C# 从C“returns”调用AuditQuerySystemPolicy()(advapi32.dll);参数不正确";
顺序如下:C# 从C“returns”调用AuditQuerySystemPolicy()(advapi32.dll);参数不正确";,c#,marshalling,unsafe,advapi32,lsa,C#,Marshalling,Unsafe,Advapi32,Lsa,顺序如下: 使用打开策略句柄(未显示) 调用以获取类别的数量 对于每个类别: 调用将枚举值转换为GUID 调用以获取所有子类别的GUID列表 调用以获取子类别的审核策略 所有这些都会工作并返回预期的、合理的值,但最后一个除外。调用AuditQuerySystemPolicy()会得到一个“参数不正确”错误。我想一定有一些微妙的解封问题。我可能误解了AuditEnumerateSubCategories()返回的确切内容,但我被难住了 您将看到(注释)我试图将返回指针作为指针从AuditE
- 使用打开策略句柄(未显示)
- 调用以获取类别的数量李>
- 对于每个类别:
- 调用将枚举值转换为GUID李>
- 调用以获取所有子类别的GUID列表李>
- 调用以获取子类别的审核策略
AuditQuerySystemPolicy()
会得到一个“参数不正确”错误。我想一定有一些微妙的解封问题。我可能误解了AuditEnumerateSubCategories()
返回的确切内容,但我被难住了
您将看到(注释)我试图将返回指针作为指针从AuditEnumerateSubCategories()
取消引用。这样做或不这样做都会得到相同的结果
代码:
#区域LSA类型
公共枚举策略\u信息\u类
{
PolicyAuditLoginInformation=1,
政策审计事件信息,
PolicyPrimaryDomainInformation,
政策和会计信息,
PolicyAccountDomainInformation,
保单服务器角色信息,
政策信息,
保单信息,
政策修改信息,
PolicyAuditFullSetInformation,
政策审计信息,
保单域名信息
}
公共枚举策略\u审核\u事件\u类型
{
审计分类系统,
审计范畴,
AuditCategoryObject访问,
审计类别特权,
审计类别详细跟踪,
审计类别政策变更,
审计类别会计管理,
AuditCategoryDirectoryServiceAccess,
AuditCategoryAccountLogon
}
[StructLayout(LayoutKind.Sequential,CharSet=CharSet.Unicode)]
公共结构策略\u审核\u事件\u信息
{
公共场所审计模式;
公共IntPtr事件审核选项;
公共UInt32最大审计金额;
}
[StructLayout(LayoutKind.Sequential,CharSet=CharSet.Unicode)]
公共结构GUID
{
公共UInt32数据1;
公共UInt16数据2;
公共UInt16数据3;
公共字节数据4a;
公共字节数据4b;
公共字节数据4c;
公共字节数据4d;
公共字节数据4e;
公共字节数据4f;
公共字节数据4G;
公共字节数据4h;
公共重写字符串ToString()
{
返回Data1.ToString(“x8”)+“-”+Data2.ToString(“x4”)+“-”+Data3.ToString(“x4”)+“-”
+Data4a.ToString(“x2”)+Data4b.ToString(“x2”)+“-”
+Data4c.ToString(“x2”)+Data4d.ToString(“x2”)+Data4e.ToString(“x2”)+Data4f.ToString(“x2”)+Data4g.ToString(“x2”)+Data4h.ToString(“x2”);
}
}
#端区
#区域LSA进口
[DllImport(“kernel32.dll”)]
外部静态int GetLastError();
[DllImport(“advapi32.dll”,CharSet=CharSet.Unicode,PreserveSig=true)]
公共静态外部UInt32 lsantStatusToInError(
长期状态);
[DllImport(“advapi32.dll”,CharSet=CharSet.Unicode,PreserveSig=true)]
公共静态外部长LsaOpenPolicy(
参考LSA\u UNICODE\u字符串系统名,
参考LSA_对象_属性对象属性,
Int32期望访问,
out IntPtr policy handle);
[DllImport(“advapi32.dll”,CharSet=CharSet.Unicode,PreserveSig=true)]
公共静态外部长LsaClose(IntPtr PolicyHandle);
[DllImport(“advapi32.dll”,CharSet=CharSet.Unicode,PreserveSig=true)]
公共静态外部长LsaFreeMemory(IntPtr缓冲区);
[DllImport(“advapi32.dll”,CharSet=CharSet.Unicode,PreserveSig=true)]
公共静态外部无效审核自由(IntPtr缓冲区);
[DllImport(“advapi32.dll”,SetLastError=true,PreserveSig=true)]
公共静态外部长LsaQueryInformationPolicy(
IntPtr PolicyHandle,策略信息类InformationClass,
输出IntPtr缓冲区);
[DllImport(“advapi32.dll”,SetLastError=true,PreserveSig=true)]
公共静态外部bool AuditLookupCategoryGUID来自CategoryID(
策略\审核\事件\类型AuditCategoryId,
IntPtr pAuditCategoryGuid);
[DllImport(“advapi32.dll”,SetLastError=true,PreserveSig=true)]
公共静态外部布尔子类别(
IntPtr pAuditCategoryGuid,
布尔Bretrieveall子类别,
out IntPtr PPAUDITSUBBCATEGORIES数组,
out ulong(已返回);
[DllImport(“advapi32.dll”,SetLastError=true,PreserveSig=true)]
公共静态外部布尔审核查询系统临时策略(
IntPtr PSUBCATEGORYGUID,
乌隆保险公司,
out IntPtr ppAuditPolicy);
#端区
字典retList=新字典();
长lretVal;
uint-retVal;
IntPtr pAuditEventsInfo;
lretVal=LsaQueryInformationPolicy(policyHandle,POLICY\u INFORMATION\u CLASS.PolicyAuditEventsInformation,out pauditeventInfo);
retVal=LsaNtStatusToWinError(lretVal);
如果(返回值!=0)
{
LsaClose(policyHandle);
抛出新的System.ComponentModel.Win32Exception((int)retVal);
}
策略\审核\事件\信息myAuditEventsInfo=新策略\审核\事件\信息();
