mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-22 19:36:11 +00:00
207 lines
6.9 KiB
C#
207 lines
6.9 KiB
C#
|
// Decompiled with JetBrains decompiler
|
|||
|
// Type: SmartAssembly.AssemblyResolver.AssemblyResolverHelper
|
|||
|
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
|
|||
|
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
|
|||
|
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
|
|||
|
|
|||
|
using SmartAssembly.Zip;
|
|||
|
using System;
|
|||
|
using System.Collections;
|
|||
|
using System.Diagnostics;
|
|||
|
using System.IO;
|
|||
|
using System.Reflection;
|
|||
|
using System.Runtime.InteropServices;
|
|||
|
using System.Text;
|
|||
|
|
|||
|
namespace SmartAssembly.AssemblyResolver
|
|||
|
{
|
|||
|
internal sealed class AssemblyResolverHelper
|
|||
|
{
|
|||
|
internal const string BindList = "{71461f04-2faa-4bb9-a0dd-28a79101b599}";
|
|||
|
private const int MOVEFILE_DELAY_UNTIL_REBOOT = 4;
|
|||
|
private static Hashtable hashtable = new Hashtable();
|
|||
|
|
|||
|
[DllImport("kernel32")]
|
|||
|
private static extern bool MoveFileEx(string existingFileName, string newFileName, int flags);
|
|||
|
|
|||
|
internal static bool IsWebApplication
|
|||
|
{
|
|||
|
get
|
|||
|
{
|
|||
|
try
|
|||
|
{
|
|||
|
string lower = Process.GetCurrentProcess().MainModule.ModuleName.ToLower();
|
|||
|
if (lower == "w3wp.exe")
|
|||
|
return true;
|
|||
|
if (lower == "aspnet_wp.exe")
|
|||
|
return true;
|
|||
|
}
|
|||
|
catch
|
|||
|
{
|
|||
|
}
|
|||
|
return false;
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
internal static void Attach()
|
|||
|
{
|
|||
|
try
|
|||
|
{
|
|||
|
AppDomain.CurrentDomain.AssemblyResolve += new ResolveEventHandler(AssemblyResolverHelper.ResolveAssembly);
|
|||
|
}
|
|||
|
catch
|
|||
|
{
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
internal static Assembly ResolveAssembly(object sender, ResolveEventArgs e)
|
|||
|
{
|
|||
|
AssemblyResolverHelper.AssemblyInfo assemblyInfo = new AssemblyResolverHelper.AssemblyInfo(e.Name);
|
|||
|
string base64String1 = Convert.ToBase64String(Encoding.UTF8.GetBytes(assemblyInfo.GetAssemblyFullName(false)));
|
|||
|
string[] strArray = "ezJkYzBkMzY3LTQ2MDEtNGJjNS04Y2Q0LWFlM2E2MGY1NzYwMH0sIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49M2U1NjM1MDY5M2Y3MzU1ZQ==,[z]{b9141284-224a-4b92-8f0a-8b542563c270},ezJkYzBkMzY3LTQ2MDEtNGJjNS04Y2Q0LWFlM2E2MGY1NzYwMH0=,[z]{b9141284-224a-4b92-8f0a-8b542563c270}".Split(',');
|
|||
|
string str1 = string.Empty;
|
|||
|
bool flag1 = false;
|
|||
|
bool flag2 = false;
|
|||
|
for (int index = 0; index < strArray.Length - 1; index += 2)
|
|||
|
{
|
|||
|
if (strArray[index] == base64String1)
|
|||
|
{
|
|||
|
str1 = strArray[index + 1];
|
|||
|
break;
|
|||
|
}
|
|||
|
}
|
|||
|
if (str1.Length == 0 && assemblyInfo.PublicKeyToken.Length == 0)
|
|||
|
{
|
|||
|
string base64String2 = Convert.ToBase64String(Encoding.UTF8.GetBytes(assemblyInfo.Name));
|
|||
|
for (int index = 0; index < strArray.Length - 1; index += 2)
|
|||
|
{
|
|||
|
if (strArray[index] == base64String2)
|
|||
|
{
|
|||
|
str1 = strArray[index + 1];
|
|||
|
break;
|
|||
|
}
|
|||
|
}
|
|||
|
}
|
|||
|
if (str1.Length > 0)
|
|||
|
{
|
|||
|
if (str1[0] == '[')
|
|||
|
{
|
|||
|
int num = str1.IndexOf(']');
|
|||
|
string str2 = str1.Substring(1, num - 1);
|
|||
|
flag1 = str2.IndexOf('z') >= 0;
|
|||
|
flag2 = str2.IndexOf('t') >= 0;
|
|||
|
str1 = str1.Substring(num + 1);
|
|||
|
}
|
|||
|
lock (AssemblyResolverHelper.hashtable)
|
|||
|
{
|
|||
