MalwareSourceCode/MSIL/Trojan/Win32/P/Trojan.Win32.Patched.mf-d8d6de6a708417645ef396f90e846eda5ae240e20dd2ceba0b7c9c1e4a6a7d77/ServerClass.cs


2022-08-18 11:28:56 +00:00
// Decompiled with JetBrains decompiler
// Type: eRecoveryService.ServerClass
// Assembly: eRecoveryService, Version=2.5.3.6, Culture=neutral, PublicKeyToken=null
// MVID: 08DF666A-8C92-4CCB-869A-390134BB6787
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan.Win32.Patched.mf-d8d6de6a708417645ef396f90e846eda5ae240e20dd2ceba0b7c9c1e4a6a7d77.exe
using eSettings.Model.Library;
using Microsoft.Win32;
using ServiceInterface;
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Runtime.Remoting.Lifetime;
using System.Text;
using System.Threading;
namespace eRecoveryService
{
public class ServerClass : MarshalByRefObject, Interface
{
// NOTE(review): ServerClass derives from MarshalByRefObject, so its public members can be
// invoked by .NET Remoting clients. How the channel is registered and which callers may
// connect is not visible in this file - TODO confirm. Several public methods below act on
// caller-supplied paths, registry names and process arguments without validation.

// Boot device type codes. In this file only SetBootSeqFromInt15 takes such a code, and it
// distinguishes 0/1 from every other value; the remaining names are presumably used by
// other callers - TODO confirm.
public const int BOOT_FLOPPY = 0;
public const int BOOT_HD = 1;
public const int BOOT_ODD = 2;
public const int BOOT_SCSI = 3;
public const int BOOT_D2D = 4;
public const int BOOT_LS120 = 5;
public const int BOOT_PCMCIA = 6;
public const int BOOT_NETWORK = 7;
public const int BOOT_ZIP = 8;
public const int BOOT_1394ODD = 9;
public const int BOOT_USBHD = 10;
public const int BOOT_USBODD = 11;
public const int BOOT_USBFDD = 12;
public const int BOOT_USBRD = 13;
public const int BOOT_SECHD = 14;
public const int BOOT_USBZIP = 15;
public const int BOOT_USBOTH = 16;
public const int BOOT_OTHER = 17;
// Sentinel (-1) compared against the handles returned by WIN32.FindFirstFile.
private IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);
// Not referenced anywhere in the visible code.
private System.Timers.Timer PercentageTiemr;
// Drive letter ("X:") chosen in ExtractData for the hidden partition; read by UnMountHiddenPartition().
private string m_szTmpHid;
// Public mutable field; not referenced anywhere in the visible code.
public int globalint;
// Not referenced anywhere in the visible code.
private System.Timers.Timer SWCDExtractTimer;
// Path of swcd.wim on the mounted hidden partition; set in ExtractData.
private string wimFile;
// Parent directory derived from the install path; set in ExtractData, not read in the visible code.
private string tmpDir;
// Install directory used as the imagex target; set in ExtractData.
private string applyDir;
// Lease cached by InitializeLifetimeService.
private ILease lease;
// Returns the remoting lease for this object, creating and caching it on first use.
// While the new lease is still in the Initial state its InitialLeaseTime is set to
// TimeSpan.Zero, which in .NET Remoting means the lease never expires, so the object
// stays reachable for as long as the hosting process runs.
public override object InitializeLifetimeService()
{
    if (this.lease != null)
        return (object) this.lease;

    ILease created = (ILease) base.InitializeLifetimeService();
    this.lease = created;
    if (created.CurrentState == LeaseState.Initial)
        created.InitialLeaseTime = TimeSpan.Zero;
    return (object) this.lease;
}
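// Moves one boot device code to the front of the boot sequence read through INT15 and
// writes the modified sequence back.
//   nType: 0 or 1 promotes device code 1; any other value promotes device code 2.
//   Returns the result of INT15.SetBootSequenceNB, or false when no sequence could be read.
public bool SetBootSeqFromInt15(int nType)
{
    IntPtr bootSequence = INT15.GetBootSequence();
    // A null pointer used to yield a zero-length array and an IndexOutOfRangeException
    // at the swap below; report failure instead.
    if (bootSequence == IntPtr.Zero)
        return false;

    // Measure the sequence: it ends at the first 0xFF byte, or at a run of four zero
    // bytes (one trailing zero is then kept as part of the sequence).
    // NOTE(review): the scan has no upper bound; it relies on the buffer returned by
    // INT15.GetBootSequence always containing one of those terminators - TODO confirm.
    int length = 0;
    int zeroRun = 0;
    byte current;
    while ((current = Marshal.ReadByte(bootSequence, length)) != byte.MaxValue)
    {
        ++length;
        zeroRun = current == (byte) 0 ? zeroRun + 1 : 0;
        if (zeroRun == 4)
        {
            length -= 3;
            break;
        }
    }
    // An immediately terminated sequence has nothing to reorder.
    if (length == 0)
        return false;

    byte target = nType == 0 || nType == 1 ? (byte) 1 : (byte) 2;
    byte[] sequence = new byte[length];
    int index = 0;
    for (int ofs = 0; ofs < length; ++ofs)
    {
        sequence[ofs] = Marshal.ReadByte(bootSequence, ofs);
        // Remember the last position holding the device code being promoted.
        if (sequence[ofs] == target)
            index = ofs;
    }

    // Swap the promoted code with the first entry.
    // NOTE(review): when the code is not present, index stays 0 and the original first
    // entry is overwritten rather than preserved - confirm this is intended.
    sequence[index] = sequence[0];
    sequence[0] = target;
    return INT15.SetBootSequenceNB(sequence, length);
}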
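// Starts BackupMachine.exe from the directory named by the InstallPath value under
// HKLM\Software\acer\eRecovery.
//   Returns false when the key or the value is missing, true once the process was started.
//   Exceptions from Process.Start propagate to the caller.
// NOTE(review): the executable is resolved purely from the registry value; the launch is
// only as trustworthy as the ACLs on that key and on the install directory.
public bool StartBackupMachine()
{
    string installPath;
    // using closes the key on every path; the original leaked it when InstallPath was missing.
    using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("Software\\acer\\eRecovery", false))
    {
        object value = registryKey == null ? null : registryKey.GetValue("InstallPath");
        if (value == null)
            return false;
        installPath = value.ToString();
    }

    // Disposing the Process object releases its handle; it does not stop the started program.
    using (Process process = new Process())
    {
        process.StartInfo.FileName = installPath + "\\BackupMachine.exe";
        process.Start();
    }
    return true;
}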
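// Starts SetFDFolder.exe from the directory named by the InstallPath value under
// HKLM\Software\acer\eRecovery, passing InArg as its command-line arguments.
//   Returns false when the key or the value is missing, true once the process was started.
// NOTE(review): InArg reaches the child process unmodified. If this method is reachable
// by less-privileged callers, the arguments should be validated against what
// SetFDFolder.exe is expected to receive - TODO confirm the caller population.
public bool LauncSetFDFolderExe(string InArg)
{
    string installPath;
    // using closes the key on every path; the original leaked it when InstallPath was missing.
    using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("Software\\acer\\eRecovery", false))
    {
        object value = registryKey == null ? null : registryKey.GetValue("InstallPath");
        if (value == null)
            return false;
        installPath = value.ToString();
    }

    // Process.Start may return null; a using statement tolerates that and otherwise
    // releases the process handle without stopping the started program.
    using (Process.Start(installPath + "\\SetFDFolder.exe", InArg))
    {
    }
    return true;
}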
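// Starts MBRwrWin.exe with the argument "-directh" from the directory named by the
// InstallPath value under HKLM\Software\acer\eRecovery.
//   Returns false when the key or the value is missing, true once the process was started.
// NOTE(review): judging by its name the tool rewrites the master boot record, and it is
// resolved from a registry value; the method takes no arguments but any caller able to
// reach this object can trigger it - TODO confirm who can.
public bool SetMBR()
{
    string installPath;
    // using closes the key on every path; the original leaked it when InstallPath was missing.
    using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("Software\\acer\\eRecovery", false))
    {
        object value = registryKey == null ? null : registryKey.GetValue("InstallPath");
        if (value == null)
            return false;
        installPath = value.ToString();
    }

    // Disposing the Process object releases its handle; it does not stop the started program.
    using (Process process = new Process())
    {
        process.StartInfo.FileName = installPath + "\\MBRwrWin.exe";
        process.StartInfo.Arguments = "-directh";
        process.Start();
    }
    return true;
}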
// Returns whatever INT15.GetD2DBIOS reports; no further processing is done here.
public bool CheckD2DBIOS()
{
    bool supported = INT15.GetD2DBIOS();
    return supported;
}
// Deletes the file at filePath through File.Delete; its exceptions propagate to the caller.
// NOTE(review): filePath is used exactly as supplied, with no restriction to a known
// directory. On a remotable object this gives every permitted caller file deletion with
// the hosting process's rights; consider confining the path to the product's own
// directories and restricting who may connect - TODO confirm the intended callers.
public void DeleteFile(string filePath)
{
    File.Delete(filePath);
}
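// Creates or opens HKLM\<RegSubKeyString> and stores RegKeyValue under RegKeyName.
// Despite the method name, the value written is the int argument.
//   Returns true on success, false when the key cannot be created or the value cannot be written.
// NOTE(review): both the subkey path and the value name come straight from the caller,
// so this is a general HKLM write primitive for anyone who can reach the object;
// consider limiting it to the product's own subtree - TODO confirm the intended callers.
public bool WriteLocalRegString(string RegSubKeyString, string RegKeyName, int RegKeyValue)
{
    try
    {
        // CreateSubKey now sits inside the try (as in GetSystemVolumnInfo) so its failures
        // also produce false, and using closes the key, which the original never did.
        using (RegistryKey subKey = Registry.LocalMachine.CreateSubKey(RegSubKeyString))
        {
            subKey.SetValue(RegKeyName, (object) RegKeyValue);
        }
    }
    catch
    {
        return false;
    }
    return true;
}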
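// Checks the files listed in Autorun.ini: for every section, the file named by its
// "Filename" key must exist and the low 32 bits of its size must equal the "Size" key.
//   Returns true when every listed file passes, false on the first mismatch, when
//   Autorun.ini is absent, or when a "Size" entry is missing or not a number.
// Only existence and size are compared; file contents are not verified, and the "Time"
// key is read but not used.
public bool IsNeedToExtractData()
{
    string lpFileName = this.FindAutorunPath() + "\\Autorun.ini";

    // NOTE(review): existence is probed at a hard-coded path while the INI is then read
    // from the registry-derived lpFileName; the two can differ - confirm this is intended.
    WIN32.WIN32_FIND_DATA lpFindFileData;
    IntPtr iniProbe = WIN32.FindFirstFile("C:\\Acer\\Empowering Technology\\eRecovery\\Autorun.ini", out lpFindFileData);
    if (iniProbe == this.INVALID_HANDLE_VALUE)
        return false;
    WIN32.FindClose(iniProbe);

    byte[] sectionNames = new byte[4096];
    StringBuilder fileNameValue = new StringBuilder(4096);
    StringBuilder sizeValue = new StringBuilder(32);
    StringBuilder timeValue = new StringBuilder(8);
    WIN32.GetPrivateProfileSectionNames(sectionNames, sectionNames.Length, lpFileName);

    // The buffer holds zero-terminated section names followed by an empty name.
    string lpAppName = "";
    for (int index = 0; index < sectionNames.Length; ++index)
    {
        byte raw = sectionNames[index];
        if (raw != 0)
        {
            // Each byte is appended as the decimal text of (byte - 48), so a name made of
            // ASCII digits round-trips unchanged; other characters do not.
            lpAppName += unchecked((byte) (raw - 48)).ToString();
            continue;
        }

        // A terminator with no accumulated name marks the end of the list.
        if (lpAppName.Length == 0)
            break;

        WIN32.GetPrivateProfileString(lpAppName, "Filename", "xfail", fileNameValue, (uint) fileNameValue.Capacity, lpFileName);
        IntPtr fileProbe = WIN32.FindFirstFile(fileNameValue.ToString(), out lpFindFileData);
        if (fileProbe == this.INVALID_HANDLE_VALUE)
            return false;
        WIN32.FindClose(fileProbe);

        WIN32.GetPrivateProfileString(lpAppName, "Size", "xfail", sizeValue, (uint) sizeValue.Capacity, lpFileName);
        // The default "xfail" (key missing) or any non-numeric text used to throw a
        // FormatException from Convert.ToUInt32; treat it as a failed check instead.
        uint expectedSize;
        if (!uint.TryParse(sizeValue.ToString(), out expectedSize))
            return false;
        if ((int) lpFindFileData.nFileSizeLow != (int) expectedSize)
            return false;

        // Read as in the original; the value is not compared against anything.
        WIN32.GetPrivateProfileString(lpAppName, "Time", "xfail", timeValue, (uint) timeValue.Capacity, lpFileName);
        lpAppName = "";
    }
    return true;
}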
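// Measures C:\System Volume Information with GetSysVolumnSize, converts the byte count
// to MiB (integer division by 1048576) and stores it as the DWORD value "SysVolSize"
// under HKLM\Software\acer\eRecovery\Main.
//   Returns true when the value was written, false when the registry write failed.
public bool GetSystemVolumnInfo()
{
    long sizeInMiB = this.GetSysVolumnSize("C:\\System Volume Information") / 1048576L;
    try
    {
        // using closes the key handle, which the original left open.
        using (RegistryKey key = Registry.LocalMachine.CreateSubKey("Software\\acer\\eRecovery\\Main", RegistryKeyPermissionCheck.ReadWriteSubTree))
        {
            key.SetValue("SysVolSize", (object) sizeInMiB, RegistryValueKind.DWord);
        }
    }
    catch
    {
        return false;
    }
    return true;
}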
// Recursively sums the sizes of all files below pPath, using FindFirstFile/FindNextFile.
//   Returns the total in bytes, or 0 when pPath cannot be enumerated.
// NOTE(review): every entry with the directory attribute (16) is descended into, with no
// separate handling of reparse points; confirm that is acceptable for the directories
// this is called on.
private long GetSysVolumnSize(string pPath)
{
    WIN32.WIN32_FIND_DATA entry;
    IntPtr search = WIN32.FindFirstFile(pPath + "\\*.*", out entry);
    if (search == this.INVALID_HANDLE_VALUE)
        return 0;

    long total = 0;
    do
    {
        bool isDirectory = ((int) entry.dwFileAttributes & 16) != 0;
        if (!isDirectory)
        {
            // Combine the high and low 32-bit halves into one 64-bit size.
            total += (long) entry.nFileSizeHigh * 4294967296L + (long) entry.nFileSizeLow;
            continue;
        }

        string name = entry.cFileName;
        // Skip the self and parent entries so the recursion terminates.
        if (name.CompareTo(".") == 0 || name.CompareTo("..") == 0)
            continue;

        total += this.GetSysVolumnSize(pPath + "\\" + entry.cFileName);
    }
    while (WIN32.FindNextFile(search, out entry));

    WIN32.FindClose(search);
    return total;
}
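// Removes any previous "autorun" directory and autorun.ini under the install path,
// mounts the hidden partition on a free drive letter and starts imagex.exe to apply
// image 1 of <drive>\autorun\swcd.wim onto the install directory.
//   Returns true once imagex was launched (it is not waited for); false when no drive
//   letter is free, the partition cannot be mounted, or swcd.wim is not found.
// The partition is left mounted on return; UnMountHiddenPartition() releases it.
// NOTE(review): imagex.exe is resolved from the registry InstallPath value and the image
// comes from the mounted partition; neither is integrity-checked here.
public bool ExtractData()
{
    string autorunPath = this.FindAutorunPath();
    string iniPath = autorunPath + "\\autorun.ini";
    string autorunDir = autorunPath + "\\autorun";
    if (Directory.Exists(autorunDir))
    {
        File.SetAttributes(autorunDir, FileAttributes.Normal);
        // The decompiler emitted "ref new ...", which is not valid C#; a local is needed
        // to pass the struct by reference.
        WIN32.SHFILEOPSTRUCT deleteOp = new WIN32.SHFILEOPSTRUCT()
        {
            hwnd = IntPtr.Zero,
            wFunc = WIN32.FO_Func.FO_DELETE,
            pFrom = autorunDir + "\0\0",
            pTo = "",
            // 3604 = 0x0E14. Assuming fFlags carries the shell FOF_* bits, that is SILENT,
            // NOCONFIRMATION, NOCONFIRMMKDIR, NOERRORUI and NOCOPYSECURITYATTRIBS.
            fFlags = (ushort) 3604
        };
        WIN32.SHFileOperation(ref deleteOp);
    }
    if (File.Exists(iniPath))
        File.Delete(iniPath);

    this.m_szTmpHid = this.GetAvailableDrLetter();
    // Without a free drive letter, or if mounting fails, the image cannot be present.
    if (this.m_szTmpHid.Length == 0 || !this.MountHiddenPartition(this.m_szTmpHid))
        return false;
    this.wimFile = this.m_szTmpHid + "\\autorun\\swcd.wim";

    // The key is only read, so open it read-only and close it afterwards; a missing key
    // now falls back to the defaults instead of raising a NullReferenceException.
    object installValue;
    using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("Software\\acer\\eRecovery", false))
    {
        installValue = registryKey == null ? null : registryKey.GetValue("InstallPath");
    }

    string installPath;
    if (installValue != null)
    {
        installPath = installValue.ToString();
        this.applyDir = installPath;
        // NOTE(review): throws ArgumentOutOfRangeException when InstallPath does not
        // contain "eRecovery" (IndexOf returns -1); unchanged from the original.
        this.tmpDir = this.applyDir.Remove(this.applyDir.IndexOf("eRecovery"));
    }
    else
    {
        installPath = "C:\\Acer\\Empowering Technology\\eRecovery";
        this.applyDir = installPath;
        this.tmpDir = "C:\\Acer\\Empowering Technology";
    }

    if (!File.Exists(this.wimFile))
        return false;
    this.CallProcessNoWait("\"" + installPath + "\\imagex.exe\" /apply " + this.wimFile + " 1 \"" + installPath + "\"");
    return true;
}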
// Records the current Win32 error code under "SWCDErrorCode", then closes the image and
// WIM handles and unregisters the message callback. The error code that is finally set
// with SetLastError is the one captured on entry, unless that was 0 and one of the
// cleanup calls failed, in which case the first such failure's code is used.
// The registry value always holds the code captured on entry.
private void SampleApplyCleanup(IntPtr hwim, IntPtr himg, WIN32.WIMMessageCallback callback)
{
    int errorCode = Marshal.GetLastWin32Error();
    this.WriteLocalRegString("Software\\acer\\eRecovery\\Main", "SWCDErrorCode", errorCode);

    if (himg != IntPtr.Zero)
    {
        bool imageClosed = WIN32.WIMCloseHandle(himg);
        if (!imageClosed && errorCode == 0)
            errorCode = Marshal.GetLastWin32Error();
    }

    if (hwim != IntPtr.Zero)
    {
        bool wimClosed = WIN32.WIMCloseHandle(hwim);
        if (!wimClosed && errorCode == 0)
            errorCode = Marshal.GetLastWin32Error();
    }

    if (callback != null)
    {
        bool unregistered = WIN32.WIMUnregisterMessageCallback(IntPtr.Zero, callback);
        if (!unregistered && errorCode == 0)
            errorCode = Marshal.GetLastWin32Error();
    }

    WIN32.SetLastError((uint) errorCode);
}
// Starts szCommand through WIN32.CreateProcess with no application name, no handle
// inheritance and no creation flags, and returns without waiting for it.
// The result of CreateProcess is ignored, so a failed launch is not reported.
// NOTE(review): nothing in this method closes whatever handles CreateProcess places in
// the PROCESS_INFORMATION output - confirm whether they are released elsewhere.
private void CallProcessNoWait(string szCommand)
{
    WIN32.SECURITY_ATTRIBUTES processAttributes = new WIN32.SECURITY_ATTRIBUTES();
    processAttributes.nLength = Marshal.SizeOf((object) processAttributes);

    WIN32.SECURITY_ATTRIBUTES threadAttributes = new WIN32.SECURITY_ATTRIBUTES();
    threadAttributes.nLength = Marshal.SizeOf((object) threadAttributes);

    // No field of the startup structure is assigned before the call.
    WIN32.STARTUPINFO startupInfo = new WIN32.STARTUPINFO();
    WIN32.PROCESS_INFORMATION processInformation = new WIN32.PROCESS_INFORMATION();

    WIN32.CreateProcess((string) null, szCommand, ref processAttributes, ref threadAttributes, false, 0U, IntPtr.Zero, (string) null, ref startupInfo, out processInformation);
}
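// Maps the drive letter szDr to \Device\Harddisk0\Partition1 through
// WIN32.DefineDosDevice, trying up to five times with a one-second pause after each failure.
//   Returns true as soon as one attempt succeeds, false after five failures.
// Flag 1U is DDD_RAW_TARGET_PATH, assuming WIN32.DefineDosDevice wraps the Win32 API of
// that name.
private bool MountHiddenPartition(string szDr)
{
    // The original never advanced its attempt counter, so a call that kept failing (for
    // example with an empty drive letter) looped forever and tied up the calling thread.
    for (int attempt = 0; attempt < 5; ++attempt)
    {
        if (WIN32.DefineDosDevice(1U, szDr, "\\Device\\Harddisk0\\Partition1"))
            return true;
        Thread.Sleep(1000);
    }
    return false;
}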
// Finds the first drive letter from D to Z whose bit is clear in the mask returned by
// WIN32.GetLogicalDrives.
//   Returns the letter followed by a colon (for example "E:"), or "" when none is free.
private string GetAvailableDrLetter()
{
    uint driveMask = WIN32.GetLogicalDrives();
    // Bit 3 corresponds to 'D'; bits 0-2 (A, B, C) are never considered.
    for (int bit = 3; bit < 26; ++bit)
    {
        bool inUse = ((int) (driveMask >> bit) & 1) != 0;
        if (!inUse)
            return ((char) ('A' + bit)).ToString() + ":";
    }
    return "";
}
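// Removes the drive-letter mapping recorded in m_szTmpHid, trying up to five times with
// a one-second pause after each failure.
//   Returns true when the mapping was removed, false when no letter is recorded or all
//   attempts failed.
// Flag 7U is DDD_RAW_TARGET_PATH | DDD_REMOVE_DEFINITION | DDD_EXACT_MATCH_ON_REMOVE,
// assuming WIN32.DefineDosDevice wraps the Win32 API of that name.
public bool UnMountHiddenPartition()
{
    // m_szTmpHid is only assigned in ExtractData; calling this first used to raise a
    // NullReferenceException on the Length access.
    if (string.IsNullOrEmpty(this.m_szTmpHid))
        return false;

    for (int attempt = 0; attempt < 5; ++attempt)
    {
        if (WIN32.DefineDosDevice(7U, this.m_szTmpHid, "\\Device\\Harddisk0\\Partition1"))
            return true;
        Thread.Sleep(1000);
    }
    return false;
}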
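// Returns the InstallPath value from HKLM\Software\acer\eRecovery, or the default
// "C:\Acer\Empowering Technology\eRecovery" when the key or the value is missing.
private string FindAutorunPath()
{
    // A missing key used to raise a NullReferenceException; it now takes the same default
    // as a missing value. using also closes the key, which the original left open.
    using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("Software\\acer\\eRecovery", false))
    {
        object installPath = registryKey == null ? null : registryKey.GetValue("InstallPath");
        return installPath == null ? "C:\\Acer\\Empowering Technology\\eRecovery" : installPath.ToString();
    }
}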
// Starts <install path>\autorun\CheckFiles.exe through WIN32.CreateProcess when that file
// exists, without arguments and without waiting; does nothing when the file is absent.
// The result of CreateProcess is ignored.
// NOTE(review): the executable is taken from the extracted autorun directory and is not
// verified before launch; nothing here closes the handles returned in
// PROCESS_INFORMATION - confirm both against the rest of the project.
public void LaunchCheckFiles()
{
    string checkFilesExe = this.FindAutorunPath() + "\\autorun\\CheckFiles.exe";
    if (File.Exists(checkFilesExe))
    {
        WIN32.SECURITY_ATTRIBUTES processAttributes = new WIN32.SECURITY_ATTRIBUTES();
        processAttributes.nLength = Marshal.SizeOf((object) processAttributes);

        WIN32.SECURITY_ATTRIBUTES threadAttributes = new WIN32.SECURITY_ATTRIBUTES();
        threadAttributes.nLength = Marshal.SizeOf((object) threadAttributes);

        WIN32.STARTUPINFO startupInfo = new WIN32.STARTUPINFO();
        WIN32.PROCESS_INFORMATION processInformation = new WIN32.PROCESS_INFORMATION();

        WIN32.CreateProcess(checkFilesExe, (string) null, ref processAttributes, ref threadAttributes, false, 0U, IntPtr.Zero, (string) null, ref startupInfo, out processInformation);
    }
}
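// Removes the mapping of drive letter m_szTempHid to \Device\Harddisk0\Partition1,
// trying up to five times with a one-second pause after each failure.
//   Returns true when the mapping was removed, false after five failures.
// Flag 7U is DDD_RAW_TARGET_PATH | DDD_REMOVE_DEFINITION | DDD_EXACT_MATCH_ON_REMOVE,
// assuming WIN32.DefineDosDevice wraps the Win32 API of that name.
public bool UnMountHiddenPartition(string m_szTempHid)
{
    // The original never advanced its attempt counter, so a letter that could not be
    // unmapped kept the calling thread in this loop indefinitely; the parameterless
    // overload already bounds its retries the same way as this loop now does.
    for (int attempt = 0; attempt < 5; ++attempt)
    {
        if (WIN32.DefineDosDevice(7U, m_szTempHid, "\\Device\\Harddisk0\\Partition1"))
            return true;
        Thread.Sleep(1000);
    }
    return false;
}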
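// Mounts the hidden partition on a free drive letter and updates <drive>\aimdrs.dat:
// an empty szPass deletes an existing file; otherwise szPass and szHint are written to
// section "MyData" under the keys "PD" and "HT" and the file is marked
// read-only, hidden and system. The partition is unmounted before returning.
//   Returns true when the update was carried out, false when no drive letter is free or
//   the partition could not be mounted.
// NOTE(review): szPass is written exactly as received, so the password sits in clear
// text in the INI file and the file attributes are the only protection visible here.
// Storing a salted password hash instead would need matching changes in whatever reads
// "PD", which is outside this file.
public bool SetHiddenPartPassHint(string szPass, string szHint)
{
    string availableDrLetter = this.GetAvailableDrLetter();
    // With no drive letter the path would be "\aimdrs.dat" on the current drive, and with
    // a failed mount the writes would land on whatever already owns the letter; stop early.
    if (availableDrLetter.Length == 0 || !this.MountHiddenPartition(availableDrLetter))
        return false;

    string dataFile = availableDrLetter + "\\aimdrs.dat";
    try
    {
        bool fileExists = File.Exists(dataFile);
        if (szPass.Length == 0 && fileExists)
        {
            // Clearing the password: drop the protective attributes, then delete the file.
            File.SetAttributes(dataFile, FileAttributes.Normal);
            File.Delete(dataFile);
            return true;
        }

        // The file may be read-only from an earlier call; make it writable first.
        if (szPass.Length > 0 && fileExists)
            File.SetAttributes(dataFile, FileAttributes.Normal);

        WIN32.WritePrivateProfileString("MyData", "PD", szPass, dataFile);
        WIN32.WritePrivateProfileString("MyData", "HT", szHint, dataFile);
        File.SetAttributes(dataFile, FileAttributes.ReadOnly | FileAttributes.Hidden | FileAttributes.System);
        return true;
    }
    finally
    {
        // Unmount even when a file operation throws, so the hidden partition does not
        // stay exposed under a drive letter.
        this.UnMountHiddenPartition(availableDrLetter);
    }
}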
}
}