// Decompiled with JetBrains decompiler
// Type: eRecoveryService.WIN32
// Assembly: eRecoveryService, Version=2.5.3.6, Culture=neutral, PublicKeyToken=null
// MVID: 08DF666A-8C92-4CCB-869A-390134BB6787
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan.Win32.Patched.mf-d8d6de6a708417645ef396f90e846eda5ae240e20dd2ceba0b7c9c1e4a6a7d77.exe
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Text;
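namespace eRecoveryService
{
    /// <summary>
    /// Native (P/Invoke) surface of the Acer eRecovery service as recovered by a
    /// decompiler. The class holds only declarations: path constants, Win32 access
    /// masks and flags, extern entry points into wimgapi/kernel32/advapi32/wtsapi32/
    /// shell32 and one vendor DLL, plus the enums and marshaling structs they use.
    /// None of the calling logic is in this file, so any statement below about how
    /// these primitives are combined is an inference from the imports themselves.
    /// </summary>
    /// <remarks>
    /// Security review notes (what a defender or auditor should take from this file):
    /// <list type="bullet">
    /// <item>The token imports (WTSEnumerateProcesses, OpenProcess, OpenProcessToken,
    /// DuplicateTokenEx, CreateProcessAsUser, ImpersonateLoggedOnUser,
    /// WTSGetActiveConsoleSessionId) are the textbook set a SYSTEM service uses to
    /// launch a program in the interactive user's session. The same set is what
    /// token-theft tooling uses, so this import combination is worth a detection
    /// rule on its own; it is not by itself evidence of malice.</item>
    /// <item>SysHook.dll is imported by bare file name and therefore resolved through
    /// the DLL search order (see the two extern declarations near the end).</item>
    /// <item>All fixed paths live under C:\Acer\Empowering Technology\eRecovery. If a
    /// standard user can write there, the INI and WIM image consumed by this service
    /// decide what runs as SYSTEM. The directory ACL is not visible here - verify.</item>
    /// <item>The sample this was decompiled from is catalogued as Trojan.Win32.Patched.
    /// That verdict family typically describes a modified host binary rather than
    /// the MSIL shown here; the listing itself cannot confirm or refute that.</item>
    /// </list>
    /// Changes relative to the decompiled original: WIM_INFO.WimPath is now marshaled
    /// as an inline 260-WCHAR buffer (the native layout), and the kernel32 imports
    /// that report failure through GetLastError carry SetLastError = true so that
    /// Marshal.GetLastWin32Error() is meaningful after them. Every public name,
    /// parameter and field type is unchanged.
    /// </remarks>
    public class WIN32
    {
        // ---------------------------------------------------------------------
        // Vendor paths and command-line fragments
        // ---------------------------------------------------------------------

        /// <summary>INI file read/written through the GetPrivateProfile*/WritePrivateProfileString imports below.</summary>
        public const string g_szC_AutorunIni = "C:\\Acer\\Empowering Technology\\eRecovery\\Autorun.ini";

        /// <summary>Folder that the autorun INI refers to; enumerated with FindFirstFile/FindNextFile (presumably).</summary>
        public const string g_szC_AutorunFolder = "C:\\Acer\\Empowering Technology\\eRecovery\\Autorun";

        /// <summary>
        /// NT object-manager path of the first partition on disk 0. Together with the
        /// DefineDosDevice import this looks like the hidden recovery partition being
        /// given a drive letter; the actual call sequence is outside this file.
        /// </summary>
        public const string HIDDEN_PATH = "\\Device\\Harddisk0\\Partition1";

        /// <summary>
        /// Tail of a command line: <c>\imagex.exe" /apply</c>. Note it ends a quoted
        /// path but does not start one - the caller has to prepend the opening quote
        /// and the drive/root. A path with spaces is only safe if that quote is really
        /// added; the assembling code is not visible here.
        /// </summary>
        public const string g_szH_AutorunExe = "\\imagex.exe\" /apply";

        /// <summary>Relative path of the WIM image to apply (under whatever root the caller mounts).</summary>
        public const string g_sz_CompressFileSrc = "\\autorun\\swcd.wim";

        /// <summary>Destination directory for the applied image.</summary>
        public const string g_sz_ExtractDestFolder = "C:\\Acer\\Empowering Technology\\eRecovery";

        // ---------------------------------------------------------------------
        // Win32 constants
        // ---------------------------------------------------------------------

        /// <summary>Win32 error code 259 (ERROR_NO_MORE_ITEMS).</summary>
        public const int ERROR_NO_MORE_ITEMS = 259;

        /// <summary>Token access bit: allows DuplicateTokenEx on the token.</summary>
        public const uint TOKEN_DUPLICATE = 2;

        /// <summary>Token access bit: allows GetTokenInformation on the token.</summary>
        public const uint TOKEN_QUERY = 8;

        /// <summary>
        /// Token access bit: allows the token to become a process's primary token.
        /// TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_ASSIGN_PRIMARY (0xB) is the least
        /// privilege needed to duplicate a token into a primary one for CreateProcessAsUser.
        /// </summary>
        public const uint TOKEN_ASSIGN_PRIMARY = 1;

        /// <summary>CreateProcess dwCreationFlags: CREATE_NEW_CONSOLE (0x10).</summary>
        public const uint CREATE_NEW_CONSOLE = 16;

        /// <summary>CreateProcess dwCreationFlags: BELOW_NORMAL_PRIORITY_CLASS (0x4000).</summary>
        public const uint BELOW_NORMAL_PRIORITY_CLASS = 16384;

        /// <summary>CreateProcess dwCreationFlags: NORMAL_PRIORITY_CLASS (0x20).</summary>
        public const uint NORMAL_PRIORITY_CLASS = 32;

        /// <summary>FILE_ATTRIBUTE_DIRECTORY (0x10), tested against WIN32_FIND_DATA.dwFileAttributes.</summary>
        public const uint FILE_ATTRIBUTE_DIRECTORY = 16;

        /// <summary>WTS_CURRENT_SERVER_HANDLE - the local terminal server - for WTSEnumerateProcesses.</summary>
        public static readonly IntPtr WTC_CURRENT_SERVER_HANDLE = IntPtr.Zero;

        // ---------------------------------------------------------------------
        // wimgapi.dll - Windows Imaging API
        // ---------------------------------------------------------------------

        /// <summary>
        /// Registers a progress/message callback for a WIM handle (or globally when
        /// hwim is zero). Returns the callback index, or 0xFFFFFFFF on failure.
        /// The delegate passed as fpMessageProc must be kept alive by the caller for
        /// as long as it is registered; the marshaler does not root it.
        /// </summary>
        [DllImport("wimgapi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
        public static extern uint WIMRegisterMessageCallback(
            IntPtr hwim,
            WIN32.WIMMessageCallback fpMessageProc,
            IntPtr lpvUserData);

        /// <summary>
        /// Opens or creates a .wim file. Returns a WIM handle or IntPtr.Zero on failure.
        /// </summary>
        /// <remarks>
        /// NOTE(review): the native last parameter is an optional PDWORD that receives
        /// the creation result. It is declared here as a plain <c>int</c>, so the only
        /// value that is correct to pass is 0 (NULL), and even that is only reliable in
        /// a 32-bit process where int and pointer are the same width. Left unchanged to
        /// keep callers compiling; a rebuild should use <c>IntPtr</c> or <c>out uint</c>.
        /// </remarks>
        [DllImport("wimgapi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
        public static extern IntPtr WIMCreateFile(
            string lpszWimPath,
            int dwDesiredAccess,
            int dwCreationDisposition,
            int dwFlagsAndAttributes,
            int dwCompressionType,
            int lpdwCreationResult);

        /// <summary>
        /// Fills lpWimInfo for an open WIM handle. cbWimInfo must be the size of the
        /// native WIM_INFO, i.e. 560 bytes (Marshal.SizeOf(typeof(WIM_INFO))).
        /// </summary>
        [DllImport("wimgapi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
        public static extern bool WIMGetAttributes(
            IntPtr hWim,
            ref WIN32.WIM_INFO lpWimInfo,
            int cbWimInfo);

        /// <summary>
        /// Sets the scratch directory used while applying/capturing. When the service
        /// runs as SYSTEM, a temp path that unprivileged users can create files in is a
        /// planting opportunity; which path is used is decided by the caller, not here.
        /// </summary>
        [DllImport("wimgapi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
        public static extern bool WIMSetTemporaryPath(IntPtr hWim, string lpszPath);

        /// <summary>Loads image number dwImageIndex (1-based) from an open WIM. Returns an image handle or IntPtr.Zero.</summary>
        [DllImport("wimgapi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
        public static extern IntPtr WIMLoadImage(IntPtr hwim, int dwImageIndex);

        /// <summary>
        /// Extracts a loaded image onto lpszPath with the caller's privileges. Run as
        /// SYSTEM this writes wherever lpszPath points, so the destination (and the
        /// image contents) must be trusted.
        /// </summary>
        [DllImport("wimgapi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
        public static extern bool WIMApplyImage(IntPtr hImage, string lpszPath, int dwApplyFlags);

        /// <summary>Closes a WIM or image handle.</summary>
        [DllImport("wimgapi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
        public static extern bool WIMCloseHandle(IntPtr hObject);

        /// <summary>Removes a callback previously registered with WIMRegisterMessageCallback.</summary>
        [DllImport("wimgapi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
        public static extern bool WIMUnregisterMessageCallback(
            IntPtr hwim,
            WIN32.WIMMessageCallback fpMessageProc);

        // ---------------------------------------------------------------------
        // kernel32.dll - files, processes, INI, drives
        // ---------------------------------------------------------------------

        /// <summary>Sets the calling thread's last-error value (typically to 0 before a call whose failure is detected via GetLastError).</summary>
        [DllImport("kernel32.dll")]
        public static extern void SetLastError(uint dwErrCode);

        /// <summary>
        /// Continues a FindFirstFile enumeration. Returns false when done or on error;
        /// Marshal.GetLastWin32Error() distinguishes the two (ERROR_NO_MORE_FILES = 18).
        /// CharSet.Auto selects the W entry point, matching WIN32_FIND_DATA below.
        /// </summary>
        [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern bool FindNextFile(
            IntPtr hFindFile,
            out WIN32.WIN32_FIND_DATA lpFindFileData);

        /// <summary>
        /// Creates a process in the caller's security context.
        /// </summary>
        /// <remarks>
        /// NOTE(review): no CharSet is given, so this binds to CreateProcessA, yet the
        /// STARTUPINFO struct below marshals lpDesktop/lpTitle as LPWStr (and is filled
        /// by GetStartupInfoW). If either string is non-null the A entry point will
        /// misread it. Switching this import to Unicode is not a local fix: CreateProcessW
        /// may write into lpCommandLine, which then has to become a StringBuilder.
        /// Also, <c>ref SECURITY_ATTRIBUTES</c> cannot express NULL; callers must pass a
        /// zeroed struct instead.
        /// </remarks>
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool CreateProcess(
            string lpApplicationName,
            string lpCommandLine,
            ref WIN32.SECURITY_ATTRIBUTES lpProcessAttributes,
            ref WIN32.SECURITY_ATTRIBUTES lpThreadAttributes,
            bool bInheritHandles,
            uint dwCreationFlags,
            IntPtr lpEnvironment,
            string lpCurrentDirectory,
            [In] ref WIN32.STARTUPINFO lpStartupInfo,
            out WIN32.PROCESS_INFORMATION lpProcessInformation);

        /// <summary>
        /// Copies/moves/deletes/renames via the shell. Returns 0 on success or a
        /// shell-specific error code (not a Win32 last-error), hence no SetLastError.
        /// </summary>
        [DllImport("shell32.dll", CharSet = CharSet.Unicode)]
        public static extern int SHFileOperation([In] ref WIN32.SHFILEOPSTRUCT lpFileOp);

        /// <summary>
        /// Opens a handle to a process by id. For the token path that follows
        /// (OpenProcessToken), PROCESS_QUERY_INFORMATION is the minimal access to ask for.
        /// </summary>
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr OpenProcess(
            uint dwDesiredAccess,
            bool bInheritHandle,
            uint dwProcessId);

        // ---------------------------------------------------------------------
        // advapi32.dll - tokens and impersonation
        // ---------------------------------------------------------------------

        /// <summary>
        /// Creates a process running under hToken (a primary token). From a SYSTEM
        /// service this is how a program is started in another user's session.
        /// </summary>
        /// <remarks>
        /// NOTE(review): this is the W entry point, and CreateProcessW may modify the
        /// lpCommandLine buffer. Passing a managed <c>string</c> lets the marshaler hand
        /// over a pointer into the (possibly interned) string itself; the documented
        /// safe form is a StringBuilder. Whether this bites depends on how the caller
        /// builds the string, which is not visible here.
        /// </remarks>
        [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
        public static extern bool CreateProcessAsUser(
            IntPtr hToken,
            string lpApplicationName,
            string lpCommandLine,
            IntPtr lpProcessAttributes,
            IntPtr lpThreadAttributes,
            bool bInheritHandles,
            uint dwCreationFlags,
            IntPtr lpEnvironment,
            string lpCurrentDirectory,
            ref WIN32.STARTUPINFO lpStartupInfo,
            out WIN32.PROCESS_INFORMATION lpProcessInformation);

        /// <summary>Makes the calling thread run under hToken until RevertToSelf.</summary>
        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern bool ImpersonateLoggedOnUser(IntPtr hToken);

        /// <summary>
        /// Duplicates a token, optionally converting impersonation to primary
        /// (TokenType = TokenPrimary) for use with CreateProcessAsUser.
        /// </summary>
        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern bool DuplicateTokenEx(
            IntPtr hExistingToken,
            uint dwDesiredAccess,
            IntPtr lpTokenAttributes,
            WIN32.SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
            WIN32.TOKEN_TYPE TokenType,
            out IntPtr phNewToken);

        /// <summary>Opens the primary token of a process. DesiredAccess is a TOKEN_* mask (see constants above).</summary>
        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern bool OpenProcessToken(
            IntPtr ProcessHandle,
            uint DesiredAccess,
            out IntPtr TokenHandle);

        // ---------------------------------------------------------------------
        // wtsapi32.dll - terminal-services session/process enumeration
        // ---------------------------------------------------------------------

        /// <summary>
        /// Frees memory returned by WTSEnumerateProcesses. SuppressUnmanagedCodeSecurity
        /// skips the CAS stack walk on each call - only meaningful under legacy CAS.
        /// </summary>
        [SuppressUnmanagedCodeSecurity]
        [DllImport("wtsapi32", SetLastError = true)]
        public static extern void WTSFreeMemory(IntPtr pMemory);

        /// <summary>
        /// Lists processes on the server with their session ids and user SIDs
        /// (array of WTSProcessInfo at ppProcessInfo, pCount entries; free with
        /// WTSFreeMemory). Version must be 1. This is the usual way to locate a process
        /// in the console session whose token can then be borrowed.
        /// </summary>
        [SuppressUnmanagedCodeSecurity]
        [DllImport("wtsapi32", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern bool WTSEnumerateProcesses(
            IntPtr ProcessHandle,
            int Reserved,
            uint Version,
            ref IntPtr ppProcessInfo,
            ref uint pCount);

        /// <summary>Closes a kernel handle (process, token, etc.).</summary>
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool CloseHandle(IntPtr hSnapshot);

        /// <summary>Ends impersonation started by ImpersonateLoggedOnUser.</summary>
        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern bool RevertToSelf();

        /// <summary>Session id of the physical console; 0xFFFFFFFF when no session is attached.</summary>
        [DllImport("kernel32.dll")]
        public static extern uint WTSGetActiveConsoleSessionId();

        /// <summary>
        /// Resolves a SID to account and domain names (for example the pUserSid from
        /// WTSProcessInfo). cbName/cbDomainName are in/out character counts.
        /// </summary>
        [DllImport("advapi32", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern bool LookupAccountSid(
            string lpSystemName,
            IntPtr pSid,
            StringBuilder Account,
            ref int cbName,
            StringBuilder DomainName,
            ref int cbDomainName,
            ref int peUse);

        /// <summary>Starts a directory enumeration. Returns INVALID_HANDLE_VALUE (-1) on failure; close with FindClose.</summary>
        [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern IntPtr FindFirstFile(
            string lpFileName,
            out WIN32.WIN32_FIND_DATA lpFindFileData);

        /// <summary>Closes a FindFirstFile handle.</summary>
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool FindClose(IntPtr hFindFile);

        /// <summary>
        /// Reads all section names of an INI file (ANSI entry point, explicitly) into
        /// lpszReturnBuffer as NUL-separated strings ending in a double NUL. Returns
        /// the number of characters copied; nSize - 2 means the buffer was too small.
        /// </summary>
        [DllImport("kernel32.dll", EntryPoint = "GetPrivateProfileSectionNamesA")]
        public static extern int GetPrivateProfileSectionNames(
            byte[] lpszReturnBuffer,
            int nSize,
            string lpFileName);

        /// <summary>
        /// Reads one INI value (ANSI, the default for DllImport without a CharSet).
        /// Values read from g_szC_AutorunIni feed the command line and paths above, so
        /// the INI's write ACL is part of this service's trust boundary.
        /// </summary>
        [DllImport("kernel32.dll")]
        public static extern uint GetPrivateProfileString(
            string lpAppName,
            string lpKeyName,
            string lpDefault,
            StringBuilder lpReturnedString,
            uint nSize,
            string lpFileName);

        /// <summary>Writes one INI value (ANSI). A null lpString deletes the key.</summary>
        [DllImport("kernel32.dll")]
        public static extern bool WritePrivateProfileString(
            string lpAppName,
            string lpKeyName,
            string lpString,
            string lpFileName);

        // ---------------------------------------------------------------------
        // SysHook.dll - vendor library, purpose not visible in this file
        // ---------------------------------------------------------------------

        /// <summary>
        /// Vendor hook installer. The DLL is referenced by bare name, so the loader
        /// walks the DLL search order starting with the application directory. If that
        /// directory (or any earlier search location) is writable by non-admins, a
        /// planted SysHook.dll runs inside the service. Whether the directory ACL
        /// permits that cannot be determined from this listing.
        /// </summary>
        [DllImport("SysHook.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern void InstallLaunchEv();

        /// <summary>Counterpart of InstallLaunchEv; same DLL-search-order caveat applies.</summary>
        [DllImport("SysHook.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern void UninstallLaunchEv();

        /// <summary>Bitmask of drive letters in use (bit 0 = A:). Presumably used to pick a free letter for DefineDosDevice.</summary>
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern uint GetLogicalDrives();

        /// <summary>
        /// Creates, redefines or removes (DDD_REMOVE_DEFINITION) a DOS device name.
        /// Called from a service this acts on the global device namespace, so a drive
        /// letter mapped onto HIDDEN_PATH is visible to every session until it is
        /// removed again; whether the caller removes it is outside this file.
        /// </summary>
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool DefineDosDevice(
            uint dwFlags,
            string lpDeviceName,
            string lpTargetPath);

        /// <summary>Retrieves the current process's STARTUPINFO (Unicode), typically to seed CreateProcess*.</summary>
        [DllImport("kernel32.dll", EntryPoint = "GetStartupInfoW")]
        public static extern void GetStartupInfo(out WIN32.STARTUPINFO lpStartupInfo);

        // ---------------------------------------------------------------------
        // Callback, enums
        // ---------------------------------------------------------------------

        /// <summary>
        /// wimgapi message callback: msgId is a WIMMSGENUM value, param1/param2 are the
        /// message-specific WPARAM/LPARAM, unused is the user data. Return 0
        /// (WIM_MSG_SUCCESS) to continue.
        /// </summary>
        public delegate int WIMMessageCallback(int msgId, IntPtr param1, IntPtr param2, IntPtr unused);

        /// <summary>Win32-style BOOL as an enum (0 = FALSE, 1 = TRUE).</summary>
        public enum Bool
        {
            False,
            True,
        }

        /// <summary>wimgapi callback message ids (WM_APP + 0x1476 onwards).</summary>
        public enum WIMMSGENUM
        {
            WIM_MSG = 38006, // 0x00009476
            WIM_MSG_TEXT = 38007, // 0x00009477
            WIM_MSG_PROGRESS = 38008, // 0x00009478
            WIM_MSG_PROCESS = 38009, // 0x00009479
            WIM_MSG_SCANNING = 38010, // 0x0000947A
            WIM_MSG_SETRANGE = 38011, // 0x0000947B
            WIM_MSG_SETPOS = 38012, // 0x0000947C
            WIM_MSG_STEPIT = 38013, // 0x0000947D
            WIM_MSG_COMPRESS = 38014, // 0x0000947E
            WIM_MSG_ERROR = 38015, // 0x0000947F
            WIM_MSG_ALIGNMENT = 38016, // 0x00009480
            WIM_MSG_RETRY = 38017, // 0x00009481
            WIM_MSG_SPLIT = 38018, // 0x00009482
            WIM_MSG_FILEINFO = 38019, // 0x00009483
            WIM_MSG_INFO = 38020, // 0x00009484
            WIM_MSG_WARNING = 38021, // 0x00009485
            WIM_MSG_CHK_PROCESS = 38022, // 0x00009486
        }

        /// <summary>
        /// SHFileOperation fFlags bits (FILEOP_FLAGS is a 16-bit WORD). FOF_SILENT,
        /// FOF_NOCONFIRMATION and FOF_NOERRORUI together give a fully non-interactive
        /// operation, which is what a service would need.
        /// </summary>
        public enum FILEOP_FLAGS_ENUM : ushort
        {
            FOF_MULTIDESTFILES = 1,
            FOF_CONFIRMMOUSE = 2,
            FOF_SILENT = 4,
            FOF_RENAMEONCOLLISION = 8,
            FOF_NOCONFIRMATION = 16, // 0x0010
            FOF_WANTMAPPINGHANDLE = 32, // 0x0020
            FOF_ALLOWUNDO = 64, // 0x0040
            FOF_FILESONLY = 128, // 0x0080
            FOF_SIMPLEPROGRESS = 256, // 0x0100
            FOF_NOCONFIRMMKDIR = 512, // 0x0200
            FOF_NOERRORUI = 1024, // 0x0400
            FOF_NOCOPYSECURITYATTRIBS = 2048, // 0x0800
            FOF_NORECURSION = 4096, // 0x1000
            FOF_NO_CONNECTED_ELEMENTS = 8192, // 0x2000
            FOF_WANTNUKEWARNING = 16384, // 0x4000
            FOF_NORECURSEREPARSE = 32768, // 0x8000
        }

        /// <summary>SHFileOperation wFunc values.</summary>
        public enum FO_Func : uint
        {
            FO_MOVE = 1,
            FO_COPY = 2,
            FO_DELETE = 3,
            FO_RENAME = 4,
        }

        /// <summary>
        /// SECURITY_IMPERSONATION_LEVEL for DuplicateTokenEx. SecurityImpersonation is
        /// the lowest level that lets the duplicate be used for a new process.
        /// </summary>
        public enum SECURITY_IMPERSONATION_LEVEL
        {
            SecurityAnonymous,
            SecurityIdentification,
            SecurityImpersonation,
            SecurityDelegation,
        }

        /// <summary>TOKEN_TYPE for DuplicateTokenEx: TokenPrimary is required by CreateProcessAsUser.</summary>
        public enum TOKEN_TYPE
        {
            TokenPrimary = 1,
            TokenImpersonation = 2,
        }

        // ---------------------------------------------------------------------
        // Marshaling structs
        // ---------------------------------------------------------------------

        /// <summary>Native GUID (16 bytes: int, short, short, byte[8]).</summary>
        public struct GUID
        {
            public int a;
            public short b;
            public short c;
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
            public byte[] d;
        }

        /// <summary>
        /// Native WIM_INFO (560 bytes) filled by WIMGetAttributes. The native struct
        /// starts with an inline WCHAR[MAX_PATH] (260 * 2 = 520 bytes), which is why
        /// Guid sits at offset 520 and the total is 560.
        /// </summary>
        /// <remarks>
        /// Fix relative to the decompiled code: WimPath was a plain <c>string</c>, which
        /// in an explicit-layout struct marshals as a pointer. WIMGetAttributes writes
        /// 520 bytes of characters at offset 0, overwriting that pointer slot, and the
        /// marshal-back then dereferences character data as a string pointer. ByValTStr
        /// with SizeConst = 260 reproduces the inline buffer; CharSet is Unicode because
        /// the native field is WCHAR and the 520-byte spacing only adds up with 2-byte
        /// characters. The public type of the field is unchanged.
        /// NOTE(review): PartNumber/TotalParts are 2 bytes apart (544/546), i.e. 16-bit
        /// native fields; declaring them as <c>byte</c> keeps only the low byte. Left as
        /// is to preserve the field types.
        /// </remarks>
        [StructLayout(LayoutKind.Explicit, Size = 560, CharSet = CharSet.Unicode)]
        public struct WIM_INFO
        {
            [FieldOffset(0)]
            [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)]
            public string WimPath;
            [FieldOffset(520)]
            public WIN32.GUID Guid;
            [FieldOffset(536)]
            public int ImageCount;
            [FieldOffset(540)]
            public int CompressionType;
            [FieldOffset(544)]
            public byte PartNumber;
            [FieldOffset(546)]
            public byte TotalParts;
            [FieldOffset(548)]
            public int BootIndex;
            [FieldOffset(552)]
            public int WimAttributes;
            [FieldOffset(556)]
            public int WimFlagsAndAttr;
        }

        /// <summary>
        /// Native SHFILEOPSTRUCTW. pFrom/pTo are double-NUL-terminated lists; fFlags
        /// takes FILEOP_FLAGS_ENUM bits.
        /// </summary>
        /// <remarks>
        /// NOTE(review): on 32-bit Windows the native struct is 1-byte packed, so with
        /// default packing fAnyOperationsAborted, hNameMappings and lpszProgressTitle
        /// land at the wrong offsets in an x86 process (the sample is a Win32 binary).
        /// A rebuild targeting x86 should add Pack = 1; x64 uses natural alignment and
        /// must not. Left unchanged here because the fix is platform-specific.
        /// </remarks>
        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        public struct SHFILEOPSTRUCT
        {
            public IntPtr hwnd;
            public WIN32.FO_Func wFunc;
            [MarshalAs(UnmanagedType.LPWStr)]
            public string pFrom;
            [MarshalAs(UnmanagedType.LPWStr)]
            public string pTo;
            public ushort fFlags;
            public bool fAnyOperationsAborted;
            public IntPtr hNameMappings;
            [MarshalAs(UnmanagedType.LPWStr)]
            public string lpszProgressTitle;
        }

        /// <summary>Native PROCESS_INFORMATION. Both handles must be closed with CloseHandle.</summary>
        public struct PROCESS_INFORMATION
        {
            public IntPtr hProcess;
            public IntPtr hThread;
            public uint dwProcessId;
            public uint dwThreadId;
        }

        /// <summary>
        /// Native STARTUPINFOW. cb must be set to the struct size before use. lpDesktop
        /// is what selects the target desktop (e.g. "winsta0\default") when a service
        /// launches into a user session.
        /// </summary>
        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        public struct STARTUPINFO
        {
            public int cb;
            [MarshalAs(UnmanagedType.LPWStr)]
            public string lpReserved;
            [MarshalAs(UnmanagedType.LPWStr)]
            public string lpDesktop;
            [MarshalAs(UnmanagedType.LPWStr)]
            public string lpTitle;
            public int dwX;
            public int dwY;
            public int dwXSize;
            public int dwYSize;
            public int dwXCountChars;
            public int dwYCountChars;
            public int dwFillAttribute;
            public int dwFlags;
            public short wShowWindow;
            public short cbReserved2;
            public IntPtr lpReserved2;
            public IntPtr hStdInput;
            public IntPtr hStdOutput;
            public IntPtr hStdError;
        }

        /// <summary>
        /// One element of the WTS_PROCESS_INFO array returned by WTSEnumerateProcesses.
        /// pUserSid is owned by that buffer and becomes invalid after WTSFreeMemory.
        /// </summary>
        public struct WTSProcessInfo
        {
            internal uint SessionId;
            internal uint ProcessId;
            [MarshalAs(UnmanagedType.LPTStr)]
            internal string pProcessName;
            internal IntPtr pUserSid;
        }

        /// <summary>Native WIN32_FIND_DATA (Auto charset, matching FindFirstFile/FindNextFile).</summary>
        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
        public struct WIN32_FIND_DATA
        {
            public uint dwFileAttributes;
            public FILETIME ftCreationTime;
            public FILETIME ftLastAccessTime;
            public FILETIME ftLastWriteTime;
            public uint nFileSizeHigh;
            public uint nFileSizeLow;
            public uint dwReserved0;
            public uint dwReserved1;
            [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)]
            public string cFileName;
            [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 14)]
            public string cAlternateFileName;
        }

        /// <summary>
        /// Native SECURITY_ATTRIBUTES. A null lpSecurityDescriptor means the default
        /// DACL; bInheritHandle is a BOOL. Passed by ref to CreateProcess above, so a
        /// zeroed instance stands in for a native NULL.
        /// </summary>
        public struct SECURITY_ATTRIBUTES
        {
            public int nLength;
            public IntPtr lpSecurityDescriptor;
            public int bInheritHandle;
        }
    }
}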