Last active
October 8, 2024 18:45
-
-
Save EvanMcBroom/99ea88304faec38d3ed1deefd1aba6f9 to your computer and use it in GitHub Desktop.
Examples of using an impersonation token instead of explicit credentials to create a process on a remote host via DCOM and MS-WMI.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Copyright (C) 2024 Evan McBroom | |
#include <Windows.h> | |
#include <iostream> | |
#include <vector> | |
#include <WbemCli.h> | |
#include <atlbase.h> | |
#include <iomanip> | |
// The modified, compiled IDL file from: | |
// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wmi/ | |
#include "ms_wmi_h.h" | |
#include "ms_wmi_i.c" | |
#pragma comment(lib, "WbemUuid.lib") | |
WCHAR domainName[] = L"DOMAIN NAME"; | |
WCHAR userName[] = L"USER NAME"; | |
WCHAR password[] = L"PASSWORD"; | |
WCHAR address[] = L"IP ADDRESS OR HOST NAME"; | |
WCHAR process[] = L"calc.exe"; | |
// An alternative option to set EOAC_STATIC_CLOAKING or EOAC_DYNAMIC_CLOAKING on an individual | |
// interface instead of on the entire process (e.g., CoInitializeSecurity) if desired. | |
bool SetProxyBlanket(IUnknown* iunknown) { | |
return SUCCEEDED(CoSetProxyBlanket(iunknown, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHZ_NONE, nullptr, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_IMP_LEVEL_IMPERSONATE, nullptr, EOAC_STATIC_CLOAKING)); | |
} | |
int main() { | |
// Set an impersonation token that will use explicit credentials | |
// when doing NTLM authentication to a remote host. Kerberos | |
// tickets may also be added to the logon session via PTT while | |
// the token is being impersonated. | |
HANDLE token; | |
size_t result = LogonUserW(userName, domainName, password, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, &token); | |
(void)ImpersonateLoggedOnUser(token); | |
// Start COM and set it to always use the current impersonation token (e.g., EOAC_STATIC_CLOAKING), | |
// and for COM to choose how to authenticate (e.g., authentication service = -1). NTLM and/or kerberos | |
// can be explicitly set via the authentication list parameter if desired. | |
(void)CoInitialize(nullptr); | |
result = CoInitializeSecurity(nullptr, -1, nullptr, nullptr, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_IMP_LEVEL_IMPERSONATE, nullptr, EOAC_STATIC_CLOAKING, nullptr); | |
// Create an object on a remote host. | |
// For the CLSID_WbemLevel1Login object, this requires you to use Administrative credentials. | |
// CLSID_WbemLevel1Login does not allow you to immediately query IWbemLevel1Login so you | |
// must query for IUnknown first. | |
COSERVERINFO serverInfo = { 0 }; | |
serverInfo.pwszName = address; | |
MULTI_QI interfaces = { 0 }; | |
interfaces.pIID = &IID_IUnknown; | |
if (SUCCEEDED(result = CoCreateInstanceEx(CLSID_WbemLevel1Login, nullptr, CLSCTX_REMOTE_SERVER, &serverInfo, 1, &interfaces))) { | |
// Convert IUnknown to IWbemLevel1Login. | |
// This takes a few seconds to complete the first time you do it on the host, | |
// or if you have not called it in a while and the previous instance has been | |
// destroyed (e.g., due to a timeout). | |
CComPtr<IUnknown> iUnknown{ interfaces.pItf }; | |
CComPtr<IWbemLevel1Login> wbemLevel1Login; | |
if (SUCCEEDED(result = iUnknown.QueryInterface(&wbemLevel1Login))) { | |
WCHAR address[] = L"ROOT\\CIMV2"; | |
CComPtr<IWbemServices> wbemServices; | |
if (SUCCEEDED(result = wbemLevel1Login->NTLMLogin(address, nullptr, 0, nullptr, &wbemServices))) { | |
// Get the WMI object | |
CComPtr<IWbemClassObject> win32Process; | |
wbemServices->GetObjectW(CComBSTR{ L"Win32_Process" }, 0, nullptr, &win32Process, nullptr); | |
// Get the signature (e.g., the definition) of the input parameters. | |
CComPtr<IWbemClassObject> inSignature; | |
win32Process->GetMethod(L"Create", 0, &inSignature, nullptr); | |
CComPtr<IWbemClassObject> inParameters; | |
// Create an instance of the input parameters for use to set them to | |
// actual values. | |
inSignature->SpawnInstance(0, &inParameters); | |
CComVariant variant(process); | |
inParameters->Put(L"CommandLine", 0, &variant, 0); | |
