1

我想使用 PowerShell获取当前的高级安全审计策略。我可以使用auditpol.exe,但它的输出因操作系统语言而异,这使得解析变得困难。

这些设置存储在 REG_NONE 值中HKEY_Local_Machine\Security\Policy\PolAdtEv。我可以尝试借助该非官方结构表来解析该值。但是,我首选的方法是AuditQuerySystemPolicy使用advapi32.dll.

在本文的大力帮助下,我在 PowerShell 中创建了一个 Type,如下所示。

$MemberDefinition = @'
[DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AuditEnumerateCategories(
        out IntPtr ppAuditCategoriesArray, 
        out uint pCountReturned);

[DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AuditLookupCategoryName(
        ref Guid pAuditCategoryGuid, 
        out StringBuilder ppszCategoryName);

[DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool AuditEnumerateSubCategories(
        ref Guid pAuditCategoryGuid, 
        bool bRetrieveAllSubCategories, 
        out IntPtr ppAuditSubCategoriesArray, 
        out uint pCountReturned);

[DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AuditLookupSubCategoryName(
        ref Guid pAuditSubCategoryGuid, 
        out StringBuilder ppszSubCategoryName);

[DllImport("advapi32.dll")]
    public static extern void AuditFree(
        IntPtr buffer);

[DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AuditQuerySystemPolicy(
        Guid pSubCategoryGuids, 
        uint PolicyCount, 
        out IntPtr ppAuditPolicy);
'@

$Advapi32 = Add-Type -MemberDefinition $MemberDefinition -Name 'Advapi32' -Namespace 'Win32' -UsingNamespace System.Text -PassThru

类型已成功创建,但第一步我失败了 - 获取所有审计类别的 GUID。我有不同类型的问题。我试过例如

$guid = [Guid].MakeByRefType()
$count = [IntPtr]::Zero
[Win32.Advapi32]::AuditEnumerateCategories([ref]$guid, [ref]$count)
# Exception calling "AuditEnumerateCategories" with 2 Arguments: "The value "System.Guid&" of the type "System.RuntimeType" cannot be coverted to "System.IntPtr".

我还尝试将AuditEnumerateCategories定义输出从更改IntPtrGuid。的输出ppAuditCategoriesArray

指向单个缓冲区的指针,该缓冲区包含指向 GUID 结构的指针数组和结构本身。

不幸的是,我不知道如何在 PowerShell 中处理它。

4

1 回答 1

3

采用一个Marshal.PtrToStructure方法( .NET)。例如,PtrToStructure(IntPtr, Type)将非托管内存块中的数据编组到新分配的指定类型的托管对象,请参见以下注释代码片段:

### (unchanged)
### $MemberDefinition =  …
### $Advapi32 = Add-Type … 

$guid  = [System.Int64]::MinValue            ### or ### [System.Int64]0
$count = [System.Int32]::MaxValue            ### or ### [System.Int64]0

$aux = [Win32.Advapi32]::AuditEnumerateCategories([ref]$guid, [ref]$count)

$guidArr = @()                               ### array to store GUIDs

$guidPtr = [int64]$guid                      ### pointer to next GUID
$guidOff = [System.Runtime.InteropServices.Marshal]::SizeOf([type][guid])
$ppszCategoryName = [System.Text.StringBuilder]::new()

for ( $i=0; $i -lt $count; $i++ ) {
    $guidAux = [System.Runtime.InteropServices.Marshal]::
                      PtrToStructure( [System.IntPtr]$guidPtr,[type][guid] )
    $guidArr += $guidAux           ### update array of GUIDs for future use
    $guidPtr += $guidOff           ### shift pointer to next GUID

    ### debugging: try another method of [Win32.Advapi32] Runtime Type 
    $foo = [Win32.Advapi32]::AuditLookupCategoryName([ref]$guidAux,[ref]$ppszCategoryName)
    ### debugging: show partial results
    Write-Host $('{0} {1,4} {2,4}' -f $guidAux.Guid, 
                      $ppszCategoryName.Capacity, $ppszCategoryName.Length)
}
于 2017-10-03T00:13:00.210 回答