using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace SecLogProto
{
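/// <summary>
/// Writes informational events to the Windows Security event log through the
/// advapi32 event-logging API (RegisterEventSource / ReportEvent).
/// </summary>
/// <remarks>
/// The constructor enables <c>SeSecurityPrivilege</c> and <c>SeAuditPrivilege</c> on the
/// process token and never disables them again, so they stay enabled for the lifetime of the
/// process, not just for the duration of a <see cref="Write(string)"/> call. Callers that
/// care about least privilege should keep this instance short-lived or isolate it in a
/// dedicated process. Whether the privileges could actually be enabled is reported by
/// <see cref="PrivilegesEnabled"/>; it is not an error to construct the object without them.
/// </remarks>
public class SecurityLog
{
    /// <summary>
    /// Name of the event source. Writing to the log requires a registry key with this
    /// name under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security.
    /// </summary>
    const string APP_NAME = "SecLogProto";

    /// <summary>Default event identifier used by <see cref="Write(string)"/>.</summary>
    const int DEFAULT_EVENT_ID = 1001;

    // Token access rights requested on the process token.
    const int TOKEN_QUERY = 0x00000008;
    const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;

    // Privileges enabled by the constructor.
    const string SE_SECURITY_NAME = "SeSecurityPrivilege";
    const string SE_AUDIT_NAME = "SeAuditPrivilege";
    const int SE_PRIVILEGE_ENABLED = 0x00000002;

    // AdjustTokenPrivileges returns TRUE but sets this last error when the token does not
    // hold every requested privilege; the call must be treated as a failure in that case.
    const int ERROR_NOT_ALL_ASSIGNED = 1300;

    const ushort EVENTLOG_INFORMATION_TYPE = 0x0004;

    // SetLastError = true on every import so Marshal.GetLastWin32Error() is meaningful.
    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool OpenProcessToken(IntPtr ProcessHandle, int DesiredAccess, out IntPtr TokenHandle);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    private static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, ref long lpLuid);

    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool AdjustTokenPrivileges(
        IntPtr TokenHandle,
        bool DisableAllPrivileges,
        ref TOKEN_PRIVILEGES NewState,
        int BufferLength,
        IntPtr PreviousState,
        IntPtr ReturnLength
    );

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    private static extern IntPtr RegisterEventSource(string lpUNCServerName, string lpSourceName);

    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool DeregisterEventSource(IntPtr hEventLog);

    [DllImport("advapi32.dll", EntryPoint = "ReportEventW", CharSet = CharSet.Unicode, SetLastError = true)]
    private static extern bool ReportEvent(
        IntPtr hEventLog,
        ushort wType,
        ushort wCategory,
        int dwEventID,
        IntPtr lpUserSid,
        ushort wNumStrings,
        int dwDataSize,
        // ReportEventW expects an array of LPCWSTR; spell the marshalling out explicitly.
        [MarshalAs(UnmanagedType.LPArray, ArraySubType = UnmanagedType.LPWStr)] string[] lpStrings,
        IntPtr lpRawData
    );

    /// <summary>
    /// Managed mirror of the native TOKEN_PRIVILEGES structure, sized for exactly one privilege.
    /// </summary>
    [StructLayout(LayoutKind.Sequential, Pack = 4)]
    public struct TOKEN_PRIVILEGES
    {
        public int PrivilegeCount;
        public LUID_AND_ATTRIBUTES Privileges;
    }

    /// <summary>
    /// Managed mirror of the native LUID_AND_ATTRIBUTES structure; the 64-bit LUID is
    /// carried as a single <see cref="long"/>.
    /// </summary>
    [StructLayout(LayoutKind.Sequential, Pack = 4)]
    public struct LUID_AND_ATTRIBUTES
    {
        public long Luid;
        public int Attributes;
    }

    private readonly bool _privilegesEnabled;

    /// <summary>
    /// True when both <c>SeSecurityPrivilege</c> and <c>SeAuditPrivilege</c> were enabled on
    /// the process token by the constructor; false if the token could not be opened or the
    /// token does not hold one of the privileges (for example, when not running elevated).
    /// </summary>
    public bool PrivilegesEnabled
    {
        get { return _privilegesEnabled; }
    }

    /// <summary>
    /// Opens the current process token and tries to enable the privileges needed for
    /// Security-log writes. Failures are not thrown; see <see cref="PrivilegesEnabled"/>.
    /// </summary>
    public SecurityLog()
    {
        IntPtr hToken;
        bool opened;
        using (Process current = Process.GetCurrentProcess())
        {
            opened = OpenProcessToken(current.Handle, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out hToken);
        }
        if (!opened)
        {
            _privilegesEnabled = false;
            return;
        }
        try
        {
            // Evaluate both so a failure on the first does not skip the second.
            bool securityEnabled = EnablePrivilege(hToken, SE_SECURITY_NAME);
            bool auditEnabled = EnablePrivilege(hToken, SE_AUDIT_NAME);
            _privilegesEnabled = securityEnabled && auditEnabled;
        }
        finally
        {
            // The token handle is only needed while adjusting privileges.
            CloseHandle(hToken);
        }
    }

    /// <summary>
    /// Enables a single named privilege on <paramref name="hToken"/>.
    /// </summary>
    /// <param name="hToken">Token opened with TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY.</param>
    /// <param name="name">Privilege name, e.g. <c>SeAuditPrivilege</c>.</param>
    /// <returns>True when the privilege is now enabled on the token; false otherwise.</returns>
    private static bool EnablePrivilege(IntPtr hToken, string name)
    {
        long luid = 0;
        if (!LookupPrivilegeValue(null, name, ref luid))
        {
            return false;
        }
        TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
        tp.PrivilegeCount = 1;
        tp.Privileges.Luid = luid;
        tp.Privileges.Attributes = SE_PRIVILEGE_ENABLED;
        if (!AdjustTokenPrivileges(hToken, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero))
        {
            return false;
        }
        // A TRUE return only means the call was well-formed; ERROR_NOT_ALL_ASSIGNED means
        // the token never held the privilege, so nothing was enabled.
        return Marshal.GetLastWin32Error() != ERROR_NOT_ALL_ASSIGNED;
    }

    /// <summary>
    /// Writes <paramref name="message"/> as an informational event with the default event id.
    /// </summary>
    /// <param name="message">Single insertion string for the event.</param>
    /// <exception cref="ArgumentNullException"><paramref name="message"/> is null.</exception>
    /// <exception cref="Win32Exception">The event source could not be registered or the event could not be reported.</exception>
    public void Write(string message)
    {
        Write(message, DEFAULT_EVENT_ID);
    }

    /// <summary>
    /// Writes <paramref name="message"/> as an informational event with the given event id.
    /// </summary>
    /// <param name="message">Single insertion string for the event.</param>
    /// <param name="eventId">Event identifier recorded with the event.</param>
    /// <exception cref="ArgumentNullException"><paramref name="message"/> is null.</exception>
    /// <exception cref="Win32Exception">
    /// The event source could not be registered or the event could not be reported. An audit
    /// sink that silently drops events would leave the caller believing the event was logged,
    /// so failures are surfaced rather than ignored.
    /// </exception>
    public void Write(string message, int eventId)
    {
        if (message == null)
        {
            // A null element in lpStrings would be passed to ReportEventW as a null pointer.
            throw new ArgumentNullException("message");
        }
        IntPtr hEventLog = RegisterEventSource(null, APP_NAME);
        if (hEventLog == IntPtr.Zero)
        {
            throw new Win32Exception(Marshal.GetLastWin32Error(), "RegisterEventSource failed for source '" + APP_NAME + "'");
        }
        try
        {
            bool reported = ReportEvent(
                hEventLog,
                EVENTLOG_INFORMATION_TYPE,
                0,
                eventId,
                IntPtr.Zero,
                1,
                0,
                new string[] { message },
                IntPtr.Zero);
            if (!reported)
            {
                throw new Win32Exception(Marshal.GetLastWin32Error(), "ReportEvent failed for source '" + APP_NAME + "'");
            }
        }
        finally
        {
            DeregisterEventSource(hEventLog);
        }
    }
}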
}