// Execute the Win32_Process:Create and show its output parameters. | |
CComPtr<IWbemClassObject> outParameters; | |
wbemServices->ExecMethod(CComBSTR{ "Win32_Process" }, CComBSTR{ "Create" }, 0, nullptr, inParameters, &outParameters, nullptr); | |
outParameters->Get(L"ProcessId", 0, &variant, nullptr, nullptr); | |
std::cout << "ProcessId: " << variant.uintVal << std::endl; | |
outParameters->Get(L"ReturnValue", 0, &variant, nullptr, nullptr); | |
std::cout << "ReturnValue: " << variant.uintVal << std::endl; | |
} | |
std::cout << result; | |
} | |
} | |
if (result) { | |
std::cout << "Result: " << std::hex << result << std::endl; | |
} | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Copyright (C) 2024 Evan McBroom | |
// The use of CoInitializeSecurity was previously used to instruct COM to use the executing thread's | |
// current impersonation token when creating COM objects or interacting with their interfaces. That | |
// caused an issue when the code was injected into another process which had already called that API | |
// but with incompatible arguments for this technique. In such cases the code would fail on object | |
// creation with an access denied error due to COM attempting to create the object with the process's | |
// primary token. | |
// | |
// The code has been updated to remove the use of CoInitializeSecurity to avoid this issue. Now | |
// CoCreateInstanceEx and CoSetProxyBlanket are used as needed to instruct COM to use the current | |
// executing thread's current impersonation token when creating COM objects or interacting with their | |
// interfaces. This same approach can be applied to the C++ version of the proof of concept. | |
// | |
// The OleViewDotNet namespaces include modified types from James Forshaw's OleViewDotNet project: | |
// https://github.com/tyranid/oleviewdotnet | |
using OleViewDotNet.Interop; | |
using OleViewDotNet.Marshaling; | |
using System; | |
using System.Runtime.InteropServices; | |
using System.Security.Principal; | |
namespace OleViewDotNet.Interop | |
{ | |
[Flags] | |
public enum CLSCTX : uint | |
{ | |
REMOTE_SERVER = 0x10, | |
ENABLE_CLOAKING = 0x100000 | |
} | |
[Flags] | |
public enum EOLE_AUTHENTICATION_CAPABILITIES | |
{ | |
STATIC_CLOAKING = 0x20, | |
DYNAMIC_CLOAKING = 0x40 | |
} | |
[Flags] | |
public enum RPC_AUTHN_LEVEL | |
{ | |
PKT_PRIVACY = 6 | |
} | |
[Flags] | |
public enum RPC_IMP_LEVEL | |
{ | |
IMPERSONATE = 3 | |
} | |
[Flags] | |
public enum RPC_C_QOS_CAPABILITIES | |
{ | |
None = 0 | |
} | |
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] | |
internal struct COAUTHINFO | |
{ | |
public RpcAuthnService dwAuthnSvc; | |
public int dwAuthzSvc; | |
[MarshalAs(UnmanagedType.LPWStr)] | |
public string pwszServerPrincName; | |
public RPC_AUTHN_LEVEL dwAuthnLevel; | |
public RPC_IMP_LEVEL dwImpersonationLevel; | |
public IntPtr pAuthIdentityData; | |
public RPC_C_QOS_CAPABILITIES dwCapabilities; | |
} | |
[StructLayout(LayoutKind.Sequential)] | |
public struct MULTI_QI : IDisposable | |
{ | |
private IntPtr pIID; | |
public IntPtr pItf; | |
public int hr; | |
void IDisposable.Dispose() | |
{ | |
Marshal.FreeCoTaskMem(pIID); | |
if (pItf != IntPtr.Zero) | |
{ | |
Marshal.Release(pItf); | |
pItf = IntPtr.Zero; | |
} | |
} | |
public MULTI_QI(Guid iid) | |
{ | |
pIID = Marshal.AllocCoTaskMem(16); | |
Marshal.Copy(iid.ToByteArray(), 0, pIID, 16); | |
pItf = IntPtr.Zero; | |
hr = 0; | |
} | |
} | |
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] | |
public sealed class COSERVERINFO | |
{ | |
private readonly int dwReserved1; | |
[MarshalAs(UnmanagedType.LPWStr)] | |
public string pwszName; | |
public IntPtr pAuthInfo; | |
private readonly int dwReserved2; | |
} | |
internal static class NativeMethods | |
{ | |
[DllImport("ole32.dll")] | |
public static extern int CoCreateInstanceEx(in Guid rclsid, IntPtr punkOuter, CLSCTX dwClsCtx, IntPtr pServerInfo, int dwCount, [In, Out] MULTI_QI[] pResults); | |
} | |
} | |
namespace OleViewDotNet.Marshaling | |
{ | |
public enum RpcAuthnService : int | |
{ | |
None = 0, | |
Default = -1, | |
GSS_Negotiate = 9, | |
} | |
