Skip to main content

Detect Antivirus installed on Windows 7

In this article, I've tried to show how we can detect antivirus product installed on a Windows system. The code is written is specifically for Windows 7.

The basic idea here is to use WMI from C++. Here are the steps:

1. To Setup WMI consumer, set up COM by calling CoInitializeEx.

2. Initialized COM process security by calling CoInitializeSecurity.

3. Obtained the initial locator to WMI by calling CoCreateInstance.

4. Obtained a pointer to IWbemServices for the root\cimv2 namespace on the local computer by calling IWbemLocator::ConnectServer.

5. Set IWbemServices proxy security so the WMI service can impersonate the client by calling CoSetProxyBlanket.

6.Used the IWbemServices pointer to make requests of WMI. This executes a WQL query for the antivirus product installed by calling IWbemServices::ExecQuery.
The following WQL query is one of the method arguments.
SELECT * FROM AntiVirusProduct

The result of this query is stored in an IEnumWbemClassObject pointer. This allows the data objects from the query to be retrieved semi-synchronously with the IEnumWbemClassObject interface.

7.Get and display the data from the WQL query. The IEnumWbemClassObject pointer is linked to the data objects that the query returned, and the data objects can be retrieved with the IEnumWbemClassObject::Next method. This method links the data objects to an IWbemClassObject pointer that is passed into the method. Used IWbemClassObject::GetObjectText method to get the desired information from the data objects.

The following code reveals Antivirus installed on Windows 7:

#include
using namespace std;
#include
#include

#pragma comment(lib, "wbemuuid.lib")

int main(int iArgCnt, char ** argv)
{
    HRESULT hres;

    // Step 1: --------------------------------------------------
    // Initialize COM. ------------------------------------------

    hres =  CoInitializeEx(0, COINIT_MULTITHREADED);
    if (FAILED(hres))
    {
        cout << "Failed to initialize COM library. Error code = 0x"
             << hex << hres << endl;
        return 1;                  // Program has failed.
    }

    // Step 2: --------------------------------------------------
    // Set general COM security levels --------------------------
    // Note: If you are using Windows 2000, you must specify -
    // the default authentication credentials for a user by using
    // a SOLE_AUTHENTICATION_LIST structure in the pAuthList ----
    // parameter of CoInitializeSecurity ------------------------

    hres =  CoInitializeSecurity(
        NULL,
        -1,                          // COM negotiates service
        NULL,                        // Authentication services
        NULL,                        // Reserved
        RPC_C_AUTHN_LEVEL_DEFAULT,   // Default authentication
        RPC_C_IMP_LEVEL_IMPERSONATE, // Default Impersonation 
        NULL,                        // Authentication info
        EOAC_NONE,                   // Additional capabilities
        NULL                         // Reserved
        );

                     
    if (FAILED(hres))
    {
        cout << "Failed to initialize security. Error code = 0x"
             << hex << hres << endl;
        CoUninitialize();
        return 1;                      // Program has failed.
    }
   
    // Step 3: ---------------------------------------------------
    // Obtain the initial locator to WMI -------------------------

    IWbemLocator *pLoc = NULL;

    hres = CoCreateInstance(
        CLSID_WbemLocator,            
        0,
        CLSCTX_INPROC_SERVER,
        IID_IWbemLocator, (LPVOID *) &pLoc);

    if (FAILED(hres))
    {
        cout << "Failed to create IWbemLocator object. "<< "Err code = 0x" << hex << hres << endl;
        CoUninitialize();
        return 1;
    }

    // Step 4: ---------------------------------------------------
    // Connect to WMI through the IWbemLocator::ConnectServer method

    IWbemServices *pSvc = NULL;
   
    // Connect to the local root\SecurityCenter namespace
    // Please change the root\\SecurityCenter to root\\SecurityCenter2 on Windows 7
    // and obtain pointer pSvc to make IWbemServices calls.
    hres = pLoc->ConnectServer(
        _bstr_t(L"root\\SecurityCenter2"),
        NULL, NULL, 0, NULL, 0, 0, &pSvc
    );
       
    if (FAILED(hres))
    {
        cout << "Could not connect. Error code = 0x" << hex << hres << endl;
        pLoc->Release();    
        CoUninitialize();
        return 1;                // Program has failed.
    }

    cout << "Connected to ROOT\\SecurityCenter2 WMI namespace" << endl;

    hres = CoSetProxyBlanket(
       pSvc,                                                  // Indicates the proxy to set
       RPC_C_AUTHN_WINNT,             // RPC_C_AUTHN_xxx
       RPC_C_AUTHZ_NONE,                // RPC_C_AUTHZ_xxx
       NULL,                                                // Server principal name
       RPC_C_AUTHN_LEVEL_CALL,  // RPC_C_AUTHN_LEVEL_xxx
       RPC_C_IMP_LEVEL_IMPERSONATE, // RPC_C_IMP_LEVEL_xxx
       NULL,                                                // client identity
       EOAC_NONE                                  // proxy capabilities
    );

    if (FAILED(hres))
    {
        cout << "Could not set proxy blanket. Error code = 0x"
            << hex << hres << endl;
        pSvc->Release();
        pLoc->Release();    
        CoUninitialize();
        return 1;               // Program has failed.
    }

