: Terminate

Tasklist.exe log

IWbemLocator::ConnectServer: 'root\cimv2'
IWbemServices::ExecQuery: ('SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process')
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="0"
IWbemClassObject::Get: ProcessId=0
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=System Idle Process
IWbemClassObject::Get: ThreadCount=1
IWbemClassObject::Get: KernelModeTime=649121406250
IWbemClassObject::Get: UserModeTime=0
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=28672
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="4"
IWbemClassObject::Get: ProcessId=4
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=System
IWbemClassObject::Get: ThreadCount=48
IWbemClassObject::Get: KernelModeTime=103437500
IWbemClassObject::Get: UserModeTime=0
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=241664
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="412"
IWbemClassObject::Get: ProcessId=412
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=smss.exe
IWbemClassObject::Get: ThreadCount=3
IWbemClassObject::Get: KernelModeTime=156250
IWbemClassObject::Get: UserModeTime=156250
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=442368
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="628"
IWbemClassObject::Get: ProcessId=628
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=csrss.exe
IWbemClassObject::Get: ThreadCount=11
IWbemClassObject::Get: KernelModeTime=12343750
IWbemClassObject::Get: UserModeTime=5312500
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=4444160
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="720"
IWbemClassObject::Get: ProcessId=720
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=winlogon.exe
IWbemClassObject::Get: ThreadCount=17
IWbemClassObject::Get: KernelModeTime=15156250
IWbemClassObject::Get: UserModeTime=2343750
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=5029888
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="764"
IWbemClassObject::Get: ProcessId=764
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=services.exe
IWbemClassObject::Get: ThreadCount=15
IWbemClassObject::Get: KernelModeTime=8927500000
IWbemClassObject::Get: UserModeTime=901250000
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=3727360
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="776"
IWbemClassObject::Get: ProcessId=776
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=lsass.exe
IWbemClassObject::Get: ThreadCount=20
IWbemClassObject::Get: KernelModeTime=143437500
IWbemClassObject::Get: UserModeTime=28906250
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=1490944
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="932"
IWbemClassObject::Get: ProcessId=932
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=vmacthlp.exe
IWbemClassObject::Get: ThreadCount=1
IWbemClassObject::Get: KernelModeTime=0
IWbemClassObject::Get: UserModeTime=156250
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=2768896
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="948"
IWbemClassObject::Get: ProcessId=948
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=svchost.exe
IWbemClassObject::Get: ThreadCount=17
IWbemClassObject::Get: KernelModeTime=781250
IWbemClassObject::Get: UserModeTime=468750
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=5214208
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="1032"
IWbemClassObject::Get: ProcessId=1032
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=svchost.exe
IWbemClassObject::Get: ThreadCount=9
IWbemClassObject::Get: KernelModeTime=625000
IWbemClassObject::Get: UserModeTime=781250
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=4546560
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="1152"
IWbemClassObject::Get: ProcessId=1152
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=svchost.exe
IWbemClassObject::Get: ThreadCount=49
IWbemClassObject::Get: KernelModeTime=125937500
IWbemClassObject::Get: UserModeTime=50781250
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=17682432
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="1188"
IWbemClassObject::Get: ProcessId=1188
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=svchost.exe
IWbemClassObject::Get: ThreadCount=5
IWbemClassObject::Get: KernelModeTime=781250
IWbemClassObject::Get: UserModeTime=312500
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=3985408
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="1224"
IWbemClassObject::Get: ProcessId=1224
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=svchost.exe
IWbemClassObject::Get: ThreadCount=4
IWbemClassObject::Get: KernelModeTime=0
IWbemClassObject::Get: UserModeTime=156250
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=3346432
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="1396"
IWbemClassObject::Get: ProcessId=1396
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=spoolsv.exe
IWbemClassObject::Get: ThreadCount=11
IWbemClassObject::Get: KernelModeTime=625000
IWbemClassObject::Get: UserModeTime=156250
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=6545408
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="1776"
IWbemClassObject::Get: ProcessId=1776
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=explorer.exe
IWbemClassObject::Get: ThreadCount=10
IWbemClassObject::Get: KernelModeTime=21718750
IWbemClassObject::Get: UserModeTime=6093750
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=19316736
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="2008"
IWbemClassObject::Get: ProcessId=2008
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=vmtoolsd.exe
IWbemClassObject::Get: ThreadCount=5
IWbemClassObject::Get: KernelModeTime=17031250
IWbemClassObject::Get: UserModeTime=8593750
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=12140544
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="2024"
IWbemClassObject::Get: ProcessId=2024
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=ctfmon.exe
IWbemClassObject::Get: ThreadCount=1
IWbemClassObject::Get: KernelModeTime=156250
IWbemClassObject::Get: UserModeTime=312500
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=3600384
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="476"
IWbemClassObject::Get: ProcessId=476
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=PERSFW.exe
IWbemClassObject::Get: ThreadCount=6
IWbemClassObject::Get: KernelModeTime=2187500
IWbemClassObject::Get: UserModeTime=1093750
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=6897664
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="516"
IWbemClassObject::Get: ProcessId=516
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=vmtoolsd.exe
IWbemClassObject::Get: ThreadCount=7
IWbemClassObject::Get: KernelModeTime=124531250
IWbemClassObject::Get: UserModeTime=63281250
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=13619200
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="1472"
IWbemClassObject::Get: ProcessId=1472
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=TPAutoConnSvc.exe
IWbemClassObject::Get: ThreadCount=5
IWbemClassObject::Get: KernelModeTime=1093750
IWbemClassObject::Get: UserModeTime=468750
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=4669440
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="1796"
IWbemClassObject::Get: ProcessId=1796
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=TPAutoConnect.exe
IWbemClassObject::Get: ThreadCount=1
IWbemClassObject::Get: KernelModeTime=5312500
IWbemClassObject::Get: UserModeTime=2500000
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=5267456
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="2040"
IWbemClassObject::Get: ProcessId=2040
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=cmd.exe
IWbemClassObject::Get: ThreadCount=1
IWbemClassObject::Get: KernelModeTime=156250
IWbemClassObject::Get: UserModeTime=156250
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=2961408
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="588"
IWbemClassObject::Get: ProcessId=588
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=wmiprvse.exe
IWbemClassObject::Get: ThreadCount=7
IWbemClassObject::Get: KernelModeTime=0
IWbemClassObject::Get: UserModeTime=156250
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=6332416
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="1592"
IWbemClassObject::Get: ProcessId=1592
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=tasklist.exe
IWbemClassObject::Get: ThreadCount=4
IWbemClassObject::Get: KernelModeTime=2031250
IWbemClassObject::Get: UserModeTime=2187500
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=5816320