上回MASM32编程使用了Windows系统提供的API函数:NetScheduleJobEnum()来枚举Windows计划任务(详见 MASM32编程枚举Windows计划任务,http://blog.csdn.net/Purpleendurer/archive/2009/11/05/4774148.aspx),这次通过WMI来实现。
需要注意的是:不管是通过WMI,还是使用API函数NetScheduleJobEnum(),都只能枚举使用Win32_ScheduledJob类别或At.exe实用程序创建的计划任务。
所以 pe_xscan 在扫描计划任务时使用的是另外一种方法:-D
完整的代码如下:
(源代码+EXE下载:
1、http://download.csdn.net/source/2260122
2、http://purpleendurer.ys168.com)
;<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
;文件名:WmiScheduleJob.asm(控制台程序)
;功能:通过WMI获取计划任务
;注意:通过WMI只能枚举使用Win32_ScheduledJob类别
;或At.exe实用程序创建的计划任务。
;开发环境:WinXPPROSP3+MASM32v8
;作者:PurpleEndurer,2010-04-19,广西河池
;
;log
;--------------------------------------------------
;2010-04-18完成
;2010-04-09开始编写
;<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
.586                            ; Pentium instruction set
.MODEL FLAT, STDCALL            ; 32-bit flat model; procs use the STDCALL convention
OPTION CASEMAP:NONE             ; identifiers are case sensitive
INCLUDE     \masm32\include\windows.inc
INCLUDE     \masm32\include\kernel32.inc
INCLUDELIB  \masm32\lib\kernel32.lib
INCLUDE     \masm32\include\ole32.inc
INCLUDELIB  \masm32\lib\ole32.lib
INCLUDE     \masm32\include\oleaut32.inc
INCLUDELIB  \masm32\lib\oleaut32.lib
INCLUDE     \masm32\include\user32.inc
INCLUDELIB  \masm32\lib\user32.lib
INCLUDE     \masm32\include\masm32.inc
INCLUDELIB  \masm32\lib\masm32.lib
EnumScheduleJob proto           ; forward declaration: 'start' invokes it before it is defined
;ssssssssssssssssssssssss
;.const
;ssssssssssssssssssssssss
EOAC_NONE                   EQU 0       ; CoInitializeSecurity: no extra capabilities
COINIT_MULTITHREADED        equ 00h     ; CoInitializeEx: multithreaded apartment
; located in RpcDce.h
RPC_C_AUTHN_LEVEL_DEFAULT   EQU 0
RPC_C_IMP_LEVEL_DEFAULT     EQU 0       ; declared but not used below
RPC_C_IMP_LEVEL_IMPERSONATE EQU 3       ; impersonation level WMI needs for local queries
; 16-byte GUID layout (Data1, Data2, Data3, Data4[8]) used for the IIDs and the CLSID in .DATA
GUID2 STRUC
    dd1 DWORD ?
    dw1 WORD ?
    dw2 WORD ?
    db1 BYTE ?
    db2 BYTE ?
    db3 BYTE ?
    db4 BYTE ?
    db5 BYTE ?
    db6 BYTE ?
    db7 BYTE ?
    db8 BYTE ?
GUID2 ENDS
; Holder for an IWbemLocator* (one DWORD: the pointer CoCreateInstance writes)
IWbemLocator STRUCT
    lpVtbl DWORD ?
IWbemLocator ENDS
; IWbemLocator vtable: the three IUnknown slots followed by ConnectServer
IWbemLocatorVtbl STRUCT
    QueryInterface DWORD ?
    AddRef         DWORD ?
    Release        DWORD ?
    ConnectServer  DWORD ?
IWbemLocatorVtbl ENDS
; Holder for an IWbemServices* (written by IWbemLocator::ConnectServer)
IWbemServices STRUCT
    lpVtbl DWORD ?
IWbemServices ENDS
; IWbemServices vtable in declaration order; only ExecQuery is used by this program
IWbemServicesVtbl STRUCT
    QueryInterface             DWORD ?
    AddRef                     DWORD ?
    Release                    DWORD ?
    OpenNamespace              DWORD ?
    CancelAsyncCall            DWORD ?
    QueryObjectSink            DWORD ?
    GetObject                  DWORD ?
    GetObjectAsync             DWORD ?
    PutClass                   DWORD ?
    PutClassAsync              DWORD ?
    DeleteClass                DWORD ?
    DeleteClassAsync           DWORD ?
    CreateClassEnum            DWORD ?
    CreateClassEnumAsync       DWORD ?
    PutInstance                DWORD ?
    PutInstanceAsync           DWORD ?
    DeleteInstance             DWORD ?
    DeleteInstanceAsync        DWORD ?
    CreateInstanceEnum         DWORD ?
    CreateInstanceEnumAsync    DWORD ?
    ExecQuery                  DWORD ?
    ExecQueryAsync             DWORD ?
    ExecNotificationQuery      DWORD ?
    ExecNotificationQueryAsync DWORD ?
    ExecMethod                 DWORD ?
    ExecMethodAsync            DWORD ?
IWbemServicesVtbl ENDS
; Holder for an IEnumWbemClassObject* (written by IWbemServices::ExecQuery)
IEnumWbemClassObject STRUCT
    lpVtbl DWORD ?
IEnumWbemClassObject ENDS
; IEnumWbemClassObject vtable; only Next is used by this program
IEnumWbemClassObjectVtbl STRUCT
    QueryInterface DWORD ?
    AddRef         DWORD ?
    Release        DWORD ?
    Reset          DWORD ?
    Next           DWORD ?
    NextAsync      DWORD ?
    Clone          DWORD ?
    Skip           DWORD ?
IEnumWbemClassObjectVtbl ENDS
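; Holder for an IWbemClassObject* (the current row, written by IEnumWbemClassObject::Next)
IWbemClassObject STRUCT
    lpVtbl DWORD ?
IWbemClassObject ENDS
; IWbemClassObject vtable in declaration order. The Clone slot between
; GetPropertyQualifierSet and GetObjectText was missing, which shifted every
; later slot by one; Get (the only slot this program calls) sits before it
; and was unaffected.
IWbemClassObjectVtbl STRUCT
    QueryInterface          DWORD ?
    AddRef                  DWORD ?
    Release                 DWORD ?
    GetQualifierSet         DWORD ?
    Get                     DWORD ?
    Put                     DWORD ?
    Delete                  DWORD ?
    GetNames                DWORD ?
    BeginEnumeration        DWORD ?
    Next                    DWORD ?
    EndEnumeration          DWORD ?
    GetPropertyQualifierSet DWORD ?
    Clone                   DWORD ?     ; slot 12 of the real interface
    GetObjectText           DWORD ?
    SpawnDerivedClass       DWORD ?
    SpawnInstance           DWORD ?
    CompareTo               DWORD ?
    GetPropertyOrigin       DWORD ?
    InheritsFrom            DWORD ?
    GetMethod               DWORD ?
    PutMethod               DWORD ?
    DeleteMethod            DWORD ?
    BeginMethodEnumeration  DWORD ?
    NextMethod              DWORD ?
    EndMethodEnumeration    DWORD ?
    GetMethodQualifierSet   DWORD ?
    GetMethodOrigin         DWORD ?
IWbemClassObjectVtbl ENDS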
;ssssssssssssssssssssssss
.DATA
;ssssssssssssssssssssssss
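g_wszNameSpace      word "r","o","o","t","\","c","i","m","v","2",0      ; L"root\cimv2"
g_wszQueryLanguage  word "W","Q","L",0                                   ; L"WQL"
WBEM_FLAG_CONNECT_USE_MAX_WAIT  EQU 80h
WBEM_FLAG_FORWARD_ONLY          EQU 20h
WBEM_FLAG_RETURN_IMMEDIATELY    EQU 10h
WBEM_INFINITE                   EQU -1
WBEM_E_INVALID_QUERY            EQU 80041017h   ; declared but not tested below
WBEM_E_INVALID_QUERY_TYPE       EQU 80041018h   ; declared but not tested below
IID_IWbemLocator          GUID2 <0dc12a687h,0737fh,011cfh,088h,04dh,000h,0aah,000h,04bh,02eh,024h>
IID_IEnumWbemClassObject  GUID2 <027947e1h,0d731h,011ceh,0a3h,057h,000h,000h,000h,000h,000h,001h>
IID_IWbemClassObject      GUID2 <0dc12a681h,0737fh,011cfh,088h,04dh,000h,0aah,000h,04bh,02eh,024h>
; located in WbemProv.h
CLSID_WbemAdministrativeLocator GUID2 <0cb8555cch,09128h,011d1h,0adh,09bh,000h,0c0h,04fh,0d8h,0fdh,0ffh>
locator     IWbemLocator <>             ; IWbemLocator*, written by CoCreateInstance
service     IWbemServices <>            ; IWbemServices*, written by ConnectServer
enumerator  IEnumWbemClassObject <>     ; IEnumWbemClassObject*, written by ExecQuery
processor   IWbemClassObject <>         ; IWbemClassObject* of the current row, written by Next
retCount    DWORD ?                     ; number of objects returned by Next
var_val     DWORD ?                     ; 16-byte VARIANT filled by IWbemClassObject::Get;
            DWORD ?                     ;   the value union (lVal / bstrVal) is read at
            DWORD ?                     ;   var_val+8 by writeWmiStr
            DWORD ?
g_szAppInfo db "通过WMI获取计划任务信息",0dh,0ah
            db "作者:PurpleEndurer,2010-04-19,广西河池",0dh,0ah,0
; WQL query text. The first string deliberately has no terminator and runs
; straight into the class-name string that follows it in memory, so the two
; together read L"SELECT * FROM Win32_ScheduledJob". The spaces inside the
; literal are required: the page's copy had lost them (""), which is not a
; valid WQL query.
g_wszSelectWin32_ScheduledJob WORD "S","E","L","E","C","T"," ","*"," ","F","R","O","M"," "
g_wszWin32_ScheduledJob       WORD "W","i","n","3","2","_","S","c","h","e","d","u","l","e","d","J","o","b",0
; Output labels (ANSI) and the matching property names (wide) passed to Get
g_szJobID       db 0dh,0ah,"JobID:",0
g_wszJobID      word "J","o","b","I","D",0
g_szCommand     db "Command:",0
g_wszCommand    word "C","o","m","m","a","n","d",0
g_szJobStatus   db "JobStatus:",0       ; e.g. Success
g_wszJobStatus  word "J","o","b","S","t","a","t","u","s",0
g_szStartTime   db "StartTime:",0       ; e.g. ********215000.000000+480
; The eight leading asterisks are a WMIC convention: the time is written as
; YYYYMMDDHHMMSS.MMMMMM+timezone, and since the job does not need a specific
; year/month/day those fields are shown as *.
g_wszStartTime  word "S","t","a","r","t","T","i","m","e",0
g_szPerSCr      db "%S"                 ; no terminator: falls through into g_szCrLf -> "%S\r\n"
g_szCrLf        db 0dh,0ah,0
g_szPerXCr      db "%x",0dh,0ah,0       ; JobID is printed in hexadecimal
g_szFail        db "Fail",0dh,0ah,0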
;ssssssssssssssssssssssss
.CODE
;ssssssssssssssssssssssss
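; Entry point: initialise COM, create the WMI locator, enumerate the jobs,
; release the locator and shut COM down. The original did not check
; CoCreateInstance, so a failure left 'locator' NULL and the first vtable
; call in wmiConnectServer dereferenced it.
start:
    invoke  CoInitializeEx, NULL, COINIT_MULTITHREADED
    test    eax, eax
    js      @start_Exit                 ; FAILED(hr): nothing to uninitialise
    ; Return value not checked (as before); a problem here surfaces later as a failing WMI call.
    invoke  CoInitializeSecurity, NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, \
            RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL
    invoke  StdOut, ADDR g_szAppInfo
    invoke  CoCreateInstance, ADDR CLSID_WbemAdministrativeLocator, NULL, \
            CLSCTX_INPROC_SERVER, ADDR IID_IWbemLocator, ADDR locator
    test    eax, eax
    jnz     @start_NoLocator            ; 'locator' is NULL: must not be dereferenced
    invoke  EnumScheduleJob
    mov     eax, locator                ; IUnknown::Release on the locator
    mov     ecx, [eax]
    push    eax
    call    DWORD PTR [ecx][IWbemLocatorVtbl.Release]
    jmp     @start_Uninit
@start_NoLocator:
    invoke  StdOut, ADDR g_szFail
@start_Uninit:
    invoke  CoUninitialize
@start_Exit:
    invoke  ExitProcess, 0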
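;======================================================
; wmiConnectServer: IWbemLocator::ConnectServer on the global 'locator',
; connecting to root\cimv2 under the caller's security context and storing
; the IWbemServices pointer in 'service'.
; Returns: HRESULT in eax (0 = S_OK); E_POINTER when 'locator' is NULL.
; Uses only eax/ecx; the original clobbered esi (callee-saved) via lodsd.
; NOTE(review): a plain wide string is passed where the interface declares a
; BSTR; this works for the in-process call but SysAllocString would be strict.
;======================================================
wmiConnectServer proc
    mov     eax, locator                    ; this (NULL if CoCreateInstance failed)
    test    eax, eax
    jz      @wmiConnectServerNoObj
    mov     ecx, [eax]                      ; lpVtbl
    push    OFFSET service                  ; ppNamespace
    push    NULL                            ; pCtx
    push    NULL                            ; strAuthority
    push    WBEM_FLAG_CONNECT_USE_MAX_WAIT  ; lSecurityFlags
    push    NULL                            ; strLocale
    push    NULL                            ; strPassword
    push    NULL                            ; strUser
    push    OFFSET g_wszNameSpace           ; strNetworkResource
    push    eax                             ; this
    call    DWORD PTR [ecx][IWbemLocatorVtbl.ConnectServer]
    ret
@wmiConnectServerNoObj:
    mov     eax, 80004003h                  ; E_POINTER
    ret
wmiConnectServer endp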
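;======================================================
; wmiExecQuery: IWbemServices::ExecQuery on the global 'service'.
;   lpwszSQL - wide WQL query text
; Stores the result enumerator in 'enumerator'.
; Returns: HRESULT in eax (0 = S_OK); E_POINTER when 'service' is NULL.
; Uses only eax/ecx; the original clobbered esi (callee-saved) via lodsd.
;======================================================
wmiExecQuery proc lpwszSQL:LPWSTR
    mov     eax, service                    ; this (NULL if ConnectServer failed)
    test    eax, eax
    jz      @wmiExecQueryNoObj
    mov     ecx, [eax]                      ; lpVtbl
    push    OFFSET enumerator               ; ppEnum
    push    NULL                            ; pCtx
    push    WBEM_FLAG_FORWARD_ONLY or WBEM_FLAG_RETURN_IMMEDIATELY   ; lFlags
    push    lpwszSQL                        ; strQuery
    push    OFFSET g_wszQueryLanguage       ; strQueryLanguage (L"WQL")
    push    eax                             ; this
    call    DWORD PTR [ecx][IWbemServicesVtbl.ExecQuery]
    ret
@wmiExecQueryNoObj:
    mov     eax, 80004003h                  ; E_POINTER
    ret
wmiExecQuery endp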
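;======================================================
; wmiNext: IEnumWbemClassObject::Next on the global 'enumerator', fetching
; one object into 'processor' with an infinite timeout; 'retCount' receives
; the number of objects actually returned.
; Returns: HRESULT in eax (0 = S_OK, 1 = WBEM_S_FALSE at end of enumeration);
; E_POINTER when 'enumerator' is NULL.
; Uses only eax/ecx; the original clobbered esi (callee-saved) via lodsd.
;======================================================
wmiNext proc
    mov     eax, enumerator                 ; this (NULL if ExecQuery failed)
    test    eax, eax
    jz      @wmiNextNoObj
    mov     ecx, [eax]                      ; lpVtbl
    push    OFFSET retCount                 ; puReturned
    push    OFFSET processor                ; apObjects
    push    TRUE                            ; uCount = 1
    push    WBEM_INFINITE                   ; lTimeout
    push    eax                             ; this
    call    DWORD PTR [ecx][IEnumWbemClassObjectVtbl.Next]
    ret
@wmiNextNoObj:
    mov     eax, 80004003h                  ; E_POINTER
    ret
wmiNext endp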
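;======================================================
; wmiGet: IWbemClassObject::Get on the global 'processor'.
;   lpwszItem - wide property name
; The property value is written to the VARIANT at 'var_val'.
; Returns: HRESULT in eax (0 = S_OK); E_POINTER when 'processor' is NULL.
; Uses only eax/ecx; the original clobbered esi (callee-saved) via lodsd.
;======================================================
wmiGet proc lpwszItem:LPWSTR
    mov     eax, processor                  ; this (NULL before the first Next)
    test    eax, eax
    jz      @wmiGetNoObj
    mov     ecx, [eax]                      ; lpVtbl
    push    NULL                            ; plFlavor
    push    NULL                            ; pType
    push    OFFSET var_val                  ; pVal
    push    0                               ; lFlags
    push    lpwszItem                       ; wszName
    push    eax                             ; this
    call    DWORD PTR [ecx][IWbemClassObjectVtbl.Get]
    ret
@wmiGetNoObj:
    mov     eax, 80004003h                  ; E_POINTER
    ret
wmiGet endp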
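;======================================================
; writeWmiStr: prints a label, then the named property of the current object
; formatted with lpszFmt, or "Fail" when Get reports an error.
;   lpszItem  - ANSI label written first
;   lpwszItem - wide property name passed to wmiGet
;   lpszFmt   - wsprintf format consuming the VARIANT's value union
;               ("%S" for a BSTR, "%x" for a 32-bit value)
; The buffer is 1024 bytes because wsprintf has no length argument and can
; write up to 1024 characters; the original 256-byte buffer overflowed the
; stack frame for any Command value longer than about 250 characters.
; The VARIANT is cleared after use so BSTR values are not leaked per row.
;======================================================
writeWmiStr proc lpszItem:LPSTR, lpwszItem:LPWSTR, lpszFmt:LPSTR
    LOCAL szbuf[1024]:byte                  ; wsprintf's maximum output size
    invoke  StdOut, lpszItem
    invoke  wmiGet, lpwszItem
    test    eax, eax
    .if ZERO?
        invoke  wsprintf, ADDR szbuf, lpszFmt, [var_val+8]   ; value union at +8
        invoke  StdOut, ADDR szbuf
        invoke  VariantClear, OFFSET var_val ; frees a BSTR value; no-op for VT_I4
    .else
        invoke  StdOut, ADDR g_szFail
    .endif
    ret
writeWmiStr endp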
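;======================================================
; wmiRelease: IUnknown::Release on the interface pointer held in the DWORD
; at lppUnk, then zeroes that DWORD; a NULL pointer is ignored.
;   lppUnk - address of a locator/service/enumerator/processor variable
; Clobbers eax/ecx (eax holds Release's reference count on return).
;======================================================
wmiRelease proc lppUnk:DWORD
    mov     ecx, lppUnk
    mov     eax, [ecx]                      ; interface pointer
    test    eax, eax
    jz      @wmiReleaseDone
    mov     DWORD PTR [ecx], 0              ; never release the same pointer twice
    mov     ecx, [eax]                      ; lpVtbl
    push    eax                             ; this
    call    DWORD PTR [ecx][IWbemLocatorVtbl.Release]   ; Release is slot 2 in every vtable
@wmiReleaseDone:
    ret
wmiRelease endp
;======================================================
; EnumScheduleJob: connects to WMI, runs the Win32_ScheduledJob query and
; prints JobID, Command, JobStatus and StartTime for every returned object.
; Returns: HRESULT of the call that ended the enumeration in eax
; (WBEM_S_FALSE = 1 when all rows were read).
; Fixes against the original: each row object is released after use (the
; original leaked one IWbemClassObject per row), the enumerator and the
; service are released on every exit path, and a Next that returns S_OK
; with retCount == 0 ends the loop instead of reading a stale object.
;======================================================
EnumScheduleJob proc
    LOCAL hr:DWORD
    invoke  wmiConnectServer
    mov     hr, eax
    test    eax, eax
    jnz     @EnumScheduleJobRet
    invoke  wmiExecQuery, OFFSET g_wszSelectWin32_ScheduledJob
    mov     hr, eax
    test    eax, eax
    jnz     @EnumScheduleJobRelService
@EnumScheduleJobNext1:
    invoke  wmiNext
    mov     hr, eax
    test    eax, eax                        ; anything but S_OK ends the loop
    jnz     @EnumScheduleJobRelEnum
    cmp     retCount, 0
    je      @EnumScheduleJobRelEnum
    invoke  writeWmiStr, ADDR g_szJobID,     ADDR g_wszJobID,     ADDR g_szPerXCr
    invoke  writeWmiStr, ADDR g_szCommand,   ADDR g_wszCommand,   ADDR g_szPerSCr
    invoke  writeWmiStr, ADDR g_szJobStatus, ADDR g_wszJobStatus, ADDR g_szPerSCr
    invoke  writeWmiStr, ADDR g_szStartTime, ADDR g_wszStartTime, ADDR g_szPerSCr
    invoke  wmiRelease, OFFSET processor    ; done with this row
    jmp     @EnumScheduleJobNext1
@EnumScheduleJobRelEnum:
    invoke  wmiRelease, OFFSET enumerator
@EnumScheduleJobRelService:
    invoke  wmiRelease, OFFSET service
@EnumScheduleJobRet:
    mov     eax, hr
    ret
EnumScheduleJob endp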
ENDstart