} | |
namespace ExecRemoteProcess | |
{ | |
class Program | |
{ | |
// Argument marshaling taking from: | |
// https://learn.microsoft.com/en-us/dotnet/framework/interop/default-marshalling-for-objects | |
[ComImport] | |
[Guid("F309AD18-D86A-11d0-A075-00C04FB68820")] | |
[InterfaceType(ComInterfaceType.InterfaceIsIUnknown)] | |
public interface IWbemLevel1Login | |
{ | |
[return: MarshalAs(UnmanagedType.Interface)] | |
int EstablishPosition(/* ... */); | |
int RequestChallenge(/* ... */); | |
int WBEMLogin(/* ... */); | |
int NTLMLogin([In, MarshalAs(UnmanagedType.LPWStr)] string wszNetworkResource, [In, MarshalAs(UnmanagedType.LPWStr)] string wszPreferredLocale, [In] long lFlags, [In, MarshalAs(UnmanagedType.IUnknown)] Object pCtx, [MarshalAs(UnmanagedType.IUnknown)] ref Object ppNamespace); | |
} | |
[ComImport] | |
[Guid("9556dc99-828c-11cf-a37e-00aa003240c7")] | |
[InterfaceType(ComInterfaceType.InterfaceIsIUnknown)] | |
public interface IWbemServices | |
{ | |
[return: MarshalAs(UnmanagedType.Interface)] | |
int OpenNamespace(/* ... */); | |
int CancelAsyncCall(/* ... */); | |
int QueryObjectSink(/* ... */); | |
int GetObject([MarshalAs(UnmanagedType.BStr)] string strObjectPath, [In] long lFlags, [In, Optional, MarshalAs(UnmanagedType.IUnknown)] Object pCtx, [In, Out, Optional, MarshalAs(UnmanagedType.IUnknown)] ref Object ppObject, [In, Out, Optional, MarshalAs(UnmanagedType.IUnknown)] ref Object ppCallResult); | |
int GetObjectAsync(/* ... */); | |
int PutClass(/* ... */); | |
int PutClassAsync(/* ... */); | |
int DeleteClass(/* ... */); | |
int DeleteClassAsync(/* ... */); | |
int CreateClassEnum(/* ... */); | |
int CreateClassEnumAsync(/* ... */); | |
int PutInstance(/* ... */); | |
int PutInstanceAsync(/* ... */); | |
int DeleteInstance(/* ... */); | |
int DeleteInstanceAsync(/* ... */); | |
int CreateInstanceEnum(/* ... */); | |
int CreateInstanceEnumAsync(/* ... */); | |
int ExecQuery(/* ... */); | |
int ExecQueryAsync(/* ... */); | |
int ExecNotificationQuery(/* ... */); | |
int ExecNotificationQueryAsync(/* ... */); | |
int ExecMethod([MarshalAs(UnmanagedType.BStr)] string strObjectPath, [MarshalAs(UnmanagedType.BStr)] string strMethodName, [In] long lFlags, [In, Optional, MarshalAs(UnmanagedType.IUnknown)] Object pCtx, [In, Optional, MarshalAs(UnmanagedType.IUnknown)] Object pInParams, [In, Out, Optional, MarshalAs(UnmanagedType.IUnknown)] ref Object ppOutParams, [In, Out, Optional, MarshalAs(UnmanagedType.IUnknown)] ref Object ppCallResult); | |
int ExecMethodAsync(/* ... */); | |
} | |
[ComImport] | |
[Guid("dc12a681-737f-11cf-884d-00aa004b2e24")] | |
[InterfaceType(ComInterfaceType.InterfaceIsIUnknown)] | |
public interface IWbemClassObject | |
{ | |
[return: MarshalAs(UnmanagedType.Interface)] | |
int GetQualifierSet(/* ... */); | |
int Get([In, MarshalAs(UnmanagedType.LPWStr)] string wszName, [In] long lFlags, [In, Out] ref Object pVal, [In, Out, Optional] ref int pType, [In, Out, Optional] ref int plFlavor); | |
int Put([In, MarshalAs(UnmanagedType.LPWStr)] string wszName, [In] long lFlags, [In] ref Object pVal, [In, Optional] int Type); | |
int Delete(/* ... */); | |
int GetNames(/* ... */); | |
int BeginEnumeration(/* ... */); | |
int Next(/* ... */); | |
int EndEnumeration(/* ... */); | |
int GetPropertyQualifierSet(/* ... */); | |
int Clone(/* ... */); | |
int GetObjectText(/* ... */); | |
int SpawnDerivedClass(/* ... */); | |
int SpawnInstance([In] long lFlags, [MarshalAs(UnmanagedType.IUnknown)] ref Object ppNewInstance); | |
int CompareTo(/* ... */); | |
int GetPropertyOrigin(/* ... */); | |
int InheritsFrom(/* ... */); | |
int GetMethod([In, MarshalAs(UnmanagedType.LPWStr)] string wszName, [In] long lFlags, [MarshalAs(UnmanagedType.IUnknown)] ref Object ppInSignature, [MarshalAs(UnmanagedType.IUnknown)] ref Object ppOutSignature); | |
int PutMethod(/* ... */); | |
int DeleteMethod(/* ... */); | |
int BeginMethodEnumeration(/* ... */); | |
int NextMethod(/* ... */); | |
int EndMethodEnumeration(/* ... */); | |
int GetMethodQualifierSet(/* ... */); | |
int GetMethodOrigin(/* ... */); | |
} | |