    // Step 5: ---------------------------------------------------
    // Query Security Centre for Antivirus Prodict installed------
   
    IEnumWbemClassObject *pEnumerator;

    hres = pSvc->ExecQuery(L"WQL", L"SELECT * FROM AntiVirusProduct",
        WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY,
        NULL, &pEnumerator );

    if (FAILED(hres))
    {
        cout << "Query for operating system name failed."
            << " Error code = 0x" << hex << hres << endl;

        pSvc->Release();
        pLoc->Release();
        CoUninitialize();
        return 1;               // Program has failed.
    }

    ULONG retcnt = 0;
    IWbemClassObject *pAntivirus;
    while(pEnumerator)
    {
        HRESULT hr = pEnumerator->Next( WBEM_INFINITE, 1L, &pAntivirus, &retcnt );

        if(0 == retcnt)
        {
            break;
        }

        BSTR objText;
        pAntivirus->GetObjectText(0, &objText);
        _bstr_t bstrStr(objText);

        LPCSTR str = bstrStr;
        cout << str << endl;

        ::SysFreeString(bstrStr);
    }
   
    pSvc->Release();
    pLoc->Release();
    pEnumerator->Release();
    pAntivirus->Release();
    CoUninitialize();
    return 0;
}

The output:

Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/aa390423(v=vs.85).aspx

Labels:

Comments

Post a Comment

Popular posts from this blog

Variadic template class to add numbers recursively during compilation

 The idea of having a class to add numbers (variable parameters) during compilation time recursively. Also wanted to restrict types to a single type while sending parameters to class member function. That said, if we mix int, float and double types to add function shall result in compilation error. How do we achieve this. The below is the code which actually helps to achieve this: <code> #include < fmt/format.h > template < typename T> class MyVarSumClass{     private :         T _sum = 0 ;     public :         template < typename ... TRest>         T add(T num, TRest... nums){             static_assert (std::conjunction<std::is_same<TRest, T>...>{}); /* Assert fails                if types are different */             _sum += num;             return add(nums...); // Next parameter packs gets picked recursively         }         // Base case         T add(T num){             _sum += num;             return _sum;         } }; int main() {     My
Post a Comment
Read more

A simple approach to generate Fibonacci series via multi-threading

T his is a very simple approach taken to generate the Fibonacci series through multithreading. Here instead of a function, used a function object. The code is very simple and self-explanatory.  #include <iostream> #include <mutex> #include <thread> class Fib { public:     Fib() : _num0(1), _num1(1) {}     unsigned long operator()(); private:     unsigned long _num0, _num1;     std::mutex mu; }; unsigned long Fib::operator()() {     mu.lock(); // critical section, exclusive access to the below code by locking the mutex     unsigned long  temp = _num0;     _num0 = _num1;     _num1 = temp + _num0;     mu.unlock();     return temp; } int main() {     Fib f;          int i = 0;     unsigned long res = 0, res2= 0, res3 = 0;     std::cout << "Fibonacci series: ";     while (i <= 15) {         std::thread t1([&] { res = f(); }); // Capturing result to respective variable via lambda         std::thread t2([&] { res2 = f(); });         std::thread t3(
Post a Comment
Read more

A concept to a product (Kimidori [ 黄緑]) - Part 2

In the previous part , we have seen KIMIDORI [ 黄緑] detect if a URL is malicious. In this part, we will see the details that KIMIDORI [ 黄緑] fetches out of the URL provided. As an example, provided a safe URL, https://www.azuresys.com/, and let's see what it brings out: As we can see, the link is safe and the link is active, which means we can just click on the link to open it on IE.  Now it's time to look into the URL report (still under development):  We have URLs IP, Location, and HTTP Status code. The Report part is a sliding window, the Show Report button shows as well as hides the report. Show / Hide Report is a toggle button. Let's see if we get the same details for any bad (phishing / malicious) URL: Took an URL example from a phishing link and tested it. The tool detected it as not a good link (Screen Shot Below) & link does not activate unlike a safe URL: Now let's see the report part for more details including domain registration details: It looks like it&
Post a Comment
Read more