// Decompiled with JetBrains decompiler
// Type: Microsoft.InfoCards.AccessibilityHelperForXpWin2k3
// Assembly: infocard, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
// MVID: ADE0A079-11DB-4A46-8BDE-D2A592CA8DEA
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Virus.Win32.Expiro.w-67b630ead60119692b9abbdfd8717c96904ef041127c2cae033c86b718eaa61e.exe
using Microsoft.InfoCards.Diagnostics;
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Security.Principal;
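namespace Microsoft.InfoCards
{
    /// <summary>
    /// Accessibility helper for the XP / Server 2003 code path (per the type name). It stops the
    /// assistive-technology (AT) programs listed in <see cref="atApplications"/> that run in a
    /// user's session, registers them with a <see cref="ProcessManager"/> for the InfoCard
    /// desktop, and later starts them again for the user.
    /// </summary>
    /// <remarks>
    /// Security-relevant properties visible in this type:
    /// <list type="bullet">
    /// <item>Every image that is started is a hard-coded file name combined with the System
    /// directory; no path or command line is taken from the registry or from a caller.</item>
    /// <item>The "Start on locked desktop" value is read from under HKEY_USERS\&lt;user SID&gt;,
    /// a hive the logged-on user can normally write. It is treated as untrusted and only selects
    /// among the fixed table entries.</item>
    /// <item>Running processes are matched by image name and session id only, not by full path or
    /// signature, so the match is not an identity check.</item>
    /// </list>
    /// NOTE(review): the decompiler header attributes this file to a sample labelled
    /// Virus.Win32.Expiro. Nothing in this type looks injected; it reads as ordinary code of the
    /// infocard host assembly. Confirm against a known-good copy of the assembly.
    /// </remarks>
    internal class AccessibilityHelperForXpWin2k3 : IAccessibilityHelper, IDisposable
    {
        // Index of the On-Screen Keyboard entry in atApplications.
        private const int OSKIndex = 0;

        private static readonly string systemPath = Environment.GetFolderPath(Environment.SpecialFolder.System);
        private static readonly string baseRegistryPath = "\\SOFTWARE\\Microsoft\\Utility Manager\\";
        private static readonly string keyName = "Start on locked desktop";

        // Fixed table of AT programs: registry sub-key name, image file name, optional companion
        // process name.
        // NOTE(review): the field is assembly-visible and not readonly, and its entries decide which
        // System-directory images get started. If nothing else assigns it, making it readonly would
        // narrow that surface (not changed here because other users of the field are not visible).
        internal static AccessibilityHelperForXpWin2k3.DownlevelAtData[] atApplications = new AccessibilityHelperForXpWin2k3.DownlevelAtData[3]
        {
            new AccessibilityHelperForXpWin2k3.DownlevelAtData("On-Screen Keyboard", "osk.exe", "msswchx"),
            new AccessibilityHelperForXpWin2k3.DownlevelAtData("Magnifier", "magnify.exe", (string) null),
            new AccessibilityHelperForXpWin2k3.DownlevelAtData("Narrator", "narrator.exe", (string) null)
        };

        // Indices into atApplications of the programs that were stopped and must be restarted.
        private List<int> m_restartList = new List<int>();

        // Holds the processes registered for the InfoCard desktop; null while none are registered.
        private ProcessManager m_manager;

        // When true, the On-Screen Keyboard entry is handled even if the user has not enabled it.
        private bool m_fTabletPC;

        /// <summary>Creates the helper.</summary>
        /// <param name="fTabletPC">Whether the On-Screen Keyboard entry is always handled.</param>
        public AccessibilityHelperForXpWin2k3(bool fTabletPC) => this.m_fTabletPC = fTabletPC;

        /// <summary>Releases the process manager, if one was created.</summary>
        void IAccessibilityHelper.Stop()
        {
            // Stop and Dispose perform the same teardown; keep a single implementation.
            this.Dispose();
        }

        /// <summary>
        /// Starts, through CreateProcessAsUserHelperWrapper, every program recorded in the restart
        /// list, then clears the list.
        /// </summary>
        /// <param name="userProcessId">Passed through to the native helper.</param>
        /// <param name="userDesktop">Desktop name passed through to the native helper.</param>
        /// <param name="userIdentity">Identity whose Name is passed to the native helper.</param>
        /// <returns>Always <c>false</c>.</returns>
        bool IAccessibilityHelper.RestartOnUsersDesktop(
            uint userProcessId,
            string userDesktop,
            WindowsIdentity userIdentity)
        {
            InfoCardTrace.Assert(null == this.m_manager, "The AT applications must be terminated before they can be restarted");

            // NOTE(review): SystemIdentity is declared elsewhere; presumably it switches the thread
            // to the service's own identity for the duration of the block. Confirm.
            using (new SystemIdentity(false))
            {
                foreach (int restart in this.m_restartList)
                {
                    // Path is the System directory plus a hard-coded file name from the table.
                    string application = Path.Combine(systemPath, atApplications[restart].Image);
                    int pid = 0;

                    // NOTE(review): the helper's status code is not inspected, as in the original,
                    // so a failed restart is silent here. Consider tracing it.
                    NativeMcppMethods.CreateProcessAsUserHelperWrapper(application, "", userProcessId, userDesktop, userIdentity.Name, ref pid);
                }
            }

            this.m_restartList.Clear();
            return false;
        }

        /// <summary>
        /// For each table entry that is enabled for the user (or forced by the tablet flag), stops
        /// the matching process in the user's session, records it for restart, and registers the
        /// entry with the process manager for the InfoCard desktop.
        /// </summary>
        /// <param name="ATApplicationFlags">Entries are registered only when this is non-zero.</param>
        /// <param name="hTrustedUserToken">Passed through to ProcessManager.AddProcess.</param>
        /// <param name="trustedUserSid">Passed to the ProcessManager constructor and, by reference, to AddProcess.</param>
        /// <param name="infocardDesktop">Desktop name passed through to AddProcess.</param>
        /// <param name="userSessionId">Session whose AT processes are stopped.</param>
        /// <param name="userProcessId">Passed through to AddProcess.</param>
        /// <param name="userIdentity">Identity whose SID selects the registry hive under HKEY_USERS.</param>
        void IAccessibilityHelper.RestartOnInfoCardDesktop(
            uint ATApplicationFlags,
            SafeNativeHandle hTrustedUserToken,
            ref string trustedUserSid,
            string infocardDesktop,
            int userSessionId,
            uint userProcessId,
            WindowsIdentity userIdentity)
        {
            using (new SystemIdentity(false))
            {
                InfoCardTrace.Assert(null == this.m_manager, "The AT applications are already started");
                this.m_restartList.Clear();

                bool oskRegistered = false;
                string userSid = userIdentity.User.Value;

                for (int index = 0; index < atApplications.Length; ++index)
                {
                    DownlevelAtData application = atApplications[index];

                    bool startOnLockedDesktop = IsStartOnLockedDesktopEnabled(userSid, application);
                    bool forcedForTablet = this.m_fTabletPC && index == OSKIndex;
                    if (!startOnLockedDesktop && !forcedForTablet)
                    {
                        continue;
                    }

                    // Matching is by image name (extension stripped) and session id only.
                    string processName = application.Image.Substring(0, application.Image.LastIndexOf('.'));
                    bool foundInSession = false;

                    Process[] running = Process.GetProcessesByName(processName);
                    try
                    {
                        foreach (Process p in running)
                        {
                            if (userSessionId == p.SessionId)
                            {
                                foundInSession = true;
                                this.m_restartList.Add(index);

                                // Only the first match is handled, whether or not the kill succeeds.
                                Utility.KillHelper(p);
                                break;
                            }
                        }
                    }
                    finally
                    {
                        // The original never released these Process objects.
                        DisposeAll(running);
                    }

                    if (foundInSession && application.AdditionalImage != null)
                    {
                        Process[] companions = Process.GetProcessesByName(application.AdditionalImage);
                        try
                        {
                            foreach (Process p in companions)
                            {
                                // Keeps trying further matches until one kill succeeds.
                                if (userSessionId == p.SessionId && Utility.KillHelper(p))
                                {
                                    break;
                                }
                            }
                        }
                        finally
                        {
                            DisposeAll(companions);
                        }
                    }

                    if (startOnLockedDesktop && ATApplicationFlags != 0U)
                    {
                        this.AddToInfoCardDesktop(hTrustedUserToken, ref trustedUserSid, infocardDesktop, userSessionId, userProcessId, userIdentity, application.Image);
                        if (index == OSKIndex)
                        {
                            oskRegistered = true;
                        }
                    }
                }

                if (!this.m_fTabletPC || oskRegistered)
                {
                    return;
                }

                // Tablet flag set and the On-Screen Keyboard not registered above: register it now.
                this.AddToInfoCardDesktop(hTrustedUserToken, ref trustedUserSid, infocardDesktop, userSessionId, userProcessId, userIdentity, atApplications[OSKIndex].Image);
            }
        }

        /// <summary>Disposes the process manager, if any, and forgets it.</summary>
        public void Dispose()
        {
            if (this.m_manager == null)
            {
                return;
            }

            this.m_manager.Dispose();
            this.m_manager = (ProcessManager) null;
        }

        /// <summary>
        /// Reads the per-user "Start on locked desktop" value for one table entry.
        /// </summary>
        /// <returns><c>true</c> only when the value exists, is an Int32, and equals 1.</returns>
        private static bool IsStartOnLockedDesktopEnabled(string userSid, DownlevelAtData application)
        {
            using (RegistryKey registryKey = Registry.Users.OpenSubKey(userSid + baseRegistryPath + application.RegistryPath))
            {
                if (registryKey == null)
                {
                    return false;
                }

                // The value lives in the user's own hive, so it is read exactly once and then
                // type-checked. The original called GetValueKind followed by GetValue: GetValueKind
                // throws IOException when the value is absent, and the value could change type
                // between the two reads, making the (int) unboxing throw.
                object value = registryKey.GetValue(keyName);
                return value is int && (int) value == 1;
            }
        }

        /// <summary>
        /// Creates the process manager on first use and registers a System-directory image with it
        /// through AddProcess, with an empty argument string and without the elevated token.
        /// </summary>
        private void AddToInfoCardDesktop(
            SafeNativeHandle hTrustedUserToken,
            ref string trustedUserSid,
            string infocardDesktop,
            int userSessionId,
            uint userProcessId,
            WindowsIdentity userIdentity,
            string image)
        {
            string fullPath = Path.Combine(systemPath, image);
            if (this.m_manager == null)
            {
                this.m_manager = new ProcessManager(userSessionId, trustedUserSid);
            }

            bool fUseElevatedToken = false;
            this.m_manager.AddProcess(hTrustedUserToken, ref trustedUserSid, infocardDesktop, userProcessId, userIdentity, fullPath, "", fUseElevatedToken);
        }

        /// <summary>Releases every Process object in the array.</summary>
        private static void DisposeAll(Process[] processes)
        {
            foreach (Process process in processes)
            {
                process.Dispose();
            }
        }

        /// <summary>One entry of the fixed AT program table.</summary>
        internal struct DownlevelAtData
        {
            // Sub-key name appended to the Utility Manager registry path.
            public string RegistryPath;

            // Image file name, combined with the System directory before use.
            public string Image;

            // Optional companion process name stopped together with Image; may be null.
            public string AdditionalImage;

            public DownlevelAtData(string path, string image, string additional)
            {
                this.RegistryPath = path;
                this.Image = image;
                this.AdditionalImage = additional;
            }
        }
    }
}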