|
if (AssemblyResolverHelper.hashtable.ContainsKey((object) str1))
|
|||
|
return (Assembly) AssemblyResolverHelper.hashtable[(object) str1];
|
|||
|
Stream manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream(str1);
|
|||
|
if (manifestResourceStream != null)
|
|||
|
{
|
|||
|
int length = (int) manifestResourceStream.Length;
|
|||
|
byte[] numArray = new byte[length];
|
|||
|
manifestResourceStream.Read(numArray, 0, length);
|
|||
|
if (flag1)
|
|||
|
numArray = SimpleZip.Unzip(numArray);
|
|||
|
Assembly assembly = (Assembly) null;
|
|||
|
if (!flag2)
|
|||
|
{
|
|||
|
try
|
|||
|
{
|
|||
|
assembly = Assembly.Load(numArray);
|
|||
|
}
|
|||
|
catch (FileLoadException ex)
|
|||
|
{
|
|||
|
flag2 = true;
|
|||
|
}
|
|||
|
catch (BadImageFormatException ex)
|
|||
|
{
|
|||
|
flag2 = true;
|
|||
|
}
|
|||
|
}
|
|||
|
if (flag2)
|
|||
|
{
|
|||
|
try
|
|||
|
{
|
|||
|
string str3 = string.Format("{0}{1}\\", (object) Path.GetTempPath(), (object) str1);
|
|||
|
Directory.CreateDirectory(str3);
|
|||
|
string str4 = str3 + assemblyInfo.Name + ".dll";
|
|||
|
if (!File.Exists(str4))
|
|||
|
{
|
|||
|
FileStream fileStream = File.OpenWrite(str4);
|
|||
|
fileStream.Write(numArray, 0, numArray.Length);
|
|||
|
fileStream.Close();
|
|||
|
AssemblyResolverHelper.MoveFileEx(str4, (string) null, 4);
|
|||
|
AssemblyResolverHelper.MoveFileEx(str3, (string) null, 4);
|
|||
|
}
|
|||
|
assembly = Assembly.LoadFile(str4);
|
|||
|
}
|
|||
|
catch
|
|||
|
{
|
|||
|
}
|
|||
|
}
|
|||
|
AssemblyResolverHelper.hashtable[(object) str1] = (object) assembly;
|
|||
|
return assembly;
|
|||
|
}
|
|||
|
}
|
|||
|
}
|
|||
|
return (Assembly) null;
|
|||
|
}
|
|||
|
|
|||
|
internal struct AssemblyInfo
|
|||
|
{
|
|||
|
public string Name;
|
|||
|
public Version Version;
|
|||
|
public string Culture;
|
|||
|
public string PublicKeyToken;
|
|||
|
|
|||
|
public string GetAssemblyFullName(bool includeVersion)
|
|||
|
{
|
|||
|
StringBuilder stringBuilder = new StringBuilder();
|
|||
|
stringBuilder.Append(this.Name);
|
|||
|
if (includeVersion && this.Version != (Version) null)
|
|||
|
{
|
|||
|
stringBuilder.Append(", Version=");
|
|||
|
stringBuilder.Append((object) this.Version);
|
|||
|
}
|
|||
|
stringBuilder.Append(", Culture=");
|
|||
|
stringBuilder.Append(this.Culture.Length == 0 ? "neutral" : this.Culture);
|
|||
|
stringBuilder.Append(", PublicKeyToken=");
|
|||
|
stringBuilder.Append(this.PublicKeyToken.Length == 0 ? "null" : this.PublicKeyToken);
|
|||
|
return stringBuilder.ToString();
|
|||
|
}
|
|||
|
|
|||
|
public AssemblyInfo(string assemblyFullName)
|
|||
|
{
|
|||
|
this.Version = (Version) null;
|
|||
|
this.Culture = string.Empty;
|
|||
|
this.PublicKeyToken = string.Empty;
|
|||
|
this.Name = string.Empty;
|
|||
|
string str1 = assemblyFullName;
|
|||
|
char[] chArray = new char[1]{ ',' };
|
|||
|
foreach (string str2 in str1.Split(chArray))
|
|||
|
{
|
|||
|
string str3 = str2.Trim();
|
|||
|
if (str3.StartsWith("Version="))
|
|||
|
this.Version = new Version(str3.Substring(8));
|
|||
|
else if (str3.StartsWith("Culture="))
|
|||
|
{
|
|||
|
this.Culture = str3.Substring(8);
|
|||
|
if (this.Culture == "neutral")
|
|||
|
this.Culture = string.Empty;
|
|||
|
}
|
|||
|
else if (str3.StartsWith("PublicKeyToken="))
|
|||
|
{
|
|||
|
this.PublicKeyToken = str3.Substring(15);
|
|||
|
if (this.PublicKeyToken == "null")
|
|||
|
this.PublicKeyToken = string.Empty;
|
|||
|
}
|
|||
|
else
|
|||
|
this.Name = str3;
|
|||
|
}
|
|||
|
}
|
|||
|
}
|
|||
|
}
|
|||
|
}
|