我正在使用以下代码，在本地安全策略中为"审核对象访问"启用成功和失败两种审核。
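/*
 * Enable success and failure auditing for the Object Access category of the
 * local security policy.
 *
 * Returns TRUE when the policy already requests success+failure auditing for
 * Object Access or was updated to do so. Returns FALSE when the policy handle
 * could not be opened, when the query/set call fails, or when the returned
 * table does not even contain the Object Access entry. The LSA query buffer
 * and the policy handle are released on every path.
 */
bool EnableObjectAccessPolicy()
{
    /* Object Access is entry 2 of EventAuditingOptions (the literal index the
     * original code used). */
    const ULONG objectAccessIndex = AuditCategoryObjectAccess;
    /* The literal 3 of the original code: audit both successful and failed access. */
    const POLICY_AUDIT_EVENT_OPTIONS wanted = POLICY_AUDIT_EVENT_SUCCESS | POLICY_AUDIT_EVENT_FAILURE;
    PPOLICY_AUDIT_EVENTS_INFO pAuditInfo = NULL;
    bool ok = FALSE;

    LSA_HANDLE PolicyHandle = GetPolicyHandle();
    DebugLogMessage("\n%p", (void *)PolicyHandle);
    if (PolicyHandle == NULL)
    {
        /* GetPolicyHandle returns NULL on failure and has already logged it;
         * the original code passed the NULL handle on to LsaQueryInformationPolicy. */
        return FALSE;
    }

    NTSTATUS ntsResult = LsaQueryInformationPolicy(PolicyHandle, PolicyAuditEventsInformation, (PVOID *)&pAuditInfo);
    DebugLogMessage("\n-----%08lx", (unsigned long)ntsResult);
    if (ntsResult != STATUS_SUCCESS)
    {
        /* The original message named LsaSetInformationPolicy here; this is the query. */
        DebugLogMessage("LsaQueryInformationPolicy returned %lu\n ntstatus %08lx", LsaNtStatusToWinError(ntsResult), (unsigned long)ntsResult);
        goto cleanup;
    }

    DebugLogMessage("\nMaxCount is %lu", (unsigned long)pAuditInfo->MaximumAuditEventCount);
    /* Never index past what LSA says it returned. A count far larger than the
     * handful of audit categories indicates the buffer is not laid out the way
     * this translation unit expects (presumably a struct packing or header
     * mismatch in the including project — TODO confirm); bailing out here turns
     * the reported crash into a logged failure. */
    if (pAuditInfo->MaximumAuditEventCount <= objectAccessIndex)
    {
        DebugLogMessage("\nMaximumAuditEventCount %lu does not cover index %lu",
                        (unsigned long)pAuditInfo->MaximumAuditEventCount,
                        (unsigned long)objectAccessIndex);
        goto cleanup;
    }
    DebugLogMessage("\nEventAuditingOptions at 0 is %lu", (unsigned long)pAuditInfo->EventAuditingOptions[0]);

    if (pAuditInfo->EventAuditingOptions[objectAccessIndex] != wanted)
    {
        DebugLogMessage("\nNot equal to 3");
        /* NOTE(review): only the per-category options are changed here; the
         * AuditingMode member of the same structure is left as returned — confirm
         * that is the intended behaviour. */
        pAuditInfo->EventAuditingOptions[objectAccessIndex] = wanted;
        ntsResult = LsaSetInformationPolicy(PolicyHandle, PolicyAuditEventsInformation, pAuditInfo);
        DebugLogMessage("ntstatus is %08lx", (unsigned long)ntsResult);
        if (ntsResult != STATUS_SUCCESS)
        {
            DebugLogMessage("LsaSetInformationPolicy returned %lu\n ntstatus %08lx", LsaNtStatusToWinError(ntsResult), (unsigned long)ntsResult);
            goto cleanup;
        }
    }
    ok = TRUE;

cleanup:
    /* The query buffer is LSA-allocated and is what LsaFreeMemory is for; the
     * original code called LsaFreeMemory on the policy handle instead and never
     * released the buffer. The handle is released with LsaClose. */
    if (pAuditInfo != NULL)
    {
        LsaFreeMemory(pAuditInfo);
    }
    LsaClose(PolicyHandle);
    return ok;
}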
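/*
 * Open a handle to the local LSA Policy object.
 *
 * Returns the handle on success; the caller owns it and must release it with
 * LsaClose. Returns NULL if LsaOpenPolicy fails, after logging the failure as
 * a Win32 error code.
 */
LSA_HANDLE GetPolicyHandle()
{
    LSA_OBJECT_ATTRIBUTES ObjectAttributes;
    LSA_HANDLE lsahPolicyHandle = NULL;

    /* Object attributes are reserved, so initialize to zeros. */
    ZeroMemory(&ObjectAttributes, sizeof(ObjectAttributes));

    /* NOTE(review): POLICY_ALL_ACCESS already grants every policy-specific right,
     * so the other rights ORed in here add nothing. Querying and setting
     * PolicyAuditEventsInformation needs only POLICY_VIEW_AUDIT_INFORMATION |
     * POLICY_SET_AUDIT_REQUIREMENTS; the wider mask is kept in case other
     * callers depend on it — confirm and narrow if they do not. */
    NTSTATUS ntsResult = LsaOpenPolicy(
        NULL,                                       /* Name of the target system. &lusSystemName, */
        &ObjectAttributes,                          /* Object attributes. */
        POLICY_VIEW_LOCAL_INFORMATION | GENERIC_READ | GENERIC_EXECUTE | POLICY_ALL_ACCESS, /* Desired access permissions. */
        &lsahPolicyHandle                           /* Receives the policy handle. */
    );
    /* LsaNtStatusToWinError returns a ULONG; print it as one. */
    DebugLogMessage("\nOpenPolicy returned %lu\n", LsaNtStatusToWinError(ntsResult));
    if (ntsResult != STATUS_SUCCESS)
    {
        /* An error occurred. Display it as a win32 error code. */
        DebugLogMessage("\nOpenPolicy returned %lu\n", LsaNtStatusToWinError(ntsResult));
        return NULL;
    }
    /* The handle is a pointer-sized value; %x would truncate it on 64-bit builds. */
    DebugLogMessage("Policy Handle is \n%p", (void *)lsahPolicyHandle);
    return lsahPolicyHandle;
}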
当我把它编译成独立的 exe 进行测试时，上面的代码可以完美运行。但是，一旦把上述代码集成到我的主项目中，ppPAUDInfo->MaximumAuditEventCount 就会给出一个六位数的计数（而它应该是 9），并且我的主项目进程在尝试访问 ppPAUDInfo->EventAuditingOptions[index] 时立即退出。