ch0ic3/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2024-12-26 13:25:26 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
9432413cf6
MalwareSourceCode/MSIL/Trojan/Win32/P/Trojan.Win32.Patched.mf-fd200e64412b6be5c177c3cfa7b94e83e807ff04211ce324f12e2ffa5537eb36/Services/Ticket/SecureStateManager.cs

307 lines
8.6 KiB
C#
Raw Normal View History

auto-decompiled msil via petikvx add
2022-08-18 11:28:56 +00:00
// Decompiled with JetBrains decompiler
// Type: Bmc.Services.Ticket.SecureStateManager
// Assembly: ticketservice, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 3DFB8186-7053-43AF-8B45-70866071B1F2
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan.Win32.Patched.mf-fd200e64412b6be5c177c3cfa7b94e83e807ff04211ce324f12e2ffa5537eb36.exe
using Bmc.RegistryAccess.Ticket;
using Microsoft.Win32;
using Net.LShift.SPKI;
using Net.LShift.Utilities;
using System;
using System.Collections;
using System.IO;
using System.Security.Cryptography;
namespace Bmc.Services.Ticket
{
public class SecureStateManager
{
private static readonly string old_mac_subkey = "SOFTWARE\\Classes\\Interface";
private static readonly string mac_subkey = BuildVersion.ProductRegistryKey + "\\HideMe";
private static readonly SECURE_FIELD[] FixedKeys = new SECURE_FIELD[2]
{
null,
(SECURE_FIELD) 1
};
private string FixedKeyMac;
private RegistryKey HidingKey;
private string HidingValue;
private IDictionary State;
private string StateMAC;
private bool Dirty = false;
private static byte[] MacKey = new byte[16]
{
(byte) 185,
(byte) 215,
(byte) 27,
(byte) 51,
(byte) 201,
(byte) 82,
(byte) 154,
(byte) 129,
(byte) 59,
(byte) 241,
(byte) 233,
(byte) 83,
(byte) 190,
(byte) 249,
(byte) 125,
(byte) 206
};
private string MACSexp(SPKISexp sexp)
{
HMACSHA1 transform = new HMACSHA1(SecureStateManager.MacKey);
CryptoStream cryptoStream = new CryptoStream(Stream.Null, (ICryptoTransform) transform, CryptoStreamMode.Write);
sexp.Marshal((Stream) cryptoStream);
cryptoStream.Close();
string upper = ChecksumUtilities.HexEncode(transform.Hash).ToUpper();
return "{" + string.Format("{0}-{1}-{2}-{3}-{4}", (object) upper.Substring(0, 8), (object) upper.Substring(8, 4), (object) upper.Substring(12, 4), (object) upper.Substring(16, 4), (object) upper.Substring(20, 12)) + "}";
}
private string MACKeys(string id, SECURE_FIELD[] keys)
{
ArrayList arrayList = new ArrayList();
arrayList.Add((object) new SPKISexp("key-pairs"));
arrayList.Add((object) new SPKISexp(id));
for (int index = 0; index < keys.Length; ++index)
{
SECURE_FIELD key = (SECURE_FIELD) (int) keys[index];
string str = (string) this.State[(object) key];
if (str != null)
arrayList.Add((object) new SPKISexp(new SPKISexp[3]
{
new SPKISexp("pair"),
new SPKISexp(((Enum) (object) key).ToString()),
new SPKISexp(str)
}));
}
return this.MACSexp(new SPKISexp((SPKISexp[]) arrayList.ToArray(typeof (SPKISexp))));
}
private static bool IsFixedKey(SECURE_FIELD f)
{
foreach (int fixedKey in SecureStateManager.FixedKeys)
{
SECURE_FIELD secureField = (SECURE_FIELD) fixedKey;
if (f == secureField)
return true;
}
return false;
}
private string MACFixedKeys()
{
foreach (int fixedKey in SecureStateManager.FixedKeys)
{
if (!this.State.Contains((object) (SECURE_FIELD) fixedKey))
throw new SecureStateException();
}
return this.MACKeys("fixed-keys", SecureStateManager.FixedKeys);
}
private string MACAllKeys() => this.MACKeys("all-keys", (SECURE_FIELD[]) Enum.GetValues(typeof (SECURE_FIELD)));
private void GetHidingPlace()
{
if (this.HidingKey != null)
return;
this.FixedKeyMac = this.MACFixedKeys();
this.HidingValue = (string) null;
this.HidingKey = Registry.LocalMachine.CreateSubKey(SecureStateManager.mac_subkey).CreateSubKey(this.FixedKeyMac).CreateSubKey("ProxyStubClsid32");
}
private void DeleteHidingPlace()
