从C#调用Advapi32.dll本机EventWrite函数?
我正在尝试使用C#Net来触发窗口的 具体来说,我正试图触发此事件,以便WebClient服务从一个未经授权的帐户启动从C#调用Advapi32.dll本机EventWrite函数?,c#,c++,.net,interop,advapi32,C#,C++,.net,Interop,Advapi32,我正在尝试使用C#Net来触发窗口的 具体来说,我正试图触发此事件,以便WebClient服务从一个未经授权的帐户启动 C:\>sc qtriggerinfo WebClient [SC] QueryServiceConfig2 SUCCESS SERVICE_NAME: WebClient START SERVICE CUSTOM : 22b6d684-fa63-4578-87c9-effcbe6643c
C:\>sc qtriggerinfo WebClient
[SC] QueryServiceConfig2 SUCCESS
SERVICE_NAME: WebClient
START SERVICE
CUSTOM : 22b6d684-fa63-4578-87c9-effcbe6643c7 [ETW PROVIDER UUID]
<>我在C++中发现了服务,但是不确定如何在C ^中实现同样的特性:
以下是我正在使用的代码:
[StructLayout(LayoutKind.Explicit, Size=12)]
public class EVENT_DESCRIPTOR
{
[FieldOffset(0)]ushort Id = 1;
[FieldOffset(2)]byte Version = 0;
[FieldOffset(3)]byte Channel = 0;
[FieldOffset(4)]byte Level = 4;
[FieldOffset(5)]byte Opcode = 0;
[FieldOffset(6)]ushort Task = 0;
[FieldOffset(8)]ulong Keyword = 0;
}
//...
void startService()
{
Guid webCleintTrigger = new Guid(0x22B6D684, 0xFA63, 0x4578, 0x87, 0xC9, 0xEF, 0xFC, 0xBE, 0x66, 0x43, 0xC7);
IntPtr handle;
uint output = EventRegister(ref webCleintTrigger, IntPtr.Zero, IntPtr.Zero, out handle);
//This is what is returned:
//output = 0 <- Good
//handle = 65537 <- Good handle?
bool success = false;
if (output == 0)
{
//Create event descriptor
EVENT_DESCRIPTOR desc = new EVENT_DESCRIPTOR();
//Write the event
uint writeOutput = EventWrite(handle, ref desc, 0, IntPtr.Zero); //Throws PInvokeStackImbalance
success = writeOutput == 0;
EventUnregister(handle);
}
}
[DllImport("Advapi32.dll", SetLastError = true)]
public static extern uint EventRegister(ref Guid guid, [Optional] IntPtr EnableCallback, [Optional] IntPtr CallbackContext, out IntPtr RegHandle);
[DllImport("Advapi32.dll", SetLastError = true)]
public static extern uint EventWrite(IntPtr RegHandle, ref EVENT_DESCRIPTOR EventDescriptor, uint UserDataCount, [Optional] IntPtr UserData);
[DllImport("Advapi32.dll", SetLastError = true)]
public static extern uint EventUnregister(IntPtr RegHandle);
这是我的C#结构:
[StructLayout(LayoutKind.Explicit, Size=16)]
public class EVENT_DESCRIPTOR
{
[FieldOffset(0)]ushort Id = 1;
[FieldOffset(2)]byte Version = 0;
[FieldOffset(3)]byte Channel = 0;
[FieldOffset(4)]byte Level = 4;
[FieldOffset(5)]byte Opcode = 0;
[FieldOffset(6)]ushort Task = 0;
[FieldOffset(8)]ulong Keyword = 0;
}
这是本机函数的结构:
ULONG EventWrite(
_In_ REGHANDLE RegHandle,
_In_ PCEVENT_DESCRIPTOR EventDescriptor,
_In_ ULONG UserDataCount,
_In_opt_ PEVENT_DATA_DESCRIPTOR UserData
);
这是我对事件写入的PInvoke调用:
[DllImport("Advapi32.dll", SetLastError = true)]
public static extern uint EventWrite(IntPtr RegHandle, ref EVENT_DESCRIPTOR EventDescriptor, uint UserDataCount, [Optional] IntPtr UserData);
下面是我正在进行的调用,该调用引发PinvokesTack异常:
EVENT_DESCRIPTOR desc = new EVENT_DESCRIPTOR();
uint writeOutput = EventWrite(handle, ref desc, 0, IntPtr.Zero); //Throws PInvokeStackImbalance
感谢BenVoigt为我指出他们已经在哪里实施了PInvoke呼叫 这就是解决方案:
[StructLayout(LayoutKind.Explicit, Size=16)]
public class EVENT_DESCRIPTOR
{
[FieldOffset(0)]ushort Id = 1;
[FieldOffset(2)]byte Version = 0;
[FieldOffset(3)]byte Channel = 0;
[FieldOffset(4)]byte Level = 4;
[FieldOffset(5)]byte Opcode = 0;
[FieldOffset(6)]ushort Task = 0;
[FieldOffset(8)]long Keyword = 0;
}
[StructLayout(LayoutKind.Explicit, Size = 16)]
public struct EventData
{
[FieldOffset(0)]
internal UInt64 DataPointer;
[FieldOffset(8)]
internal uint Size;
[FieldOffset(12)]
internal int Reserved;
}
//...
