Basic intro to WMI and WQL queries

Posted on by

WMI is an important component of Windows OS and everyone knows about it so I won’t get into detail about what it is (read the linked wikipedia article if you want to know). I will focus on practical stuff instead which we come across more and more often.

I will begin by saying that nowadays lots of malware is using WMI – either to establish a stealthy persistence mechanism, or query various information from the system. This typically is done using WQL queries which are so popular that even a couple of typical OS commands are implemented as ‘processors’ simply interpreting results of many WQL queries instead of actually using old-school APIs.

A good example is a tasklist.exe. If you ever launched it from a command line and observed a slight delay before it returned the data it is because it has to ‘talk’ to WMI first and sometimes WMI initialization may take a while.

This particular program is actually a good example we can use to show what exactly happens when it ‘talks’ to WMI.

Have a look at the Tasklist.exe log below.

  • First WMI connects to the WMI server – the ‘root\cimv2’ is a namespace used by most WMI classes
  • Then it executes the WQL query
     SELECT 
        __PATH,
        ProcessId, 
        CSName, 
        Caption, 
        SessionId, 
        ThreadCount, 
        WorkingSetSize, 
        KernelModeTime, 
        UserModeTime  
     FROM 
        Win32_Process
  • Then the result returned by the query is processed using the IWbemClassObject::Get method
  • Finally, this obtained data is sent to the the console using a WriteConsoleW function

Apart from tasklist.exe, we can also find WQL in taskkill.exe.

Killing a process requires a different query, one that specifies f.ex. a name of the process:

     SELECT
        __PATH,
        ProcessId,
        CSName,
        Caption,
        SessionId,
        ThreadCount,
        WorkingSetSize,
        KernelModeTime,
        UserModeTime,
        ParentProcessId
     FROM
        Win32_Process
     WHERE
        (  Caption = "notepad.exe")

which is ran when we execute

taskkill.exe /im notepad.exe /f

The WMI is then queried for a method ‘Terminate’ which is supposed to kill the object. All of these queries are ran via COM so it’s a bit of a pain to analyze it, but once you get used to it it’s actually manageable (just a bit mundane).

Refer to a short Taskkill.exe log below.

As I mentioned above, malware often uses WQL queries and the most popular are listed below:

  • select * from antispywareproduct
  • select * from antivirusproduct
  • select * from firewallproduct
  • select * from win32_baseboard
  • select * from win32_bios where manufacturer like ‘%xen%’ or (smbiosbiosversion like ‘%vbox%’) or (smbiosbiosversion like ‘%bochs%’) or (smbiosbiosversion like ‘%qemu%’) or (smbiosbiosversion like ‘%virtualbox%’)
  • select * from win32_bios
  • select * from win32_cdromdrive
  • select * from win32_computersystem
  • select * from win32_computersystemproduct
  • select * from win32_diskdrive
  • select * from win32_networkadapter where (name like ‘%tap%’) and (not pnpdeviceid like ‘%*isatap%’) and (netenabled = true)
  • select * from win32_onboarddevice
  • select * from win32_operatingsystem
  • select * from win32_physicalmedia
  • select * from win32_processor
  • select * from win32_systemenclosure
  • select * from win32_useraccount
  • select * from win32_videocontroller
  • select name, executablepath from win32_process

There are many more which often focus on sandbox detection, but I may cover them in a separate post.

Taskkill.exe log

IWbemLocator::ConnectServer: ‘root\cimv2’
IWbemServices::ExecQuery: (‘SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE (  Caption = “notepad.exe”)’)
IWbemServices::GetObjectA: Win32_Process
IWbemClassObject::GetMethod: Terminate