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] | |
internal static extern bool LogonUser(String username, String domain, String password, int logonType, int logonProvider, ref IntPtr token); | |
[DllImport("ole32.dll", CharSet = CharSet.Unicode)] | |
public static extern int CoSetProxyBlanket(IntPtr pProxy, RpcAuthnService dwAuthnSvc, RpcAuthnService dwAuthzSvc, IntPtr pServerPrincName, RPC_AUTHN_LEVEL dwAuthLevel, RPC_IMP_LEVEL dwImpLevel, IntPtr pAuthInfo, EOLE_AUTHENTICATION_CAPABILITIES dwCapabilities); | |
static public string domainName = "DOMAIN NAME"; | |
static public string userName = "USER NAME"; | |
static public string password = "PASSWORD"; | |
static public string address = "IP ADDRESS OR HOST NAME"; | |
static public string process = "calc.exe"; | |
static public string cwd = "C:\\Windows\\System32"; | |
static bool SetProxyBlanket(IntPtr comObject) | |
{ | |
return CoSetProxyBlanket(comObject, RpcAuthnService.Default, RpcAuthnService.Default, IntPtr.Zero, RPC_AUTHN_LEVEL.PKT_PRIVACY, RPC_IMP_LEVEL.IMPERSONATE, IntPtr.Zero, EOLE_AUTHENTICATION_CAPABILITIES.STATIC_CLOAKING) >= 0; | |
} | |
static bool SetProxyBlanket(object comObject, Type interfaceType) | |
{ | |
return SetProxyBlanket(Marshal.GetComInterfaceForObject(comObject, interfaceType)); | |
} | |
static void Main() | |
{ | |
// Set an impersonation token that will use explicit credentials | |
// when doing NTLM authentication to a remote host. Kerberos | |
// tickets may also be added to the logon session via PTT while | |
// the token is being impersonated. | |
var LOGON32_LOGON_NEW_CREDENTIALS = 9; | |
var LOGON32_PROVIDER_WINNT50 = 3; | |
IntPtr token = IntPtr.Zero; | |
LogonUser(userName, domainName, password, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, ref token); | |
var context = WindowsIdentity.Impersonate(token); | |
// Create an object on a remote host. | |
// For the CLSID_WbemLevel1Login object, this requires you to use Administrative credentials. | |
// CLSID_WbemLevel1Login does not allow you to immediately query IWbemLevel1Login so you | |
// must query for IUnknown first. | |
var CLSID_WbemLevel1Login = new Guid("8BC3F05E-D86B-11D0-A075-00C04FB68820"); | |
var classContext = CLSCTX.REMOTE_SERVER | CLSCTX.ENABLE_CLOAKING; // ENABLE_CLOAKING makes object creation use our impersonation token | |
var authInfoPtr = Marshal.AllocCoTaskMem(0x100); // Buffer is larger than what is needed | |
var authInfo = new COAUTHINFO() | |
{ | |
dwAuthnSvc = RpcAuthnService.Default, | |
dwAuthzSvc = 0, | |
pwszServerPrincName = null, | |
dwAuthnLevel = RPC_AUTHN_LEVEL.PKT_PRIVACY, | |
dwImpersonationLevel = RPC_IMP_LEVEL.IMPERSONATE, | |
pAuthIdentityData = IntPtr.Zero, | |
dwCapabilities = RPC_C_QOS_CAPABILITIES.None | |
}; | |
Marshal.StructureToPtr(authInfo, authInfoPtr, false); | |
var serverInfoPtr = Marshal.AllocCoTaskMem(0x100); // Buffer is larger than what is needed | |
var serverInfo = new COSERVERINFO() | |
{ | |
pwszName = address, | |
pAuthInfo = authInfoPtr | |
}; | |
Marshal.StructureToPtr(serverInfo, serverInfoPtr, false); | |
var IID_IUnknown = new Guid("00000000-0000-0000-C000-000000000046"); // CLSID_WbemLevel1Login requires IUnknown to be the first interface queried | |
var multiQi = new MULTI_QI[1]; | |
multiQi[0] = new MULTI_QI(IID_IUnknown); | |
if (NativeMethods.CoCreateInstanceEx(CLSID_WbemLevel1Login, IntPtr.Zero, classContext, serverInfoPtr, 1, multiQi) == 0 && multiQi[0].hr == 0) | |
{ | |
// We need to set the proxy blanket with either STATIC_CLOAKING or DYNAMIC_CLOAKING on | |
// every interface we acquire to instruct COM to use our current impersonation token | |
SetProxyBlanket(multiQi[0].pItf); | |
var wbemLevel1Login = (IWbemLevel1Login)Marshal.GetObjectForIUnknown(multiQi[0].pItf); | |
SetProxyBlanket(wbemLevel1Login, typeof(IWbemLevel1Login)); | |
// Connect to the required WMI namespace | |
object output = null; | |
var result = wbemLevel1Login.NTLMLogin("ROOT\\CIMV2", null, 0, null, ref output); | |
var wbemServices = (IWbemServices)output; | |
SetProxyBlanket(wbemServices, typeof(IWbemServices)); | |
// Get an instance of Win32_Process | |
