// Decompiled with JetBrains decompiler // Type: Microsoft.InfoCards.AccessibilityHelperForXpWin2k3 // Assembly: infocard, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 // MVID: 516D8B44-4448-4D2C-8B8E-FFBB3FFE472B // Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Virus.Win32.Expiro.w-69bb73081eac86b8cf86f45e33515d0095855636967076e2b593d7a30cd80a07.exe using Microsoft.InfoCards.Diagnostics; using Microsoft.Win32; using System; using System.Collections.Generic; using System.Diagnostics; using System.IO; using System.Security.Principal; namespace Microsoft.InfoCards { internal class AccessibilityHelperForXpWin2k3 : IAccessibilityHelper, IDisposable { private const int OSKIndex = 0; private static readonly string systemPath = Environment.GetFolderPath(Environment.SpecialFolder.System); private static readonly string baseRegistryPath = "\\SOFTWARE\\Microsoft\\Utility Manager\\"; private static readonly string keyName = "Start on locked desktop"; internal static AccessibilityHelperForXpWin2k3.DownlevelAtData[] atApplications = new AccessibilityHelperForXpWin2k3.DownlevelAtData[3] { new AccessibilityHelperForXpWin2k3.DownlevelAtData("On-Screen Keyboard", "osk.exe", "msswchx"), new AccessibilityHelperForXpWin2k3.DownlevelAtData("Magnifier", "magnify.exe", (string) null), new AccessibilityHelperForXpWin2k3.DownlevelAtData("Narrator", "narrator.exe", (string) null) }; private List m_restartList = new List(); private ProcessManager m_manager; private bool m_fTabletPC; public AccessibilityHelperForXpWin2k3(bool fTabletPC) => this.m_fTabletPC = fTabletPC; void IAccessibilityHelper.Stop() { if (this.m_manager == null) return; this.m_manager.Dispose(); this.m_manager = (ProcessManager) null; } bool IAccessibilityHelper.RestartOnUsersDesktop( uint userProcessId, string userDesktop, WindowsIdentity userIdentity) { InfoCardTrace.Assert(null == this.m_manager, "The AT applications must be terminated before they can be restarted"); using (new SystemIdentity(false)) { foreach (int restart in this.m_restartList) { string application = Path.Combine(AccessibilityHelperForXpWin2k3.systemPath, AccessibilityHelperForXpWin2k3.atApplications[restart].Image); int pid = 0; int userHelperWrapper = (int) NativeMcppMethods.CreateProcessAsUserHelperWrapper(application, "", userProcessId, userDesktop, userIdentity.Name, ref pid); } } this.m_restartList.Clear(); return false; } void IAccessibilityHelper.RestartOnInfoCardDesktop( uint ATApplicationFlags, SafeNativeHandle hTrustedUserToken, ref string trustedUserSid, string infocardDesktop, int userSessionId, uint userProcessId, WindowsIdentity userIdentity) { using (new SystemIdentity(false)) { InfoCardTrace.Assert(null == this.m_manager, "The AT applications are already started"); this.m_restartList.Clear(); bool flag1 = false; string str = userIdentity.User.Value; for (int index = 0; index < AccessibilityHelperForXpWin2k3.atApplications.Length; ++index) { using (RegistryKey registryKey = Registry.Users.OpenSubKey(str + AccessibilityHelperForXpWin2k3.baseRegistryPath + AccessibilityHelperForXpWin2k3.atApplications[index].RegistryPath)) { bool flag2 = false; int? nullable1 = new int?(); if (registryKey != null && RegistryValueKind.DWord == registryKey.GetValueKind(AccessibilityHelperForXpWin2k3.keyName)) nullable1 = new int?((int) registryKey.GetValue(AccessibilityHelperForXpWin2k3.keyName)); if (nullable1.HasValue) { int? nullable2 = nullable1; if ((1 != nullable2.GetValueOrDefault() ? 0 : (nullable2.HasValue ? 1 : 0)) != 0) goto label_9; } if (this.m_fTabletPC) { if (index != 0) continue; } else continue; label_9: foreach (Process p in Process.GetProcessesByName(AccessibilityHelperForXpWin2k3.atApplications[index].Image.Substring(0, AccessibilityHelperForXpWin2k3.atApplications[index].Image.LastIndexOf('.')))) { flag2 = false; if (userSessionId == p.SessionId) { flag2 = true; this.m_restartList.Add(index); if (!Utility.KillHelper(p)) break; break; } } if (flag2 && AccessibilityHelperForXpWin2k3.atApplications[index].AdditionalImage != null) { foreach (Process p in Process.GetProcessesByName(AccessibilityHelperForXpWin2k3.atApplications[index].AdditionalImage)) { if (userSessionId == p.SessionId && Utility.KillHelper(p)) break; } } if (nullable1.HasValue) { int? nullable3 = nullable1; if ((1 != nullable3.GetValueOrDefault() ? 0 : (nullable3.HasValue ? 1 : 0)) != 0) { if (ATApplicationFlags != 0U) { string fullPath = Path.Combine(AccessibilityHelperForXpWin2k3.systemPath, AccessibilityHelperForXpWin2k3.atApplications[index].Image); if (this.m_manager == null) this.m_manager = new ProcessManager(userSessionId, trustedUserSid); bool fUseElevatedToken = false; this.m_manager.AddProcess(hTrustedUserToken, ref trustedUserSid, infocardDesktop, userProcessId, userIdentity, fullPath, "", fUseElevatedToken); if (index == 0) flag1 = true; } } } } } if (!this.m_fTabletPC || flag1) return; if (this.m_manager == null) this.m_manager = new ProcessManager(userSessionId, trustedUserSid); bool fUseElevatedToken1 = false; this.m_manager.AddProcess(hTrustedUserToken, ref trustedUserSid, infocardDesktop, userProcessId, userIdentity, Path.Combine(AccessibilityHelperForXpWin2k3.systemPath, AccessibilityHelperForXpWin2k3.atApplications[0].Image), "", fUseElevatedToken1); } } public void Dispose() { if (this.m_manager == null) return; this.m_manager.Dispose(); this.m_manager = (ProcessManager) null; } internal struct DownlevelAtData { public string RegistryPath; public string Image; public string AdditionalImage; public DownlevelAtData(string path, string image, string additional) { this.RegistryPath = path; this.Image = image; this.AdditionalImage = additional; } } } }