Tasklist.exe log

WbemLocator::ConnectServer): 'root\cimv2'
IWbemServices::ExecQuery ('SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime  FROM Win32_Process')
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="0"
IWbemClassObject::Get: ProcessId=0
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=System Idle Process
IWbemClassObject::Get: ThreadCount=1
IWbemClassObject::Get: KernelModeTime=649121406250
IWbemClassObject::Get: UserModeTime=0
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=28672
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="4"
IWbemClassObject::Get: ProcessId=4
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=System
IWbemClassObject::Get: ThreadCount=48
IWbemClassObject::Get: KernelModeTime=103437500
IWbemClassObject::Get: UserModeTime=0
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=241664
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="412"
IWbemClassObject::Get: ProcessId=412
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=smss.exe
IWbemClassObject::Get: ThreadCount=3
IWbemClassObject::Get: KernelModeTime=156250
IWbemClassObject::Get: UserModeTime=156250
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=442368
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="628"
IWbemClassObject::Get: ProcessId=628
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=csrss.exe
IWbemClassObject::Get: ThreadCount=11
IWbemClassObject::Get: KernelModeTime=12343750
IWbemClassObject::Get: UserModeTime=5312500
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=4444160
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="720"
IWbemClassObject::Get: ProcessId=720
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=winlogon.exe
IWbemClassObject::Get: ThreadCount=17
IWbemClassObject::Get: KernelModeTime=15156250
IWbemClassObject::Get: UserModeTime=2343750
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=5029888
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="764"
IWbemClassObject::Get: ProcessId=764
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=services.exe
IWbemClassObject::Get: ThreadCount=15
IWbemClassObject::Get: KernelModeTime=8927500000
IWbemClassObject::Get: UserModeTime=901250000
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=3727360
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="776"
IWbemClassObject::Get: ProcessId=776
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=lsass.exe
IWbemClassObject::Get: ThreadCount=20
IWbemClassObject::Get: KernelModeTime=143437500
IWbemClassObject::Get: UserModeTime=28906250
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=1490944
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="932"
IWbemClassObject::Get: ProcessId=932
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=vmacthlp.exe
IWbemClassObject::Get: ThreadCount=1
IWbemClassObject::Get: KernelModeTime=0
IWbemClassObject::Get: UserModeTime=156250
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=2768896
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="948"
IWbemClassObject::Get: ProcessId=948
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=svchost.exe
IWbemClassObject::Get: ThreadCount=17
IWbemClassObject::Get: KernelModeTime=781250
IWbemClassObject::Get: UserModeTime=468750
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=5214208
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="1032"
IWbemClassObject::Get: ProcessId=1032
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=svchost.exe
IWbemClassObject::Get: ThreadCount=9
IWbemClassObject::Get: KernelModeTime=625000
IWbemClassObject::Get: UserModeTime=781250
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=4546560
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="1152"
IWbemClassObject::Get: ProcessId=1152
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=svchost.exe
IWbemClassObject::Get: ThreadCount=49
IWbemClassObject::Get: KernelModeTime=125937500
IWbemClassObject::Get: UserModeTime=50781250
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=17682432
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="1188"
IWbemClassObject::Get: ProcessId=1188
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=svchost.exe
IWbemClassObject::Get: ThreadCount=5
IWbemClassObject::Get: KernelModeTime=781250
IWbemClassObject::Get: UserModeTime=312500
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=3985408
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="1224"
IWbemClassObject::Get: ProcessId=1224
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=svchost.exe
IWbemClassObject::Get: ThreadCount=4
IWbemClassObject::Get: KernelModeTime=0
IWbemClassObject::Get: UserModeTime=156250
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=3346432
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="1396"
IWbemClassObject::Get: ProcessId=1396
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=spoolsv.exe
IWbemClassObject::Get: ThreadCount=11
IWbemClassObject::Get: KernelModeTime=625000
IWbemClassObject::Get: UserModeTime=156250
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=6545408
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="1776"
IWbemClassObject::Get: ProcessId=1776
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=explorer.exe
IWbemClassObject::Get: ThreadCount=10
IWbemClassObject::Get: KernelModeTime=21718750
IWbemClassObject::Get: UserModeTime=6093750
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=19316736
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="2008"
IWbemClassObject::Get: ProcessId=2008
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=vmtoolsd.exe
IWbemClassObject::Get: ThreadCount=5
IWbemClassObject::Get: KernelModeTime=17031250
IWbemClassObject::Get: UserModeTime=8593750
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=12140544
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="2024"
IWbemClassObject::Get: ProcessId=2024
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=ctfmon.exe
IWbemClassObject::Get: ThreadCount=1
IWbemClassObject::Get: KernelModeTime=156250
IWbemClassObject::Get: UserModeTime=312500
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=3600384
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="476"
IWbemClassObject::Get: ProcessId=476
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=PERSFW.exe
IWbemClassObject::Get: ThreadCount=6
IWbemClassObject::Get: KernelModeTime=2187500
IWbemClassObject::Get: UserModeTime=1093750
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=6897664
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="516"
IWbemClassObject::Get: ProcessId=516
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=vmtoolsd.exe
IWbemClassObject::Get: ThreadCount=7
IWbemClassObject::Get: KernelModeTime=124531250
IWbemClassObject::Get: UserModeTime=63281250
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=13619200
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="1472"
IWbemClassObject::Get: ProcessId=1472
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=TPAutoConnSvc.exe
IWbemClassObject::Get: ThreadCount=5
IWbemClassObject::Get: KernelModeTime=1093750
IWbemClassObject::Get: UserModeTime=468750
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=4669440
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="1796"
IWbemClassObject::Get: ProcessId=1796
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=TPAutoConnect.exe
IWbemClassObject::Get: ThreadCount=1
IWbemClassObject::Get: KernelModeTime=5312500
IWbemClassObject::Get: UserModeTime=2500000
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=5267456
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="2040"
IWbemClassObject::Get: ProcessId=2040
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=cmd.exe
IWbemClassObject::Get: ThreadCount=1
IWbemClassObject::Get: KernelModeTime=156250
IWbemClassObject::Get: UserModeTime=156250
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=2961408
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="588"
IWbemClassObject::Get: ProcessId=588
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=wmiprvse.exe
IWbemClassObject::Get: ThreadCount=7
IWbemClassObject::Get: KernelModeTime=0
IWbemClassObject::Get: UserModeTime=156250
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=6332416
IWbemClassObject::Get: __PATH=\\<hostname>\root\cimv2:Win32_Process.Handle="1592"
IWbemClassObject::Get: ProcessId=1592
IWbemClassObject::Get: CSName=<hostname>
IWbemClassObject::Get: Caption=tasklist.exe
IWbemClassObject::Get: ThreadCount=4
IWbemClassObject::Get: KernelModeTime=2031250
IWbemClassObject::Get: UserModeTime=2187500
IWbemClassObject::Get: SessionId=0
IWbemClassObject::Get: WorkingSetSize=5816320