result = wbemServices.GetObject("Win32_Process", 0, null, ref output, null); | |
var win32Process = (IWbemClassObject)output; | |
SetProxyBlanket(win32Process, typeof(IWbemClassObject)); | |
// Get the signature (e.g., the definition) of the input parameters. | |
result = win32Process.GetMethod("Create", 0, ref output, null); | |
var inSignature = (IWbemClassObject)output; | |
SetProxyBlanket(inSignature, typeof(IWbemClassObject)); | |
inSignature.SpawnInstance(0, ref output); | |
var inParameters = (IWbemClassObject)output; | |
SetProxyBlanket(inParameters, typeof(IWbemClassObject)); | |
// Get an instance of Win32_ProcessStartup and use it to set the ProcessStartupInformation | |
// input parameter. | |
result = wbemServices.GetObject("Win32_ProcessStartup", 0, null, ref output, null); | |
inSignature = (IWbemClassObject)output; | |
SetProxyBlanket(inSignature, typeof(IWbemClassObject)); | |
inSignature.SpawnInstance(0, ref output); | |
var win32ProcessStartupInstance = (IWbemClassObject)output; | |
SetProxyBlanket(win32ProcessStartupInstance, typeof(IWbemClassObject)); | |
var input = (object)5; // SW_HIDE | |
result = win32ProcessStartupInstance.Put("ShowWindow", 0, ref input); | |
input = 0x01000000; // CREATE_BREAKAWAY_FROM_JOB | |
result = win32ProcessStartupInstance.Put("CreateFlags", 0, ref input); | |
input = (object)win32ProcessStartupInstance; | |
result = inParameters.Put("ProcessStartupInformation", 0, ref input); | |
// Set the CommandLine input parameter | |
input = (object)process; | |
result = inParameters.Put("CommandLine", 0, ref input); | |
input = (object)cwd; | |
result = inParameters.Put("CurrentDirectory", 0, ref input); | |
// Execute the Win32_Process:Create and show its output parameters. | |
result = wbemServices.ExecMethod("Win32_Process", "Create", 0, null, inParameters, ref output, null); | |
Object value = null; | |
var outParameters = (IWbemClassObject)output; | |
SetProxyBlanket(outParameters, typeof(IWbemClassObject)); | |
outParameters.Get("ProcessId", 0, ref value); | |
Console.Out.WriteLine("ProcessId: " + value.ToString()); | |
outParameters.Get("ReturnValue", 0, ref value); | |
Console.Out.WriteLine("ReturnValue: " + value.ToString()); | |
Console.In.ReadLine(); | |
} | |
Marshal.FreeCoTaskMem(authInfoPtr); | |
Marshal.FreeCoTaskMem(serverInfoPtr); | |
} | |
} | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// The IDL from the following link, modified to compile cleanly. | |
// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wmi/c2ea576a-0a62-4da8-a472-bafde9541f0f | |
import "oaidl.idl"; | |
import "ocidl.idl"; | |
interface IWbemClassObject; | |
interface IWbemServices; | |
interface IWbemObjectSink; | |
interface IEnumWbemClassObject; | |
interface IWbemCallResult; | |
interface IWbemContext; | |
interface IWbemBackupRestore; | |
interface IWbemBackupRestoreEx; | |
interface IWbemLoginClientID; | |
interface IWbemLevel1Login; | |
interface IWbemLoginHelper; | |
[ | |
restricted, | |
uuid(8BC3F05E-D86B-11d0-A075-00C04FB68820) | |
] | |
coclass WbemLevel1Login { | |
interface IWbemLevel1Login; | |
}; | |
[ | |
restricted, | |
uuid(674B6698-EE92-11d0-AD71-00C04FD8FDFF) | |
] | |
coclass WbemContext | |
{ | |
interface IWbemContext; | |
}; | |
[ | |
uuid(9A653086-174F-11d2-B5F9-00104B703EFD) | |
] | |
coclass WbemClassObject | |
{ | |
interface IWbemClassObject; | |
}; | |
[ | |
uuid(C49E32C6-BC8B-11d2-85D4-00105A1F8304) | |
] | |
coclass WbemBackupRestore | |
{ | |
interface IWbemBackupRestoreEx; | |
}; | |
#define OPTIONAL in, unique | |
interface IWbemQualifierSet; | |
[ | |
local, | |
restricted, | |
object, | |
uuid(dc12a681-737f-11cf-884d-00aa004b2e24) | |
] | |
interface IWbemClassObject : IUnknown | |
{ | |
}; | |
interface IWbemServices; | |
[ | |
object, | |
restricted, | |
uuid(7c857801-7381-11cf-884d-00aa004b2e24) | |
] | |
interface IWbemObjectSink : IUnknown | |
{ | |
HRESULT Indicate( | |
[in] long lObjectCount, | |
[in, size_is(lObjectCount)] | |
IWbemClassObject** apObjArray | |
); | |
HRESULT SetStatus( | |
[in] long lFlags, | |
[in] HRESULT hResult, | |