void startService()
{
Guid webCleintTrigger = new Guid(0x22B6D684, 0xFA63, 0x4578, 0x87, 0xC9, 0xEF, 0xFC, 0xBE, 0x66, 0x43, 0xC7);
long handle = 0;
uint output = EventRegister(ref webCleintTrigger, IntPtr.Zero, IntPtr.Zero, ref handle);
//This is what is returned:
//output = 0 <- Good
//handle = 65537 <- Good handle?
bool success = false;
if (output == 0)
{
//Create event descriptor
EVENT_DESCRIPTOR desc = new EVENT_DESCRIPTOR();
//Write the event
unsafe
{
uint writeOutput = EventWrite(handle, ref desc, 0, null);
success = writeOutput == 0;
EventUnregister(handle);
}
}
}
[DllImport("Advapi32.dll", SetLastError = true)]
public static extern uint EventRegister(ref Guid guid, [Optional] IntPtr EnableCallback, [Optional] IntPtr CallbackContext, [In][Out] ref long RegHandle);
[DllImport("Advapi32.dll", SetLastError = true)]
public static extern unsafe uint EventWrite(long RegHandle, ref EVENT_DESCRIPTOR EventDescriptor, uint UserDataCount, EventData* UserData);
[DllImport("Advapi32.dll", SetLastError = true)]
public static extern uint EventUnregister(long RegHandle);
[StructLayout(LayoutKind.Explicit,Size=16)]
公共类事件描述符
{
[FieldOffset(0)]ushort Id=1;
[FieldOffset(2)]字节版本=0;
[FieldOffset(3)]字节通道=0;
[FieldOffset(4)]字节级别=4;
[FieldOffset(5)]字节操作码=0;
[FieldOffset(6)]ushort任务=0;
[FieldOffset(8)]长关键字=0;
}
[StructLayout(LayoutKind.Explicit,Size=16)]
公共结构EventData
{
[字段偏移量(0)]
内部UInt64数据指针;
[现场偏移(8)]
内部单元尺寸;
[附件(12)]
保留内部int;
}
//...
void startService()
{
Guid webCleintTrigger=新Guid(0x22B6D684、0xFA63、0x4578、0x87、0xC9、0xEF、0xFC、0xBE、0x66、0x43、0xC7);
长柄=0;
uint输出=事件寄存器(参考webCleintTrigger、IntPtr.Zero、IntPtr.Zero、参考句柄);
//这是返回的内容:
//output=0第一个参数必须是ref Guid
@HansPassant,它允许函数调用通过,但仍然失败(返回最大值),知道为什么吗?返回值类型是uint,而不是ulong。本机代码中的ulong是32位类型。句柄包含某些数据结构中的偏移量。在某些情况下,数据结构都是虚拟内存,句柄值是指针。在其他情况下,它是数组索引,在这种情况下,进程中的第一个调用总是返回1
一点也不奇怪。句柄的某些位也可能用于标志…这使得一致地查看0x10001
完全可行,也不令人惊讶。REGHANDLE
应该是Int64
,而不是IntPtr
。实际上,您可以在
EVENT_DESCRIPTOR desc = new EVENT_DESCRIPTOR();
uint writeOutput = EventWrite(handle, ref desc, 0, IntPtr.Zero); //Throws PInvokeStackImbalance
[StructLayout(LayoutKind.Explicit, Size=16)]
public class EVENT_DESCRIPTOR
{
[FieldOffset(0)]ushort Id = 1;
[FieldOffset(2)]byte Version = 0;
[FieldOffset(3)]byte Channel = 0;
[FieldOffset(4)]byte Level = 4;
[FieldOffset(5)]byte Opcode = 0;
[FieldOffset(6)]ushort Task = 0;
[FieldOffset(8)]long Keyword = 0;
}
[StructLayout(LayoutKind.Explicit, Size = 16)]
public struct EventData
{
[FieldOffset(0)]
internal UInt64 DataPointer;
[FieldOffset(8)]
internal uint Size;
[FieldOffset(12)]
internal int Reserved;
}
//...
void startService()
{
Guid webCleintTrigger = new Guid(0x22B6D684, 0xFA63, 0x4578, 0x87, 0xC9, 0xEF, 0xFC, 0xBE, 0x66, 0x43, 0xC7);
long handle = 0;
uint output = EventRegister(ref webCleintTrigger, IntPtr.Zero, IntPtr.Zero, ref handle);
//This is what is returned:
//output = 0 <- Good
//handle = 65537 <- Good handle?
bool success = false;
if (output == 0)
{
//Create event descriptor
EVENT_DESCRIPTOR desc = new EVENT_DESCRIPTOR();
//Write the event
unsafe
{
uint writeOutput = EventWrite(handle, ref desc, 0, null);
success = writeOutput == 0;
EventUnregister(handle);
}
}
}
[DllImport("Advapi32.dll", SetLastError = true)]
public static extern uint EventRegister(ref Guid guid, [Optional] IntPtr EnableCallback, [Optional] IntPtr CallbackContext, [In][Out] ref long RegHandle);
[DllImport("Advapi32.dll", SetLastError = true)]
public static extern unsafe uint EventWrite(long RegHandle, ref EVENT_DESCRIPTOR EventDescriptor, uint UserDataCount, EventData* UserData);
[DllImport("Advapi32.dll", SetLastError = true)]
public static extern uint EventUnregister(long RegHandle);