
UserAdd

使用 Windows API 添加用户

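net user / net1 user 添加用户时，底层都是通过调用 NetUserAdd() 实现的。因此，检测不能只依赖 net.exe/net1.exe 的命令行：直接调用该 API 的程序同样会创建账户，应以账户创建（安全事件 4720）和本地组成员变更（安全事件 4732）等审计事件为准。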

NetApi32.dll 和 samcli.dll 中均导出了该函数「NetUserAdd()」

相关函数
NetUserAdd

添加本地用户

/*
 * NetUserAdd: creates a user account from the structure passed in buf.
 * The level argument selects which USER_INFO_* layout buf uses; this page
 * covers level 1 (USER_INFO_1). The result is a NET_API_STATUS, which the
 * sample program on this page compares against NERR_Success.
 */
NET_API_STATUS NET_API_FUNCTION NetUserAdd(
[in] LPCWSTR servername, // target server; the sample on this page passes NULL to act on the local machine
[in] DWORD level, // information level; 1 means buf points to a USER_INFO_1
[in] LPBYTE buf, // account data; the caller casts its USER_INFO_* pointer to LPBYTE
[out] LPDWORD parm_err // output DWORD; per Microsoft's documentation, the index of the offending member when the call fails with ERROR_INVALID_PARAMETER
);

当level=1时,指定相关用户账号的信息,此时buf指向一个 USER_INFO_1 结构:

/* Level-1 account description passed to NetUserAdd through its buf argument. */
typedef struct _USER_INFO_1 {
LPWSTR usri1_name; // account name (wide string)
LPWSTR usri1_password; // account password, handed to the API as a clear-text wide string
DWORD usri1_password_age; // never set by the sample on this page; Microsoft documents it as ignored by NetUserAdd
DWORD usri1_priv; // privilege level; the sample uses USER_PRIV_USER
LPWSTR usri1_home_dir; // home directory path; NULL in the sample
LPWSTR usri1_comment; // free-text comment; NULL in the sample
DWORD usri1_flags; // UF_* account flags; the sample sets UF_SCRIPT
LPWSTR usri1_script_path; // logon script path; NULL in the sample
}USER_INFO_1, *PUSER_INFO_1, *LPUSER_INFO_1;
NetLocalGroupAddMember

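将用户添加到本地组。注意：下文示例代码实际调用的是 NetLocalGroupAddMembers（level=3，传入 LOCALGROUP_MEMBERS_INFO_3），而不是此处列出的 NetLocalGroupAddMember。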

/*
 * NetLocalGroupAddMember: adds a single member, identified by SID, to a
 * local group.
 * NOTE(review): the sample program on this page does not call this function.
 * It calls NetLocalGroupAddMembers with level 3 and a
 * LOCALGROUP_MEMBERS_INFO_3, which names the member by account name instead
 * of by SID.
 */
NET_API_STATUS NET_API_FUNCTION NetLocalGroupAddMember(
LPCWSTR servername, // target server (presumably NULL for the local machine, as in the sample's other calls; confirm)
LPCWSTR groupname, // name of the local group to modify
PSID membersid // SID of the account being added
);
代码实现
#include <stdio.h>
#include <windows.h>
#include <lm.h>
#pragma comment(lib, "netapi32.lib")

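/*
 * Creates a local user account and adds it to the local Administrators group.
 *
 * Usage: UserAdd.exe <username> <password>
 *
 * Returns 0 when both steps succeed, and 1 on a usage error or when either
 * NetAPI call fails. Group membership is only attempted after the account
 * was actually created, so a failed NetUserAdd (for example because the name
 * already exists) never silently elevates a pre-existing account.
 *
 * Review notes:
 *  - Microsoft documents NetUserAdd and NetLocalGroupAddMembers as restricted
 *    to privileged callers (Administrators / Account Operators).
 *  - The password arrives through argv, so it is visible to anything that
 *    records process command lines (e.g. Security event 4688 when
 *    command-line auditing is enabled).
 *  - With account-management auditing enabled, Windows logs the two steps as
 *    Security events 4720 (user account created) and 4732 (member added to a
 *    security-enabled local group), whether the request came from net.exe or
 *    from a direct API call like this one.
 */
int wmain(int argc, wchar_t* argv[])
{
    /* Zero-initialise so no member (usri1_password_age in particular) is left indeterminate. */
    USER_INFO_1 ui = {0};
    LOCALGROUP_MEMBERS_INFO_3 account = {0};
    DWORD dwLevel = 1;
    DWORD dwError = 0;
    NET_API_STATUS nStatus;

    if (argc != 3) {
        /* The format has no conversion specifier, so no extra argument is passed. */
        fwprintf(stderr, L"Usage:UserAdd.exe <username> <password>\n");
        return 1;
    }

    ui.usri1_name = argv[1];
    ui.usri1_password = argv[2];
    ui.usri1_priv = USER_PRIV_USER;
    ui.usri1_home_dir = NULL;
    ui.usri1_comment = NULL;
    ui.usri1_flags = UF_SCRIPT;
    ui.usri1_script_path = NULL;

    nStatus = NetUserAdd(NULL, dwLevel, (LPBYTE)&ui, &dwError);
    if (nStatus != NERR_Success) {
        /*
         * NET_API_STATUS is a DWORD, so print it as unsigned long. All stderr
         * output uses the wide functions to avoid mixing narrow and wide
         * writes on one stream.
         */
        fwprintf(stderr, L"A system error has occurred: %lu\n", (unsigned long)nStatus);
        if (nStatus == ERROR_INVALID_PARAMETER) {
            /* parm_err identifies which USER_INFO_1 member was rejected. */
            fwprintf(stderr, L"Invalid USER_INFO_1 member index: %lu\n", (unsigned long)dwError);
        }
        return 1;
    }
    /* %ls is the wide-string conversion in both the standard and the MSVC runtime. */
    fwprintf(stderr, L"User %ls has been successfully added\n", argv[1]);

    account.lgrmi3_domainandname = argv[1];
    /* Equivalent of: net localgroup administrators <username> /add */
    nStatus = NetLocalGroupAddMembers(NULL, L"Administrators", 3, (LPBYTE)&account, 1);
    if (nStatus == NERR_Success || nStatus == ERROR_MEMBER_IN_ALIAS) {
        printf("Administrators added Successfully!");
        return 0;
    }

    printf("Administrators added Failed!");
    fwprintf(stderr, L"NetLocalGroupAddMembers failed: %lu\n", (unsigned long)nStatus);
    return 1;
}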

通过底层重写NetUserAdd

参考 https://idiotc4t.com/redteam-research/netuseradd-ni-xiang

也可以通过 RPC 上的 MS-SAMR 协议添加用户

见 https://mamor5409.github.io/posts/679d4e97/