[in] BSTR strParam, | |
[in] IWbemClassObject* pObjParam | |
); | |
}; | |
[ | |
object, | |
restricted, | |
uuid(027947e1-d731-11ce-a357-000000000001) | |
] | |
interface IEnumWbemClassObject : IUnknown | |
{ | |
HRESULT Reset(); | |
HRESULT Next( | |
[in] long lTimeout, | |
[in] ULONG uCount, | |
[out, size_is(uCount), length_is(*puReturned)] | |
IWbemClassObject** apObjects, | |
[out] ULONG* puReturned | |
); | |
HRESULT NextAsync( | |
[in] ULONG uCount, | |
[in] IWbemObjectSink* pSink | |
); | |
HRESULT Clone( | |
[out] IEnumWbemClassObject** ppEnum | |
); | |
HRESULT Skip( | |
[in] long lTimeout, | |
[in] ULONG nCount | |
); | |
}; | |
[ | |
object, | |
restricted, | |
local, | |
uuid(44aca674-e8fc-11d0-a07c-00c04fb68820) | |
] | |
interface IWbemContext : IUnknown | |
{ | |
}; | |
[ | |
object, | |
restricted, | |
uuid(44aca675-e8fc-11d0-a07c-00c04fb68820) | |
] | |
interface IWbemCallResult : IUnknown | |
{ | |
HRESULT GetResultObject( | |
[in] long lTimeout, | |
[out] IWbemClassObject** ppResultObject | |
); | |
HRESULT GetResultString( | |
[in] long lTimeout, | |
[out] BSTR* pstrResultString | |
); | |
HRESULT GetResultServices( | |
[in] long lTimeout, | |
[out] IWbemServices** ppServices | |
); | |
HRESULT GetCallStatus( | |
[in] long lTimeout, | |
[out] long* plStatus | |
); | |
}; | |
[ | |
object, | |
restricted, | |
uuid(9556dc99-828c-11cf-a37e-00aa003240c7), | |
pointer_default(unique) | |
] | |
interface IWbemServices : IUnknown | |
{ | |
HRESULT OpenNamespace( | |
[in] const BSTR strNamespace, | |
[in] long lFlags, | |
[in] IWbemContext* pCtx, | |
[out, in, unique] IWbemServices** ppWorkingNamespace, | |
[out, in, unique] IWbemCallResult** ppResult | |
); | |
HRESULT CancelAsyncCall( | |
[in] IWbemObjectSink* pSink | |
); | |
HRESULT QueryObjectSink( | |
[in] long lFlags, | |
[out] IWbemObjectSink** ppResponseHandler | |
); | |
HRESULT GetObject( | |
[in] const BSTR strObjectPath, | |
[in] long lFlags, | |
[in] IWbemContext* pCtx, | |
[out, in, unique] IWbemClassObject** ppObject, | |
[out, in, unique] IWbemCallResult** ppCallResult | |
); | |
HRESULT GetObjectAsync( | |
[in] const BSTR strObjectPath, | |
[in] long lFlags, | |
[in] IWbemContext* pCtx, | |
[in] IWbemObjectSink* pResponseHandler | |
); | |
HRESULT PutClass( | |
[in] IWbemClassObject* pObject, | |
[in] long lFlags, | |
[in] IWbemContext* pCtx, | |
[out, in, unique] IWbemCallResult** ppCallResult | |
); | |
HRESULT PutClassAsync( | |
[in] IWbemClassObject* pObject, | |
[in] long lFlags, | |
[in] IWbemContext* pCtx, | |
[in] IWbemObjectSink* pResponseHandler | |
); | |
HRESULT DeleteClass( | |
[in] const BSTR strClass, | |
[in] long lFlags, | |
[in] IWbemContext* pCtx, | |
[out, in, unique] IWbemCallResult** ppCallResult | |
); | |
HRESULT DeleteClassAsync( | |
[in] const BSTR strClass, | |
[in] long lFlags, | |
[in] IWbemContext* pCtx, | |
[in] IWbemObjectSink* pResponseHandler | |
); | |
HRESULT CreateClassEnum( | |
[in] const BSTR strSuperclass, | |
[in] long lFlags, | |
[in] IWbemContext* pCtx, | |
[out] IEnumWbemClassObject** ppEnum | |
); | |
HRESULT CreateClassEnumAsync( | |
[in] const BSTR strSuperclass, | |
[in] long lFlags, | |
[in] IWbemContext* pCtx, | |
[in] IWbemObjectSink* pResponseHandler | |
); | |
HRESULT PutInstance( | |
[in] IWbemClassObject* pInst, | |
[in] long lFlags, | |
[in] IWbemContext* pCtx, | |
[out, in, unique] IWbemCallResult** ppCallResult | |
); | |
HRESULT PutInstanceAsync( | |
[in] IWbemClassObject* pInst, | |
[in] long lFlags, | |
[in] IWbemContext* pCtx, | |
[in] IWbemObjectSink* pResponseHandler | |
); | |
HRESULT DeleteInstance( | |
[in] const BSTR strObjectPath, | |
[in] long lFlags, | |
[in] IWbemContext* pCtx, | |
[out, in, unique] IWbemCallResult** ppCallResult | |
); | |
HRESULT DeleteInstanceAsync( | |
[in] const BSTR strObjectPath, | |
[in] long lFlags, | |
[in] IWbemContext* pCtx, | |
[in] IWbemObjectSink* pResponseHandler | |
); | |
HRESULT CreateInstanceEnum( | |
[in] const BSTR strSuperClass, | |
[in] long lFlags, | |
[in] IWbemContext* pCtx, | |
[out] IEnumWbemClassObject** ppEnum | |
); | |