{
this.GetHidingPlace();
Registry.LocalMachine.CreateSubKey(SecureStateManager.old_mac_subkey).DeleteSubKeyTree(this.FixedKeyMac);
this.HidingKey = (RegistryKey) null;
}
private string HiddenMAC
{
get => (string) this.HidingKey.GetValue(this.HidingValue);
set
{
this.HidingKey.SetValue(this.HidingValue, (object) value);
this.HidingKey.Flush();
}
}
private RegistryKey StateKey => SecureState.Instance.StateKey;
private void UpdateState()
{
if (this.Dirty || this.StateMAC != null && !(this.HiddenMAC != this.StateMAC))
return;
this.StateMAC = (string) null;
this.State = (IDictionary) new Hashtable();
foreach (SECURE_FIELD secureField in Enum.GetValues(typeof (SECURE_FIELD)))
{
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
SECURE_FIELD key = (SECURE_FIELD) ^(int&) ref secureField;
string str = (string) this.StateKey.GetValue(((Enum) (object) key).ToString());
if (str != null)
this.State[(object) key] = (object) str;
}
if (this.State.Keys.Count == 0)
{
this.InitializeSecureState();
}
else
{
this.GetHidingPlace();
string str = this.MACAllKeys();
if (this.HiddenMAC != str)
{
this.HidingKey = Registry.LocalMachine.CreateSubKey(SecureStateManager.old_mac_subkey).CreateSubKey(this.FixedKeyMac).CreateSubKey("ProxyStubClsid32");
if (this.HiddenMAC != str)
throw new SecureStateException();
}
this.StateMAC = str;
}
}
public bool StateOK
{
get
{
try
{
this.UpdateState();
return true;
}
catch (Exception ex)
{
return false;
}
}
}
public void Init()
{
try
{
lock (this)
this.UpdateState();
}
catch (Exception ex)
{
}
}
public string this[SECURE_FIELD f]
{
get
{
lock (this)
{
this.UpdateState();
return (string) this.State[(object) f];
}
}
set
{
if (SecureStateManager.IsFixedKey(f))
throw new SecureStateException();
lock (this)
{
this.UpdateState();
this.State[(object) f] = (object) value;
this.Dirty = true;
}
}
}
public void Flush()
{
lock (this)
{
if (!this.Dirty)
return;
this.StateMAC = this.MACAllKeys();
foreach (SECURE_FIELD key1 in (IEnumerable) this.State.Keys)
{
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
SECURE_FIELD key2 = (SECURE_FIELD) ^(int&) ref key1;
this.StateKey.SetValue(((Enum) (object) key2).ToString(), this.State[(object) key2]);
}
this.HiddenMAC = this.StateMAC;
this.StateKey.Flush();
this.Dirty = false;
}
}
private void InitializeSecureState()
{
this.Dirty = true;
this.State = (IDictionary) new Hashtable();
this.State[(object) (SECURE_FIELD) 0] = (object) RandomId.GenerateId("machine", 5);
this.State[(object) (SECURE_FIELD) 1] = (object) RandomId.GenerateId("longid", 40);
this.State[(object) (SECURE_FIELD) 2] = (object) RandomId.GenerateId("pass", 6);
this.State[(object) (SECURE_FIELD) 3] = (object) "none";
this.Offset = new TimeSpan(0L);
this.LastUsed = DateTime.UtcNow;
this.GetHidingPlace();
this.Flush();
}
public void WipeState()
{
lock (this)
{
try
{
this.DeleteHidingPlace();
}
catch (Exception ex)
{
}
SecureState.Instance.Flush();
Registry.LocalMachine.DeleteSubKeyTree(SecureState.STATE_SUBKEY);
}
}
private DateTime LastUsed
{
get => DateTimeFormatter.ToDateTime(this[(SECURE_FIELD) 4]);
set => this[(SECURE_FIELD) 4] = DateTimeFormatter.ToString(value);
}
private TimeSpan Offset
{
get => TimeSpanFormatter.ToTimeSpan(this[(SECURE_FIELD) 5]);
set => this[(SECURE_FIELD) 5] = TimeSpanFormatter.ToString(value);
}
public void TurnTimeRatchet()
{
DateTime utcNow = DateTime.UtcNow;
DateTime lastUsed = this.LastUsed;
if (utcNow < lastUsed)
this.Offset += lastUsed - utcNow;
this.LastUsed = utcNow;
this.Flush();
}
public DateTime RatchetTime
{
get
{
this.TurnTimeRatchet();
return DateTime.UtcNow + this.Offset;
}
}
public void SetRatchetOffset(TimeSpan off)
{
this.Offset = off;
this.LastUsed = DateTime.UtcNow;
this.Flush();
}
}
}
Reference in New Issue Copy Permalink