IWbemServices_ExecMethod api can not be monitored in win7

[qux-bbb]

I make a doc, it calls powershell.exe to do something.
When I submit it to windows XP, the IWbemServices_ExecMethod api can be monitored like this:

{
    "category": "misc",
    "status": 1,
    "stacktrace": [],
    "pid": 1924,
    "api": "IWbemServices_ExecMethod",
    "return_value": 0,
    "arguments": {
        "inargs": {
            "CurrentDirectory": null,
            "CommandLine": "powershell -w hidden -enco IldvcmxkISIgfCBPdXQtRmlsZSBoZWxsby50eHQ=",
            "ProcessStartupInformation": {
                "YSize": null,
                "FillAttribute": null,
                "CreateFlags": null,
                "Title": null,
                "XCountChars": null,
                "EnvironmentVariables": null,
                "X": null,
                "XSize": null,
                "YCountChars": null,
                "ErrorMode": 0,
                "WinstationDesktop": null,
                "Y": null,
                "ShowWindow": null,
                "PriorityClass": null
            }
        },
        "method": "Create",
        "flags": 0,
        "outargs": {
            "ProcessId": 2004,
            "ReturnValue": 0
        },
        "class": "Win32_Process"
    },
    "time": 1578377503.109427,
    "tid": 1928,
    "flags": {},
    "uniqhash": 0,
    "type": "apicall"
},

But IWbemServices_ExecMethod can not be monitored in windows 7.

If you monitor it by apimonitor in windows 7, it can be monitored. Like this,

Maybe monitor has an error.

Here is the file:
test_vb_powershell.zip

Dont worry, that is just a clean file for test.

[doomedraven]

here is the hook if you want to try to fix it https://github.com/cuckoosandbox/monitor/blob/7c5854fae12e1f01f56eab2db4008148c790cc7a/sigs/wmi.rst#iwbemservices_execmethod

[qux-bbb]

I compiled a debug version of monitor and resubmitted the sample. In windows xp, I can find this record:

...
Entered IWbemServices_ExecMethod
...
Leaving IWbemServices_ExecMethod
...

That is normal. But it can not be found in windows 7.
I do not known whether the problem is in wmi.rst's hook. I will try to find the key point.

[baxitaurus]

WMI hooks are explicitly enabled by the CoCreateInstance hook when this api is called passing a CLSID related to the WbemLocator object. Take a look to:

sigs/ole.rst

**CoCreateInstance

Parameters:

** REFCLSID rclsid clsid
*  LPUNKNOWN pUnkOuter
** DWORD dwClsContext class_context
** REFIID riid iid
*  LPVOID *ppv

Interesting:

b sizeof(CLSID), rclsid
i class_context
b sizeof(IID), riid

Post:

ole_enable_hooks(rclsid);

and

src/wmi.c

static CLSID our_CLSID_WbemAdministrativeLocator = {
    0xcb8555cc, 0x9128, 0x11d1, {0xad,0x9b, 0x00,0xc0,0x4f,0xd8,0xfd,0xff},
};

static CLSID our_CLSID_WbemLocator = {
    0x4590f811, 0x1d3a, 0x11d0, {0x89,0x1f, 0x00,0xaa,0x00,0x4b,0x2e,0x24},
};

[...]

void ole_enable_hooks(REFCLSID clsid)
{
    if(memcmp(clsid, &our_CLSID_WbemLocator, sizeof(CLSID)) == 0) {
        hook_library("__wmi__", NULL);
    }

    if(memcmp(clsid, &our_CLSID_WbemAdministrativeLocator,
            sizeof(CLSID)) == 0) {
        hook_library("__wmi__", NULL);
    }
}

The execution flow is:

1. CoCreateInstance(clsid) called and hooked
2. In the Post:: section of the hook you'll find the call ole_enable_hooks(clsid)
3. ole_enabled_hooks compares the clsid argument with the interesting ones
4. Enable __wmi__ hooks if the target clsid is interesting

If you're not finding the IWbemServices_ExecMethod calls you should:

• Ensure that the IWbemLocator related CLSIDs are correct (check the reg key HKCR/WbemScripting.SWbemLocator/CLSID in your VM)
• Ensure that the CoCreateInstance is marked as special in its Signature:: section
• Ensure that the WMI related hooks are marked as special too

The reason for the special marking of the above hooks is that if you're running Office 2010 the call chain should be:

1. vbe6_Invoke
2. CoCreateInstance
3. IWbemServices_ExecMethod

2 and 3 are likely happening as a result of the first call, so if you don't mark them as special the monitor won't hook.
About Special marking the doc says:

Special:

    Mark this API signature as special. Special API signatures are always executed, also when the monitor is already inside another hook. E.g., when executing the system() function we still want to follow the CreateProcessInternalW() function calls in order to catch the process identifier(s) of the child process(es), allowing the monitor to inject into said child process(es).

[qux-bbb]

@baxitaurus Thanks.
This value is for Windows XP:

static CLSID our_CLSID_WbemLocator = {
    0x4590f811, 0x1d3a, 0x11d0, {0x89,0x1f, 0x00,0xaa,0x00,0x4b,0x2e,0x24},
};

In Windows 7 x64, It should be:

static CLSID our_CLSID_WbemLocator = {
    0x76A64158, 0xCB41, 0x11D1, 0x8B02, {0x8B, 0x02, 0x00, 0x60, 0x08, 0x06, 0xD9, 0xB6},
};

I try to change the win7's reg item value to xp's: {76A64158-CB41-11D1-8B02-00600806D9B6} to {4590F811-1D3A-11D0-891F-00AA004B2E24}, but it shows:

Error editing value
Unable to edit: An error occurred while writing the contents of the value

However I'm already an administrator. I'm stuck here.