如何在 PowerShell 中使用 Windows API AuditEnumerateCategories 函数?

本文介绍了如何在 PowerShell 中使用 Windows API AuditEnumerateCategories 函数?的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

我想获得当前的高级安全审计使用 PowerShell 的策略.我可以使用 auditpol.exe，但它的输出因操作系统语言而异，这使得解析变得困难.

I want get the current Advanced Security Audit Policy using PowerShell. I could use auditpol.exe, but its ouput is different per OS language, which makes it difficult to parse.

设置存储在 HKEY_Local_Machine\Security\Policy\PolAdtEv 中的 REG_NONE 值中.我可以尝试在那个非官方结构表的帮助下解析该值.但是，我的首选方法是使用 advapi32.dll 的 Windows API 函数 AuditQuerySystemPolicy.

The settings are stored in a REG_NONE value in HKEY_Local_Machine\Security\Policy\PolAdtEv. I could try to parse the value with the help of that unofficial structure table. My preferred approach, however, is to use the Windows API function AuditQuerySystemPolicy of advapi32.dll.

在这个文章，我在 PowerShell 中创建了一个类型，如下所示.

With the great help of this article, I created a Type in PowerShell as follows.

$MemberDefinition = @'
[DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AuditEnumerateCategories(
        out IntPtr ppAuditCategoriesArray, 
        out uint pCountReturned);

[DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AuditLookupCategoryName(
        ref Guid pAuditCategoryGuid, 
        out StringBuilder ppszCategoryName);

[DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool AuditEnumerateSubCategories(
        ref Guid pAuditCategoryGuid, 
        bool bRetrieveAllSubCategories, 
        out IntPtr ppAuditSubCategoriesArray, 
        out uint pCountReturned);

[DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AuditLookupSubCategoryName(
        ref Guid pAuditSubCategoryGuid, 
        out StringBuilder ppszSubCategoryName);

[DllImport("advapi32.dll")]
    public static extern void AuditFree(
        IntPtr buffer);

[DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AuditQuerySystemPolicy(
        Guid pSubCategoryGuids, 
        uint PolicyCount, 
        out IntPtr ppAuditPolicy);
'@

$Advapi32 = Add-Type -MemberDefinition $MemberDefinition -Name 'Advapi32' -Namespace 'Win32' -UsingNamespace System.Text -PassThru

类型已成功创建，但我的第一步失败了 - 获取所有审计类别的 GUID.我对不同类型有问题.我试过例如

The Type is created successfuly, but I fail with the first step - to get the GUIDs of all audit categories. I have issues with the different types. I tried for example

$guid = [Guid].MakeByRefType()
$count = [IntPtr]::Zero
[Win32.Advapi32]::AuditEnumerateCategories([ref]$guid, [ref]$count)
# Exception calling "AuditEnumerateCategories" with 2 Arguments: "The value "System.Guid&" of the type "System.RuntimeType" cannot be coverted to "System.IntPtr".

我还尝试将 AuditEnumerateCategories 定义输出从 IntPtr 更改为 Guid.ppAuditCategoriesArray 的输出是

I also tried to change the AuditEnumerateCategories definition output from IntPtr to Guid. The output of ppAuditCategoriesArray is

指向单个缓冲区的指针，该缓冲区包含指向 GUID 结构的指针数组和结构本身.

不幸的是，我不知道如何在 PowerShell 中处理它.

Unfortunately I have no idea how to handle that in PowerShell.

推荐答案

着手Marshal.PtrToStructure 方法 (.NET).例如，PtrToStructure(IntPtr, Type) 将数据从非托管内存块编组到新分配的指定类型的托管对象，请参阅以下注释代码片段:

Take up a Marshal.PtrToStructure Method (.NET). For instance, PtrToStructure(IntPtr, Type) marshals data from an unmanaged block of memory to a newly allocated managed object of the specified type, see the following commented code snippet:

### (unchanged)
### $MemberDefinition =  …
### $Advapi32 = Add-Type … 

$guid  = [System.Int64]::MinValue            ### or ### [System.Int64]0
$count = [System.Int32]::MaxValue            ### or ### [System.Int64]0

$aux = [Win32.Advapi32]::AuditEnumerateCategories([ref]$guid, [ref]$count)

$guidArr = @()                               ### array to store GUIDs

$guidPtr = [int64]$guid                      ### pointer to next GUID
$guidOff = [System.Runtime.InteropServices.Marshal]::SizeOf([type][guid])
$ppszCategoryName = [System.Text.StringBuilder]::new()

for ( $i=0; $i -lt $count; $i++ ) {
    $guidAux = [System.Runtime.InteropServices.Marshal]::
                      PtrToStructure( [System.IntPtr]$guidPtr,[type][guid] )
    $guidArr += $guidAux           ### update array of GUIDs for future use
    $guidPtr += $guidOff           ### shift pointer to next GUID

    ### debugging: try another method of [Win32.Advapi32] Runtime Type 
    $foo = [Win32.Advapi32]::AuditLookupCategoryName([ref]$guidAux,[ref]$ppszCategoryName)
    ### debugging: show partial results
    Write-Host $('{0} {1,4} {2,4}' -f $guidAux.Guid, 
                      $ppszCategoryName.Capacity, $ppszCategoryName.Length)
}

                        这篇关于如何在 PowerShell 中使用 Windows API AuditEnumerateCategories 函数?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！