myAuditEventsInfo=(POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pauditeventInfo,myAuditEventsInfo.GetType());
IntPtr子类=IntPtr.0;
ulong nSubCats=0;
对于(int audCat=0;audCat#region LSA types
public enum POLICY_INFORMATION_CLASS
{
PolicyAuditLogInformation = 1,
PolicyAuditEventsInformation,
PolicyPrimaryDomainInformation,
PolicyPdAccountInformation,
PolicyAccountDomainInformation,
PolicyLsaServerRoleInformation,
PolicyReplicaSourceInformation,
PolicyDefaultQuotaInformation,
PolicyModificationInformation,
PolicyAuditFullSetInformation,
PolicyAuditFullQueryInformation,
PolicyDnsDomainInformation
}
public enum POLICY_AUDIT_EVENT_TYPE
{
AuditCategorySystem,
AuditCategoryLogon,
AuditCategoryObjectAccess,
AuditCategoryPrivilegeUse,
AuditCategoryDetailedTracking,
AuditCategoryPolicyChange,
AuditCategoryAccountManagement,
AuditCategoryDirectoryServiceAccess,
AuditCategoryAccountLogon
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct POLICY_AUDIT_EVENTS_INFO
{
public bool AuditingMode;
public IntPtr EventAuditingOptions;
public UInt32 MaximumAuditEventCount;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct GUID
{
public UInt32 Data1;
public UInt16 Data2;
public UInt16 Data3;
public Byte Data4a;
public Byte Data4b;
public Byte Data4c;
public Byte Data4d;
public Byte Data4e;
public Byte Data4f;
public Byte Data4g;
public Byte Data4h;
public override string ToString()
{
return Data1.ToString("x8") + "-" + Data2.ToString("x4") + "-" + Data3.ToString("x4") + "-"
+ Data4a.ToString("x2") + Data4b.ToString("x2") + "-"
+ Data4c.ToString("x2") + Data4d.ToString("x2") + Data4e.ToString("x2") + Data4f.ToString("x2") + Data4g.ToString("x2") + Data4h.ToString("x2");
}
}
#endregion
#region LSA Imports
[DllImport("kernel32.dll")]
extern static int GetLastError();
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, PreserveSig = true)]
public static extern UInt32 LsaNtStatusToWinError(
long Status);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, PreserveSig = true)]
public static extern long LsaOpenPolicy(
ref LSA_UNICODE_STRING SystemName,
ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
Int32 DesiredAccess,
out IntPtr PolicyHandle );
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, PreserveSig = true)]
public static extern long LsaClose(IntPtr PolicyHandle);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, PreserveSig = true)]
public static extern long LsaFreeMemory(IntPtr Buffer);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, PreserveSig = true)]
public static extern void AuditFree(IntPtr Buffer);
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern long LsaQueryInformationPolicy(
IntPtr PolicyHandle, POLICY_INFORMATION_CLASS InformationClass,
out IntPtr Buffer);
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern bool AuditLookupCategoryGuidFromCategoryId(
POLICY_AUDIT_EVENT_TYPE AuditCategoryId,
IntPtr pAuditCategoryGuid);
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern bool AuditEnumerateSubCategories(
IntPtr pAuditCategoryGuid,
bool bRetrieveAllSubCategories,
out IntPtr ppAuditSubCategoriesArray,
out ulong pCountReturned);
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern bool AuditQuerySystemPolicy(
IntPtr pSubCategoryGuids,
ulong PolicyCount,
out IntPtr ppAuditPolicy);
#endregion
Dictionary<string, UInt32> retList = new Dictionary<string, UInt32>();
long lretVal;
uint retVal;
IntPtr pAuditEventsInfo;