HRESULT CreateInstanceEnumAsync( | |
[in] const BSTR strSuperClass, | |
[in] long lFlags, | |
[in] IWbemContext* pCtx, | |
[in] IWbemObjectSink* pResponseHandler | |
); | |
HRESULT ExecQuery( | |
[in] const BSTR strQueryLanguage, | |
[in] const BSTR strQuery, | |
[in] long lFlags, | |
[in] IWbemContext* pCtx, | |
[out] IEnumWbemClassObject** ppEnum | |
); | |
HRESULT ExecQueryAsync( | |
[in] const BSTR strQueryLanguage, | |
[in] const BSTR strQuery, | |
[in] long lFlags, | |
[in] IWbemContext* pCtx, | |
[in] IWbemObjectSink* pResponseHandler | |
); | |
HRESULT ExecNotificationQuery( | |
[in] const BSTR strQueryLanguage, | |
[in] const BSTR strQuery, | |
[in] long lFlags, | |
[in] IWbemContext* pCtx, | |
[out] IEnumWbemClassObject** ppEnum | |
); | |
HRESULT ExecNotificationQueryAsync( | |
[in] const BSTR strQueryLanguage, | |
[in] const BSTR strQuery, | |
[in] long lFlags, | |
[in] IWbemContext* pCtx, | |
[in] IWbemObjectSink* pResponseHandler | |
); | |
HRESULT ExecMethod( | |
[in] const BSTR strObjectPath, | |
[in] const BSTR strMethodName, | |
[in] long lFlags, | |
[in] IWbemContext* pCtx, | |
[in] IWbemClassObject* pInParams, | |
[out, in, unique] IWbemClassObject** ppOutParams, | |
[out, in, unique] IWbemCallResult** ppCallResult | |
); | |
HRESULT ExecMethodAsync( | |
[in] const BSTR strObjectPath, | |
[in] const BSTR strMethodName, | |
[in] long lFlags, | |
[in] IWbemContext* pCtx, | |
[in] IWbemClassObject* pInParams, | |
[in] IWbemObjectSink* pResponseHandler | |
); | |
}; | |
[ | |
object, | |
restricted, | |
uuid(C49E32C7-BC8B-11d2-85D4-00105A1F8304) | |
] | |
interface IWbemBackupRestore : IUnknown | |
{ | |
HRESULT Backup( | |
[in, string] LPCWSTR strBackupToFile, | |
[in] long lFlags | |
); | |
HRESULT Restore( | |
[in, string] LPCWSTR strRestoreFromFile, | |
[in] long lFlags | |
); | |
}; | |
[ | |
object, | |
restricted, | |
uuid(A359DEC5-E813-4834-8A2A-BA7F1D777D76) | |
] | |
interface IWbemBackupRestoreEx : IWbemBackupRestore | |
{ | |
HRESULT Pause(); | |
HRESULT Resume(); | |
}; | |
typedef enum _WBEM_REFR_VERSION_NUMBER { | |
WBEM_REFRESHER_VERSION = 2 | |
} WBEM_REFR_VERSION_NUMBER; | |
typedef [v1_enum] enum _WBEM_INSTANCE_BLOB_TYPE { | |
WBEM_BLOB_TYPE_ALL = 2, | |
WBEM_BLOB_TYPE_ERROR = 3, | |
WBEM_BLOB_TYPE_ENUM = 4 | |
} WBEM_INSTANCE_BLOB_TYPE; | |
typedef struct _WBEM_REFRESHED_OBJECT { | |
long m_lRequestId; | |
WBEM_INSTANCE_BLOB_TYPE m_lBlobType; | |
long m_lBlobLength; | |
[size_is(m_lBlobLength)] byte* m_pbBlob; | |
} WBEM_REFRESHED_OBJECT; | |
[ | |
restricted, | |
uuid(F1E9C5B2-F59B-11d2-B362-00105A1F8177) | |
] | |
interface IWbemRemoteRefresher : IUnknown { | |
HRESULT RemoteRefresh( | |
[in] long lFlags, | |
[out] long* plNumObjects, | |
[out, size_is(, *plNumObjects)] | |
WBEM_REFRESHED_OBJECT** paObjects | |
); | |
HRESULT StopRefreshing( | |
[in] long lNumIds, | |
[in, size_is(lNumIds)] long* aplIds, | |
[in] long lFlags | |
); | |
HRESULT Opnum5NotUsedOnWire( | |
[in] long lFlags, | |
[out] GUID* pGuid | |
); | |
}; | |
typedef struct { | |
IWbemRemoteRefresher* m_pRefresher; | |
IWbemClassObject* m_pTemplate; | |
GUID m_Guid; | |
} _WBEM_REFRESH_INFO_REMOTE; | |
typedef struct { | |
[string] wchar_t* m_wszNamespace; | |
IWbemClassObject* m_pTemplate; | |
} _WBEM_REFRESH_INFO_NON_HIPERF; | |
typedef enum | |
{ | |
WBEM_REFRESH_TYPE_INVALID = 0, | |
WBEM_REFRESH_TYPE_REMOTE = 3, | |
WBEM_REFRESH_TYPE_NON_HIPERF = 6 | |
}WBEM_REFRESH_TYPE; | |
typedef [switch_type(long)] union { | |
[case (WBEM_REFRESH_TYPE_REMOTE)] | |
_WBEM_REFRESH_INFO_REMOTE m_Remote; | |
[case (WBEM_REFRESH_TYPE_NON_HIPERF)] | |
_WBEM_REFRESH_INFO_NON_HIPERF m_NonHiPerf; | |
[case (WBEM_REFRESH_TYPE_INVALID)] | |
HRESULT m_hres; | |
} WBEM_REFRESH_INFO_UNION; | |
typedef struct { | |
long m_lType; | |
[switch_is(m_lType)] WBEM_REFRESH_INFO_UNION m_Info; | |
long m_lCancelId; | |
} _WBEM_REFRESH_INFO; | |
typedef struct { | |
[string] LPSTR m_szMachineName; | |
DWORD m_dwProcessId; | |
GUID m_guidRefresherId; | |
} _WBEM_REFRESHER_ID; | |
typedef enum { | |
WBEM_RECONNECT_TYPE_OBJECT = 0, | |
WBEM_RECONNECT_TYPE_ENUM = 1, | |
