
[原创]使用API添加用户的小程序 当net user不能使用时 TRY

[原创]使用API添加用户的小程序 当net user不能使用时 TRY

文章作者:pt007[at]vip.sina.com
信息来源:邪恶八进制信息安全团队(www.eviloctal.com)

注:文章首发I.S.T.O信息安全团队,后由原创作者友情提交到邪恶八进制信息安全团队技术讨论组。I.S.T.O版权所有,转载需注明作者。
Code Language : C
  1. #ifndef UNICODE
  2. #define UNICODE
  3. #endif
  4.  
  5. #include <stdio.h>
  6. #include <windows.h>
  7. #include <lm.h>
  8. #pragma comment(lib,\"netapi32\")
  9. int Usage(wchar_t *);
  10.  
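int wmain(int argc, wchar_t *argv[])
{
    // Creates the local account argv[1] with password argv[2] and then adds it
    // to the local Administrators group, calling netapi32 directly instead of
    // "net user" / "net localgroup".  Both calls succeed only when the process
    // already runs as a local administrator (or Account Operator); a less
    // privileged caller typically gets an access-denied status.  When
    // account-management auditing is enabled each successful call is recorded
    // in the Security event log (Vista and later: 4720 "user account created",
    // 4732 "member added to a security-enabled local group"), so the operation
    // is not silent.
    //
    // Returns 0 on success (or after printing usage), 1 on any API failure.
    USER_INFO_1 ui;
    LOCALGROUP_MEMBERS_INFO_3 account;
    DWORD dwError = 0;   // index of the offending parameter, set by NetUserAdd when it rejects the record
    DWORD status;        // NET_API_STATUS of the last call

    if (argc != 3)
    {
        Usage(argv[0]);
        return 0;
    }

    // Level-1 record: every field is set explicitly so no stack garbage
    // reaches the API (the original left usri1_password_age uninitialized).
    ui.usri1_name = argv[1];
    ui.usri1_password = argv[2];
    ui.usri1_password_age = 0;      // ignored on input, but keep it defined
    ui.usri1_priv = USER_PRIV_USER;
    ui.usri1_home_dir = NULL;
    ui.usri1_comment = NULL;
    ui.usri1_flags = UF_SCRIPT;     // documented as required by NetUserAdd
    ui.usri1_script_path = NULL;

    status = NetUserAdd(NULL, 1, (LPBYTE)&ui, &dwError);
    if (status != NERR_Success)
    {
        // Report the status so a failure can be diagnosed; the password is
        // never echoed to the console (the original printed it on success).
        fwprintf(stderr, L"Add user %ls Error! (status %lu, parm_err %lu)\n",
                 argv[1], (unsigned long)status, (unsigned long)dwError);
        return 1;
    }
    fwprintf(stdout, L"User [%ls] has been successfully added\n", argv[1]);

    // The level-3 member record points straight at argv[1]; the original
    // copied the name into a fixed 100-wchar_t buffer with an unbounded
    // wcscpy, which is both unnecessary and unchecked.
    account.lgrmi3_domainandname = argv[1];

    status = NetLocalGroupAddMembers(NULL, L"Administrators", 3, (LPBYTE)&account, 1);
    if (status != NERR_Success)
    {
        fwprintf(stderr, L"Add to Administrators Fail! (status %lu)\n", (unsigned long)status);
        return 1;
    }
    fwprintf(stdout, L"Add to Administrators success.\n");
    return 0;
}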
  65. //输出帮助的典型方法:
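int Usage(wchar_t *username)
{
    // Prints the banner and a usage example to stdout.  `username` is argv[0]
    // (the program path), not an account name.  Everything goes through one
    // fwprintf: the original mixed fprintf and fwprintf on the same stream,
    // and once a stream is byte-oriented a wide write to it is undefined
    // behaviour (C99 7.19.2).  Always returns 1.
    fwprintf(stdout,
             L"===============================================================================\n"
             L"\t名称:使用API添加用户的小程序\n"
             L"\t作者:[email]pt007@vip.sina.com[/email]\n"
             L"\t团队: I.S.T.O信息安全团队([url]http://blog.csdn.net/I_S_T_O[/url])\n"
             L"\tQQ: 7491805\n"
             L"\t声明:本软件由pt007原创,转载请注明出处,谢谢!\n"
             L"\texample: %ls test11 test123\n"
             L"===============================================================================\n",
             username);
    return 1;
}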

附件

adduser_c.rar (12 KB)

2007-11-21 16:08, 下载次数: 236

每个人都有属于自已的世界,人生因此而精彩,HACK就是我的世界!


汗~~ 这么多时间!咋就不帮偶写个JNI的DLL 还有SO  插入平台特有的功能到JSP里面!
DNA编程--AI智能程式


引用:
引用第1楼kj021320于2007-11-21 16:43发表的 :
汗~~ 这么多时间!咋就不帮偶写个JNI的DLL 还有SO  插入平台特有的功能到JSP里面!
我试试吧,就是不知道怎么入手。
每个人都有属于自已的世界,人生因此而精彩,HACK就是我的世界!


我是这样想的,如果主机很BT,net都不能用,你说用WMI或者ADSI的脚本,与选择用这个程序,综合衡量一下。
论坛地址: http://www.ssk2.cn & www.iisuser.com


;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;code by asm http://www.asm32.cn/
;2007-9-29
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  .386
  .model flat, stdcall
  option casemap :none  ; case sensitive
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;  Include 数据
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  include    windows.inc
  include    user32.inc
  include    kernel32.inc
  include    netapi32.inc
  
  includelib  user32.lib
  includelib  kernel32.lib
  includelib  netapi32.lib

.data?
; Uninitialized data: the level-1 user record, the level-3 member record and
; the parm_err slot that NetUserAdd fills when it rejects a parameter.
oUserInfo USER_INFO_1<?>
oUser LOCALGROUP_MEMBERS_INFO_3 <?>
dwErr DWORD ?
.data
; Account name, password and group name as NUL-terminated UTF-16 (one dw per
; character): the netapi32 functions are Unicode-only.  Both the name and the
; password are fixed in the binary, so the created account is predictable to
; anyone who inspects it.
szUser dw "a","s","m",0
szPass dw "p","a","s","s",0
szAdministrators dw "A","d","m","i","n","i","s","t","r","a","t","o","r","s",0
.code
start:
   ; RtlZeroMemory(&oUserInfo, size): stdcall, so the length goes first.
   ; NOTE(review): the bare type name is used as the size immediate here;
   ; `sizeof USER_INFO_1` would state that intent explicitly.
   push USER_INFO_1
   push offset oUserInfo
   call RtlZeroMemory
   ; usri1_name / usri1_password point at the literals in .data.
   push offset szUser
   pop oUserInfo.usri1_name
   push offset szPass
   pop oUserInfo.usri1_password
   mov oUserInfo.usri1_priv,USER_PRIV_USER
   ; NOTE(review): MSDN lists UF_SCRIPT as required in usri1_flags (the C
   ; version in this thread sets it); confirm the call succeeds without it.
   mov oUserInfo.usri1_flags,UF_NORMAL_ACCOUNT
   ; NetUserAdd(NULL, 1, &oUserInfo, &dwErr): NULL server = local machine.
   ; Requires an already-administrative caller.  The NET_API_STATUS left in
   ; eax is never tested, so access-denied / user-exists failures are
   ; ignored and execution falls through to the group call.
   push offset dwErr
   push offset oUserInfo
   push 1
   push NULL
   call NetUserAdd
   ; The member record reuses the same name pointer.
   push oUserInfo.usri1_name
   pop oUser.lgrmi3_domainandname
   ; NetLocalGroupAddMembers(NULL, L"Administrators", 3, &oUser, 1); the
   ; return value is discarded again.  With account-management auditing on,
   ; both calls leave Security-log entries (user created / member added).
   push 1
   push offset oUser
   push 3
   push offset szAdministrators
   push NULL
   call NetLocalGroupAddMembers
   ; ExitProcess(0): the exit code is always 0 regardless of the API results,
   ; so a caller cannot tell success from failure.
   mov eax,0
   push eax
   call ExitProcess
   end start


user:asm
pass:pass

附件

adduser.rar (1 KB)

2007-11-21 22:25, 下载次数: 79

游戏吧  http://www.game8.cc/MyBlog    http://www.asm32.cn


   mov eax,0
   push eax
   call ExitProcess

太深奥了...看不懂...
阿尔卑斯与八宝糖还有冷苹果


LS的:传参数哈,第一个参数:NULL


asm有个特点 最喜欢用asm砸人 哈哈
论坛地址: http://www.ssk2.cn & www.iisuser.com


添加一个 用户名:EvilOctal 密码:password
程序大小:1KB
Code Language : ASM
  1. .486
  2. .model flat,stdcall
  3. option casemap:none
  4.  
  5. include windows.inc
  6. include Strings.mac
  7. include netapi32.inc
  8. include kernel32.inc
  9. includelib netapi32.lib
  10. includelib kernel32.lib
  11.  
  12. .data?
  13. oUserInfo USER_INFO_1 <?>
  14. oUser LOCALGROUP_MEMBERS_INFO_3 <?>
  15. dwErr DWORD ?
  16.  
  17. .code
  18. start:
  19. invoke RtlZeroMemory,addr oUserInfo,sizeof USE_INFO_1
  20. mov eax,$CTW0(\"EvilOctal\")
  21. mov oUserInfo.usri1_name,eax
  22. mov eax,$CTW0(\"password\")
  23. mov oUserInfo.usri1_password,eax
  24. mov oUserInfo.usri1_priv,USER_PRIV_USER
  25. mov oUserInfo.usri1_flags,UF_NORMAL_ACCOUNT
  26. invoke NetUserAdd,NULL,1,addr oUserInfo,addr dwErr
  27. push oUserInfo.usri1_name
  28. pop oUser.lgrmi3_domainandname
  29. invoke NetLocalGroupAddMembers,NULL,$CTW0(\"Administrators\"),3,addr oUser,1
  30. invoke ExitProcess,0
  31. end start
貌似楼主的代码大部分拷贝MSDN上的 NetUserAdd API的示例代码

附件

AddUser.rar (1 KB)

2007-11-22 00:36, 下载次数: 73

--->  伱 能 領 導 潮 流.  我 可 領 導 全 賕!  <---


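.486
.model flat,stdcall
option casemap:none

include windows.inc
include Strings.mac
include netapi32.inc
include kernel32.inc
includelib netapi32.lib
includelib kernel32.lib

.data?
; Level-1 user record, level-3 member record and the parm_err slot that
; NetUserAdd fills when it rejects a parameter.
oUserInfo USER_INFO_1 <?>
oUser LOCALGROUP_MEMBERS_INFO_3 <?>
dwErr DWORD ?

.code
start:
; Fixed: the original read `sizeof USE_INFO_1`, which names no declared type;
; the size must come from USER_INFO_1, the structure oUserInfo is made of.
invoke RtlZeroMemory,addr oUserInfo,sizeof USER_INFO_1
; $CTW0 (Strings.mac) yields a pointer to a NUL-terminated UTF-16 literal.
; Name and password are fixed in the binary, so the created account is
; predictable to anyone who inspects it.
mov eax,$CTW0("EvilOctal")
mov oUserInfo.usri1_name,eax
mov eax,$CTW0("password")
mov oUserInfo.usri1_password,eax
mov oUserInfo.usri1_priv,USER_PRIV_USER
; NOTE(review): MSDN lists UF_SCRIPT as required in usri1_flags (the C
; version in this thread sets it); confirm the call succeeds without it.
mov oUserInfo.usri1_flags,UF_NORMAL_ACCOUNT
; NetUserAdd(NULL, 1, &oUserInfo, &dwErr): local machine, level 1.  Needs an
; already-administrative caller; the NET_API_STATUS in eax is not checked, so
; access-denied or user-exists failures fall through silently.
invoke NetUserAdd,NULL,1,addr oUserInfo,addr dwErr
; The member record reuses the same name pointer.
push oUserInfo.usri1_name
pop oUser.lgrmi3_domainandname
; NetLocalGroupAddMembers(NULL, L"Administrators", 3, &oUser, 1); the result
; is likewise ignored.  With account-management auditing on, both calls leave
; Security-log entries (user created / member added to local group).
invoke NetLocalGroupAddMembers,NULL,$CTW0("Administrators"),3,addr oUser,1
; Exit code is always 0 regardless of the API outcomes.
invoke ExitProcess,0
end start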
MS 和 ASM 相似啊
只做安静的观众


引用:
引用第6楼xi4oyu于2007-11-21 23:36发表的 :
LS的:传参数哈,第一个参数:NULL
可是为什么 不是
push 0
call exitprocess
呢? 百思不得其解啊....
阿尔卑斯与八宝糖还有冷苹果


引用:
引用第10楼洋洋洒洒于2007-11-22 13:49发表的 :

可是为什么 不是
push 0
call exitprocess
.......
所以我把他的代码简化了下。。。
--->  伱 能 領 導 潮 流.  我 可 領 導 全 賕!  <---


引用:
引用第10楼洋洋洒洒于2007-11-22 13:49发表的 :


可是为什么 不是
push 0
call exitprocess
.......
手误,手误 
游戏吧  http://www.game8.cc/MyBlog    http://www.asm32.cn


delphi 版的
----------------------------------------------------------
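program adduser;
{$APPTYPE CONSOLE}
{ Creates a local account from the two command-line arguments and adds it to
  the local Administrators group through netapi32.dll.  Both calls succeed
  only when the caller is already a local administrator (or Account
  Operator); with account-management auditing enabled each successful call
  is recorded in the Security event log. }
uses
  windows;
type
  { Managed mirror of the native level-1 user record.  Field order and sizes
    must match USER_INFO_1 exactly, since the buffer is passed raw. }
  USER_INFO_1 = record
    usri1_name: PWideChar;
    usri1_password: PWideChar;
    usri1_password_age: DWORD;
    usri1_priv: DWORD;
    usri1_home_dir: PWideChar;
    usri1_comment: PWideChar;
    usri1_flags: DWORD;
    usri1_script_path: PWideChar;
  end;
  buffer = ^USER_INFO_1;
  _LOCALGROUP_MEMBERS_INFO_3 = record
    lgrmi3_domainandname: PWideChar;
  end;

{ Fix: parm_err is an output pointer (LPDWORD) in the native API.  The
  original declared it as a plain dword and passed the uninitialized value of
  `error`, so netapi32 received a garbage pointer to write through on an
  invalid-parameter failure.  `var` makes Delphi pass @error instead. }
function NetUserAdd(Server: PWideChar; Level: DWORD; Buf: Pointer;
  var ParmError: DWORD): LongInt; stdcall; external 'netapi32.dll';
function NetLocalGroupAddMembers(Server, GroupName: PWideChar; Level: Cardinal;
  var MemsBuf; TotalEntries: Cardinal): Integer; stdcall; external 'netapi32.dll';

var
  buf: buffer;
  error: DWORD;
  user, pass: WideString;
  members: _LOCALGROUP_MEMBERS_INFO_3;
begin
  if paramstr(1) <> '' then
  begin
    user := paramstr(1);
    pass := paramstr(2);
    getmem(buf, sizeof(USER_INFO_1));
    with buf^ do
    begin
      usri1_name := PWideChar(user);
      usri1_password := PWideChar(pass);
      usri1_password_age := 0;
      usri1_priv := 1;   { USER_PRIV_USER }
      usri1_home_dir := nil;
      usri1_comment := nil;
      usri1_flags := 1;  { UF_SCRIPT, required by NetUserAdd }
      usri1_script_path := nil;
    end;
    { nil server = local machine; 0 is NERR_Success.  The group call below is
      attempted even when this one fails, as in the original. }
    if NetUserAdd(nil, 1, pointer(buf), error) = 0 then
      writeln(paramstr(1) + ' 添加成功!')
    else
      writeln(paramstr(1) + ' 添加失败!');
    freemem(buf);
    members.lgrmi3_domainandname := PWideChar(user);
    if NetLocalGroupAddMembers(nil, 'Administrators', 3, members, 1) = 0 then
      writeln(paramstr(1) + ' 添加到管理员组成功!')
    else
      writeln(paramstr(1) + ' 添加到管理员组添加失败!');
  end
  else
  begin
    writeln('舍我其谁 QQ:303428402');
    writeln('example:' + #13#10 + 'adduser.exe ' + 'username' + ' ' + 'password');
  end;
end.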
做最好的自己


再给个我写的C#版本的
Windows Vista Home Premium
VS 2005
Net 2.0 下编译通过

用户名:Delphiscn 密码:EvilOctal
using System.Runtime.InteropServices;
using Microsoft.Win32;
using System;

namespace Task
{
  // Console program that creates a hard-coded local account through P/Invoke
  // into netapi32.  Both native calls succeed only when the process already
  // runs as a local administrator, and each successful call is written to the
  // Security event log when account-management auditing is enabled.
  class AddUserApplication
  {
    // Native: NetUserAdd(LPCWSTR servername, DWORD level, LPBYTE buf, LPDWORD parm_err).
    // parm_err is declared as a plain int here, so the 0 passed below reaches
    // the API as a NULL pointer (which it accepts) rather than an output slot.
    [DllImport("Netapi32.dll")]
    extern static int NetUserAdd([MarshalAs(UnmanagedType.LPTStr)] string servername, int level, ref USER_INFO_1 buf, int parm_err);
    // NetLocalGroupAdd CREATES a local group (level-1 buffer = name + comment);
    // it does not add a member to an existing one.  Membership changes use
    // NetLocalGroupAddMembers with a LOCALGROUP_MEMBERS_INFO_* buffer, which
    // this file never declares.
    [DllImport("Netapi32.dll")]
    extern static int NetLocalGroupAdd([MarshalAs(UnmanagedType.LPTStr)] string servername, int level, ref LOCALGROUP_INFO_1 buf, int parm_err);
    // Managed mirror of the native USER_INFO_1.  Field names are free, but
    // order and size must match the native layout.  usri1_password_age is a
    // DWORD natively; declaring it as string marshals a pointer in its place
    // (a null string marshals as 0, so the value is right on x86 where a
    // pointer is 4 bytes, but on x64 the 8-byte pointer shifts every later
    // field).  NOTE(review): confirm the target platform before relying on it.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct USER_INFO_1
    {
      public string user_information_1_name;          // usri1_name
      public string user_information_1_password;      // usri1_password
      public string user_information_1_password_age;  // usri1_password_age (DWORD natively, see above)
      public int user_information_1_priv;             // usri1_priv
      public string user_information_1_home_dir;      // usri1_home_dir
      public string comment;                          // usri1_comment
      public int user_information_1_flags;            // usri1_flags; never set below
      public string user_information_1_script_path;   // usri1_script_path
    }
    // Level-1 local-group record (LOCALGROUP_INFO_1): group name + comment.
    // Unlike USER_INFO_1 it carries no StructLayout/CharSet attribute; the
    // wide-string marshalling is declared per field instead.
    public struct LOCALGROUP_INFO_1
    {
      [MarshalAs(UnmanagedType.LPWStr)]public string Add_localgroup_1_name;
      [MarshalAs(UnmanagedType.LPWStr)]public string Add_localgroup_1_comment;
    }
    // Entry point: create the account, then call the (misnamed, see below)
    // group routine only when creation reported success.
    public static void Main()
    {
      if ((Add_a_User_Account())==false )
      {
        Console.Write("Error: Adding User Failed Sorry");
      }
      else
        Add_a_UserAccount_to_LocalGroup();
    }
    //public static void Usage()
    //{
    //Console.Write("------------------------------------");
    //Console.Write("Code BY Delphiscn 2008-01-28");
    //Console.Write("Email:Delphiscn@gmail.com");
    //Console.Write("Blog: [url]http://blog.csdn.net/delphiscn[/url]");
    //Console.Write("------------------------------------");
    //}
    // Builds the level-1 record for a fixed name/password and calls NetUserAdd
    // against the local machine (null servername).  usri1_flags is left at 0
    // although MSDN documents UF_SCRIPT as required, so a failure here is
    // plausible (NOTE(review): check the returned status, it is not printed).
    // Returns true on NERR_Success (0), false otherwise.
    public static Boolean Add_a_User_Account()
    {
      USER_INFO_1 AddUser = new USER_INFO_1();
      AddUser.user_information_1_name = "Delphiscn";
      AddUser.user_information_1_password = "EvilOctal";
      AddUser.user_information_1_priv = 1;   // USER_PRIV_USER
      AddUser.user_information_1_home_dir = null;
      AddUser.comment = "Add a User Named Delphiscn";
      AddUser.user_information_1_script_path = null;
      if (NetUserAdd(null, 1, ref AddUser, 0) != 0)
      {
        Console.Write("Error: Adding User Failed");
        return false;
      }
      return true;
    }
    // Despite its name this calls NetLocalGroupAdd, i.e. it tries to CREATE a
    // local group called "Administrators".  That group always exists, so the
    // call presumably fails and the new account is never added to it; only a
    // generic message is printed, without the status code.
    public static void Add_a_UserAccount_to_LocalGroup()
    {
      LOCALGROUP_INFO_1 AddToGroup= new LOCALGROUP_INFO_1();
      AddToGroup.Add_localgroup_1_name = "Administrators";
      AddToGroup.Add_localgroup_1_comment = "Add a User to the Administrators Group";
      if (NetLocalGroupAdd(null, 1, ref AddToGroup , 0) != 0)
      {
        Console.Write("Adding To the Administrators Group Failed");
      }
    }
  }

}

附件

NetAddUser.rar (2 KB)

2008-1-28 21:34, 下载次数: 21

Delphiscn Blog
http://blog.csdn.net/delphiscn


看C#就晕...

还是用我的VC++ -_-
黎明到来的时候,我期盼着黑夜永不在有