lretVal = LsaQueryInformationPolicy(policyHandle, POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation, out pAuditEventsInfo);
retVal = LsaNtStatusToWinError(lretVal);
if (retVal != 0)
{
LsaClose(policyHandle);
throw new System.ComponentModel.Win32Exception((int)retVal);
}
POLICY_AUDIT_EVENTS_INFO myAuditEventsInfo = new POLICY_AUDIT_EVENTS_INFO();
myAuditEventsInfo = (POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pAuditEventsInfo, myAuditEventsInfo.GetType());
IntPtr subCats = IntPtr.Zero;
ulong nSubCats = 0;
for (int audCat = 0; audCat < myAuditEventsInfo.MaximumAuditEventCount; audCat++)
{
GUID audCatGuid = new GUID();
if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)audCat, new IntPtr(&audCatGuid)))
{
int causingError = GetLastError();
LsaFreeMemory(pAuditEventsInfo);
LsaClose(policyHandle);
throw new System.ComponentModel.Win32Exception(causingError);
}
if (!AuditEnumerateSubCategories(new IntPtr(&audCatGuid), true, out subCats, out nSubCats))
{
int causingError = GetLastError();
LsaFreeMemory(pAuditEventsInfo);
LsaClose(policyHandle);
throw new System.ComponentModel.Win32Exception(causingError);
}
// Dereference the first pointer-to-pointer to point to the first subcategory
// subCats = (IntPtr)Marshal.PtrToStructure(subCats, subCats.GetType());
if (nSubCats > 0)
{
IntPtr audPolicies = IntPtr.Zero;
if (!AuditQuerySystemPolicy(subCats, nSubCats, out audPolicies))
{
int causingError = GetLastError();
if (subCats != IntPtr.Zero)
AuditFree(subCats);
LsaFreeMemory(pAuditEventsInfo);
LsaClose(policyHandle);
throw new System.ComponentModel.Win32Exception(causingError);
}
AUDIT_POLICY_INFORMATION myAudPol = new AUDIT_POLICY_INFORMATION();
for (ulong audSubCat = 0; audSubCat < nSubCats; audSubCat++)
{
// Process audPolicies[audSubCat], turn GUIDs into names, fill retList.
// http://msdn.microsoft.com/en-us/library/aa373931%28VS.85%29.aspx
// http://msdn.microsoft.com/en-us/library/bb648638%28VS.85%29.aspx
IntPtr itemAddr = IntPtr.Zero;
IntPtr itemAddrAddr = new IntPtr(audPolicies.ToInt64() + (long)(audSubCat * (ulong)Marshal.SizeOf(itemAddr)));
itemAddr = (IntPtr)Marshal.PtrToStructure(itemAddrAddr, itemAddr.GetType());
myAudPol = (AUDIT_POLICY_INFORMATION)Marshal.PtrToStructure(itemAddr, myAudPol.GetType());
retList[myAudPol.AuditSubCategoryGuid.ToString()] = myAudPol.AuditingInformation;
}
if (audPolicies != IntPtr.Zero)
AuditFree(audPolicies);
}
if (subCats != IntPtr.Zero)
AuditFree(subCats);
subCats = IntPtr.Zero;
nSubCats = 0;
}
lretVal = LsaFreeMemory(pAuditEventsInfo);
retVal = LsaNtStatusToWinError(lretVal);
if (retVal != 0)
throw new System.ComponentModel.Win32Exception((int)retVal);
lretVal = LsaClose(policyHandle);
retVal = LsaNtStatusToWinError(lretVal);
if (retVal != 0)
throw new System.ComponentModel.Win32Exception((int)retVal);
BOOLEAN WINAPI AuditLookupCategoryGuidFromCategoryId(
__in POLICY_AUDIT_EVENT_TYPE AuditCategoryId,
__out GUID *pAuditCategoryGuid
);
GUID audCatGuid = new GUID();
if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)audCat,
new IntPtr(&audCatGuid)))
// ...
if (!AuditEnumerateSubCategories(new IntPtr(&audCatGuid), true, out subCats,
out nSubCats))
// ...
IntPtr pAuditCatGuid = Marshal.AllocHGlobal (Marshal.SizeOf(GUID));
if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)audCat,
pAuditCatGuid))
// ...
if (!AuditEnumerateSubCategories(pAuditCatGuid, true, out subCats,
out nSubCats))
// ...