WBEM_RECONNECT_TYPE_LAST = 2 | |
}WBEM_RECONNECT_TYPE; | |
typedef struct { | |
long m_lType; | |
[string] LPCWSTR m_pwcsPath; | |
} _WBEM_RECONNECT_INFO; | |
typedef struct { | |
long m_lId; | |
HRESULT m_hr; | |
} _WBEM_RECONNECT_RESULTS; | |
[ | |
restricted, | |
uuid(2C9273E0-1DC3-11d3-B364-00105A1F8177) | |
] | |
interface IWbemRefreshingServices : IUnknown | |
{ | |
HRESULT AddObjectToRefresher( | |
[in] _WBEM_REFRESHER_ID* pRefresherId, | |
[in, string] LPCWSTR wszPath, | |
[in] long lFlags, | |
[in] IWbemContext* pContext, | |
[in] DWORD dwClientRefrVersion, | |
[out] _WBEM_REFRESH_INFO* pInfo, | |
[out] DWORD* pdwSvrRefrVersion | |
); | |
HRESULT AddObjectToRefresherByTemplate( | |
[in] _WBEM_REFRESHER_ID* pRefresherId, | |
[in] IWbemClassObject* pTemplate, | |
[in] long lFlags, | |
[in] IWbemContext* pContext, | |
[in] DWORD dwClientRefrVersion, | |
[out] _WBEM_REFRESH_INFO* pInfo, | |
[out] DWORD* pdwSvrRefrVersion | |
); | |
HRESULT AddEnumToRefresher( | |
[in] _WBEM_REFRESHER_ID* pRefresherId, | |
[in, string] LPCWSTR wszClass, | |
[in] long lFlags, | |
[in] IWbemContext* pContext, | |
[in] DWORD dwClientRefrVersion, | |
[out] _WBEM_REFRESH_INFO* pInfo, | |
[out] DWORD* pdwSvrRefrVersion | |
); | |
HRESULT RemoveObjectFromRefresher( | |
[in] _WBEM_REFRESHER_ID* pRefresherId, | |
[in] long lId, | |
[in] long lFlags, | |
[in] DWORD dwClientRefrVersion, | |
[out] DWORD* pdwSvrRefrVersion | |
); | |
HRESULT GetRemoteRefresher( | |
[in] _WBEM_REFRESHER_ID* pRefresherId, | |
[in] long lFlags, | |
[in] DWORD dwClientRefrVersion, | |
[out] IWbemRemoteRefresher** ppRemRefresher, | |
[out] GUID* pGuid, | |
[out] DWORD* pdwSvrRefrVersion | |
); | |
HRESULT ReconnectRemoteRefresher( | |
[in] _WBEM_REFRESHER_ID* pRefresherId, | |
[in] long lFlags, | |
[in] long lNumObjects, | |
[in] DWORD dwClientRefrVersion, | |
[in, size_is(lNumObjects)] | |
_WBEM_RECONNECT_INFO* apReconnectInfo, | |
[in, out, size_is(lNumObjects)] | |
_WBEM_RECONNECT_RESULTS* apReconnectResults, | |
[out] DWORD* pdwSvrRefrVersion | |
); | |
}; | |
[ | |
restricted, | |
object, | |
uuid(423EC01E-2E35-11d2-B604-00104B703EFD) | |
] | |
interface IWbemWCOSmartEnum : IUnknown | |
{ | |
HRESULT Next( | |
[in] REFGUID proxyGUID, | |
[in] long lTimeout, | |
[in] ULONG uCount, | |
[out] ULONG* puReturned, | |
[out] ULONG* pdwBuffSize, | |
[out, size_is(, *pdwBuffSize)] byte** pBuffer | |
); | |
}; | |
[ | |
restricted, | |
object, | |
uuid(1C1C45EE-4395-11d2-B60B-00104B703EFD) | |
] | |
interface IWbemFetchSmartEnum : IUnknown | |
{ | |
HRESULT GetSmartEnum( | |
[out] IWbemWCOSmartEnum** ppSmartEnum | |
); | |
}; | |
[ | |
restricted, | |
object, | |
uuid(d4781cd6-e5d3-44df-ad94-930efe48a887) | |
] | |
interface IWbemLoginClientID : IUnknown | |
{ | |
HRESULT SetClientInfo( | |
[in, unique, string] LPWSTR wszClientMachine, | |
[in] long lClientProcId, | |
[in] long lReserved | |
); | |
}; | |
[ | |
object, | |
restricted, | |
uuid(F309AD18-D86A-11d0-A075-00C04FB68820), | |
pointer_default(unique) | |
] | |
interface IWbemLevel1Login : IUnknown | |
{ | |
HRESULT EstablishPosition( | |
[in, unique, string] wchar_t* reserved1, | |
[in] DWORD reserved2, | |
[out] DWORD* LocaleVersion | |
); | |
HRESULT RequestChallenge( | |
[in, unique, string] wchar_t* reserved1, | |
[in, unique, string] wchar_t* reserved2, | |
[out, size_is(16), length_is(16)] unsigned char* reserved3 | |
); | |
HRESULT WBEMLogin( | |
[in, unique, string] wchar_t* reserved1, | |
[in, size_is(16), length_is(16), unique] | |
unsigned char* reserved2, | |
[in] long reserved3, | |
[in] IWbemContext* reserved4, | |
[out] IWbemServices** reserved5 | |
); | |
HRESULT NTLMLogin( | |
[in, unique, string] LPWSTR wszNetworkResource, | |
[in, unique, string] LPWSTR wszPreferredLocale, | |
[in] long lFlags, | |
[in] IWbemContext* pCtx, | |
[out] IWbemServices** ppNamespace | |
); | |
}; | |
[ | |
restricted, | |
object, | |
uuid(541679AB-2E5F-11d3-B34E-00104BCC4B4A) | |
] | |
interface IWbemLoginHelper : IUnknown | |
{ | |
HRESULT SetEvent( | |
[in] LPCSTR sEventToSet | |
); | |
}; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment