MalwareSourceCode/MSIL/Trojan/Win32/P/Trojan.Win32.Patched.mf-d8d6de6a708417645ef396f90e846eda5ae240e20dd2ceba0b7c9c1e4a6a7d77/WIN32.cs

// Decompiled with JetBrains decompiler
// Type: eRecoveryService.WIN32
// Assembly: eRecoveryService, Version=2.5.3.6, Culture=neutral, PublicKeyToken=null
// MVID: 08DF666A-8C92-4CCB-869A-390134BB6787
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan.Win32.Patched.mf-d8d6de6a708417645ef396f90e846eda5ae240e20dd2ceba0b7c9c1e4a6a7d77.exe
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Text;
namespace eRecoveryService
{
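/// <summary>
/// P/Invoke surface of the eRecovery service: Win32 and WIMGAPI imports plus the constants, enums and
/// marshalling structs they need. The class holds no logic of its own; every method is an extern declaration.
/// </summary>
/// <remarks>
/// Points a reviewer should keep in mind when reading the callers of this class:
/// <list type="bullet">
/// <item>Native libraries are imported by bare name (<c>wimgapi.dll</c>, <c>SysHook.dll</c>), so they are
/// resolved through the default DLL search order rather than from a fixed, trusted location.</item>
/// <item><see cref="OpenProcessToken"/>, <see cref="DuplicateTokenEx"/>, <see cref="CreateProcessAsUser"/> and
/// <see cref="WTSGetActiveConsoleSessionId"/> are the usual building blocks for a service that starts a process
/// in the interactive user's session; the token source and the command line handed to them must not be
/// derived from untrusted input.</item>
/// <item><see cref="GetPrivateProfileString"/>/<see cref="WritePrivateProfileString"/> presumably operate on
/// <see cref="g_szC_AutorunIni"/>; the ACL of that directory decides who can influence what the service does
/// (not verifiable from this file).</item>
/// </list>
/// Relative to the decompiled declaration, <c>SetLastError = true</c> was added to the kernel32 imports whose
/// failures are reported through GetLastError, <see cref="CreateProcess"/> was made Unicode to match the
/// <see cref="STARTUPINFO"/> it receives, and <see cref="WIM_INFO.WimPath"/> is marshalled inline.
/// </remarks>
public class WIN32
{
    // ---- fixed paths and command-line fragments -------------------------------------------------------

    /// <summary>INI file the service reads/writes (see the GetPrivateProfile* imports below).</summary>
    public const string g_szC_AutorunIni = "C:\\Acer\\Empowering Technology\\eRecovery\\Autorun.ini";
    /// <summary>Folder next to <see cref="g_szC_AutorunIni"/>.</summary>
    public const string g_szC_AutorunFolder = "C:\\Acer\\Empowering Technology\\eRecovery\\Autorun";
    /// <summary>NT device path of the recovery partition; presumably the target of <see cref="DefineDosDevice"/>.</summary>
    public const string HIDDEN_PATH = "\\Device\\Harddisk0\\Partition1";
    /// <summary>Tail of an imagex command line; the leading quote and drive part are supplied by the caller.</summary>
    public const string g_szH_AutorunExe = "\\imagex.exe\" /apply";
    /// <summary>WIM image to extract, relative to the mapped recovery partition.</summary>
    public const string g_sz_CompressFileSrc = "\\autorun\\swcd.wim";
    /// <summary>Destination folder for the extracted image.</summary>
    public const string g_sz_ExtractDestFolder = "C:\\Acer\\Empowering Technology\\eRecovery";

    // ---- Win32 constants --------------------------------------------------------------------------------

    public const int ERROR_NO_MORE_ITEMS = 259;
    public const uint TOKEN_DUPLICATE = 2;
    public const uint TOKEN_QUERY = 8;
    public const uint TOKEN_ASSIGN_PRIMARY = 1;
    public const uint CREATE_NEW_CONSOLE = 16;
    public const uint BELOW_NORMAL_PRIORITY_CLASS = 16384;
    public const uint NORMAL_PRIORITY_CLASS = 32;
    public const uint FILE_ATTRIBUTE_DIRECTORY = 16;
    /// <summary>WTS_CURRENT_SERVER_HANDLE: the local terminal server.</summary>
    public static readonly IntPtr WTC_CURRENT_SERVER_HANDLE = IntPtr.Zero;

    // ---- wimgapi.dll --------------------------------------------------------------------------------------

    /// <summary>Registers <paramref name="fpMessageProc"/> for progress/error messages of <paramref name="hwim"/> (or all handles when zero).</summary>
    [DllImport("wimgapi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
    public static extern uint WIMRegisterMessageCallback(
        IntPtr hwim,
        WIN32.WIMMessageCallback fpMessageProc,
        IntPtr lpvUserData);

    /// <summary>Opens or creates a WIM file; returns a handle for <see cref="WIMLoadImage"/>/<see cref="WIMGetAttributes"/>.</summary>
    /// <remarks>
    /// <paramref name="lpdwCreationResult"/> is natively <c>PDWORD</c> (an out pointer). It is kept as a by-value
    /// <c>int</c> for caller compatibility, which is only safe when callers pass 0 (NULL) and the process is 32-bit.
    /// </remarks>
    [DllImport("wimgapi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
    public static extern IntPtr WIMCreateFile(
        string lpszWimPath,
        int dwDesiredAccess,
        int dwCreationDisposition,
        int dwFlagsAndAttributes,
        int dwCompressionType,
        int lpdwCreationResult);

    /// <summary>Fills <paramref name="lpWimInfo"/>; <paramref name="cbWimInfo"/> must be <c>Marshal.SizeOf(typeof(WIM_INFO))</c>.</summary>
    [DllImport("wimgapi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
    public static extern bool WIMGetAttributes(
        IntPtr hWim,
        ref WIN32.WIM_INFO lpWimInfo,
        int cbWimInfo);

    [DllImport("wimgapi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
    public static extern bool WIMSetTemporaryPath(IntPtr hWim, string lpszPath);

    /// <summary>Loads image <paramref name="dwImageIndex"/> (1-based) from an open WIM handle.</summary>
    [DllImport("wimgapi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
    public static extern IntPtr WIMLoadImage(IntPtr hwim, int dwImageIndex);

    /// <summary>Applies a loaded image to <paramref name="lpszPath"/>; progress arrives through the registered callback.</summary>
    [DllImport("wimgapi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
    public static extern bool WIMApplyImage(IntPtr hImage, string lpszPath, int dwApplyFlags);

    /// <summary>Closes a WIM or image handle (not a kernel handle: use <see cref="CloseHandle"/> for those).</summary>
    [DllImport("wimgapi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
    public static extern bool WIMCloseHandle(IntPtr hObject);

    [DllImport("wimgapi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
    public static extern bool WIMUnregisterMessageCallback(
        IntPtr hwim,
        WIN32.WIMMessageCallback fpMessageProc);

    // ---- kernel32.dll: processes, handles, file enumeration -------------------------------------------------

    [DllImport("kernel32.dll")]
    public static extern void SetLastError(uint dwErrCode);

    /// <summary>Continues an enumeration started by <see cref="FindFirstFile"/>.</summary>
    /// <remarks>SetLastError is set so that the end-of-enumeration error code can be read via <c>Marshal.GetLastWin32Error()</c>.</remarks>
    [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern bool FindNextFile(
        IntPtr hFindFile,
        out WIN32.WIN32_FIND_DATA lpFindFileData);

    /// <summary>Creates a process in the caller's session.</summary>
    /// <remarks>
    /// Declared Unicode because <see cref="STARTUPINFO"/> carries <c>LPWStr</c> fields and is populated by the
    /// <c>GetStartupInfoW</c> import below; the ANSI entry point would misread a non-null <c>lpDesktop</c>/<c>lpTitle</c>.
    /// Both handles in <see cref="PROCESS_INFORMATION"/> must be released with <see cref="CloseHandle"/>.
    /// </remarks>
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool CreateProcess(
        string lpApplicationName,
        string lpCommandLine,
        ref WIN32.SECURITY_ATTRIBUTES lpProcessAttributes,
        ref WIN32.SECURITY_ATTRIBUTES lpThreadAttributes,
        bool bInheritHandles,
        uint dwCreationFlags,
        IntPtr lpEnvironment,
        string lpCurrentDirectory,
        [In] ref WIN32.STARTUPINFO lpStartupInfo,
        out WIN32.PROCESS_INFORMATION lpProcessInformation);

    // ---- shell32.dll -------------------------------------------------------------------------------------

    /// <summary>Copy/move/delete/rename via the shell; returns 0 on success, otherwise a shell-specific (not Win32) error code.</summary>
    [DllImport("shell32.dll", CharSet = CharSet.Unicode)]
    public static extern int SHFileOperation([In] ref WIN32.SHFILEOPSTRUCT lpFileOp);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(
        uint dwDesiredAccess,
        bool bInheritHandle,
        uint dwProcessId);

    // ---- advapi32.dll: tokens and impersonation ------------------------------------------------------------

    /// <summary>Starts a process under <paramref name="hToken"/>, typically a primary token obtained via <see cref="DuplicateTokenEx"/>.</summary>
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool CreateProcessAsUser(
        IntPtr hToken,
        string lpApplicationName,
        string lpCommandLine,
        IntPtr lpProcessAttributes,
        IntPtr lpThreadAttributes,
        bool bInheritHandles,
        uint dwCreationFlags,
        IntPtr lpEnvironment,
        string lpCurrentDirectory,
        ref WIN32.STARTUPINFO lpStartupInfo,
        out WIN32.PROCESS_INFORMATION lpProcessInformation);

    /// <summary>Impersonates <paramref name="hToken"/> on the calling thread; undo with <see cref="RevertToSelf"/>.</summary>
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool ImpersonateLoggedOnUser(IntPtr hToken);

    /// <summary>Duplicates a token, e.g. to turn a queried token into a primary one for <see cref="CreateProcessAsUser"/>.</summary>
    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern bool DuplicateTokenEx(
        IntPtr hExistingToken,
        uint dwDesiredAccess,
        IntPtr lpTokenAttributes,
        WIN32.SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
        WIN32.TOKEN_TYPE TokenType,
        out IntPtr phNewToken);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(
        IntPtr ProcessHandle,
        uint DesiredAccess,
        out IntPtr TokenHandle);

    // ---- wtsapi32.dll: session/process enumeration ---------------------------------------------------------

    /// <summary>Frees the buffer returned by <see cref="WTSEnumerateProcesses"/>.</summary>
    [SuppressUnmanagedCodeSecurity]
    [DllImport("wtsapi32", SetLastError = true)]
    public static extern void WTSFreeMemory(IntPtr pMemory);

    /// <summary>
    /// Enumerates processes on the terminal server; <paramref name="ProcessHandle"/> is the server handle
    /// (<see cref="WTC_CURRENT_SERVER_HANDLE"/> for the local machine, despite the parameter name).
    /// </summary>
    [SuppressUnmanagedCodeSecurity]
    [DllImport("wtsapi32", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern bool WTSEnumerateProcesses(
        IntPtr ProcessHandle,
        int Reserved,
        uint Version,
        ref IntPtr ppProcessInfo,
        ref uint pCount);

    /// <summary>Closes any kernel handle (process, thread, token, find handle is NOT one: use <see cref="FindClose"/>).</summary>
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hSnapshot);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool RevertToSelf();

    /// <summary>Session id of the interactive console user, or 0xFFFFFFFF when nobody is logged on.</summary>
    [DllImport("kernel32.dll")]
    public static extern uint WTSGetActiveConsoleSessionId();

    /// <summary>Resolves a SID to account and domain name; <paramref name="peUse"/> receives the SID_NAME_USE value.</summary>
    [DllImport("advapi32", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern bool LookupAccountSid(
        string lpSystemName,
        IntPtr pSid,
        StringBuilder Account,
        ref int cbName,
        StringBuilder DomainName,
        ref int cbDomainName,
        ref int peUse);

    /// <summary>Starts a directory enumeration; returns INVALID_HANDLE_VALUE (-1) on failure. Release with <see cref="FindClose"/>.</summary>
    [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern IntPtr FindFirstFile(
        string lpFileName,
        out WIN32.WIN32_FIND_DATA lpFindFileData);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool FindClose(IntPtr hFindFile);

    // ---- kernel32.dll: INI access ---------------------------------------------------------------------------

    /// <summary>ANSI entry point: the returned buffer holds NUL-separated section names, terminated by a double NUL.</summary>
    [DllImport("kernel32.dll", EntryPoint = "GetPrivateProfileSectionNamesA", SetLastError = true)]
    public static extern int GetPrivateProfileSectionNames(
        byte[] lpszReturnBuffer,
        int nSize,
        string lpFileName);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint GetPrivateProfileString(
        string lpAppName,
        string lpKeyName,
        string lpDefault,
        StringBuilder lpReturnedString,
        uint nSize,
        string lpFileName);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool WritePrivateProfileString(
        string lpAppName,
        string lpKeyName,
        string lpString,
        string lpFileName);

    // ---- SysHook.dll (vendor library shipped next to the service) -----------------------------------------------

    /// <summary>Vendor hook installation; semantics are not visible here. Loaded by bare name via the DLL search order.</summary>
    [DllImport("SysHook.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern void InstallLaunchEv();

    [DllImport("SysHook.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern void UninstallLaunchEv();

    // ---- kernel32.dll: drives --------------------------------------------------------------------------------

    /// <summary>Bitmask of drive letters in use (bit 0 = A:); 0 signals failure.</summary>
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint GetLogicalDrives();

    /// <summary>Defines, redefines or removes an MS-DOS device name such as a drive letter.</summary>
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool DefineDosDevice(
        uint dwFlags,
        string lpDeviceName,
        string lpTargetPath);

    /// <summary>Unicode variant; the struct it fills is the one <see cref="CreateProcess"/> expects.</summary>
    [DllImport("kernel32.dll", EntryPoint = "GetStartupInfoW")]
    public static extern void GetStartupInfo(out WIN32.STARTUPINFO lpStartupInfo);

    // ---- callback, enums -----------------------------------------------------------------------------------------

    /// <summary>WIMGAPI message callback; <paramref name="msgId"/> is one of <see cref="WIMMSGENUM"/>.</summary>
    public delegate int WIMMessageCallback(int msgId, IntPtr param1, IntPtr param2, IntPtr unused);

    public enum Bool
    {
        False,
        True,
    }

    /// <summary>WIM_MSG_* message ids delivered to <see cref="WIMMessageCallback"/> (WM_APP + 0x1476 onwards).</summary>
    public enum WIMMSGENUM
    {
        WIM_MSG = 38006, // 0x00009476
        WIM_MSG_TEXT = 38007, // 0x00009477
        WIM_MSG_PROGRESS = 38008, // 0x00009478
        WIM_MSG_PROCESS = 38009, // 0x00009479
        WIM_MSG_SCANNING = 38010, // 0x0000947A
        WIM_MSG_SETRANGE = 38011, // 0x0000947B
        WIM_MSG_SETPOS = 38012, // 0x0000947C
        WIM_MSG_STEPIT = 38013, // 0x0000947D
        WIM_MSG_COMPRESS = 38014, // 0x0000947E
        WIM_MSG_ERROR = 38015, // 0x0000947F
        WIM_MSG_ALIGNMENT = 38016, // 0x00009480
        WIM_MSG_RETRY = 38017, // 0x00009481
        WIM_MSG_SPLIT = 38018, // 0x00009482
        WIM_MSG_FILEINFO = 38019, // 0x00009483
        WIM_MSG_INFO = 38020, // 0x00009484
        WIM_MSG_WARNING = 38021, // 0x00009485
        WIM_MSG_CHK_PROCESS = 38022, // 0x00009486
    }

    /// <summary>FOF_* flags for <see cref="SHFILEOPSTRUCT.fFlags"/>; combinable, so callers OR them together.</summary>
    public enum FILEOP_FLAGS_ENUM : ushort
    {
        FOF_MULTIDESTFILES = 1,
        FOF_CONFIRMMOUSE = 2,
        FOF_SILENT = 4,
        FOF_RENAMEONCOLLISION = 8,
        FOF_NOCONFIRMATION = 16, // 0x0010
        FOF_WANTMAPPINGHANDLE = 32, // 0x0020
        FOF_ALLOWUNDO = 64, // 0x0040
        FOF_FILESONLY = 128, // 0x0080
        FOF_SIMPLEPROGRESS = 256, // 0x0100
        FOF_NOCONFIRMMKDIR = 512, // 0x0200
        FOF_NOERRORUI = 1024, // 0x0400
        FOF_NOCOPYSECURITYATTRIBS = 2048, // 0x0800
        FOF_NORECURSION = 4096, // 0x1000
        FOF_NO_CONNECTED_ELEMENTS = 8192, // 0x2000
        FOF_WANTNUKEWARNING = 16384, // 0x4000
        FOF_NORECURSEREPARSE = 32768, // 0x8000
    }

    /// <summary>Operation selector for <see cref="SHFILEOPSTRUCT.wFunc"/>.</summary>
    public enum FO_Func : uint
    {
        FO_MOVE = 1,
        FO_COPY = 2,
        FO_DELETE = 3,
        FO_RENAME = 4,
    }

    public enum SECURITY_IMPERSONATION_LEVEL
    {
        SecurityAnonymous,
        SecurityIdentification,
        SecurityImpersonation,
        SecurityDelegation,
    }

    public enum TOKEN_TYPE
    {
        TokenPrimary = 1,
        TokenImpersonation = 2,
    }

    // ---- marshalling structs ----------------------------------------------------------------------------------

    /// <summary>Native GUID layout (4 + 2 + 2 + 8 bytes) used inside <see cref="WIM_INFO"/>.</summary>
    public struct GUID
    {
        public int a;
        public short b;
        public short c;
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
        public byte[] d;
    }

    /// <summary>Mirrors the native <c>WIM_INFO</c> filled by <see cref="WIMGetAttributes"/>.</summary>
    [StructLayout(LayoutKind.Explicit, Size = 560, CharSet = CharSet.Auto)]
    public struct WIM_INFO
    {
        // Native field is an inline WCHAR[MAX_PATH] (520 bytes; Guid follows at 520). Without ByValTStr the
        // marshaller treats a string field as a pointer and reinterprets the first bytes of the path as an
        // address when copying the struct back to managed memory.
        [FieldOffset(0)]
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)]
        public string WimPath;
        [FieldOffset(520)]
        public WIN32.GUID Guid;
        [FieldOffset(536)]
        public int ImageCount;
        [FieldOffset(540)]
        public int CompressionType;
        // Natively USHORT fields; only the low byte is surfaced here (little-endian), kept for compatibility.
        [FieldOffset(544)]
        public byte PartNumber;
        [FieldOffset(546)]
        public byte TotalParts;
        [FieldOffset(548)]
        public int BootIndex;
        [FieldOffset(552)]
        public int WimAttributes;
        [FieldOffset(556)]
        public int WimFlagsAndAttr;
    }

    /// <summary>Argument block for <see cref="SHFileOperation"/>; <c>pFrom</c>/<c>pTo</c> are double-NUL-terminated lists.</summary>
    /// <remarks>
    /// NOTE(review): the native struct is declared with 1-byte packing on 32-bit Windows; this default-packed
    /// sequential layout matches the 64-bit declaration. Confirm the bitness the assembly is built for.
    /// </remarks>
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct SHFILEOPSTRUCT
    {
        public IntPtr hwnd;
        public WIN32.FO_Func wFunc;
        [MarshalAs(UnmanagedType.LPWStr)]
        public string pFrom;
        [MarshalAs(UnmanagedType.LPWStr)]
        public string pTo;
        public ushort fFlags;
        public bool fAnyOperationsAborted;
        public IntPtr hNameMappings;
        [MarshalAs(UnmanagedType.LPWStr)]
        public string lpszProgressTitle;
    }

    /// <summary>Output of <see cref="CreateProcess"/>/<see cref="CreateProcessAsUser"/>; both handles must be closed by the caller.</summary>
    public struct PROCESS_INFORMATION
    {
        public IntPtr hProcess;
        public IntPtr hThread;
        public uint dwProcessId;
        public uint dwThreadId;
    }

    /// <summary>STARTUPINFOW; <c>cb</c> must be set to <c>Marshal.SizeOf(typeof(STARTUPINFO))</c> before use.</summary>
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb;
        [MarshalAs(UnmanagedType.LPWStr)]
        public string lpReserved;
        [MarshalAs(UnmanagedType.LPWStr)]
        public string lpDesktop;
        [MarshalAs(UnmanagedType.LPWStr)]
        public string lpTitle;
        public int dwX;
        public int dwY;
        public int dwXSize;
        public int dwYSize;
        public int dwXCountChars;
        public int dwYCountChars;
        public int dwFillAttribute;
        public int dwFlags;
        public short wShowWindow;
        public short cbReserved2;
        public IntPtr lpReserved2;
        public IntPtr hStdInput;
        public IntPtr hStdOutput;
        public IntPtr hStdError;
    }

    /// <summary>Element of the array returned by <see cref="WTSEnumerateProcesses"/> (WTS_PROCESS_INFO).</summary>
    /// <remarks>
    /// Layout made explicit and given the same <c>CharSet.Auto</c> as the importing function so that the
    /// <c>LPTStr</c> name field follows the entry point's ANSI/Unicode choice.
    /// </remarks>
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
    public struct WTSProcessInfo
    {
        internal uint SessionId;
        internal uint ProcessId;
        [MarshalAs(UnmanagedType.LPTStr)]
        internal string pProcessName;
        internal IntPtr pUserSid;
    }

    /// <summary>Result of <see cref="FindFirstFile"/>/<see cref="FindNextFile"/>; compare <c>dwFileAttributes</c> with <see cref="FILE_ATTRIBUTE_DIRECTORY"/>.</summary>
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
    public struct WIN32_FIND_DATA
    {
        public uint dwFileAttributes;
        public FILETIME ftCreationTime;
        public FILETIME ftLastAccessTime;
        public FILETIME ftLastWriteTime;
        public uint nFileSizeHigh;
        public uint nFileSizeLow;
        public uint dwReserved0;
        public uint dwReserved1;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)]
        public string cFileName;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 14)]
        public string cAlternateFileName;
    }

    /// <summary>SECURITY_ATTRIBUTES; <c>nLength</c> must be set to the struct size, <c>bInheritHandle</c> is a Win32 BOOL.</summary>
    public struct SECURITY_ATTRIBUTES
    {
        public int nLength;
        public IntPtr lpSecurityDescriptor;
        public int bInheritHandle;
    }
}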
}