mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-22 19:36:11 +00:00
125 lines
4.8 KiB
C#
125 lines
4.8 KiB
C#
|
// Decompiled with JetBrains decompiler
|
|||
|
// Type: Microsoft.InfoCards.AccessibilityHelperForVista
|
|||
|
// Assembly: infocard, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
|
|||
|
// MVID: 1D4D5564-A025-490C-AF1D-DF4FBB709D1F
|
|||
|
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Virus.Win32.Expiro.w-f8f9f26e940480624825f6bddbea86e70fc4aa746c4dd8efa7d98dcb477000ed.exe
|
|||
|
|
|||
|
using Microsoft.InfoCards.Diagnostics;
|
|||
|
using Microsoft.Win32;
|
|||
|
using System;
|
|||
|
using System.Collections.Generic;
|
|||
|
using System.Diagnostics;
|
|||
|
using System.IO;
|
|||
|
using System.Security.Principal;
|
|||
|
|
|||
|
namespace Microsoft.InfoCards
|
|||
|
{
|
|||
|
internal class AccessibilityHelperForVista : IAccessibilityHelper, IDisposable
|
|||
|
{
|
|||
|
private static readonly string systemPath = Environment.GetFolderPath(Environment.SpecialFolder.System);
|
|||
|
private static readonly string progfilePath = Environment.GetFolderPath(Environment.SpecialFolder.CommonProgramFiles);
|
|||
|
private static readonly string baseATPath = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs";
|
|||
|
private static readonly string configPath = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Session";
|
|||
|
private List<string> m_applicationList = new List<string>();
|
|||
|
private ProcessManager m_manager;
|
|||
|
private bool m_fResetConfigKey;
|
|||
|
private int m_sessionId;
|
|||
|
private bool m_fTabletPC;
|
|||
|
|
|||
|
public AccessibilityHelperForVista(bool fTabletPC)
|
|||
|
{
|
|||
|
this.m_fTabletPC = fTabletPC;
|
|||
|
this.InitializeATAppData();
|
|||
|
}
|
|||
|
|
|||
|
private void InitializeATAppData()
|
|||
|
{
|
|||
|
RegistryKey registryKey = Registry.LocalMachine.OpenSubKey(AccessibilityHelperForVista.baseATPath);
|
|||
|
foreach (string subKeyName in registryKey.GetSubKeyNames())
|
|||
|
{
|
|||
|
string str = (string) registryKey.OpenSubKey(subKeyName).GetValue("ATExe");
|
|||
|
if (!string.IsNullOrEmpty(str))
|
|||
|
this.m_applicationList.Add(str);
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
void IAccessibilityHelper.Stop()
|
|||
|
{
|
|||
|
if (this.m_manager == null)
|
|||
|
return;
|
|||
|
this.m_manager.Dispose();
|
|||
|
this.m_manager = (ProcessManager) null;
|
|||
|
}
|
|||
|
|
|||
|
bool IAccessibilityHelper.RestartOnUsersDesktop(
|
|||
|
uint userProcessId,
|
|||
|
string userDesktop,
|
|||
|
WindowsIdentity userIdentity)
|
|||
|
{
|
|||
|
InfoCardTrace.Assert(null == this.m_manager, "The AT applications must be terminated before they can be restarted");
|
|||
|
if (!this.m_fResetConfigKey)
|
|||
|
return false;
|
|||
|
Registry.LocalMachine.OpenSubKey(AccessibilityHelperForVista.configPath + (object) this.m_sessionId, true).SetValue("Configuration", (object) "");
|
|||
|
this.m_fResetConfigKey = false;
|
|||
|
return true;
|
|||
|
}
|
|||
|
|
|||
|
void IAccessibilityHelper.RestartOnInfoCardDesktop(
|
|||
|
uint userATApplicationFlags,
|
|||
|
SafeNativeHandle hTrustedUserToken,
|
|||
|
ref string trustedUserSid,
|
|||
|
string infocardDesktop,
|
|||
|
int userSessionId,
|
|||
|
uint userProcessId,
|
|||
|
WindowsIdentity userIdentity)
|
|||
|
{
|
|||
|
using (new SystemIdentity(false))
|
|||
|
{
|
|||
|
InfoCardTrace.Assert(null == this.m_manager, "The AT applications are already started");
|
|||
|
this.m_fResetConfigKey = false;
|
|||
|
this.m_sessionId = userSessionId;
|
|||
|
string str = userIdentity.User.Value;
|
|||
|
for (int index = 0; index < this.m_applicationList.Count; ++index)
|
|||
|
{
|
|||
|
string application = this.m_applicationList[index];
|
|||
|
Process[] processesByName = Process.GetProcessesByName(application.Substring(0, application.LastIndexOf('.')));
|
|||
|
if (processesByName != null)
|
|||
|
{
|
|||
|
foreach (Process p in processesByName)
|
|||
|
{
|
|||
|
if (userSessionId == p.SessionId)
|
|||
|
{
|
|||
|
this.m_fResetConfigKey = true;
|
|||
|
if (!Utility.KillHelper(p))
|
|||
|
break;
|
|||
|
break;
|
|||
|
}
|
|||
|
}
|
|||
|
}
|
|||
|
}
|
|||
|
if (this.m_manager == null)
|
|||
|
this.m_manager = new ProcessManager(userSessionId, trustedUserSid);
|
|||
|
string fullPath1 = Path.Combine(AccessibilityHelperForVista.systemPath, "AtBroker.exe");
|
|||
|
if (userATApplicationFlags != 0U)
|
|||
|
{
|
|||
|
bool fUseElevatedToken = false;
|
|||
|
this.m_manager.AddProcess(hTrustedUserToken, ref trustedUserSid, infocardDesktop, userProcessId, userIdentity, fullPath1, "", fUseElevatedToken);
|
|||
|
}
|
|||
|
if (!this.m_fTabletPC)
|
|||
|
return;
|
|||
|
string fullPath2 = Path.Combine(AccessibilityHelperForVista.progfilePath, "microsoft shared\\ink\\tabtip.exe");
|
|||
|
bool fUseElevatedToken1 = true;
|
|||
|
this.m_manager.AddProcess(hTrustedUserToken, ref trustedUserSid, infocardDesktop, userProcessId, userIdentity, fullPath2, "/SeekDesktop:", fUseElevatedToken1);
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
public void Dispose()
|
|||
|
{
|
|||
|
if (this.m_manager == null)
|
|||
|
return;
|
|||
|
this.m_manager.Dispose();
|
|||
|
this.m_manager = (ProcessManager) null;
|
|||
|
}
|
|||
|
}
|
|||
|
}
|